diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPool.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPool.tsp index 9cb2d2a7b17b..555896963075 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPool.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPool.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./ManagedCluster.tsp"; using TypeSpec.Rest; diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPoolUpgradeProfile.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPoolUpgradeProfile.tsp index b4779099ed92..c2e753ef46fe 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPoolUpgradeProfile.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/AgentPoolUpgradeProfile.tsp @@ -1,14 +1,20 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./AgentPool.tsp"; using TypeSpec.Rest; using Azure.ResourceManager; using TypeSpec.Http; +using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// AgentPoolUpgradeProfile resource and operations +// ============================================================================= + /** * The list of available upgrades for an agent pool. */ 
@@ -27,6 +33,11 @@ model AgentPoolUpgradeProfile >; } +@@doc(AgentPoolUpgradeProfile.name, ""); +@@doc(AgentPoolUpgradeProfile.properties, + "The properties of the agent pool upgrade profile." +); + @armResourceOperations(#{ omitTags: true }) interface AgentPoolUpgradeProfiles { /** 
@@ -36,7 +47,89 @@ interface AgentPoolUpgradeProfiles { getUpgradeProfile is ArmResourceRead; } -@@doc(AgentPoolUpgradeProfile.name, ""); -@@doc(AgentPoolUpgradeProfile.properties, - "The properties of the agent pool upgrade profile." -); +// ============================================================================= +// AgentPoolUpgradeProfile models +// ============================================================================= + +/** + * The list of available upgrade versions. + */ +#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model AgentPoolUpgradeProfileProperties { + /** + * The Kubernetes version (major.minor.patch). + */ + kubernetesVersion: string; + + /** + * The operating system type. The default is Linux. + */ + osType: OSType = OSType.Linux; + + /** + * List of orchestrator types and versions available for upgrade. + */ + @identifiers(#[]) + upgrades?: AgentPoolUpgradeProfilePropertiesUpgradesItem[]; + + /** + * List of components grouped by kubernetes major.minor version. + */ + @added(Versions.v2025_10_02_preview) + @identifiers(#[]) + componentsByReleases?: ComponentsByRelease[]; + + /** + * List of historical good versions for rollback operations. + */ + @added(Versions.v2025_10_02_preview) + @visibility(Lifecycle.Read) + @identifiers(#[]) + recentlyUsedVersions?: AgentPoolRecentlyUsedVersion[]; + + /** + * The latest AKS supported node image version. + */ + latestNodeImageVersion?: string; +} + +/** Available upgrades for an AgentPool. */ +model AgentPoolUpgradeProfilePropertiesUpgradesItem { + /** + * The Kubernetes version (major.minor.patch). + */ + kubernetesVersion?: string; + + /** + * Whether the Kubernetes version is currently in preview. + */ + isPreview?: boolean; + + /** + * Whether the Kubernetes version is out of support. 
+ */ + @added(Versions.v2025_10_02_preview) + isOutOfSupport?: boolean; +} + +/** + * A historical version that can be used for rollback operations. + */ +@added(Versions.v2025_10_02_preview) +model AgentPoolRecentlyUsedVersion { + /** + * The Kubernetes version (major.minor.patch) available for rollback. + */ + orchestratorVersion?: string; + + /** + * The node image version available for rollback. + */ + nodeImageVersion?: string; + + /** + * The timestamp when this version was last used. + */ + // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. + timestamp?: utcDateTime; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/back-compatible.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/BackCompatible.tsp similarity index 68% rename from specification/containerservice/resource-manager/Microsoft.ContainerService/aks/back-compatible.tsp rename to specification/containerservice/resource-manager/Microsoft.ContainerService/aks/BackCompatible.tsp index 37b775a33000..b8f12c3a94e8 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/back-compatible.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/BackCompatible.tsp 
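Review bot: The `#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state"` directive on `AgentPoolUpgradeProfileProperties` still carries the placeholder text `FIXME: Update justification`, and `timestamp?: utcDateTime` in `AgentPoolRecentlyUsedVersion` keeps the conversion-tool `// FIXME: (utcDateTime)` comment; since this commit relocates these models into AgentPoolUpgradeProfile.tsp, it is the natural point to resolve both. Given that `AgentPoolUpgradeProfiles` exposes only `getUpgradeProfile is ArmResourceRead`, the resource appears to be read-only, so a justification along the lines of `"AgentPoolUpgradeProfile is a read-only resource and carries no provisioningState."` would fit, but confirm that with the service owners rather than taking it from the interface alone. For the timestamp, either confirm that `utcDateTime` matches the wire format the service emits and drop the FIXME, or state the open question in the property's doc comment so it is not lost in the move.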
@@ -3,66 +3,11 @@ import "@azure-tools/typespec-client-generator-core"; using Azure.ClientGenerator.Core; using Microsoft.ContainerService; -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(OperationValue.display); - -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`balance-similar-node-groups`, - "balanceSimilarNodeGroups" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`daemonset-eviction-for-empty-nodes`, - "daemonsetEvictionForEmptyNodes" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`daemonset-eviction-for-occupied-nodes`, - "daemonsetEvictionForOccupiedNodes" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`ignore-daemonsets-utilization`, - "ignoreDaemonsetsUtilization" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`max-empty-bulk-delete`, - "maxEmptyBulkDelete" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`max-graceful-termination-sec`, - "maxGracefulTerminationSec" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`max-node-provision-time`, - "maxNodeProvisionTime" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`max-total-unready-percentage`, - "maxTotalUnreadyPercentage" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`new-pod-scale-up-delay`, - "newPodScaleUpDelay" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`ok-total-unready-count`, - "okTotalUnreadyCount" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`scan-interval`, - "scanInterval" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`scale-down-delay-after-add`, - "scaleDownDelayAfterAdd" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`scale-down-delay-after-delete`, - "scaleDownDelayAfterDelete" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`scale-down-delay-after-failure`, - "scaleDownDelayAfterFailure" -); 
-@@clientName(ManagedClusterPropertiesAutoScalerProfile.`scale-down-unneeded-time`, - "scaleDownUnneededTime" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`scale-down-unready-time`, - "scaleDownUnreadyTime" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`scale-down-utilization-threshold`, - "scaleDownUtilizationThreshold" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`skip-nodes-with-local-storage`, - "skipNodesWithLocalStorage" -); -@@clientName(ManagedClusterPropertiesAutoScalerProfile.`skip-nodes-with-system-pods`, - "skipNodesWithSystemPods" -); +// ============================================================================= +// Property flattening for SDK backward compatibility +// These must remain as augment decorators since 'properties' is inherited from +// ARM resource templates (TrackedResource, ProxyResource) +// ============================================================================= #suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." @@Legacy.flattenProperty(ManagedClusterAccessProfile.properties); 
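Review bot: The nineteen `@@clientName(ManagedClusterPropertiesAutoScalerProfile.`…`, "…")` augment decorators removed here are not re-added anywhere in this file, and the only related change visible in the diff is the new `using Azure.ClientGenerator.Core;` in CommonModels.tsp, so I assume they were moved inline onto the model; please confirm, because dropping any one of them silently changes the generated SDK property name (for example `balance-similar-node-groups` would no longer surface as `balanceSimilarNodeGroups`) and breaks existing callers. The removed `@@Legacy.flattenProperty(OperationValue.display)` is in a better position, since its inline replacement is visible in the CommonModels.tsp hunk. It would help future readers if the new section header also said where the property renames went, e.g. `// Property renames (@clientName) now live inline on the models in CommonModels.tsp`.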
@@ -73,6 +18,42 @@ using Microsoft.ContainerService; #suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." @@Legacy.flattenProperty(RunCommandResult.properties); +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(ManagedCluster.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(ManagedClusterUpgradeProfile.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(MaintenanceConfiguration.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(AgentPool.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(AgentPoolUpgradeProfile.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(PrivateEndpointConnection.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(Snapshot.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(ManagedClusterSnapshot.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." +@@Legacy.flattenProperty(TrustedAccessRoleBinding.properties); + +#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." 
+@@Legacy.flattenProperty(LoadBalancer.properties); + +// ============================================================================= +// Operation parameter renaming +// These must remain as augment decorators since parameters are defined in +// template operations (ArmResourceCreateOrReplaceAsync, etc.) +// ============================================================================= + @@clientName(ManagedClusters.createOrUpdate::parameters.resource, "parameters"); @@clientName(ManagedClusters.updateTags::parameters.properties, "parameters"); @@clientName(ManagedClusters.resetServicePrincipalProfile::parameters.body, 
@@ -83,36 +64,15 @@ using Microsoft.ContainerService; @@clientName(ManagedClusters.rebalanceLoadBalancers::parameters.body, "parameters" ); -@@clientLocation(ManagedClusters.getAvailableAgentPoolVersions, AgentPools); -@@clientLocation(ManagedClusters.privateLinkResourcesList, - "PrivateLinkResources" -); @@clientName(ManagedClusters.privateLinkResourcesList, "List"); -@@clientLocation(ManagedClusters.post, "ResolvePrivateLinkServiceId"); @@clientName(ManagedClusters.post, "POST"); @@clientName(ManagedClusters.post::parameters.body, "parameters"); -@@clientLocation(ManagedClusters.operationStatusResultList, - "OperationStatusResult" -); @@clientName(ManagedClusters.operationStatusResultList, "List"); -@@clientLocation(ManagedClusters.operationStatusResultGet, - "OperationStatusResult" -); @@clientName(ManagedClusters.operationStatusResultGet, "Get"); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(ManagedCluster.properties); - -@@clientLocation(ManagedClusterUpgradeProfiles.getUpgradeProfile, - ManagedClusters -); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(ManagedClusterUpgradeProfile.properties); @@clientName(MaintenanceConfigurations.createOrUpdate::parameters.resource, "parameters" ); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(MaintenanceConfiguration.properties); @@clientName(ManagedNamespaces.createOrUpdate::parameters.resource, "parameters" 
@@ -121,26 +81,15 @@ using Microsoft.ContainerService; @@clientName(AgentPools.createOrUpdate::parameters.resource, "parameters"); @@clientName(AgentPools.deleteMachines::parameters.body, "machines"); -@@clientLocation(AgentPools.getByAgentPool, "OperationStatusResult"); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(AgentPool.properties); - -@@clientLocation(AgentPoolUpgradeProfiles.getUpgradeProfile, AgentPools); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(AgentPoolUpgradeProfile.properties); @@clientName(Machines.createOrUpdate::parameters.resource, "parameters"); @@clientName(PrivateEndpointConnections.update::parameters.resource, "parameters" ); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(PrivateEndpointConnection.properties); @@clientName(Snapshots.createOrUpdate::parameters.resource, "parameters"); @@clientName(Snapshots.updateTags::parameters.properties, "parameters"); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(Snapshot.properties); @@clientName(ManagedClusterSnapshots.createOrUpdate::parameters.resource, "parameters" 
@@ -148,14 +97,47 @@ using Microsoft.ContainerService; @@clientName(ManagedClusterSnapshots.updateTags::parameters.properties, "parameters" ); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(ManagedClusterSnapshot.properties); @@clientName(TrustedAccessRoleBindings.createOrUpdate::parameters.resource, "trustedAccessRoleBinding" ); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(TrustedAccessRoleBinding.properties); + +@@clientName(LoadBalancers.createOrUpdate::parameters.resource, "parameters"); + +@@clientName(IdentityBindings.createOrUpdate::parameters.resource, + "parameters" +); + +@@clientName(JWTAuthenticators.createOrUpdate::parameters.resource, + "parameters" +); + +@@clientName(MeshMemberships.createOrUpdate::parameters.resource, "parameters"); + +// ============================================================================= +// Operation location reorganization +// These reorganize where operations appear in generated SDK clients +// ============================================================================= + +@@clientLocation(ManagedClusters.getAvailableAgentPoolVersions, AgentPools); +@@clientLocation(ManagedClusters.privateLinkResourcesList, + "PrivateLinkResources" +); +@@clientLocation(ManagedClusters.post, "ResolvePrivateLinkServiceId"); +@@clientLocation(ManagedClusters.operationStatusResultList, + "OperationStatusResult" +); +@@clientLocation(ManagedClusters.operationStatusResultGet, + "OperationStatusResult" +); + +@@clientLocation(ManagedClusterUpgradeProfiles.getUpgradeProfile, + ManagedClusters +); + +@@clientLocation(AgentPools.getByAgentPool, "OperationStatusResult"); + +@@clientLocation(AgentPoolUpgradeProfiles.getUpgradeProfile, AgentPools); @@clientLocation(GuardrailsAvailableVersions.getGuardrailsVersions, ManagedClusters 
@@ -179,26 +161,6 @@ using Microsoft.ContainerService; @@clientLocation(MeshUpgradeProfiles.getMeshUpgradeProfile, ManagedClusters); @@clientLocation(MeshUpgradeProfiles.listMeshUpgradeProfiles, ManagedClusters); -@@clientName(TrustedAccessRoleBindings.createOrUpdate::parameters.resource, - "trustedAccessRoleBinding" -); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(TrustedAccessRoleBinding.properties); - -@@clientName(LoadBalancers.createOrUpdate::parameters.resource, "parameters"); -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(LoadBalancer.properties); - -@@clientName(IdentityBindings.createOrUpdate::parameters.resource, - "parameters" -); - -@@clientName(JWTAuthenticators.createOrUpdate::parameters.resource, - "parameters" -); - -@@clientName(MeshMemberships.createOrUpdate::parameters.resource, "parameters"); - @@clientLocation(ManagedClustersOperationGroup.listKubernetesVersions, ManagedClusters ); @@ -208,6 +170,3 @@ using Microsoft.ContainerService; ); @@clientLocation(TrustedAccessRolesOperationGroup.list, "TrustedAccessRoles"); - -#suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." -@@Legacy.flattenProperty(OperationValue.display); diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/models.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/CommonModels.tsp similarity index 74% rename from specification/containerservice/resource-manager/Microsoft.ContainerService/aks/models.tsp rename to specification/containerservice/resource-manager/Microsoft.ContainerService/aks/CommonModels.tsp index 368893f93ab5..41060a877fcf 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/models.tsp 
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/CommonModels.tsp @@ -2,12 +2,14 @@ import "@typespec/rest"; import "@typespec/http"; import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; +import "@azure-tools/typespec-client-generator-core"; using TypeSpec.Rest; using TypeSpec.Http; using Azure.Core; using Azure.ResourceManager; using Azure.ResourceManager.Foundations; +using Azure.ClientGenerator.Core; using Versioning; namespace Microsoft.ContainerService; 
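Review bot: `using Azure.ClientGenerator.Core;` is added here, yet the only use visible in the following hunk spells the decorator fully qualified as `@Azure.ClientGenerator.Core.Legacy.flattenProperty`; pick one form — either drop the `using` or shorten the decorator to `@Legacy.flattenProperty`, which is the form BackCompatible.tsp already uses. That later hunk runs past the end of what I can see, so there may be other decorators that rely on the `using`; if so, the short form should be used consistently across them.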
@@ -1381,933 +1383,513 @@ union Format { } /** - * The weekday enum. - */ -union WeekDay { - string, - - /** Represents Sunday. */ - Sunday: "Sunday", - - /** Represents Monday. */ - Monday: "Monday", - - /** Represents Tuesday. */ - Tuesday: "Tuesday", - - /** Represents Wednesday. */ - Wednesday: "Wednesday", - - /** Represents Thursday. */ - Thursday: "Thursday", - - /** Represents Friday. */ - Friday: "Friday", - - /** Represents Saturday. */ - Saturday: "Saturday", -} - -/** - * The week index. Specifies on which week of the month the dayOfWeek applies. + * The type of a snapshot. The default is NodePool. */ -union Type { +union SnapshotType { string, /** - * First week of the month. + * The snapshot is a snapshot of a node pool. */ - First: "First", + NodePool: "NodePool", /** - * Second week of the month. + * The snapshot is a snapshot of a managed cluster. */ - Second: "Second", + @added(Versions.v2025_10_02_preview) + ManagedCluster: "ManagedCluster", +} +/** + * The type of identity used for the managed cluster. For more information see [use managed identities in AKS](https://docs.microsoft.com/azure/aks/use-managed-identity). + */ +#suppress "@azure-tools/typespec-azure-core/no-enum" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +enum ResourceIdentityType { /** - * Third week of the month. + * Use an implicitly created system assigned managed identity to manage cluster resources. Master components in the control plane such as kube-controller-manager will use the system assigned managed identity to manipulate Azure resources. */ - Third: "Third", + SystemAssigned, /** - * Fourth week of the month. + * Use a user-specified identity to manage cluster resources. Master components in the control plane such as kube-controller-manager will use the specified user assigned managed identity to manipulate Azure resources. */ - Fourth: "Fourth", + UserAssigned, /** - * Last week of the month. 
+ * Do not use a managed identity for the Managed Cluster, service principal will be used instead. */ - Last: "Last", -} - -/** - * The current provisioning state of the namespace. - */ -union NamespaceProvisioningState { - string, - - /** The namespace is being updated. */ - Updating: "Updating", - - /** The namespace is being deleted. */ - Deleting: "Deleting", - - /** The namespace is being created. */ - Creating: "Creating", - - /** The namespace provisioning succeeded. */ - Succeeded: "Succeeded", - - /** The namespace provisioning failed. */ - Failed: "Failed", - - /** The namespace provisioning was canceled. */ - Canceled: "Canceled", + None, } /** - * Enum representing different network policy rules. + * Describes the properties of a Operation value. */ -union PolicyRule { - string, - +model OperationValue { /** - * Deny all network traffic. + * The origin of the operation. */ - DenyAll: "DenyAll", + @visibility(Lifecycle.Read) + origin?: string; /** - * Allow all network traffic. + * The name of the operation. */ - AllowAll: "AllowAll", + @visibility(Lifecycle.Read) + name?: string; /** - * Allow traffic within the same namespace. + * Describes the properties of a Operation Value Display. */ - AllowSameNamespace: "AllowSameNamespace", + #suppress "@azure-tools/typespec-azure-core/no-legacy-usage" "Property flatten for SDK backward compatibility." + @Azure.ClientGenerator.Core.Legacy.flattenProperty + display?: OperationValueDisplay; } /** - * Action if Kubernetes namespace with same name already exists. + * Describes the properties of a Operation Value Display. */ -union AdoptionPolicy { - string, +model OperationValueDisplay { + /** + * The display name of the operation. + */ + @visibility(Lifecycle.Read) + operation?: string; /** - * If the namespace already exists in Kubernetes, attempts to create that same namespace in ARM will fail. + * The display name of the resource the operation applies to. 
*/ - Never: "Never", + @visibility(Lifecycle.Read) + resource?: string; /** - * Take over the existing namespace to be managed by ARM, if there is no difference. + * The description of the operation. */ - IfIdentical: "IfIdentical", + @visibility(Lifecycle.Read) + description?: string; /** - * Always take over the existing namespace to be managed by ARM, some fields might be overwritten. + * The resource provider for the operation. */ - Always: "Always", + @visibility(Lifecycle.Read) + provider?: string; } /** - * Delete options of a namespace. + * Hold values properties, which is array of KubernetesVersion */ -union DeletePolicy { - string, - - /** - * Only delete the ARM resource, keep the Kubernetes namespace. Also delete the ManagedByARM label. - */ - Keep: "Keep", - +model KubernetesVersionListResult { /** - * Delete both the ARM resource and the Kubernetes namespace together. + * Array of AKS supported Kubernetes versions. */ - Delete: "Delete", + @identifiers(#[]) + values?: KubernetesVersion[]; } /** - * The drift action of the machine. Indicates whether a machine has deviated from its expected state due to changes in managed cluster properties, requiring corrective action. + * Kubernetes version profile for given major.minor release. */ -@added(Versions.v2025_10_02_preview) -union DriftAction { - string, - +model KubernetesVersion { /** - * The machine is up to date. + * major.minor version of Kubernetes release */ - Synced: "Synced", + version?: string; /** - * The machine has drifted and needs to be deleted and recreated. + * Capabilities on this Kubernetes version. */ - Recreate: "Recreate", -} - -/** - * Virtual machine state. Indicates the current state of the underlying virtual machine. - */ -union VmState { - string, + capabilities?: KubernetesVersionCapabilities; /** - * The virtual machine is currently running. + * Whether this version is default. 
*/ - Running: "Running", + isDefault?: boolean; /** - * The virtual machine has been deleted by the user or due to spot eviction. + * Whether this version is in preview mode. */ - Deleted: "Deleted", -} - -/** - * The current provisioning state. - */ -union PrivateEndpointConnectionProvisioningState { - string, - - /** Private endpoint connection provisioning was canceled. */ - Canceled: "Canceled", - - /** Private endpoint connection is being created. */ - Creating: "Creating", - - /** Private endpoint connection is being deleted. */ - Deleting: "Deleting", - - /** Private endpoint connection provisioning failed. */ - Failed: "Failed", + isPreview?: boolean; - /** Private endpoint connection provisioning succeeded. */ - Succeeded: "Succeeded", + /** + * Patch versions of Kubernetes release + */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + patchVersions?: Record; } /** - * The private link service connection status. + * Capabilities on this Kubernetes version. */ -union ConnectionStatus { - string, - - /** Connection is pending approval. */ - Pending: "Pending", - - /** Connection is approved. */ - Approved: "Approved", - - /** Connection is rejected. */ - Rejected: "Rejected", - - /** Connection is disconnected. */ - Disconnected: "Disconnected", +model KubernetesVersionCapabilities { + /** Kubernetes support plans available for this version. */ + supportPlan?: KubernetesSupportPlan[]; } /** - * The type of a snapshot. The default is NodePool. + * Kubernetes patch version profile */ -union SnapshotType { - string, - - /** - * The snapshot is a snapshot of a node pool. - */ - NodePool: "NodePool", - +model KubernetesPatchVersion { /** - * The snapshot is a snapshot of a managed cluster. 
+ * Possible upgrade path for given patch version */ - @added(Versions.v2025_10_02_preview) - ManagedCluster: "ManagedCluster", + upgrades?: string[]; } /** - * The current provisioning state of trusted access role binding. + * Holds an array NodeImageVersions */ -union TrustedAccessRoleBindingProvisioningState { - string, - - /** Trusted access role binding provisioning was canceled. */ - Canceled: "Canceled", - - /** Trusted access role binding is being deleted. */ - Deleting: "Deleting", - - /** Trusted access role binding provisioning failed. */ - Failed: "Failed", - - /** Trusted access role binding provisioning succeeded. */ - Succeeded: "Succeeded", - - /** Trusted access role binding is being updated. */ - Updating: "Updating", -} +@added(Versions.v2025_10_02_preview) +model NodeImageVersionsListResult is Azure.Core.Page; /** - * Whether the version is preview or stable. + * node image version profile for given major.minor.patch release. */ @added(Versions.v2025_10_02_preview) -union GuardrailsSupport { - string, - +model NodeImageVersion { /** - * The version is preview. It is not recommended to use preview versions on critical production clusters. The preview version may not support all use-cases. + * The operating system of the node image. Example: AKSUbuntu */ - Preview: "Preview", + os?: string; /** - * The version is stable and can be used on critical production clusters. + * The SKU or flavor of the node image. Example: 2004gen2containerd */ - Stable: "Stable", -} - -/** - * Whether the version is preview or stable. - */ -@added(Versions.v2025_10_02_preview) -union SafeguardsSupport { - string, + sku?: string; /** - * The version is preview. It is not recommended to use preview versions on critical production clusters. The preview version may not support all use-cases. + * major.minor.patch version of the node image version release. 
Example: 2024.02.02 */ - Preview: "Preview", + version?: string; /** - * The version is stable and can be used on critical production clusters. + * The OS + SKU + version of the node image. Example: AKSUbuntu-1804gen2containerd-2024.02.02 */ - Stable: "Stable", + fullName?: string; } /** - * operator represents a key's relationship to a set of values. Valid operators are In and NotIn + * The SKU of a Managed Cluster. */ -@added(Versions.v2025_10_02_preview) -union Operator { - string, - +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterSKU { /** - * The value of the key should be in the given list. + * The name of a managed cluster SKU. */ - In: "In", + name?: ManagedClusterSKUName; /** - * The value of the key should not be in the given list. + * The tier of a managed cluster SKU. If not specified, the default is 'Free'. See [AKS Pricing Tier](https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers) for more details. */ - NotIn: "NotIn", + tier?: ManagedClusterSKUTier; +} +/** + * The complex type of the extended location. + */ +model ExtendedLocation { /** - * The value of the key should exist. + * The name of the extended location. */ - Exists: "Exists", + name?: string; /** - * The value of the key should not exist. + * The type of the extended location. */ - DoesNotExist: "DoesNotExist", + type?: ExtendedLocationTypes; } /** - * The provisioning state of the last accepted operation. + * Identity for the managed cluster. */ -@added(Versions.v2025_10_02_preview) -union IdentityBindingProvisioningState { - string, +model ManagedClusterIdentity { + /** + * The principal id of the system assigned identity which is used by master components. + */ + @visibility(Lifecycle.Read) + principalId?: string; /** - * Resource has been created. + * The tenant id of the system assigned identity which is used by master components. 
*/ - Succeeded: "Succeeded", + @visibility(Lifecycle.Read) + tenantId?: string; /** - * Resource creation failed. + * The type of identity used for the managed cluster. For more information see [use managed identities in AKS](https://docs.microsoft.com/azure/aks/use-managed-identity). */ - Failed: "Failed", + type?: ResourceIdentityType; /** - * Resource creation was canceled. + * The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. */ - Canceled: "Canceled", + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + delegatedResources?: Record; /** - * The identity binding is being created. + * The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. */ - Creating: "Creating", + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + userAssignedIdentities?: Record; +} +/** User assigned identity properties. */ +model ManagedServiceIdentityUserAssignedIdentitiesValue { /** - * The identity binding is being updated. + * The principal id of user assigned identity. */ - Updating: "Updating", + @visibility(Lifecycle.Read) + principalId?: string; /** - * The identity binding is being deleted. + * The client id of user assigned identity. */ - Deleting: "Deleting", + @visibility(Lifecycle.Read) + clientId?: string; } /** - * The provisioning state of the last accepted operation. + * Properties of the managed cluster. 
*/ -@added(Versions.v2025_10_02_preview) -union JWTAuthenticatorProvisioningState { - string, - +model ManagedClusterProperties { /** - * Resource has been created. + * The current provisioning state. */ - Succeeded: "Succeeded", + #suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + provisioningState?: string; /** - * Resource creation failed. + * The Power State of the cluster. */ - Failed: "Failed", + @visibility(Lifecycle.Read) + powerState?: PowerState; /** - * Resource creation was canceled. + * CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot. */ - Canceled: "Canceled", + @added(Versions.v2025_10_02_preview) + creationData?: CreationData; /** - * The JWT authenticator is being created. + * The max number of agent pools for the managed cluster. */ - Creating: "Creating", + @visibility(Lifecycle.Read) + maxAgentPools?: int32; /** - * The JWT authenticator is being updated. + * The version of Kubernetes specified by the user. Both patch version (e.g. 1.20.13) and (e.g. 1.20) are supported. When is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See [upgrading an AKS cluster](https://docs.microsoft.com/azure/aks/upgrade-cluster) for more details. */ - Updating: "Updating", + kubernetesVersion?: string; /** - * The JWT authenticator is being deleted. 
+ * The version of Kubernetes the Managed Cluster is running. If kubernetesVersion was a fully specified version , this field will be exactly equal to it. If kubernetesVersion was , this field will contain the full version being used. */ - Deleting: "Deleting", -} - -/** - * The provisioning state of the last accepted operation. - */ -@added(Versions.v2025_10_02_preview) -union MeshMembershipProvisioningState { - string, + @visibility(Lifecycle.Read) + currentKubernetesVersion?: string; /** - * Resource creation was canceled. + * The DNS prefix of the Managed Cluster. This cannot be updated once the Managed Cluster has been created. */ - Canceled: "Canceled", + dnsPrefix?: string; /** - * The Mesh Membership is being created. + * The FQDN subdomain of the private cluster with custom private dns zone. This cannot be updated once the Managed Cluster has been created. */ - Creating: "Creating", + fqdnSubdomain?: string; /** - * The Mesh Membership is being deleted. + * The FQDN of the master pool. */ - Deleting: "Deleting", + @visibility(Lifecycle.Read) + fqdn?: string; /** - * Resource creation failed. + * The FQDN of private cluster. */ - Failed: "Failed", + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + privateFQDN?: string; /** - * Resource has been created. + * The special FQDN used by the Azure Portal to access the Managed Cluster. This FQDN is for use only by the Azure Portal and should not be used by other clients. The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly. 
*/ - Succeeded: "Succeeded", + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + azurePortalFQDN?: string; /** - * The Mesh Membership is being updated. + * The agent pool properties. */ - Updating: "Updating", -} + @identifiers(#[]) + agentPoolProfiles?: ManagedClusterAgentPoolProfile[]; -/** - * The type of identity used for the managed cluster. For more information see [use managed identities in AKS](https://docs.microsoft.com/azure/aks/use-managed-identity). - */ -#suppress "@azure-tools/typespec-azure-core/no-enum" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -enum ResourceIdentityType { /** - * Use an implicitly created system assigned managed identity to manage cluster resources. Master components in the control plane such as kube-controller-manager will use the system assigned managed identity to manipulate Azure resources. + * The profile for Linux VMs in the Managed Cluster. */ - SystemAssigned, + linuxProfile?: ContainerServiceLinuxProfile; /** - * Use a user-specified identity to manage cluster resources. Master components in the control plane such as kube-controller-manager will use the specified user assigned managed identity to manipulate Azure resources. + * The profile for Windows VMs in the Managed Cluster. */ - UserAssigned, + windowsProfile?: ManagedClusterWindowsProfile; /** - * Do not use a managed identity for the Managed Cluster, service principal will be used instead. + * Information about a service principal identity for the cluster to use for manipulating Azure APIs. */ - None, -} + servicePrincipalProfile?: ManagedClusterServicePrincipalProfile; -/** - * Describes the properties of a Operation value. - */ -model OperationValue { /** - * The origin of the operation. + * The profile of managed cluster add-on. 
*/ - @visibility(Lifecycle.Read) - origin?: string; + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + addonProfiles?: Record; /** - * The name of the operation. + * The pod identity profile of the Managed Cluster. See [use AAD pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) for more details on AAD pod identity integration. */ - @visibility(Lifecycle.Read) - name?: string; + podIdentityProfile?: ManagedClusterPodIdentityProfile; /** - * Describes the properties of a Operation Value Display. + * The OIDC issuer profile of the Managed Cluster. */ - display?: OperationValueDisplay; -} + oidcIssuerProfile?: ManagedClusterOIDCIssuerProfile; -/** - * Describes the properties of a Operation Value Display. - */ -model OperationValueDisplay { /** - * The display name of the operation. + * The name of the resource group containing agent pool nodes. */ - @visibility(Lifecycle.Read) - operation?: string; + nodeResourceGroup?: string; /** - * The display name of the resource the operation applies to. + * Profile of the node resource group configuration. */ - @visibility(Lifecycle.Read) - resource?: string; + nodeResourceGroupProfile?: ManagedClusterNodeResourceGroupProfile; /** - * The description of the operation. + * Whether to enable Kubernetes Role-Based Access Control. */ - @visibility(Lifecycle.Read) - description?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + enableRBAC?: boolean; /** - * The resource provider for the operation. + * The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. 
*/ - @visibility(Lifecycle.Read) - provider?: string; -} + supportPlan?: KubernetesSupportPlan; -/** - * Hold values properties, which is array of KubernetesVersion - */ -model KubernetesVersionListResult { /** - * Array of AKS supported Kubernetes versions. + * Enable namespace as Azure resource. The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See [https://aka.ms/NamespaceARMResource](https://aka.ms/NamespaceARMResource) for more details on Namespace as a ARM Resource. */ - @identifiers(#[]) - values?: KubernetesVersion[]; -} + @added(Versions.v2025_10_02_preview) + enableNamespaceResources?: boolean; -/** - * Kubernetes version profile for given major.minor release. - */ -model KubernetesVersion { /** - * major.minor version of Kubernetes release + * The network configuration profile. */ - version?: string; + networkProfile?: ContainerServiceNetworkProfile; /** - * Capabilities on this Kubernetes version. + * The Azure Active Directory configuration. */ - capabilities?: KubernetesVersionCapabilities; + aadProfile?: ManagedClusterAADProfile; /** - * Whether this version is default. + * The auto upgrade configuration. */ - isDefault?: boolean; + autoUpgradeProfile?: ManagedClusterAutoUpgradeProfile; /** - * Whether this version is in preview mode. + * Settings for upgrading a cluster. */ - isPreview?: boolean; + upgradeSettings?: ClusterUpgradeSettings; /** - * Patch versions of Kubernetes release + * Parameters to be applied to the cluster-autoscaler when enabled */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - patchVersions?: Record; -} - -/** - * Capabilities on this Kubernetes version. - */ -model KubernetesVersionCapabilities { - /** Kubernetes support plans available for this version. 
*/ - supportPlan?: KubernetesSupportPlan[]; -} + autoScalerProfile?: ManagedClusterPropertiesAutoScalerProfile; -/** - * Kubernetes patch version profile - */ -model KubernetesPatchVersion { /** - * Possible upgrade path for given patch version + * The access profile for managed cluster API server. */ - upgrades?: string[]; -} - -/** - * Holds an array NodeImageVersions - */ -@added(Versions.v2025_10_02_preview) -model NodeImageVersionsListResult is Azure.Core.Page; + apiServerAccessProfile?: ManagedClusterAPIServerAccessProfile; -/** - * node image version profile for given major.minor.patch release. - */ -@added(Versions.v2025_10_02_preview) -model NodeImageVersion { /** - * The operating system of the node image. Example: AKSUbuntu + * The Resource ID of the disk encryption set to use for enabling encryption at rest. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' */ - os?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + diskEncryptionSetID?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.Compute/diskEncryptionSets"; + } + ]>; /** - * The SKU or flavor of the node image. Example: 2004gen2containerd + * The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". */ - sku?: string; + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + identityProfile?: Record; /** - * major.minor.patch version of the node image version release. 
Example: 2024.02.02 + * Private link resources associated with the cluster. */ - version?: string; + privateLinkResources?: PrivateLinkResource[]; /** - * The OS + SKU + version of the node image. Example: AKSUbuntu-1804gen2containerd-2024.02.02 + * If local accounts should be disabled on the Managed Cluster. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see [disable local accounts](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts-preview). */ - fullName?: string; -} + disableLocalAccounts?: boolean; -/** - * The SKU of a Managed Cluster. - */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model ManagedClusterSKU { /** - * The name of a managed cluster SKU. + * Configurations for provisioning the cluster with HTTP proxy servers. */ - name?: ManagedClusterSKUName; + httpProxyConfig?: ManagedClusterHTTPProxyConfig; /** - * The tier of a managed cluster SKU. If not specified, the default is 'Free'. See [AKS Pricing Tier](https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers) for more details. + * Security profile for the managed cluster. */ - tier?: ManagedClusterSKUTier; -} + securityProfile?: ManagedClusterSecurityProfile; -/** - * The complex type of the extended location. - */ -model ExtendedLocation { /** - * The name of the extended location. + * Storage profile for the managed cluster. */ - name?: string; + storageProfile?: ManagedClusterStorageProfile; /** - * The type of the extended location. + * Ingress profile for the managed cluster. */ - type?: ExtendedLocationTypes; -} + ingressProfile?: ManagedClusterIngressProfile; -/** - * Identity for the managed cluster. - */ -model ManagedClusterIdentity { /** - * The principal id of the system assigned identity which is used by master components. 
+ * PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS */ - @visibility(Lifecycle.Read) - principalId?: string; + publicNetworkAccess?: PublicNetworkAccess; /** - * The tenant id of the system assigned identity which is used by master components. + * Workload Auto-scaler profile for the managed cluster. */ - @visibility(Lifecycle.Read) - tenantId?: string; + workloadAutoScalerProfile?: ManagedClusterWorkloadAutoScalerProfile; /** - * The type of identity used for the managed cluster. For more information see [use managed identities in AKS](https://docs.microsoft.com/azure/aks/use-managed-identity). + * Azure Monitor addon profiles for monitoring the managed cluster. */ - type?: ResourceIdentityType; + azureMonitorProfile?: ManagedClusterAzureMonitorProfile; /** - * The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. + * Service mesh profile for a managed cluster. */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - delegatedResources?: Record; + serviceMeshProfile?: ServiceMeshProfile; /** - * The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. 
+ * The resourceUID uniquely identifies ManagedClusters that reuse ARM ResourceIds (i.e: create, delete, create sequence) */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - userAssignedIdentities?: Record; -} + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + resourceUID?: string; -/** User assigned identity properties. */ -model ManagedServiceIdentityUserAssignedIdentitiesValue { /** - * The principal id of user assigned identity. + * Optional cluster metrics configuration. */ - @visibility(Lifecycle.Read) - principalId?: string; + metricsProfile?: ManagedClusterMetricsProfile; /** - * The client id of user assigned identity. - */ - @visibility(Lifecycle.Read) - clientId?: string; -} - -/** - * Properties of the managed cluster. - */ -model ManagedClusterProperties { - /** - * The current provisioning state. - */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @visibility(Lifecycle.Read) - provisioningState?: string; - - /** - * The Power State of the cluster. - */ - @visibility(Lifecycle.Read) - powerState?: PowerState; - - /** - * CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot. - */ - @added(Versions.v2025_10_02_preview) - creationData?: CreationData; - - /** - * The max number of agent pools for the managed cluster. - */ - @visibility(Lifecycle.Read) - maxAgentPools?: int32; - - /** - * The version of Kubernetes specified by the user. Both patch version (e.g. 1.20.13) and (e.g. 1.20) are supported. When is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same once it has been created (e.g. 
1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See [upgrading an AKS cluster](https://docs.microsoft.com/azure/aks/upgrade-cluster) for more details. - */ - kubernetesVersion?: string; - - /** - * The version of Kubernetes the Managed Cluster is running. If kubernetesVersion was a fully specified version , this field will be exactly equal to it. If kubernetesVersion was , this field will contain the full version being used. - */ - @visibility(Lifecycle.Read) - currentKubernetesVersion?: string; - - /** - * The DNS prefix of the Managed Cluster. This cannot be updated once the Managed Cluster has been created. - */ - dnsPrefix?: string; - - /** - * The FQDN subdomain of the private cluster with custom private dns zone. This cannot be updated once the Managed Cluster has been created. - */ - fqdnSubdomain?: string; - - /** - * The FQDN of the master pool. - */ - @visibility(Lifecycle.Read) - fqdn?: string; - - /** - * The FQDN of private cluster. - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @visibility(Lifecycle.Read) - privateFQDN?: string; - - /** - * The special FQDN used by the Azure Portal to access the Managed Cluster. This FQDN is for use only by the Azure Portal and should not be used by other clients. The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly. 
- */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @visibility(Lifecycle.Read) - azurePortalFQDN?: string; - - /** - * The agent pool properties. - */ - @identifiers(#[]) - agentPoolProfiles?: ManagedClusterAgentPoolProfile[]; - - /** - * The profile for Linux VMs in the Managed Cluster. - */ - linuxProfile?: ContainerServiceLinuxProfile; - - /** - * The profile for Windows VMs in the Managed Cluster. - */ - windowsProfile?: ManagedClusterWindowsProfile; - - /** - * Information about a service principal identity for the cluster to use for manipulating Azure APIs. - */ - servicePrincipalProfile?: ManagedClusterServicePrincipalProfile; - - /** - * The profile of managed cluster add-on. - */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - addonProfiles?: Record; - - /** - * The pod identity profile of the Managed Cluster. See [use AAD pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) for more details on AAD pod identity integration. - */ - podIdentityProfile?: ManagedClusterPodIdentityProfile; - - /** - * The OIDC issuer profile of the Managed Cluster. - */ - oidcIssuerProfile?: ManagedClusterOIDCIssuerProfile; - - /** - * The name of the resource group containing agent pool nodes. - */ - nodeResourceGroup?: string; - - /** - * Profile of the node resource group configuration. - */ - nodeResourceGroupProfile?: ManagedClusterNodeResourceGroupProfile; - - /** - * Whether to enable Kubernetes Role-Based Access Control. - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - enableRBAC?: boolean; - - /** - * The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. 
- */ - supportPlan?: KubernetesSupportPlan; - - /** - * Enable namespace as Azure resource. The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See [https://aka.ms/NamespaceARMResource](https://aka.ms/NamespaceARMResource) for more details on Namespace as a ARM Resource. - */ - @added(Versions.v2025_10_02_preview) - enableNamespaceResources?: boolean; - - /** - * The network configuration profile. - */ - networkProfile?: ContainerServiceNetworkProfile; - - /** - * The Azure Active Directory configuration. - */ - aadProfile?: ManagedClusterAADProfile; - - /** - * The auto upgrade configuration. - */ - autoUpgradeProfile?: ManagedClusterAutoUpgradeProfile; - - /** - * Settings for upgrading a cluster. - */ - upgradeSettings?: ClusterUpgradeSettings; - - /** - * Parameters to be applied to the cluster-autoscaler when enabled - */ - autoScalerProfile?: ManagedClusterPropertiesAutoScalerProfile; - - /** - * The access profile for managed cluster API server. - */ - apiServerAccessProfile?: ManagedClusterAPIServerAccessProfile; - - /** - * The Resource ID of the disk encryption set to use for enabling encryption at rest. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - diskEncryptionSetID?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.Compute/diskEncryptionSets"; - } - ]>; - - /** - * The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". 
- */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - identityProfile?: Record; - - /** - * Private link resources associated with the cluster. - */ - privateLinkResources?: PrivateLinkResource[]; - - /** - * If local accounts should be disabled on the Managed Cluster. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see [disable local accounts](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts-preview). - */ - disableLocalAccounts?: boolean; - - /** - * Configurations for provisioning the cluster with HTTP proxy servers. - */ - httpProxyConfig?: ManagedClusterHTTPProxyConfig; - - /** - * Security profile for the managed cluster. - */ - securityProfile?: ManagedClusterSecurityProfile; - - /** - * Storage profile for the managed cluster. - */ - storageProfile?: ManagedClusterStorageProfile; - - /** - * Ingress profile for the managed cluster. - */ - ingressProfile?: ManagedClusterIngressProfile; - - /** - * PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS - */ - publicNetworkAccess?: PublicNetworkAccess; - - /** - * Workload Auto-scaler profile for the managed cluster. - */ - workloadAutoScalerProfile?: ManagedClusterWorkloadAutoScalerProfile; - - /** - * Azure Monitor addon profiles for monitoring the managed cluster. - */ - azureMonitorProfile?: ManagedClusterAzureMonitorProfile; - - /** - * Service mesh profile for a managed cluster. 
- */ - serviceMeshProfile?: ServiceMeshProfile; - - /** - * The resourceUID uniquely identifies ManagedClusters that reuse ARM ResourceIds (i.e: create, delete, create sequence) - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @visibility(Lifecycle.Read) - resourceUID?: string; - - /** - * Optional cluster metrics configuration. - */ - metricsProfile?: ManagedClusterMetricsProfile; - - /** - * Node provisioning settings that apply to the whole cluster. + * Node provisioning settings that apply to the whole cluster. */ nodeProvisioningProfile?: ManagedClusterNodeProvisioningProfile; 
@@ -3141,38 +2723,11 @@ model AgentPoolSecurityProfile {
 }
 
 /**
- * The security settings of the machine.
+ * GPU settings for the Agent Pool.
  */
-@added(Versions.v2025_10_02_preview)
-model MachineSecurityProfile {
+model GPUProfile {
   /**
-   * vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.
-   */
-  #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-  enableVTPM?: boolean;
-
-  /**
-   * Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.
-   */
-  enableSecureBoot?: boolean;
-
-  /**
-   * SSH access method of an agent pool.
-   */
-  sshAccess?: AgentPoolSSHAccess;
-
-  /**
-   * Whether to enable host based OS and data drive encryption. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: https://docs.microsoft.com/azure/aks/enable-host-encryption
-   */
-  enableEncryptionAtHost?: boolean;
-}
-
-/**
- * GPU settings for the Agent Pool.
- */
-model GPUProfile {
-  /**
-   * Whether to install GPU drivers. When it's not specified, default is Install.
+   * Whether to install GPU drivers. When it's not specified, default is Install.
    */
   driver?: GPUDriver;
 
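Review bot: `MachineSecurityProfile` is deleted here together with its `@added(Versions.v2025_10_02_preview)` gate and the `#suppress "…/casing-style"` on `enableVTPM`, and nothing in this hunk re-declares it. The surrounding commit appears to be relocating models into other files (the imports now point at CommonModels.tsp), so presumably this model is moved rather than dropped; if so, the version gate must travel with it, because a relocated declaration without `@added` would surface the vTPM, Secure Boot, `sshAccess` and encryption-at-host settings in API versions that never exposed them. Worth confirming that the moved declaration keeps the same property names and the `sshAccess?: AgentPoolSSHAccess` reference so the generated swagger for the preview version is unchanged. The removed and re-added `Whether to install GPU drivers` line differ only in whitespace, which reads like a trailing-space cleanup; harmless, but a formatter pass would avoid such noise in a diff this size.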
@@ -3358,3798 +2913,2130 @@ model LocalDNSOverride { /** * Cache max TTL in seconds. See [cache plugin](https://coredns.io/plugins/cache) for more information. */ - cacheDurationInSeconds?: int32 = 3600; - - /** - * Serve stale duration in seconds. See [cache plugin](https://coredns.io/plugins/cache) for more information. - */ - serveStaleDurationInSeconds?: int32 = 3600; - - /** - * Policy for serving stale data. See [cache plugin](https://coredns.io/plugins/cache) for more information. - */ - serveStale?: LocalDNSServeStale = LocalDNSServeStale.Immediate; -} - -/** - * Settings to determine the node customization used to provision nodes in a pool. - */ -@added(Versions.v2025_10_02_preview) -model NodeCustomizationProfile { - /** - * The resource ID of the node customization resource to use. This can be a version. Omitting the version will use the latest version of the node customization. - */ - nodeCustomizationId?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.ContainerService/nodeCustomizations"; - } - ]>; -} - -/** - * Profile for Linux VMs in the container service cluster. - */ -model ContainerServiceLinuxProfile { - /** - * The administrator username to use for Linux VMs. - */ - @pattern("^[A-Za-z][-A-Za-z0-9_]*$") - adminUsername: string; - - /** - * The SSH configuration for Linux-based VMs running on Azure. - */ - ssh: ContainerServiceSshConfiguration; -} - -/** - * SSH configuration for Linux-based VMs running on Azure. - */ -model ContainerServiceSshConfiguration { - /** - * The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. - */ - @identifiers(#[]) - publicKeys: ContainerServiceSshPublicKey[]; -} - -/** - * Contains information about SSH certificate public key data. - */ -model ContainerServiceSshPublicKey { - /** - * Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. 
- */ - keyData: string; -} - -/** - * Profile for Windows VMs in the managed cluster. - */ -model ManagedClusterWindowsProfile { - /** - * Specifies the name of the administrator account.

**Restriction:** Cannot end in "."

**Disallowed values:** "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

**Minimum-length:** 1 character

**Max-length:** 20 characters - */ - adminUsername: string; - - #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @doc("Specifies the password of the administrator account.

**Minimum-length:** 8 characters

**Max-length:** 123 characters

**Complexity requirements:** 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\\W_])

**Disallowed values:** \"abc@123\", \"P@$$w0rd\", \"P@ssw0rd\", \"P@ssword123\", \"Pa$$word\", \"pass@word1\", \"Password!\", \"Password1\", \"Password22\", \"iloveyou!\"") - adminPassword?: string; - - /** - * The license type to use for Windows VMs. See [Azure Hybrid User Benefits](https://azure.microsoft.com/pricing/hybrid-benefit/faq/) for more details. - */ - licenseType?: LicenseType; - - /** - * Whether to enable CSI proxy. For more details on CSI proxy, see the [CSI proxy GitHub repo](https://github.com/kubernetes-csi/csi-proxy). - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - enableCSIProxy?: boolean; - - /** - * The Windows gMSA Profile in the Managed Cluster. - */ - gmsaProfile?: WindowsGmsaProfile; -} - -/** - * Windows gMSA Profile in the managed cluster. - */ -model WindowsGmsaProfile { - /** - * Whether to enable Windows gMSA. Specifies whether to enable Windows gMSA in the managed cluster. - */ - enabled?: boolean; - - /** - * Specifies the DNS server for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. - */ - dnsServer?: string; - - /** - * Specifies the root domain name for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
- */
- rootDomainName?: string;
-}
-
-/**
- * Information about a service principal identity for the cluster to use for manipulating Azure APIs.
- */
-model ManagedClusterServicePrincipalProfile {
- /**
- * The ID for the service principal.
- */
- clientId: string;
-
- /**
- * The secret password associated with the service principal in plain text.
- */
- #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- secret?: string;
-}
-
-/**
- * A Kubernetes add-on profile for a managed cluster.
- */
-model ManagedClusterAddonProfile {
- /**
- * Whether the add-on is enabled or not.
- */
- enabled: boolean;
-
- /**
- * Key-value pairs for configuring an add-on.
- */
- #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- config?: Record;
-
- /**
- * Information of user assigned identity used by this add-on.
- */
- @visibility(Lifecycle.Read)
- identity?: ManagedClusterAddonProfileIdentity;
-}
-
-/**
- * Information of user assigned identity used by this add-on.
- */
-#suppress "@azure-tools/typespec-azure-resource-manager/no-empty-model" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-#suppress "@azure-tools/typespec-azure-core/composition-over-inheritance" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterAddonProfileIdentity extends UserAssignedIdentity {}
-
-/**
- * Details about a user assigned identity.
- */
-model UserAssignedIdentity {
- /**
- * The resource ID of the user assigned identity.
- */
- resourceId?: Azure.Core.armResourceIdentifier<[
- {
- type: "Microsoft.ManagedIdentity/userAssignedIdentities";
- }
- ]>;
-
- /**
- * The client ID of the user assigned identity.
- */
- clientId?: string;
-
- /**
- * The object ID of the user assigned identity.
- */
- objectId?: string;
-}
-
-/**
- * The pod identity profile of the Managed Cluster. See [use AAD pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) for more details on pod identity integration.
- */
-model ManagedClusterPodIdentityProfile {
- /**
- * Whether the pod identity addon is enabled.
- */
- enabled?: boolean;
-
- /**
- * Whether pod identity is allowed to run on clusters with Kubenet networking. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See [using Kubenet network plugin with AAD Pod Identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity#using-kubenet-network-plugin-with-azure-active-directory-pod-managed-identities) for more information.
- */
- allowNetworkPluginKubenet?: boolean;
-
- /**
- * The pod identities to use in the cluster.
- */
- @identifiers(#[])
- userAssignedIdentities?: ManagedClusterPodIdentity[];
-
- /**
- * The pod identity exceptions to allow.
- */
- @identifiers(#[])
- userAssignedIdentityExceptions?: ManagedClusterPodIdentityException[];
-}
-
-/**
- * Details about the pod identity assigned to the Managed Cluster.
- */
-model ManagedClusterPodIdentity {
- /**
- * The name of the pod identity.
- */
- name: string;
-
- /**
- * The namespace of the pod identity.
- */
- `namespace`: string;
-
- /**
- * The binding selector to use for the AzureIdentityBinding resource.
- */
- bindingSelector?: string;
-
- /**
- * The user assigned identity details.
- */
- identity: UserAssignedIdentity;
-
- /**
- * The current provisioning state of the pod identity.
- */
- @visibility(Lifecycle.Read)
- provisioningState?: ManagedClusterPodIdentityProvisioningState;
-
- /** The provisioning information for the pod identity.
*/
- @visibility(Lifecycle.Read)
- provisioningInfo?: ManagedClusterPodIdentityProvisioningInfo;
-}
-
-/** Pod identity provisioning information. */
-model ManagedClusterPodIdentityProvisioningInfo {
- /**
- * Pod identity assignment error (if any).
- */
- error?: ManagedClusterPodIdentityProvisioningError;
-}
-
-/**
- * An error response from the pod identity provisioning.
- */
-model ManagedClusterPodIdentityProvisioningError {
- /**
- * Details about the error.
- */
- error?: ManagedClusterPodIdentityProvisioningErrorBody;
-}
-
-/**
- * An error response from the pod identity provisioning.
- */
-model ManagedClusterPodIdentityProvisioningErrorBody {
- /**
- * An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
- */
- code?: string;
-
- /**
- * A message describing the error, intended to be suitable for display in a user interface.
- */
- message?: string;
-
- /**
- * The target of the particular error. For example, the name of the property in error.
- */
- target?: string;
-
- /**
- * A list of additional details about the error.
- */
- @identifiers(#[])
- details?: ManagedClusterPodIdentityProvisioningErrorBody[];
-}
-
-/**
- * A pod identity exception, which allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the node-managed identity (NMI) server. See [disable AAD Pod Identity for a specific Pod/Application](https://azure.github.io/aad-pod-identity/docs/configure/application_exception/) for more details.
- */
-model ManagedClusterPodIdentityException {
- /**
- * The name of the pod identity exception.
- */
- name: string;
-
- /**
- * The namespace of the pod identity exception.
- */
- `namespace`: string;
-
- /**
- * The pod labels to match.
- */
- #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- podLabels: Record;
-}
-
-/**
- * The OIDC issuer profile of the Managed Cluster.
- */
-#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterOIDCIssuerProfile {
- /**
- * The OIDC issuer url of the Managed Cluster.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @visibility(Lifecycle.Read)
- issuerURL?: string;
-
- /**
- * Whether the OIDC issuer is enabled.
- */
- enabled?: boolean;
-}
-
-/**
- * Node resource group lockdown profile for a managed cluster.
- */
-model ManagedClusterNodeResourceGroupProfile {
- /**
- * The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted'
- */
- restrictionLevel?: RestrictionLevel;
-}
-
-/**
- * Profile of network configuration.
- */
-model ContainerServiceNetworkProfile {
- /**
- * Network plugin used for building the Kubernetes network.
- */
- networkPlugin?: NetworkPlugin;
-
- /**
- * The mode the network plugin should use.
- */
- networkPluginMode?: NetworkPluginMode;
-
- /**
- * Network policy used for building the Kubernetes network.
- */
- networkPolicy?: NetworkPolicy;
-
- /**
- * The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'.
- */
- networkMode?: NetworkMode;
-
- /**
- * Network dataplane used in the Kubernetes cluster.
- */
- networkDataplane?: NetworkDataplane;
-
- /**
- * Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking.
- */
- advancedNetworking?: AdvancedNetworking;
-
- /**
- * A CIDR notation IP range from which to assign pod IPs when kubenet is used.
- */
- @pattern("^([0-9]{1,3}\\.){3}[0-9]{1,3}(\\/([0-9]|[1-2][0-9]|3[0-2]))?$")
- podCidr?: string = "10.244.0.0/16";
-
- /**
- * A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.
- */
- @pattern("^([0-9]{1,3}\\.){3}[0-9]{1,3}(\\/([0-9]|[1-2][0-9]|3[0-2]))?$")
- serviceCidr?: string = "10.0.0.0/16";
-
- /**
- * An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @pattern("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
- dnsServiceIP?: string = "10.0.0.10";
-
- /**
- * The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see [egress outbound type](https://docs.microsoft.com/azure/aks/egress-outboundtype).
- */
- outboundType?: OutboundType = OutboundType.loadBalancer;
-
- /**
- * The load balancer sku for the managed cluster. The default is 'standard'. See [Azure Load Balancer SKUs](https://docs.microsoft.com/azure/load-balancer/skus) for more information about the differences between load balancer SKUs.
- */
- loadBalancerSku?: LoadBalancerSku;
-
- /**
- * Profile of the cluster load balancer.
- */
- loadBalancerProfile?: ManagedClusterLoadBalancerProfile;
-
- /**
- * Profile of the cluster NAT gateway.
- */
- natGatewayProfile?: ManagedClusterNATGatewayProfile;
-
- /**
- * The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway.
- */
- staticEgressGatewayProfile?: ManagedClusterStaticEgressGatewayProfile;
-
- /**
- * The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking.
- */
- podCidrs?: string[];
-
- /**
- * The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges.
- */
- serviceCidrs?: string[];
-
- /**
- * The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.
- */
- ipFamilies?: IPFamily[];
-
- /**
- * Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. if not specified, the default is 'IMDS'.
- */
- @added(Versions.v2025_10_02_preview)
- podLinkLocalAccess?: PodLinkLocalAccess;
-
- /**
- * Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where is represented by a - string. Kubernetes version 1.23 would be '1-23'.
- */
- @added(Versions.v2025_10_02_preview)
- kubeProxyConfig?: ContainerServiceNetworkProfileKubeProxyConfig;
-}
-
-/**
- * Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking.
- */
-model AdvancedNetworking {
- /**
- * Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters.
When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false.
- */
- enabled?: boolean;
-
- /**
- * Observability profile to enable advanced network metrics and flow logs with historical contexts.
- */
- observability?: AdvancedNetworkingObservability;
-
- /**
- * Security profile to enable security features on cilium based cluster.
- */
- security?: AdvancedNetworkingSecurity;
-
- /**
- * Profile to enable performance-enhancing features on clusters that use Azure CNI powered by Cilium.
- */
- @added(Versions.v2025_10_02_preview)
- performance?: AdvancedNetworkingPerformance;
-}
-
-/**
- * Observability profile to enable advanced network metrics and flow logs with historical contexts.
- */
-model AdvancedNetworkingObservability {
- /**
- * Indicates the enablement of Advanced Networking observability functionalities on clusters.
- */
- enabled?: boolean;
-}
-
-/**
- * Security profile to enable security features on cilium based cluster.
- */
-model AdvancedNetworkingSecurity {
- /**
- * This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false.
- */
- enabled?: boolean;
-
- /**
- * Enable advanced network policies. This allows users to configure Layer 7 network policies (FQDN, HTTP, Kafka). Policies themselves must be configured via the Cilium Network Policy resources, see https://docs.cilium.io/en/latest/security/policy/index.html. This can be enabled only on cilium-based clusters. If not specified, the default value is FQDN if security.enabled is set to true.
- */
- advancedNetworkPolicies?: AdvancedNetworkPolicies;
-
- /**
- * Encryption configuration for Cilium-based clusters. Once enabled all traffic between Cilium managed pods will be encrypted when it leaves the node boundary.
- */
- @added(Versions.v2025_10_02_preview)
- transitEncryption?: AdvancedNetworkingSecurityTransitEncryption;
-}
-
-/**
- * Profile of the managed cluster load balancer.
- */
-model ManagedClusterLoadBalancerProfile {
- /**
- * Desired managed outbound IPs for the cluster load balancer.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- managedOutboundIPs?: ManagedClusterLoadBalancerProfileManagedOutboundIPs;
-
- /**
- * Desired outbound IP Prefix resources for the cluster load balancer.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- outboundIPPrefixes?: ManagedClusterLoadBalancerProfileOutboundIPPrefixes;
-
- /**
- * Desired outbound IP resources for the cluster load balancer.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- outboundIPs?: ManagedClusterLoadBalancerProfileOutboundIPs;
-
- /**
- * The effective outbound IP resources of the cluster load balancer.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @visibility(Lifecycle.Read)
- effectiveOutboundIPs?: ResourceReference[];
-
- /**
- * The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports.
- */
- @maxValue(64000)
- @minValue(0)
- allocatedOutboundPorts?: int32 = 0;
-
- /**
- * Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes.
- */
- @maxValue(120)
- @minValue(4)
- idleTimeoutInMinutes?: int32 = 30;
-
- /**
- * Enable multiple standard load balancers per AKS cluster or not.
- */
- enableMultipleStandardLoadBalancers?: boolean;
-
- /**
- * The type of the managed inbound Load Balancer BackendPool.
- */
- backendPoolType?: BackendPoolType = BackendPoolType.NodeIPConfiguration;
-
- /**
- * The health probing behavior for External Traffic Policy Cluster services.
- */
- @added(Versions.v2025_10_02_preview)
- clusterServiceLoadBalancerHealthProbeMode?: ClusterServiceLoadBalancerHealthProbeMode = ClusterServiceLoadBalancerHealthProbeMode.ServiceNodePort;
-}
-
-/**
- * Desired managed outbound IPs for the cluster load balancer.
- */
-#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterLoadBalancerProfileManagedOutboundIPs {
- /**
- * The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1.
- */
- @maxValue(100)
- @minValue(1)
- count?: int32 = 1;
-
- /**
- * The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @maxValue(100)
- @minValue(0)
- countIPv6?: int32 = 0;
-}
-
-/**
- * Desired outbound IP Prefix resources for the cluster load balancer.
- */
-model ManagedClusterLoadBalancerProfileOutboundIPPrefixes {
- /**
- * A list of public IP prefix resources.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- publicIPPrefixes?: ResourceReference[];
-}
-
-/**
- * A reference to an Azure resource.
- */
-model ResourceReference {
- /**
- * The fully qualified Azure resource id.
- */
- id?: Azure.Core.armResourceIdentifier;
-}
-
-/**
- * Desired outbound IP resources for the cluster load balancer.
- */
-#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterLoadBalancerProfileOutboundIPs {
- /**
- * A list of public IP resources.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- publicIPs?: ResourceReference[];
-}
-
-/**
- * Profile of the managed cluster NAT gateway.
- */
-#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterNATGatewayProfile {
- /**
- * Profile of the managed outbound IP resources of the cluster NAT gateway.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- managedOutboundIPProfile?: ManagedClusterManagedOutboundIPProfile;
-
- /**
- * The effective outbound IP resources of the cluster NAT gateway.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @visibility(Lifecycle.Read)
- effectiveOutboundIPs?: ResourceReference[];
-
- /**
- * Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes.
- */
- @maxValue(120)
- @minValue(4)
- idleTimeoutInMinutes?: int32 = 4;
-}
-
-/**
- * Profile of the managed outbound IP resources of the managed cluster.
- */
-model ManagedClusterManagedOutboundIPProfile {
- /**
- * The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1.
- */
- @maxValue(16)
- @minValue(1)
- count?: int32 = 1;
-}
-
-/**
- * The Static Egress Gateway addon configuration for the cluster.
- */
-model ManagedClusterStaticEgressGatewayProfile {
- /**
- * Enable Static Egress Gateway addon. Indicates if Static Egress Gateway addon is enabled or not.
- */
- enabled?: boolean;
-}
-
-/**
- * Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where is represented by a - string. Kubernetes version 1.23 would be '1-23'.
- */
-@added(Versions.v2025_10_02_preview)
-model ContainerServiceNetworkProfileKubeProxyConfig {
- /**
- * Whether to enable on kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations).
- */
- enabled?: boolean;
-
- /**
- * Specify which proxy mode to use ('IPTABLES', 'IPVS' or 'NFTABLES')
- */
- mode?: Mode;
-
- /**
- * Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'.
- */
- ipvsConfig?: ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig;
-}
-
-/**
- * Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'.
- */
-@added(Versions.v2025_10_02_preview)
-model ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig {
- /**
- * IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html.
- */
- scheduler?: IpvsScheduler;
-
- /**
- * The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value.
- */
- tcpTimeoutSeconds?: int32;
-
- /**
- * The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive integer value.
- */
- tcpFinTimeoutSeconds?: int32;
-
- /**
- * The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value.
- */
- udpTimeoutSeconds?: int32;
-}
-
-/**
- * Encryption configuration for Cilium-based clusters. Once enabled all traffic between Cilium managed pods will be encrypted when it leaves the node boundary.
- */
-@added(Versions.v2025_10_02_preview)
-model AdvancedNetworkingSecurityTransitEncryption {
- /**
- * Configures pod-to-pod encryption. This can be enabled only on Cilium-based clusters. If not specified, the default value is None.
- */
- type?: TransitEncryptionType;
-}
-
-/**
- * Profile to enable performance-enhancing features on clusters that use Azure CNI powered by Cilium.
- */
-@added(Versions.v2025_10_02_preview)
-model AdvancedNetworkingPerformance {
- /**
- * Enable advanced network acceleration options. This allows users to configure acceleration using BPF host routing. This can be enabled only with Cilium dataplane. If not specified, the default value is None (no acceleration). The acceleration mode can be changed on a pre-existing cluster. See https://aka.ms/acnsperformance for a detailed explanation
- */
- accelerationMode?: AccelerationMode = AccelerationMode.None;
-}
-
-/**
- * AADProfile specifies attributes for Azure Active Directory integration. For more details see [managed AAD on AKS](https://docs.microsoft.com/azure/aks/managed-aad).
- */
-#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterAADProfile {
- /**
- * Whether to enable managed AAD.
- */
- managed?: boolean;
-
- /**
- * Whether to enable Azure RBAC for Kubernetes authorization.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- enableAzureRBAC?: boolean;
-
- /**
- * The list of AAD group object IDs that will have admin role of the cluster.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- adminGroupObjectIDs?: string[];
-
- /**
- * (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- clientAppID?: string;
-
- /**
- * (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- serverAppID?: string;
-
- /**
- * (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy.
- */
- #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- serverAppSecret?: string;
-
- /**
- * The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- tenantID?: string;
-}
-
-/**
- * Auto upgrade profile for a managed cluster.
- */
-model ManagedClusterAutoUpgradeProfile {
- /**
- * The upgrade channel for auto upgrade. The default is 'none'. For more information see [setting the AKS cluster auto-upgrade channel](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel).
- */
- upgradeChannel?: UpgradeChannel;
-
- /**
- * Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- nodeOSUpgradeChannel?: NodeOSUpgradeChannel;
-}
-
-/**
- * Settings for upgrading a cluster.
- */
-model ClusterUpgradeSettings {
- /**
- * Settings for overrides.
- */
- overrideSettings?: UpgradeOverrideSettings;
-}
-
-/**
- * Settings for overrides when upgrading a cluster.
- */
-model UpgradeOverrideSettings {
- /**
- * Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution.
- */
- forceUpgrade?: boolean;
-
- /**
- * Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the `until` expires as upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect.
- */
- // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario.
- until?: utcDateTime;
-}
-
-/**
- * Parameters to be applied to the cluster-autoscaler when enabled
- */
-model ManagedClusterPropertiesAutoScalerProfile {
- /**
- * Detects similar node pools and balances the number of nodes between them. Valid values are 'true' and 'false'
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `balance-similar-node-groups`?: string;
-
- /**
- * DaemonSet pods will be gracefully terminated from empty nodes. If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `daemonset-eviction-for-empty-nodes`?: boolean;
-
- /**
- * DaemonSet pods will be gracefully terminated from non-empty nodes.
If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `daemonset-eviction-for-occupied-nodes`?: boolean;
-
- /**
- * Should CA ignore DaemonSet pods when calculating resource utilization for scaling down. If set to true, the resources used by daemonset will be taken into account when making scaling down decisions.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `ignore-daemonsets-utilization`?: boolean;
-
- /**
- * The expander to use when scaling up. If not specified, the default is 'random'. See [expanders](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-expanders) for more information.
- */
- expander?: Expander;
-
- /**
- * The maximum number of empty nodes that can be deleted at the same time. This must be a positive integer. The default is 10.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `max-empty-bulk-delete`?: string;
-
- /**
- * The maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. The default is 600.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `max-graceful-termination-sec`?: string;
-
- /**
- * The maximum time the autoscaler waits for a node to be provisioned. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `max-node-provision-time`?: string;
-
- /**
- * The maximum percentage of unready nodes in the cluster. After this percentage is exceeded, cluster autoscaler halts operations. The default is 45. The maximum is 100 and the minimum is 0.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `max-total-unready-percentage`?: string;
-
- /**
- * Ignore unscheduled pods before they're a certain age. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc).
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `new-pod-scale-up-delay`?: string;
-
- /**
- * The number of allowed unready nodes, irrespective of max-total-unready-percentage. This must be an integer. The default is 3.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `ok-total-unready-count`?: string;
-
- /**
- * How often cluster is reevaluated for scale up or down. The default is '10'. Values must be an integer number of seconds.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `scan-interval`?: string;
-
- /**
- * How long after scale up that scale down evaluation resumes. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `scale-down-delay-after-add`?: string;
-
- /**
- * How long after node deletion that scale down evaluation resumes. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `scale-down-delay-after-delete`?: string;
-
- /**
- * How long after scale down failure that scale down evaluation resumes. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `scale-down-delay-after-failure`?: string;
-
- /**
- * How long a node should be unneeded before it is eligible for scale down. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `scale-down-unneeded-time`?: string;
-
- /**
- * How long an unready node should be unneeded before it is eligible for scale down. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `scale-down-unready-time`?: string;
-
- /**
- * Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. The default is '0.5'.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `scale-down-utilization-threshold`?: string;
-
- /**
- * If cluster autoscaler will skip deleting nodes with pods with local storage, for example, EmptyDir or HostPath. The default is true.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `skip-nodes-with-local-storage`?: string;
-
- /**
- * If cluster autoscaler will skip deleting nodes with pods from kube-system (except for DaemonSet or mirror pods). The default is true.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- `skip-nodes-with-system-pods`?: string;
-}
-
-/**
- * Access profile for managed cluster API server.
- */
-#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterAPIServerAccessProfile {
- /**
- * The IP ranges authorized to access the Kubernetes API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see [API server authorized IP ranges](https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges).
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- authorizedIPRanges?: string[];
-
- /**
- * Whether to create the cluster as a private cluster or not. For more details, see [Creating a private AKS cluster](https://docs.microsoft.com/azure/aks/private-clusters).
- */
- enablePrivateCluster?: boolean;
-
- /**
- * The private DNS zone mode for the cluster. The default is System.
For more details see [configure private DNS zone](https://docs.microsoft.com/azure/aks/private-clusters#configure-private-dns-zone). Allowed values are 'system' and 'none'.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- privateDNSZone?: string;
-
- /**
- * Whether to create additional public FQDN for private cluster or not.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- enablePrivateClusterPublicFQDN?: boolean;
-
- /**
- * Whether to disable run command for the cluster or not.
- */
- disableRunCommand?: boolean;
-
- /**
- * Whether to enable apiserver vnet integration for the cluster or not. See aka.ms/AksVnetIntegration for more details.
- */
- enableVnetIntegration?: boolean;
-
- /**
- * The subnet to be used when apiserver vnet integration is enabled. It is required when creating a new cluster with BYO Vnet, or when updating an existing cluster to enable apiserver vnet integration.
- */
- subnetId?: Azure.Core.armResourceIdentifier<[
- {
- type: "Microsoft.Network/virtualNetworks/subnets";
- }
- ]>;
-}
-
-/**
- * A private link resource
- */
-model PrivateLinkResource {
- /**
- * The ID of the private link resource.
- */
- id?: string;
-
- /**
- * The name of the private link resource.
- */
- #suppress "@azure-tools/typespec-azure-core/no-openapi" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @OpenAPI.externalDocs("https://aka.ms/search-naming-rules")
- name?: string;
-
- /**
- * The resource type.
- */
- type?: string;
-
- /**
- * The group ID of the resource.
- */
- groupId?: string;
-
- /**
- * The RequiredMembers of the resource
- */
- requiredMembers?: string[];
-
- /**
- * The private link service ID of the resource, this field is exposed only to NRP internally.
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @visibility(Lifecycle.Read)
- privateLinkServiceID?: Azure.Core.armResourceIdentifier;
-}
-
-/**
- * Cluster HTTP proxy configuration.
- */
-#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model ManagedClusterHTTPProxyConfig {
- /**
- * The HTTP proxy server endpoint to use.
- */
- httpProxy?: string;
-
- /**
- * The HTTPS proxy server endpoint to use.
- */
- httpsProxy?: string;
-
- /**
- * The endpoints that should not go through proxy.
- */
- noProxy?: string[];
-
- /**
- * A read-only list of all endpoints for which traffic should not be sent to the proxy. This list is a superset of noProxy and values injected by AKS.
- */
- @added(Versions.v2025_10_02_preview)
- @visibility(Lifecycle.Read)
- effectiveNoProxy?: string[];
-
- /**
- * Alternative CA cert to use for connecting to proxy servers.
- */
- trustedCa?: string;
-
- /**
- * Whether to enable HTTP proxy. When disabled, the specified proxy configuration will be not be set on pods and nodes.
- */
- @added(Versions.v2025_10_02_preview)
- enabled?: boolean;
-}
-
-/**
- * Security profile for the container service cluster.
- */
-model ManagedClusterSecurityProfile {
- /**
- * Microsoft Defender settings for the security profile.
- */
- defender?: ManagedClusterSecurityProfileDefender;
-
- /**
- * Azure Key Vault [key management service](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/) settings for the security profile.
- */
- azureKeyVaultKms?: AzureKeyVaultKms;
-
- /**
- * Encryption at rest of Kubernetes resource objects.
More information on this can be found under https://aka.ms/aks/kubernetesResourceObjectEncryption
- */
- @added(Versions.v2025_10_02_preview)
- kubernetesResourceObjectEncryptionProfile?: KubernetesResourceObjectEncryptionProfile;
-
- /**
- * Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.
- */
- workloadIdentity?: ManagedClusterSecurityProfileWorkloadIdentity;
-
- /**
- * Image Cleaner settings for the security profile.
- */
- imageCleaner?: ManagedClusterSecurityProfileImageCleaner;
-
- /**
- * Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy.
- */
- @added(Versions.v2025_10_02_preview)
- imageIntegrity?: ManagedClusterSecurityProfileImageIntegrity;
-
- /**
- * [Node Restriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) settings for the security profile.
- */
- @added(Versions.v2025_10_02_preview)
- nodeRestriction?: ManagedClusterSecurityProfileNodeRestriction;
-
- /**
- * A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see [Custom CA Trust Certificates](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority).
- */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @maxItems(10)
- @minItems(0)
- customCATrustCertificates?: bytes[];
-}
-
-/**
- * Microsoft Defender settings for the security profile.
- */
-model ManagedClusterSecurityProfileDefender {
- /**
- * Resource ID of the Log Analytics workspace to be associated with Microsoft Defender.
When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. - */ - logAnalyticsWorkspaceResourceId?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.OperationalInsights/workspaces"; - } - ]>; - - /** - * Microsoft Defender threat detection for Cloud settings for the security profile. - */ - securityMonitoring?: ManagedClusterSecurityProfileDefenderSecurityMonitoring; - - /** - * Microsoft Defender settings for security gating, validates container images eligibility for deployment based on Defender for Containers security findings. Using Admission Controller, it either audits or prevents the deployment of images that do not meet security standards. - */ - @added(Versions.v2025_10_02_preview) - securityGating?: ManagedClusterSecurityProfileDefenderSecurityGating; -} - -/** - * Microsoft Defender settings for the security profile threat detection. - */ -model ManagedClusterSecurityProfileDefenderSecurityMonitoring { - /** - * Whether to enable Defender threat detection - */ - enabled?: boolean; -} - -/** - * Microsoft Defender settings for security gating, validates container images eligibility for deployment based on Defender for Containers security findings. Using Admission Controller, it either audits or prevents the deployment of images that do not meet security standards. - */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterSecurityProfileDefenderSecurityGating { - /** - * Whether to enable Defender security gating. When enabled, the gating feature will scan container images and audit or block the deployment of images that do not meet security standards according to the configured security rules. - */ - enabled?: boolean; - - /** - * List of identities that the admission controller will make use of in order to pull security artifacts from the registry. These are the same identities used by the cluster to pull container images. 
Each identity provided should have federated identity credential attached to it. - */ - @identifiers(#[]) - identities?: ManagedClusterSecurityProfileDefenderSecurityGatingIdentitiesItem[]; - - /** - * In use only while registry access granted by secret rather than managed identity. Set whether to grant the Defender gating agent access to the cluster's secrets for pulling images from registries. If secret access is denied and the registry requires pull secrets, the add-on will not perform any image validation. Default value is false. - */ - allowSecretAccess?: boolean; -} - -/** Identity information used by Defender security gating to access container registries. */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterSecurityProfileDefenderSecurityGatingIdentitiesItem { - /** - * The container registry for which the identity will be used; the identity specified here should have a federated identity credential attached to it. - */ - azureContainerRegistry?: string; - - /** - * The identity object used to access the registry - */ - identity?: UserAssignedIdentity; -} - -/** - * Azure Key Vault key management service settings for the security profile. - */ -model AzureKeyVaultKms { - /** - * Whether to enable Azure Key Vault key management service. The default is false. - */ - enabled?: boolean; - - /** - * Identifier of Azure Key Vault key. See [key identifier format](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name) for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. - */ - keyId?: string; - - /** - * Network access of the key vault. Network access of key vault. The possible values are `Public` and `Private`. `Public` means the key vault allows public access from all networks. 
`Private` means the key vault disables public access and enables private link. The default value is `Public`. - */ - keyVaultNetworkAccess?: KeyVaultNetworkAccessTypes = KeyVaultNetworkAccessTypes.Public; - - /** - * Resource ID of key vault. When keyVaultNetworkAccess is `Private`, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is `Public`, leave the field empty. - */ - keyVaultResourceId?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.KeyVault/vaults"; - } - ]>; -} - -/** - * Encryption at rest of Kubernetes resource objects using service-managed keys. More information on this can be found under https://aka.ms/aks/kubernetesResourceObjectEncryption. - */ -@added(Versions.v2025_10_02_preview) -model KubernetesResourceObjectEncryptionProfile { - /** - * Whether to enable encryption at rest of Kubernetes resource objects using service-managed keys. More information on this can be found under https://aka.ms/aks/kubernetesResourceObjectEncryption. - */ - infrastructureEncryption?: InfrastructureEncryption = InfrastructureEncryption.Disabled; -} - -/** - * Workload identity settings for the security profile. - */ -model ManagedClusterSecurityProfileWorkloadIdentity { - /** - * Whether to enable workload identity. - */ - enabled?: boolean; -} - -/** - * Image Cleaner removes unused images from nodes, freeing up disk space and helping to reduce attack surface area. Here are settings for the security profile. - */ -model ManagedClusterSecurityProfileImageCleaner { - /** - * Whether to enable Image Cleaner on AKS cluster. - */ - enabled?: boolean; - - /** - * Image Cleaner scanning interval in hours. - */ - intervalHours?: int32; -} - -/** - * Image integrity related settings for the security profile. - */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterSecurityProfileImageIntegrity { - /** - * Whether to enable image integrity. The default value is false. 
- */ - enabled?: boolean; -} - -/** - * Node Restriction settings for the security profile. - */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterSecurityProfileNodeRestriction { - /** - * Whether to enable Node Restriction - */ - enabled?: boolean; -} - -/** - * Storage profile for the container service cluster. - */ -model ManagedClusterStorageProfile { - /** - * AzureDisk CSI Driver settings for the storage profile. - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - diskCSIDriver?: ManagedClusterStorageProfileDiskCSIDriver; - - /** - * AzureFile CSI Driver settings for the storage profile. - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - fileCSIDriver?: ManagedClusterStorageProfileFileCSIDriver; - - /** - * Snapshot Controller settings for the storage profile. - */ - snapshotController?: ManagedClusterStorageProfileSnapshotController; - - /** - * AzureBlob CSI Driver settings for the storage profile. - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - blobCSIDriver?: ManagedClusterStorageProfileBlobCSIDriver; -} - -/** - * AzureDisk CSI Driver settings for the storage profile. - */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model ManagedClusterStorageProfileDiskCSIDriver { - /** - * Whether to enable AzureDisk CSI Driver. The default value is true. - */ - enabled?: boolean; - - /** - * The version of AzureDisk CSI Driver. The default value is v1. - */ - @added(Versions.v2025_10_02_preview) - version?: string; -} - -/** - * AzureFile CSI Driver settings for the storage profile. 
- */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model ManagedClusterStorageProfileFileCSIDriver { - /** - * Whether to enable AzureFile CSI Driver. The default value is true. - */ - enabled?: boolean; -} - -/** - * Snapshot Controller settings for the storage profile. - */ -model ManagedClusterStorageProfileSnapshotController { - /** - * Whether to enable Snapshot Controller. The default value is true. - */ - enabled?: boolean; -} - -/** - * AzureBlob CSI Driver settings for the storage profile. - */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model ManagedClusterStorageProfileBlobCSIDriver { - /** - * Whether to enable AzureBlob CSI Driver. The default value is false. - */ - enabled?: boolean; -} - -/** - * Ingress profile for the container service cluster. - */ -model ManagedClusterIngressProfile { - /** - * App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at https://learn.microsoft.com/en-us/azure/aks/app-routing?tabs=default%2Cdeploy-app-default. - */ - webAppRouting?: ManagedClusterIngressProfileWebAppRouting; - - /** - * Settings for the managed Gateway API installation - */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @added(Versions.v2025_10_02_preview) - gatewayAPI?: ManagedClusterIngressProfileGatewayConfiguration; - - /** - * Settings for the managed Application Load Balancer installation - */ - @added(Versions.v2025_10_02_preview) - applicationLoadBalancer?: ManagedClusterIngressProfileApplicationLoadBalancer; -} - -/** Configuration for the ingress managed gateway. See https://aka.ms/k8s-gateway-api for more details. 
*/ -@added(Versions.v2025_10_02_preview) -model ManagedClusterIngressProfileGatewayConfiguration { - /** - * Configuration for the managed Gateway API installation. If not specified, the default is 'Disabled'. See https://aka.ms/k8s-gateway-api for more details. - */ - installation?: ManagedGatewayType; -} - -/** - * Application Routing add-on settings for the ingress profile. - */ -model ManagedClusterIngressProfileWebAppRouting { - /** - * Whether to enable the Application Routing add-on. - */ - enabled?: boolean; - - /** - * Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. - */ - @maxItems(5) - dnsZoneResourceIds?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.Network/dnszones"; - }, - { - type: "Microsoft.Network/privateDnsZones"; - } - ]>[]; - - /** - * Configuration for the default NginxIngressController. See more at https://learn.microsoft.com/en-us/azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. - */ - nginx?: ManagedClusterIngressProfileNginx; - - /** - * Managed identity of the Application Routing add-on. This is the identity that should be granted permissions, for example, to manage the associated Azure DNS resource and get certificates from Azure Key Vault. See [this overview of the add-on](https://learn.microsoft.com/en-us/azure/aks/web-app-routing?tabs=with-osm) for more instructions. - */ - @visibility(Lifecycle.Read) - identity?: UserAssignedIdentity; - - /** - * Configuration for the Default Domain. This is a unique, autogenerated domain that comes with a signed TLS Certificate allowing for secure HTTPS. See [the Default Domain documentation](https://aka.ms/aks/defaultdomain) for more instructions. 
- */ - @added(Versions.v2025_10_02_preview) - defaultDomain?: ManagedClusterIngressDefaultDomainProfile; -} - -/** Nginx ingress controller configuration for the managed cluster ingress profile. */ -model ManagedClusterIngressProfileNginx { - /** - * Ingress type for the default NginxIngressController custom resource - */ - defaultIngressControllerType?: NginxIngressControllerType; -} - -/** Default domain profile for the managed cluster ingress profile. */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterIngressDefaultDomainProfile { - /** - * Whether to enable Default Domain. - */ - enabled?: boolean; - - /** - * The unique fully qualified domain name assigned to the cluster. This will not change even if disabled then reenabled. - */ - @visibility(Lifecycle.Read) - domainName?: string; -} - -/** - * Application Load Balancer settings for the ingress profile. - */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterIngressProfileApplicationLoadBalancer { - /** - * Whether to enable Application Load Balancer. - */ - enabled?: boolean; - - /** - * Managed identity of the Application Load Balancer add-on. This is the identity that should be granted permissions to manage the associated Application Gateway for Containers resource. - */ - @visibility(Lifecycle.Read) - identity?: UserAssignedIdentity; -} - -/** - * Workload Auto-scaler profile for the managed cluster. - */ -model ManagedClusterWorkloadAutoScalerProfile { - /** - * KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. - */ - keda?: ManagedClusterWorkloadAutoScalerProfileKeda; - - /** - * VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. - */ - verticalPodAutoscaler?: ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler; -} - -/** - * KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. - */ -model ManagedClusterWorkloadAutoScalerProfileKeda { - /** - * Whether to enable KEDA. 
- */ - enabled: boolean; -} - -/** - * VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. - */ -model ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler { - /** - * Whether to enable VPA. Default value is false. - */ - enabled: boolean = false; - - /** - * Whether VPA add-on is enabled and configured to scale AKS-managed add-ons. - */ - @added(Versions.v2025_10_02_preview) - addonAutoscaling?: AddonAutoscaling = AddonAutoscaling.Disabled; -} - -/** - * Azure Monitor addon profiles for monitoring the managed cluster. - */ -model ManagedClusterAzureMonitorProfile { - /** - * Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview. - */ - metrics?: ManagedClusterAzureMonitorProfileMetrics; - - /** - * Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview. - */ - @added(Versions.v2025_10_02_preview) - containerInsights?: ManagedClusterAzureMonitorProfileContainerInsights; - - /** - * Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. - */ - @added(Versions.v2025_10_02_preview) - appMonitoring?: ManagedClusterAzureMonitorProfileAppMonitoring; -} - -/** - * Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview. 
- */ -model ManagedClusterAzureMonitorProfileMetrics { - /** - * Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling. - */ - enabled: boolean; - - /** - * Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details. - */ - kubeStateMetrics?: ManagedClusterAzureMonitorProfileKubeStateMetrics; -} - -/** - * Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details. - */ -model ManagedClusterAzureMonitorProfileKubeStateMetrics { - /** - * Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). By default the metric contains only resource name and namespace labels. - */ - metricLabelsAllowlist?: string; - - /** - * Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...'). By default the metric contains only resource name and namespace labels. - */ - metricAnnotationsAllowList?: string; -} - -/** - * Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview. - */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterAzureMonitorProfileContainerInsights { - /** - * Indicates if Azure Monitor Container Insights Logs Addon is enabled or not. 
- */ - enabled?: boolean; - - /** - * Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs. - */ - logAnalyticsWorkspaceResourceId?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.OperationalInsights/workspaces"; - } - ]>; + cacheDurationInSeconds?: int32 = 3600; /** - * The syslog host port. If not specified, the default port is 28330. + * Serve stale duration in seconds. See [cache plugin](https://coredns.io/plugins/cache) for more information. */ - syslogPort?: int64; + serveStaleDurationInSeconds?: int32 = 3600; /** - * Indicates whether custom metrics collection has to be disabled or not. If not specified the default is false. No custom metrics will be emitted if this field is false but the container insights enabled field is false + * Policy for serving stale data. See [cache plugin](https://coredns.io/plugins/cache) for more information. */ - disableCustomMetrics?: boolean; + serveStale?: LocalDNSServeStale = LocalDNSServeStale.Immediate; +} +/** + * Settings to determine the node customization used to provision nodes in a pool. + */ +@added(Versions.v2025_10_02_preview) +model NodeCustomizationProfile { /** - * Indicates whether prometheus metrics scraping is disabled or not. If not specified the default is false. No prometheus metrics will be emitted if this field is false but the container insights enabled field is false + * The resource ID of the node customization resource to use. This can be a version. Omitting the version will use the latest version of the node customization. */ - disablePrometheusMetricsScraping?: boolean; + nodeCustomizationId?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.ContainerService/nodeCustomizations"; + } + ]>; } /** - * Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. 
See aka.ms/AzureMonitorApplicationMonitoring for an overview. + * Profile for Linux VMs in the container service cluster. */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterAzureMonitorProfileAppMonitoring { +model ContainerServiceLinuxProfile { /** - * Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview. + * The administrator username to use for Linux VMs. */ - autoInstrumentation?: ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation; + @pattern("^[A-Za-z][-A-Za-z0-9_]*$") + adminUsername: string; /** - * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. + * The SSH configuration for Linux-based VMs running on Azure. */ - openTelemetryMetrics?: ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics; + ssh: ContainerServiceSshConfiguration; +} +/** + * SSH configuration for Linux-based VMs running on Azure. + */ +model ContainerServiceSshConfiguration { /** - * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. + * The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. */ - openTelemetryLogs?: ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs; + @identifiers(#[]) + publicKeys: ContainerServiceSshPublicKey[]; } /** - * Application Monitoring Auto Instrumentation for Kubernetes Application Container. 
Deploys web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview. + * Contains information about SSH certificate public key data. */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation { +model ContainerServiceSshPublicKey { /** - * Indicates if Application Monitoring Auto Instrumentation is enabled or not. + * Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. */ - enabled?: boolean; + keyData: string; } /** - * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. + * Profile for Windows VMs in the managed cluster. */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics { +model ManagedClusterWindowsProfile { /** - * Indicates if Application Monitoring Open Telemetry Metrics is enabled or not. + * Specifies the name of the administrator account.

**Restriction:** Cannot end in "."

**Disallowed values:** "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

**Minimum-length:** 1 character

**Max-length:** 20 characters */ - enabled?: boolean; + adminUsername: string; + + #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @doc("Specifies the password of the administrator account.

**Minimum-length:** 8 characters

**Max-length:** 123 characters

**Complexity requirements:** 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\\W_])

**Disallowed values:** \"abc@123\", \"P@$$w0rd\", \"P@ssw0rd\", \"P@ssword123\", \"Pa$$word\", \"pass@word1\", \"Password!\", \"Password1\", \"Password22\", \"iloveyou!\"") + adminPassword?: string; /** - * The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333. + * The license type to use for Windows VMs. See [Azure Hybrid User Benefits](https://azure.microsoft.com/pricing/hybrid-benefit/faq/) for more details. */ - port?: int64; -} + licenseType?: LicenseType; -/** - * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. - */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs { /** - * Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not. + * Whether to enable CSI proxy. For more details on CSI proxy, see the [CSI proxy GitHub repo](https://github.com/kubernetes-csi/csi-proxy). */ - enabled?: boolean; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + enableCSIProxy?: boolean; /** - * The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331. + * The Windows gMSA Profile in the Managed Cluster. */ - port?: int64; + gmsaProfile?: WindowsGmsaProfile; } /** - * Service mesh profile for a managed cluster. + * Windows gMSA Profile in the managed cluster. */ -model ServiceMeshProfile { +model WindowsGmsaProfile { /** - * Mode of the service mesh. + * Whether to enable Windows gMSA. Specifies whether to enable Windows gMSA in the managed cluster. */ - mode: ServiceMeshMode; + enabled?: boolean; /** - * Istio service mesh configuration. + * Specifies the DNS server for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. */ - istio?: IstioServiceMesh; -} + dnsServer?: string; -/** - * Istio service mesh configuration. - */ -model IstioServiceMesh { /** - * Istio components configuration. + * Specifies the root domain name for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. */ - components?: IstioComponents; + rootDomainName?: string; +} +/** + * Information about a service principal identity for the cluster to use for manipulating Azure APIs. + */ +model ManagedClusterServicePrincipalProfile { /** - * Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca + * The ID for the service principal. */ - certificateAuthority?: IstioCertificateAuthority; + clientId: string; /** - * The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: https://learn.microsoft.com/en-us/azure/aks/istio-upgrade + * The secret password associated with the service principal in plain text. */ - @maxItems(2) - @uniqueItems - revisions?: string[]; + #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + secret?: string; } /** - * Istio components configuration. + * A Kubernetes add-on profile for a managed cluster. */ -model IstioComponents { +model ManagedClusterAddonProfile { /** - * Istio ingress gateways. + * Whether the add-on is enabled or not. */ - @identifiers(#[]) - ingressGateways?: IstioIngressGateway[]; + enabled: boolean; /** - * Istio egress gateways. + * Key-value pairs for configuring an add-on. */ - @identifiers(#[]) - egressGateways?: IstioEgressGateway[]; + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + config?: Record; /** - * Mode of traffic redirection. + * Information of user assigned identity used by this add-on. 
*/ - @added(Versions.v2025_10_02_preview) - proxyRedirectionMechanism?: ProxyRedirectionMechanism; + @visibility(Lifecycle.Read) + identity?: ManagedClusterAddonProfileIdentity; } /** - * Istio ingress gateway configuration. For now, we support up to one external ingress gateway named `aks-istio-ingressgateway-external` and one internal ingress gateway named `aks-istio-ingressgateway-internal`. + * Information of user assigned identity used by this add-on. */ -model IstioIngressGateway { +#suppress "@azure-tools/typespec-azure-resource-manager/no-empty-model" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +#suppress "@azure-tools/typespec-azure-core/composition-over-inheritance" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterAddonProfileIdentity extends UserAssignedIdentity {} + +/** + * Details about a user assigned identity. + */ +model UserAssignedIdentity { /** - * Mode of an ingress gateway. + * The resource ID of the user assigned identity. */ - mode: IstioIngressGatewayMode; + resourceId?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.ManagedIdentity/userAssignedIdentities"; + } + ]>; /** - * Whether to enable the ingress gateway. + * The client ID of the user assigned identity. */ - enabled: boolean; + clientId?: string; + + /** + * The object ID of the user assigned identity. + */ + objectId?: string; } /** - * Istio egress gateway configuration. + * The pod identity profile of the Managed Cluster. See [use AAD pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) for more details on pod identity integration. */ -model IstioEgressGateway { +model ManagedClusterPodIdentityProfile { /** - * Whether to enable the egress gateway. + * Whether the pod identity addon is enabled. */ - enabled: boolean; + enabled?: boolean; /** - * Name of the Istio add-on egress gateway. + * Whether pod identity is allowed to run on clusters with Kubenet networking. 
Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See [using Kubenet network plugin with AAD Pod Identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity#using-kubenet-network-plugin-with-azure-active-directory-pod-managed-identities) for more information. */ - @pattern("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*") - name: string; + allowNetworkPluginKubenet?: boolean; /** - * Namespace that the Istio add-on egress gateway should be deployed in. If unspecified, the default is aks-istio-egress. + * The pod identities to use in the cluster. */ - `namespace`?: string; + @identifiers(#[]) + userAssignedIdentities?: ManagedClusterPodIdentity[]; /** - * Name of the gateway configuration custom resource for the Istio add-on egress gateway. Must be specified when enabling the Istio egress gateway. Must be deployed in the same namespace that the Istio egress gateway will be deployed in. + * The pod identity exceptions to allow. */ - gatewayConfigurationName?: string; + @identifiers(#[]) + userAssignedIdentityExceptions?: ManagedClusterPodIdentityException[]; } /** - * Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca + * Details about the pod identity assigned to the Managed Cluster. */ -model IstioCertificateAuthority { +model ManagedClusterPodIdentity { /** - * Plugin certificates information for Service Mesh. + * The name of the pod identity. */ - plugin?: IstioPluginCertificateAuthority; -} + name: string; -/** - * Plugin certificates information for Service Mesh. - */ -model IstioPluginCertificateAuthority { /** - * The resource ID of the Key Vault. + * The namespace of the pod identity. 
*/ - keyVaultId?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.KeyVault/vaults"; - } - ]>; + `namespace`: string; /** - * Intermediate certificate object name in Azure Key Vault. + * The binding selector to use for the AzureIdentityBinding resource. */ - certObjectName?: string; + bindingSelector?: string; /** - * Intermediate certificate private key object name in Azure Key Vault. + * The user assigned identity details. */ - keyObjectName?: string; + identity: UserAssignedIdentity; /** - * Root certificate object name in Azure Key Vault. + * The current provisioning state of the pod identity. */ - rootCertObjectName?: string; + @visibility(Lifecycle.Read) + provisioningState?: ManagedClusterPodIdentityProvisioningState; + + /** The provisioning information for the pod identity. */ + @visibility(Lifecycle.Read) + provisioningInfo?: ManagedClusterPodIdentityProvisioningInfo; +} +/** Pod identity provisioning information. */ +model ManagedClusterPodIdentityProvisioningInfo { /** - * Certificate chain object name in Azure Key Vault. + * Pod identity assignment error (if any). */ - certChainObjectName?: string; + error?: ManagedClusterPodIdentityProvisioningError; } /** - * The metrics profile for the ManagedCluster. + * An error response from the pod identity provisioning. */ -model ManagedClusterMetricsProfile { +model ManagedClusterPodIdentityProvisioningError { /** - * The configuration for detailed per-Kubernetes resource cost analysis. + * Details about the error. */ - costAnalysis?: ManagedClusterCostAnalysis; + error?: ManagedClusterPodIdentityProvisioningErrorBody; } /** - * The cost analysis configuration for the cluster + * An error response from the pod identity provisioning. */ -model ManagedClusterCostAnalysis { +model ManagedClusterPodIdentityProvisioningErrorBody { + /** + * An identifier for the error. Codes are invariant and are intended to be consumed programmatically. + */ + code?: string; + /** - * Whether to enable cost analysis. 
The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. + * A message describing the error, intended to be suitable for display in a user interface. */ - enabled?: boolean; -} + message?: string; -/** Node provisioning profile for the managed cluster. */ -model ManagedClusterNodeProvisioningProfile { /** - * The node provisioning mode. If not specified, the default is Manual. + * The target of the particular error. For example, the name of the property in error. */ - mode?: NodeProvisioningMode; + target?: string; /** - * The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools. + * A list of additional details about the error. */ - defaultNodePools?: NodeProvisioningDefaultNodePools = NodeProvisioningDefaultNodePools.Auto; + @identifiers(#[]) + details?: ManagedClusterPodIdentityProvisioningErrorBody[]; } /** - * The bootstrap profile. + * A pod identity exception, which allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the node-managed identity (NMI) server. See [disable AAD Pod Identity for a specific Pod/Application](https://azure.github.io/aad-pod-identity/docs/configure/application_exception/) for more details. 
*/ -model ManagedClusterBootstrapProfile { +model ManagedClusterPodIdentityException { /** - * The artifact source. The source where the artifacts are downloaded from. + * The name of the pod identity exception. */ - artifactSource?: ArtifactSource = ArtifactSource.Direct; + name: string; /** - * The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. + * The namespace of the pod identity exception. */ - containerRegistryId?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.ContainerRegistry/registries"; - } - ]>; + `namespace`: string; + + /** + * The pod labels to match. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + podLabels: Record; } /** - * When enabling the operator, a set of AKS managed CRDs and controllers will be installed in the cluster. The operator automates the deployment of OSS models for inference and/or training purposes. It provides a set of preset models and enables distributed inference against them. + * The OIDC issuer profile of the Managed Cluster. */ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model ManagedClusterAIToolchainOperatorProfile { +model ManagedClusterOIDCIssuerProfile { /** - * Whether to enable AI toolchain operator to the cluster. Indicates if AI toolchain operator enabled or not. + * The OIDC issuer url of the Managed Cluster. */ - enabled?: boolean; -} + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + issuerURL?: string; -/** - * The pod scheduler profile for the cluster. - */ -@added(Versions.v2025_10_02_preview) -model SchedulerProfile { /** - * Mapping of each scheduler instance to its profile. + * Whether the OIDC issuer is enabled. 
*/ - schedulerInstanceProfiles?: SchedulerProfileSchedulerInstanceProfiles; + enabled?: boolean; } /** - * Mapping of each scheduler instance to its profile. + * Node resource group lockdown profile for a managed cluster. */ -@added(Versions.v2025_10_02_preview) -model SchedulerProfileSchedulerInstanceProfiles { +model ManagedClusterNodeResourceGroupProfile { /** - * The scheduler profile for the upstream scheduler instance. + * The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted' */ - upstream?: SchedulerInstanceProfile; + restrictionLevel?: RestrictionLevel; } /** - * The scheduler profile for a single scheduler instance. + * Profile of network configuration. */ -@added(Versions.v2025_10_02_preview) -model SchedulerInstanceProfile { +model ContainerServiceNetworkProfile { /** - * The config customization mode for this scheduler instance. + * Network plugin used for building the Kubernetes network. */ - schedulerConfigMode?: SchedulerConfigMode; -} + networkPlugin?: NetworkPlugin; -/** - * Settings for hosted system addons. - */ -@added(Versions.v2025_10_02_preview) -model ManagedClusterHostedSystemProfile { /** - * Whether to enable hosted system addons for the cluster. + * The mode the network plugin should use. */ - enabled?: boolean; -} + networkPluginMode?: NetworkPluginMode; -/** - * Contains read-only information about the Managed Cluster. - */ -model ManagedClusterStatus { /** - * The error details information of the managed cluster. Preserves the detailed info of failure. If there was no error, this field is omitted. + * Network policy used for building the Kubernetes network. */ - @visibility(Lifecycle.Read) - provisioningError?: Azure.ResourceManager.CommonTypes.ErrorDetail; -} + networkPolicy?: NetworkPolicy; -/** - * Control plane and agent pool upgrade profiles. 
- */ -#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model ManagedClusterUpgradeProfileProperties { /** - * The list of available upgrade versions for the control plane. + * The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'. */ - controlPlaneProfile: ManagedClusterPoolUpgradeProfile; + networkMode?: NetworkMode; /** - * The list of available upgrade versions for agent pools. + * Network dataplane used in the Kubernetes cluster. */ - @identifiers(#[]) - agentPoolProfiles: ManagedClusterPoolUpgradeProfile[]; -} + networkDataplane?: NetworkDataplane; -/** - * The list of available upgrade versions. - */ -model ManagedClusterPoolUpgradeProfile { /** - * The Kubernetes version (major.minor.patch). + * Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. */ - kubernetesVersion: string; + advancedNetworking?: AdvancedNetworking; /** - * The Agent Pool name. + * A CIDR notation IP range from which to assign pod IPs when kubenet is used. */ - name?: string; + @pattern("^([0-9]{1,3}\\.){3}[0-9]{1,3}(\\/([0-9]|[1-2][0-9]|3[0-2]))?$") + podCidr?: string = "10.244.0.0/16"; /** - * The operating system type. The default is Linux. + * A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. */ - osType: OSType = OSType.Linux; + @pattern("^([0-9]{1,3}\\.){3}[0-9]{1,3}(\\/([0-9]|[1-2][0-9]|3[0-2]))?$") + serviceCidr?: string = "10.0.0.0/16"; /** - * List of orchestrator types and versions available for upgrade. + * An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. 
*/ - @identifiers(#[]) - upgrades?: ManagedClusterPoolUpgradeProfileUpgradesItem[]; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @pattern("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") + dnsServiceIP?: string = "10.0.0.10"; /** - * List of components grouped by kubernetes major.minor version. + * The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see [egress outbound type](https://docs.microsoft.com/azure/aks/egress-outboundtype). */ - @added(Versions.v2025_10_02_preview) - @identifiers(#[]) - componentsByReleases?: ComponentsByRelease[]; -} + outboundType?: OutboundType = OutboundType.loadBalancer; -/** Available upgrades for an AgentPool. */ -model ManagedClusterPoolUpgradeProfileUpgradesItem { /** - * The Kubernetes version (major.minor.patch). + * The load balancer sku for the managed cluster. The default is 'standard'. See [Azure Load Balancer SKUs](https://docs.microsoft.com/azure/load-balancer/skus) for more information about the differences between load balancer SKUs. */ - kubernetesVersion?: string; + loadBalancerSku?: LoadBalancerSku; /** - * Whether the Kubernetes version is currently in preview. + * Profile of the cluster load balancer. */ - isPreview?: boolean; + loadBalancerProfile?: ManagedClusterLoadBalancerProfile; /** - * Whether the Kubernetes version is out of support. + * Profile of the cluster NAT gateway. */ - @added(Versions.v2025_10_02_preview) - isOutOfSupport?: boolean; -} + natGatewayProfile?: ManagedClusterNATGatewayProfile; -/** - * components of given Kubernetes version. - */ -@added(Versions.v2025_10_02_preview) -model ComponentsByRelease { /** - * The Kubernetes version (major.minor). + * The profile for Static Egress Gateway addon. 
For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. */ - kubernetesVersion?: string; + staticEgressGatewayProfile?: ManagedClusterStaticEgressGatewayProfile; /** - * components of current or upgraded Kubernetes version in the cluster. + * The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. */ - @identifiers(#[]) - components?: Component[]; -} + podCidrs?: string[]; -/** Component information for a Kubernetes version. */ -@added(Versions.v2025_10_02_preview) -model Component { /** - * Component name. + * The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. */ - name?: string; + serviceCidrs?: string[]; /** - * Component version. + * The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. */ - version?: string; + ipFamilies?: IPFamily[]; /** - * If upgraded component version contains breaking changes from the current version. To see a detailed description of what the breaking changes are, visit https://learn.microsoft.com/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-components-breaking-changes-by-version. + * Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. if not specified, the default is 'IMDS'. */ - hasBreakingChanges?: boolean; -} + @added(Versions.v2025_10_02_preview) + podLinkLocalAccess?: PodLinkLocalAccess; -/** - * Managed cluster Access Profile. 
- */ -#suppress "@azure-tools/typespec-azure-core/composition-over-inheritance" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model ManagedClusterAccessProfile - extends Azure.ResourceManager.CommonTypes.TrackedResource { /** - * AccessProfile of a managed cluster. + * Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where is represented by a - string. Kubernetes version 1.23 would be '1-23'. */ - properties?: AccessProfile; + @added(Versions.v2025_10_02_preview) + kubeProxyConfig?: ContainerServiceNetworkProfileKubeProxyConfig; } /** - * Profile for enabling a user to access a managed cluster. + * Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. */ -model AccessProfile { +model AdvancedNetworking { /** - * Base64-encoded Kubernetes configuration file. + * Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false. */ - kubeConfig?: bytes; -} + enabled?: boolean; -/** - * The list credential result response. - */ -model CredentialResults { /** - * Base64-encoded Kubernetes configuration file. + * Observability profile to enable advanced network metrics and flow logs with historical contexts. */ - @visibility(Lifecycle.Read) - @identifiers(#[]) - kubeconfigs?: CredentialResult[]; -} + observability?: AdvancedNetworkingObservability; -/** - * The credential result response. - */ -model CredentialResult { /** - * The name of the credential. + * Security profile to enable security features on cilium based cluster. 
*/ - @visibility(Lifecycle.Read) - name?: string; + security?: AdvancedNetworkingSecurity; /** - * Base64-encoded Kubernetes configuration file. + * Profile to enable performance-enhancing features on clusters that use Azure CNI powered by Cilium. */ - @visibility(Lifecycle.Read) - value?: bytes; + @added(Versions.v2025_10_02_preview) + performance?: AdvancedNetworkingPerformance; } /** - * Tags object for patch operations. + * Observability profile to enable advanced network metrics and flow logs with historical contexts. */ -#suppress "@azure-tools/typespec-azure-resource-manager/patch-envelope" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model TagsObject { +model AdvancedNetworkingObservability { /** - * Resource tags. + * Indicates the enablement of Advanced Networking observability functionalities on clusters. */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - tags?: Record; + enabled?: boolean; } /** - * Properties used to configure planned maintenance for a Managed Cluster. + * Security profile to enable security features on cilium based cluster. */ -#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model MaintenanceConfigurationProperties { +model AdvancedNetworkingSecurity { /** - * Time slots during the week when planned maintenance is allowed to proceed. If two array entries specify the same day of the week, the applied configuration is the union of times in both entries. + * This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. */ - @identifiers(#[]) - timeInWeek?: TimeInWeek[]; + enabled?: boolean; /** - * Time slots on which upgrade is not allowed. + * Enable advanced network policies. 
This allows users to configure Layer 7 network policies (FQDN, HTTP, Kafka). Policies themselves must be configured via the Cilium Network Policy resources, see https://docs.cilium.io/en/latest/security/policy/index.html. This can be enabled only on cilium-based clusters. If not specified, the default value is FQDN if security.enabled is set to true. */ - @identifiers(#[]) - notAllowedTime?: TimeSpan[]; + advancedNetworkPolicies?: AdvancedNetworkPolicies; /** - * Maintenance window for the maintenance configuration. + * Encryption configuration for Cilium-based clusters. Once enabled all traffic between Cilium managed pods will be encrypted when it leaves the node boundary. */ - maintenanceWindow?: MaintenanceWindow; + @added(Versions.v2025_10_02_preview) + transitEncryption?: AdvancedNetworkingSecurityTransitEncryption; } /** - * Time in a week. + * Profile of the managed cluster load balancer. */ -model TimeInWeek { - /** - * The day of the week. - */ - day?: WeekDay; - +model ManagedClusterLoadBalancerProfile { /** - * A list of hours in the day used to identify a time range. Each integer hour represents a time range beginning at 0m after the hour ending at the next hour (non-inclusive). 0 corresponds to 00:00 UTC, 23 corresponds to 23:00 UTC. Specifying [0, 1] means the 00:00 - 02:00 UTC time range. + * Desired managed outbound IPs for the cluster load balancer. */ - hourSlots?: HourInDay[]; -} - -/** - * Hour in a day. - */ -@minValue(0) -@maxValue(23) -scalar HourInDay extends int32; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + managedOutboundIPs?: ManagedClusterLoadBalancerProfileManagedOutboundIPs; -/** - * A time range. For example, between 2021-05-25T13:00:00Z and 2021-05-25T14:00:00Z. - */ -model TimeSpan { /** - * The start of a time span + * Desired outbound IP Prefix resources for the cluster load balancer. 
*/ - // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. - start?: utcDateTime; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + outboundIPPrefixes?: ManagedClusterLoadBalancerProfileOutboundIPPrefixes; /** - * The end of a time span + * Desired outbound IP resources for the cluster load balancer. */ - // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. - end?: utcDateTime; -} + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + outboundIPs?: ManagedClusterLoadBalancerProfileOutboundIPs; -/** - * Maintenance window used to configure scheduled auto-upgrade for a Managed Cluster. - */ -model MaintenanceWindow { /** - * Recurrence schedule for the maintenance window. + * The effective outbound IP resources of the cluster load balancer. */ - schedule: Schedule; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + effectiveOutboundIPs?: ResourceReference[]; /** - * Length of maintenance window range from 4 to 24 hours. + * The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. */ - @maxValue(24) - @minValue(4) - durationHours: int32 = 24; + @maxValue(64000) + @minValue(0) + allocatedOutboundPorts?: int32 = 0; /** - * The UTC offset in format +/-HH:mm. For example, '+05:30' for IST and '-07:00' for PST. If not specified, the default is '+00:00'. + * Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. 
*/ - @pattern("^(-|\\+)[0-9]{2}:[0-9]{2}$") - utcOffset?: string; + @maxValue(120) + @minValue(4) + idleTimeoutInMinutes?: int32 = 30; /** - * The date the maintenance window activates. If the current date is before this date, the maintenance window is inactive and will not be used for upgrades. If not specified, the maintenance window will be active right away. + * Enable multiple standard load balancers per AKS cluster or not. */ - startDate?: plainDate; + enableMultipleStandardLoadBalancers?: boolean; /** - * The start time of the maintenance window. Accepted values are from '00:00' to '23:59'. 'utcOffset' applies to this field. For example: '02:00' with 'utcOffset: +02:00' means UTC time '00:00'. + * The type of the managed inbound Load Balancer BackendPool. */ - @pattern("^\\d{2}:\\d{2}$") - startTime: string; + backendPoolType?: BackendPoolType = BackendPoolType.NodeIPConfiguration; /** - * Date ranges on which upgrade is not allowed. 'utcOffset' applies to this field. For example, with 'utcOffset: +02:00' and 'dateSpan' being '2022-12-23' to '2023-01-03', maintenance will be blocked from '2022-12-22 22:00' to '2023-01-03 22:00' in UTC time. + * The health probing behavior for External Traffic Policy Cluster services. */ - @identifiers(#[]) - notAllowedDates?: DateSpan[]; + @added(Versions.v2025_10_02_preview) + clusterServiceLoadBalancerHealthProbeMode?: ClusterServiceLoadBalancerHealthProbeMode = ClusterServiceLoadBalancerHealthProbeMode.ServiceNodePort; } /** - * One and only one of the schedule types should be specified. Choose either 'daily', 'weekly', 'absoluteMonthly' or 'relativeMonthly' for your maintenance schedule. + * Desired managed outbound IPs for the cluster load balancer. 
*/ -model Schedule { +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterLoadBalancerProfileManagedOutboundIPs { /** - * For schedules like: 'recur every day' or 'recur every 3 days'. + * The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. */ - daily?: DailySchedule; + @maxValue(100) + @minValue(1) + count?: int32 = 1; /** - * For schedules like: 'recur every Monday' or 'recur every 3 weeks on Wednesday'. + * The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. */ - weekly?: WeeklySchedule; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @maxValue(100) + @minValue(0) + countIPv6?: int32 = 0; +} +/** + * Desired outbound IP Prefix resources for the cluster load balancer. + */ +model ManagedClusterLoadBalancerProfileOutboundIPPrefixes { /** - * For schedules like: 'recur every month on the 15th' or 'recur every 3 months on the 20th'. + * A list of public IP prefix resources. */ - absoluteMonthly?: AbsoluteMonthlySchedule; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + publicIPPrefixes?: ResourceReference[]; +} +/** + * A reference to an Azure resource. + */ +model ResourceReference { /** - * For schedules like: 'recur every month on the first Monday' or 'recur every 3 months on last Friday'. + * The fully qualified Azure resource id. */ - relativeMonthly?: RelativeMonthlySchedule; + id?: Azure.Core.armResourceIdentifier; } /** - * For schedules like: 'recur every day' or 'recur every 3 days'. 
+ * Desired outbound IP resources for the cluster load balancer. */ -model DailySchedule { +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterLoadBalancerProfileOutboundIPs { /** - * Specifies the number of days between each set of occurrences. + * A list of public IP resources. */ - @maxValue(7) - @minValue(1) - intervalDays: int32; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + publicIPs?: ResourceReference[]; } /** - * For schedules like: 'recur every Monday' or 'recur every 3 weeks on Wednesday'. + * Profile of the managed cluster NAT gateway. */ -model WeeklySchedule { +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterNATGatewayProfile { /** - * Specifies the number of weeks between each set of occurrences. + * Profile of the managed outbound IP resources of the cluster NAT gateway. */ - @maxValue(4) - @minValue(1) - intervalWeeks: int32; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + managedOutboundIPProfile?: ManagedClusterManagedOutboundIPProfile; + + /** + * The effective outbound IP resources of the cluster NAT gateway. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + effectiveOutboundIPs?: ResourceReference[]; /** - * Specifies on which day of the week the maintenance occurs. + * Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. 
*/ - dayOfWeek: WeekDay; + @maxValue(120) + @minValue(4) + idleTimeoutInMinutes?: int32 = 4; } /** - * For schedules like: 'recur every month on the 15th' or 'recur every 3 months on the 20th'. + * Profile of the managed outbound IP resources of the managed cluster. */ -model AbsoluteMonthlySchedule { +model ManagedClusterManagedOutboundIPProfile { /** - * Specifies the number of months between each set of occurrences. + * The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. */ - @maxValue(6) + @maxValue(16) @minValue(1) - intervalMonths: int32; + count?: int32 = 1; +} +/** + * The Static Egress Gateway addon configuration for the cluster. + */ +model ManagedClusterStaticEgressGatewayProfile { /** - * The date of the month. + * Enable Static Egress Gateway addon. Indicates if Static Egress Gateway addon is enabled or not. */ - @maxValue(31) - @minValue(1) - dayOfMonth: int32; + enabled?: boolean; } /** - * For schedules like: 'recur every month on the first Monday' or 'recur every 3 months on last Friday'. + * Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where is represented by a - string. Kubernetes version 1.23 would be '1-23'. */ -model RelativeMonthlySchedule { +@added(Versions.v2025_10_02_preview) +model ContainerServiceNetworkProfileKubeProxyConfig { /** - * Specifies the number of months between each set of occurrences. + * Whether to enable on kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations). */ - @maxValue(6) - @minValue(1) - intervalMonths: int32; + enabled?: boolean; /** - * The week index. Specifies on which week of the month the dayOfWeek applies. 
+ * Specify which proxy mode to use ('IPTABLES', 'IPVS' or 'NFTABLES') */ - weekIndex: Type; + mode?: Mode; /** - * Specifies on which day of the week the maintenance occurs. + * Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'. */ - dayOfWeek: WeekDay; + ipvsConfig?: ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig; } /** - * A date range. For example, between '2022-12-23' and '2023-01-05'. + * Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'. */ -model DateSpan { +@added(Versions.v2025_10_02_preview) +model ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig { /** - * The start date of the date span. + * IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html. */ - start: plainDate; + scheduler?: IpvsScheduler; /** - * The end date of the date span. + * The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value. */ - end: plainDate; -} + tcpTimeoutSeconds?: int32; -/** - * Reference to another subresource. - */ -model SubResource { /** - * Resource ID. + * The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive integer value. */ - @visibility(Lifecycle.Read) - id?: string; + tcpFinTimeoutSeconds?: int32; /** - * The name of the resource that is unique within a resource group. This name can be used to access the resource. + * The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value. */ - @visibility(Lifecycle.Read) - name?: string; + udpTimeoutSeconds?: int32; +} +/** + * Encryption configuration for Cilium-based clusters. Once enabled all traffic between Cilium managed pods will be encrypted when it leaves the node boundary. + */ +@added(Versions.v2025_10_02_preview) +model AdvancedNetworkingSecurityTransitEncryption { /** - * Resource type + * Configures pod-to-pod encryption. 
This can be enabled only on Cilium-based clusters. If not specified, the default value is None. */ - @visibility(Lifecycle.Read) - type?: string; + type?: TransitEncryptionType; } /** - * Properties of a namespace managed by ARM + * Profile to enable performance-enhancing features on clusters that use Azure CNI powered by Cilium. */ -model NamespaceProperties { +@added(Versions.v2025_10_02_preview) +model AdvancedNetworkingPerformance { /** - * The current provisioning state of the namespace. + * Enable advanced network acceleration options. This allows users to configure acceleration using BPF host routing. This can be enabled only with Cilium dataplane. If not specified, the default value is None (no acceleration). The acceleration mode can be changed on a pre-existing cluster. See https://aka.ms/acnsperformance for a detailed explanation */ - @visibility(Lifecycle.Read) - provisioningState?: NamespaceProvisioningState; + accelerationMode?: AccelerationMode = AccelerationMode.None; +} +/** + * AADProfile specifies attributes for Azure Active Directory integration. For more details see [managed AAD on AKS](https://docs.microsoft.com/azure/aks/managed-aad). + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterAADProfile { /** - * The labels of managed namespace. + * Whether to enable managed AAD. */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - labels?: Record; + managed?: boolean; /** - * The annotations of managed namespace. + * Whether to enable Azure RBAC for Kubernetes authorization. 
*/ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - annotations?: Record; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + enableAzureRBAC?: boolean; /** - * The special FQDN used by the Azure Portal to access the Managed Cluster. This FQDN is for use only by the Azure Portal and should not be used by other clients. The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly. + * The list of AAD group object IDs that will have admin role of the cluster. */ - @visibility(Lifecycle.Read) - portalFqdn?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + adminGroupObjectIDs?: string[]; /** - * The default resource quota enforced upon the namespace. Customers can have other Kubernetes resource quota objects under the namespace. Resource quotas are additive; if multiple resource quotas are applied to a given namespace, then the effective limit will be one such that all quotas on the namespace can be satisfied. + * (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. */ - defaultResourceQuota?: ResourceQuota; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + clientAppID?: string; /** - * The default network policy enforced upon the namespace. Customers can have other Kubernetes network policy objects under the namespace. 
Network policies are additive; if a policy or policies apply to a given pod for a given direction, the connections allowed in that direction for the pod is the union of what all applicable policies allow. + * (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. */ - defaultNetworkPolicy?: NetworkPolicies; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + serverAppID?: string; /** - * Action if Kubernetes namespace with same name already exists. + * (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. */ - adoptionPolicy?: AdoptionPolicy; + #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + serverAppSecret?: string; /** - * Delete options of a namespace. + * The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. */ - deletePolicy?: DeletePolicy; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + tenantID?: string; } /** - * Resource quota for the namespace. + * Auto upgrade profile for a managed cluster. */ -model ResourceQuota { - /** - * CPU request of the namespace in one-thousandth CPU form. See [CPU resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu) for more details. - */ - cpuRequest?: string; - +model ManagedClusterAutoUpgradeProfile { /** - * CPU limit of the namespace in one-thousandth CPU form. See [CPU resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu) for more details. + * The upgrade channel for auto upgrade. The default is 'none'. 
For more information see [setting the AKS cluster auto-upgrade channel](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel). */ - cpuLimit?: string; + upgradeChannel?: UpgradeChannel; /** - * Memory request of the namespace in the power-of-two equivalents form: Ei, Pi, Ti, Gi, Mi, Ki. See [Memory resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory) for more details. + * Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage. */ - memoryRequest?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + nodeOSUpgradeChannel?: NodeOSUpgradeChannel; +} +/** + * Settings for upgrading a cluster. + */ +model ClusterUpgradeSettings { /** - * Memory limit of the namespace in the power-of-two equivalents form: Ei, Pi, Ti, Gi, Mi, Ki. See [Memory resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory) for more details. + * Settings for overrides. */ - memoryLimit?: string; + overrideSettings?: UpgradeOverrideSettings; } /** - * Default network policy of the namespace, specifying ingress and egress rules. + * Settings for overrides when upgrading a cluster. */ -model NetworkPolicies { +model UpgradeOverrideSettings { /** - * Enum representing different network policy rules. + * Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. */ - ingress?: PolicyRule = PolicyRule.AllowSameNamespace; + forceUpgrade?: boolean; /** - * Enum representing different network policy rules. + * Until when the overrides are effective. 
Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the `until` expires as upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. */ - egress?: PolicyRule = PolicyRule.AllowAll; + // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. + until?: utcDateTime; } /** - * The list of available upgrade versions. + * Parameters to be applied to the cluster-autoscaler when enabled */ -#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -model AgentPoolUpgradeProfileProperties { +model ManagedClusterPropertiesAutoScalerProfile { /** - * The Kubernetes version (major.minor.patch). + * Detects similar node pools and balances the number of nodes between them. Valid values are 'true' and 'false' */ - kubernetesVersion: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("balanceSimilarNodeGroups") + `balance-similar-node-groups`?: string; /** - * The operating system type. The default is Linux. + * DaemonSet pods will be gracefully terminated from empty nodes. If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. */ - osType: OSType = OSType.Linux; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("daemonsetEvictionForEmptyNodes") + `daemonset-eviction-for-empty-nodes`?: boolean; /** - * List of orchestrator types and versions available for upgrade. 
+ * DaemonSet pods will be gracefully terminated from non-empty nodes. If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. */ - @identifiers(#[]) - upgrades?: AgentPoolUpgradeProfilePropertiesUpgradesItem[]; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("daemonsetEvictionForOccupiedNodes") + `daemonset-eviction-for-occupied-nodes`?: boolean; /** - * List of components grouped by kubernetes major.minor version. + * Should CA ignore DaemonSet pods when calculating resource utilization for scaling down. If set to true, the resources used by daemonset will be taken into account when making scaling down decisions. */ - @added(Versions.v2025_10_02_preview) - @identifiers(#[]) - componentsByReleases?: ComponentsByRelease[]; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("ignoreDaemonsetsUtilization") + `ignore-daemonsets-utilization`?: boolean; /** - * List of historical good versions for rollback operations. + * The expander to use when scaling up. If not specified, the default is 'random'. See [expanders](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-expanders) for more information. */ - @added(Versions.v2025_10_02_preview) - @visibility(Lifecycle.Read) - @identifiers(#[]) - recentlyUsedVersions?: AgentPoolRecentlyUsedVersion[]; + expander?: Expander; /** - * The latest AKS supported node image version. + * The maximum number of empty nodes that can be deleted at the same time. This must be a positive integer. The default is 10. 
*/ - latestNodeImageVersion?: string; -} + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("maxEmptyBulkDelete") + `max-empty-bulk-delete`?: string; -/** Available upgrades for an AgentPool. */ -model AgentPoolUpgradeProfilePropertiesUpgradesItem { /** - * The Kubernetes version (major.minor.patch). + * The maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. The default is 600. */ - kubernetesVersion?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("maxGracefulTerminationSec") + `max-graceful-termination-sec`?: string; /** - * Whether the Kubernetes version is currently in preview. + * The maximum time the autoscaler waits for a node to be provisioned. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. */ - isPreview?: boolean; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("maxNodeProvisionTime") + `max-node-provision-time`?: string; + + /** + * The maximum percentage of unready nodes in the cluster. After this percentage is exceeded, cluster autoscaler halts operations. The default is 45. The maximum is 100 and the minimum is 0. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("maxTotalUnreadyPercentage") + `max-total-unready-percentage`?: string; + + /** + * Ignore unscheduled pods before they're a certain age. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. 
The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("newPodScaleUpDelay") + `new-pod-scale-up-delay`?: string; + + /** + * The number of allowed unready nodes, irrespective of max-total-unready-percentage. This must be an integer. The default is 3. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("okTotalUnreadyCount") + `ok-total-unready-count`?: string; + + /** + * How often cluster is reevaluated for scale up or down. The default is '10'. Values must be an integer number of seconds. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("scanInterval") + `scan-interval`?: string; /** - * Whether the Kubernetes version is out of support. + * How long after scale up that scale down evaluation resumes. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. */ - @added(Versions.v2025_10_02_preview) - isOutOfSupport?: boolean; -} + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("scaleDownDelayAfterAdd") + `scale-down-delay-after-add`?: string; -/** - * A historical version that can be used for rollback operations. - */ -@added(Versions.v2025_10_02_preview) -model AgentPoolRecentlyUsedVersion { /** - * The Kubernetes version (major.minor.patch) available for rollback. + * How long after node deletion that scale down evaluation resumes. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. 
*/ - orchestratorVersion?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("scaleDownDelayAfterDelete") + `scale-down-delay-after-delete`?: string; /** - * The node image version available for rollback. + * How long after scale down failure that scale down evaluation resumes. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. */ - nodeImageVersion?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("scaleDownDelayAfterFailure") + `scale-down-delay-after-failure`?: string; /** - * The timestamp when this version was last used. + * How long a node should be unneeded before it is eligible for scale down. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. */ - // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. - timestamp?: utcDateTime; -} + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("scaleDownUnneededTime") + `scale-down-unneeded-time`?: string; -/** - * Specifies a list of machine names from the agent pool to be deleted. - */ -model AgentPoolDeleteMachinesParameter { /** - * The agent pool machine names. + * How long an unready node should be unneeded before it is eligible for scale down. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. 
*/ - machineNames: string[]; -} + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("scaleDownUnreadyTime") + `scale-down-unready-time`?: string; -/** - * The hardware and GPU settings of the machine. - */ -@added(Versions.v2025_10_02_preview) -model MachineHardwareProfile { /** - * The size of the VM. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: https://docs.microsoft.com/azure/aks/quotas-skus-regions + * Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. The default is '0.5'. */ - vmSize?: string; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("scaleDownUtilizationThreshold") + `scale-down-utilization-threshold`?: string; /** - * GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. + * If cluster autoscaler will skip deleting nodes with pods with local storage, for example, EmptyDir or HostPath. The default is true. */ - gpuInstanceProfile?: GPUInstanceProfile; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("skipNodesWithLocalStorage") + `skip-nodes-with-local-storage`?: string; /** - * The GPU settings of the machine. + * If cluster autoscaler will skip deleting nodes with pods from kube-system (except for DaemonSet or mirror pods). The default is true. 
*/ - gpuProfile?: GPUProfile; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @clientName("skipNodesWithSystemPods") + `skip-nodes-with-system-pods`?: string; } /** - * The operating system and disk used by the machine. + * Access profile for managed cluster API server. */ -@added(Versions.v2025_10_02_preview) -model MachineOSProfile { +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterAPIServerAccessProfile { /** - * The operating system type. The default is Linux. + * The IP ranges authorized to access the Kubernetes API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see [API server authorized IP ranges](https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges). */ - osType?: OSType = OSType.Linux; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + authorizedIPRanges?: string[]; /** - * Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. + * Whether to create the cluster as a private cluster or not. For more details, see [Creating a private AKS cluster](https://docs.microsoft.com/azure/aks/private-clusters). */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - osSKU?: OSSKU; + enablePrivateCluster?: boolean; /** - * OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. 
If you specify 0, it will apply the default osDisk size according to the vmSize specified. + * The private DNS zone mode for the cluster. The default is System. For more details see [configure private DNS zone](https://docs.microsoft.com/azure/aks/private-clusters#configure-private-dns-zone). Allowed values are 'system' and 'none'. */ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @maxValue(2048) - @minValue(0) - osDiskSizeGB?: int32; + privateDNSZone?: string; /** - * The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see [Ephemeral OS](https://docs.microsoft.com/azure/aks/cluster-configuration#ephemeral-os). + * Whether to create additional public FQDN for private cluster or not. */ - osDiskType?: OSDiskType; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + enablePrivateClusterPublicFQDN?: boolean; /** - * Whether to use a FIPS-enabled OS. + * Whether to disable run command for the cluster or not. */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - enableFIPS?: boolean; + disableRunCommand?: boolean; /** - * The Linux machine's specific profile. + * Whether to enable apiserver vnet integration for the cluster or not. See aka.ms/AksVnetIntegration for more details. */ - linuxProfile?: MachineOSProfileLinuxProfile; + enableVnetIntegration?: boolean; /** - * The Windows machine's specific profile. + * The subnet to be used when apiserver vnet integration is enabled. It is required when creating a new cluster with BYO Vnet, or when updating an existing cluster to enable apiserver vnet integration. 
*/ - windowsProfile?: AgentPoolWindowsProfile; + subnetId?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.Network/virtualNetworks/subnets"; + } + ]>; } /** - * The Linux machine's specific profile. + * A private link resource */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -@added(Versions.v2025_10_02_preview) -model MachineOSProfileLinuxProfile { - /** - * The OS configuration of Linux machine. - */ - linuxOSConfig?: LinuxOSConfig; - +model PrivateLinkResource { /** - * Message of the day for Linux nodes, base64-encoded. A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). + * The ID of the private link resource. */ - messageOfTheDay?: string; -} + id?: string; -/** - * The Kubernetes configurations used by the machine. - */ -@added(Versions.v2025_10_02_preview) -model MachineKubernetesProfile { /** - * The node labels on the machine. + * The name of the private link resource. */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - nodeLabels?: Record; + #suppress "@azure-tools/typespec-azure-core/no-openapi" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @OpenAPI.externalDocs("https://aka.ms/search-naming-rules") + name?: string; /** - * The version of Kubernetes specified by the user. Both patch version and are supported. When is specified, the latest supported patch version is chosen automatically. + * The resource type. */ - orchestratorVersion?: string; + type?: string; /** - * The version of Kubernetes running on the machine. 
If orchestratorVersion was a fully specified version , this field will be exactly equal to it. If orchestratorVersion was , this field will contain the full version being used. + * The group ID of the resource. */ - @visibility(Lifecycle.Read) - currentOrchestratorVersion?: string; + groupId?: string; /** - * Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. + * The RequiredMembers of the resource */ - kubeletDiskType?: KubeletDiskType; + requiredMembers?: string[]; /** - * The Kubelet configuration on the machine. + * The private link service ID of the resource, this field is exposed only to NRP internally. */ - kubeletConfig?: KubeletConfig; + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + privateLinkServiceID?: Azure.Core.armResourceIdentifier; +} +/** + * Cluster HTTP proxy configuration. + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterHTTPProxyConfig { /** - * Taints added on the node during creation that will not be reconciled by AKS. These taints will not be reconciled by AKS and can be removed with a kubectl call. These taints allow for required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule' that then can be removed with `kubectl taint nodes node1 key1=value1:NoSchedule-` + * The HTTP proxy server endpoint to use. */ - nodeInitializationTaints?: string[]; + httpProxy?: string; /** - * The taints added to new node during machine create. For example, key=value:NoSchedule. + * The HTTPS proxy server endpoint to use. */ - nodeTaints?: string[]; + httpsProxy?: string; /** - * The maximum number of pods that can run on a node. + * The endpoints that should not go through proxy. 
*/ - maxPods?: int32; + noProxy?: string[]; /** - * The node name in the Kubernetes cluster. + * A read-only list of all endpoints for which traffic should not be sent to the proxy. This list is a superset of noProxy and values injected by AKS. */ + @added(Versions.v2025_10_02_preview) @visibility(Lifecycle.Read) - nodeName?: string; + effectiveNoProxy?: string[]; /** - * Determines the type of workload a node can run. + * Alternative CA cert to use for connecting to proxy servers. */ - workloadRuntime?: WorkloadRuntime; + trustedCa?: string; /** - * Configuration for using artifact streaming on AKS. + * Whether to enable HTTP proxy. When disabled, the specified proxy configuration will be not be set on pods and nodes. */ - artifactStreamingProfile?: AgentPoolArtifactStreamingProfile; + @added(Versions.v2025_10_02_preview) + enabled?: boolean; } /** - * Contains read-only information about the machine. + * Security profile for the container service cluster. */ -@added(Versions.v2025_10_02_preview) -model MachineStatus { - /** - * The error details information of the machine. Preserves the detailed info of failure. If there was no error, this field is omitted. - */ - @visibility(Lifecycle.Read) - provisioningError?: Azure.ResourceManager.CommonTypes.ErrorDetail; - +model ManagedClusterSecurityProfile { /** - * Specifies the time at which the machine was created. + * Microsoft Defender settings for the security profile. */ - @visibility(Lifecycle.Read) - // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. - creationTimestamp?: utcDateTime; + defender?: ManagedClusterSecurityProfileDefender; /** - * The drift action of the machine. Indicates whether a machine has deviated from its expected state due to changes in managed cluster properties, requiring corrective action. + * Azure Key Vault [key management service](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/) settings for the security profile. 
 */
- @visibility(Lifecycle.Read)
- driftAction?: DriftAction;
+ azureKeyVaultKms?: AzureKeyVaultKms;
 /**
- * Reason for machine drift. Provides detailed information on why the machine has drifted. This field is omitted if the machine is up to date.
+ * Encryption at rest of Kubernetes resource objects. More information on this can be found under https://aka.ms/aks/kubernetesResourceObjectEncryption
 */
- @visibility(Lifecycle.Read)
- driftReason?: string;
+ @added(Versions.v2025_10_02_preview)
+ kubernetesResourceObjectEncryptionProfile?: KubernetesResourceObjectEncryptionProfile;
 /**
- * Virtual machine state. Indicates the current state of the underlying virtual machine.
+ * Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.
 */
- @visibility(Lifecycle.Read)
- vmState?: VmState;
-}
+ workloadIdentity?: ManagedClusterSecurityProfileWorkloadIdentity;
-/**
- * The list of available versions for an agent pool.
- */
-model AgentPoolAvailableVersions {
 /**
- * The ID of the agent pool version list.
+ * Image Cleaner settings for the security profile.
 */
- @visibility(Lifecycle.Read)
- id?: string;
+ imageCleaner?: ManagedClusterSecurityProfileImageCleaner;
 /**
- * The name of the agent pool version list.
+ * Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy.
 */
- @visibility(Lifecycle.Read)
- name?: string;
+ @added(Versions.v2025_10_02_preview)
+ imageIntegrity?: ManagedClusterSecurityProfileImageIntegrity;
 /**
- * Type of the agent pool version list.
+ * [Node Restriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) settings for the security profile.
 */
- @visibility(Lifecycle.Read)
- type?: string;
+ @added(Versions.v2025_10_02_preview)
+ nodeRestriction?: ManagedClusterSecurityProfileNodeRestriction;
 /**
- * Properties of agent pool available versions.
+ * A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see [Custom CA Trust Certificates](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority).
 */
- properties: AgentPoolAvailableVersionsProperties;
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ @maxItems(10)
+ @minItems(0)
+ customCATrustCertificates?: bytes[];
 }
 /**
- * The list of available agent pool versions.
+ * Microsoft Defender settings for the security profile.
 */
-model AgentPoolAvailableVersionsProperties {
- /**
- * List of versions available for agent pool.
- */
- @identifiers(#[])
- agentPoolVersions?: AgentPoolAvailableVersionsPropertiesAgentPoolVersionsItem[];
-}
-
-/** Available version information for an agent pool. */
-model AgentPoolAvailableVersionsPropertiesAgentPoolVersionsItem {
+model ManagedClusterSecurityProfileDefender {
 /**
- * Whether this version is the default agent pool version.
+ * Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty.
 */
- default?: boolean;
+ logAnalyticsWorkspaceResourceId?: Azure.Core.armResourceIdentifier<[
+ {
+ type: "Microsoft.OperationalInsights/workspaces";
+ }
+ ]>;
 /**
- * The Kubernetes version (major.minor.patch).
+ * Microsoft Defender threat detection for Cloud settings for the security profile.
 */
- kubernetesVersion?: string;
+ securityMonitoring?: ManagedClusterSecurityProfileDefenderSecurityMonitoring;
 /**
- * Whether Kubernetes version is currently in preview.
+ * Microsoft Defender settings for security gating, validates container images eligibility for deployment based on Defender for Containers security findings. Using Admission Controller, it either audits or prevents the deployment of images that do not meet security standards.
 */
- isPreview?: boolean;
+ @added(Versions.v2025_10_02_preview)
+ securityGating?: ManagedClusterSecurityProfileDefenderSecurityGating;
 }
 /**
- * A list of private endpoint connections
+ * Microsoft Defender settings for the security profile threat detection.
 */
-model PrivateEndpointConnectionListResult {
+model ManagedClusterSecurityProfileDefenderSecurityMonitoring {
 /**
- * The collection value.
+ * Whether to enable Defender threat detection
 */
- @pageItems
- value?: PrivateEndpointConnection[];
+ enabled?: boolean;
 }
 /**
- * Properties of a private endpoint connection.
+ * Microsoft Defender settings for security gating, validates container images eligibility for deployment based on Defender for Containers security findings. Using Admission Controller, it either audits or prevents the deployment of images that do not meet security standards.
 */
-model PrivateEndpointConnectionProperties {
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterSecurityProfileDefenderSecurityGating {
 /**
- * The current provisioning state.
+ * Whether to enable Defender security gating. When enabled, the gating feature will scan container images and audit or block the deployment of images that do not meet security standards according to the configured security rules.
 */
- @visibility(Lifecycle.Read)
- provisioningState?: PrivateEndpointConnectionProvisioningState;
+ enabled?: boolean;
+
+ /**
+ * List of identities that the admission controller will make use of in order to pull security artifacts from the registry. These are the same identities used by the cluster to pull container images. Each identity provided should have federated identity credential attached to it.
+ */
+ @identifiers(#[])
+ identities?: ManagedClusterSecurityProfileDefenderSecurityGatingIdentitiesItem[];
+
+ /**
+ * In use only while registry access granted by secret rather than managed identity. Set whether to grant the Defender gating agent access to the cluster's secrets for pulling images from registries. If secret access is denied and the registry requires pull secrets, the add-on will not perform any image validation. Default value is false.
+ */
+ allowSecretAccess?: boolean;
+}
+/** Identity information used by Defender security gating to access container registries. */
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterSecurityProfileDefenderSecurityGatingIdentitiesItem {
 /**
- * The resource of private endpoint.
+ * The container registry for which the identity will be used; the identity specified here should have a federated identity credential attached to it.
 */
- privateEndpoint?: PrivateEndpoint;
+ azureContainerRegistry?: string;
 /**
- * A collection of information about the state of the connection between service consumer and provider.
+ * The identity object used to access the registry
 */
- privateLinkServiceConnectionState: PrivateLinkServiceConnectionState;
+ identity?: UserAssignedIdentity;
 }
 /**
- * Private endpoint which a connection belongs to.
+ * Azure Key Vault key management service settings for the security profile.
 */
-model PrivateEndpoint {
+model AzureKeyVaultKms {
 /**
- * The resource ID of the private endpoint
+ * Whether to enable Azure Key Vault key management service. The default is false.
 */
- id?: string;
-}
+ enabled?: boolean;
+
+ /**
+ * Identifier of Azure Key Vault key. See [key identifier format](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name) for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty.
+ */
+ keyId?: string;
-/**
- * The state of a private link service connection.
- */
-model PrivateLinkServiceConnectionState {
 /**
- * The private link service connection status.
+ * Network access of the key vault. Network access of key vault. The possible values are `Public` and `Private`. `Public` means the key vault allows public access from all networks. `Private` means the key vault disables public access and enables private link. The default value is `Public`.
 */
- status?: ConnectionStatus;
+ keyVaultNetworkAccess?: KeyVaultNetworkAccessTypes = KeyVaultNetworkAccessTypes.Public;
 /**
- * The private link service connection description.
+ * Resource ID of key vault. When keyVaultNetworkAccess is `Private`, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is `Public`, leave the field empty.
 */
- description?: string;
+ keyVaultResourceId?: Azure.Core.armResourceIdentifier<[
+ {
+ type: "Microsoft.KeyVault/vaults";
+ }
+ ]>;
 }
 /**
- * A list of private link resources
+ * Encryption at rest of Kubernetes resource objects using service-managed keys. More information on this can be found under https://aka.ms/aks/kubernetesResourceObjectEncryption.
 */
-model PrivateLinkResourcesListResult {
+@added(Versions.v2025_10_02_preview)
+model KubernetesResourceObjectEncryptionProfile {
 /**
- * The collection value.
+ * Whether to enable encryption at rest of Kubernetes resource objects using service-managed keys. More information on this can be found under https://aka.ms/aks/kubernetesResourceObjectEncryption.
 */
- @pageItems
- value?: PrivateLinkResource[];
+ infrastructureEncryption?: InfrastructureEncryption = InfrastructureEncryption.Disabled;
 }
 /**
- * A run command request
+ * Workload identity settings for the security profile.
 */
-model RunCommandRequest {
+model ManagedClusterSecurityProfileWorkloadIdentity {
 /**
- * The command to run.
+ * Whether to enable workload identity.
 */
- command: string;
+ enabled?: boolean;
+}
+/**
+ * Image Cleaner removes unused images from nodes, freeing up disk space and helping to reduce attack surface area. Here are settings for the security profile.
+ */
+model ManagedClusterSecurityProfileImageCleaner {
 /**
- * A base64 encoded zip file containing the files required by the command.
+ * Whether to enable Image Cleaner on AKS cluster.
 */
- context?: string;
+ enabled?: boolean;
 /**
- * AuthToken issued for AKS AAD Server App.
+ * Image Cleaner scanning interval in hours.
 */
- clusterToken?: string;
+ intervalHours?: int32;
 }
 /**
- * run command result.
+ * Image integrity related settings for the security profile.
 */
-model RunCommandResult {
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterSecurityProfileImageIntegrity {
 /**
- * The command id.
+ * Whether to enable image integrity. The default value is false.
 */
- @visibility(Lifecycle.Read)
- id?: string;
+ enabled?: boolean;
+}
+/**
+ * Node Restriction settings for the security profile.
+ */
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterSecurityProfileNodeRestriction {
 /**
- * Properties of command result.
+ * Whether to enable Node Restriction
 */
- properties?: CommandResultProperties;
+ enabled?: boolean;
 }
 /**
- * The results of a run command
+ * Storage profile for the container service cluster.
 */
-model CommandResultProperties {
+model ManagedClusterStorageProfile {
 /**
- * provisioning State
+ * AzureDisk CSI Driver settings for the storage profile.
 */
- @visibility(Lifecycle.Read)
- provisioningState?: string;
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ diskCSIDriver?: ManagedClusterStorageProfileDiskCSIDriver;
 /**
- * The exit code of the command
+ * AzureFile CSI Driver settings for the storage profile.
 */
- @visibility(Lifecycle.Read)
- exitCode?: int32;
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ fileCSIDriver?: ManagedClusterStorageProfileFileCSIDriver;
 /**
- * The time when the command started.
+ * Snapshot Controller settings for the storage profile.
 */
- @visibility(Lifecycle.Read)
- // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario.
- startedAt?: utcDateTime;
+ snapshotController?: ManagedClusterStorageProfileSnapshotController;
 /**
- * The time when the command finished.
+ * AzureBlob CSI Driver settings for the storage profile.
 */
- @visibility(Lifecycle.Read)
- // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario.
- finishedAt?: utcDateTime;
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ blobCSIDriver?: ManagedClusterStorageProfileBlobCSIDriver;
+}
+/**
+ * AzureDisk CSI Driver settings for the storage profile.
+ */
+#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+model ManagedClusterStorageProfileDiskCSIDriver {
 /**
- * The command output.
+ * Whether to enable AzureDisk CSI Driver. The default value is true.
 */
- @visibility(Lifecycle.Read)
- logs?: string;
+ enabled?: boolean;
 /**
- * An explanation of why provisioningState is set to failed (if so).
+ * The version of AzureDisk CSI Driver. The default value is v1.
 */
- @visibility(Lifecycle.Read)
- reason?: string;
+ @added(Versions.v2025_10_02_preview)
+ version?: string;
 }
 /**
- * Collection of OutboundEnvironmentEndpoint
- */
-model OutboundEnvironmentEndpointCollection
- is Azure.Core.Page;
-
-/**
- * Egress endpoints which AKS agent nodes connect to for common purpose.
+ * AzureFile CSI Driver settings for the storage profile.
 */
-model OutboundEnvironmentEndpoint {
- /**
- * The category of endpoints accessed by the AKS agent node, e.g. azure-resource-management, apiserver, etc.
- */
- category?: string;
-
+#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+model ManagedClusterStorageProfileFileCSIDriver {
 /**
- * The endpoints that AKS agent nodes connect to
+ * Whether to enable AzureFile CSI Driver. The default value is true.
 */
- @identifiers(#[])
- endpoints?: EndpointDependency[];
+ enabled?: boolean;
 }
 /**
- * A domain name that AKS agent nodes are reaching at.
+ * Snapshot Controller settings for the storage profile.
 */
-model EndpointDependency {
+model ManagedClusterStorageProfileSnapshotController {
 /**
- * The domain name of the dependency.
+ * Whether to enable Snapshot Controller. The default value is true.
 */
- domainName?: string;
+ enabled?: boolean;
+}
+/**
+ * AzureBlob CSI Driver settings for the storage profile.
+ */
+#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+model ManagedClusterStorageProfileBlobCSIDriver {
 /**
- * The Ports and Protocols used when connecting to domainName.
+ * Whether to enable AzureBlob CSI Driver. The default value is false.
 */
- @identifiers(#[])
- endpointDetails?: EndpointDetail[];
+ enabled?: boolean;
 }
 /**
- * connect information from the AKS agent nodes to a single endpoint.
+ * Ingress profile for the container service cluster.
 */
-model EndpointDetail {
+model ManagedClusterIngressProfile {
 /**
- * An IP Address that Domain Name currently resolves to.
+ * App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at https://learn.microsoft.com/en-us/azure/aks/app-routing?tabs=default%2Cdeploy-app-default.
 */
- ipAddress?: string;
+ webAppRouting?: ManagedClusterIngressProfileWebAppRouting;
 /**
- * The port an endpoint is connected to.
+ * Settings for the managed Gateway API installation
 */
- port?: int32;
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ @added(Versions.v2025_10_02_preview)
+ gatewayAPI?: ManagedClusterIngressProfileGatewayConfiguration;
 /**
- * The protocol used for connection
+ * Settings for the managed Application Load Balancer installation
 */
- protocol?: string;
+ @added(Versions.v2025_10_02_preview)
+ applicationLoadBalancer?: ManagedClusterIngressProfileApplicationLoadBalancer;
+}
+/** Configuration for the ingress managed gateway. See https://aka.ms/k8s-gateway-api for more details. */
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterIngressProfileGatewayConfiguration {
 /**
- * Description of the detail
+ * Configuration for the managed Gateway API installation. If not specified, the default is 'Disabled'. See https://aka.ms/k8s-gateway-api for more details.
 */
- description?: string;
+ installation?: ManagedGatewayType;
 }
 /**
- * The operations list. It contains an URL link to get the next set of results.
- */
-model OperationStatusResultList is Azure.Core.Page;
-
-/**
- * Properties used to configure a node pool snapshot.
+ * Application Routing add-on settings for the ingress profile.
 */
-#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model SnapshotProperties {
- /**
- * CreationData to be used to specify the source agent pool resource ID to create this snapshot.
- */
- creationData?: CreationData;
-
- /**
- * The type of a snapshot. The default is NodePool.
- */
- snapshotType?: SnapshotType = SnapshotType.NodePool;
-
+model ManagedClusterIngressProfileWebAppRouting {
 /**
- * The version of Kubernetes.
+ * Whether to enable the Application Routing add-on.
 */
- @visibility(Lifecycle.Read)
- kubernetesVersion?: string;
+ enabled?: boolean;
 /**
- * The version of node image.
+ * Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group.
 */
- @visibility(Lifecycle.Read)
- nodeImageVersion?: string;
+ @maxItems(5)
+ dnsZoneResourceIds?: Azure.Core.armResourceIdentifier<[
+ {
+ type: "Microsoft.Network/dnszones";
+ },
+ {
+ type: "Microsoft.Network/privateDnsZones";
+ }
+ ]>[];
 /**
- * The operating system type. The default is Linux.
+ * Configuration for the default NginxIngressController. See more at https://learn.microsoft.com/en-us/azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller.
 */
- @visibility(Lifecycle.Read)
- osType?: OSType = OSType.Linux;
+ nginx?: ManagedClusterIngressProfileNginx;
 /**
- * Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows.
+ * Managed identity of the Application Routing add-on. This is the identity that should be granted permissions, for example, to manage the associated Azure DNS resource and get certificates from Azure Key Vault. See [this overview of the add-on](https://learn.microsoft.com/en-us/azure/aks/web-app-routing?tabs=with-osm) for more instructions.
 */
 @visibility(Lifecycle.Read)
- osSku?: OSSKU;
+ identity?: UserAssignedIdentity;
 /**
- * The size of the VM.
+ * Configuration for the Default Domain. This is a unique, autogenerated domain that comes with a signed TLS Certificate allowing for secure HTTPS. See [the Default Domain documentation](https://aka.ms/aks/defaultdomain) for more instructions.
 */
- @visibility(Lifecycle.Read)
- vmSize?: string;
+ @added(Versions.v2025_10_02_preview)
+ defaultDomain?: ManagedClusterIngressDefaultDomainProfile;
+}
+/** Nginx ingress controller configuration for the managed cluster ingress profile. */
+model ManagedClusterIngressProfileNginx {
 /**
- * Whether to use a FIPS-enabled OS.
+ * Ingress type for the default NginxIngressController custom resource
 */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @visibility(Lifecycle.Read)
- enableFIPS?: boolean;
+ defaultIngressControllerType?: NginxIngressControllerType;
 }
-/**
- * Properties for a managed cluster snapshot.
- */
-#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+/** Default domain profile for the managed cluster ingress profile. */
 @added(Versions.v2025_10_02_preview)
-model ManagedClusterSnapshotProperties {
- /**
- * CreationData to be used to specify the source resource ID to create this snapshot.
- */
- creationData?: CreationData;
-
+model ManagedClusterIngressDefaultDomainProfile {
 /**
- * The type of a snapshot. The default is NodePool.
+ * Whether to enable Default Domain.
 */
- snapshotType?: SnapshotType = SnapshotType.NodePool;
+ enabled?: boolean;
 /**
- * What the properties will be showed when getting managed cluster snapshot. Those properties are read-only.
+ * The unique fully qualified domain name assigned to the cluster. This will not change even if disabled then reenabled.
 */
 @visibility(Lifecycle.Read)
- managedClusterPropertiesReadOnly?: ManagedClusterPropertiesForSnapshot;
+ domainName?: string;
 }
 /**
- * managed cluster properties for snapshot, these properties are read only.
+ * Application Load Balancer settings for the ingress profile.
 */
 @added(Versions.v2025_10_02_preview)
-model ManagedClusterPropertiesForSnapshot {
- /**
- * The current kubernetes version.
- */
- kubernetesVersion?: string;
-
- /**
- * The current managed cluster sku.
- */
- sku?: ManagedClusterSKU;
-
+model ManagedClusterIngressProfileApplicationLoadBalancer {
 /**
- * Whether the cluster has enabled Kubernetes Role-Based Access Control or not.
+ * Whether to enable Application Load Balancer.
 */
- enableRbac?: boolean;
+ enabled?: boolean;
 /**
- * The current network profile.
+ * Managed identity of the Application Load Balancer add-on. This is the identity that should be granted permissions to manage the associated Application Gateway for Containers resource.
 */
 @visibility(Lifecycle.Read)
- networkProfile?: NetworkProfileForSnapshot;
+ identity?: UserAssignedIdentity;
 }
 /**
- * network profile for managed cluster snapshot, these properties are read only.
+ * Workload Auto-scaler profile for the managed cluster.
 */
-@added(Versions.v2025_10_02_preview)
-model NetworkProfileForSnapshot {
- /**
- * networkPlugin for managed cluster snapshot.
- */
- networkPlugin?: NetworkPlugin;
-
- /**
- * NetworkPluginMode for managed cluster snapshot.
- */
- networkPluginMode?: NetworkPluginMode;
-
- /**
- * networkPolicy for managed cluster snapshot.
- */
- networkPolicy?: NetworkPolicy;
-
+model ManagedClusterWorkloadAutoScalerProfile {
 /**
- * networkMode for managed cluster snapshot.
+ * KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.
 */
- networkMode?: NetworkMode;
+ keda?: ManagedClusterWorkloadAutoScalerProfileKeda;
 /**
- * loadBalancerSku for managed cluster snapshot.
+ * VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile.
 */
- loadBalancerSku?: LoadBalancerSku;
+ verticalPodAutoscaler?: ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler;
 }
 /**
- * Whether the version is default or not and support info.
+ * KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.
 */
-#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-@added(Versions.v2025_10_02_preview)
-model GuardrailsAvailableVersionsProperties {
- /** Whether this is the default version. */
- @visibility(Lifecycle.Read)
- isDefaultVersion?: boolean;
-
+model ManagedClusterWorkloadAutoScalerProfileKeda {
 /**
- * Whether the version is preview or stable.
+ * Whether to enable KEDA.
 */
- @visibility(Lifecycle.Read)
- support?: GuardrailsSupport;
+ enabled: boolean;
 }
 /**
- * Hold values properties, which is array of GuardrailsVersions
- */
-@added(Versions.v2025_10_02_preview)
-model GuardrailsAvailableVersionsList
- is Azure.Core.Page;
-
-/**
- * Whether the version is default or not and support info.
+ * VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile.
 */
-#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-@added(Versions.v2025_10_02_preview)
-model SafeguardsAvailableVersionsProperties {
- /** Whether this is the default version. */
- @visibility(Lifecycle.Read)
- isDefaultVersion?: boolean;
-
+model ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler {
 /**
- * Whether the version is preview or stable.
+ * Whether to enable VPA. Default value is false.
 */
- @visibility(Lifecycle.Read)
- support?: SafeguardsSupport;
-}
-
-/**
- * Hold values properties, which is array of SafeguardsVersions
- */
-@added(Versions.v2025_10_02_preview)
-model SafeguardsAvailableVersionsList
- is Azure.Core.Page;
-
-/**
- * Holds an array of MeshRevisionsProfiles
- */
-model MeshRevisionProfileList is Azure.Core.Page;
+ enabled: boolean = false;
-/**
- * Mesh revision profile properties for a mesh
- */
-#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model MeshRevisionProfileProperties {
- /** Available mesh revisions. */
- @identifiers(#[])
- meshRevisions?: MeshRevision[];
+ /**
+ * Whether VPA add-on is enabled and configured to scale AKS-managed add-ons.
+ */
+ @added(Versions.v2025_10_02_preview)
+ addonAutoscaling?: AddonAutoscaling = AddonAutoscaling.Disabled;
 }
 /**
- * An upgradeable mesh revision
- */
-scalar MeshRevisionUpgradesType extends string;
-/**
- * Holds information on upgrades and compatibility for given major.minor mesh release.
+ * Azure Monitor addon profiles for monitoring the managed cluster.
 */
-model MeshRevision {
+model ManagedClusterAzureMonitorProfile {
 /**
- * The revision of the mesh release.
+ * Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview.
 */
- revision?: string;
+ metrics?: ManagedClusterAzureMonitorProfileMetrics;
 /**
- * List of revisions available for upgrade of a specific mesh revision
+ * Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview.
 */
- upgrades?: MeshRevisionUpgradesType[];
+ @added(Versions.v2025_10_02_preview)
+ containerInsights?: ManagedClusterAzureMonitorProfileContainerInsights;
 /**
- * List of items this revision of service mesh is compatible with, and their associated versions.
+ * Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
 */
- @identifiers(#[])
- compatibleWith?: CompatibleVersions[];
+ @added(Versions.v2025_10_02_preview)
+ appMonitoring?: ManagedClusterAzureMonitorProfileAppMonitoring;
 }
 /**
- * A compatible product/service version.
- */
-scalar CompatibleVersionsVersionsType extends string;
-
-/**
- * Version information about a product/service that is compatible with a service mesh revision.
+ * Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview.
 */
-model CompatibleVersions {
+model ManagedClusterAzureMonitorProfileMetrics {
 /**
- * The product/service name.
+ * Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling.
 */
- name?: string;
+ enabled: boolean;
 /**
- * Product/service versions compatible with a service mesh add-on revision.
+ * Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details.
 */
- versions?: CompatibleVersionsVersionsType[];
+ kubeStateMetrics?: ManagedClusterAzureMonitorProfileKubeStateMetrics;
 }
 /**
- * Holds an array of MeshUpgradeProfiles
- */
-model MeshUpgradeProfileList is Azure.Core.Page;
-
-/**
- * Mesh upgrade profile properties for a major.minor release.
- */
-#suppress "@azure-tools/typespec-azure-core/composition-over-inheritance" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-#suppress "@azure-tools/typespec-azure-resource-manager/no-empty-model" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model MeshUpgradeProfileProperties extends MeshRevision {}
-
-/**
- * Properties for trusted access role binding
+ * Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details.
 */
-model TrustedAccessRoleBindingProperties {
- /**
- * The current provisioning state of trusted access role binding.
- */
- @visibility(Lifecycle.Read)
- provisioningState?: TrustedAccessRoleBindingProvisioningState;
-
+model ManagedClusterAzureMonitorProfileKubeStateMetrics {
 /**
- * The ARM resource ID of source resource that trusted access is configured for.
+ * Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). By default the metric contains only resource name and namespace labels.
 */
- sourceResourceId: Azure.Core.armResourceIdentifier;
+ metricLabelsAllowlist?: string;
 /**
- * A list of roles to bind, each item is a resource type qualified role name. For example: 'Microsoft.MachineLearningServices/workspaces/reader'.
+ * Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...'). By default the metric contains only resource name and namespace labels.
 */
- roles: string[];
+ metricAnnotationsAllowList?: string;
 }
 /**
- * List of trusted access roles
- */
-model TrustedAccessRoleListResult is Azure.Core.Page;
-
-/**
- * Trusted access role definition.
+ * Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview.
 */
-model TrustedAccessRole {
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterAzureMonitorProfileContainerInsights {
 /**
- * Resource type of Azure resource
+ * Indicates if Azure Monitor Container Insights Logs Addon is enabled or not.
 */
- @visibility(Lifecycle.Read)
- sourceResourceType?: string;
+ enabled?: boolean;
 /**
- * Name of role, name is unique under a source resource type
+ * Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs.
 */
- @visibility(Lifecycle.Read)
- name?: string;
+ logAnalyticsWorkspaceResourceId?: Azure.Core.armResourceIdentifier<[
+ {
+ type: "Microsoft.OperationalInsights/workspaces";
+ }
+ ]>;
 /**
- * List of rules for the role. This maps to 'rules' property of [Kubernetes Cluster Role](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole).
+ * The syslog host port. If not specified, the default port is 28330.
 */
- @visibility(Lifecycle.Read)
- @identifiers(#[])
- rules?: TrustedAccessRoleRule[];
-}
+ syslogPort?: int64;
-/**
- * Rule for trusted access role
- */
-model TrustedAccessRoleRule {
 /**
- * List of allowed verbs
+ * Indicates whether custom metrics collection has to be disabled or not. If not specified the default is false. No custom metrics will be emitted if this field is false but the container insights enabled field is false
 */
- @visibility(Lifecycle.Read)
- verbs?: string[];
+ disableCustomMetrics?: boolean;
 /**
- * List of allowed apiGroups
+ * Indicates whether prometheus metrics scraping is disabled or not. If not specified the default is false. No prometheus metrics will be emitted if this field is false but the container insights enabled field is false
 */
- @visibility(Lifecycle.Read)
- apiGroups?: string[];
+ disablePrometheusMetricsScraping?: boolean;
+}
+/**
+ * Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
+ */
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterAzureMonitorProfileAppMonitoring {
 /**
- * List of allowed resources
+ * Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
 */
- @visibility(Lifecycle.Read)
- resources?: string[];
+ autoInstrumentation?: ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation;
 /**
- * List of allowed names
+ * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
 */
- @visibility(Lifecycle.Read)
- resourceNames?: string[];
+ openTelemetryMetrics?: ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics;
 /**
- * List of allowed nonResourceURLs
+ * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
 */
- #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @visibility(Lifecycle.Read)
- nonResourceURLs?: string[];
+ openTelemetryLogs?: ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs;
 }
 /**
- * The properties of the machine
+ * Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
 */
-#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
-model MachineProperties {
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation {
 /**
- * network properties of the machine
+ * Indicates if Application Monitoring Auto Instrumentation is enabled or not.
 */
- @visibility(Lifecycle.Read)
- network?: MachineNetworkProperties;
+ enabled?: boolean;
+}
+/**
+ * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
+ */
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics {
 /**
- * Azure resource id of the machine. It can be used to GET underlying VM Instance
+ * Indicates if Application Monitoring Open Telemetry Metrics is enabled or not.
 */
- @visibility(Lifecycle.Read)
- resourceId?: Azure.Core.armResourceIdentifier<[
- {
- type: "Microsoft.Compute/virtualMachines";
- },
- {
- type: "Microsoft.Compute/virtualMachineScaleSets/virtualMachines";
- }
- ]>;
+ enabled?: boolean;
 /**
- * The hardware and GPU settings of the machine.
+ * The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333.
 */
- @added(Versions.v2025_10_02_preview)
- hardware?: MachineHardwareProfile;
+ port?: int64;
+}
+/**
+ * Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
+ */
+@added(Versions.v2025_10_02_preview)
+model ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs {
 /**
- * The operating system and disk used by the machine.
+ * Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not.
 */
- @added(Versions.v2025_10_02_preview)
- operatingSystem?: MachineOSProfile;
+ enabled?: boolean;
 /**
- * The Kubernetes configurations used by the machine.
+ * The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331.
 */
- @added(Versions.v2025_10_02_preview)
- kubernetes?: MachineKubernetesProfile;
+ port?: int64;
+}
+/**
+ * Service mesh profile for a managed cluster.
+ */
+model ServiceMeshProfile {
 /**
- * Machine only allows 'System' and 'User' mode.
+ * Mode of the service mesh.
 */
- @added(Versions.v2025_10_02_preview)
- mode?: AgentPoolMode;
+ mode: ServiceMeshMode;
 /**
- * The security settings of the machine.
+ * Istio service mesh configuration.
 */
- @added(Versions.v2025_10_02_preview)
- security?: MachineSecurityProfile;
+ istio?: IstioServiceMesh;
+}
+/**
+ * Istio service mesh configuration.
+ */
+model IstioServiceMesh {
 /**
- * The priority for the machine. If not specified, the default is 'Regular'.
+ * Istio components configuration.
 */
- @added(Versions.v2025_10_02_preview)
- priority?: ScaleSetPriority = ScaleSetPriority.Regular;
+ components?: IstioComponents;
 /**
- * The version of node image.
+ * Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca
 */
- @added(Versions.v2025_10_02_preview)
- @visibility(Lifecycle.Read)
- nodeImageVersion?: string;
+ certificateAuthority?: IstioCertificateAuthority;
 /**
- * The current deployment or provisioning state.
+ * The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: https://learn.microsoft.com/en-us/azure/aks/istio-upgrade
 */
- #suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
- @added(Versions.v2025_10_02_preview)
- @visibility(Lifecycle.Read)
- provisioningState?: string;
+ @maxItems(2)
+ @uniqueItems
+ revisions?: string[];
+}
+/**
+ * Istio components configuration.
+ */
+model IstioComponents {
 /**
- * The tags to be persisted on the machine.
+ * Istio ingress gateways.
*/ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @added(Versions.v2025_10_02_preview) - tags?: Record; + @identifiers(#[]) + ingressGateways?: IstioIngressGateway[]; /** - * Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal eTag convention. + * Istio egress gateways. */ - @added(Versions.v2025_10_02_preview) - @visibility(Lifecycle.Read) - eTag?: string; + @identifiers(#[]) + egressGateways?: IstioEgressGateway[]; /** - * Contains read-only information about the machine. + * Mode of traffic redirection. */ @added(Versions.v2025_10_02_preview) - @visibility(Lifecycle.Read) - status?: MachineStatus; + proxyRedirectionMechanism?: ProxyRedirectionMechanism; } /** - * network properties of the machine + * Istio ingress gateway configuration. For now, we support up to one external ingress gateway named `aks-istio-ingressgateway-external` and one internal ingress gateway named `aks-istio-ingressgateway-internal`. */ -model MachineNetworkProperties { +model IstioIngressGateway { /** - * IPv4, IPv6 addresses of the machine + * Mode of an ingress gateway. */ - @visibility(Lifecycle.Read) - @identifiers(#[]) - ipAddresses?: MachineIpAddress[]; + mode: IstioIngressGatewayMode; /** - * The ID of the subnet which node and optionally pods will join on startup. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} + * Whether to enable the ingress gateway. 
*/ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @added(Versions.v2025_10_02_preview) - vnetSubnetID?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.Network/virtualNetworks/subnets"; - } - ]>; + enabled: boolean; +} +/** + * Istio egress gateway configuration. + */ +model IstioEgressGateway { /** - * The ID of the subnet which pods will join when launched. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} + * Whether to enable the egress gateway. */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @added(Versions.v2025_10_02_preview) - podSubnetID?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.Network/virtualNetworks/subnets"; - } - ]>; + enabled: boolean; /** - * Whether the machine is allocated its own public IP. Some scenarios may require the machine to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. The default is false. + * Name of the Istio add-on egress gateway. */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @added(Versions.v2025_10_02_preview) - enableNodePublicIP?: boolean; + @pattern("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*") + name: string; /** - * The public IP prefix ID which VM node should use IPs from. 
This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} + * Namespace that the Istio add-on egress gateway should be deployed in. If unspecified, the default is aks-istio-egress. */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @added(Versions.v2025_10_02_preview) - nodePublicIPPrefixID?: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.Network/publicIPPrefixes"; - } - ]>; + `namespace`?: string; /** - * IPTags of instance-level public IPs. + * Name of the gateway configuration custom resource for the Istio add-on egress gateway. Must be specified when enabling the Istio egress gateway. Must be deployed in the same namespace that the Istio egress gateway will be deployed in. */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @added(Versions.v2025_10_02_preview) - @identifiers(#[]) - nodePublicIPTags?: IPTag[]; + gatewayConfigurationName?: string; +} + +/** + * Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca + */ +model IstioCertificateAuthority { + /** + * Plugin certificates information for Service Mesh. + */ + plugin?: IstioPluginCertificateAuthority; } /** - * The machine IP address details. + * Plugin certificates information for Service Mesh. */ -model MachineIpAddress { - /** - * To determine if address belongs IPv4 or IPv6 family - */ - @visibility(Lifecycle.Read) - family?: IPFamily; - +model IstioPluginCertificateAuthority { /** - * IPv4 or IPv6 address of the machine + * The resource ID of the Key Vault. 
*/ - @visibility(Lifecycle.Read) - ip?: string; -} + keyVaultId?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.KeyVault/vaults"; + } + ]>; -/** Properties for a load balancer resource. */ -@added(Versions.v2025_10_02_preview) -model LoadBalancerProperties { /** - * Required field. A string value that must specify the ID of an existing agent pool. All nodes in the given pool will always be added to this load balancer. This agent pool must have at least one node and minCount>=1 for autoscaling operations. An agent pool can only be the primary pool for a single load balancer. + * Intermediate certificate object name in Azure Key Vault. */ - primaryAgentPoolName: string; + certObjectName?: string; /** - * Whether to automatically place services on the load balancer. If not supplied, the default value is true. If set to false manually, both of the external and the internal load balancer will not be selected for services unless they explicitly target it. + * Intermediate certificate private key object name in Azure Key Vault. */ - allowServicePlacement?: boolean; + keyObjectName?: string; /** - * Only services that must match this selector can be placed on this load balancer. + * Root certificate object name in Azure Key Vault. */ - serviceLabelSelector?: LabelSelector; + rootCertObjectName?: string; /** - * Services created in namespaces that match the selector can be placed on this load balancer. + * Certificate chain object name in Azure Key Vault. */ - serviceNamespaceSelector?: LabelSelector; + certChainObjectName?: string; +} +/** + * The metrics profile for the ManagedCluster. + */ +model ManagedClusterMetricsProfile { /** - * Nodes that match this selector will be possible members of this load balancer. + * The configuration for detailed per-Kubernetes resource cost analysis. 
*/ - nodeSelector?: LabelSelector; + costAnalysis?: ManagedClusterCostAnalysis; +} +/** + * The cost analysis configuration for the cluster + */ +model ManagedClusterCostAnalysis { /** - * The current provisioning state. + * Whether to enable cost analysis. The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. */ - #suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - @visibility(Lifecycle.Read) - provisioningState?: string; + enabled?: boolean; } -/** - * A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - */ -@added(Versions.v2025_10_02_preview) -model LabelSelector { +/** Node provisioning profile for the managed cluster. */ +model ManagedClusterNodeProvisioningProfile { /** - * matchLabels is an array of {key=value} pairs. A single {key=value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is `key`, the operator is `In`, and the values array contains only `value`. The requirements are ANDed. + * The node provisioning mode. If not specified, the default is Manual. */ - matchLabels?: string[]; + mode?: NodeProvisioningMode; /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. + * The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. 
Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools. */ - @identifiers(#[]) - matchExpressions?: LabelSelectorRequirement[]; + defaultNodePools?: NodeProvisioningDefaultNodePools = NodeProvisioningDefaultNodePools.Auto; } /** - * A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + * The bootstrap profile. */ -@added(Versions.v2025_10_02_preview) -model LabelSelectorRequirement { +model ManagedClusterBootstrapProfile { /** - * key is the label key that the selector applies to. + * The artifact source. The source where the artifacts are downloaded from. */ - #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - key?: string; + artifactSource?: ArtifactSource = ArtifactSource.Direct; /** - * operator represents a key's relationship to a set of values. Valid operators are In and NotIn + * The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. */ - operator?: Operator; + containerRegistryId?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.ContainerRegistry/registries"; + } + ]>; +} +/** + * When enabling the operator, a set of AKS managed CRDs and controllers will be installed in the cluster. The operator automates the deployment of OSS models for inference and/or training purposes. It provides a set of preset models and enables distributed inference against them. 
+ */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterAIToolchainOperatorProfile { /** - * values is an array of string values, the values array must be non-empty. + * Whether to enable AI toolchain operator to the cluster. Indicates if AI toolchain operator enabled or not. */ - values?: string[]; + enabled?: boolean; } /** - * The names of the load balancers to rebalance. If set to empty, all load balancers will be rebalanced. + * The pod scheduler profile for the cluster. */ @added(Versions.v2025_10_02_preview) -model RebalanceLoadBalancersRequestBody { +model SchedulerProfile { /** - * The load balancer names list. + * Mapping of each scheduler instance to its profile. */ - loadBalancerNames?: string[]; + schedulerInstanceProfiles?: SchedulerProfileSchedulerInstanceProfiles; } /** - * IdentityBinding properties. + * Mapping of each scheduler instance to its profile. */ @added(Versions.v2025_10_02_preview) -model IdentityBindingProperties { - /** - * Managed identity profile for the identity binding. - */ - @visibility(Lifecycle.Read, Lifecycle.Create) - managedIdentity: IdentityBindingManagedIdentityProfile; - - /** - * The OIDC issuer URL of the IdentityBinding. - */ - @visibility(Lifecycle.Read) - oidcIssuer?: IdentityBindingOidcIssuerProfile; - +model SchedulerProfileSchedulerInstanceProfiles { /** - * The status of the last operation. + * The scheduler profile for the upstream scheduler instance. */ - @visibility(Lifecycle.Read) - provisioningState?: IdentityBindingProvisioningState; + upstream?: SchedulerInstanceProfile; } /** - * Managed identity profile for the identity binding. + * The scheduler profile for a single scheduler instance. */ @added(Versions.v2025_10_02_preview) -model IdentityBindingManagedIdentityProfile { - /** - * The resource ID of the managed identity. 
- */ - @visibility(Lifecycle.Read, Lifecycle.Create) - @pattern("^/subscriptions/[a-zA-Z0-9-]+/resourceGroups/[a-zA-Z0-9-]+/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[a-zA-Z0-9-]+$") - resourceId: Azure.Core.armResourceIdentifier; - - /** - * The object ID of the managed identity. - */ - @visibility(Lifecycle.Read) - @maxLength(36) - @minLength(36) - @pattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") - objectId?: string; - +model SchedulerInstanceProfile { /** - * The client ID of the managed identity. + * The config customization mode for this scheduler instance. */ - @visibility(Lifecycle.Read) - @maxLength(36) - @minLength(36) - @pattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") - clientId?: string; + schedulerConfigMode?: SchedulerConfigMode; +} +/** + * Settings for hosted system addons. + */ +@added(Versions.v2025_10_02_preview) +model ManagedClusterHostedSystemProfile { /** - * The tenant ID of the managed identity. + * Whether to enable hosted system addons for the cluster. */ - @visibility(Lifecycle.Read) - @maxLength(36) - @minLength(36) - @pattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") - tenantId?: string; + enabled?: boolean; } /** - * IdentityBinding OIDC issuer profile. + * Contains read-only information about the Managed Cluster. */ -@added(Versions.v2025_10_02_preview) -model IdentityBindingOidcIssuerProfile { +model ManagedClusterStatus { /** - * The OIDC issuer URL of the IdentityBinding. + * The error details information of the managed cluster. Preserves the detailed info of failure. If there was no error, this field is omitted. */ @visibility(Lifecycle.Read) - oidcIssuerUrl?: url; + provisioningError?: Azure.ResourceManager.CommonTypes.ErrorDetail; } /** - * The properties of JWTAuthenticator. 
For details on how to configure the properties of a JWT authenticator, please refer to the Kubernetes documentation: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration. Please note that not all fields available in the Kubernetes documentation are supported by AKS. For troubleshooting, please see https://aka.ms/aks-external-issuers-docs. + * components of given Kubernetes version. */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" @added(Versions.v2025_10_02_preview) -model JWTAuthenticatorProperties { +model ComponentsByRelease { /** - * The current provisioning state of the JWT authenticator. + * The Kubernetes version (major.minor). */ - @visibility(Lifecycle.Read) - provisioningState?: JWTAuthenticatorProvisioningState; + kubernetesVersion?: string; + + /** + * components of current or upgraded Kubernetes version in the cluster. + */ + @identifiers(#[]) + components?: Component[]; +} +/** Component information for a Kubernetes version. */ +@added(Versions.v2025_10_02_preview) +model Component { /** - * The JWT OIDC issuer details. + * Component name. */ - issuer: JWTAuthenticatorIssuer; + name?: string; /** - * The rules that are applied to validate token claims to authenticate users. All the expressions must evaluate to true for validation to succeed. + * Component version. */ - @identifiers(#[]) - claimValidationRules?: JWTAuthenticatorValidationRule[]; + version?: string; /** - * The mappings that define how user attributes are extracted from the token claims. + * If upgraded component version contains breaking changes from the current version. To see a detailed description of what the breaking changes are, visit https://learn.microsoft.com/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-components-breaking-changes-by-version. 
*/ - claimMappings: JWTAuthenticatorClaimMappings; + hasBreakingChanges?: boolean; +} +/** + * Managed cluster Access Profile. + */ +#suppress "@azure-tools/typespec-azure-core/composition-over-inheritance" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterAccessProfile + extends Azure.ResourceManager.CommonTypes.TrackedResource { /** - * The rules that are applied to the mapped user before completing authentication. All the expressions must evaluate to true for validation to succeed. + * AccessProfile of a managed cluster. */ - @identifiers(#[]) - userValidationRules?: JWTAuthenticatorValidationRule[]; + properties?: AccessProfile; } /** - * The OIDC issuer details for JWTAuthenticator. + * Profile for enabling a user to access a managed cluster. */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -@added(Versions.v2025_10_02_preview) -model JWTAuthenticatorIssuer { +model AccessProfile { /** - * The issuer URL. The URL must begin with the scheme https and cannot contain a query string or fragment. This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. + * Base64-encoded Kubernetes configuration file. */ - url: string; + kubeConfig?: bytes; +} +/** + * The list credential result response. + */ +model CredentialResults { /** - * The set of acceptable audiences the JWT must be issued to. At least one is required. When multiple is set, AudienceMatchPolicy is used in API Server configuration. + * Base64-encoded Kubernetes configuration file. */ - @minItems(1) - audiences: string[]; + @visibility(Lifecycle.Read) + @identifiers(#[]) + kubeconfigs?: CredentialResult[]; } /** - * The validation rule for JWTAuthenticator. + * The credential result response. 
*/ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -@added(Versions.v2025_10_02_preview) -model JWTAuthenticatorValidationRule { +model CredentialResult { /** - * The CEL expression used to validate the claim or attribute. + * The name of the credential. */ - expression: string; + @visibility(Lifecycle.Read) + name?: string; /** - * The validation error message. + * Base64-encoded Kubernetes configuration file. */ - message?: string; + @visibility(Lifecycle.Read) + value?: bytes; } /** - * The claim mappings for JWTAuthenticator. + * Tags object for patch operations. */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -@added(Versions.v2025_10_02_preview) -model JWTAuthenticatorClaimMappings { +#suppress "@azure-tools/typespec-azure-resource-manager/patch-envelope" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model TagsObject { /** - * The expression to extract username attribute from the token claims. + * Resource tags. */ - username: JWTAuthenticatorClaimMappingExpression; + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + tags?: Record; +} +/** + * Reference to another subresource. + */ +model SubResource { /** - * The expression to extract groups attribute from the token claims. When not provided, no groups are extracted from the token claims. + * Resource ID. */ - groups?: JWTAuthenticatorClaimMappingExpression; + @visibility(Lifecycle.Read) + id?: string; /** - * The expression to extract uid attribute from the token claims. When not provided, no uid is extracted from the token claims. + * The name of the resource that is unique within a resource group. This name can be used to access the resource. 
*/ - uid?: JWTAuthenticatorClaimMappingExpression; + @visibility(Lifecycle.Read) + name?: string; /** - * The expression to extract extra attribute from the token claims. When not provided, no extra attributes are extracted from the token claims. + * Resource type */ - @identifiers(#[]) - extra?: JWTAuthenticatorExtraClaimMappingExpression[]; + @visibility(Lifecycle.Read) + type?: string; } /** - * The claim mapping expression for JWTAuthenticator. + * Specifies a list of machine names from the agent pool to be deleted. */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -@added(Versions.v2025_10_02_preview) -model JWTAuthenticatorClaimMappingExpression { +model AgentPoolDeleteMachinesParameter { /** - * The CEL expression used to access token claims. + * The agent pool machine names. */ - expression: string; + machineNames: string[]; } /** - * The extra claim mapping expression for JWTAuthenticator. + * The operations list. It contains an URL link to get the next set of results. */ -#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" -@added(Versions.v2025_10_02_preview) -model JWTAuthenticatorExtraClaimMappingExpression { +model OperationStatusResultList is Azure.Core.Page; + +/** + * An upgradeable mesh revision + */ +scalar MeshRevisionUpgradesType extends string; +/** + * Holds information on upgrades and compatibility for given major.minor mesh release. + */ +model MeshRevision { /** - * The key of the extra attribute. + * The revision of the mesh release. 
*/ - #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - key: string; + revision?: string; + + /** + * List of revisions available for upgrade of a specific mesh revision + */ + upgrades?: MeshRevisionUpgradesType[]; /** - * The CEL expression used to extract the value of the extra attribute. + * List of items this revision of service mesh is compatible with, and their associated versions. */ - valueExpression: string; + @identifiers(#[]) + compatibleWith?: CompatibleVersions[]; } /** - * Mesh membership properties of a managed cluster. + * A compatible product/service version. */ -@added(Versions.v2025_10_02_preview) -model MeshMembershipProperties { +scalar CompatibleVersionsVersionsType extends string; + +/** + * Version information about a product/service that is compatible with a service mesh revision. + */ +model CompatibleVersions { /** - * The current provisioning state of the Mesh Membership. + * The product/service name. */ - @visibility(Lifecycle.Read) - provisioningState?: MeshMembershipProvisioningState; + name?: string; /** - * The ARM resource id for the managed mesh member. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AppLink/applinks/{appLinkName}/appLinkMembers/{appLinkMemberName}'. Visit https://aka.ms/applink for more information. + * Product/service versions compatible with a service mesh add-on revision. */ - #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" - managedMeshID: Azure.Core.armResourceIdentifier<[ - { - type: "Microsoft.AppLink/applinks"; - } - ]>; + versions?: CompatibleVersionsVersionsType[]; } /** 
@@ -7168,19 +5055,3 @@ model OperationListResult { @nextLink nextLink?: url; } - -/** - * The result of a request to list mesh memberships in a managed cluster. - */ -@added(Versions.v2025_10_02_preview) -model MeshMembershipsListResult { - /** - * The list of mesh memberships. - */ - @pageItems - value: MeshMembership[]; - - @doc("The URL to get the next set of mesh membership results.") - @nextLink - nextLink?: ResourceLocation; -} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/GuardrailsAvailableVersion.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/GuardrailsAvailableVersion.tsp index ea3eeb1282f3..fa7b2a6303ea 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/GuardrailsAvailableVersion.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/GuardrailsAvailableVersion.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; using TypeSpec.Rest; using Azure.ResourceManager; @@ -9,6 +9,11 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// GuardrailsAvailableVersion resource and operations +// ============================================================================= + /** * Available Guardrails Version */ @@ -27,6 +32,13 @@ model GuardrailsAvailableVersion >; } +@@maxLength(GuardrailsAvailableVersion.name, 24); +@@minLength(GuardrailsAvailableVersion.name, 1); +@@doc(GuardrailsAvailableVersion.name, "Safeguards version"); +@@doc(GuardrailsAvailableVersion.properties, + "Whether the version is default or not and support info." +); + @armResourceOperations @added(Versions.v2025_10_02_preview) interface GuardrailsAvailableVersions { 
@@ -50,9 +62,48 @@ interface GuardrailsAvailableVersions { >; } -@@maxLength(GuardrailsAvailableVersion.name, 24); -@@minLength(GuardrailsAvailableVersion.name, 1); -@@doc(GuardrailsAvailableVersion.name, "Safeguards version"); -@@doc(GuardrailsAvailableVersion.properties, - "Whether the version is default or not and support info." -); +// ============================================================================= +// GuardrailsAvailableVersion models +// ============================================================================= + +/** + * Whether the version is preview or stable. + */ +@added(Versions.v2025_10_02_preview) +union GuardrailsSupport { + string, + + /** + * The version is preview. It is not recommended to use preview versions on critical production clusters. The preview version may not support all use-cases. + */ + Preview: "Preview", + + /** + * The version is stable and can be used on critical production clusters. + */ + Stable: "Stable", +} + +/** + * Whether the version is default or not and support info. + */ +#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model GuardrailsAvailableVersionsProperties { + /** Whether this is the default version. */ + @visibility(Lifecycle.Read) + isDefaultVersion?: boolean; + + /** + * Whether the version is preview or stable. + */ + @visibility(Lifecycle.Read) + support?: GuardrailsSupport; +} + +/** + * Hold values properties, which is array of GuardrailsVersions + */ +@added(Versions.v2025_10_02_preview) +model GuardrailsAvailableVersionsList + is Azure.Core.Page; diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/IdentityBinding.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/IdentityBinding.tsp index d830c957d02d..39762a2e4185 100644 
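Review bot: `GuardrailsAvailableVersionsProperties` carries the `#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state"` over with the placeholder justification `"FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"`, and moving the model into its own file is the natural moment to state the real reason. Both of its properties are `@visibility(Lifecycle.Read)`, so a justification along the lines of `"Read-only catalog of available Safeguards versions; the resource has no provisioning lifecycle."` looks accurate, but please confirm against the service behaviour before committing to that wording. The same placeholder text is repeated on suppressions in the other split files (for example `ManagedClusterAIToolchainOperatorProfile` and `TagsObject`), so if they are not addressed here a follow-up should clean them up together rather than leaving the FIXMEs to accumulate in the new layout.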
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/IdentityBinding.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/IdentityBinding.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./ManagedCluster.tsp"; using TypeSpec.Rest; @@ -10,6 +10,11 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// IdentityBinding resource and operations +// ============================================================================= + /** * The IdentityBinding resource. */ @@ -26,6 +31,16 @@ model IdentityBinding ...Azure.ResourceManager.EntityTagProperty; } +@@maxLength(IdentityBinding.name, 63); +@@minLength(IdentityBinding.name, 1); +@@doc(IdentityBinding.name, "The name of the identity binding."); +@@doc(IdentityBinding.properties, + "The resource-specific properties for this resource." +); +@@doc(IdentityBindings.createOrUpdate::parameters.resource, + "The identity binding to create or update." +); + @armResourceOperations @added(Versions.v2025_10_02_preview) interface IdentityBindings { 
@@ -58,12 +73,120 @@ interface IdentityBindings { listByManagedCluster is ArmResourceListByParent; } -@@maxLength(IdentityBinding.name, 63); -@@minLength(IdentityBinding.name, 1); -@@doc(IdentityBinding.name, "The name of the identity binding."); -@@doc(IdentityBinding.properties, - "The resource-specific properties for this resource." -); -@@doc(IdentityBindings.createOrUpdate::parameters.resource, - "The identity binding to create or update." -); +// ============================================================================= +// IdentityBinding models +// ============================================================================= + +/** + * The provisioning state of the last accepted operation. + */ +@added(Versions.v2025_10_02_preview) +union IdentityBindingProvisioningState { + string, + + /** + * Resource has been created. + */ + Succeeded: "Succeeded", + + /** + * Resource creation failed. + */ + Failed: "Failed", + + /** + * Resource creation was canceled. + */ + Canceled: "Canceled", + + /** + * The identity binding is being created. + */ + Creating: "Creating", + + /** + * The identity binding is being updated. + */ + Updating: "Updating", + + /** + * The identity binding is being deleted. + */ + Deleting: "Deleting", +} + +/** + * IdentityBinding properties. + */ +@added(Versions.v2025_10_02_preview) +model IdentityBindingProperties { + /** + * Managed identity profile for the identity binding. + */ + @visibility(Lifecycle.Read, Lifecycle.Create) + managedIdentity: IdentityBindingManagedIdentityProfile; + + /** + * The OIDC issuer URL of the IdentityBinding. + */ + @visibility(Lifecycle.Read) + oidcIssuer?: IdentityBindingOidcIssuerProfile; + + /** + * The status of the last operation. + */ + @visibility(Lifecycle.Read) + provisioningState?: IdentityBindingProvisioningState; +} + +/** + * Managed identity profile for the identity binding. 
+ */ +@added(Versions.v2025_10_02_preview) +model IdentityBindingManagedIdentityProfile { + /** + * The resource ID of the managed identity. + */ + @visibility(Lifecycle.Read, Lifecycle.Create) + @pattern("^/subscriptions/[a-zA-Z0-9-]+/resourceGroups/[a-zA-Z0-9-]+/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[a-zA-Z0-9-]+$") + resourceId: Azure.Core.armResourceIdentifier; + + /** + * The object ID of the managed identity. + */ + @visibility(Lifecycle.Read) + @maxLength(36) + @minLength(36) + @pattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") + objectId?: string; + + /** + * The client ID of the managed identity. + */ + @visibility(Lifecycle.Read) + @maxLength(36) + @minLength(36) + @pattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") + clientId?: string; + + /** + * The tenant ID of the managed identity. + */ + @visibility(Lifecycle.Read) + @maxLength(36) + @minLength(36) + @pattern("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") + tenantId?: string; +} + +/** + * IdentityBinding OIDC issuer profile. + */ +@added(Versions.v2025_10_02_preview) +model IdentityBindingOidcIssuerProfile { + /** + * The OIDC issuer URL of the IdentityBinding. + */ + @visibility(Lifecycle.Read) + oidcIssuerUrl?: url; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/JWTAuthenticator.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/JWTAuthenticator.tsp index 996a9bb36f01..b5190537a90e 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/JWTAuthenticator.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/JWTAuthenticator.tsp 
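Review bot: The `@pattern` on `IdentityBindingManagedIdentityProfile.resourceId` limits the resource-group and identity-name segments to `[a-zA-Z0-9-]+`, which rejects valid Azure resource IDs: resource group names may contain `_`, `.` and parentheses, user-assigned identity names may contain `_`, and the literal `resourceGroups` casing is not guaranteed since ARM treats the segment keywords case-insensitively. The Machine hunk further down already shows the idiomatic way to constrain this field, so I would drop the hand-written regex and type it as `resourceId: Azure.Core.armResourceIdentifier<[{ type: "Microsoft.ManagedIdentity/userAssignedIdentities" }]>;`, which tells the emitter the allowed resource type without guessing at name grammar. The doc on `IdentityBindingProperties.oidcIssuer` reads "The OIDC issuer URL of the IdentityBinding." although the property is the `IdentityBindingOidcIssuerProfile` object; `/** The OIDC issuer profile of the IdentityBinding. */` matches the type. The three identical GUID constraints on `objectId`, `clientId` and `tenantId` (`@maxLength(36)`, `@minLength(36)` and the same `@pattern`) would be better expressed once through a shared scalar such as Azure Core's `uuid`, so the rule lives in one place.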
@@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./ManagedCluster.tsp"; using TypeSpec.Rest; @@ -10,6 +10,11 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// JWTAuthenticator resource and operations +// ============================================================================= + /** * Configuration for JWT authenticator in the managed cluster. */ @@ -26,6 +31,16 @@ model JWTAuthenticator >; } +@@maxLength(JWTAuthenticator.name, 24); +@@minLength(JWTAuthenticator.name, 1); +@@doc(JWTAuthenticator.name, "The name of the JWT authenticator."); +@@doc(JWTAuthenticator.properties, + "The properties of JWTAuthenticator. For details on how to configure the properties of a JWT authenticator, please refer to the Kubernetes documentation: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration. Please note that not all fields available in the Kubernetes documentation are supported by AKS. For troubleshooting, please see https://aka.ms/aks-external-issuers-docs." +); +@@doc(JWTAuthenticators.createOrUpdate::parameters.resource, + "The JWT authenticator to create or update." +); + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" @armResourceOperations @added(Versions.v2025_10_02_preview) 
@@ -55,12 +70,172 @@ interface JWTAuthenticators { listByManagedCluster is ArmResourceListByParent; } -@@maxLength(JWTAuthenticator.name, 24); -@@minLength(JWTAuthenticator.name, 1); -@@doc(JWTAuthenticator.name, "The name of the JWT authenticator."); -@@doc(JWTAuthenticator.properties, - "The properties of JWTAuthenticator. For details on how to configure the properties of a JWT authenticator, please refer to the Kubernetes documentation: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration. Please note that not all fields available in the Kubernetes documentation are supported by AKS. For troubleshooting, please see https://aka.ms/aks-external-issuers-docs." -); -@@doc(JWTAuthenticators.createOrUpdate::parameters.resource, - "The JWT authenticator to create or update." -); +// ============================================================================= +// JWTAuthenticator models +// ============================================================================= + +/** + * The provisioning state of the last accepted operation. + */ +@added(Versions.v2025_10_02_preview) +union JWTAuthenticatorProvisioningState { + string, + + /** + * Resource has been created. + */ + Succeeded: "Succeeded", + + /** + * Resource creation failed. + */ + Failed: "Failed", + + /** + * Resource creation was canceled. + */ + Canceled: "Canceled", + + /** + * The JWT authenticator is being created. + */ + Creating: "Creating", + + /** + * The JWT authenticator is being updated. + */ + Updating: "Updating", + + /** + * The JWT authenticator is being deleted. + */ + Deleting: "Deleting", +} + +/** + * The properties of JWTAuthenticator. For details on how to configure the properties of a JWT authenticator, please refer to the Kubernetes documentation: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration. 
Please note that not all fields available in the Kubernetes documentation are supported by AKS. For troubleshooting, please see https://aka.ms/aks-external-issuers-docs. + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model JWTAuthenticatorProperties { + /** + * The current provisioning state of the JWT authenticator. + */ + @visibility(Lifecycle.Read) + provisioningState?: JWTAuthenticatorProvisioningState; + + /** + * The JWT OIDC issuer details. + */ + issuer: JWTAuthenticatorIssuer; + + /** + * The rules that are applied to validate token claims to authenticate users. All the expressions must evaluate to true for validation to succeed. + */ + @identifiers(#[]) + claimValidationRules?: JWTAuthenticatorValidationRule[]; + + /** + * The mappings that define how user attributes are extracted from the token claims. + */ + claimMappings: JWTAuthenticatorClaimMappings; + + /** + * The rules that are applied to the mapped user before completing authentication. All the expressions must evaluate to true for validation to succeed. + */ + @identifiers(#[]) + userValidationRules?: JWTAuthenticatorValidationRule[]; +} + +/** + * The OIDC issuer details for JWTAuthenticator. + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model JWTAuthenticatorIssuer { + /** + * The issuer URL. The URL must begin with the scheme https and cannot contain a query string or fragment. This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. + */ + url: string; + + /** + * The set of acceptable audiences the JWT must be issued to. At least one is required. When multiple is set, AudienceMatchPolicy is used in API Server configuration. 
+ */ + @minItems(1) + audiences: string[]; +} + +/** + * The validation rule for JWTAuthenticator. + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model JWTAuthenticatorValidationRule { + /** + * The CEL expression used to validate the claim or attribute. + */ + expression: string; + + /** + * The validation error message. + */ + message?: string; +} + +/** + * The claim mappings for JWTAuthenticator. + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model JWTAuthenticatorClaimMappings { + /** + * The expression to extract username attribute from the token claims. + */ + username: JWTAuthenticatorClaimMappingExpression; + + /** + * The expression to extract groups attribute from the token claims. When not provided, no groups are extracted from the token claims. + */ + groups?: JWTAuthenticatorClaimMappingExpression; + + /** + * The expression to extract uid attribute from the token claims. When not provided, no uid is extracted from the token claims. + */ + uid?: JWTAuthenticatorClaimMappingExpression; + + /** + * The expression to extract extra attribute from the token claims. When not provided, no extra attributes are extracted from the token claims. + */ + @identifiers(#[]) + extra?: JWTAuthenticatorExtraClaimMappingExpression[]; +} + +/** + * The claim mapping expression for JWTAuthenticator. + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model JWTAuthenticatorClaimMappingExpression { + /** + * The CEL expression used to access token claims. + */ + expression: string; +} + +/** + * The extra claim mapping expression for JWTAuthenticator. 
+ */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model JWTAuthenticatorExtraClaimMappingExpression { + /** + * The key of the extra attribute. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + key: string; + + /** + * The CEL expression used to extract the value of the extra attribute. + */ + valueExpression: string; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/LoadBalancer.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/LoadBalancer.tsp index a5b8358d8bdb..d1355afc3325 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/LoadBalancer.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/LoadBalancer.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./ManagedCluster.tsp"; using TypeSpec.Rest; 
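Review bot: `JWTAuthenticatorIssuer.url` is a bare `string` although its own doc promises the value begins with the `https` scheme, carries no query string or fragment, and must match the token's `iss` claim; nothing in the schema enforces any of that. The issuer URL is where the API server performs OIDC discovery and fetches signing keys, so rejecting a non-https or fragment-bearing value at the ARM layer is cheaper than discovering the misconfiguration on the cluster. A constructed example that encodes the documented rule is `@pattern("^https://[^?#]+$")` on `url`; the `url` scalar alone, as used for `oidcIssuerUrl` in the IdentityBinding hunk, would not pin the scheme. `JWTAuthenticatorExtraClaimMappingExpression.key` carries a `secret-prop` suppression whose justification is still the conversion placeholder; the field names an extra user attribute, so `#suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "key is the name of an extra user attribute, not a credential"` states the actual reason. The sentence "When multiple is set, AudienceMatchPolicy is used in API Server configuration." on `audiences` does not say what is set or to which value; if the behaviour is that more than one audience switches the API server's `audienceMatchPolicy` to `MatchAny`, the doc should say exactly that.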
@@ -10,6 +10,11 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// LoadBalancer resource and operations +// ============================================================================= + /** * The configurations regarding multiple standard load balancers. If not supplied, single load balancer mode will be used. Multiple standard load balancers mode will be used if at lease one configuration is supplied. There has to be a configuration named `kubernetes`. The name field will be the name of the corresponding public load balancer. There will be an internal load balancer created if needed, and the name will be `-internal`. The internal lb shares the same configurations as the external one. The internal lbs are not needed to be included in LoadBalancer list. */ @@ -25,6 +30,14 @@ model LoadBalancer >; } +@@maxLength(LoadBalancer.name, 12); +@@minLength(LoadBalancer.name, 1); +@@doc(LoadBalancer.name, "The name of the load balancer."); +@@doc(LoadBalancer.properties, "The properties of the load balancer."); +@@doc(LoadBalancers.createOrUpdate::parameters.resource, + "The load balancer to create or update." +); + @armResourceOperations @added(Versions.v2025_10_02_preview) interface LoadBalancers { 
@@ -53,10 +66,120 @@ interface LoadBalancers { listByManagedCluster is ArmResourceListByParent; } -@@maxLength(LoadBalancer.name, 12); -@@minLength(LoadBalancer.name, 1); -@@doc(LoadBalancer.name, "The name of the load balancer."); -@@doc(LoadBalancer.properties, "The properties of the load balancer."); -@@doc(LoadBalancers.createOrUpdate::parameters.resource, - "The load balancer to create or update." -); +// ============================================================================= +// LoadBalancer models +// ============================================================================= + +/** + * operator represents a key's relationship to a set of values. Valid operators are In and NotIn + */ +@added(Versions.v2025_10_02_preview) +union Operator { + string, + + /** + * The value of the key should be in the given list. + */ + In: "In", + + /** + * The value of the key should not be in the given list. + */ + NotIn: "NotIn", + + /** + * The value of the key should exist. + */ + Exists: "Exists", + + /** + * The value of the key should not exist. + */ + DoesNotExist: "DoesNotExist", +} + +/** Properties for a load balancer resource. */ +@added(Versions.v2025_10_02_preview) +model LoadBalancerProperties { + /** + * Required field. A string value that must specify the ID of an existing agent pool. All nodes in the given pool will always be added to this load balancer. This agent pool must have at least one node and minCount>=1 for autoscaling operations. An agent pool can only be the primary pool for a single load balancer. + */ + primaryAgentPoolName: string; + + /** + * Whether to automatically place services on the load balancer. If not supplied, the default value is true. If set to false manually, both of the external and the internal load balancer will not be selected for services unless they explicitly target it. + */ + allowServicePlacement?: boolean; + + /** + * Only services that must match this selector can be placed on this load balancer. 
+ */ + serviceLabelSelector?: LabelSelector; + + /** + * Services created in namespaces that match the selector can be placed on this load balancer. + */ + serviceNamespaceSelector?: LabelSelector; + + /** + * Nodes that match this selector will be possible members of this load balancer. + */ + nodeSelector?: LabelSelector; + + /** + * The current provisioning state. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @visibility(Lifecycle.Read) + provisioningState?: string; +} + +/** + * A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + */ +@added(Versions.v2025_10_02_preview) +model LabelSelector { + /** + * matchLabels is an array of {key=value} pairs. A single {key=value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is `key`, the operator is `In`, and the values array contains only `value`. The requirements are ANDed. + */ + matchLabels?: string[]; + + /** + * matchExpressions is a list of label selector requirements. The requirements are ANDed. + */ + @identifiers(#[]) + matchExpressions?: LabelSelectorRequirement[]; +} + +/** + * A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + */ +@added(Versions.v2025_10_02_preview) +model LabelSelectorRequirement { + /** + * key is the label key that the selector applies to. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/secret-prop" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + key?: string; + + /** + * operator represents a key's relationship to a set of values. 
Valid operators are In and NotIn + */ + operator?: Operator; + + /** + * values is an array of string values, the values array must be non-empty. + */ + values?: string[]; +} + +/** + * The names of the load balancers to rebalance. If set to empty, all load balancers will be rebalanced. + */ +@added(Versions.v2025_10_02_preview) +model RebalanceLoadBalancersRequestBody { + /** + * The load balancer names list. + */ + loadBalancerNames?: string[]; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/routes.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/LocationRoutes.tsp similarity index 85% rename from specification/containerservice/resource-manager/Microsoft.ContainerService/aks/routes.tsp rename to specification/containerservice/resource-manager/Microsoft.ContainerService/aks/LocationRoutes.tsp index 10f57ad3a92e..c68eb1c98734 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/routes.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/LocationRoutes.tsp @@ -1,6 +1,6 @@ import "@azure-tools/typespec-azure-core"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "@azure-tools/typespec-azure-resource-manager"; using TypeSpec.Rest; @@ -10,6 +10,10 @@ using Versioning; namespace Microsoft.ContainerService; +// ============================================================================= +// Location-scoped operation groups +// ============================================================================= + #suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-interface-requires-decorator" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" interface ManagedClustersOperationGroup { /** 
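Review bot: The doc on the `Operator` union and on `LabelSelectorRequirement.operator` says "Valid operators are In and NotIn", but the union itself declares `Exists` and `DoesNotExist` as well, so the generated swagger will document two members it then calls invalid. Both comments should read `operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.`. `values` is documented as "the values array must be non-empty" without a `@minItems(1)`; if that really holds for every operator it belongs in the schema, and if `Exists`/`DoesNotExist` take no values (as in the Kubernetes selector this appears to mirror) the doc should say so instead. `LabelSelector.matchLabels` is typed `string[]` but described as `{key=value}` pairs, leaving the element format to the reader; `/** matchLabels is an array of "key=value" strings. ... */` would make it explicit. `Operator` is also a very generic name to export at the top of the `Microsoft.ContainerService` namespace; if this is a new definition rather than one carried over from the published swagger, `LabelSelectorOperator` would avoid clashes in generated SDKs.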
@@ -61,21 +65,3 @@ interface ContainerServiceOperationGroup { Parameters = LocationResourceParameter >; } - -interface Operations { - /** - * Gets a list of operations. - */ - @tag("ManagedClusters") - @autoRoute - @segment("operations") - @list - list( - ...CommonTypes.ApiVersionParameter, - - @doc("Microsoft.ContainerService provider") - @path - @segment("providers") - provider: "Microsoft.ContainerService", - ): ArmResponse | ErrorResponse; -} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Machine.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Machine.tsp index a1ce7a8e33fb..a1ae8c2e3eac 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Machine.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Machine.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./AgentPool.tsp"; using TypeSpec.Rest; @@ -10,6 +10,11 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// Machine resource and operations +// ============================================================================= + /** * A machine. Contains details about the underlying virtual machine. A machine may be visible here but not in kubectl get nodes; if so it may be because the machine has not been registered with the Kubernetes API Server yet. */ 
@@ -30,6 +35,12 @@ model Machine is Azure.ResourceManager.ProxyResource { zones?: string[]; } +@@doc(Machine.name, "Host name of the machine."); +@@doc(Machine.properties, "The properties of the machine"); +@@doc(Machines.createOrUpdate::parameters.resource, + "The machine to create or update." +); + #suppress "@azure-tools/typespec-azure-resource-manager/no-resource-delete-operation" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" @armResourceOperations interface Machines { 
@@ -65,8 +76,427 @@ interface Machines { list is ArmResourceListByParent; } -@@doc(Machine.name, "Host name of the machine."); -@@doc(Machine.properties, "The properties of the machine"); -@@doc(Machines.createOrUpdate::parameters.resource, - "The machine to create or update." -); +// ============================================================================= +// Machine models +// ============================================================================= + +/** + * The drift action of the machine. Indicates whether a machine has deviated from its expected state due to changes in managed cluster properties, requiring corrective action. + */ +@added(Versions.v2025_10_02_preview) +union DriftAction { + string, + + /** + * The machine is up to date. + */ + Synced: "Synced", + + /** + * The machine has drifted and needs to be deleted and recreated. + */ + Recreate: "Recreate", +} + +/** + * Virtual machine state. Indicates the current state of the underlying virtual machine. + */ +union VmState { + string, + + /** + * The virtual machine is currently running. + */ + Running: "Running", + + /** + * The virtual machine has been deleted by the user or due to spot eviction. + */ + Deleted: "Deleted", +} + +/** + * The security settings of the machine. + */ +@added(Versions.v2025_10_02_preview) +model MachineSecurityProfile { + /** + * vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + enableVTPM?: boolean; + + /** + * Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. 
+ */ + enableSecureBoot?: boolean; + + /** + * SSH access method of an agent pool. + */ + sshAccess?: AgentPoolSSHAccess; + + /** + * Whether to enable host based OS and data drive encryption. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: https://docs.microsoft.com/azure/aks/enable-host-encryption + */ + enableEncryptionAtHost?: boolean; +} + +/** + * The hardware and GPU settings of the machine. + */ +@added(Versions.v2025_10_02_preview) +model MachineHardwareProfile { + /** + * The size of the VM. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: https://docs.microsoft.com/azure/aks/quotas-skus-regions + */ + vmSize?: string; + + /** + * GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. + */ + gpuInstanceProfile?: GPUInstanceProfile; + + /** + * The GPU settings of the machine. + */ + gpuProfile?: GPUProfile; +} + +/** + * The operating system and disk used by the machine. + */ +@added(Versions.v2025_10_02_preview) +model MachineOSProfile { + /** + * The operating system type. The default is Linux. + */ + osType?: OSType = OSType.Linux; + + /** + * Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + osSKU?: OSSKU; + + /** + * OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. 
+ */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @maxValue(2048) + @minValue(0) + osDiskSizeGB?: int32; + + /** + * The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see [Ephemeral OS](https://docs.microsoft.com/azure/aks/cluster-configuration#ephemeral-os). + */ + osDiskType?: OSDiskType; + + /** + * Whether to use a FIPS-enabled OS. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + enableFIPS?: boolean; + + /** + * The Linux machine's specific profile. + */ + linuxProfile?: MachineOSProfileLinuxProfile; + + /** + * The Windows machine's specific profile. + */ + windowsProfile?: AgentPoolWindowsProfile; +} + +/** + * The Linux machine's specific profile. + */ +#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model MachineOSProfileLinuxProfile { + /** + * The OS configuration of Linux machine. + */ + linuxOSConfig?: LinuxOSConfig; + + /** + * Message of the day for Linux nodes, base64-encoded. A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). + */ + messageOfTheDay?: string; +} + +/** + * The Kubernetes configurations used by the machine. + */ +@added(Versions.v2025_10_02_preview) +model MachineKubernetesProfile { + /** + * The node labels on the machine. 
+ */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + nodeLabels?: Record; + + /** + * The version of Kubernetes specified by the user. Both patch version and are supported. When is specified, the latest supported patch version is chosen automatically. + */ + orchestratorVersion?: string; + + /** + * The version of Kubernetes running on the machine. If orchestratorVersion was a fully specified version , this field will be exactly equal to it. If orchestratorVersion was , this field will contain the full version being used. + */ + @visibility(Lifecycle.Read) + currentOrchestratorVersion?: string; + + /** + * Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. + */ + kubeletDiskType?: KubeletDiskType; + + /** + * The Kubelet configuration on the machine. + */ + kubeletConfig?: KubeletConfig; + + /** + * Taints added on the node during creation that will not be reconciled by AKS. These taints will not be reconciled by AKS and can be removed with a kubectl call. These taints allow for required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule' that then can be removed with `kubectl taint nodes node1 key1=value1:NoSchedule-` + */ + nodeInitializationTaints?: string[]; + + /** + * The taints added to new node during machine create. For example, key=value:NoSchedule. + */ + nodeTaints?: string[]; + + /** + * The maximum number of pods that can run on a node. + */ + maxPods?: int32; + + /** + * The node name in the Kubernetes cluster. + */ + @visibility(Lifecycle.Read) + nodeName?: string; + + /** + * Determines the type of workload a node can run. + */ + workloadRuntime?: WorkloadRuntime; + + /** + * Configuration for using artifact streaming on AKS. 
+ */ + artifactStreamingProfile?: AgentPoolArtifactStreamingProfile; +} + +/** + * Contains read-only information about the machine. + */ +@added(Versions.v2025_10_02_preview) +model MachineStatus { + /** + * The error details information of the machine. Preserves the detailed info of failure. If there was no error, this field is omitted. + */ + @visibility(Lifecycle.Read) + provisioningError?: Azure.ResourceManager.CommonTypes.ErrorDetail; + + /** + * Specifies the time at which the machine was created. + */ + @visibility(Lifecycle.Read) + // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. + creationTimestamp?: utcDateTime; + + /** + * The drift action of the machine. Indicates whether a machine has deviated from its expected state due to changes in managed cluster properties, requiring corrective action. + */ + @visibility(Lifecycle.Read) + driftAction?: DriftAction; + + /** + * Reason for machine drift. Provides detailed information on why the machine has drifted. This field is omitted if the machine is up to date. + */ + @visibility(Lifecycle.Read) + driftReason?: string; + + /** + * Virtual machine state. Indicates the current state of the underlying virtual machine. + */ + @visibility(Lifecycle.Read) + vmState?: VmState; +} + +/** + * The properties of the machine + */ +#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model MachineProperties { + /** + * network properties of the machine + */ + @visibility(Lifecycle.Read) + network?: MachineNetworkProperties; + + /** + * Azure resource id of the machine. 
It can be used to GET underlying VM Instance + */ + @visibility(Lifecycle.Read) + resourceId?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.Compute/virtualMachines"; + }, + { + type: "Microsoft.Compute/virtualMachineScaleSets/virtualMachines"; + } + ]>; + + /** + * The hardware and GPU settings of the machine. + */ + @added(Versions.v2025_10_02_preview) + hardware?: MachineHardwareProfile; + + /** + * The operating system and disk used by the machine. + */ + @added(Versions.v2025_10_02_preview) + operatingSystem?: MachineOSProfile; + + /** + * The Kubernetes configurations used by the machine. + */ + @added(Versions.v2025_10_02_preview) + kubernetes?: MachineKubernetesProfile; + + /** + * Machine only allows 'System' and 'User' mode. + */ + @added(Versions.v2025_10_02_preview) + mode?: AgentPoolMode; + + /** + * The security settings of the machine. + */ + @added(Versions.v2025_10_02_preview) + security?: MachineSecurityProfile; + + /** + * The priority for the machine. If not specified, the default is 'Regular'. + */ + @added(Versions.v2025_10_02_preview) + priority?: ScaleSetPriority = ScaleSetPriority.Regular; + + /** + * The version of node image. + */ + @added(Versions.v2025_10_02_preview) + @visibility(Lifecycle.Read) + nodeImageVersion?: string; + + /** + * The current deployment or provisioning state. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @added(Versions.v2025_10_02_preview) + @visibility(Lifecycle.Read) + provisioningState?: string; + + /** + * The tags to be persisted on the machine. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @added(Versions.v2025_10_02_preview) + tags?: Record; + + /** + * Unique read-only string used to implement optimistic concurrency. 
The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal eTag convention. + */ + @added(Versions.v2025_10_02_preview) + @visibility(Lifecycle.Read) + eTag?: string; + + /** + * Contains read-only information about the machine. + */ + @added(Versions.v2025_10_02_preview) + @visibility(Lifecycle.Read) + status?: MachineStatus; +} + +/** + * network properties of the machine + */ +model MachineNetworkProperties { + /** + * IPv4, IPv6 addresses of the machine + */ + @visibility(Lifecycle.Read) + @identifiers(#[]) + ipAddresses?: MachineIpAddress[]; + + /** + * The ID of the subnet which node and optionally pods will join on startup. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @added(Versions.v2025_10_02_preview) + vnetSubnetID?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.Network/virtualNetworks/subnets"; + } + ]>; + + /** + * The ID of the subnet which pods will join when launched. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). 
This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @added(Versions.v2025_10_02_preview) + podSubnetID?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.Network/virtualNetworks/subnets"; + } + ]>; + + /** + * Whether the machine is allocated its own public IP. Some scenarios may require the machine to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. The default is false. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @added(Versions.v2025_10_02_preview) + enableNodePublicIP?: boolean; + + /** + * The public IP prefix ID which VM node should use IPs from. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @added(Versions.v2025_10_02_preview) + nodePublicIPPrefixID?: Azure.Core.armResourceIdentifier<[ + { + type: "Microsoft.Network/publicIPPrefixes"; + } + ]>; + + /** + * IPTags of instance-level public IPs. + */ + #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + @added(Versions.v2025_10_02_preview) + @identifiers(#[]) + nodePublicIPTags?: IPTag[]; +} + +/** + * The machine IP address details. 
+ */
+model MachineIpAddress {
+ /**
+ * To determine if address belongs IPv4 or IPv6 family
+ */
+ @visibility(Lifecycle.Read)
+ family?: IPFamily;
+
+ /**
+ * IPv4 or IPv6 address of the machine
+ */
+ @visibility(Lifecycle.Read)
+ ip?: string;
+}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MaintenanceConfiguration.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MaintenanceConfiguration.tsp
index 9ec9c91191fc..ce557381432f 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MaintenanceConfiguration.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MaintenanceConfiguration.tsp
@@ -1,7 +1,7 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 import "./ManagedCluster.tsp";
 
 using TypeSpec.Rest;
@@ -9,6 +9,11 @@ using Azure.ResourceManager;
 using TypeSpec.Http;
 
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// MaintenanceConfiguration resource and operations
+// =============================================================================
+
 /**
 * Planned maintenance configuration, used to configure when updates can be deployed to a Managed Cluster. See [planned maintenance](https://docs.microsoft.com/azure/aks/planned-maintenance) for more information about planned maintenance.
 */
@@ -23,6 +28,16 @@ model MaintenanceConfiguration
 >;
 }
 
+@@doc(MaintenanceConfiguration.name,
+ "The name of the maintenance configuration. Supported values are 'default', 'aksManagedAutoUpgradeSchedule', or 'aksManagedNodeOSUpgradeSchedule'."
+);
+@@doc(MaintenanceConfiguration.properties,
+ "Properties of a default maintenance configuration."
+);
+@@doc(MaintenanceConfigurations.createOrUpdate::parameters.resource,
+ "The maintenance configuration to create or update."
+);
+
 @armResourceOperations
 interface MaintenanceConfigurations {
 /**
@@ -46,12 +61,278 @@ interface MaintenanceConfigurations { listByManagedCluster is ArmResourceListByParent; } -@@doc(MaintenanceConfiguration.name, - "The name of the maintenance configuration. Supported values are 'default', 'aksManagedAutoUpgradeSchedule', or 'aksManagedNodeOSUpgradeSchedule'." -); -@@doc(MaintenanceConfiguration.properties, - "Properties of a default maintenance configuration." -); -@@doc(MaintenanceConfigurations.createOrUpdate::parameters.resource, - "The maintenance configuration to create or update." -); +// ============================================================================= +// MaintenanceConfiguration models +// ============================================================================= + +/** + * The weekday enum. + */ +union WeekDay { + string, + + /** Represents Sunday. */ + Sunday: "Sunday", + + /** Represents Monday. */ + Monday: "Monday", + + /** Represents Tuesday. */ + Tuesday: "Tuesday", + + /** Represents Wednesday. */ + Wednesday: "Wednesday", + + /** Represents Thursday. */ + Thursday: "Thursday", + + /** Represents Friday. */ + Friday: "Friday", + + /** Represents Saturday. */ + Saturday: "Saturday", +} + +/** + * The week index. Specifies on which week of the month the dayOfWeek applies. + */ +union Type { + string, + + /** + * First week of the month. + */ + First: "First", + + /** + * Second week of the month. + */ + Second: "Second", + + /** + * Third week of the month. + */ + Third: "Third", + + /** + * Fourth week of the month. + */ + Fourth: "Fourth", + + /** + * Last week of the month. + */ + Last: "Last", +} + +/** + * Properties used to configure planned maintenance for a Managed Cluster. + */ +#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model MaintenanceConfigurationProperties { + /** + * Time slots during the week when planned maintenance is allowed to proceed. 
If two array entries specify the same day of the week, the applied configuration is the union of times in both entries. + */ + @identifiers(#[]) + timeInWeek?: TimeInWeek[]; + + /** + * Time slots on which upgrade is not allowed. + */ + @identifiers(#[]) + notAllowedTime?: TimeSpan[]; + + /** + * Maintenance window for the maintenance configuration. + */ + maintenanceWindow?: MaintenanceWindow; +} + +/** + * Time in a week. + */ +model TimeInWeek { + /** + * The day of the week. + */ + day?: WeekDay; + + /** + * A list of hours in the day used to identify a time range. Each integer hour represents a time range beginning at 0m after the hour ending at the next hour (non-inclusive). 0 corresponds to 00:00 UTC, 23 corresponds to 23:00 UTC. Specifying [0, 1] means the 00:00 - 02:00 UTC time range. + */ + hourSlots?: HourInDay[]; +} + +/** + * Hour in a day. + */ +@minValue(0) +@maxValue(23) +scalar HourInDay extends int32; + +/** + * A time range. For example, between 2021-05-25T13:00:00Z and 2021-05-25T14:00:00Z. + */ +model TimeSpan { + /** + * The start of a time span + */ + // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. + start?: utcDateTime; + + /** + * The end of a time span + */ + // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. + end?: utcDateTime; +} + +/** + * Maintenance window used to configure scheduled auto-upgrade for a Managed Cluster. + */ +model MaintenanceWindow { + /** + * Recurrence schedule for the maintenance window. + */ + schedule: Schedule; + + /** + * Length of maintenance window range from 4 to 24 hours. + */ + @maxValue(24) + @minValue(4) + durationHours: int32 = 24; + + /** + * The UTC offset in format +/-HH:mm. For example, '+05:30' for IST and '-07:00' for PST. If not specified, the default is '+00:00'. + */ + @pattern("^(-|\\+)[0-9]{2}:[0-9]{2}$") + utcOffset?: string; + + /** + * The date the maintenance window activates. 
If the current date is before this date, the maintenance window is inactive and will not be used for upgrades. If not specified, the maintenance window will be active right away. + */ + startDate?: plainDate; + + /** + * The start time of the maintenance window. Accepted values are from '00:00' to '23:59'. 'utcOffset' applies to this field. For example: '02:00' with 'utcOffset: +02:00' means UTC time '00:00'. + */ + @pattern("^\\d{2}:\\d{2}$") + startTime: string; + + /** + * Date ranges on which upgrade is not allowed. 'utcOffset' applies to this field. For example, with 'utcOffset: +02:00' and 'dateSpan' being '2022-12-23' to '2023-01-03', maintenance will be blocked from '2022-12-22 22:00' to '2023-01-03 22:00' in UTC time. + */ + @identifiers(#[]) + notAllowedDates?: DateSpan[]; +} + +/** + * One and only one of the schedule types should be specified. Choose either 'daily', 'weekly', 'absoluteMonthly' or 'relativeMonthly' for your maintenance schedule. + */ +model Schedule { + /** + * For schedules like: 'recur every day' or 'recur every 3 days'. + */ + daily?: DailySchedule; + + /** + * For schedules like: 'recur every Monday' or 'recur every 3 weeks on Wednesday'. + */ + weekly?: WeeklySchedule; + + /** + * For schedules like: 'recur every month on the 15th' or 'recur every 3 months on the 20th'. + */ + absoluteMonthly?: AbsoluteMonthlySchedule; + + /** + * For schedules like: 'recur every month on the first Monday' or 'recur every 3 months on last Friday'. + */ + relativeMonthly?: RelativeMonthlySchedule; +} + +/** + * For schedules like: 'recur every day' or 'recur every 3 days'. + */ +model DailySchedule { + /** + * Specifies the number of days between each set of occurrences. + */ + @maxValue(7) + @minValue(1) + intervalDays: int32; +} + +/** + * For schedules like: 'recur every Monday' or 'recur every 3 weeks on Wednesday'. + */ +model WeeklySchedule { + /** + * Specifies the number of weeks between each set of occurrences. 
+ */ + @maxValue(4) + @minValue(1) + intervalWeeks: int32; + + /** + * Specifies on which day of the week the maintenance occurs. + */ + dayOfWeek: WeekDay; +} + +/** + * For schedules like: 'recur every month on the 15th' or 'recur every 3 months on the 20th'. + */ +model AbsoluteMonthlySchedule { + /** + * Specifies the number of months between each set of occurrences. + */ + @maxValue(6) + @minValue(1) + intervalMonths: int32; + + /** + * The date of the month. + */ + @maxValue(31) + @minValue(1) + dayOfMonth: int32; +} + +/** + * For schedules like: 'recur every month on the first Monday' or 'recur every 3 months on last Friday'. + */ +model RelativeMonthlySchedule { + /** + * Specifies the number of months between each set of occurrences. + */ + @maxValue(6) + @minValue(1) + intervalMonths: int32; + + /** + * The week index. Specifies on which week of the month the dayOfWeek applies. + */ + weekIndex: Type; + + /** + * Specifies on which day of the week the maintenance occurs. + */ + dayOfWeek: WeekDay; +} + +/** + * A date range. For example, between '2022-12-23' and '2023-01-05'. + */ +model DateSpan { + /** + * The start date of the date span. + */ + start: plainDate; + + /** + * The end date of the date span. + */ + end: plainDate; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedCluster.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedCluster.tsp index ca735b9c0db0..a78863c8c10a 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedCluster.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedCluster.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; using TypeSpec.Rest; using Azure.ResourceManager; 
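Review bot: The `@pattern("^\\d{2}:\\d{2}$")` on `MaintenanceWindow.startTime` admits values such as '99:99' even though the doc comment restricts the field to '00:00' through '23:59', and the `^(-|\\+)[0-9]{2}:[0-9]{2}$` pattern on `utcOffset` likewise accepts '+99:99'; the service presumably rejects these, but the schema is what generated clients validate against. If the emitted swagger must stay identical to the previous hand-written one, keep the patterns and state the behaviour in the doc comments instead, e.g. `Values outside 00:00-23:59 are rejected by the service.`; otherwise `@pattern("^([01]\\d|2[0-3]):[0-5]\\d$")` expresses the documented range for startTime. Separately, `union Type` is a very generic name to sit directly in the Microsoft.ContainerService namespace; if it has to keep that name for swagger definition-name compatibility, a one-line comment saying so would stop the next reader from renaming it.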
@@ -9,6 +9,217 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +/** + * The list of available versions for an agent pool. + */ +model AgentPoolAvailableVersions { + /** + * The ID of the agent pool version list. + */ + @visibility(Lifecycle.Read) + id?: string; + + /** + * The name of the agent pool version list. + */ + @visibility(Lifecycle.Read) + name?: string; + + /** + * Type of the agent pool version list. + */ + @visibility(Lifecycle.Read) + type?: string; + + /** + * Properties of agent pool available versions. + */ + properties: AgentPoolAvailableVersionsProperties; +} + +/** + * The list of available agent pool versions. + */ +model AgentPoolAvailableVersionsProperties { + /** + * List of versions available for agent pool. + */ + @identifiers(#[]) + agentPoolVersions?: AgentPoolAvailableVersionsPropertiesAgentPoolVersionsItem[]; +} + +/** Available version information for an agent pool. */ +model AgentPoolAvailableVersionsPropertiesAgentPoolVersionsItem { + /** + * Whether this version is the default agent pool version. + */ + default?: boolean; + + /** + * The Kubernetes version (major.minor.patch). + */ + kubernetesVersion?: string; + + /** + * Whether Kubernetes version is currently in preview. + */ + isPreview?: boolean; +} + +/** + * A run command request + */ +model RunCommandRequest { + /** + * The command to run. + */ + command: string; + + /** + * A base64 encoded zip file containing the files required by the command. + */ + context?: string; + + /** + * AuthToken issued for AKS AAD Server App. + */ + clusterToken?: string; +} + +/** + * run command result. + */ +model RunCommandResult { + /** + * The command id. + */ + @visibility(Lifecycle.Read) + id?: string; + + /** + * Properties of command result. 
+ */ + properties?: CommandResultProperties; +} + +/** + * The results of a run command + */ +model CommandResultProperties { + /** + * provisioning State + */ + @visibility(Lifecycle.Read) + provisioningState?: string; + + /** + * The exit code of the command + */ + @visibility(Lifecycle.Read) + exitCode?: int32; + + /** + * The time when the command started. + */ + @visibility(Lifecycle.Read) + // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. + startedAt?: utcDateTime; + + /** + * The time when the command finished. + */ + @visibility(Lifecycle.Read) + // FIXME: (utcDateTime) Please double check that this is the correct type for your scenario. + finishedAt?: utcDateTime; + + /** + * The command output. + */ + @visibility(Lifecycle.Read) + logs?: string; + + /** + * An explanation of why provisioningState is set to failed (if so). + */ + @visibility(Lifecycle.Read) + reason?: string; +} + +/** + * Collection of OutboundEnvironmentEndpoint + */ +model OutboundEnvironmentEndpointCollection + is Azure.Core.Page; + +/** + * Egress endpoints which AKS agent nodes connect to for common purpose. + */ +model OutboundEnvironmentEndpoint { + /** + * The category of endpoints accessed by the AKS agent node, e.g. azure-resource-management, apiserver, etc. + */ + category?: string; + + /** + * The endpoints that AKS agent nodes connect to + */ + @identifiers(#[]) + endpoints?: EndpointDependency[]; +} + +/** + * A domain name that AKS agent nodes are reaching at. + */ +model EndpointDependency { + /** + * The domain name of the dependency. + */ + domainName?: string; + + /** + * The Ports and Protocols used when connecting to domainName. + */ + @identifiers(#[]) + endpointDetails?: EndpointDetail[]; +} + +/** + * connect information from the AKS agent nodes to a single endpoint. + */ +model EndpointDetail { + /** + * An IP Address that Domain Name currently resolves to. 
+ */ + ipAddress?: string; + + /** + * The port an endpoint is connected to. + */ + port?: int32; + + /** + * The protocol used for connection + */ + protocol?: string; + + /** + * Description of the detail + */ + description?: string; +} + +/** + * A list of private link resources + */ +model PrivateLinkResourcesListResult { + /** + * The collection value. + */ + @pageItems + value?: PrivateLinkResource[]; +} + /** * Managed cluster. */ diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterSnapshot.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterSnapshot.tsp index f2d530cc9aa3..4f8adb50bc8e 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterSnapshot.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterSnapshot.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; using TypeSpec.Rest; using Azure.ResourceManager; @@ -9,6 +9,11 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// ManagedClusterSnapshot resource and operations +// ============================================================================= + /** * A managed cluster snapshot resource. */ 
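Review bot: `RunCommandRequest.clusterToken` carries an AAD auth token for the cluster but is declared as a plain `string` with no `@secret` decorator, so generated SDKs and tooling will treat it like any other loggable field; `@secret clusterToken?: string;` marks it as sensitive in the emitted schema. The same consideration applies, more weakly, to `CommandResultProperties.logs`, which is raw command output from the cluster, and the doc comment there could at least say that it may contain sensitive data. `RunCommandRequest.context` is documented as a base64 zip but typed as `string`; if the previous swagger also used a plain string this is fine to keep, but it is worth a comment so nobody later "fixes" it to `bytes` and changes the wire format.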
@@ -23,6 +28,19 @@ model ManagedClusterSnapshot
 >;
 }
 
+@@maxLength(ManagedClusterSnapshot.name, 63);
+@@minLength(ManagedClusterSnapshot.name, 1);
+@@doc(ManagedClusterSnapshot.name, "The name of the managed cluster resource.");
+@@doc(ManagedClusterSnapshot.properties,
+ "Properties of a managed cluster snapshot."
+);
+@@doc(ManagedClusterSnapshots.createOrUpdate::parameters.resource,
+ "The managed cluster snapshot to create or update."
+);
+@@doc(ManagedClusterSnapshots.updateTags::parameters.properties,
+ "Parameters supplied to the Update managed cluster snapshot Tags operation."
+);
+
 @armResourceOperations
 @added(Versions.v2025_10_02_preview)
 interface ManagedClusterSnapshots {
@@ -61,15 +79,87 @@ interface ManagedClusterSnapshots { list is ArmListBySubscription; } -@@maxLength(ManagedClusterSnapshot.name, 63); -@@minLength(ManagedClusterSnapshot.name, 1); -@@doc(ManagedClusterSnapshot.name, "The name of the managed cluster resource."); -@@doc(ManagedClusterSnapshot.properties, - "Properties of a managed cluster snapshot." -); -@@doc(ManagedClusterSnapshots.createOrUpdate::parameters.resource, - "The managed cluster snapshot to create or update." -); -@@doc(ManagedClusterSnapshots.updateTags::parameters.properties, - "Parameters supplied to the Update managed cluster snapshot Tags operation." -); +// ============================================================================= +// ManagedClusterSnapshot models +// ============================================================================= + +/** + * Properties for a managed cluster snapshot. + */ +#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +@added(Versions.v2025_10_02_preview) +model ManagedClusterSnapshotProperties { + /** + * CreationData to be used to specify the source resource ID to create this snapshot. + */ + creationData?: CreationData; + + /** + * The type of a snapshot. The default is NodePool. + */ + snapshotType?: SnapshotType = SnapshotType.NodePool; + + /** + * What the properties will be showed when getting managed cluster snapshot. Those properties are read-only. + */ + @visibility(Lifecycle.Read) + managedClusterPropertiesReadOnly?: ManagedClusterPropertiesForSnapshot; +} + +/** + * managed cluster properties for snapshot, these properties are read only. + */ +@added(Versions.v2025_10_02_preview) +model ManagedClusterPropertiesForSnapshot { + /** + * The current kubernetes version. + */ + kubernetesVersion?: string; + + /** + * The current managed cluster sku. 
+ */ + sku?: ManagedClusterSKU; + + /** + * Whether the cluster has enabled Kubernetes Role-Based Access Control or not. + */ + enableRbac?: boolean; + + /** + * The current network profile. + */ + @visibility(Lifecycle.Read) + networkProfile?: NetworkProfileForSnapshot; +} + +/** + * network profile for managed cluster snapshot, these properties are read only. + */ +@added(Versions.v2025_10_02_preview) +model NetworkProfileForSnapshot { + /** + * networkPlugin for managed cluster snapshot. + */ + networkPlugin?: NetworkPlugin; + + /** + * NetworkPluginMode for managed cluster snapshot. + */ + networkPluginMode?: NetworkPluginMode; + + /** + * networkPolicy for managed cluster snapshot. + */ + networkPolicy?: NetworkPolicy; + + /** + * networkMode for managed cluster snapshot. + */ + networkMode?: NetworkMode; + + /** + * loadBalancerSku for managed cluster snapshot. + */ + loadBalancerSku?: LoadBalancerSku; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterUpgradeProfile.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterUpgradeProfile.tsp index b202b38bdf34..258154596c8b 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterUpgradeProfile.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedClusterUpgradeProfile.tsp 
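Review bot: `ManagedClusterPropertiesForSnapshot` is documented as "these properties are read only", yet only `networkProfile` carries `@visibility(Lifecycle.Read)`; `kubernetesVersion`, `sku` and `enableRbac` are left read-write, and none of the properties of `NetworkProfileForSnapshot` are marked either. The containing `managedClusterPropertiesReadOnly` property is itself read-only, so this is harmless as long as the model is only used there, but it becomes misleading the moment the model is reused; either mark the remaining properties `@visibility(Lifecycle.Read)` or drop the decorator from `networkProfile` and let the parent property carry the contract. If the asymmetry is inherited from the previous swagger and must be preserved, a short comment on the model saying so would help.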
@@ -1,14 +1,20 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 import "./ManagedCluster.tsp";
 
 using TypeSpec.Rest;
 using Azure.ResourceManager;
 using TypeSpec.Http;
+using Versioning;
 
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// ManagedClusterUpgradeProfile resource and operations
+// =============================================================================
+
 /**
 * The list of available upgrades for compute pools.
 */
@@ -27,6 +33,11 @@ model ManagedClusterUpgradeProfile
 >;
 }
 
+@@doc(ManagedClusterUpgradeProfile.name, "");
+@@doc(ManagedClusterUpgradeProfile.properties,
+ "The properties of the upgrade profile."
+);
+
 @armResourceOperations(#{ omitTags: true })
 interface ManagedClusterUpgradeProfiles {
 /**
@@ -36,7 +47,75 @@ interface ManagedClusterUpgradeProfiles { getUpgradeProfile is ArmResourceRead; } -@@doc(ManagedClusterUpgradeProfile.name, ""); -@@doc(ManagedClusterUpgradeProfile.properties, - "The properties of the upgrade profile." -); +// ============================================================================= +// ManagedClusterUpgradeProfile models +// ============================================================================= + +/** + * Control plane and agent pool upgrade profiles. + */ +#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" +model ManagedClusterUpgradeProfileProperties { + /** + * The list of available upgrade versions for the control plane. + */ + controlPlaneProfile: ManagedClusterPoolUpgradeProfile; + + /** + * The list of available upgrade versions for agent pools. + */ + @identifiers(#[]) + agentPoolProfiles: ManagedClusterPoolUpgradeProfile[]; +} + +/** + * The list of available upgrade versions. + */ +model ManagedClusterPoolUpgradeProfile { + /** + * The Kubernetes version (major.minor.patch). + */ + kubernetesVersion: string; + + /** + * The Agent Pool name. + */ + name?: string; + + /** + * The operating system type. The default is Linux. + */ + osType: OSType = OSType.Linux; + + /** + * List of orchestrator types and versions available for upgrade. + */ + @identifiers(#[]) + upgrades?: ManagedClusterPoolUpgradeProfileUpgradesItem[]; + + /** + * List of components grouped by kubernetes major.minor version. + */ + @added(Versions.v2025_10_02_preview) + @identifiers(#[]) + componentsByReleases?: ComponentsByRelease[]; +} + +/** Available upgrades for an AgentPool. */ +model ManagedClusterPoolUpgradeProfileUpgradesItem { + /** + * The Kubernetes version (major.minor.patch). + */ + kubernetesVersion?: string; + + /** + * Whether the Kubernetes version is currently in preview. 
+ */ + isPreview?: boolean; + + /** + * Whether the Kubernetes version is out of support. + */ + @added(Versions.v2025_10_02_preview) + isOutOfSupport?: boolean; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedNamespace.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedNamespace.tsp index ab26daa6e4aa..36ee05553fde 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedNamespace.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/ManagedNamespace.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./ManagedCluster.tsp"; using TypeSpec.Rest; @@ -9,6 +9,11 @@ using Azure.ResourceManager; using TypeSpec.Http; namespace Microsoft.ContainerService; + +// ============================================================================= +// ManagedNamespace resource and operations +// ============================================================================= + /** * Namespace managed by ARM. */ @@ -25,6 +30,17 @@ model ManagedNamespace ...Azure.ResourceManager.EntityTagProperty; } +@@maxLength(ManagedNamespace.name, 63); +@@minLength(ManagedNamespace.name, 1); +@@doc(ManagedNamespace.name, "The name of the managed namespace."); +@@doc(ManagedNamespace.properties, "Properties of a namespace."); +@@doc(ManagedNamespaces.createOrUpdate::parameters.resource, + "The namespace to create or update." +); +@@doc(ManagedNamespaces.update::parameters.properties, + "Parameters supplied to the patch namespace operation, we only support patch tags for now." +); + @armResourceOperations interface ManagedNamespaces { /** 
@@ -67,13 +83,181 @@ interface ManagedNamespaces { >; } -@@maxLength(ManagedNamespace.name, 63); -@@minLength(ManagedNamespace.name, 1); -@@doc(ManagedNamespace.name, "The name of the managed namespace."); -@@doc(ManagedNamespace.properties, "Properties of a namespace."); -@@doc(ManagedNamespaces.createOrUpdate::parameters.resource, - "The namespace to create or update." -); -@@doc(ManagedNamespaces.update::parameters.properties, - "Parameters supplied to the patch namespace operation, we only support patch tags for now." -); +// ============================================================================= +// ManagedNamespace models +// ============================================================================= + +/** + * The current provisioning state of the namespace. + */ +union NamespaceProvisioningState { + string, + + /** The namespace is being updated. */ + Updating: "Updating", + + /** The namespace is being deleted. */ + Deleting: "Deleting", + + /** The namespace is being created. */ + Creating: "Creating", + + /** The namespace provisioning succeeded. */ + Succeeded: "Succeeded", + + /** The namespace provisioning failed. */ + Failed: "Failed", + + /** The namespace provisioning was canceled. */ + Canceled: "Canceled", +} + +/** + * Enum representing different network policy rules. + */ +union PolicyRule { + string, + + /** + * Deny all network traffic. + */ + DenyAll: "DenyAll", + + /** + * Allow all network traffic. + */ + AllowAll: "AllowAll", + + /** + * Allow traffic within the same namespace. + */ + AllowSameNamespace: "AllowSameNamespace", +} + +/** + * Action if Kubernetes namespace with same name already exists. + */ +union AdoptionPolicy { + string, + + /** + * If the namespace already exists in Kubernetes, attempts to create that same namespace in ARM will fail. + */ + Never: "Never", + + /** + * Take over the existing namespace to be managed by ARM, if there is no difference. 
+ */ + IfIdentical: "IfIdentical", + + /** + * Always take over the existing namespace to be managed by ARM, some fields might be overwritten. + */ + Always: "Always", +} + +/** + * Delete options of a namespace. + */ +union DeletePolicy { + string, + + /** + * Only delete the ARM resource, keep the Kubernetes namespace. Also delete the ManagedByARM label. + */ + Keep: "Keep", + + /** + * Delete both the ARM resource and the Kubernetes namespace together. + */ + Delete: "Delete", +} + +/** + * Properties of a namespace managed by ARM + */ +model NamespaceProperties { + /** + * The current provisioning state of the namespace. + */ + @visibility(Lifecycle.Read) + provisioningState?: NamespaceProvisioningState; + + /** + * The labels of managed namespace. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + labels?: Record; + + /** + * The annotations of managed namespace. + */ + #suppress "@azure-tools/typespec-azure-resource-manager/arm-no-record" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details" + annotations?: Record; + + /** + * The special FQDN used by the Azure Portal to access the Managed Cluster. This FQDN is for use only by the Azure Portal and should not be used by other clients. The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly. + */ + @visibility(Lifecycle.Read) + portalFqdn?: string; + + /** + * The default resource quota enforced upon the namespace. Customers can have other Kubernetes resource quota objects under the namespace. Resource quotas are additive; if multiple resource quotas are applied to a given namespace, then the effective limit will be one such that all quotas on the namespace can be satisfied. 
+ */ + defaultResourceQuota?: ResourceQuota; + + /** + * The default network policy enforced upon the namespace. Customers can have other Kubernetes network policy objects under the namespace. Network policies are additive; if a policy or policies apply to a given pod for a given direction, the connections allowed in that direction for the pod is the union of what all applicable policies allow. + */ + defaultNetworkPolicy?: NetworkPolicies; + + /** + * Action if Kubernetes namespace with same name already exists. + */ + adoptionPolicy?: AdoptionPolicy; + + /** + * Delete options of a namespace. + */ + deletePolicy?: DeletePolicy; +} + +/** + * Resource quota for the namespace. + */ +model ResourceQuota { + /** + * CPU request of the namespace in one-thousandth CPU form. See [CPU resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu) for more details. + */ + cpuRequest?: string; + + /** + * CPU limit of the namespace in one-thousandth CPU form. See [CPU resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu) for more details. + */ + cpuLimit?: string; + + /** + * Memory request of the namespace in the power-of-two equivalents form: Ei, Pi, Ti, Gi, Mi, Ki. See [Memory resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory) for more details. + */ + memoryRequest?: string; + + /** + * Memory limit of the namespace in the power-of-two equivalents form: Ei, Pi, Ti, Gi, Mi, Ki. See [Memory resource units](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory) for more details. + */ + memoryLimit?: string; +} + +/** + * Default network policy of the namespace, specifying ingress and egress rules. + */ +model NetworkPolicies { + /** + * Enum representing different network policy rules. 
+ */ + ingress?: PolicyRule = PolicyRule.AllowSameNamespace; + + /** + * Enum representing different network policy rules. + */ + egress?: PolicyRule = PolicyRule.AllowAll; +} diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshMembership.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshMembership.tsp index daf33b6dccc6..aa8d4cbecd84 100644 --- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshMembership.tsp +++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshMembership.tsp @@ -1,7 +1,7 @@ import "@azure-tools/typespec-azure-core"; import "@azure-tools/typespec-azure-resource-manager"; import "@typespec/rest"; -import "./models.tsp"; +import "./CommonModels.tsp"; import "./ManagedCluster.tsp"; using TypeSpec.Rest; @@ -10,6 +10,11 @@ using TypeSpec.Http; using Versioning; namespace Microsoft.ContainerService; + +// ============================================================================= +// MeshMembership resource and operations +// ============================================================================= + /** * Mesh membership of a managed cluster. */ @@ -34,6 +39,16 @@ model MeshMembership ...Azure.ResourceManager.EntityTagProperty; } +@@maxLength(MeshMembership.name, 63); +@@minLength(MeshMembership.name, 1); +@@doc(MeshMembership.name, "The name of the mesh membership."); +@@doc(MeshMembership.properties, + "Mesh membership properties of a managed cluster." +); +@@doc(MeshMemberships.createOrUpdate::parameters.resource, + "The mesh membership to create or update." +); + @armResourceOperations @added(Versions.v2025_10_02_preview) interface MeshMemberships { 
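Review bot: Both properties of `NetworkPolicies` carry the identical generic doc comment "Enum representing different network policy rules.", which is the union's description copied onto the fields and says nothing about direction or default; since `egress` defaults to `PolicyRule.AllowAll` while `ingress` defaults to `PolicyRule.AllowSameNamespace`, the defaults are a security-relevant part of the contract and should be visible in the generated reference. Suggest `Ingress policy applied to the namespace. The default is AllowSameNamespace.` on `ingress` and `Egress policy applied to the namespace. The default is AllowAll.` on `egress`. The doc on `NamespaceProperties.defaultNetworkPolicy` already explains the additive semantics, so nothing more is needed there.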
@@ -65,12 +80,82 @@ interface MeshMemberships {
 >;
 }
-@@maxLength(MeshMembership.name, 63);
-@@minLength(MeshMembership.name, 1);
-@@doc(MeshMembership.name, "The name of the mesh membership.");
-@@doc(MeshMembership.properties,
- "Mesh membership properties of a managed cluster."
-);
-@@doc(MeshMemberships.createOrUpdate::parameters.resource,
- "The mesh membership to create or update."
-);
+// =============================================================================
+// MeshMembership models
+// =============================================================================
+
+/**
+ * The provisioning state of the last accepted operation.
+ */
+@added(Versions.v2025_10_02_preview)
+union MeshMembershipProvisioningState {
+ string,
+
+ /**
+ * Resource creation was canceled.
+ */
+ Canceled: "Canceled",
+
+ /**
+ * The Mesh Membership is being created.
+ */
+ Creating: "Creating",
+
+ /**
+ * The Mesh Membership is being deleted.
+ */
+ Deleting: "Deleting",
+
+ /**
+ * Resource creation failed.
+ */
+ Failed: "Failed",
+
+ /**
+ * Resource has been created.
+ */
+ Succeeded: "Succeeded",
+
+ /**
+ * The Mesh Membership is being updated.
+ */
+ Updating: "Updating",
+}
+
+/**
+ * Mesh membership properties of a managed cluster.
+ */
+@added(Versions.v2025_10_02_preview)
+model MeshMembershipProperties {
+ /**
+ * The current provisioning state of the Mesh Membership.
+ */
+ @visibility(Lifecycle.Read)
+ provisioningState?: MeshMembershipProvisioningState;
+
+ /**
+ * The ARM resource id for the managed mesh member. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AppLink/applinks/{appLinkName}/appLinkMembers/{appLinkMemberName}'. Visit https://aka.ms/applink for more information.
+ */
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ managedMeshID: Azure.Core.armResourceIdentifier<[
+ {
+ type: "Microsoft.AppLink/applinks";
+ }
+ ]>;
+}
+
+/**
+ * The result of a request to list mesh memberships in a managed cluster.
+ */
+@added(Versions.v2025_10_02_preview)
+model MeshMembershipsListResult {
+ /**
+ * The list of mesh memberships.
+ */
+ @pageItems
+ value: MeshMembership[];
+
+ @doc("The URL to get the next set of mesh membership results.")
+ @nextLink
+ nextLink?: ResourceLocation;
+}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshRevisionProfile.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshRevisionProfile.tsp
index 4148884a9a13..0a206ff44c24 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshRevisionProfile.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshRevisionProfile.tsp
@@ -1,12 +1,17 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 using Azure.ResourceManager;
 using TypeSpec.Rest;
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// MeshRevisionProfile resource and operations
+// =============================================================================
+
 /**
 * Mesh revision profile for a mesh.
 */
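Review bot: The `#suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"` above `managedMeshID` ships the converter's placeholder as the justification, so the lint exception is documented by a TODO rather than a reason. The same placeholder text sits on the `#suppress` lines in the MeshRevisionProfile, MeshUpgradeProfile, SafeguardsAvailableVersion, Snapshot and TrustedAccessRoleBinding model hunks of this change. Each should state the real reason; for this one it is presumably something like `#suppress "@azure-tools/typespec-azure-core/casing-style" "managedMeshID is the existing wire name; renaming it would break the published API"`, and the provisioning-state suppressions would similarly name the read-only models that intentionally carry no provisioningState.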
@@ -20,6 +25,13 @@ model MeshRevisionProfile is ProxyResource {
 >;
 }
+@@maxLength(MeshRevisionProfile.name, 24);
+@@minLength(MeshRevisionProfile.name, 1);
+@@doc(MeshRevisionProfile.name, "The mode of the mesh.");
+@@doc(MeshRevisionProfile.properties,
+ "Mesh revision profile properties for a mesh"
+);
+
 @armResourceOperations(#{ omitTags: true })
 interface MeshRevisionProfiles {
 /**
@@ -44,9 +56,21 @@ interface MeshRevisionProfiles {
 >;
 }
-@@maxLength(MeshRevisionProfile.name, 24);
-@@minLength(MeshRevisionProfile.name, 1);
-@@doc(MeshRevisionProfile.name, "The mode of the mesh.");
-@@doc(MeshRevisionProfile.properties,
- "Mesh revision profile properties for a mesh"
-);
+// =============================================================================
+// MeshRevisionProfile models
+// =============================================================================
+
+/**
+ * Holds an array of MeshRevisionsProfiles
+ */
+model MeshRevisionProfileList is Azure.Core.Page;
+
+/**
+ * Mesh revision profile properties for a mesh
+ */
+#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+model MeshRevisionProfileProperties {
+ /** Available mesh revisions. */
+ @identifiers(#[])
+ meshRevisions?: MeshRevision[];
+}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshUpgradeProfile.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshUpgradeProfile.tsp
index 4d9c6ea1c3c4..9ba5a5cf6ccc 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshUpgradeProfile.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/MeshUpgradeProfile.tsp
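Review bot: The doc comment on `MeshRevisionProfileList` reads `Holds an array of MeshRevisionsProfiles`, but the element type is `MeshRevisionProfile`, so `Holds an array of MeshRevisionProfiles` is the intended wording. Doc comments become the generated description, so this only applies if descriptions may change in this conversion; if they must match the current swagger, leave it and fix it in a follow-up.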
@@ -1,7 +1,7 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 import "./ManagedCluster.tsp";
 using TypeSpec.Rest;
@@ -9,6 +9,11 @@ using Azure.ResourceManager;
 using TypeSpec.Http;
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// MeshUpgradeProfile resource and operations
+// =============================================================================
+
 /**
 * Upgrade profile for given mesh.
 */
@@ -23,6 +28,13 @@ model MeshUpgradeProfile
 >;
 }
+@@maxLength(MeshUpgradeProfile.name, 24);
+@@minLength(MeshUpgradeProfile.name, 1);
+@@doc(MeshUpgradeProfile.name, "The mode of the mesh.");
+@@doc(MeshUpgradeProfile.properties,
+ "Mesh upgrade profile properties for a major.minor release."
+);
+
 @armResourceOperations(#{ omitTags: true })
 interface MeshUpgradeProfiles {
 /**
@@ -41,9 +53,19 @@ interface MeshUpgradeProfiles {
 >;
 }
-@@maxLength(MeshUpgradeProfile.name, 24);
-@@minLength(MeshUpgradeProfile.name, 1);
-@@doc(MeshUpgradeProfile.name, "The mode of the mesh.");
-@@doc(MeshUpgradeProfile.properties,
- "Mesh upgrade profile properties for a major.minor release."
-);
+// =============================================================================
+// MeshUpgradeProfile models
+// =============================================================================
+
+/**
+ * Holds an array of MeshUpgradeProfiles
+ */
+model MeshUpgradeProfileList is Azure.Core.Page;
+
+/**
+ * Mesh upgrade profile properties for a major.minor release.
+ */
+#suppress "@azure-tools/typespec-azure-core/composition-over-inheritance" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+#suppress "@azure-tools/typespec-azure-resource-manager/no-empty-model" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+model MeshUpgradeProfileProperties extends MeshRevision {}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Operations.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Operations.tsp
new file mode 100644
index 000000000000..0d430b4ec09b
--- /dev/null
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Operations.tsp
@@ -0,0 +1,32 @@
+import "@azure-tools/typespec-azure-core";
+import "@typespec/rest";
+import "./CommonModels.tsp";
+import "@azure-tools/typespec-azure-resource-manager";
+
+using TypeSpec.Rest;
+using TypeSpec.Http;
+using Azure.ResourceManager;
+
+namespace Microsoft.ContainerService;
+
+// =============================================================================
+// Operations (provider-level, not location-scoped)
+// =============================================================================
+
+interface Operations {
+ /**
+ * Gets a list of operations.
+ */
+ @tag("ManagedClusters")
+ @autoRoute
+ @segment("operations")
+ @list
+ list(
+ ...CommonTypes.ApiVersionParameter,
+
+ @doc("Microsoft.ContainerService provider")
+ @path
+ @segment("providers")
+ provider: "Microsoft.ContainerService",
+ ): ArmResponse | ErrorResponse;
+}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/PrivateEndpointConnection.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/PrivateEndpointConnection.tsp
index 34816224e105..dff57e0c7dce 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/PrivateEndpointConnection.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/PrivateEndpointConnection.tsp
@@ -1,7 +1,7 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 import "./ManagedCluster.tsp";
 using TypeSpec.Rest;
@@ -9,6 +9,11 @@ using Azure.ResourceManager;
 using TypeSpec.Http;
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// PrivateEndpointConnection resource and operations
+// =============================================================================
+
 /**
 * A private endpoint connection
 */
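Review bot: `Operations.list` in the new Operations.tsp is hand-built from `@autoRoute`, `@segment("operations")` and a literal `provider: "Microsoft.ContainerService"` path parameter, while the resource-manager library already provides `Azure.ResourceManager.Operations` for exactly this provider-level route. `interface Operations extends Azure.ResourceManager.Operations {}` would replace the whole body unless the `@tag("ManagedClusters")` or the explicit parameter is needed to keep the emitted swagger identical; if that is the reason, a one-line comment above the interface saying so would save the next reader the question. Separately, `import "./CommonModels.tsp";` sits between two package imports here, whereas every other file in this change lists package imports first.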
@@ -23,6 +28,16 @@ model PrivateEndpointConnection
 >;
 }
+@@doc(PrivateEndpointConnection.name,
+ "The name of the private endpoint connection."
+);
+@@doc(PrivateEndpointConnection.properties,
+ "The properties of a private endpoint connection."
+);
+@@doc(PrivateEndpointConnections.update::parameters.resource,
+ "The updated private endpoint connection."
+);
+
 @armResourceOperations
 interface PrivateEndpointConnections {
 /**
@@ -76,12 +91,104 @@ interface PrivateEndpointConnectionsOps
 }
 > {}
-@@doc(PrivateEndpointConnection.name,
- "The name of the private endpoint connection."
-);
-@@doc(PrivateEndpointConnection.properties,
- "The properties of a private endpoint connection."
-);
-@@doc(PrivateEndpointConnections.update::parameters.resource,
- "The updated private endpoint connection."
-);
+// =============================================================================
+// PrivateEndpointConnection models
+// =============================================================================
+
+/**
+ * The current provisioning state.
+ */
+union PrivateEndpointConnectionProvisioningState {
+ string,
+
+ /** Private endpoint connection provisioning was canceled. */
+ Canceled: "Canceled",
+
+ /** Private endpoint connection is being created. */
+ Creating: "Creating",
+
+ /** Private endpoint connection is being deleted. */
+ Deleting: "Deleting",
+
+ /** Private endpoint connection provisioning failed. */
+ Failed: "Failed",
+
+ /** Private endpoint connection provisioning succeeded. */
+ Succeeded: "Succeeded",
+}
+
+/**
+ * The private link service connection status.
+ */
+union ConnectionStatus {
+ string,
+
+ /** Connection is pending approval. */
+ Pending: "Pending",
+
+ /** Connection is approved. */
+ Approved: "Approved",
+
+ /** Connection is rejected. */
+ Rejected: "Rejected",
+
+ /** Connection is disconnected. */
+ Disconnected: "Disconnected",
+}
+
+/**
+ * Properties of a private endpoint connection.
+ */
+model PrivateEndpointConnectionProperties {
+ /**
+ * The current provisioning state.
+ */
+ @visibility(Lifecycle.Read)
+ provisioningState?: PrivateEndpointConnectionProvisioningState;
+
+ /**
+ * The resource of private endpoint.
+ */
+ privateEndpoint?: PrivateEndpoint;
+
+ /**
+ * A collection of information about the state of the connection between service consumer and provider.
+ */
+ privateLinkServiceConnectionState: PrivateLinkServiceConnectionState;
+}
+
+/**
+ * Private endpoint which a connection belongs to.
+ */
+model PrivateEndpoint {
+ /**
+ * The resource ID of the private endpoint
+ */
+ id?: string;
+}
+
+/**
+ * A list of private endpoint connections
+ */
+model PrivateEndpointConnectionListResult {
+ /**
+ * The collection value.
+ */
+ @pageItems
+ value?: PrivateEndpointConnection[];
+}
+
+/**
+ * The state of a private link service connection.
+ */
+model PrivateLinkServiceConnectionState {
+ /**
+ * The private link service connection status.
+ */
+ status?: ConnectionStatus;
+
+ /**
+ * The private link service connection description.
+ */
+ description?: string;
+}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/SafeguardsAvailableVersion.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/SafeguardsAvailableVersion.tsp
index 1c09db49ee34..f5eb92aa6bbf 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/SafeguardsAvailableVersion.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/SafeguardsAvailableVersion.tsp
@@ -1,7 +1,7 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 using TypeSpec.Rest;
 using Azure.ResourceManager;
@@ -9,6 +9,11 @@ using TypeSpec.Http;
 using Versioning;
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// SafeguardsAvailableVersion resource and operations
+// =============================================================================
+
 /**
 * Available Safeguards Version
 */
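Review bot: `PrivateEndpointConnectionListResult.value` is optional and the model carries no `@nextLink`, whereas `MeshMembershipsListResult` in the same change declares `value: MeshMembership[];` required with a `nextLink`. If the service always returns the array, `value: PrivateEndpointConnection[];` is the accurate contract; if the optional field is kept deliberately to match the existing swagger, a short comment on the model saying so would stop it being "fixed" later. `PrivateEndpoint.id` is likewise a bare `string` where `TrustedAccessRoleBindingProperties.sourceResourceId` uses `Azure.Core.armResourceIdentifier`, and the same question applies.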
@@ -27,6 +32,13 @@ model SafeguardsAvailableVersion
 >;
 }
+@@maxLength(SafeguardsAvailableVersion.name, 24);
+@@minLength(SafeguardsAvailableVersion.name, 1);
+@@doc(SafeguardsAvailableVersion.name, "Safeguards version");
+@@doc(SafeguardsAvailableVersion.properties,
+ "Whether the version is default or not and support info."
+);
+
 @armResourceOperations
 @added(Versions.v2025_10_02_preview)
 interface SafeguardsAvailableVersions {
@@ -50,9 +62,48 @@ interface SafeguardsAvailableVersions {
 >;
 }
-@@maxLength(SafeguardsAvailableVersion.name, 24);
-@@minLength(SafeguardsAvailableVersion.name, 1);
-@@doc(SafeguardsAvailableVersion.name, "Safeguards version");
-@@doc(SafeguardsAvailableVersion.properties,
- "Whether the version is default or not and support info."
-);
+// =============================================================================
+// SafeguardsAvailableVersion models
+// =============================================================================
+
+/**
+ * Whether the version is preview or stable.
+ */
+@added(Versions.v2025_10_02_preview)
+union SafeguardsSupport {
+ string,
+
+ /**
+ * The version is preview. It is not recommended to use preview versions on critical production clusters. The preview version may not support all use-cases.
+ */
+ Preview: "Preview",
+
+ /**
+ * The version is stable and can be used on critical production clusters.
+ */
+ Stable: "Stable",
+}
+
+/**
+ * Whether the version is default or not and support info.
+ */
+#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+@added(Versions.v2025_10_02_preview)
+model SafeguardsAvailableVersionsProperties {
+ /** Whether this is the default version. */
+ @visibility(Lifecycle.Read)
+ isDefaultVersion?: boolean;
+
+ /**
+ * Whether the version is preview or stable.
+ */
+ @visibility(Lifecycle.Read)
+ support?: SafeguardsSupport;
+}
+
+/**
+ * Hold values properties, which is array of SafeguardsVersions
+ */
+@added(Versions.v2025_10_02_preview)
+model SafeguardsAvailableVersionsList
+ is Azure.Core.Page;
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Snapshot.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Snapshot.tsp
index 18e749fad2c0..95e9b9dff39b 100644
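Review bot: The doc comment on `SafeguardsAvailableVersionsList`, `Hold values properties, which is array of SafeguardsVersions`, is ungrammatical and names a type (`SafeguardsVersions`) that does not appear in this file; `A list of available Safeguards versions.` says the same thing and matches the resource it pages. Doc comments become the generated description, so apply this only if descriptions may change in this conversion; if they must stay identical to the current swagger, leave it for a follow-up.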
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Snapshot.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/Snapshot.tsp
@@ -1,13 +1,18 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 using TypeSpec.Rest;
 using Azure.ResourceManager;
 using TypeSpec.Http;
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// Snapshot resource and operations
+// =============================================================================
+
 /**
 * A node pool snapshot resource.
 */
@@ -20,6 +25,17 @@ model Snapshot is Azure.ResourceManager.TrackedResource {
 >;
 }
+@@maxLength(Snapshot.name, 63);
+@@minLength(Snapshot.name, 1);
+@@doc(Snapshot.name, "The name of the managed cluster resource.");
+@@doc(Snapshot.properties, "Properties of a snapshot.");
+@@doc(Snapshots.createOrUpdate::parameters.resource,
+ "The snapshot to create or update."
+);
+@@doc(Snapshots.updateTags::parameters.properties,
+ "Parameters supplied to the Update snapshot Tags operation."
+);
+
 @armResourceOperations
 interface Snapshots {
 /**
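Review bot: `@@doc(Snapshot.name, "The name of the managed cluster resource.");` describes the snapshot's name parameter as a managed cluster name; the wording is moved rather than new, but on the new side this is now the only place it lives, so it is worth fixing here as `@@doc(Snapshot.name, "The name of the snapshot resource.");`. Because the doc text feeds the generated description, do this only if descriptions may change in this conversion; otherwise a `// TODO: wording inherited from the old spec, fix when descriptions may change` comment above the line keeps the problem visible.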
@@ -54,13 +70,59 @@ interface Snapshots {
 list is ArmListBySubscription;
 }
-@@maxLength(Snapshot.name, 63);
-@@minLength(Snapshot.name, 1);
-@@doc(Snapshot.name, "The name of the managed cluster resource.");
-@@doc(Snapshot.properties, "Properties of a snapshot.");
-@@doc(Snapshots.createOrUpdate::parameters.resource,
- "The snapshot to create or update."
-);
-@@doc(Snapshots.updateTags::parameters.properties,
- "Parameters supplied to the Update snapshot Tags operation."
-);
+// =============================================================================
+// Snapshot models
+// =============================================================================
+
+/**
+ * Properties used to configure a node pool snapshot.
+ */
+#suppress "@azure-tools/typespec-azure-resource-manager/arm-resource-provisioning-state" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+model SnapshotProperties {
+ /**
+ * CreationData to be used to specify the source agent pool resource ID to create this snapshot.
+ */
+ creationData?: CreationData;
+
+ /**
+ * The type of a snapshot. The default is NodePool.
+ */
+ snapshotType?: SnapshotType = SnapshotType.NodePool;
+
+ /**
+ * The version of Kubernetes.
+ */
+ @visibility(Lifecycle.Read)
+ kubernetesVersion?: string;
+
+ /**
+ * The version of node image.
+ */
+ @visibility(Lifecycle.Read)
+ nodeImageVersion?: string;
+
+ /**
+ * The operating system type. The default is Linux.
+ */
+ @visibility(Lifecycle.Read)
+ osType?: OSType = OSType.Linux;
+
+ /**
+ * Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows.
+ */
+ @visibility(Lifecycle.Read)
+ osSku?: OSSKU;
+
+ /**
+ * The size of the VM.
+ */
+ @visibility(Lifecycle.Read)
+ vmSize?: string;
+
+ /**
+ * Whether to use a FIPS-enabled OS.
+ */
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ @visibility(Lifecycle.Read)
+ enableFIPS?: boolean;
+}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/TrustedAccessRoleBinding.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/TrustedAccessRoleBinding.tsp
index f1c23a4d572c..7495ad8ffe63 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/TrustedAccessRoleBinding.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/TrustedAccessRoleBinding.tsp
@@ -1,7 +1,7 @@
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
 import "@typespec/rest";
-import "./models.tsp";
+import "./CommonModels.tsp";
 import "./ManagedCluster.tsp";
 using TypeSpec.Rest;
@@ -9,6 +9,11 @@ using Azure.ResourceManager;
 using TypeSpec.Http;
 namespace Microsoft.ContainerService;
+
+// =============================================================================
+// TrustedAccessRoleBinding resource and operations
+// =============================================================================
+
 /**
 * Defines binding between a resource and role
 */
@@ -26,6 +31,18 @@ model TrustedAccessRoleBinding
 >;
 }
+@@maxLength(TrustedAccessRoleBinding.name, 24);
+@@minLength(TrustedAccessRoleBinding.name, 1);
+@@doc(TrustedAccessRoleBinding.name,
+ "The name of trusted access role binding."
+);
+@@doc(TrustedAccessRoleBinding.properties,
+ "Properties for trusted access role binding"
+);
+@@doc(TrustedAccessRoleBindings.createOrUpdate::parameters.resource,
+ "A trusted access role binding"
+);
+
 @armResourceOperations(#{ omitTags: true })
 interface TrustedAccessRoleBindings {
 /**
@@ -57,14 +74,114 @@ interface TrustedAccessRoleBindings {
 list is ArmResourceListByParent;
 }
-@@maxLength(TrustedAccessRoleBinding.name, 24);
-@@minLength(TrustedAccessRoleBinding.name, 1);
-@@doc(TrustedAccessRoleBinding.name,
- "The name of trusted access role binding."
-);
-@@doc(TrustedAccessRoleBinding.properties,
- "Properties for trusted access role binding"
-);
-@@doc(TrustedAccessRoleBindings.createOrUpdate::parameters.resource,
- "A trusted access role binding"
-);
+// =============================================================================
+// TrustedAccessRoleBinding models
+// =============================================================================
+
+/**
+ * The current provisioning state of trusted access role binding.
+ */
+union TrustedAccessRoleBindingProvisioningState {
+ string,
+
+ /** Trusted access role binding provisioning was canceled. */
+ Canceled: "Canceled",
+
+ /** Trusted access role binding is being deleted. */
+ Deleting: "Deleting",
+
+ /** Trusted access role binding provisioning failed. */
+ Failed: "Failed",
+
+ /** Trusted access role binding provisioning succeeded. */
+ Succeeded: "Succeeded",
+
+ /** Trusted access role binding is being updated. */
+ Updating: "Updating",
+}
+
+/**
+ * Properties for trusted access role binding
+ */
+model TrustedAccessRoleBindingProperties {
+ /**
+ * The current provisioning state of trusted access role binding.
+ */
+ @visibility(Lifecycle.Read)
+ provisioningState?: TrustedAccessRoleBindingProvisioningState;
+
+ /**
+ * The ARM resource ID of source resource that trusted access is configured for.
+ */
+ sourceResourceId: Azure.Core.armResourceIdentifier;
+
+ /**
+ * A list of roles to bind, each item is a resource type qualified role name. For example: 'Microsoft.MachineLearningServices/workspaces/reader'.
+ */
+ roles: string[];
+}
+
+/**
+ * List of trusted access roles
+ */
+model TrustedAccessRoleListResult is Azure.Core.Page;
+
+/**
+ * Trusted access role definition.
+ */
+model TrustedAccessRole {
+ /**
+ * Resource type of Azure resource
+ */
+ @visibility(Lifecycle.Read)
+ sourceResourceType?: string;
+
+ /**
+ * Name of role, name is unique under a source resource type
+ */
+ @visibility(Lifecycle.Read)
+ name?: string;
+
+ /**
+ * List of rules for the role. This maps to 'rules' property of [Kubernetes Cluster Role](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole).
+ */
+ @visibility(Lifecycle.Read)
+ @identifiers(#[])
+ rules?: TrustedAccessRoleRule[];
+}
+
+/**
+ * Rule for trusted access role
+ */
+model TrustedAccessRoleRule {
+ /**
+ * List of allowed verbs
+ */
+ @visibility(Lifecycle.Read)
+ verbs?: string[];
+
+ /**
+ * List of allowed apiGroups
+ */
+ @visibility(Lifecycle.Read)
+ apiGroups?: string[];
+
+ /**
+ * List of allowed resources
+ */
+ @visibility(Lifecycle.Read)
+ resources?: string[];
+
+ /**
+ * List of allowed names
+ */
+ @visibility(Lifecycle.Read)
+ resourceNames?: string[];
+
+ /**
+ * List of allowed nonResourceURLs
+ */
+ #suppress "@azure-tools/typespec-azure-core/casing-style" "FIXME: Update justification, follow aka.ms/tsp/conversion-fix for details"
+ @visibility(Lifecycle.Read)
+ nonResourceURLs?: string[];
+}
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/main.tsp b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/main.tsp
index 7f3b071c4f8e..49acfbf2fa53 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/main.tsp
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/main.tsp
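Review bot: `roles: string[]` on `TrustedAccessRoleBindingProperties` is unconstrained, so the spec accepts an empty list and says nothing about what binding a role grants, even though `TrustedAccessRole.rules` later in the hunk states that each role's rules map to Kubernetes ClusterRole rules. A comment above the property would make the access implication visible to readers of the spec, e.g. `// Each entry names a TrustedAccessRole whose rules are applied as ClusterRole rules on behalf of sourceResourceId; keep the list to the roles the source resource actually needs.`. `@minItems(1)` on `roles` would reject empty bindings at the contract level, but it changes the published schema, so add it only if the service already rejects them; the `#suppress` on `nonResourceURLs` still carries the converter's placeholder justification.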
@@ -11,8 +11,8 @@ import "@typespec/rest";
 import "@typespec/versioning";
 import "@azure-tools/typespec-azure-core";
 import "@azure-tools/typespec-azure-resource-manager";
-import "./models.tsp";
-import "./back-compatible.tsp";
+import "./CommonModels.tsp";
+import "./BackCompatible.tsp";
 import "./ManagedClusterUpgradeProfile.tsp";
 import "./ManagedCluster.tsp";
 import "./GuardrailsAvailableVersion.tsp";
@@ -32,7 +32,8 @@ import "./LoadBalancer.tsp";
 import "./IdentityBinding.tsp";
 import "./JWTAuthenticator.tsp";
 import "./MeshMembership.tsp";
-import "./routes.tsp";
+import "./Operations.tsp";
+import "./LocationRoutes.tsp";
 using Azure.ResourceManager;
 using TypeSpec.Versioning;