AKS — Azure Kubernetes Service
Use az aks get-credentials to connect, az aks nodepool to manage node pools, and AKS Workload Identity (replacing legacy Pod Identity) to grant pods Azure RBAC permissions without secrets. Run az account show to confirm active subscription.
Cluster Basics
Daily AKS commands for connecting to a cluster, checking its status, and managing add-ons. AKS manages the control plane — you only see and pay for worker nodes.
RG=my-resource-group
CLUSTER=my-aks-cluster
# Connect (merges into ~/.kube/config)
az aks get-credentials --resource-group $RG --name $CLUSTER
az aks get-credentials --resource-group $RG --name $CLUSTER --admin # admin creds (local cluster-admin certificate; bypasses Entra ID / Azure RBAC)
# Cluster info
az aks show --resource-group $RG --name $CLUSTER \
--query '{version:kubernetesVersion,provisioningState:provisioningState,fqdn:fqdn}'
az aks get-upgrades --resource-group $RG --name $CLUSTER
# List add-ons
az aks addon list --resource-group $RG --name $CLUSTER
# Node pools
az aks nodepool list --resource-group $RG --cluster-name $CLUSTER \
--query '[].{name:name,mode:mode,count:count,vmSize:vmSize,k8sVersion:orchestratorVersion}'
# Scale node pool
az aks nodepool scale \
--resource-group $RG \
--cluster-name $CLUSTER \
--name nodepool1 \
--node-count 5
# Check active subscription
az account show --query '{name:name,id:id}'
Workload Identity
AKS Workload Identity is the modern replacement for Pod Identity — a Kubernetes ServiceAccount is federated with a managed identity, and the Azure SDK automatically exchanges the pod's projected ServiceAccount token for an Azure credential.
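Once the six steps that follow are done and a pod has been admitted with the projected token mounted, the quickest way to diagnose a failed token exchange is to read that token's claims and compare them with what the federated credential was created with (subject system:serviceaccount:NAMESPACE:SA_NAME, audience api://AzureADTokenExchange). The script below is an added example, not part of the original cheat sheet or of any Azure tooling; it assumes the default mount path /var/run/secrets/azure/tokens/azure-identity-token (exported by the webhook as AZURE_FEDERATED_TOKEN_FILE), and the function names check_projected_token and make_sample_token, the OIDC issuer placeholder and the sample token are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): inspect a pod's projected
# Workload Identity token and confirm its claims match the federated credential.
# Only the claims are inspected; Entra ID verifies the signature at exchange time.

# base64url helpers (portable: no jq, no openssl, no GNU-only flags)
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | sed 's/+/-/g; s/\//_/g'
}
b64url_decode() {
  s=$(printf '%s' "$1" | sed 's/-/+/g; s/_/\//g')
  case $(( ${#s} % 4 )) in   # restore the padding base64url strips
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# check_projected_token TOKEN NAMESPACE SERVICEACCOUNT
# Returns 0 when sub, aud and exp are what the federated credential expects.
check_projected_token() {
  token="$1"; ns="$2"; sa="$3"
  want_sub="system:serviceaccount:${ns}:${sa}"      # matches --subject in step 5
  want_aud="api://AzureADTokenExchange"              # matches --audience in step 5
  payload=$(b64url_decode "$(printf '%s' "$token" | cut -d. -f2)")
  sub=$(printf '%s' "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  aud=$(printf '%s' "$payload" | sed -n 's/.*"aud":\[\([^]]*\)].*/\1/p')   # aud is a JSON array
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
  now=$(date +%s)
  if [ "$sub" != "$want_sub" ]; then
    echo "sub mismatch: token has '$sub', federated credential expects '$want_sub'" >&2
    return 1
  fi
  case "$aud" in
    *"\"$want_aud\""*) ;;
    *) echo "aud mismatch: token has [$aud], expected \"$want_aud\"" >&2; return 1 ;;
  esac
  if [ -z "$exp" ] || [ "$exp" -le "$now" ]; then
    echo "token expired or has no exp claim (exp=$exp now=$now)" >&2
    return 1
  fi
  echo "ok: $sub can be exchanged for the federated managed identity"
  return 0
}

# make_sample_token NAMESPACE SERVICEACCOUNT [EXP]
# Constructed, unsigned sample shaped like a Kubernetes projected token;
# the issuer and signature segment are placeholders, not real values.
make_sample_token() {
  exp="${3:-4102444800}"   # 2100-01-01 unless overridden
  header='{"alg":"RS256","kid":"constructed-kid","typ":"JWT"}'
  payload="{\"aud\":[\"api://AzureADTokenExchange\"],\"exp\":${exp},\"iat\":1700000000,\"iss\":\"https://OIDC-ISSUER-PLACEHOLDER/\",\"sub\":\"system:serviceaccount:$1:$2\"}"
  printf '%s.%s.%s' "$(b64url_encode "$header")" "$(b64url_encode "$payload")" \
    "$(b64url_encode 'constructed-signature')"
}

# Stand-alone run: use the mounted token inside a pod, otherwise the sample.
main() {
  tok=$(cat "${AZURE_FEDERATED_TOKEN_FILE:-/dev/null}" 2>/dev/null)
  [ -n "$tok" ] || tok=$(make_sample_token my-namespace my-service-account)
  check_projected_token "$tok" "${NAMESPACE:-my-namespace}" "${SA_NAME:-my-service-account}"
}
main
```

Run it inside the pod with NAMESPACE and SA_NAME set to the values used in step 5. A sub mismatch means the federated credential's --subject was created for a different namespace or ServiceAccount than the one the pod actually runs as; an aud mismatch means the token was projected with an audience other than api://AzureADTokenExchange, so Entra ID will refuse the exchange.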
SUBSCRIPTION=$(az account show --query id -o tsv)
RG=my-resource-group
CLUSTER=my-aks-cluster
IDENTITY_NAME=my-app-identity
NAMESPACE=my-namespace
SA_NAME=my-service-account
# 1. Enable OIDC issuer and Workload Identity on cluster
az aks update --resource-group $RG --name $CLUSTER \
--enable-oidc-issuer --enable-workload-identity
# 2. Get OIDC issuer URL
OIDC_URL=$(az aks show --resource-group $RG --name $CLUSTER \
--query "oidcIssuerProfile.issuerUrl" -o tsv)
# 3. Create managed identity
az identity create --name $IDENTITY_NAME --resource-group $RG
CLIENT_ID=$(az identity show --name $IDENTITY_NAME --resource-group $RG --query clientId -o tsv)
# 4. Assign Azure RBAC to the managed identity (e.g. Storage Blob Data Reader, scoped to the resource group)
az role assignment create \
--assignee $CLIENT_ID \
--role "Storage Blob Data Reader" \
--scope /subscriptions/$SUBSCRIPTION/resourceGroups/$RG
# 5. Federate the K8s SA with the managed identity
az identity federated-credential create \
--name federated-sa \
--identity-name $IDENTITY_NAME \
--resource-group $RG \
--issuer $OIDC_URL \
--subject "system:serviceaccount:$NAMESPACE:$SA_NAME" \
--audience api://AzureADTokenExchange
# 6. Annotate the Kubernetes ServiceAccount
kubectl annotate sa $SA_NAME -n $NAMESPACE \
azure.workload.identity/client-id=$CLIENT_ID
ACR — Azure Container Registry
Attach ACR to AKS with a single command to avoid pull secret management — AKS uses the cluster's managed identity to pull images automatically.
ACR_NAME=myacr
RG=my-resource-group
CLUSTER=my-aks-cluster
# Create ACR
az acr create --resource-group $RG --name $ACR_NAME --sku Basic
# Attach ACR to AKS (grants AcrPull role to kubelet identity)
az aks update --resource-group $RG --name $CLUSTER --attach-acr $ACR_NAME
# Authenticate docker to ACR
az acr login --name $ACR_NAME
# Build and push via ACR Tasks (no local docker needed)
az acr build --registry $ACR_NAME --image myapp:v1.2.3 .
# List images
az acr repository list --name $ACR_NAME
az acr repository show-tags --name $ACR_NAME --repository myapp
# Import image from Docker Hub to ACR
az acr import --name $ACR_NAME \
--source docker.io/library/nginx:1.25 \
--image nginx:1.25
Node Pool Operations
Use multiple node pools to isolate workloads by resource profile — e.g., a system pool for cluster add-ons and a GPU pool for ML workloads. Use spot instances for cost-sensitive workloads with --priority Spot.
RG=my-resource-group
CLUSTER=my-aks-cluster
# Add a new user node pool
az aks nodepool add \
--resource-group $RG \
--cluster-name $CLUSTER \
--name highcpu \
--node-count 2 \
--node-vm-size Standard_F8s_v2 \
--mode User \
--labels workload=highcpu \
--node-taints highcpu=true:NoSchedule
# Add a spot node pool (lower cost, evictable on capacity; --spot-max-price -1 caps the bid at the on-demand price)
az aks nodepool add \
--resource-group $RG \
--cluster-name $CLUSTER \
--name spotpool \
--priority Spot \
--eviction-policy Delete \
--spot-max-price -1 \
--node-count 3
# Enable cluster autoscaler on a node pool
az aks nodepool update \
--resource-group $RG \
--cluster-name $CLUSTER \
--name nodepool1 \
--enable-cluster-autoscaler \
--min-count 2 \
--max-count 10
# Delete a node pool
az aks nodepool delete \
--resource-group $RG \
--cluster-name $CLUSTER \
--name highcpu