Skip to article
Containers Azure Kubernetes Service

AKS add-on

An AKS add-on is a Microsoft-supported capability that can be enabled on an Azure Kubernetes Service cluster to add functionality such as monitoring, policy, ingress, or security integration, with installation and lifecycle managed through AKS.

Source: Microsoft Learn - Add-ons, extensions, and other integrations with Azure Kubernetes Service Reviewed 2026-05-09

Exam trap
Enabling add-ons in production without checking permissions and resource impact.
Production check
Which add-ons are enabled, and which team owns each one?
Article details and learning context
Aliases
AKS addon, Azure Kubernetes Service add-on, managed AKS integration, AKS integration
Difficulty
fundamentals
CLI mappings
3
Last verified
2026-05-09

Understand the concept

In plain English

An AKS add-on is an optional capability that plugs into an AKS cluster without forcing the team to hand-build every supporting component. Add-ons can provide monitoring, policy, ingress, service mesh, GitOps, or other platform integrations depending on current AKS support. The practical value is managed lifecycle. Azure helps install and update the add-on, while operators still decide whether it belongs in the cluster, what configuration it needs, and how it affects workloads, identity, networking, and cost.

Why it matters

AKS add-ons matter because platform teams often need production capabilities faster than they can safely engineer and maintain them from scratch. A supported add-on can standardize monitoring, policy enforcement, ingress behavior, or governance across many clusters. The tradeoff is that add-ons are not decoration. They can consume resources, require permissions, change admission behavior, create dependencies, or affect upgrades. A strong AKS operating model treats add-ons as platform components with owners, configuration baselines, validation commands, and rollback plans rather than as checkboxes enabled during cluster creation and forgotten afterward. Practically, AKS add-on becomes safer when teams save enabled add-on name, managed identity, created resources, version, and upgrade notes, because reviewers can compare the intended design with the running state.

Technical context

Technically, an AKS add-on sits between the Azure control plane and in-cluster Kubernetes resources. It may create pods, deployments, managed identities, roles, configuration objects, or Azure resource links inside the cluster. Add-ons are enabled, disabled, inspected, or updated through AKS management operations and Azure CLI commands such as az aks addon. Some capabilities are implemented as cluster extensions instead of classic add-ons, so operators must confirm the current integration model before automating deployment or assuming upgrade behavior.

Exam context

Compare with

Where it is used

Where you see it

  1. az aks enable-addons commands, the AKS portal add-ons view, cluster configuration, and managed pods or extensions deployed into system namespaces
  2. Azure portal, CLI output, IaC templates, monitoring dashboards, and incident runbooks

Common situations

  • enable cluster monitoring or policy integration
  • standardize ingress or service mesh capabilities
  • attach governance features across many clusters
  • reduce custom platform maintenance
  • validate cluster add-on state during audits

Illustrative Azure scenarios

These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.

Scenario 01 AKS add-on in action Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Beacon Retail Group, a national specialty retailer, ran separate monitoring setups across store-services clusters and could not prove which clusters were production ready. The platform team standardized supported AKS add-ons across its fleet.

Goals
  • inventory add-ons for 18 clusters
  • standardize monitoring and policy capabilities
  • reduce cluster onboarding time by 35 percent
  • capture evidence for quarterly platform review
Approach using AKS add-on

on

The team built an AKS add-on baseline that defined which capabilities were required for production and which were optional. Azure CLI scripts listed enabled add-ons, compared them with the baseline, and generated deployment evidence. For clusters missing required functionality, engineers enabled the supported add-ons through approved change windows and then used kubectl to confirm in-cluster pods, events, and namespaces were healthy. The platform runbook documented owner, purpose, validation command, and rollback impact for each add-on so store-service teams could request exceptions without weakening the standard.

Potential outcomes
  • Cluster onboarding time dropped from 12 days to 7 days.
  • The platform review identified five clusters with missing monitoring before they became incident risks.
  • Support tickets about inconsistent telemetry fell 31 percent.
  • Every production cluster had owner and validation evidence for required add-ons.
What to learn

AKS add-ons help platform teams deliver supported cluster capabilities consistently, but only when ownership and validation are treated as part of the design.

Scenario 02 AKS add-on in action Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Verdant Labs, a life-sciences research company, needed a faster way to prepare AKS clusters for regulated analytics workloads without hand-installing every cluster component. The cloud team used AKS add-ons as part of the approved cluster template.

Goals
  • prepare research clusters in under 4 hours
  • enable required governance integrations
  • avoid unsupported hand-built components
  • produce repeatable deployment evidence
Approach using AKS add-on

on

The solution defined an AKS cluster template with approved add-ons for monitoring and policy-related capabilities, while separating experimental extensions into a review queue. During provisioning, Azure CLI enabled the supported add-ons and recorded configuration state in the release artifact. Engineers then verified Kubernetes resources created by each add-on, checked events for failed rollouts, and documented any resource overhead. Because add-ons were tracked as cluster components, research teams could not bypass the approval path by installing ad hoc tools into production namespaces. The release note also captured enabled add-on name, managed identity, created resources, version, and upgrade notes, the accountable owner, rollback trigger, and verification command so future reviews could reuse the same operating pattern.

Potential outcomes
  • Cluster preparation time improved from two days to three hours.
  • Audit evidence collection for cluster readiness fell by 60 percent.
  • No production cluster used an unapproved monitoring component during the first two quarters.
  • Node resource reservations were adjusted after add-on overhead was measured.
What to learn

An AKS add-on is most useful when it becomes a governed platform capability, not a forgotten option selected during cluster creation.

Scenario 03 AKS add-on in action Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Mariner Claims Network, an insurance technology provider, was modernizing claims APIs and needed predictable platform features across blue-green AKS environments. The team used AKS add-ons to keep both environments aligned.

Goals
  • keep blue and green clusters functionally equivalent
  • validate add-on health before traffic shift
  • reduce release-preparation defects by 25 percent
  • document add-on impact on node capacity
Approach using AKS add-on

on

The platform group created an add-on comparison step in the blue-green release checklist. Before traffic moved, Azure CLI listed add-on state for both clusters, and kubectl verified the corresponding in-cluster workloads. Differences were flagged as release blockers unless an exception was approved. The team also captured node utilization before and after add-on changes to ensure required platform components did not starve claims workloads. For each add-on, the runbook documented whether failure would affect telemetry, policy enforcement, ingress, or only reporting. The release note also captured enabled add-on name, managed identity, created resources, version, and upgrade notes, the accountable owner, rollback trigger, and verification command so future reviews could reuse the same operating pattern.

Potential outcomes
  • Release-preparation defects fell 38 percent after add-on drift checks were added.
  • Two traffic shifts were stopped because the green cluster lacked required telemetry.
  • Average change-review time dropped by 45 minutes because evidence was scripted.
  • Capacity planning avoided one unnecessary node pool expansion.
What to learn

AKS add-ons provide durable value when teams compare, monitor, and govern them across every cluster lifecycle stage.

Azure CLI

Azure CLI is useful for AKS add-ons because add-ons are cluster-level configuration, and command output gives repeatable evidence of which capabilities are enabled. CLI checks also pair well with kubectl inspection, letting operators compare Azure management state with the in-cluster resources actually running.

Useful for

  • List enabled add-ons for a cluster before approving a production change.
  • Enable, disable, or update supported add-ons through repeatable deployment scripts.
  • Show add-on configuration and capture evidence for security or platform reviews.
  • Compare Azure add-on state with Kubernetes pods, namespaces, and events after an upgrade.

Before you run a command

  • Confirm the cluster, resource group, subscription, and Kubernetes context match the intended environment.
  • Check whether the capability is a classic AKS add-on or a cluster extension.
  • Review permissions, identities, namespaces, and Azure resources the add-on may create.
  • Understand whether disabling the add-on would affect admission, routing, telemetry, or compliance.

What the output tells you

  • Enabled add-ons show which managed capabilities AKS believes are configured for the cluster.
  • Add-on properties reveal identities, configuration values, and integration state where exposed.
  • Missing add-ons explain why expected telemetry, policy, or ingress behavior is absent.
  • Differences between Azure CLI and kubectl output indicate drift, failed rollout, or unhealthy in-cluster components.

Mapped commands

Inspect and operate AKS add-on

diagnostic
az aks show --name <cluster> --resource-group <resource-group> --query addonProfiles
az aksdiscoverContainers
az aks enable-addons --name <cluster> --resource-group <resource-group> --addons monitoring
az aksremoveContainers
az aks disable-addons --name <cluster> --resource-group <resource-group> --addons monitoring
az aksremoveContainers

Architecture context

Technically, an AKS add-on sits between the Azure control plane and in-cluster Kubernetes resources. It may create pods, deployments, managed identities, roles, configuration objects, or Azure resource links inside the cluster. Add-ons are enabled, disabled, inspected, or updated through AKS management operations and Azure CLI commands such as az aks addon. Some capabilities are implemented as cluster extensions instead of classic add-ons, so operators must confirm the current integration model before automating deployment or assuming upgrade behavior.

Security
Security for AKS add-ons depends on what the add-on is allowed to do inside the cluster and in Azure. Some add-ons need managed identities, Kubernetes RBAC, admission hooks, access to logs, or network permissions. Before enabling one, teams should review the required roles, namespace placement, secrets, and data collected by the component. Add-ons should be included in cluster security reviews, not treated as harmless extras. Operators also need to watch for drift, unsupported versions, and broad permissions that may let an add-on affect workloads outside its intended boundary. The evidence to retain is enabled add-on name, managed identity, created resources, version, and upgrade notes, because those details show who can change the boundary and whether exposure matches policy.
Cost
Cost impact is usually indirect, but it can still be material. Add-ons may deploy pods that consume CPU and memory, increase log ingestion, require managed identities, attach Azure resources, or cause workloads to scale differently. A monitoring add-on can raise Azure Monitor costs through high-volume telemetry, while ingress or mesh integrations may add supporting infrastructure. FinOps review should include add-on purpose, resource requests, log volume, and whether the capability is duplicated by another tool. Unused add-ons should be removed cleanly rather than left running because nobody remembers why they were enabled. A FinOps review should connect enabled add-on name, managed identity, created resources, version, and upgrade notes to owner, environment, expected utilization, and review date so spend stays explainable.
Reliability
Reliability impact depends on the function of the add-on. Monitoring and policy add-ons can improve reliability by detecting failures or preventing bad deployments, while ingress or service mesh add-ons may sit directly in request paths. If an add-on fails, upgrades poorly, or consumes unexpected node resources, application availability can suffer. Reliable AKS operations include checking add-on status after cluster upgrades, validating pods and events in the add-on namespace, and documenting what happens if the add-on is disabled. Production clusters should test add-on changes in lower environments first. During incidents, enabled add-on name, managed identity, created resources, version, and upgrade notes helps responders decide whether the issue is workload behavior, platform capacity, or a misconfigured release.
Performance
Performance considerations depend on whether the add-on is passive, control-plane oriented, or in the application traffic path. Observability and policy add-ons usually affect performance through resource consumption, admission latency, or telemetry overhead. Ingress and mesh add-ons may directly influence request latency, routing, retries, and throughput. Operators should measure node pressure, pod startup behavior, admission delays, and request latency before and after enabling an add-on. The safe habit is to treat add-ons like production software: benchmark the important path, monitor health, and document expected performance signals. Teams should compare performance before and after changing AKS add-on, using enabled add-on name, managed identity, created resources, version, and upgrade notes to separate real bottlenecks from configuration assumptions.
Operations
Operationally, AKS add-ons should be handled through an add-on inventory and standard runbook. Operators need to know which add-ons are enabled, why they are needed, which team owns them, how they are configured, and how their health is checked. Azure CLI can list and show add-on status, while kubectl can inspect the pods, events, and configuration objects created in the cluster. Change records should capture before-and-after add-on state, because a small add-on toggle can affect policy enforcement, telemetry, ingress, or workload scheduling across the cluster. The runbook should capture enabled add-on name, managed identity, created resources, version, and upgrade notes, assign an owner, and define when to roll back, escalate, or accept a documented exception.

Common mistakes

  • Enabling add-ons in production without checking permissions and resource impact.
  • Assuming every AKS integration is managed as a classic add-on instead of a cluster extension.
  • Forgetting to validate add-on health after Kubernetes version upgrades.
  • Leaving unused add-ons running because their purpose was never documented.