In this article, you learn about the managed system node pools (preview) feature for Azure Kubernetes Service (AKS) Automatic clusters. With this feature, AKS automatically manages system node pools in your cluster, including configuration, scaling, and maintenance.
To create an AKS Automatic cluster with managed system node pools, see the Create an Azure Kubernetes Service (AKS) Automatic cluster with managed system node pools (preview) quickstart.
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Key features and benefits
The managed system node pools feature allows you to focus on your applications while AKS Automatic ensures that the underlying infrastructure is optimized for performance and reliability. Key features and benefits include:
- No operational overhead: AKS provisions, upgrades, and scales the system node pools automatically, eliminating the need for manual intervention.
- Simplified cluster creation: You don't need to track or allocate compute quotas for system node pools, as AKS handles this for you.
- Cost efficiency: Virtual machines (VMs) running on system node pools aren't charged to customer subscriptions, allowing you to optimize costs while maintaining high performance.
- Enhanced performance: Isolating system components from customer workloads improves reliability and delivers consistent performance backed by service-level agreements (SLAs).
Components of managed system node pools
The following table outlines the components managed by AKS in managed system node pools. AKS handles the creation, upgrading, and scaling of the system nodes where these components run.
| Component | Namespace | Deployment(s) |
|---|---|---|
| Azure Monitor | kube-system | ama-logs, ama-metrics, ama-metrics-ksm, ama-metrics-operator-targets |
| Workload identity | kube-system | azure-wi-webhook-controller-manager |
| CoreDNS | kube-system | coredns, coredns-autoscaler |
| Eraser | kube-system | eraser-controller-manager |
| Kubernetes Event-driven Autoscaling (KEDA) | kube-system | keda-admission-webhooks, keda-operator, keda-operator-metrics-apiserver |
| Konnectivity | kube-system | konnectivity-agent, konnectivity-agent-autoscaler |
| Metrics Server | kube-system | metrics-server |
| Vertical Pod Autoscaling (VPA) | kube-system | vpa-admission-controller, vpa-recommender, vpa-updater |
Other add-ons and extensions run on an aks-system-surge node, with scaling handled by node auto-provisioning (NAP). DaemonSets run on both managed system node pools and nodes in your subscription, including the aks-system-surge nodes.
Managed system node pool restrictions
Because AKS manages the system node pool on your behalf, it applies multiple layers of security restrictions through built-in policies, baseline pod security standards, and admission-time policies. These controls protect the cluster infrastructure, prevent unauthorized access to critical resources, and enforce security best practices. Understanding these restrictions helps you design applications that work within the managed system node pool security boundary while maintaining a high security standard.
Restrictions that prevent changing system resources on the managed system node pool
The following operations are denied for objects and pods running on the managed system node pool:
- All create, update, and delete operations.
- All pod `exec` and `attach` operations.
Restrictions that prevent running workloads on the managed system node pool
The following workload specifications are denied when scheduled on a managed system node pool:
- Workloads tolerating `CriticalAddonsOnly` and other forms of wildcard tolerations.
- Workloads that specify custom schedulers.
- Workloads that grant `nodes/proxy` permissions, except for approved system users and groups.
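Because these checks happen at admission time, a manifest that trips one of them fails only when it reaches the cluster. The following script is an added example (not AKS's own admission logic) that screens manifests in CI for the three denied shapes listed above: a `CriticalAddonsOnly` or wildcard toleration, a non-default `schedulerName`, and RBAC rules that grant `nodes/proxy`. It assumes the default scheduler is named `default-scheduler`, and, because the list of approved system users and groups isn't published here, it flags every `nodes/proxy` grant for review rather than trying to exempt any. The sample manifests are constructed for this example.

```python
"""Pre-submission screen for managed system node pool admission rules.

Added example for the article, not AKS code: flags workload shapes the
admission-time policies deny on a managed system node pool so they fail
in CI instead of at deploy time.
"""
from __future__ import annotations

from typing import Any

# Assumption: the cluster scheduler is named "default-scheduler"; any other
# schedulerName counts as a custom scheduler.
DEFAULT_SCHEDULER = "default-scheduler"


def pod_spec(obj: dict[str, Any]) -> dict[str, Any] | None:
    """Return the pod spec of a Pod or of a controller that embeds a pod template."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    # Deployment, DaemonSet, StatefulSet, Job, ReplicaSet all use spec.template.spec
    return spec.get("template", {}).get("spec")


def is_wildcard_toleration(tol: dict[str, Any]) -> bool:
    """An empty key with operator Exists tolerates every taint, including system taints."""
    return not tol.get("key") and tol.get("operator") == "Exists"


def grants_nodes_proxy(rule: dict[str, Any]) -> bool:
    """nodes/proxy lives in the core API group; '*' covers it by wildcard."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    core = "" in groups or "*" in groups
    return core and any(r in resources for r in ("nodes/proxy", "nodes/*", "*"))


def check(obj: dict[str, Any]) -> list[str]:
    """Return one finding per denied specification found in a single manifest."""
    findings: list[str] = []
    name = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
    spec = pod_spec(obj)
    if spec is not None:
        for tol in spec.get("tolerations", []):
            if tol.get("key") == "CriticalAddonsOnly":
                findings.append(f"{name}: tolerates CriticalAddonsOnly")
            elif is_wildcard_toleration(tol):
                findings.append(f"{name}: wildcard toleration")
        sched = spec.get("schedulerName")
        if sched and sched != DEFAULT_SCHEDULER:
            findings.append(f"{name}: custom scheduler {sched}")
    if obj.get("kind") in ("Role", "ClusterRole"):
        for rule in obj.get("rules", []):
            if grants_nodes_proxy(rule):
                findings.append(f"{name}: grants nodes/proxy (verify caller is an approved system identity)")
    return findings


def lint(objects: list[dict[str, Any]]) -> list[str]:
    """Run check() over every manifest and collect all findings."""
    return [f for obj in objects for f in check(obj)]


# Constructed sample manifests (not from the article).
DENIED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "sneaky"},
    "spec": {"template": {"spec": {
        "schedulerName": "my-scheduler",
        "tolerations": [{"operator": "Exists"}],
        "containers": [{"name": "app", "image": "example/app"}],
    }}},
}
ALLOWED_POD = {
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "tolerations": [{"key": "workload", "operator": "Equal", "value": "web", "effect": "NoSchedule"}],
        "containers": [{"name": "web", "image": "example/web"}],
    },
}
PROXY_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "node-peek"},
    "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}],
}

if __name__ == "__main__":
    for finding in lint([DENIED_DEPLOYMENT, ALLOWED_POD, PROXY_ROLE]):
        print(finding)
```

Feed it the parsed documents of your manifests (for example `yaml.safe_load_all`) and fail the pipeline on any finding; a toleration for a taint you apply to your own node pools, as on the `web` pod above, passes untouched.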
Unsupported AKS API operations
The following AKS API operations are unsupported:
- Upgrading a managed system node pool.
- Deleting a managed system node pool.
- Stopping a cluster with a managed system node pool.
- Listing agent pools on a cluster (the results don't include managed system node pools).