Centralised collection of Azure Kubernetes Service (AKS) guides, sample applications, and supporting tooling that I have used or written while working with AKS in production and lab environments.
PodIdentity/— Walkthrough for the (now-deprecated) AAD Pod Identity add-on, including enabling pod identity on an existing cluster, binding a Managed Identity to a pod, and serving TLS via the Azure Key Vault Provider for Secrets Store CSI Driver. Ships two Spring Boot samples:boot-kv/— Spring Boot reading secrets from Azure Key Vault.storage-test/— Spring Boot accessing an Azure Storage Account, with docs comparing ROPC and Managed Identity credential flows.
WorkloadIdentity/— Azure AD Workload Identity sample.storage-test/is a Spring Boot app that authenticates to a Storage Account through a federated workload identity (no client secret).GithubAction/— Notes for accessing an AAD-enabled AKS cluster from GitHub Actions in non-interactive mode usingkubelogin+ workload-identity federation. The matching workflow files live in.github/workflows/kubelogin.ymland.github/workflows/githubaction.yml.kubeconfig-generator/— PEP 723 single-fileuvscript that mints a bearer-token kubeconfig for any Kubernetes ServiceAccount. Also containsargocd/RBAC manifests (standard wildcard and a hardened explicit-verb variant) for registering a target cluster with ArgoCD via theargocd-managerServiceAccount.
Ingress/AppGW_ManagedNginx/— Guide for fronting the AKS managed NGINX ingress controller (Application Routing add-on) with Azure Application Gateway, including TLS termination via Azure Key Vault, subdomain and path-based routing, and the App Gateway components (listener, backend pool/settings, custom health probe, rules) needed to make it work.Ingress/sample-app/— Spring Boot echo app with reference Kubernetes manifests for several ingress flavours used in the guides above: internal/external NGINX, AGIC (Application Gateway Ingress Controller), and ALB (Application Gateway for Containers), plus subdomain and path-based routing examples.
FlexNode/— End-to-end recipes for joining a non-Azure VM to an existing AKS cluster as a worker node with the Azure AKS Flex Node agent in bootstrap-token mode (no Arc, no Service Principal):README.md— Joining an AWS EC2 (Ubuntu 24.04) instance.AKSFlexNode-on-Azure-VM-guide.md— Joining an Azure VM in a different region/VNet from the cluster.
GPU/— Creating a GPU node pool on AKS and installing the NVIDIA GPU Operator on top of node-feature-discovery, including a worked example of GPU time-slicing onStandard_NC24ads_A100_v4.prometheus_dcgm.jsonis a Grafana dashboard for DCGM GPU metrics.
terraform/— Terraform module that provisions an AKS cluster against pre-existing VNet/subnets, with system + user node pools, AAD-integrated managed Kubernetes RBAC (Azure RBAC for Kubernetes disabled), Azure CNI with Cilium network policy + data plane, OIDC issuer, KEDA, the Key Vault Secrets Provider add-on, OMS agent, Microsoft Defender, and anAcrPullrole assignment for the kubelet identity against an existing Azure Container Registry.
DockerRegistryMirror/— Running an in-cluster Docker registry mirror (docker.io/registry) and wiring it into containerd on every node via a DaemonSet that installs the requiredhosts.toml. Requires containerd ≥ 1.5.cost-analysis/—aks_namespace_costs.pyproduces namespace-level cost breakdowns for AKS clusters using the Microsoft.CostManagement Generate Cost Details Report API. Requires the AKS cost analysis add-on. Packaged withpyproject.toml(Python ≥ 3.12, pytest + ruff dev deps).
Each subdirectory has its own README.md (or guide-suffixed .md) with the
detailed step-by-step instructions, manifests, and CLI snippets. This
top-level README is just an index.