 

Changing --network-plugin in Azure Kubernetes Service for existing cluster

I'm trying to implement Azure Key Vault such that API keys, credentials and other Kubernetes secrets are read into production and staging environments. Ultimately, I'd like to try to expand that to local development environments so devs don't have to mess with it at all. It is just read in when they start their cluster.

Anyway, I'm following this to enable Pod Identities:

https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity

When I get to this step, I'm modifying the:

az aks create -g myResourceGroup -n myAKSCluster --enable-managed-identity --enable-pod-identity --network-plugin azure

To the following because I'm trying to change an existing cluster:

az aks update -g myResourceGroup -n myAKSCluster --enable-managed-identity --enable-pod-identity --network-plugin azure

This doesn't work, and I figured out I need to run each flag one at a time, so I had to run --enable-managed-identity first since --enable-pod-identity depends on it.

At any rate, when I get to the --enable-pod-identity I get the following error:

Operation failed with status: 'Bad Request'. Details: Network plugin kubenet is not supported to use with PodIdentity addon.

So I try the --network-plugin azure and get:

az: error: unrecognized arguments: --network-plugin azure

Apparently this flag is not available with update.

Poking around in the Azure portal for the AKS resource, I do see kubenet listed, but I'm not able to change it.

So, the question: Is it possible to change the Network Plugin on an existing cluster or do I need to start a new one?


EDIT: Looks like others are having similar issues on existing clusters:

https://github.com/Azure/AKS/issues/2094

cjones asked Sep 20 '25 21:09


1 Answer

Is it possible to change the Network Plugin on the existing cluster or do I need to start a new one?

It's impossible to change the network plugin on an existing cluster, so you need to create a new cluster and set the network plugin to azure at creation time. You will find that there is no --network-plugin parameter in the CLI command az aks update, even if you install the aks-preview extension. This means that changing the network plugin of an existing cluster is not supported.

Charles Xu answered Sep 22 '25 22:09
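A preflight check for the situation in this thread, as an added example that is not part of the original question or answer: it reads the cluster's network plugin with az aks show and prints either the two in-place update commands or the create command for a replacement cluster, without changing anything. The resource group and cluster names are the placeholders from the question, and the "-new" suffix on the replacement cluster name is a hypothetical choice.

```shell
#!/bin/sh
# Added example: dry-run preflight before enabling the pod identity add-on.
# It only prints the az commands to run; it does not modify the cluster.

# Map a network plugin value to an action (pure function, no Azure calls).
#   azure   -> the add-on can be enabled on the existing cluster
#   kubenet -> rejected with the "Bad Request" error quoted in the question
plugin_action() {
  case "$1" in
    azure)   echo "enable" ;;
    kubenet) echo "recreate" ;;
    *)       echo "unknown" ;;
  esac
}

# Read the network plugin of an existing cluster (needs a logged-in az CLI).
get_network_plugin() {
  az aks show -g "$1" -n "$2" --query networkProfile.networkPlugin -o tsv
}

# Print the commands that apply to this cluster.
# Returns 0 on a known plugin, 1 on an unexpected value, 2 if az itself fails.
preflight() {
  pf_rg="$1"; pf_name="$2"
  pf_plugin="$(get_network_plugin "$pf_rg" "$pf_name")" || return 2
  case "$(plugin_action "$pf_plugin")" in
    enable)
      # One flag per update call, as the question found necessary.
      echo "az aks update -g $pf_rg -n $pf_name --enable-managed-identity"
      echo "az aks update -g $pf_rg -n $pf_name --enable-pod-identity"
      ;;
    recreate)
      # The plugin is fixed at creation time; "-new" is a hypothetical name.
      echo "az aks create -g $pf_rg -n ${pf_name}-new --enable-managed-identity --enable-pod-identity --network-plugin azure"
      ;;
    *)
      echo "unexpected network plugin: '$pf_plugin'" >&2
      return 1
      ;;
  esac
}

# Stand-alone use: ./preflight.sh myResourceGroup myAKSCluster
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

For a kubenet cluster the output is a single az aks create line, which is the case the answer describes.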