Skip to main content
Version: 0.8

Create a cluster


Install the latest version of the Azure CLI.

Login to your account, which needs to have the permissions to create an AKS cluster, by executing:

az login

Prepare using the AKS preview

CoCo on AKS is currently in preview. An extension for the az CLI is needed to create such a cluster. Add the extension with the following commands:

az extension add \
--name aks-preview \
--allow-preview true
az extension update \
--name aks-preview \
--allow-preview true

Then register the required feature flags in your subscription to allow access to the public preview:

az feature register \
--namespace "Microsoft.ContainerService" \
--name "KataCcIsolationPreview"

The registration can take a few minutes. The status of the operation can be checked with the following command, which should show the registration state as Registered:

az feature show \
--namespace "Microsoft.ContainerService" \
--name "KataCcIsolationPreview" \
--output table

Afterward, refresh the registration of the ContainerService provider:

az provider register \
--namespace "Microsoft.ContainerService"

Create resource group

The AKS with CoCo preview is currently available in the following locations:


Set the name of the resource group you want to use:


You can either use an existing one or create a new resource group with the following command:

azLocation="westus" # Select a location from the list above

az group create \
--name "${azResourceGroup:?}" \
--location "${azLocation:?}"

Create AKS cluster

First, we need to create an AKS cluster. We can't directly create a CoCo-enabled cluster, so we'll need to create a non-CoCo cluster first, and then add a CoCo node pool, optionally replacing the non-CoCo node pool.

We'll first start by creating the non-CoCo cluster:

# Select the name for your AKS cluster

az aks create \
--resource-group "${azResourceGroup:?}" \
--name "${azClusterName:?}" \
--kubernetes-version 1.29 \
--os-sku AzureLinux \
--node-vm-size Standard_DC4as_cc_v5 \
--node-count 1 \

We then add a second node pool with CoCo support:

az aks nodepool add \
--resource-group "${azResourceGroup:?}" \
--name nodepool2 \
--cluster-name "${azClusterName:?}" \
--node-count 1 \
--os-sku AzureLinux \
--node-vm-size Standard_DC4as_cc_v5 \
--workload-runtime KataCcIsolation

Optionally, we can now remove the non-CoCo node pool:

az aks nodepool delete \
--resource-group "${azResourceGroup:?}" \
--cluster-name "${azClusterName:?}" \
--name nodepool1

Finally, update your kubeconfig with the credentials to access the cluster:

az aks get-credentials \
--resource-group "${azResourceGroup:?}" \
--name "${azClusterName:?}"

For validation, list the available nodes using kubectl:

kubectl get nodes

It should show two nodes:

NAME                                STATUS   ROLES    AGE     VERSION
aks-nodepool1-32049705-vmss000000 Ready <none> 9m47s v1.29.0
aks-nodepool2-32238657-vmss000000 Ready <none> 45s v1.29.0


After trying out Contrast, you might want to clean up the cloud resources created in this step. In case you've created a new resource group, you can just delete that group with

az group delete \
--name "${azResourceGroup:?}"

Deleting the resource group will also delete the cluster and all other related resources.

To only cleanup the AKS cluster and node pools, run

az aks delete \
--resource-group "${azResourceGroup:?}" \
--name "${azClusterName:?}"