Essential tools
kubectl + kubelogin + helm is the minimum. Add k9s for interactive debugging. Skip GUIs until you know the CLI.
Required tools
Install these before touching any AKS cluster:
```bash
# Install Azure CLI (includes az aks commands)
# Windows: winget install Microsoft.AzureCLI
# macOS: brew install azure-cli
# Linux: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# Install kubectl and kubelogin via Azure CLI
az aks install-cli

# Verify installations
kubectl version --client
kubelogin --version
helm version
```
| Tool | Why You Need It | Install |
|---|---|---|
| Azure CLI | Cluster lifecycle management | winget install Microsoft.AzureCLI |
| kubectl | All Kubernetes API interactions | az aks install-cli |
| kubelogin | Required for Entra ID auth (every production cluster) | az aks install-cli |
| Helm | Install third-party components (ingress, cert-manager) | winget install Helm.Helm |
kubelogin is not optional. Every production AKS cluster uses Entra ID integration. Without kubelogin, kubectl cannot authenticate. The az aks install-cli command installs both kubectl and kubelogin.
Connecting to your cluster
```bash
# Get credentials (merges into ~/.kube/config)
az aks get-credentials --resource-group myrg --name myaks

# For Entra ID clusters, convert kubeconfig to use kubelogin
kubelogin convert-kubeconfig -l azurecli

# Verify connectivity
kubectl get nodes
```
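To confirm the conversion took effect, the following added example (not part of the original page) reports how each user entry in a kubeconfig authenticates, so entries that still carry a static token, a client certificate or the legacy `auth-provider` stanza stand out. The function names and the sample file are constructed for illustration, and the parser assumes the block-style YAML that kubectl writes.

```bash
# Added example (assumes the block-style YAML that kubectl and az aks get-credentials write).
audit_kubeconfig() {   # prints "<user>\t<methods>" for the kubeconfig file in $1
  awk '
    function flush() { if (name != "") print name "\t" (m == "" ? "none" : m) }
    function add(x)  { if (index("," m ",", "," x ",") == 0) m = (m == "" ? x : m "," x) }
    /^users:/ { in_users = 1; next }
    /^[^ #-]/ { if (in_users) flush(); name = ""; in_users = 0; next }  # next top-level key
    !in_users { next }
    match($0, /^ *- name:/) {
      indent = RLENGTH - 7                        # column of the list marker
      if (!seen) { item = indent; seen = 1 }      # first entry fixes the list indent
      if (indent == item) {                       # deeper "- name:" lines are exec env vars
        flush(); m = ""; name = $0; sub(/^ *- name: */, "", name)
      }
      next
    }
    /^ +command:.*kubelogin/               { add("exec-kubelogin"); next }
    /^ +command:/                          { add("exec-other"); next }
    /^ +token:/                            { add("static-token") }
    /^ +client-(certificate|key)(-data)?:/ { add("client-cert") }
    /^ +auth-provider:/                    { add("legacy-auth-provider") }
    END { if (in_users) flush() }
  ' "$1"
}

# Succeeds only if there is at least one user and all of them use kubelogin alone.
kubeconfig_uses_kubelogin_only() {
  audit_kubeconfig "$1" |
    awk -F '\t' '$2 != "exec-kubelogin" { bad = 1 } END { exit (bad || NR == 0) }'
}

# Constructed sample (placeholder names and values, not from a real cluster).
sample_kubeconfig() {
  cat <<'EOF'
kind: Config
users:
- name: clusterUser_myrg_myaks
  user:
    exec:
      command: kubelogin
      env:
      - name: EXAMPLE_VAR
        value: "1"
- name: clusterAdmin_myrg_myaks
  user:
    client-certificate-data: UExBQ0VIT0xERVI=
    token: placeholder-token
EOF
}
```

Run `audit_kubeconfig ~/.kube/config` after merging credentials; any line whose second column is not `exec-kubelogin` is a credential stored on disk rather than obtained through Entra ID at request time.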
Recommended (not required)
| Tool | Purpose | Opinion |
|---|---|---|
| k9s | Terminal UI for Kubernetes | Best debugging tool. Beats kubectl get loops. |
| Kustomize | Template-free YAML composition | Built into kubectl (kubectl apply -k) |
| kubectx/kubens | Fast context/namespace switching | Essential once you have 2+ clusters |
| stern | Multi-pod log tailing | kubectl logs but across all pods at once |
```bash
# Install k9s
winget install derailed.k9s

# Run it -- instant cluster overview
k9s
```
Helm vs Kustomize
Use Helm for third-party charts. Use Kustomize for your own apps. Don't use both on the same application.
| Scenario | Use | Why |
|---|---|---|
| Install NGINX Ingress Controller | Helm | Maintained chart, complex templates, values-based config |
| Install cert-manager | Helm | Same as above |
| Deploy your own microservice | Kustomize | Simple overlays, no template engine needed |
| Customize a Helm chart heavily | Helm + values file | Don't eject into Kustomize patches on top of Helm |
If you find yourself patching Helm output with Kustomize, you've gone wrong. Either use the chart's values.yaml properly or fork the chart. The Helm-then-Kustomize pipeline is a maintenance nightmare.
Infrastructure as code
| Tool | When to Use |
|---|---|
| Bicep | Azure-only shops, simplest syntax, first-party support |
| Terraform | Multi-cloud requirement, existing Terraform estate |
| ARM Templates | Never for new projects. Legacy only. |
Bicep compiles to ARM but is human-readable. If you're Azure-only, use Bicep. Terraform makes sense if you also manage AWS/GCP resources or your team already knows it.
Skip these (for now)
- Lens/OpenLens: GUI Kubernetes IDE. Learn kubectl first so you understand what the GUI is doing.
- Docker Desktop Kubernetes: Use AKS directly or kind/minikube for local dev.
- Rancher/Portainer: Adds a management layer you don't need for a single cluster.