Skip to content

Releases: Azure/AKS

Release 2025-09-21

26 Sep 00:31
@dyu1208 dyu1208
2025-09-21
b6ac949
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-09-21 Latest
Latest

Release Notes 2025-09-21

Monitor the release status by regions at AKS-Release-Tracker. This release is titled v20250921.

Announcements

  • AKS Kubernetes version 1.31 standard support will be deprecated by November 1, 2025. Kindly upgrade your clusters to 1.32 community version or enable Long Term Support with 1.31 in order to continue in the same version. Refer to version support policy and upgrading a cluster for more information.
  • Revision asm-1-24 of the Istio add-on has been deprecated. Please migrate to a supported revision following the Istio add-on upgrade guide.
  • AKS Kubernetes version 1.34 is now available in preview. Refer to 1.34 Release Notes and upgrading a cluster for more information.
  • Starting on 30 November 2025, AKS will no longer support or provide security updates for Azure Linux 2.0. Migrate to a supported Azure Linux version by upgrading your node pools to a supported Kubernetes version or migrating to osSku AzureLinux3. For more information, see [Retirement] Azure Linux 2.0 node pools on AKS.
  • Security patch information for Ubuntu 24.04 is available in AKS-Release-Tracker.
  • Azure Kubernetes Service no longer supports the --skip-gpu-driver-install node pool tag to skip automatic driver installation. This node pool tag can no longer be used at AKS node pool creation time to install custom GPU drivers or use the GPU Operator. Alternatively, you should use the generally available gpu-driver API field to update your existing node pools or create new GPU-enabled node pools to skip automatic GPU driver installation.
  • AKS Automatic is generally available. Find the recording to the virtual launch event on Youtube.
  • Availability Sets on AKS are being retired on AKS on September 30 2025. Any new attempts to create a new Availability Sets will be blocked as of September 30 2025. Existing Availability Sets will remain functional after retirement but will be considered out of support. To migrate from Availability Sets, see the Availability Sets migration documentation for more info.
  • The Basic Load Balancer is being retired on AKS on September 30 2025. Any new attempts to create a new basic tier load balancer will be blocked. Existing Basic load balancers will remain functional after retirement but will be considered out of support. See the basic load balancer migration documentation for more details on migration to the Standard load balancer.

Release notes

Features

  • API Server Vnet Integration is now available in East US region.
  • AKS Node Problem Detector (NPD) conducts GPU health monitoring to enable automatic detection and reporting of issues impacting select GPU-enabled VM sizes, and is now generally available.
  • Kubelet Serving Certificate Rotation (KSCR) is now enabled by default in Sovereign cloud regions. Existing node pools in these regions will have KSCR enabled by default when they perform their first upgrade to any kubernetes version 1.27 or greater. Kubelet serving certificate rotation allows AKS to utilize kubelet server TLS bootstrapping for both bootstrapping and rotating serving certificates signed by the Cluster CA. See documentation for detailed instructions.
  • Node auto provisioning (NAP) now supports private clusters, and disk encryption sets. See NAP documentation for more information.

Bug Fixes

  • Fixed an issue where KAITO workspace creation would fail on AKS Automatic because gpu-provisioner creates an agentPool. Non-node auto provisioning pools, such as agentPool, are now allowed to be added to AKS Automatic clusters.
  • Fixed a bug where ETag was not returned in ManagedClusters or AgentPools responses in API versions 2024-09-01 or newer, even though the API specification said it would be.

Behavioral Changes

  • Deployment Safeguards will stop enforcing readiness and liveness probes on the placeholder pods that Application Routing creates to mount synchronized secrets from Azure Key Vault.
  • AKS Automatic system pool needs to have at least 3 availability zones, ephemeral OS disk, and Azure Linux OS.
  • Starting with 20250902-preview API, the enableCustomCATrust field is removed. This field is not required when using the GA feature, and is only used by a deprecated version of the feature. When using Custom Certificate Authority, you no longer need to specify enableCustomCATrust. You can just add certificates to your cluster by specifying your text file for the --custom-ca-trust-certificates parameter. See documentation for detailed instructions.
  • Starting September 2025, new AKS clusters that use the AKS-managed virtual network option will place cluster subnets into private subnets by default (defaultOutboundAccess = false) in alignment with egress best practices. This setting does not impact AKS-managed cluster traffic, which uses explicitly configured outbound paths. It may affect unsupported scenarios, such as deploying other resources (e.g., VMs) into the same subnet. Clusters using BYO VNets are unaffected by this change. In supported configurations, no action is required.
  • For Pod Sandboxing, kata-mshv-vm-isolation will be replaced with kata-vm-isolation while the --workload-runtime used when creating a cluster will be changed from KataMshvVmIsolation to KataVmIsolation. Make sure you use the correct name when creating Pod Sandboxing clusters.
  • Cluster Autoscaler will delete nodes that encounter provisioning errors/ failures immediately, instead of waiting for the full max-node-provision-time defined in the cluster autoscaler profile. This change significantly reduces scale-up delays caused by failed node provisioning attempts.
  • In ingress-nginx managed via the application routing add-on, the metric ingress_upstream_latency_seconds has been removed following its deprecation upstream.

Component Updates

Read more
Assets 2
Loading

Release 2025-08-29

02 Sep 20:46
@dyu1208 dyu1208
2025-08-29
f27d81c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-08-29

Release 2025-08-29

Monitor the release status by regions at AKS-Release-Tracker. This release is titled v20250829.

Announcements

  • AKS Automatic is now generally available. AKS Automatic is based on three key pillars: production-ready by default, integrated best practices and safeguards, and code to Kubernetes in minutes. Sign up to watch the AKS Automatic Virtual Launch on September 16th from 8:00 AM - 12:00 PM (UTC-07:00).
    • New Automatic cluster creation is only allowed in API Server Vnet Integration GA supported regions. Migrating from SKU: "Base" to SKU: "Automatic" is only allowed in API Server Vnet Integration GA supported regions. Operations on existing Automatic clusters will not be blocked even if the cluster is not in API Server Vnet Integration GA supported regions.
  • AKS patch versions 1.33.3, 1.32.7, and 1.30.11 are now available. Refer to version support policy and upgrading a cluster for more information.
  • Istio-based service mesh add-on is now compatible with AKS Long Term Support (LTS) for Istio revisions asm-1-25+ and AKS versions 1.28+. Please note that not every Istio revision will be compatible with every AKS LTS version. It is recommended to review the Istio add-on support policy for an overview of this feature's support.
  • API Server Vnet Integration is now available in the following additional regions: centralus, austriaeast, chilecentral, denmarkeast, israelnorthwest, malaysiawest, southcentralus2, southeastus3, southeastus5, southwestus, and usgovtexas. For the latest list of supported regions, see the API Server VNet Integration documentation.
  • 1.30 Kubernetes version is now officially End of Life. Please upgrade to 1.31 version. If you require 1.30 version, then switch to AKS Long Term Support (LTS).
  • Security Patch tab under AKS-Release-Tracker now provides information for Azure Linux v3. This provides real time info on the security patch contents and timestamp of actual release.

Release notes

Features

Bug Fixes

  • Fixed a bug where ETag was not returned in ManagedClusters or AgentPools responses in API versions 2024-09-01 or newer, even though the API specification said it would be.
  • Fixed cluster autoscaler bug 7694 in kubernetes version 1.31+, where the "DeletionCandidateOfClusterAutoscaler" taint would persist on some of the remaining nodes after scale-down. This incorrect tainting prevented new pods from being scheduled on those nodes.

Behavioral Changes

  • All AKS Automatic clusters, and AKS Standard clusters that enabled Deployment Safeguards via the safeguardsProfile, will now have a new Microsoft.ContainerService/deploymentSafeguards sub-resource created under managedClusters. See Use Deployment Safeguards for more information.
  • Disallow adding non-Node auto provisioning pools to AKS Automatic clusters. There is no effect on existing Automatic Clusters that have non-Node auto provisioning pools.
  • A new runTimeClassName, kata-vm-isolation, has been added for Pod Sandboxing in preparation for deprecating the old kata-mshv-vm-isolation name. Users can continue using the original name for the time being.
  • Starting with Kubernetes version 1.34, all AKS Automatic clusters will include a new AKS-managed component named Cluster Health Monitor within the kube-system namespace. This component is designed to collect metrics related to the cluster’s control plane and AKS-managed components, helping ensure these services are operating as expected and improving overall observability.

Component Updates

Read more
Loading

Release 2025-08-08

12 Aug 21:38
@shashankbarsin shashankbarsin
2025-08-08
b5421d8
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-08-08

Release 2025-08-08

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250808.

Announcements

  • Starting in September 2025, AKS will start rolling out a change to enable a managed clusters quota for all current and new AKS customers. This rollout is expected to take place between 1-30 September 2025. AKS quota is the maximum number of managed clusters (AKS clusters) that an Azure subscription can create per region. Once the managed clusters quota is released, customers will need both managed clusters quota and node quota (VM SKUs) to create an AKS cluster. Existing AKS customer subscriptions will be given a default limit at or above their current usage, depending on the available regional capacity. Existing subscriptions using AKS for the first time and new subscriptions will be given a default limit. Customers can view quota limits and usage and request additional quota in the Azure portal Quotas blade or by using the Quotas REST API. Before the rollout is complete, quota limits and usage may be visible in the Azure portal on the Quotas blade, and customers will be able to request quota; however, limits won’t be enforced in every region until 1 October 2025. More information on the default limits for new subscriptions is available in documentation here.
  • AKS Kubernetes patch versions 1.33.2, 1.32.6, 1.31.10, 1.30.13, 1.30.14 include a critical security fix for CVE-2025-4563 where nodes can bypass dynamic resource allocation authorization checks. This vulnerability affects the NodeRestriction admission controller when the DynamicResourceAllocation feature gate is enabled. Upgrade your clusters to these patched versions or above. Refer to version support policy and upgrading a cluster for more information.
  • Kubernetes CIS benchmark results and recommendations have been updated to CIS Kubernetes V1.27 Benchmark v1.11.1. The results are applicable to AKS 1.29.x through AKS 1.32.x.
  • AKS long term support now fully supports KEDA.
  • Kubelet serving certificate rotation is now enabled in all public cloud regions. For more information on kubelet serving certificate rotation and disablement, refer to the documentation. Sovereign cloud rollout will begin on 18 August 2025. For rollout updates and questions, see AKS Github Issues.

Release notes

Features

Preview Features

Bug Fixes

Behavior Changes

  • To allow addons that require Microsoft Entra ID authentication to be able to use workload identity while enabling IMDS restriction, it is now required to enable the OIDC issuer as well.
  • For Istio-based service mesh add-on for AKS, partial updates to serviceMeshProfile in AKS managedClusters API now supports empty revision lists. If no revisions are specified, the system will use existing revision values instead of returning an error.

Component Updates

Read more
Loading

Release 2025-07-20

24 Jul 17:31
@julia-yin julia-yin
2025-07-20
8483c4e
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-07-20

Release 2025-07-20

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250720.

Announcements

Release notes

Read more
Loading

Release 2025-06-17

20 Jun 00:47
@AllenWen-at-Azure AllenWen-at-Azure
2025-06-17
10f65de
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-06-17

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250617.

Announcements

  • Kubernetes 1.27 LTS version and 1.30 community version are going out of support by July 30th. Please upgrade to a supported version , refer to AKS release calendar for more information.
  • Customers using Azure Linux 2.0 should migrate to Azure Linux 3.0 before November 2025. For details on how to migrate from Azure Linux 2.0 to Azure Linux 3.0, see this doc. AKS is currently working on a feature to allow for migrations between Azure Linux 2.0 and Azure Linux 3.0 through a node pool update command. For updates on feature progress and availability, see Github issue.
  • Starting in June 2025, AKS clusters with version >= 1.28 and using Azure Linux 2.0 can be opted into Long Term Support. See blog for more information.
  • Starting in July 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
  • Ubuntu 18.04 is no longer supported on AKS. AKS will no longer create new node images or provide security updates for Ubuntu 18.04 nodes. Existing node images will be deleted by 17 July 2025. Scaling operations will fail. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
  • Teleport (preview) on AKS will be retired on 15 July 2025, please migrate to Artifact Streaming (preview) on AKS or update your node pools to set --aks-custom-headers EnableACRTeleport=false. Azure Container Registry has removed the Teleport API meaning that any nodes with Teleport enabled are pulling images from Azure Container Registry as any other AKS node. After 15 July 2025, any node pools with Teleport (preview) enabled may experience breakage and node provisioning failures. For more information, see aka.ms/aks/teleport-retirement.
    Azure Kubernetes Service will no longer support the --skip-gpu-driver-install node pool tag to skip automatic driver installation. Starting on August 14 2025, you will no longer be able to use this node pool tag at AKS node pool creation time to install custom GPU drivers or use the GPU Operator. Alternatively, you should use the generally available gpu-driver API field to update your existing node pools or create new GPU-enabled node pools to skip automatic GPU driver installation.

Release Notes

  • Preview Features

    • Azure Monitor Application Insights for Azure Kubernetes Service (AKS) workloads is now available in preview.
    • Ubuntu 24.04 is now available in public preview in k8s 1.32+. ContainerD 2.0 is enabled by default. You can create new Ubuntu 24.04 node pools or update existing Linux node pools to Ubuntu 24.04. Use the "Ubuntu2404" os sku enum after registering the preview flag "Ubuntu2404Preview". You can also use the new "Ubuntu2204" os sku enum to rollback to Ubuntu 22.04 if you encounter any issues! You may also rollback using "Ubuntu" os sku enum. For more information, see upgrading your OS version.
    • Cost optimized add-on scaling is now available in preview. This feature allows you to autoscale supported addons or customize the resource's default CPU/ memory requests and limits to improve cost savings.

  • Features

    • AKS version 1.33 is now generally available. Please check the AKS Release tracker for when your region will receive the GA update.
    • AKS patch versions 1.32.5, 1.31.9 are now available. Refer to version support policy and upgrading a cluster for more information.
    • API Server VNet Integration is available now, please find the most up to date regions where this feature has been rolled out.
    • Kubelet Service Certificate Rotation has now been rolled out to East US and UK South. Existing node pools will have kubelet serving certificate rotation enabled by default when they perform their first upgrade to any kubernetes version 1.27 or greater. New node pools on kubernetes version 1.27 or greater will have kubelet serving certificate rotation enabled by default. For more information on kubelet serving certificate rotation and disablement, see certificate rotation in Azure Kubernetes Service.
    • MaxblockedNodes property is getting rolled to all regions. This helps cluster operators to put a limit on number of nodes that can be blocked on pdb blocked eviction failures and continuing upgrade forward. Read more.

  • Bug Fixes

    • Fixed a race condition with streams sharing data between Cilium agent and ACNS security agent.
    • Fixed Azure Policy addon Gatekeeper regression causing crash loop on clusters with Kubernetes versions < 1.27.
    • Resolved an issue where node pool scaling failed with customized kubelet configuration. Without this fix, node pools using CustomKubeletConfigs could not be scaled, and encountered an error message stating that the CustomKubeletConfig or CustomLinuxOSConfig cannot be changed for the scaling operation.
    • Fixed an issue where updating node pools with the exclude label, it doesn't update the Load Balancer Backend Pool properly.
    • Resolved a problem when upgrading Kubenet or Nodesubnet cluster with AGIC enabled to Azure CNI Overlay there might be some connectivity issues to services exposed via Ingress App Gateway public IP.
    • Fixed a bug where clusters with Node Auto Provisioning enabled could intermittently get an error about "multiple identities configured" and be unable to authenticate with Azure.
    • Fixed an issure to ensure the vms in a specific cloud are compatible with the latest Windows 550 grid driver.

  • Behavior Changes

    • AKS now allows daily schedules for the auto upgrade configuration.
    • Static Egress Gateway memory limits increased from 500Mi to 3000Mi reducing the risk of memory-related restarts under load.
    • The GPU provisioner component of KAITO has now been moved to the AKS control plane when the KAITO add-on is used. The OSS installation will still require this component to run on the kubernetes nodes.
    • Azure Monitor managed service for Prometheus updates the max shards from 12 to 24, ensuring enhanced scaling capabilities.
    • linuxutil plugin is enabled again for Retina Basic and ACNS.
    • Node Auto-Provisioning (NAP) now requires Kubernetes RBAC to be enabled, because NAP relies on secure and scoped access to Kubernetes resources to provision nodes based on pending pod resource requests. Kubernetes RBAC is enabled by default. For more information, see RBAC for Kubernetes.
    • Deployment Safeguards no longer requires Azure Policy permissions. Cluster admins will have the ability to turn on and di...
Read more
Loading

Release 2025-05-19

24 May 19:04
@kaarthis kaarthis
2025-05-19
adde443
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-05-19

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250519.

Announcements

  • Customers using Azure Linux 2.0 should migrate to Azure Linux 3.0 before November 2025. For details on how to migrate from Azure Linux 2.0 to Azure Linux 3.0, see this doc. AKS is currently working on a feature to allow for migrations between Azure Linux 2.0 and Azure Linux 3.0 through a node pool update command. For updates on feature progress and availability, see Github issue.
  • Starting in June 2025, AKS clusters with version >= 1.28 and using Azure Linux 2.0 can be opted into Long Term Support.
  • Starting in June 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
  • Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
  • Teleport (preview) on AKS will be retired on 15 July 2025, please migrate to Artifact Streaming (preview) on AKS or update your node pools to set --aks-custom-headers EnableACRTeleport=false. Azure Container Registry has removed the Teleport API meaning that any nodes with Teleport enabled are pulling images from Azure Container Registry as any other AKS node. After 15 July 2025, any node pools with Teleport (preview) enabled may experience breakage and node provisioning failures. For more information, see aka.ms/aks/teleport-retirement.
  • Azure Kubernetes Service will no longer support the --skip-gpu-driver-install node pool tag to skip automatic driver installation. Starting on August 14 2025, you will no longer be able to use this node pool tag at AKS node pool creation time to install custom GPU drivers or use the GPU Operator. Alternatively, you should use the generally available gpu-driver API field to update your existing node pools or create new GPU-enabled node pools to skip automatic GPU driver installation.

Release Notes

  • Preview Features

  • Features

    • Kubernetes 1.31 and 1.32 are now designated as Long-Term Support (LTS) versions.
    • Kubernetes 1.33 is available in Preview. A full matrix of supported add-ons and components is published at the AKS versions page.
    • AKS now allows upgrading from Azure CNI NodeSubnet to Azure CNI NodeSubnet with Cilium dataplane, and from Azure CNI NodeSubnet with Cilium dataplane to Azure CNI Overlay with Cilium dataplane.

  • Bug Fixes

    • Fixed failures triggered by duplicate tag keys that differed only by character case.

  • Behavior Changes

    • Static egress gateway memory limits increased from 128Mi to 500Mi for greater stability.
    • Memory for Azure Monitor Container Insights container ama-logs increased from 750Mi to 1Gi.
    • AKS nodes now use Azure Container Registry (ACR)-scoped Entra ID tokens for kubelet authentication when pulling images from ACR. This enhancement replaces the legacy ARM-based Entra token model, aligning with modern security practices by scoping credentials directly to the registry and improving isolation and traceability.
    • Timeouts due to FQDN IP updates are exported by Cilium Agent as cilium_proxy_datapath_update_timeout_total on Azure CNI Powered by Cilium.
    • ARM requests made with an api-version >= 2025-03-01 to obtain the status of async AKS operations can now return RP-defined status values for ongoing operations. Requests made with an api-version < 2025-03-01 will only return an InProgress status for ongoing operations.

  • Component Updates

Loading

Release 2025-04-27

02 May 23:24
@charleswool charleswool
2025-04-27
95fe633
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-04-27

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250427.

Announcements

  • AKS supported Kubernetes version release updates are now available in AKS Release Tracker. You can check current in-support Kubernetes versions and LTS versions for specific region and track new patches version release progress with Release Tracker.
  • Customers using AzureLinux 2.0 should migrate to Azure Linux 3.0 before November 2025. For details on how to migrate from Azure Linux 2.0 to Azure Linux 3.0, see this doc. AKS is currently working on a feature to allow for migrations between Azure Linux 2.0 and Azure Linux 3.0 through a node pool update command. For updates on feature progress and availability, see Github issue.
  • AKS now requires a minimum of 2GBs of memory for the SKU for all user nodepools. To learn more, see aka.ms/aks/restrictedSKUs.
  • Starting on 5 May, 2025, WebAssembly System Interface (WASI) node pools will no longer be supported. You can no longer create WASI (preview) node pools, and existing WASI node pools will be unsupported.
  • Starting in June 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
  • As of 31 March 2025, AKS no longer allows new cluster creation with the Basic Load Balancer. On 30 September 2025, the Basic Load Balancer will be retired. We will be posting updates on migration paths to the Standard Load Balancer. See AKS Basic LB Migration Issue for updates on when a simplified upgrade path is available. Refer to Basic Load Balancer Deprecation Update for more information.
  • The asm-1-22 revision for the Istio-based service mesh add-on has been deprecated. Migrate to a supported revision following the AKS Istio upgrade guide.
  • Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
  • Teleport (preview) on AKS will be retired on 15 July 2025, please migrate to Artifact Streaming (preview) on AKS or update your node pools to set --aks-custom-headers EnableACRTeleport=false. Azure Container Registry has removed the Teleport API meaning that any nodes with Teleport enabled are pulling images from Azure Container Registry as any other AKS node. After 15 July 2025, any node pools with Teleport (preview) enabled may experience breakage and node provisioning failures. For more information, see aka.ms/aks/teleport-retirement.

Release Notes

  • Features:

  • Preview Features:

    • Kubernetes 1.33 version is now available for Preview, see Release tracker for when it hits your region.
    • Kubernetes 1.31 and 1.32 are now recognized as Long-Term Support (LTS) releases in AKS, joining existing LTS versions 1.28 and 1.29. You can view when these LTS releases hit your region in real time via the Release tracker. For more information, see Long Term Support (LTS).

  • Bug Fixes:

    • Fix an issue in Azure CNI Powered by Cilium to improves DNS request/response performance, especially in large scale clusters using FQDN based policies. Without this fix, if the user sets a DNS request timeout below 2 seconds, in high-scale scenarios they may experience request drops due to duplicate request IDs.
    • Fix an issue where load balancer tags were not updated after accluster tag update. Load balancer tags now correctly reflect the latest state.
    • Fix an issue in Cilium v1.17 where a deadlock was causing server pods to be unable to start.

  • Behavior Changes:

    • aksmanagedap is blocked as a reserved name for AKS system component, you can no longer use it for creating agent pool. See naming convention for more information.
    • linuxutil plugin is temporarily disabled for Retina Basic and ACNS as it was causing memory leaks that leads to Retina pods OOMKill.
    • Advanced Container Networking Services (ACNS) configmaps (cilium, retina, hubble) now auto‑format cluster names to satisfy Cilium 1.17 rules:≤ 32 chars, lowercase alphanumeric characters and dashes, no leading/trailing dashes, functionality is unaffected. This change is due to the strict enforcement of Cilium 1.17. See this link for details.
    • The defaultConfig.gatewayTopology field is now included in the Istio add-on MeshConfig AllowList as an unsupported field. For more details, see the Istio MeshConfig documentation.
    • Previously, you can't disable Node AutoProvisioning once enabled, now you can if meet certain criteria. See this document for more details.
    • Disabling kube-proxy no longer requires the KubeProxyConfigurationPreview feature flag in bring-your-own (BYO) CNI scenarios.
    • Kubelet Service Certificate Rotation will begin regional rollout, starting with westcentralus and eastasia by 16 May 2025. Existing node pools in these regions will have kubelet serving certificate rotation enabled by default when they perform their first upgrade to any kubernetes version 1.27 or greater. New node pools in these regions on kubernetes version 1.27 or greater will have kubelet serving certificate rotation enabled by default. For more information on kubelet serving certificate rotation, see aka.ms/aks/kubelet-serving-certificate-rotation.

  • Component Updates:

Read more
Loading

Release 2025-04-06

10 Apr 07:29
@palma21 palma21
2025-04-06
156388f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-04-06

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250406.

Announcements

  • Starting in May 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
  • AKS Kubernetes version 1.32 roll out has been delayed and is now expected to reach all regions on or before the end of April. Please use the az-aks-get-versions command to accurately capture if Kubernetes version 1.32 is available in your region.
  • Kubernetes version 1.28, 1.29 will become additional Long Term Support (LTS) versions in AKS, alongside existing LTS versions 1.27 and 1.30.
  • AKS Kubernetes version 1.29 is going out of support in all regions on or before end April, 2025.
  • You can now switch non-LTS clusters on Kubernetes versions 1.25 onwards and within 3 versions of the current LTS versions to LTS by switching their tier to Premium.
  • As of 31 March 2025, AKS no longer allows new cluster creation with the Basic Load Balancer. On 30 September 2025, the Basic Load Balancer will be retired. We will be posting updates on migration paths to the Standard Load Balancer. See AKS Basic LB Migration Issue for updates on when a simplified upgrade path is available. Refer to Basic Load Balancer Deprecation Update for more information.
  • The asm-1-22 revision for the Istio-based service mesh add-on has been deprecated. Migrate to a supported revision following the AKS Istio upgrade guide.
  • The pod security policy feature was retired on 1st August 2023 and removed from AKS versions 1.25 and higher. PodSecurityPolicy property will be officially removed from AKS API starting from 2025-03-01.
  • Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
  • Starting on 17 March 2027, AKS will no longer create new node images for Ubuntu 20.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to Kubernetes version 1.34+ by the retirement date.
  • HTTP Application Routing (preview) has been retired as of March 3, 2025 and AKS will start to block new cluster creation with HTTP App routing enabled. Affected clusters must migrate to the generally available Application Routing add-on prior to that date.
  • Customers with nodepools using Standard_NC24rsv3 VM sizes should resize or deallocate those VMs. Microsoft will deallocate remaining Standard_NC24rsv3 VMs in the coming weeks.
  • Teleport (preview) on AKS will be retired on 15 July 2025, please migrate to Artifact Streaming (preview) on AKS or update your node pools to set --aks-custom-headers EnableACRTeleport=false. Azure Container Registry has removed the Teleport API meaning that any nodes with Teleport enabled are pulling images from Azure Container Registry as any other AKS node. After 15 July 2025, any node pools with Teleport (preview) enabled may experience breakage and node provisioning failures. For more information, see aka.ms/aks/teleport-retirement.

Release Notes

  • Features:

  • Behavior Changes:

    • Add node anti-affinity for FIPS-compliant nodes to prevent scheduling of retina-agent pods to stop CrashLoopBackOff on FIPS-enabled nodes whilst fix for Retina + FIPS is being rolled out.
    • Increased tofqdns-endpoint-max-ip-per-hostname from 50 to 1000 and tofqdns-min-ttl from 0 to 3600 in Azure Cilium for better handling of large DNS responses and reduce DNS query load.
    • Konnectivity agent will now scale based on cluster node count.
    • Starting on 15 April 2025, you will now be able to update your clusters to add an HTTP Proxy Configuration. Any update command that adds/changes an HTTP Proxy Configuration will now trigger an automatic reimage that will ensure all node pools in the cluster will have the same configuration. For more information, see aka.ms/aks/http-proxy.
    • Starting with Kubernetes 1.33, the default Kubernetes Scheduler is configured to use a MaxSkew value of 1 for topology.kubernetes.io/zone. For more details see Ensure pods are spread across AZs

  • Component Updates:

Read more
Loading

Release 2025-03-16

21 Mar 21:55
@sabbour sabbour
2025-03-16
5e184c2
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-03-16

Release 2025-03-16

Monitor the release status by region in the AKS Release Tracker. This release is titled v20250316.

Announcements

  • Starting in April 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
  • AKS Kubernetes version 1.32 roll out has been delayed and is now expected to reach all regions on or before the end of April. Please use the az-aks-get-versions command to accurately capture if Kubernetes version 1.32 is available in your region.
  • AKS will be upgrading the KEDA addon to more recent KEDA versions. The AKS team will add KEDA 2.16 on AKS clusters with K8s versions >=1.32, KEDA 2.14 for Kubernetes v1.30 and v1.31. KEDA 2.15 and KEDA 2.14 will introduce multiple breaking changes. View the troubleshooting guide to learn how to mitigate these breaking changes.
  • AKS Kubernetes version 1.28 will soon be available as a Long Term Support version.
  • You can now switch non-LTS clusters on Kubernetes versions 1.25 onwards and within 3 versions of the current LTS versions to LTS by switching their tier to Premium.
  • On 31 March 2025, AKS will no longer allow new cluster creation with the Basic Load Balancer. On 30 September 2025, the Basic Load Balancer will be retired. We will be posting updates on migration paths to the Standard Load Balancer. See AKS Basic LB Migration Issue for updates on when a simplified upgrade path is available. Refer to Basic Load Balancer Deprecation Update for more information.
  • The asm-1-22 revision for the Istio-based service mesh add-on has been deprecated. Migrate to a supported revision following the AKS Istio upgrade guide.
  • The pod security policy feature was retired on 1st August 2023 and removed from AKS versions 1.25 and higher. PodSecurityPolicy property will be officially removed from AKS API starting from 2025-03-01.
  • Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
  • Starting on 17 March 2027, AKS will no longer create new node images for Ubuntu 20.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to Kubernetes version 1.34+ by the retirement date.
  • Customer on retired NCv1, NCv2, NDv1, and NVv1 VM sizes should expect to have those node pools deallocated. Please move to supported VM sizes. You can find more information and instructions to do so here.

Release Notes

  • Features:

  • Preview Features:

    • You can use the EnableCiliumNodeSubnet feature in preview to create Cilium node subnet clusters using Azure CNI Powered by Cilium.
    • Control plane metrics are now available through Azure Monitor platform metrics in preview to monitor critical control plane components such as API server and etcd.

  • Bug Fixes:

    • Fixed an issue with the retina-agent volume to restrict access to only /var/run/cilium directory. Currently retina-agent mounts /var/run from host directory. This can have potential issue as it can overwrite data in the directory.
    • Fixed an issue where SSHAccess was being reset to the default value enabled on partial PUT requests for managedCluster.AgentPoolProfile.SecurityProfile without specifying SSHAccess.
    • Fixed an issue where Node Auto Provisioning (Karpenter) failed to properly apply the kubernetes.azure.com/azure-cni-overlay=true label to nodes which resulted in failure to assign pod IPs in some cases.
    • Fixed an issue where calico-typha could be scheduled on virtual-kubelet due to overly permissive tolerations. Tolerations are now properly restricted to prevent incorrect scheduling. Check this GitHub Issue for more details.
    • Fixed an issue in Hubble-Relay scheduling behavior to prevent deployment on cordoned nodes, allowing the cluster autoscaler to properly scale down nodes.
    • Fixed an issue where pods could get stuck in ContainerCreating during Cilium+NodeSubnet to Cilium+Overlay upgrades by ensuring the original network configuration is retained on existing nodes.
    • Fixed an issue where priority class isn't set on the Custom CA Trust DaemonSet. This change ensures that the DaemonSet will not be evicted first in case of node pressure.
    • Fixed an issue where policy enforcements through Azure Policy addon were interrupted during cluster scaling or upgrade operations due to a missing Pod Disruption Budget (PDB) for the Gatekee...
Read more
Loading

Release 2025-02-20

25 Feb 03:17
@dyu1208 dyu1208
2025-02-20
7d89adb
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 2025-02-20

Release 2025-02-20

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250220.

Announcements

  • AKS Kubernetes version 1.32 is rolling out soon and is expected to reach all regions on or before the end of March. Please use the az-aks-get-versions command to accurately capture if Kubernetes version 1.32 is available in your region.
  • HTTP Application Routing (preview) is going to be retired on March 3, 2025 and AKS will start to block new cluster creation with HTTP Application Routing (preview) enabled. Affected clusters must migrate to the generally available Application Routing add-on prior to that date. Refer to the migration guide for more information.
  • Using the GPU VHD image (preview) to provision GPU-enabled AKS nodes was retired on January 10, 2025 and AKS will block creation of new node pools with the GPU VHD image (preview). Follow the detailed steps to create GPU-enabled node pools using the alternative supported options.
  • Extend the AKS security patch release notes in release tracker to include a package comparison with the current - 1 AKS Ubuntu base image.

Release Notes

  • Features:

  • Preview Features:

    • You can use the EnableCiliumNodeSubnet feature in preview to create Cilium node subnet clusters using Azure CNI Powered by Cilium.
    • Control plane metrics are now available through Azure Monitor platform metrics in preview to monitor critical control plane components such as API server, etcd, scheculer, autoscaler, and controller-manager.

  • Bug Fixes:

    • Resolved an issue with Istio service mesh add-on where having multiple operations with the Lua EnvoyFilter (e.g. adding the Lua filter to call an external service and specifying the cluster referenced by Lua code) was not allowed.
    • Fixed a bug in Azure CNI Pod Subnet Static Block Allocation mode with Cilium which caused incorrect iptables rules, leading to pod connectivity failures to DNS and IMDS.
    • Resolved an issue in Azure CNI static block IP allocation mode, where the updated Azure Table client mishandled untyped numbers, causing static block node pools to be misidentified as dynamic and leading to operation failures.
    • Fixed a bug in Azure Kubernetes Fleet Manager hub cluster resource groups (FL_ prefix resource groups) by truncating the name to avoid issues with long generated managed resource group names breaking the maximum length of resource groups.

  • Behavior Changes:

    • Horizontal Pod Autoscaling introduced for ama-metrics replicaset pod in the Azure Monitor managed service for Prometheus add-on. More details about the configuration of the Horizontal Pod Autoscaler can be found here.
    • Starting with Kubernetes v1.32, node subnet mode will be installed via the azure-cns DaemonSet, allowing for faster security updates.
    • By default, in new create operations on supported k8s versions, if you have selected a VM SKU which supports Ephemeral OS disks but have not specified an OS disk size, AKS will provision an Ephemeral OS disk with a size that scales according to the total temp storage of the VM SKU, so long as the temp is at least 128GiB. If you are looking to utilize the temp storage of the VM SKU, you will need to specify the OS disk size during deployment, otherwise it will be consumed by default. See more information here.
    • vmSize is no longer a required parameter in the AKS REST API. For AgentPools created through the SDK without a specified vmSize, AKS will find an appropriate VM SKU for your deployment based on quota and capacity. See more information under properties.vmSize here.

  • Component Updates:

    • Updated Windows CNS from v1.6.13 to v1.6.21 and Linux CNS from v1.6.18 to v1.6.21.
    • Updated Windows CNI and Linux CNI from v1.6.18 to v1.6.21.
    • Updated tigera operator to v1.36.3 and calico to v3.29.0.
    • Node Auto Provisioning has been upgraded to use Karpenter v0.7.2.
    • Updated LTS patch version 1.27.102 for Command Injection affecting Windows nodes to address CVE-2024-9042.
    • Updated the Retina basic image to v0.0.25 for Linux and Windows to address CVE-2025-23047 and CVE-2024-45338.
    • Updated the cost-analysis-agent image from v0.0.20 to v0.0.21. Upgrades the following dependencies in cost-analysis-agent to fix CVE-2024-45341 and CVE-2024-45336:
      • github.com/Azure/azure-sdk-for-go/sdk/azcore v1.15.0 to v1.17.0
      • github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 to v1.8.1
      • github.com/prometheus/common v0.60.0 to v0.62.0
      • github.com/samber/lo v1.47.0 to v1.49.1
      • github.com/stretchr/testify v1.9.0 to v1.10.0
    • AKS Azure Linux v2 image has been updated to 202502.09.0.
    • AKS Ubuntu 22.04 node image has been updated to 202502.09.0.
    • AKS Ubuntu 24.04 node image has been updated to 202502.09.0.
    • AKS Windows Server 2019 image has been updated to 17763.6775.250117.
    • AKS Windows Server 2022 image has been updated to 20348.3091.250117.
    • AKS Windows Server 23H2 image has been updated to 25398.1369.250117.
Loading