Releases: Azure/AKS

Release 2026-05-29

04 Jun 22:30
67669da

Release Notes - 2026-05-29

Monitor the release status by regions at AKS-Release-Tracker. Vulnerabilities addressed by AKS releases can be tracked at CVE API viewer.

Announcements of upcoming changes and retirements

  • Revision asm-1-27 of the Istio-based service mesh add-on has been deprecated. Please upgrade to revision 1.28 or later following the Istio add-on upgrade guide.
  • Windows Server Annual Channel for Containers retired on AKS on May 15, 2026. 5B is the last image that AKS will produce for Windows Server Annual Channel. After 5B, AKS will no longer produce new Windows Server Annual Channel node images or provide security patches. You will not be able to create new node pools with Windows Server Annual Channel. On May 15, 2027, AKS will remove all existing Windows Annual Channel node images, which will cause scaling and remediation (reimage and redeploy) operations to fail. Customers must migrate their Windows Server Annual Channel node pools to Long Term Servicing Channel (LTSC) by following the migration guide.
  • Windows Server 2019 retired on March 1, 2026 and its preview feature flag has been removed. You can expect the following impact: AKS no longer produces new node images or provides security patches. All existing node pools with Windows Server 2019 are unsupported. You will not be able to create new node pools in k8s 1.33+. Starting on April 1, 2027, AKS will remove all existing node images for Windows Server 2019, meaning that scaling operations will fail. For more information, see aka.ms/aks/ws2019-retirement-github.
  • Starting on June 8, 2026, AKS no longer supports Flatcar Container Linux for Azure Kubernetes Service (AKS) (preview). At that point, AKS will no longer produce new Flatcar Container Linux node images or provide security patches, and you'll be unable to create new node pools with Flatcar Container Linux. On September 8, 2026, AKS will remove all existing Flatcar Container Linux node images, causing scaling and remediation (reimage and redeploy) operations to fail. Migrate existing Flatcar Container Linux for AKS node pools to Azure Container Linux for AKS.
  • Managed system node pools are now generally available for AKS Automatic. New AKS Automatic clusters preconfigure managed system node pools by default. If you have an existing Automatic cluster without managed system node pools, you should recreate the cluster and migrate the workloads.
    • New AKS Automatic clusters now preconfigure LocalDNS mode to Required by default, including new node pools added to existing Automatic clusters. Existing node pools are unchanged.
    • Users with the Azure Kubernetes Service Contributor or Contributor role (with Microsoft.ContainerService/deploymentSafeguards/write permission) can now edit the excludedNamespaces field for deployment safeguards on Automatic clusters, controlling which policies apply to specific namespaces.
    • Deployment safeguards in Enforce mode and Pod Security Standards set to Baseline now allow pods on Automatic clusters to read the /var/log and /hostfs hostPath volumes (read-only), supporting log exporter scenarios.
    • Since AKS manages the system node pool on your behalf, AKS applies multiple layers of security restrictions:
      • New AKS Automatic clusters with managed system node pools now block customer-supplied SSH keys. Existing Automatic clusters with managed system node pools keep their existing keys but can't add new ones; clusters without managed system node pools are unaffected.
      • AKS Automatic clusters enforce a ValidatingAdmissionPolicy that blocks Services from setting spec.externalIPs, in line with the upstream deprecation of Service externalIPs. The policy applies immediately to Automatic clusters with managed system node pools, and to Automatic clusters without managed system node pools starting in Kubernetes 1.36.
      • AKS Automatic clusters with managed system node pools deny kubectl port-forward for objects and pods running on the managed system node pool.
      • AKS Automatic clusters with managed system node pools block read access to secrets in the kube-system namespace, except for known trusted identities. This mitigates the risk of attackers using the node bootstrap token to deploy pods on managed system node pools.
      • AKS Automatic clusters with managed system node pools enforce stricter authorization on MutatingAdmissionPolicyBinding resources by blocking unauthorized mutation operations (create, update, patch, delete).
      • For AKS versions prior to 1.36, AKS Automatic clusters with managed system node pools block all mutating admission resources (MutatingWebhookConfiguration, MutatingAdmissionPolicy, and MutatingAdmissionPolicyBinding) to reduce risk from unsafe mutations. Starting in AKS 1.36, Automatic clusters with managed system node pools allow a controlled subset of mutating admission configurations, provided they do not target the following sensitive resources: nodes, persistentvolumes, certificatesigningrequests, and tokenreviews.

Release notes

Kubernetes versions

Features

  • Windows Server 2025 is now generally available. You no longer need to register a feature flag to create Windows Server 2025 node pools. Windows Server 2025 node pools can be created in Kubernetes version 1.32+ with a minimum GA CLI version of 2.87.0.
  • Azure Container Linux is generally available (GA) as an OS option on AKS starting AKS v1.34. You can deploy ACL node pools in a new AKS cluster or add ACL node pools to your existing clusters. AKS also supports migrating existing node pools to ACL using in-place OS SKU migration or by creating new ACL node pools. For detailed migration steps, considerations, and rollback instructions, see Migrate existing nodes to ACL.
  • Azure Policy add-on now generates ValidatingAdmissionPolicies (VAP) for all customers. This enforces CEL-based policies inside the API server process for minimal latency and enables fail-closed enforcement.

Preview features

  • Azure Linux 3.0 confidential VM (CVM) is now available in preview in Fairfax (US Gov) regions. Register the AzureLinuxCVMPreview feature to enable it.
  • In-place node pool resize is now available in preview. Resize the VM size of an existing VMSS-based node pool in place via az aks nodepool update --node-vm-size, without manually creating and migrating to a new node pool.

Behavioral changes

  • LocalDNS is now automatically enabled on node pools running Kubernetes 1.36 or later. Node pools with preconfigured LocalDNS or upstream NodeLocal DNS, Cilium or Calico clusters with network policies enabled, and bring-your-own (BYO) CNI clusters are excluded. To disable it, see aka.ms/aks/localdns.
  • Node Auto Provisioning (NAP) Standard SKU clusters running Kubernetes 1.36 or later now default to LocalDNS mode Preferred on the default and system-surge AKSNodeClass resources, improving DNS resolution performance and resilience. Existing in-cluster AKSNodeClass specs are preserved.
  • Application routing gateways using the Gateway API now write access logs to stdout by default for the managed (meshless) Istio configuration.
  • T...

Release 2026-04-28

04 May 20:09
9c9791c

Release Notes - 2026-04-28

Monitor the release status by regions at AKS-Release-Tracker. Vulnerabilities addressed by AKS releases can be tracked at CVE API viewer.

Announcements

  • AKS-2026-0003: A Linux kernel algif_aead local privilege escalation vulnerability (CVE-2026-31431) lets a pod escalate to root on the underlying node — including non-root pods with no special capabilities. Affects AKS nodes running Ubuntu 20.04 FIPS, Ubuntu 22.04, Ubuntu 24.04, and Azure Linux 3.0. Azure Linux 2.0 (Mariner) and Windows nodes aren't affected. The mitigation is globally deployed in node image versions 202604.13.0 and 202604.24.0. New nodes and any node that goes through a node image upgrade are automatically protected. Existing nodes aren't patched in place — upgrade the node image, or, if your pool is already on 202604.24.0, apply the mitigation DaemonSet from the advisory immediately. See the AKS security bulletin for full details.
  • The Kubernetes SIG Network and the Security Response Committee announced the upcoming retirement of the Ingress NGINX project, with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the application routing Gateway API implementation for a Gateway API-based ingress traffic management experience.
  • On Long Term Support clusters, Premium-tier billing for a cluster begins only after the cluster's Kubernetes minor version exits community support and enters the long-term support window. Until then, the cluster continues to be billed at its existing tier rate. See the Long Term Support documentation for more information.

Kubernetes Version

  • New Kubernetes patch versions are now available: 1.35.2, 1.35.3, 1.34.5, 1.34.6, 1.33.9, and 1.33.10.
  • AKS Kubernetes Long Term Support (LTS) version 1.29 is deprecated. Please upgrade your clusters to a supported version. Refer to AKS Support Calendar for more information.
  • AKS Kubernetes version 1.32 is now available only through Long Term Support. Use an LTS support plan for clusters that need to remain on 1.32, or upgrade to a supported standard-support Kubernetes version.

For deprecation, rollouts and patch timelines by region, please check the AKS-Release-Tracker.

Preview Features

  • Added preview support for AKS-managed NAT Gateway V2 outbound type in supported public Azure regions. Regions where StandardV2 NAT Gateway is not yet available remain excluded.
  • Customers can now preview customization of the default kube-reserved and hard eviction kubelet configuration through the existing custom node preview feature registration starting with the 2026-03-02-preview API.
  • Customers can now view the VM SKUs supported on AKS and available in their Azure subscription with the AKS List Available VM SKUs API, to create their clusters and/or add node pools.
  • AKS-managed GPU metrics are now supported by default in Azure Managed Prometheus and Dashboards with Grafana in Azure Monitor.
  • Customers can now set both MaxUnavailable and MaxSurge values to surge during node pool upgrades based on available capacity with Capacity Based Surge. With both configurations enabled, the MaxSurge value will be attempted first. If MaxSurge value is not available due to quota or capacity, a surge of 1 node will be attempted. If a surge of 1 is not available, MaxUnavailable configuration will be attempted for an in-place upgrade.

Features

  • Gateway API-based ingress for the application routing add-on is now generally available. The Kubernetes SIG Network and the Security Response Committee announced the upcoming retirement of the Ingress NGINX project, with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the application routing Gateway API implementation for a Gateway API-based ingress traffic management experience.
  • AKS Automatic clusters with managed system node pools can now migrate to AKS Standard clusters in additional regions after adding a system node pool.
  • Users can now configure spec.minReadySeconds in the Application Routing Gateway Parameters ConfigMap. This helps applications that need extra initialization time after passing their initial health check and can reduce disruption during rolling upgrades. See the related AKS GitHub issue.

Bug Fixes

  • Fixed an issue in the Istio-based service mesh add-on where the CRD installer could pull busybox from an unintended registry in AGC environments. This also removes non-Job Helm hooks from related resources to avoid a CRD installer race condition.
  • Fixed empty PUT reconcile failures with CustomRouteTableInvalidUpdateAttempt on clusters using bring-your-own route tables.
  • Added validation to prevent enabling Artifact Streaming with Pod Sandboxing, which is not supported.
  • Added AKS Automatic managed system node pool protection that blocks ClusterRoleBinding create or update requests when the roleRef targets configured privileged ClusterRoles, reducing the risk of privilege escalation through service account impersonation.

Behavioral Changes

Component Updates

Release 2026-04-02

09 Apr 02:49
b7dc6da

Release Notes - 2026-04-02

Monitor the release status by regions at AKS-Release-Tracker. Vulnerabilities addressed by AKS releases can be tracked at CVE API viewer.

Announcements

  • Starting on June 30, 2027, Azure Kubernetes Service (AKS) no longer supports or provides security updates for Ubuntu 22.04. To avoid disruptions, transition to Ubuntu 24.04 or later by that date. Between now and June 30, 2027, you can continue to use Ubuntu 22.04 on AKS without disruption. If you don't migrate by June 30, 2027, you won't be able to create new node pools, AKS won't produce new node images, and you'll no longer receive security patches for existing node pools. If you want to enable long-term support (LTS) with Kubernetes version 1.33 or later, first update your node pools to Ubuntu 24.04. On April 30, 2028, AKS will remove Ubuntu 22.04 node images and existing code, causing scaling and remediation operations to fail. For more information, see aka.ms/aks/ubuntu2204-retirement-github.
  • Starting on April 1, 2027, the node pool tag, aks-disable-kubelet-serving-certificate-rotation=true will no longer be supported. New node pools can be created with the node pool tag, but AKS will not respect the node pool tag. For new node pools, that means that they will be created with Kubelet Serving Certificate Rotation (KSCR) enabled, despite the node pool tag. For existing node pools, this means that KSCR will be automatically enabled on their next reimage operation. For updates about this retirement, see AKS GitHub Issue.
  • Teleport (preview) on AKS has now been removed by Azure Container Registry and by AKS. Please migrate to Artifact Streaming (preview) on AKS or update your node pools to set --aks-custom-headers EnableACRTeleport=false. Existing node pools with Teleport (preview) enabled may experience breakage and node provisioning failures. For more information, see aka.ms/aks/teleport-retirement.
  • Check out What's new with Microsoft in open source and Kubernetes at KubeCon + CloudNativeCon Europe 2026 for the recent announcements at KubeCon + CloudNativeCon Europe 2026.

Kubernetes Version

For deprecation, rollouts and patch timelines by region, please check the AKS-Release-Tracker.

Preview Features

  • Added support for AKS-managed NAT Gateway V2 outbound in supported public Azure regions, with automatic exclusion in sovereign clouds and regions where StandardV2 NAT Gateway isn't yet available.

Features

  • Customers using Standard_NC80ads_H100_v5 VM sizes can now configure MIG (multi-instance GPU) profiles on their agent pools, enabling partitioning of H100 GPUs into smaller instances (MIG1g, MIG2g, MIG3g, MIG4g, MIG7g) for better GPU utilization and multi-tenancy scenarios.
  • A preinstalled Premium SSD v2 StorageClass is now available on AKS 1.35 clusters in supported regions, providing sensible defaults for Premium SSD v2 adoption without requiring custom StorageClasses.
  • API Server VNET Integration is now available in malaysiasouth.
  • Vertical Pod Autoscaler (VPA) now supports the Recreate update mode.
  • Users can now customize the termination grace period on Istio-based service mesh gateway proxy pods.
  • Disable HTTP Proxy is now generally available. It's enabled by default for new clusters and can be disabled for existing AKS clusters. Once you disable HTTP proxy on a cluster, the proxy configuration is saved in the database but the proxy variables are removed from the pods and nodes.
  • AKS Managed API Server Guard is now generally available. It acts as a last-resort safeguard for the kube-apiserver during extreme load.

Bug Fixes

  • Fixed a bug in the AKS-managed nodes/proxy ValidatingAdmissionPolicy on AKS Automatic clusters where RBAC rules containing only nonResourceURLs were incorrectly denied.
  • A new ValidatingAdmissionPolicy has been added to AKS Automatic clusters to prevent creation or mutation of Kubernetes Service objects (such as clusterIP, externalIPs, or loadBalancerIP) that could redirect traffic to the Azure WireServer IP address, mitigating a potential remote code execution risk.
  • Fixed an issue in the AKS Istio add-on that could prevent CRD installer pods from scheduling on nodes tainted with CriticalAddonsOnly and cni.istio.io/ready=false, improving installation and upgrade reliability.
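
An audit for the two Service policies described in these notes (the spec.externalIPs block in the 2026-05-29 release and the WireServer policy above), as an added example that is not AKS code. It assumes input shaped like `kubectl get services -A -o json`; the sample Services are constructed, and the WireServer address is taken from Azure documentation rather than from this page.

```python
import ipaddress
import json

# Azure WireServer address per Azure documentation (assumption: not stated on this page).
WIRESERVER_IP = ipaddress.ip_address("168.63.129.16")
# The Service spec fields named in the release note.
IP_FIELDS = ("clusterIP", "externalIPs", "loadBalancerIP")

# Constructed sample, shaped like `kubectl get services -A -o json`.
SAMPLE_SERVICES = json.loads('''
{"items": [
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.0.12.7"}},
  {"metadata": {"namespace": "team-a", "name": "legacy-lb"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.0.30.9",
            "externalIPs": ["203.0.113.10"]}},
  {"metadata": {"namespace": "team-b", "name": "odd"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.0.44.3",
            "externalIPs": ["::ffff:168.63.129.16"]}},
  {"metadata": {"namespace": "team-b", "name": "headless"},
   "spec": {"type": "ClusterIP", "clusterIP": "None"}},
  {"metadata": {"namespace": "team-c", "name": "lb"},
   "spec": {"type": "LoadBalancer", "clusterIP": "10.0.51.2",
            "loadBalancerIP": "168.63.129.16"}}
]}
''')


def parse_ip(value):
    """Return a normalized address, or None for non-IP values such as "None"."""
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) so it compares equal to a.b.c.d.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped or ip


def audit_services(doc, watched=WIRESERVER_IP):
    """List (namespace, name, reason) for Services the policies would reject."""
    findings = []
    for svc in doc.get("items", []):
        meta = svc.get("metadata", {})
        spec = svc.get("spec") or {}
        ident = (meta.get("namespace", ""), meta.get("name", ""))
        # Any non-empty externalIPs list is rejected by the externalIPs policy.
        if spec.get("externalIPs"):
            findings.append(ident + ("sets spec.externalIPs",))
        # Any of the named fields pointing at the watched address is rejected.
        for field in IP_FIELDS:
            raw = spec.get(field)
            values = raw if isinstance(raw, list) else [raw]
            if any(v is not None and parse_ip(v) == watched for v in values):
                findings.append(ident + (f"spec.{field} targets watched address",))
    return findings


if __name__ == "__main__":
    for namespace, name, reason in audit_services(SAMPLE_SERVICES):
        print(f"{namespace}/{name}: {reason}")
```

Running it against a cluster export before a version upgrade shows which Services would start failing admission once the policy applies.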

Behavioral Changes

  • Starting with Kubernetes 1.34, clusters using Azure CNI Powered by Cilium include a new AKS-managed cilium-fluent-bit component to improve Cilium supportability.
  • The noProxy validation for HTTP proxy configuration has been relaxed. The updated validation only runs upon changes to the noProxy field and uses a less strict regex, unblocking customers with non-standard noProxy entries.
  • When using HTTP Proxy, you can't add more than 20 Trusted CA Certificates. See HTTP Proxy limitations for more information.

Component Updates

  • Node Auto Provisioning has been updated to Karpenter Azure provider v1.10.1.
  • Azure Monitor Metrics (ama-metrics) has been updated to the release-03-05-2026.
  • Azure File CSI driver has been updated to v1.33.8 (AKS 1.33), v1.34.4 (AKS 1.34), and v1.35.1 (AKS 1.35).
  • Azure Blob CSI driver has been updated to v1.26.10 (AKS 1.33) and v1.27.3 (AKS 1.34/1.35).
  • Microsoft Defender for Containers sensor has been upgraded to v0.9.52 on AKS >= 1.35 and to v0.8.49 on AKS < 1.35. See release notes for v0.9.52 and v0.8.49. The following Defender for Containers components were also updated:
  • Cloud-provider-azure has been updated to v1.35.0 with cloud-controller-manager v1.35.1-1 and cloud-node-manager v1.35.1-1.
  • Cluster autoscaler v1.35.0 is now available on AKS version 1.35.
  • Cilium agent and operator images have been updated to v1.17.9...

Release Notes - 2026-03-05

11 Mar 23:12
d0efd81

Monitor the release status by regions at AKS-Release-Tracker.

Announcements

  • Azure Kubernetes Service support for Flatcar Container Linux for AKS (preview) will be retired on 8 June 2026. Transition to a supported alternative by that date. From now to 7 June 2026, you can continue to use Flatcar Container Linux for AKS (preview) on Azure Kubernetes Service without disruption. Starting on 8 June 2026, Azure Kubernetes Service will no longer support Flatcar Container Linux for AKS (preview). You will no longer be able to create new node pools. AKS will not produce new node images and will no longer provide security patches for existing node pools. AKS will remove Flatcar Container Linux for AKS (preview) node images and existing code on 8 September 2026, meaning that scaling and remediation operations will fail.
  • Azure Linux has expanded GPU support to include NVIDIA A100, H100, and H200 VMs. Find the full list of supported GPUs with Azure Linux on AKS here.

Kubernetes Version

  • AKS Kubernetes version 1.35 is now generally available and being rolled out across regions. Please refer to the components breaking changes for more information.
  • AKS Kubernetes version 1.32 reaches the end of standard support on April 30, 2026. Please upgrade your clusters to a supported version. Refer to the AKS Support Calendar and version support policy for more information.
  • New Kubernetes patch versions are now available: 1.32.11, 1.33.7, 1.34.3.
  • AKS Kubernetes Long Term Support (LTS) version 1.28 is deprecated. Please upgrade your clusters to a supported version. Refer to AKS Support Calendar for more information.

For deprecation, rollouts and patch timelines by region, please check the AKS-Release-Tracker.

Preview Features

  • Azure Monitor Profile OTLP gRPC support is now available in public preview, enabling OpenTelemetry Protocol gRPC endpoints for Azure Monitor metrics collection.
  • ACNS preview feature is now supported on dual-stack clusters.
  • Node Auto Provisioning has been updated to Karpenter Azure provider v1.7.2. This release adds a new alpha resource NodeOverlay for controlling node priorities and supports two new scheduling labels: kubernetes.azure.com/scalesetpriority and kubernetes.azure.com/os-sku.

Features

Behavioral Changes

  • AKS Automatic clusters now enforce multiple layers of defense against remote code execution via nodes/proxy permissions:
    • A ValidatingAdmissionPolicy (VAP) restricts creation or updates of ClusterRole and Role objects granting nodes/proxy, except for approved system users and groups.
    • An authorization policy denies nodes/proxy by default. Approved system users, groups, and kube-system service accounts are exempt.
  • On clusters where ACNS performance is used to enable eBPF host routing, nodes will be labeled with kubernetes.azure.com/ebpf-host-routing=true. This is done by a node image upgrade.
  • Service tags for API server authorized IP ranges are now supported for AKS clusters with API server VNet integration.
  • AKS now supports configuring Standard V2 Azure NAT Gateway as a user‑assigned NAT gateway for outbound (egress) traffic.

Component Updates

Release 2026-02-08

17 Feb 21:29
2c84848

Release Notes 2026-02-08

Monitor the release status by regions at AKS-Release-Tracker.

Announcements

  • Windows Server 2019 is scheduled for retirement on March 1, 2026. Please transition to Windows Server 2022+ by that date. After that date, AKS will no longer produce new node images or provide security patches for Windows Server 2019. After that date, you will not be able to create new node pools with Windows Server 2019 on any Kubernetes version. All existing node pools with Windows Server 2019 will be unsupported. Windows Server 2019 is not supported in Kubernetes versions >= 1.33. Starting on April 1, 2027, AKS will remove all existing node images for Windows Server 2019 which will result in failure of scaling and remediation (reimage and redeploy) operations.
  • Windows Server Annual Channel (Preview) on AKS will be retired on May 15, 2026. Please transition to the Long Term Servicing Channel (LTSC) by that date. From now to May 15, 2026, you can continue to use Windows Server Annual Channel (Preview) without disruption. On May 15, 2026, AKS will no longer produce new Windows Server Annual Channel node images or provide security patches. You will not be able to create new node pools with Windows Server Annual Channel. On May 15, 2027, AKS will remove all existing Windows Server Annual Channel node images, which will cause scaling and remediation (reimage and redeploy) operations to fail.

Kubernetes Version

  • AKS Kubernetes patch versions 1.34.2, 1.33.6, and 1.32.10 are now available. Refer to version support policy and upgrading a cluster for more information.
  • AKS Kubernetes version 1.35 preview is rolling out to multiple regions and is expected to complete by early March.

Preview Features

  • Managed GPU profiles are now available in public preview via API version 2026-01-02-preview.
  • Blue-green node pool upgrade is now available in public preview via API version 2025-08-02-preview and Azure CLI version 2.64.0 or higher.
  • Node pool version rollback is now available in public preview via API version 2025-08-02-preview and Azure CLI version 2.64.0 or higher.

Features

Behavioral Changes

  • Nodes are now annotated with a kubernetes.azure.com/security-patch-timestamp annotation during a security VHD reboot upgrade. This gives you a unified way to verify when the last security patch was applied to each node. Refer to Autoupgrade Node OS Image FAQs for more information.
  • By default, AKS no longer creates or updates Network Security Groups on subnets it delegates for Application Gateway for Containers, improving reliability in policy-managed environments.
  • To protect against the potential security concern of remote code execution via the nodes/proxy get permission, AKS Automatic has added multiple layers of defense:
    1. A ValidatingAdmissionPolicy (VAP) that restricts the use of the Kubernetes nodes/proxy permission. One policy blocks creation or updates of ClusterRole and Role objects granting nodes/proxy, except for approved system users and groups.
    2. An authorization policy that denies nodes/proxy by default. This prevents exploitation even if a user has already been granted nodes/proxy permission through existing RBAC bindings. Approved system users, groups, and kube-system service accounts are exempt.
  • AKS Deployment Safeguards no longer Deny missing startup, liveness, and readiness probe requirements on AKS Automatic clusters. The policy has been changed to warn only. Learn more.
  • Gateway API CRDs can now be enabled directly without first requiring a supported gateway implementation such as the Managed Istio service mesh add-on to be enabled on the cluster.
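
An audit for existing nodes/proxy grants, the permission targeted by the policies above and in the 2026-03-05 notes. This is an added example, not AKS code. It assumes input shaped like `kubectl get clusterroles,roles -A -o json`; the sample roles are constructed, and the resource matching follows Kubernetes RBAC rules (`*`, the exact `nodes/proxy`, or `*/proxy`). Rules that contain only nonResourceURLs are skipped, the case the 2026-04-02 fix addresses.

```python
import json

# Constructed sample, shaped like `kubectl get clusterroles,roles -A -o json`.
SAMPLE_RBAC = json.loads('''
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "node-debugger"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
   "rules": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
   "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/status"],
              "verbs": ["get", "list"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "apps-wildcard"},
   "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "aggregate-empty"}, "rules": null},
  {"kind": "Role", "metadata": {"name": "ns-helper", "namespace": "team-a"},
   "rules": [{"apiGroups": [""], "resources": ["*/proxy"],
              "verbs": ["get", "create"]}]}
]}
''')

# Resource strings that RBAC treats as covering the nodes/proxy subresource.
MATCHING_RESOURCES = ("*", "nodes/proxy", "*/proxy")


def rule_grants_nodes_proxy(rule):
    """True if one RBAC PolicyRule covers nodes/proxy in the core API group."""
    resources = rule.get("resources") or []
    if not resources:
        # nonResourceURLs-only rules never grant access to nodes/proxy.
        return False
    groups = rule.get("apiGroups") or []
    if "" not in groups and "*" not in groups:
        # nodes live in the core ("") API group.
        return False
    return any(r in MATCHING_RESOURCES for r in resources)


def audit_rbac(doc):
    """List (kind, namespace, name, verbs) for roles that grant nodes/proxy."""
    findings = []
    for obj in doc.get("items", []):
        if obj.get("kind") not in ("ClusterRole", "Role"):
            continue
        verbs = set()
        # "rules" can be null on aggregated or empty roles.
        for rule in obj.get("rules") or []:
            if rule_grants_nodes_proxy(rule):
                verbs.update(rule.get("verbs") or [])
        if verbs:
            meta = obj.get("metadata", {})
            findings.append((obj["kind"], meta.get("namespace", ""),
                             meta.get("name", ""), sorted(verbs)))
    return findings


if __name__ == "__main__":
    for kind, namespace, name, verbs in audit_rbac(SAMPLE_RBAC):
        scope = f"{namespace}/" if namespace else ""
        print(f"{kind} {scope}{name}: nodes/proxy verbs {verbs}")
```

Roles are included because the policy described above covers both ClusterRole and Role objects.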

Component Updates

Release 2026-01-04

09 Jan 18:09
c968284

Release Notes 2026-01-04

Monitor the release status by regions at AKS-Release-Tracker.

Announcements

  • Ubuntu version updates
    • Ubuntu 24.04 is now generally available and will be the default for OS SKU Ubuntu starting in Kubernetes v1.35. This means that if you upgrade to Kubernetes v1.35 with Ubuntu OS SKU, you'll automatically update your OS version from Ubuntu 22.04 to Ubuntu 24.04. If you'd like to continue to use Ubuntu 22.04, you can use it until Kubernetes v1.36 end of life. You can also create or update your existing node pools using CLI version 2.82.0+. For more information, see documentation.
    • Ubuntu 18.04 support has been removed from AKS, meaning you'll no longer be able to scale your node pools. If you are currently using Ubuntu 18.04 on AKS, please follow our instructions to upgrade your Kubernetes version to 1.25+ where Ubuntu 22.04 will be the default Ubuntu version. For more information on this retirement and removal, see AKS Github Issues
  • AKS has now published the results from the CIS Kubernetes Benchmark v1.12.0 recommendations on AKS. The results are applicable to AKS 1.32.x through AKS 1.34.x. Detailed report is available in documentation.
  • AKS has now published the results from the CIS Ubuntu 24.04 LTS Benchmark v1.0.0. Detailed report is available in documentation.
  • Since November 30, 2025, Azure Kubernetes Service (AKS) no longer supports or provides security updates for Azure Linux 2.0. The Azure Linux 2.0 node image is frozen at the 202512.06.0 release. Beginning March 31, 2026, node images will be removed, and you'll be unable to scale your node pools. Migrate to a supported Azure Linux version by upgrading your node pools to a supported Kubernetes version or migrating to osSku AzureLinux3. For more information, see Retirement of Azure Linux 2.0 node pools on AKS
  • AKS now blocks the creation of clusters with Basic Load Balancer, which was retired on 30 September 2025. Clusters still using Basic Load Balancers are considered out of support and you must upgrade to the Standard Load Balancer.
  • Starting on March 30, 2026 the node pool tag, aks-disable-kubelet-serving-certificate-rotation=true will no longer be supported. New node pools can be created with the node pool tag, but AKS will not respect the node pool tag. For new node pools, that means that they will be created with Kubelet Serving Certificate Rotation (KSCR) enabled, despite the node pool tag. For existing node pools, this means that KSCR will be automatically enabled on their next reimage operation. For updates about this retirement, see AKS Github Issue.
  • Since 19 October 2025, AKS Automatic clusters have transitioned to a new billing model in alignment with the service moving from preview to General Availability. To learn more about Azure Kubernetes Service pricing, please visit the pricing page. As part of this transition, the following pricing updates have taken effect in supported regions:
    • Compute charges based on the duration and type of virtual machines used by AKS Automatic clusters.
    • A $0.16 cluster / hour hosted control plane fee.
  • Node Auto Provisioning is now supported in clusters using Disk Encryption Sets and Customer-Managed Keys. See our Customer Managed Keys documentation for more information.

Kubernetes Version

For deprecation and patch timelines by region, please check the AKS-Release-Tracker

Preview features

Behavioral Changes

  • Starting with API version 2026-01-01, AKS returns podCIDR and podCIDRs fields when networkPlugin=none, allowing customers to update their podCIDR to match their CNI configuration.
  • When using LocalDNS, AKS now rejects forwarding external domains to CoreDNS from vnetDNSOverrides to prevent DNS resolution issues.
  • AKS now enforces required subnet configuration for networking add-ons such as Application Gateway for Containers, which may cause cluster creation or upgrades to fail if add-on subnets are misconfigured or do not meet required constraints. See Application Gateway for Containers networking requirements.
  • AKS now returns a client error when virtual network encryption is used with API server VNet integration, as this configuration is not supported. See API server VNet integration limitations

Component Updates

  • AKS Azure Linux v2 image has been updated to 202512.06.0.
  • AKS Azure Linux v3 image has been updated to 202512.06.0.
  • AKS Ubuntu 22.04 node image has been updated to 202512.06.0.
  • AKS Ubuntu 24.04 node image has been updated to 202512.06.0.
  • Windows node images:
    • Server 2019 Gen1 – [17763.8146.251212](vhd-notes/A...

Release 2025-10-12

17 Oct 18:09
351c21e

Release Notes 2025-10-12

Monitor the release status by regions at AKS-Release-Tracker.

Announcements

  • Starting on 30 November 2025, AKS will no longer support or provide security updates for Azure Linux 2.0. Migrate to a supported Azure Linux version by upgrading your node pools to a supported Kubernetes version or migrating to osSku AzureLinux3. For more information, see [Retirement] Azure Linux 2.0 node pools on AKS.
  • Starting on 9 November 2025, AKS will remove all existing Ubuntu 18.04 VHDs. If you have existing Ubuntu 18.04 node pools, scaling operations will fail after this date.
  • If you are currently using Ubuntu 18.04 on AKS, please follow our instructions to upgrade your Kubernetes version to 1.25+ where Ubuntu 22.04 will be the default Ubuntu version.
  • If you are currently using Ubuntu 18.04 with the GPU image (preview) on AKS, please follow instructions to recreate your node pools with an alternative GPU method.
  • If you are currently using Ubuntu 18.04 with FIPS, please follow our instructions to upgrade your Kubernetes version to 1.27+ where Ubuntu 20.04 will be the default FIPS Ubuntu version.
  • AKS is now blocking creation of new clusters with Basic Load Balancer, which was retired on 30 September 2025.
  • Starting 19 October 2025, AKS Automatic clusters will transition to a new billing model in alignment with the service moving from preview to General Availability. To learn more about Azure Kubernetes Service pricing, please visit the pricing page. As part of this transition, the following pricing updates will take effect in supported regions:
    • Compute charges based on the duration and type of virtual machines used by AKS Automatic clusters will be applied on 19 October 2025.
    • A $0.16 cluster / hour hosted control plane fee will also begin rolling out across regions. For more information, see Pricing

Kubernetes Version

  • AKS Version 1.34 Preview is being rolled out to multiple regions and is expected to complete by early November.
  • AKS LTS (Long Term Support) patch versions are now available:

Preview features

Features

  • AKS now allows the use of unsupported GPU VM sizes after skipping GPU driver installation. If a GPU VM size is not in our list of supported VM sizes, we do not install the necessary GPU components or provide support. For more information, see Skip GPU drivers.
  • Envoy filters of all types are now allowed in the Istio add-on for AKS. While you can use them to customize traffic handling, issues caused by Envoy filters aren’t covered by Microsoft Support. Learn more at aka.ms/istio-add-on-envoy-filter.
  • Force Upgrade and override drain now support async validations for PDB-blocking evictions and can be used to bypass PDB restrictions. Requires Azure CLI 2.79.0+ or stable API version 2025-09-01+.

Behavioral Changes

  • Cluster Autoscaler will delete nodes that encounter provisioning errors/failures immediately, instead of waiting for the full max-node-provision-time defined in the cluster autoscaler profile. This change significantly reduces scale-up delays caused by failed node provisioning attempts.
  • AKS Automatic clusters can now only be created with the stable upgrade channel and the NodeImage Node OS upgrade channel. Existing clusters are not affected.
  • Node Auto Provisioning default AKSNodeClass will now use Ubuntu 22.04 for Kubernetes versions < 1.34 and Ubuntu 24.04 for Kubernetes versions 1.34+. This ensures consistency across AKS node image defaults. This does not affect existing clusters' default AKSNodeClass.
  • Deployment safeguards now allow an explicit allowlist of container images to mount hostpath volumes, including fluent-bit (mcr.microsoft.com/oss). Additional system namespaces like azappconfig-system, azureml, dapr-system, dataprotection-microsoft, flux-system, acstor, sc-system, and azure-extensions-usage-system are now excluded by default. This change is applicable to AKS Automatic clusters.
  • Starting with Kubernetes version 1.33, clusters using Azure CNI Powered by Cilium will include a new AKS-managed component named azure-iptables-monitor. This component is a sidecar container alongside the Cilium agent that will set labels on the Cilium node if a user iptables rule is detected.
  • Pod Subnet - Dynamic IP Allocation will SNAT Azure DNS traffic (168.63.129.16) using the node IP instead of the pod CIDR IP, aligning the behavior with Static Block Allocation.
  • AKS now automatically reimages all node pools in the cluster when you update the HTTP proxy configuration on your cluster using the az aks update command. You can use Pod Disruption Budgets (PDBs) to protect critical pods from disruption during reimage.
  • AKS now by default applies dynamic sizing logic for ama-logs and ama-metrics requests in production regions for AKS Automatic. This enhancement streamlines resource allocation, cost optimization, and scalability for monitoring workloads.
  • Customers in ussec and usnat regions will start using ama-logs managed identity mode when they create new clusters, providing enhanced functionality. Existing clusters are not impacted. This follows the deprecation announcement for legacy authentication mode.

Component Updates

  • High-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) have been addressed. These CVEs could allow container breakout if an attacker can run untrusted workloads. This impacts AKS clusters using Ubuntu and Azure Linux images with runc versions prior to 1.3.3. This fix does not cover Azure Linux 2.0 images; that image will reach end of life in November 2025, and backport efforts are underway. More information is available here.
  • AKS Azure Linux v2 image has been updated to 202510.03.0.
  • AKS Azure Linux v3 image has been updated to 202510.03.0.
  • AKS Ubuntu 22.04 node image has been updated to 202510.03.0.
  • AKS Ubuntu 24.04 node image has been updated to 202510.03.0.
  • Istio revision asm-1-27 is now available for the Istio-based service mesh add-on. Customers can follow canary upgrade guidance to adopt the new revision. Note that native sidecar mode is enabled by default starting asm-1-27. For full details, see the Istio 1.27 release notes and Native sidecar mode for Istio-based service mesh add-on.
  • Azure Policy Add-on has been upgraded to v1.14.2.
  • App Routing updated to version 0.2.10 with ingress-nginx bumped to v1.13.1 addressing CVE-2025-22874, CVE-2025-47906, and CVE-2025-47907.
  • Azure CNI and CNS have been updated to version 1.7.4.
  • Blob CSI Driver has been upgraded:
  • VPA (Vertical Pod Autoscaler) ...

Release 2025-09-21

26 Sep 00:31
b6ac949


Release Notes 2025-09-21

Monitor the release status by regions at AKS-Release-Tracker. This release is titled v20250921.

Announcements

  • AKS Kubernetes version 1.31 standard support will be deprecated by November 1, 2025. Upgrade your clusters to the 1.32 community version, or enable Long Term Support with 1.31 to stay on the same version. Refer to version support policy and upgrading a cluster for more information.
  • Revision asm-1-24 of the Istio add-on has been deprecated. Please migrate to a supported revision following the Istio add-on upgrade guide.
  • AKS Kubernetes version 1.34 is now available in preview. Refer to 1.34 Release Notes and upgrading a cluster for more information.
  • Starting on 30 November 2025, AKS will no longer support or provide security updates for Azure Linux 2.0. Migrate to a supported Azure Linux version by upgrading your node pools to a supported Kubernetes version or migrating to osSku AzureLinux3. For more information, see [Retirement] Azure Linux 2.0 node pools on AKS.
  • Security patch information for Ubuntu 24.04 is available in AKS-Release-Tracker.
  • Azure Kubernetes Service no longer supports the --skip-gpu-driver-install node pool tag to skip automatic driver installation. This node pool tag can no longer be used at AKS node pool creation time to install custom GPU drivers or use the GPU Operator. Alternatively, you should use the generally available gpu-driver API field to update your existing node pools or create new GPU-enabled node pools to skip automatic GPU driver installation.
  • AKS Automatic is generally available. Find the recording of the virtual launch event on YouTube.
  • Availability Sets are being retired on AKS on September 30, 2025. Any new attempts to create Availability Sets will be blocked as of September 30, 2025. Existing Availability Sets will remain functional after retirement but will be considered out of support. To migrate from Availability Sets, see the Availability Sets migration documentation.
  • The Basic Load Balancer is being retired on AKS on September 30, 2025. Any new attempts to create a Basic tier load balancer will be blocked. Existing Basic load balancers will remain functional after retirement but will be considered out of support. See the Basic load balancer migration documentation for more details on migration to the Standard load balancer.

Release notes

Features

  • API Server Vnet Integration is now available in East US region.
  • AKS Node Problem Detector (NPD) conducts GPU health monitoring to enable automatic detection and reporting of issues impacting select GPU-enabled VM sizes, and is now generally available.
  • Kubelet Serving Certificate Rotation (KSCR) is now enabled by default in Sovereign cloud regions. Existing node pools in these regions will have KSCR enabled by default when they perform their first upgrade to any Kubernetes version 1.27 or greater. Kubelet serving certificate rotation allows AKS to use kubelet server TLS bootstrapping for both bootstrapping and rotating serving certificates signed by the Cluster CA. See documentation for detailed instructions.
  • Node auto provisioning (NAP) now supports private clusters. See NAP documentation for more information.

Bug Fixes

  • Fixed an issue where KAITO workspace creation would fail on AKS Automatic because gpu-provisioner creates an agentPool. Non-node auto provisioning pools, such as agentPool, are now allowed to be added to AKS Automatic clusters.
  • Fixed a bug where ETag was not returned in ManagedClusters or AgentPools responses in API versions 2024-09-01 or newer, even though the API specification said it would be.

Behavioral Changes

  • Deployment Safeguards will stop enforcing readiness and liveness probes on the placeholder pods that Application Routing creates to mount synchronized secrets from Azure Key Vault.
  • AKS Automatic system pool needs to have at least 3 availability zones, ephemeral OS disk, and Azure Linux OS.
  • Starting with 20250902-preview API, the enableCustomCATrust field is removed. This field is not required when using the GA feature, and is only used by a deprecated version of the feature. When using Custom Certificate Authority, you no longer need to specify enableCustomCATrust. You can just add certificates to your cluster by specifying your text file for the --custom-ca-trust-certificates parameter. See documentation for detailed instructions.
  • Starting September 2025, new AKS clusters that use the AKS-managed virtual network option will place cluster subnets into private subnets by default (defaultOutboundAccess = false) in alignment with egress best practices. This setting does not impact AKS-managed cluster traffic, which uses explicitly configured outbound paths. It may affect unsupported scenarios, such as deploying other resources (e.g., VMs) into the same subnet. Clusters using BYO VNets are unaffected by this change. In supported configurations, no action is required.
  • For Pod Sandboxing, kata-mshv-vm-isolation will be replaced with kata-vm-isolation while the --workload-runtime used when creating a cluster will be changed from KataMshvVmIsolation to KataVmIsolation. Make sure you use the correct name when creating Pod Sandboxing clusters.
  • Cluster Autoscaler will delete nodes that encounter provisioning errors/failures immediately, instead of waiting for the full max-node-provision-time defined in the cluster autoscaler profile. This change significantly reduces scale-up delays caused by failed node provisioning attempts.
  • In ingress-nginx managed via the application routing add-on, the metric ingress_upstream_latency_seconds has been removed following its deprecation upstream.

Component Updates


Release 2025-08-29

02 Sep 20:46
f27d81c


Release 2025-08-29

Monitor the release status by regions at AKS-Release-Tracker. This release is titled v20250829.

Announcements

  • AKS Automatic is now generally available. AKS Automatic is based on three key pillars: production-ready by default, integrated best practices and safeguards, and code to Kubernetes in minutes. Sign up to watch the AKS Automatic Virtual Launch on September 16th from 8:00 AM - 12:00 PM (UTC-07:00).
    • New Automatic cluster creation is only allowed in API Server Vnet Integration GA supported regions. Migrating from SKU: "Base" to SKU: "Automatic" is only allowed in API Server Vnet Integration GA supported regions. Operations on existing Automatic clusters will not be blocked even if the cluster is not in API Server Vnet Integration GA supported regions.
  • AKS patch versions 1.33.3, 1.32.7, and 1.30.11 are now available. Refer to version support policy and upgrading a cluster for more information.
  • Istio-based service mesh add-on is now compatible with AKS Long Term Support (LTS) for Istio revisions asm-1-25+ and AKS versions 1.28+. Please note that not every Istio revision will be compatible with every AKS LTS version. It is recommended to review the Istio add-on support policy for an overview of this feature's support.
  • API Server Vnet Integration is now available in the following additional regions: centralus, austriaeast, chilecentral, denmarkeast, israelnorthwest, malaysiawest, southcentralus2, southeastus3, southeastus5, southwestus, and usgovtexas. For the latest list of supported regions, see the API Server VNet Integration documentation.
  • Kubernetes version 1.30 is now officially End of Life. Please upgrade to version 1.31. If you require version 1.30, switch to AKS Long Term Support (LTS).
  • The Security Patch tab under AKS-Release-Tracker now provides information for Azure Linux v3. This provides real-time information on the security patch contents and the timestamp of the actual release.

Release notes

Features

Bug Fixes

  • Fixed a bug where ETag was not returned in ManagedClusters or AgentPools responses in API versions 2024-09-01 or newer, even though the API specification said it would be.
  • Fixed cluster autoscaler bug 7694 in Kubernetes version 1.31+, where the "DeletionCandidateOfClusterAutoscaler" taint would persist on some of the remaining nodes after scale-down. This incorrect tainting prevented new pods from being scheduled on those nodes.

Behavioral Changes

  • All AKS Automatic clusters, and AKS Standard clusters that enabled Deployment Safeguards via the safeguardsProfile, will now have a new Microsoft.ContainerService/deploymentSafeguards sub-resource created under managedClusters. See Use Deployment Safeguards for more information.
  • Disallow adding non-Node auto provisioning pools to AKS Automatic clusters. There is no effect on existing Automatic Clusters that have non-Node auto provisioning pools.
  • A new runtimeClassName, kata-vm-isolation, has been added for Pod Sandboxing in preparation for deprecating the old kata-mshv-vm-isolation name. Users can continue using the original name for the time being.
  • Starting with Kubernetes version 1.34, all AKS Automatic clusters will include a new AKS-managed component named Cluster Health Monitor within the kube-system namespace. This component is designed to collect metrics related to the cluster’s control plane and AKS-managed components, helping ensure these services are operating as expected and improving overall observability.

Component Updates


Release 2025-08-08

12 Aug 21:38
b5421d8


Release 2025-08-08

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250808.

Announcements

  • Starting in September 2025, AKS will start rolling out a change to enable a managed clusters quota for all current and new AKS customers. This rollout is expected to take place between 1-30 September 2025. AKS quota is the maximum number of managed clusters (AKS clusters) that an Azure subscription can create per region. Once the managed clusters quota is released, customers will need both managed clusters quota and node quota (VM SKUs) to create an AKS cluster. Existing AKS customer subscriptions will be given a default limit at or above their current usage, depending on the available regional capacity. Existing subscriptions using AKS for the first time and new subscriptions will be given a default limit. Customers can view quota limits and usage and request additional quota in the Azure portal Quotas blade or by using the Quotas REST API. Before the rollout is complete, quota limits and usage may be visible in the Azure portal on the Quotas blade, and customers will be able to request quota; however, limits won’t be enforced in every region until 1 October 2025. More information on the default limits for new subscriptions is available in documentation here.
  • AKS Kubernetes patch versions 1.33.2, 1.32.6, 1.31.10, 1.30.13, 1.30.14 include a critical security fix for CVE-2025-4563 where nodes can bypass dynamic resource allocation authorization checks. This vulnerability affects the NodeRestriction admission controller when the DynamicResourceAllocation feature gate is enabled. Upgrade your clusters to these patched versions or above. Refer to version support policy and upgrading a cluster for more information.
  • Kubernetes CIS benchmark results and recommendations have been updated to CIS Kubernetes V1.27 Benchmark v1.11.1. The results are applicable to AKS 1.29.x through AKS 1.32.x.
  • AKS long term support now fully supports KEDA.
  • Kubelet serving certificate rotation is now enabled in all public cloud regions. For more information on kubelet serving certificate rotation and how to disable it, refer to the documentation. Sovereign cloud rollout will begin on 18 August 2025. For rollout updates and questions, see AKS GitHub Issues.

Release notes

Features

Preview Features

Bug Fixes

Behavior Changes

  • To let add-ons that require Microsoft Entra ID authentication use workload identity while IMDS restriction is enabled, you must now also enable the OIDC issuer.
  • For the Istio-based service mesh add-on for AKS, partial updates to serviceMeshProfile in the AKS managedClusters API now support empty revision lists. If no revisions are specified, the system will use existing revision values instead of returning an error.

Component Updates
