Azure/AKS 2024-02-07

Release 2024-02-07

on GitHub

Release 2024-02-07

Monitor the release status by regions at AKS-Release-Tracker.

Announcements

• Starting in March, due to Gatekeeper Upstream removing validation for constraint template contents at create/update time, the Azure Policy addon will now no longer support the validation for constraint template. The Azure Policy Add-On will report ‘InvalidConstraint/Template’ compliance reason code for detected errors after constraint template admission. This change does not impact other compliance reason codes. Customers are encouraged to continue to follow best practices when updating Azure Policy for Kubernetes definitions (i.e. Gator CLI).
• Starting with Kubernetes 1.29, the default cgroups implementation on Azure Linux AKS nodes will be cgroupsv2. Older versions of Java, .NET and NodeJS do not support memory querying v2 memory constraints and this will lead to out of memory (OOM) issues for workloads. Please test your applications for cgroupsv2 compliance, and read the FAQ for cgroupsv2.
• All current AKS API versions silently ignore unknown fields. An unknown field is a field that isn't part of the AKS API. AKS API version 2024-01-01, 2024-01-02-preview and all subsequent API versions will change this behavior. Unknown fields in a request will result in the request being rejected with an error stating that the unknown field is not understood. This change only impacts new API versions and won't impact you unless you update to use an API version 2024-01-01 or later. Existing API calls (via Azure Resource Manager templates or otherwise) will continue to function as-is.

Release notes

• Features

  • Planned Maintenance and node-image upgrade channel are available in Azure Portal.
  • Associate capacity reservation groups to node pools is now generally available.
  • Ability to set a node soak duration during upgrade for node pools is now generally available.

• Preview features

  • AKS 1.29.0 is in preview.
  • Control Plane Metrics (API server, ETCD, Cluster Autoscaler, etc) for AKS now available in preview on Azure Monitor managed service for Prometheus.

• Bug Fixes

  • Enable HonorPVReclaimPolicy for CSI drivers on AKS 1.27+ to align with upstream behavior.
  • Node Auto Provision can now be enabled when aadProfiles, including ServerAppID, ClientAppID, ServerAppSecret, are being set.

• Behavioral Change

  • Update the Agentpool Profile protocol to include the new PodIPAllocationMode property.

• Component Updates

  • Istio-based service mesh add-on's istiod and ingress images updated to 1.18.7-hotfix.20240210 and 1.19.7 for asm-1-18 and asm-1-19 respectively. User needs to restart the workload pods to trigger re-injection of the newer patch version of istio-proxy. Vulnerabilities CVE-2024-23322, CVE-2024-23323, CVE-2024-23324, CVE-2024-23325, and CVE-2024-23327 have been addressed in these patch versions. More information can be found here.
  • For the cloud-provider-node-manager-windows component, the following versions have been updated:
    • v1.29.0 for >=1.29.0 version
    • v1.28.5 for >=1.28.0 version
    • v1.27.13 for >=1.27.0 version
    • v1.26.19 for >=1.26.0 version
    • v1.25.24 for >=1.25.0 version
  • Upgraded konnectivity-agent image version from v0.0.33-hotfix.20221110 to to v0.1.6-hotfix.20240116.
  • Upgraded Cilium to v1.13.10 for kubernetes v1.28.0+.
  • Upgraded Tigera Operator to v1.30.7, azurefile-csi-driver to v1.29.3, and Microsoft Defender for Cloud Low Level Collector to v.2.0.0 starting with Kubernetes v1.29 preview.
    • Calico v3.26.3 is installed when using Tigera Operator v1.30.7.
    • Microsoft Defender for Cloud Low Level Collector v.2.0.0 includes a new process collection engine, optimized and reduced CPU & Memory usage.
  • Upgraded Network Observability (Retina) to v0.1.3 with minor bug fixes.
  • Upgraded gatekeeper to v3.14.0 and policy addon v1.3.0
    • Azure Policy Changes
      • Introduces error state for policies in error, enabling them to be distinguished from policies in noncompliant states.
      • Adds support for v1 constraint templates and use of the excludedNamespaces parameter in mutation policies.
      • Adds an error status check on constraint templates post-installation.
  • Upgraded container insights agent to v3.1.17.
  • Upgraded Microsoft Defender for Cloud Security Publisher to 1.0.78 with improved logging, fixed a small bug related to cgroupv2.
  • Azure Linux image has been updated to Azure Linux - 202402.07.0.
  • AKS Ubuntu 22.04 image has been updated to AKSUbuntu-2204-202402.07.0.
  • Azure Windows 2019 Image has been updated to Azure Windows 2019 - 17763.5329.240202.
  • Azure Windows 2022 Image has been updated to Azure Windows 2022 - 20348.2227.240202.