Release 2025-01-06
Monitor the release status by regions at AKS-Release-Tracker. This release is titled v20250106.
Announcements
- AKS Kubernetes version 1.28 is deprecated by Jan 30, 2025. Kindly upgrade your clusters to 1.29 version or above. Refer to version support policy and upgrading a cluster for more information.
Release Notes
Features:
- AKS Kubernetes version 1.31 is now in GA.
- AKS Kubernetes patch versions 1.29.11, 1.30.7, 1.31.2, and 1.31.3 are now available.
- AKS LTS version 1.27.101 has been available in all regions since December 2024. This patches the kubelet CVE-2024-10220.
- Advanced Container Networking Service (ACNS) is Generally Available.
Preview features:
- SeccompDefault is now an available parameter in custom node configuration. For more information on enabling seccomp profiles, see Secure container access to resources.
Behavior change:
- Invalid values sent to the Azure AKS API for the properties.mode field of AKS AgentPools will now be rejected. Prior to this change, unknown modes were assumed to be User. The only valid values for this field are the (case-sensitive) strings: "User", "System", or "Gateway".
- AKS no longer supports the GPU image (preview) to provision GPU-enabled AKS nodes. Alternative options that are supported today and recommended by AKS include the default experience with manual NVIDIA device plugin installation or the NVIDIA GPU Operator, detailed in AKS GPU node pool documentation.
- Kubernetes version 1.32 is the last version that supports Windows Server 2019. You will not be able to create new or upgrade existing Windows Server 2019 node pools in AKS versions 1.33+. Follow the detailed steps in AKS documentation to transition to Windows Server 2022 or any newly supported Windows Server version by that date. After 1 March 2026, Windows Server 2019 won't be supported.
- A new API throttling limit has been added to the PutManagedCluster API for AKS. Please see AKS resource provider throttling limits for more details.
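An added pre-deployment check for the properties.mode change above (not AKS code): it scans an ARM template for agent pool modes that the API now rejects instead of treating as User. The sample template, the function names and the finding labels are constructed for illustration; only top-level resources are inspected, and an omitted mode is assumed to be outside the scope of this change.

```python
# Constructed example: lint AKS agent pool modes in an ARM template before deployment.
VALID_MODES = {"User", "System", "Gateway"}  # case-sensitive, per the release note

def iter_pools(template):
    """Yield (location, pool settings) for each agent pool in top-level resources."""
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        name = res.get("name", "?")
        props = res.get("properties", {})
        if rtype == "microsoft.containerservice/managedclusters":
            for pool in props.get("agentPoolProfiles", []):
                yield f"{name}/agentPoolProfiles[{pool.get('name', '?')}]", pool
        elif rtype == "microsoft.containerservice/managedclusters/agentpools":
            yield name, props  # standalone pool: mode lives at properties.mode

def check_modes(template):
    """Return (location, value, reason) for every mode that is not valid as written."""
    findings = []
    for where, pool in iter_pools(template):
        mode = pool.get("mode")
        if mode is None:
            continue  # assumption: an omitted mode is not covered by this change
        if not isinstance(mode, str):
            reason = "unknown"
        elif mode in VALID_MODES:
            continue
        elif mode.startswith("[") and mode.endswith("]"):
            reason = "unresolved-expression"  # ARM expression: check the supplied value
        elif mode.capitalize() in VALID_MODES:
            reason = "wrong-case"  # e.g. "user" is not "User"
        else:
            reason = "unknown"
        findings.append((where, mode, reason))
    return findings

# Constructed sample template (names and values are illustrative only).
SAMPLE = {"resources": [
    {"type": "Microsoft.ContainerService/managedClusters", "name": "demo-aks",
     "properties": {"agentPoolProfiles": [
         {"name": "sys", "mode": "System"},
         {"name": "apps", "mode": "user"},
         {"name": "batch", "mode": "Spot"}]}},
    {"type": "Microsoft.ContainerService/managedClusters/agentPools",
     "name": "demo-aks/gw", "properties": {"mode": "[parameters('poolMode')]"}},
    {"type": "Microsoft.ContainerService/managedClusters/agentPools",
     "name": "demo-aks/nomode", "properties": {"vmSize": "Standard_D4s_v5"}},
]}

if __name__ == "__main__":
    for finding in check_modes(SAMPLE):
        print(*finding, sep="\t")
```
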
Bug Fix:
- GPU bootstrapping issue impacting GPU provisioning with Node Auto Provision has been fixed. Refer to the GitHub issue for more details.
- Fixed an issue in v1.31 where Cluster Autoscaler did not respond to external changes in the node count of Spot VMSS-based node pools (e.g., evictions), leading to scale-up failures. Refer to GitHub Issue 7373 for more details.
- Resolved an issue where querying a VM that had been deleted returned a NotFound error message, leaving the NodeClaim stuck in the notReady state and preventing the NodeClaim from being deleted.
- Fixed the Windows node CNS pod restart issue (see GitHub issue) observed in clusters running AKS Kubernetes version v1.27+.
Component updates:
- Tigera operator image version has been bumped to v1.34.7 with this release, for clusters running Kubernetes version (and including) v1.30.0. This patches the following CVEs detected in the Tigera operator: CVE-2021-3999, CVE-2020-1751, CVE-2019-19126, CVE-2021-35942, CVE-2020-1752, CVE-2020-10029, CVE-2019-9169, CVE-2020-6096, CVE-2021-38604, CVE-2018-19591, CVE-2018-20796, CVE-2019-9192, CVE-2021-3326, CVE-2019-6488, CVE-2016-10739, CVE-2019-7309, CVE-2022-23219, CVE-2022-23218, CVE-2019-25013, CVE-2020-27618.
- Azure Disks CSI driver version has been bumped to v1.30.6 for AKS clusters running AKS Kubernetes version +v1.30. This patches the following CVEs: CVE-2024-51744, CVE-2024-50602, CVE-2024-9143, CVE-2019-11255.
- Azure CNI version has been bumped from v1.4.56 to v1.4.58. This patches the CVEs in the grpc 1.52.0 dependencies: CVE-2023-2976, CVE-2020-8908.
- Cilium container image version bumped to v1.14.15-241024 for AKS clusters running k8s version greater than v1.29.
- AKS Azure Linux v2 image has been updated to 202501.12.0
- AKS Azure Linux v3 image has been updated to 202501.05.0
- AKS Ubuntu 22.04 node image has been updated to 202501.12.0
- AKS Windows Server 2022 image has been updated to v20348.2966.241218
- AKS Windows Server 2019 image has been updated to 17763.6659.241226
- AKS Windows Server 23H2 image has been updated to 25398.1308.241226
- App routing operator updated to 0.2.1-patch-6 for K8s < 1.30, which upgrades external-dns to version 0.15.0, fixing a number of CVEs (CVE-2023-39325, GHSA-m425-mq94-257g, CVE-2024-24790, CVE-2023-39325, CVE-2023-45283, CVE-2023-45288, CVE-2024-34156).
- App routing operator updated to 0.2.3-patch-3 for K8s +1.30 which fixes an issue where Open Service Mesh would not reload correctly on Nginx deployment updates. The Prometheus metrics endpoint has now been moved to a separate Service called nginx-metrics behind a ClusterIP. Prometheus scraping will continue to work as expected.
- Cost-analysis-agent image upgraded from v0.0.18 to v0.0.19. This upgrades the golang-jwt dependency in cost-analysis-agent to patch CVE-2024-51744.
- Prometheus collector for Azure Monitor managed service for Prometheus addon version bumped from 6.10.1-main-10-04-2024-77dcfe3d to 6.11.0-main-10-21-2024-91ec49e3. This fixes a bug where the minimal ingestion profile keep list was not being honored.
- Application Gateway ingress controller addon version bumped from 1.7.4 to 1.7.6 for clusters with AKS Kubernetes version greater than or equal to 1.27. Please find more details here.
- Retina enterprise and operator image version bumped to v0.1.3. This resolves the following CVEs: CVE-2024-37307, CVE-2024-42486, CVE-2024-42487, CVE-2024-42488, CVE-2024-47825, and CVE-2023-45288. It also includes changes for high-level filtering of some metric labels. This results in less irrelevant metric collection, which can affect clusters at a large scale.
- Retina basic image version bumped to v0.0.17, which patches the following CVEs: CVE-2024-37307, CVE-2024-42486, CVE-2024-42487, CVE-2024-42488, CVE-2024-47825, and CVE-2023-45288. It also includes changes for high-level filtering of some metric labels. This results in less irrelevant metric collection, which can affect clusters at a large scale.
- NPM image version bumped to v1.5.39 to fix potential connectivity issues for clusters with "azure" network policy manager on nodes with a high scale of iptables rules, and to patch CVE-2024-34155, CVE-2024-34156, and CVE-2024-34158.
- Istio-based service mesh add-on revision asm-1-23 has been upgraded to patch v1.23.4, revision asm-1-22 has been upgraded to patch v1.22.7, and revision asm-1-22 has been upgraded to patch v1.22.3. Users can restart the workload pods to trigger re-injection of the newer patch version of istio-proxy. More information can be found here. Vulnerabilities CVE-2024-41110 and CVE-2024-53271 have been addressed in patch versions 1.23.4 and 1.22.7.