github Azure/AKS 2025-03-16
Release 2025-03-16


Monitor the release status by region in the AKS Release Tracker. This release is titled v20250316.

Announcements

  • Starting in April 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
  • The rollout of AKS Kubernetes version 1.32 has been delayed and is now expected to reach all regions on or before the end of April. Use the az aks get-versions command to check whether Kubernetes version 1.32 is available in your region.
  • AKS Kubernetes version 1.28 will be the next Long Term Support version.
  • You can now switch non-LTS clusters on Kubernetes versions 1.25 onwards and within 3 versions of the current LTS versions to LTS by switching their tier to Premium.
  • On 31 March 2025, AKS will no longer allow new cluster creation with the Basic Load Balancer. On 30 September 2025, the Basic Load Balancer will be retired. We will be posting updates on migration paths to the Standard Load Balancer. See AKS Basic LB Migration Issue for updates on when a simplified upgrade path is available. Refer to Basic Load Balancer Deprecation Update for more information.
  • The asm-1-22 revision for the Istio-based service mesh add-on has been deprecated. Migrate to a supported revision following the AKS Istio upgrade guide.
  • The pod security policy feature was retired on 1st August 2023 and removed from AKS versions 1.25 and higher. The PodSecurityPolicy property will be officially removed from the AKS API starting from 2025-03-01.
  • Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions and scaling restrictions, and to remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
  • Starting on 17 March 2027, AKS will no longer create new node images for Ubuntu 20.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions and scaling restrictions, and to remain supported, please follow our instructions to upgrade to Kubernetes version 1.34+ by the retirement date.

Release Notes

  • Features:

  • Preview Features:

    • You can use the EnableCiliumNodeSubnet feature in preview to create Cilium node subnet clusters using Azure CNI Powered by Cilium.
    • Control plane metrics are now available through Azure Monitor platform metrics in preview to monitor critical control plane components such as API server and etcd.
  • Bug Fixes:

    • Fixed an issue with the retina-agent volume to restrict access to only the /var/run/cilium directory. Currently retina-agent mounts /var/run from the host directory. This is a potential issue because it can overwrite data in the directory.
    • Fixed an issue where SSHAccess was being reset to the default value enabled on partial PUT requests for managedCluster.AgentPoolProfile.SecurityProfile without specifying SSHAccess.
    • Fixed an issue where Node Auto Provisioning (Karpenter) failed to properly apply the kubernetes.azure.com/azure-cni-overlay=true label to nodes which resulted in failure to assign pod IPs in some cases.
    • Fixed an issue where calico-typha could be scheduled on virtual-kubelet due to overly permissive tolerations. Tolerations are now properly restricted to prevent incorrect scheduling. Check this GitHub Issue for more details.
    • Fixed an issue in Hubble-Relay scheduling behavior to prevent deployment on cordoned nodes, allowing the cluster autoscaler to properly scale down nodes.
    • Fixed an issue where pods could get stuck in ContainerCreating during Cilium+NodeSubnet to Cilium+Overlay upgrades by ensuring the original network configuration is retained on existing nodes.
    • Fixed an issue where priority class isn't set on the Custom CA Trust DaemonSet. This change ensures that the DaemonSet will not be evicted first in case of node pressure.
    • Fixed an issue where policy enforcements through Azure Policy addon were interrupted during cluster scaling or upgrade operations due to a missing Pod Disruption Budget (PDB) for the Gatekeeper webhook pods.
  • Behavior Changes:

    • AI toolchain operator add-on has switched from using the Machine CRD to NodeClaim CRD, introducing a change in the experience to clean up resources after a KAITO workspace is deleted. Note that existing workspaces and GPU nodes provisioned by the add-on remain unaffected. Please refer to the updated AKS guidance for deletion of resources provisioned in old workspaces.
    • AKS will now enforce the limit of 10 unique CAs added to the node's trust store when using Custom Certificate Authority.
    • The maxSurge value now defaults to 10% for all new and existing clusters with Kubernetes versions >= 1.32.0.
    • Starting with Kubernetes 1.32, all Azure CNI NodeSubnet clusters will have the CNI installed via the Azure CNS DaemonSet instead of during node provisioning.
    • AKS now validates Istio custom resources that do not have the istio.io/rev label set.
    • When creating an Azure Container Registry (ACR) cache rule to cache Microsoft Container Registry (MCR) container images in the private ACR, the required cache rule should be changed from /* to aks-managed-repository/*.
    • When creating a network isolated cluster with a managed private Azure Container Registry (ACR), the registry will now have anonymous pull access set to false.
  • Component Updates:

    • Istio revision asm-1-24 is now available with Istio-based service mesh add-on. Please refer to Istio's release announcement for a full list of changes. Note that this release removes the deprecated istio.io/gateway-name label, please use gateway.networking.k8s.io/gateway-name label instead.
    • Update Azure Disk CSI driver to v1.31.5 on AKS 1.31, v1.30.9 on AKS 1.30.
    • Update Azure File CSI driver to v1.31.4 on AKS 1.31, v1.30.8 on AKS 1.30.
    • Update Azure Blob CSI driver to v1.25.3 on AKS 1.31, v1.24.7 on AKS 1.30.
    • Update AI toolchain operator add-on (preview) to KAITO v0.4.4.
    • Update Cilium to v1.17.0 for AKS clusters >= 1.32.0.
    • Update Azure Monitor Container Insights image to v3.1.26.
    • Update Azure Monitor metrics image to v6.15.0 for all AKS cluster versions addressing CVE-2024-45338.
    • Update Credential Provider to v1.32.3, v1.30.10, v1.31.4, and v1.32.3.
    • Update Cloud Controller Manager v1.32.3, v1.30.10, v1.31.4, and v1.32.3.
    • Update the Application Gateway Ingress Controller add-on to v1.8.0, adding support for CNI Overlay.
    • The windows-gmsa-webhook-image version has been bumped to v0.12.1 (https://github.com/kubernetes-sigs/windows-gmsa/releases/tag/v0.12.1) to address security vulnerabilities. There is no functionality change between v0.10.0 and v1.21.1.
    • Update Calico to v3.28.3, TigeraOperator to v1.34.8, Calico to v3.29.2, and TigeraOperator to v1.36.5, addressing security vulnerabilities including CVE-2024-45337 and CVE-2024-45338.
    • Update Node Auto Provisioning to use Karpenter v0.7.3.
    • Update defender-admission-controller version from 20250212.3 to 20250304.1 to address CVE-2024-56138 and CVE-2024-45339.
    • Revert CoreDNS to v1.11.3-6 for AKS clusters on version 1.32+ due to an upstream regression in v1.12.0. This version of CoreDNS is built using go version 1.23.3, OS family=azurelinux, version=3.0, and has no CVEs reported.
    • Update the azure-ip-masq-agent DaemonSet to use the ip-masq-v2 image addressing CVE-2024-5535 and CVE-2024-9143.
    • Update NPM image tag to v1.5.44 to resolve CVEs in the Ubuntu base image, including CVE-2025-0395, CVE-2024-12133, CVE-2024-12243, CVE-2024-13176, CVE-2024-9143, CVE-2024-45336, CVE-2024-45341, and CVE-2025-22866.
    • Update Azure Policy add-on to v1.10.0 which uses gatekeeper v3.18.2.
    • AKS Azure Linux v2 image has been updated to 202503.13.0.
    • AKS Ubuntu 22.04 node image has been updated to 202503.13.0.
    • AKS Ubuntu 24.04 node image has been updated to 202503.13.0.
    • AKS Windows Server 2019 image has been updated to 17763.7009.250316.
    • AKS Windows Server 2022 image has been updated to 20348.3328.250314.
    • AKS Windows Server 23H2 image has been updated to 25398.1486.250314.
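
The calico-typha bug fix listed above turns on how tolerations are matched against node taints. The following Python example is added here and is not AKS or Calico code: it applies the Kubernetes toleration-matching rules to two constructed pod specs. The toleration lists and the virtual-kubelet.io/provider=azure:NoSchedule taint used for the virtual node are assumptions for illustration.

```python
# Added example: Kubernetes toleration/taint matching, used to audit a pod spec.
# All specs below are constructed samples, not the real calico-typha manifest.

# Assumed taint on a virtual-kubelet (virtual node) in the cluster.
VK_TAINT = {"key": "virtual-kubelet.io/provider", "value": "azure",
            "effect": "NoSchedule"}

def tolerates(tol, taint):
    """Return True if one toleration matches one taint."""
    # An empty effect on the toleration matches every taint effect.
    if tol.get("effect") and tol["effect"] != taint["effect"]:
        return False
    op = tol.get("operator", "Equal")
    key = tol.get("key", "")
    if not key:
        # An empty key is only valid with Exists and matches every taint key.
        return op == "Exists"
    if key != taint["key"]:
        return False
    if op == "Exists":
        return True
    return tol.get("value", "") == taint.get("value", "")

def can_schedule_on(pod_spec, node_taints):
    """A pod fits only if every NoSchedule/NoExecute taint is tolerated."""
    tols = pod_spec.get("tolerations", [])
    blocking = [t for t in node_taints
                if t["effect"] in ("NoSchedule", "NoExecute")]
    return all(any(tolerates(tol, t) for tol in tols) for t in blocking)

def wildcard_tolerations(pod_spec):
    """List tolerations that match any taint key (the overly permissive shape)."""
    return [t for t in pod_spec.get("tolerations", [])
            if not t.get("key") and t.get("operator") == "Exists"]

# Constructed "before": blanket tolerations match any taint, virtual nodes included.
PERMISSIVE = {"tolerations": [{"operator": "Exists", "effect": "NoSchedule"},
                              {"operator": "Exists", "effect": "NoExecute"}]}
# Constructed "after": only explicitly named taints are tolerated.
RESTRICTED = {"tolerations": [
    {"key": "CriticalAddonsOnly", "operator": "Exists"},
    {"key": "node-role.kubernetes.io/control-plane", "operator": "Exists",
     "effect": "NoSchedule"}]}

if __name__ == "__main__":
    for name, spec in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, "fits virtual-kubelet node:", can_schedule_on(spec, [VK_TAINT]),
              "| wildcard tolerations:", len(wildcard_tolerations(spec)))
```

The same wildcard_tolerations check can be run over the tolerations of any workload that must stay off virtual nodes.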
