Azure/AKS 2025-04-06

Release 2025-04-06

on GitHub

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250406.

Announcements

• Starting in May 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
• AKS Kubernetes version 1.32 roll out has been delayed and is now expected to reach all regions on or before the end of April. Please use the az-aks-get-versions command to accurately capture if Kubernetes version 1.32 is available in your region.
• Kubernetes version 1.28 will become an additional Long Term Support (LTS) version in AKS, alongside existing LTS versions 1.27 and 1.30.
• You can now switch non-LTS clusters on Kubernetes versions 1.25 onwards and within 3 versions of the current LTS versions to LTS by switching their tier to Premium.
• As of 31 March 2025, AKS no longer allows new cluster creation with the Basic Load Balancer. On 30 September 2025, the Basic Load Balancer will be retired. We will be posting updates on migration paths to the Standard Load Balancer. See AKS Basic LB Migration Issue for updates on when a simplified upgrade path is available. Refer to Basic Load Balancer Deprecation Update for more information.
• The asm-1-22 revision for the Istio-based service mesh add-on has been deprecated. Migrate to a supported revision following the AKS Istio upgrade guide.
• The pod security policy feature was retired on 1st August 2023 and removed from AKS versions 1.25 and higher. PodSecurityPolicy property will be officially removed from AKS API starting from 2025-03-01.
• Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
• Starting on 17 March 2027, AKS will no longer create new node images for Ubuntu 20.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to Kubernetes version 1.34+ by the retirement date.
• HTTP Application Routing (preview) has been retired as of March 3, 2025 and AKS will start to block new cluster creation with HTTP App routing enabled. Affected clusters must migrate to the generally available Application Routing add-on prior to that date.
• Customers with nodepools using Standard_NC24rsv3 VM sizes should resize or deallocate those VMs. Microsoft will deallocate remaining Standard_NC24rsv3 VMs in the coming weeks.

Release Notes

• Features:

  • AKS Security Bulletin and AKS CVE Mitigation Status are now available to track Security and CVE mitigations
  • Azure Portal will now show you Deployment Recommendations based on available capacity of virtual machines
  • Microsoft Copilot in Azure, including AKS is now generally available
  • AKS cost recommendations in Azure Advisor is Generally Available
  • Kubernetes 1.32 is now Generally Available
  • AKS Kubernetes patch versions 1.31.7, 1.30.11, 1.29.15 to resolve CVE-2025-0426
  • You can now enable Federal Information Process Standard (FIPS) when using Arm64 VM SKUs in Azure Linux 3.0 node pools in Kubernetes version 1.31+.
  • Enable Pod Sandboxing Confidential mounts for Azure File CSI driver on AKS 1.32

• The Azure Portal now offers Deployment Recommendations proactively if there are capacity constraints on the selected node pool sku, zone, and region when creating a new AKS cluster.

• Behavior Changes:

  • Add node anti-affinity for FIPS-compliant nodes to prevent scheduling of retina-agent pods to stop CrashLoopBackOff on FIPS-enabled nodes whilst fix for Retina + FIPS is being rolled out.
  • Increased tofqdns-endpoint-max-ip-per-hostname from 50 to 1000 and tofqdns-min-ttl from 0 to 3600 in Azure Cilium for better handling of large DNS responses and reduce DNS query load.
  • Konnectivity agent will now scale based on cluster node count.

• Component Updates:

  • Cost Analysis add-on updated to v0.0.22 to fix CVE-2025-22866
  • Updated ip-masq-agent updated to 0.1.15-2 to address CVE-2024-45338
  • Application routing add-on updated to v0.2.1-patch-8 for Kubernetes below 1.30 and to v0.2.3-patch-6 for Kubernetes 1.30+. This updates ingress-nginx to v1.11.5 to fix CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514.
  • Coredns 1.12.0 introduced a breaking change which was used in 1.32 AKS clusters. After the issue was discovered, Coredns was updated to v1.11.3-6 for 1.32 AKS clusters which does not contain the breaking change. Coredns upstream reverted the breaking change in v1.12.1. and AKS clusters on 1.33+ version will use coredns v1.12.1-1 (which does not contain the breaking change).
  • KEDA 2.16 is now supported on AKS 1.32. KEDA 2.15 and KEDA 2.14 introduced multiple breaking changes. View the troubleshooting guide to learn how to mitigate these breaking changes.
  • Updated NPM to v1.5.45 to resolve CVE-2025-22870
  • Cilium updated to v1.17 so that L7 policy (http, kafka etc) can now be applied to a cluster when advancedNetworkPolicies is set.
  • Windows GPU Device plugin updated to 0.0.17 to resolve CVE-2025-22870.
  • Egress gateway updated to 0.019
  • Eraser updated to v1.4.0-2 for Image Cleaner
  • Retina updated to v0.0.29 on Linux and Windows.
  • Cluster Autoscaler updated to 1.29.5, 1.30.3, 1.31.1.
  • Updated Istio-based service mesh add-on revision asm-1-23 to patch v1.23.5 and v1.24.3.
  • Azure File & Disk CSI driver updated to v1.29.14, v1.30.10, v1.31.6 & v1.32.1
  • Azure Blob CSI driver updated to v1.25.5 on AKS 1.31 & v1.26.2 on AKS 1.32
  • AKS Azure Linux v2 image has been updated to 202504.06.0.
  • AKS Azure Linux v3 image has been updated to 202504.06.0.
  • AKS Ubuntu 22.04 node image has been updated to 202504.06.0.
  • AKS Ubuntu 24.04 node image has been updated to 202504.06.00.