Azure/AKS 2025-04-27

Release 2025-04-27

on GitHub

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250427.

Announcements

• AKS supported Kubernetes version release updates are now available in AKS Release Tracker. You can check current in-support Kubernetes versions and LTS versions for specific region and track new patches version release progress with Release Tracker.
• Customers using AzureLinux 2.0 should migrate to Azure Linux 3.0 before November 2025. For details on how to migrate from Azure Linux 2.0 to Azure Linux 3.0, see this doc. AKS is currently working on a feature to allow for migrations between Azure Linux 2.0 and Azure Linux 3.0 through a node pool update command. For updates on feature progress and availability, see Github issue.
• AKS now requires a minimum of 2GBs of memory for the SKU for all user nodepools. To learn more, see aka.ms/aks/restrictedSKUs.
• Starting on 5 May, 2025, WebAssembly System Interface (WASI) node pools will no longer be retired. You can no longer create WASI (preview) node pools, and existing WASI node pools will be unsupported.
• Starting in June 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
• As of 31 March 2025, AKS no longer allows new cluster creation with the Basic Load Balancer. On 30 September 2025, the Basic Load Balancer will be retired. We will be posting updates on migration paths to the Standard Load Balancer. See AKS Basic LB Migration Issue for updates on when a simplified upgrade path is available. Refer to Basic Load Balancer Deprecation Update for more information.
• The asm-1-22 revision for the Istio-based service mesh add-on has been deprecated. Migrate to a supported revision following the AKS Istio upgrade guide.
• Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
• Teleport (preview) on AKS will be retired on 15 July 2025, please migrate to Artifact Streaming (preview) on AKS or update your node pools to set --aks-custom-headers EnableACRTeleport=false. Azure Container Registry has removed the Teleport API meaning that any nodes with Teleport enabled are pulling images from Azure Container Registry as any other AKS node. After 15 July 2025, any node pools with Teleport (preview) enabled may experience breakage and node provisioning failures. For more information, see aka.ms/aks/teleport-retirement.

Release Notes

• Features:

  • Network isolated cluster with outbound type none is now Generally Available.
  • AKS Security Bulletin and AKS CVE Mitigation Status are now available to track Security and CVE mitigations.

• Preview Features:

  • Kubernetes 1.33 version is now available for Preview, see Release tracker for when it hits your region.
  • Kubernetes 1.31 and 1.32 are now recognized as Long-Term Support (LTS) releases in AKS, joining existing LTS versions 1.28 and 1.29. You can view when these LTS releases hit your region in real time via the Release tracker. For more information, see Long Term Support (LTS).

• Bug Fixes:

  • Fix an issue in Azure CNI Powered by Cilium to improves DNS request/response performance, especially in large scale clusters using FQDN based policies. Without this fix, if the user sets a DNS request timeout below 2 seconds, in high-scale scenarios they may experience request drops due to duplicate request IDs.
  • Fix an issue where load balancer tags were not updated after accluster tag update. Load balancer tags now correctly reflect the latest state.
  • Fix an issue in Cilium v1.17 where a deadlock was causing server pods to be unable to start.

• Behavior Changes:

  • aksmanagedap is blocked as a reserved name for AKS system component, you can no longer use it for creating agent pool. See naming convention for more information.
  • linuxutil plugin is temporarily disabled for Retina Basic and ACNS as it was causing memory leaks that leads to Retina pods OOMKill.
  • Advanced Container Networking Services (ACNS) configmaps (cilium, retina, hubble) now auto‑format cluster names to satisfy Cilium 1.17 rules:≤ 32 chars, lowercase alphanumeric characters and dashes, no leading/trailing dashes, functionality is unaffected. This change is due to the strict enforcement of Cilium 1.17. See this link for details.
  • The defaultConfig.gatewayTopology field is now included in the Istio add-on MeshConfig AllowList as an unsupported field. For more details, see the Istio MeshConfig documentation.
  • Previously, you can't disable Node AutoProvisioning once enabled, now you can if meet certain criteria. See this document for more details.
  • Disabling kube-proxy no longer requires the KubeProxyConfigurationPreview feature flag in bring-your-own (BYO) CNI scenarios.
  • ExtensionManager (comprised of extension-operator and extension-agent in the kube-system), a key component that manages the cluster extension lifecycle, is moved from user node pools to internal AKS infrastructure. With this change, cluster extensions no longer require any of the outbound networking rules needed for extensions-manager. Note that this change only removes the outbound requirements for ExtensionManager component used to install the extensions while the extensions themselves (such as flux extension whose pods run on AKS user node pools) will still require their outbound network endpoints to be allowed on your firewall.
  • Kubelet Service Certificate Rotation will begin regional rollout, starting with westcentralus and eastasia by 16 May 2025. Existing node pools in these regions will have kubelet serving certificate rotation enabled by default when they perform their first upgrade to any kubernetes version 1.27 or greater. New node pools in these regions on kubernetes version 1.27 or greater will have kubelet serving certificate rotation enabled by default. For more information on kubelet serving certificate rotation, see aka.ms/aks/kubelet-serving-certificate-rotation.

• Component Updates:

  • Fleet networking components updated to v0.39 from v0.38 to fix CVE.
  • Workload Identity updated from v1.4.0 to v1.5.0
  • App-routing-operator has been upgraded to v0.2.5 on all supported AKS versions.
  • Cost-analysis-agent and cost-analysis-scraper image updated from v0.0.22 to 0.0.23 to fix CVE-2025-22871.
  • Cloud-controller-manager updated to v1.32.4, v1.31.5, v1.30.11 and v1.29.14.
  • Promtheus collector for Azure Monitor managed service for Prometheus addon updated from 6.15.0-main-02-21-2025-4acb2b4c to 6.16.0-main-04-15-2025-d78050c6.
  • Retina Enterprise image updated to v0.1.9 to resolve issues with retina-operator container image build on ARM64 nodes.
  • Retina base image to v0.0.30 for both Linux and Windows to resolve security vulnerabilities CVE-2024-40635 , CVE-2025-30162 and CVE-2025-22870.
  • Calico CNI/Tigera Operator updated to v3.28.4 (operator v1.34.10) and v3.29.3 (operator v1.36.7), fixing CVE-2025-0395, CVE-2025-22869, CVE-2025-22872, CVE-2024-9042, CVE-2025-0426 and CVE-2025-22871.
  • Cilium image updated to patch version v1.13.18-250409 on AKS 1.27 and 1.28 to fix CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22870, CVE-2024-45337.
  • Updated Istio-based service mesh add-on revisions asm-1-23, asm-1-24, and asm-1-25 to patch v1.23.6, v1.24.5 and 1.25.2. asm-1-24 support has now been extended to include AKS 1.33.
  • Azure Disk CSI driver version updated to v1.32.4 on AKS 1.32, v1.31.8 on AKS 1.31.
  • Coredns updated to v1.12.1-1 on AKS 1.33.
  • AKS Azure Linux v2 image has been updated to 202504.27.0.
  • AKS Azure Linux v3 image has been updated to 202504.27.0.
  • AKS Ubuntu 22.04 node image has been updated to 202504.27.0.
  • AKS Ubuntu 24.04 node image has been updated to 202504.27.00.