Azure/AKS 2025-06-17

Release 2025-06-17

on GitHub

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250617.

Announcements

• Kubernetes 1.27 LTS version and 1.30 community version are going out of support by July 30th. Please upgrade to a supported version , refer to AKS release calendar for more information.
• Kubernetes 1.33 community version is going to be released before end of June 2025, please keep track of the rollout by regions via AKS Release tracker.
• Customers using Azure Linux 2.0 should migrate to Azure Linux 3.0 before November 2025. For details on how to migrate from Azure Linux 2.0 to Azure Linux 3.0, see this doc. AKS is currently working on a feature to allow for migrations between Azure Linux 2.0 and Azure Linux 3.0 through a node pool update command. For updates on feature progress and availability, see Github issue.
• Starting in June 2025, AKS clusters with version >= 1.28 and using Azure Linux 2.0 can be opted into Long Term Support. See blog for more information.
• Starting in June 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
• Ubuntu 18.04 is no longer supported on AKS. AKS will no longer create new node images or provide security updates for Ubuntu 18.04 nodes. Existing node images will be deleted by 17 July 2025. Scaling operations will fail. To avoid service disruptions, scaling restrictions, and remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
• Teleport (preview) on AKS will be retired on 15 July 2025, please migrate to Artifact Streaming (preview) on AKS or update your node pools to set --aks-custom-headers EnableACRTeleport=false. Azure Container Registry has removed the Teleport API meaning that any nodes with Teleport enabled are pulling images from Azure Container Registry as any other AKS node. After 15 July 2025, any node pools with Teleport (preview) enabled may experience breakage and node provisioning failures. For more information, see aka.ms/aks/teleport-retirement.
  Azure Kubernetes Service will no longer support the --skip-gpu-driver-install node pool tag to skip automatic driver installation. Starting on August 14 2025, you will no longer be able to use this node pool tag at AKS node pool creation time to install custom GPU drivers or use the GPU Operator. Alternatively, you should use the generally available gpu-driver API field to update your existing node pools or create new GPU-enabled node pools to skip automatic GPU driver installation.

Release Notes

• Preview Features

  • Azure Monitor Application Insights for Azure Kubernetes Service (AKS) workloads is now available in preview.
  • Ubuntu 24.04 is now available in public preview in k8s 1.32+. ContainerD 2.0 is enabled by default. You can create new Ubuntu 24.04 node pools or update existing Linux node pools to Ubuntu 24.04. Use the "Ubuntu2404" os sku enum after registering the preview flag "Ubuntu2404Preview". You can also use the new "Ubuntu2204" os sku enum to rollback to Ubuntu 22.04 if you encounter any issues! You may also rollback using "Ubuntu" os sku enum. For more information, see upgrading your OS version.
  • Cost optimized add-on scaling is now available in preview. This feature allows you to autoscale supported addons or customize the resource's default CPU/ memory requests and limits to improve cost savings.

• Features

  • AKS patch versions 1.32.5, 1.31.9 are now available. Refer to version support policy and upgrading a cluster for more information.
  • API Server VNet Integration is available now, please find the most up to date regions where this feature has been rolled out.
  • Kubelet Service Certificate Rotation has now been rolled out to East US and UK South. Existing node pools will have kubelet serving certificate rotation enabled by default when they perform their first upgrade to any kubernetes version 1.27 or greater. New node pools on kubernetes version 1.27 or greater will have kubelet serving certificate rotation enabled by default. For more information on kubelet serving certificate rotation and disablement, see certificate rotation in Azure Kubernetes Service.
  • MaxblockedNodes property is getting rolled to all regions. This helps cluster operators to put a limit on number of nodes that can be blocked on pdb blocked eviction failures and continuing upgrade forward. Read more.

• Bug Fixes

  • Fixed a race condition with streams sharing data between Cilium agent and ACNS security agent.
  • Fixed Azure Policy addon Gatekeeper regression causing crash loop on clusters with Kubernetes versions < 1.27.
  • Resolved an issue where node pool scaling failed with customized kubelet configuration. Without this fix, node pools using CustomKubeletConfigs could not be scaled, and encountered an error message stating that the CustomKubeletConfig or CustomLinuxOSConfig cannot be changed for the scaling operation.
  • Fixed an issue where updating node pools with the exclude label, it doesn't update the Load Balancer Backend Pool properly.
  • Resolved a problem when upgrading Kubenet or Nodesubnet cluster with AGIC enabled to Azure CNI Overlay there might be some connectivity issues to services exposed via Ingress App Gateway public IP.
  • Fixed a bug where clusters with Node Auto Provisioning enabled could intermittently get an error about "multiple identities configured" and be unable to authenticate with Azure.
  • Fixed an issure to ensure the vms in a specific cloud are compatible with the latest Windows 550 grid driver.

• Behavior Changes

  • AKS now allows daily schedules for the auto upgrade configuration.
  • Static Egress Gateway memory limits increased from 500Mi to 3000Mi reducing the risk of memory-related restarts under load.
  • Starting with this release, updates to HTTP Proxy settings in AKS will once again trigger automatic reimaging of nodes. This behavior, which ensures consistent proxy configuration across all nodes, was previously disabled but has now been re-enabled to improve reliability and reduce manual intervention.
  • The GPU provisioner component of KAITO has now been moved to the AKS control plane when the KAITO add-on is used. The OSS installation will still require this component to run on the kubernetes nodes.
  • Azure Monitor managed service for Prometheus updates the max shards from 12 to 24, ensuring enhanced scaling capabilities.
  • linuxutil plugin is enabled again for Retina Basic and ACNS.
  • Kubelet Service Certificate Rotation has now been rolled out to East US and UK South. Existing node pools will have kubelet serving certificate rotation enabled by default when they perform their first upgrade to any kubernetes version 1.27 or greater. New node pools on kubernetes version 1.27 or greater will have kubelet serving certificate rotation enabled by default. For more information on kubelet serving certificate rotation and disablement, see certificate rotation in Azure Kubernetes Service.
  • Node Auto-Provisioning (NAP) now requires Kubernetes RBAC to be enabled, because NAP relies on secure and scoped access to Kubernetes resources to provision nodes based on pending pod resource requests. Kubernetes RBAC is enabled by default. For more information, see RBAC for Kubernetes.
  • Deployment Safeguards no longer requires Azure Policy permissions. Cluster admins will have the ability to turn on and disable Deployment Safeguards.

• Component Updates

  • Windows node images
    • Server 2019 Gen1 – 17763.7314.250518.
    • Server 2022 Gen1/Gen2 – 20348.3692.250518
    • Server 23H2 Gen1/Gen2 – 25398.1611.250518
  • AKS Azure Linux v2 image has been updated to 202506.12.0.
  • AKS Azure Linux v3 image has been updated to 202506.12.0.
  • AKS Ubuntu 22.04 node image has been updated to 202506.12.0.
  • AKS Ubuntu 24.04 node image has been updated to 202506.12.0.
  • Updated Istio-based service mesh add-on to versions v1.23.6, v1.24.6, v1.25.3.
  • Updated Secret Store CSI driver to v1.5.0 and the Azure provider to v1.7.0.
  • Updated tigera operator to v1.36.10 and calico to v3.29.4 for versions running on K8S 1.32. Updated tigera operator to v1.38.0 and calico to v3.30.0 for versions running on K8S 1.33.
  • Updated KEDA to v2.17 for AKS clusters running on Kubernetes 1.33.
  • Updated Azure Disk CSI driver to v1.32.7 for AKS 1.32, v1.33.1 for AKS 1.33.
  • Updated Azure File CSI driver to v1.30.10 for AKS 1.30, v1.31.6 for AKS 1.31, v1.32.4 for AKS 1.32, v1.33.1 for AKS 1.33.
  • Updated Azure Blob CSI driver v1.24.10 for AKS 1.30, v1.25.8 for AKS 1.31, v1.26.5 for AKS 1.32, AKS 1.33.
  • Updated Azure Network Policy Manager (NPM) to v1.5.48.
  • Updated Azure Monitor managed service for Prometheus images to 05-29-2025 release.
  • Updated Azure Policy add-on image to v1.12.2.
  • Updated Retina basic image to v0.0.34.
  • Updated Retina Enteprise image to v0.1.10.
  • Updated Metrics-server to v0.7.2-7 for AKS clusters on 1.32+ version, v0.6.3-6 for AKS clusters on 1.24+ version.
  • Updated coredns version to v1.9.4-6 for AKS clusters on 1.24+ version, v1.11.3-8 for AKS clusters on 1.32+ version, v1.12.1-2 for AKS clusters on 1.33+ version.
  • Released an update in GRID driver version on the guest VM for NVs_v3 VM family to ensure compatibility with host VM GPU driver version for Windows GPU node pools.
  • Updated cilium/fqdn images to v1.14.20-1 for Kubernetes 1.29, v1.16.10 for Kubernetes 1.31, v1.17.4 for Kubernetes 1.32 to fix CVE‑2025‑22871 , CVE‑2025‑22872 , CVE‑2024‑45336 , CVE‑2024‑45341 , CVE‑2025‑22866 , CVE‑2025‑43973 , CVE‑2025‑43970 , CVE‑2025‑43972 , CVE‑2025‑43971 , CVE‑2025‑32793.