Azure/AKS 2025-07-20

Release 2025-07-20

on GitHub

Release 2025-07-20

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250720.

Announcements

• Kubernetes 1.27 LTS version and 1.30 community version are going out of support by July 30th. Please upgrade to a supported version , refer to AKS release calendar for more information.
• AKS Kubernetes version 1.33 is now compatible with Long-Term Support (LTS), aligning with all supported Kubernetes versions are eligible for Long-Term Support (LTS) on AKS.
• The asm-1-23 revision for the Istio add-on has been deprecated. Kindly upgrade your service mesh to a supported version following the AKS Istio upgrade guide.
• Virtual Machines (VMs) node pools are now enabled by default when creating a new node pool. Previously Virtual Machine Scale Sets (VMSS) were the default node pool type when creating a node pool in AKS. To learn more about VMs, an AKS-optimized node pool type, visit our documentation.
• WASI Node Pool has been retired. If you'd like to run WebAssembly (WASM) workloads, you can deploy SpinKube to Azure Kubernetes Service (AKS) from Azure Marketplace.

Release notes

• Features

  • Application routing add-on now supports configuration of SSL passthrough, custom logging format, and load balancer IP ranges. Review the configuration of NGINX ingress controller documentation for more information.
  • SecurityPatch Node OS upgrade channel is now supported for all network isolated clusters.
  • API server VNet integration is now Generally Available (GA) in additional regions: East Asia, Southeast Asia, Switzerland North, Brazil South, Central India, Germany West Central, and more GA regions. For the complete list of supported regions and any capacity limitations, see the API Server VNet Integration documentation.
  • Kubelet Service Certificate Rotation will begin rollout to all remaining public regions, starting on 23 July 2025. Rollout is expected to be completed in 10 days. Note: This is an estimate and is subject to change. See GitHub issue for regional updates. Existing node pools will have kubelet serving certificate rotation enabled by default when they perform their first upgrade to any kubernetes version 1.27 or greater. New node pools on kubernetes version 1.27 or greater will have kubelet serving certificate rotation enabled by default. For more information on kubelet serving certificate rotation and disablement, see https://aka.ms/aks/kubelet-serving-certificate-rotation.
  • Kubernetes Event-Driven Autoscaling (KEDA) is now supported in LTS.
  • Static Block allocation mode for Azure CNI Networking is now Generally Available.

• Preview Features

  • Azure Virtual Network Verifier is now available in Azure Portal (Node pools blade) for troubleshooting outbound connectivity issues in your AKS cluster.
  • Encryption in transit is now available for the Azure File CSI driver, starting from AKS version 1.33.
  • Node auto provisioning metrics are now available through Azure Monitor managed service for Prometheus. To learn more, visit our node auto provisioning documentation.
  • Disable HTTP Proxy is now available in Preview.

• Bug Fixes

  • Fixed issue where AKS evicted pods that had already been manually relocated, causing upgrade failures. This fix adds a node consistency check to ensure the pod is still on the original node before retrying eviction.

• Behavior Changes

  • The delete-machines API will only delete machines from the system nodepool if the system addon PDBs are respected.
  • AKS will now reject invalid OsSku enums during cluster creation, node pool creation, and node pool update. Previously AKS would default to Ubuntu. Unspecified OsSku with OsType Linux will still default to Ubuntu. For more information on supported OsSku options, see documentation for Azure CLI and the AKS API.
  • Application routing component Pods are now annotated with kubernetes.azure.com/set-kube-service-host-fqdn to automatically have the API server's domain name injected into the pod instead of the cluster IP, to enable communication to the API server. This is useful in cases where the cluster egress is via a layer 7 firewall.
  • Container Insights agents now have a memory limit of 750Mi (down from 4Gi).
  • Advanced Container Networking Services (ACNS) pods now run with priorityClassName: system-node-critical, preventing eviction under node resource pressure and improving cluster security posture.
  • Add node anti-affinity for FIPS-enabled nodes for retina-agent when pod-level metrics are enabled.

• Component Updates

  • Windows node images
    • Server 2019 Gen1 – 17763.7558.250714.
    • Server 2022 Gen1/Gen2 – 20348.3932.250714.
    • Server 23H2 Gen1/Gen2 – 25398.1732.250714.
  • AKS Azure Linux v2 image has been updated to 202507.15.0.
  • AKS Azure Linux v3 image has been updated to 202507.15.0.
  • AKS Ubuntu 22.04 node image has been updated to 202507.15.0.
  • AKS Ubuntu 24.04 node image has been updated to 202507.15.0.
  • Application Insights addon image is updated to 1.0.0-beta.7 to expose container port 4000 for scraping Prometheus metrics.
  • Application routing operator is updated to v0.2.7 for all supported Kubernetes versions.
  • Azure Network Policy Manager (NPM) image version is updated to v1.6.29 to resolve iptables-legacy command issues and bump Ubuntu to 24.04 with CVE fixes.
  • Azure Disk CSI driver versions are upgraded to v1.31.11, v1.32.8, v1.33.2 on AKS versions 1.31, 1.32, 1.33 respectively.
  • Cloud Controller Manager has been upgraded to v1.33.1, v1.32.6, v1.31.7 and v1.30.13.
  • Retina Basic image is updated to v0.0.36 on Linux and Windows.
  • Retina Enterprise has been updated to v0.1.11 to resolve several CVEs.
  • Azure Monitor managed service for Prometheus addon is updated to the latest release 06-19-2025.
  • Microsoft Defender for Cloud security-publisher image updated to 1.0.243 to address CVE-2023-4039 and CVE-2024-13176.
  • Microsoft Defender for Cloud old-file-cleaner image updated to 1.0.243 to address CVE-2025-0913 and CVE-2025-4673.
  • Image Cleaner eraser image is updated to v1.4.0-4.
  • Bumped Azure Cloud Controller Manager to v1.33.1, v1.32.6, v1.31.7, and v1.30.13.
  • Tigera operator is updated from v.1.38.0 to v1.38.2 to support Calico v3.30.1.
  • Calico has been upgraded with the v3.30.2.
  • Vertical Pod Autoscaler (VPA) addon images are now built with Dalec starting from AKS version 1.27.
  • Cluster Autoscaler is upgraded to v1.33.0 with Dalec-built image.
  • Azure Policy Addon is upgraded to v1.13.0 with enhanced EUDB request routing.
  • secrets-store-csi-driver is upgraded to v1.5.1
  • Workload identity image is updated to v1.5.1 with CVE fixes.
  • Istio revision asm-1-26 is now available for the Istio-based service mesh add-on. To adopt the new revision, follow the canary upgrade guidance. Other updates:
  • Istio-based service mesh add-on now supports the following annotations: service.beta.kubernetes.io/azure-allowed-ip-ranges, service.beta.kubernetes.io/azure-load-balancer-disable-tcp-reset, service.beta.kubernetes.io/azure-pip-ip-tags, service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout for Istio ingress gateways.