Azure/AKS 2025-08-08

Release 2025-08-08

on GitHub

Release 2025-08-08

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250808.

Announcements

• Starting in September 2025, AKS will start rolling out a change to enable a managed clusters quota for all current and new AKS customers. This rollout is expected to take place between 1-30 September 2025. AKS quota is the maximum number of managed clusters (AKS clusters) that an Azure subscription can create per region. Once the managed clusters quota is released, customers will need both managed clusters quota and node quota (VM SKUs) to create an AKS cluster. Existing AKS customer subscriptions will be given a default limit at or above their current usage, depending on the available regional capacity. Existing subscriptions using AKS for the first time and new subscriptions will be given a default limit. Customers can view quota limits and usage and request additional quota in the Azure portal Quotas blade or by using the Quotas REST API. Before the rollout is complete, quota limits and usage may be visible in the Azure portal on the Quotas blade, and customers will be able to request quota; however, limits won’t be enforced in every region until 1 October 2025. More information on the default limits for new subscriptions is available in documentation here.
• AKS Kubernetes patch versions 1.33.2, 1.32.6, 1.31.10, 1.30.13, 1.30.14 include a critical security fix for CVE-2025-4563 where nodes can bypass dynamic resource allocation authorization checks. This vulnerability affects the NodeRestriction admission controller when the DynamicResourceAllocation feature gate is enabled. Upgrade your clusters to these patched versions or above. Refer to version support policy and upgrading a cluster for more information.
• Kubernetes CIS benchmark results and recommendations have been updated to CIS Kubernetes V1.27 Benchmark v1.11.1. The results are applicable to AKS 1.29.x through AKS 1.32.x.
• AKS long term support now fully supports KEDA.
• Kubelet serving certificate rotation is now enabled in all public cloud regions. For more information on kubelet serving certificate rotation and disablement, refer to the documentation. Sovereign cloud rollout will begin on 18 August 2025. For rollout updates and questions, see AKS Github Issues.

Release notes

Features

• Istio-based service mesh add-on now:
  • Supports the following annotation: service.beta.kubernetes.io/azure-disable-load-balancer-floating-ip for Istio ingress gateways, allowing for Azure Load Balancer Floating IP configuration.
  • Permits use of the defaultConfig.proxyHeaders field in MeshConfig as an allowed but unsupported customization. For guidance, see the MeshConfig documentation and the Istio support policy.
• Azure Monitor users can now disable the Retina agent from running on specific nodes. This agent collects node network metrics and disabling it on a node will remove the Retina agent and stop all node network metric generation. Review the documentation for more information.
• Availability zones are now available as part of the Machine Show/List API.

Preview Features

• You can create new Confidential Virtual Machine node pools using Ubuntu 24.04 (preview) or Azure Linux 3.0 (preview). The default OS SKU for Ubuntu will remain Ubuntu 20.04 until Kubernetes version 1.35. You can upgrade existing Ubuntu node pools to Ubuntu 24.04 (preview). Note that you cannot update existing node pools to use a Confidential VM size.
• Managed Namespaces is now available as preview with Azure RBAC enabled clusters. To get started, review the documentation.
• AKS Component Insights is now available in Preview. Component insights shows breaking changes and component version changes for upcoming minor version upgrades.
• AKS MCP Server is now in public preview.
• Agentic CLI for AKS is now in private preview. This experience focuses on enabling users to diagnose and resolve cluster issues using natural language. You can signup at [aka.ms/aks/cli-agent/signup]/(https://aka.ms/aks/cli-agent/signup) for early access.

Bug Fixes

• Fixes an issue in Istio-based service mesh add-on that was preventing simple TLS origination using system certificates. Addresses CVE-2025-46821 in 1.25.3.
• Bring your own CNI clusters don't utilize route tables. To optimize resource usage in such clusters, existing route tables will be deleted and no new ones will be created.

Behavior Changes

• To allow addons that require Microsoft Entra ID authentication to be able to use workload identity while enabling IMDS restriction, it is now required to enable the OIDC issuer as well.
• For Istio-based service mesh add-on for AKS, partial updates to serviceMeshProfile in AKS managedClusters API now supports empty revision lists. If no revisions are specified, the system will use existing revision values instead of returning an error.

Component Updates

• Windows node images
  • Server 2019 Gen1 – 17763.7558.250714.
  • Server 2022 Gen1/Gen2 – 20348.3932.250714.
  • Server 23H2 Gen1/Gen2 – 25398.1732.250714.
• AKS Azure Linux v2 image has been updated to 202507.21.0 (image list).
• AKS Azure Linux v3 image has been updated to 202507.21.0 (image list).
• AKS Ubuntu 22.04 node image has been updated to 202507.21.0 (image list).
• AKS Ubuntu 24.04 node image has been updated to 202507.21.0 (image list).
• Container Insights has been upgraded to 3.1.28 which includes performance improvements and bug fixes.
• Azure Disk CSI driver has been upgraded to v1.32.9, v1.33.3 on AKS 1.32 and 1.33 respectively.
• Retina Basic agent images have been updated to v1.0.0-rc1, addressing security vulnerability GHSA-fv92-fjc5-jj9h.
• Node Auto Provisioning (NAP) has been updated to Karpenter release 1.6.1 with improvements and bug fixes.
• Azure Monitor managed service for Prometheus addon is updated to the latest release 07-24-2025
• Istio-based service mesh add-on has been updated with patch releases 1.25.3 and 1.26.2 for Istio-based service mesh revisions asm-1-25 and asm-1-26. To adopt patch updates, restart workloads to triggers sidecar re-injection of the new istio-proxy version.
• Cloud Controller Manager image versions updated to v1.33.2, v1.32.7, v1.31.8, and v1.30.14.
• kube-egress-gateway has been updated to v0.1.1 for Kubernetes 1.34, adding support for Static Egress Gateway in additional regions and fixing service traffic handling in Cilium clusters.