Azure/AKS 2025-08-29

Release 2025-08-29

on GitHub

Release 2025-08-29

Monitor the release status by regions at AKS-Release-Tracker. This release is titled v20250829.

Announcements

• AKS Automatic is now generally available. AKS Automatic is based on three key pillars: production-ready by default, integrated best practices and safeguards, and code to Kubernetes in minutes. Sign up to watch the AKS Automatic Virtual Launch on September 16th from 8:00 AM - 12:00 PM (UTC-07:00).
  • New Automatic cluster creation is only allowed in API Server Vnet Integration GA supported regions. Migrating from SKU: "Base" to SKU: "Automatic" is only allowed in API Server Vnet Integration GA supported regions. Operations on existing Automatic clusters will not be blocked even if the cluster is not in API Server Vnet Integration GA supported regions.
• AKS patch versions 1.33.3, 1.32.7, and 1.30.11 are now available. Refer to version support policy and upgrading a cluster for more information.
• Istio-based service mesh add-on is now compatible with AKS Long Term Support (LTS) for Istio revisions asm-1-25+ and AKS versions 1.28+. Please note that not every Istio revision will be compatible with every AKS LTS version. It is recommended to review the Istio add-on support policy for an overview of this feature's support.
• API Server Vnet Integration is now available in the following additional regions: centralus, austriaeast, chilecentral, denmarkeast, israelnorthwest, malaysiawest, southcentralus2, southeastus3, southeastus5, southwestus, and usgovtexas. For the latest list of supported regions, see the API Server VNet Integration documentation.
• 1.30 Kubernetes version is now officially End of Life. Please upgrade to 1.31 version. If you require 1.30 version, then switch to AKS Long Term Support (LTS).
• Security Patch tab under AKS-Release-Tracker now provides information for Azure Linux v3. This provides real time info on the security patch contents and timestamp of actual release.

Release notes

Features

• Azure CNI Overlay is now GA and compatible with Application Gateway for Containers and Application Gateway Ingress Controller. See AGC networking for details on Overlay compatibility.
• Advanced Container Networking Services: Layer 7 Policies reached General Availability.
• Disabling SSH on Windows node pools is now available.
• Ubuntu 24.04 CVM is now enabled by default for K8s version 1.34-1.38.
• OpenID Connect (OIDC) issuer is now enabled by default on new cluster creation for Kubernetes version 1.34 and above.
• Node Auto-provisioning enabled clusters can use planned maintenance for scheduling node image upgrades that adhere to aksManagedNodeOSUpgradeSchedule.
• When upgrading from kubenet to Azure CNI Overlay, customers can now specify a different pod CIDR using the --pod-cidr parameter. See Upgrade Azure CNI for more information.
• The migration CLI command to migrate from Availability Sets on AKS is now Generally Available. The feature is accessible in the Azure CLI v2.76.0 (August 2025). For more information on the migration tool, visit our Availability Sets migration documentation.
• The migration CLI command to migrate from the Basic Load Balancer on AKS is now Generally Available. The feature is accessible in the Azure CLI v2.76.0 (August 2025). For more information on the migration tool, visit our Basic Load Balancer migration documentation.

Bug Fixes

• Fixed a bug where ETag was not returned in ManagedClusters or AgentPools responses in API versions 2024-09-01 or newer, even though the API specification said it would be.
• Fixed cluster autoscaler bug 7694 in kubernetes version 1.31+, where the "DeletionCandidateOfClusterAutoscaler" taint would persist on some of the remaining nodes after scale-down. This incorrect tainting prevented new pods from being scheduled on those nodes.

Behavioral Changes

• All AKS Automatic clusters, and AKS Standard clusters that enabled Deployment Safeguards via the safeguardsProfile, will now have a new Microsoft.ContainerService/deploymentSafeguards sub-resource created under managedClusters. See Use Deployment Safeguards for more information.
• Disallow adding non-Node auto provisioning pools to AKS Automatic clusters. There is no effect on existing Automatic Clusters that have non-Node auto provisioning pools.
• A new runTimeClassName, kata-vm-isolation, has been added for Pod Sandboxing in preparation for deprecating the old kata-mshv-vm-isolation name. Users can continue using the original name for the time being.
• Starting with Kubernetes version 1.34, all AKS Automatic clusters will include a new AKS-managed component named Cluster Health Monitor within the kube-system namespace. This component is designed to collect metrics related to the cluster’s control plane and AKS-managed components, helping ensure these services are operating as expected and improving overall observability.

Component Updates

• Windows node images
  • Server 2019 Gen1 – 17763.7678.250823
  • Server 2022 Gen1/Gen2 – 20348.4052.250823
  • Server 23H2 Gen1/Gen2 – 25398.1791.250823
  • Server 2025 Gen1/Gen2 – 26100.4946.250823
• AKS Azure Linux v2 image has been updated to 202508.20.0 (image list).
• AKS Azure Linux v3 image has been updated to 202508.20.0 (image list).
• AKS Ubuntu 22.04 node image has been updated to 202508.20.0 (image list).
• AKS Ubuntu 24.04 node image has been updated to 202508.20.0 (image list).

• Azure File CSI driver has been upgraded to v1.33.4 on AKS 1.33, which includes performance improvements and bug fixes.
• Azure Disk CSI driver has been upgraded to v1.33.4 on AKS 1.33, which includes performance improvements and bug fixes.
• NPM (Network Policy Manager) has been upgraded to v1.6.33 to resolve multiple CVEs: CVE-2025-5702, CVE-2025-32988](https://nvd.nist.gov/vuln/detail/CVE-2025-32988), CVE-2025-32989, CVE-2025-32990, CVE-2025-6395, CVE-2025-40909, CVE-2025-47907.
• Gatekeeper has been upgraded to v3.20.0, which includes policy engine improvements and bug fixes.
• Managed Prometheus/AMA-Metrics has been upgraded to 08-13-2025, which updates PodMonitor and ServiceMonitor CRDs. Refer to release notes 08-13-2025 for details.
• Application routing operator has been upgraded to v0.2.8, which upgrades ExternalDNS from 0.15.0 to 0.17.0.
• Azure Policy add-on has been upgraded to v1.13.1 to address CVE-2025-47907.