github Azure/AKS 2025-09-21
Release 2025-09-21


Release Notes 2025-09-21

Monitor the release status by region at AKS-Release-Tracker. This release is titled v20250921.

Announcements

  • AKS Kubernetes version 1.31 standard support will be deprecated by November 1, 2025. Kindly upgrade your clusters to the 1.32 community version or enable Long Term Support with 1.31 in order to remain on the same version. Refer to version support policy and upgrading a cluster for more information.
  • Revision asm-1-24 of the Istio add-on has been deprecated. Please migrate to a supported revision following the Istio add-on upgrade guide.
  • AKS Kubernetes version 1.34 is now available in preview. Refer to 1.34 Release Notes and upgrading a cluster for more information.
  • Starting on 30 November 2025, AKS will no longer support or provide security updates for Azure Linux 2.0. Migrate to a supported Azure Linux version by upgrading your node pools to a supported Kubernetes version or migrating to osSku AzureLinux3. For more information, see [Retirement] Azure Linux 2.0 node pools on AKS.
  • Security patch information for Ubuntu 24.04 is available in AKS-Release-Tracker.
  • Azure Kubernetes Service no longer supports the --skip-gpu-driver-install node pool tag to skip automatic driver installation. This node pool tag can no longer be used at AKS node pool creation time to install custom GPU drivers or use the GPU Operator. Alternatively, you should use the generally available gpu-driver API field to update your existing node pools or create new GPU-enabled node pools to skip automatic GPU driver installation.
  • AKS Automatic is generally available. Find the recording of the virtual launch event on YouTube.

Release notes

Features

  • API Server Vnet Integration is now available in East US region.
  • AKS Node Problem Detector (NPD) conducts GPU health monitoring to enable automatic detection and reporting of issues impacting select GPU-enabled VM sizes, and is now generally available.
  • Kubelet Serving Certificate Rotation (KSCR) is now enabled by default in Sovereign cloud regions. Existing node pools in these regions will have KSCR enabled by default when they perform their first upgrade to any Kubernetes version 1.27 or greater. Kubelet serving certificate rotation allows AKS to utilize kubelet server TLS bootstrapping for both bootstrapping and rotating serving certificates signed by the Cluster CA. See documentation for detailed instructions.

Bug Fixes

  • Fixed an issue where KAITO workspace creation would fail on AKS Automatic because gpu-provisioner creates an agentPool. Non-node auto provisioning pools, such as agentPool, are now allowed to be added to AKS Automatic clusters.
  • Fixed a bug where ETag was not returned in ManagedClusters or AgentPools responses in API versions 2024-09-01 or newer, even though the API specification said it would be.

Behavioral Changes

  • Deployment Safeguards will stop enforcing readiness and liveness probes on the placeholder pods that Application Routing creates to mount synchronized secrets from Azure Key Vault.
  • AKS Automatic system pool needs to have at least 3 availability zones, ephemeral OS disk, and Azure Linux OS.
  • Starting with 20250902-preview API, the enableCustomCATrust field is removed. This field is not required when using the GA feature, and is only used by a deprecated version of the feature. When using Custom Certificate Authority, you no longer need to specify enableCustomCATrust. You can just add certificates to your cluster by specifying your text file for the --custom-ca-trust-certificates parameter. See documentation for detailed instructions.
  • Starting September 2025, new AKS clusters that use the AKS-managed virtual network option will place cluster subnets into private subnets by default (defaultOutboundAccess = false) in alignment with egress best practices. This setting does not impact AKS-managed cluster traffic, which uses explicitly configured outbound paths. It may affect unsupported scenarios, such as deploying other resources (e.g., VMs) into the same subnet. Clusters using BYO VNets are unaffected by this change. In supported configurations, no action is required.
  • For Pod Sandboxing, kata-mshv-vm-isolation will be replaced with kata-vm-isolation while the --workload-runtime used when creating a cluster will be changed from KataMshvVmIsolation to KataVmIsolation. Make sure you use the correct name when creating Pod Sandboxing clusters.
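The following Python script is an added example, not part of the AKS release notes or any Microsoft tooling. It audits a cluster description and a pod manifest for three items from this release: the 1.31 standard support deadline, the Azure Linux 2.0 retirement, and the Pod Sandboxing rename. Assumptions: the JSON field names (kubernetesVersion, supportPlan, agentPoolProfiles, nodeImageVersion, workloadRuntime) match `az aks show -o json` output, Azure Linux 2.0 node images carry a "-V2" marker in their name, and all sample data is constructed.

```python
import json
import re

# Constructed sample, trimmed to the fields read below and shaped like
# `az aks show -o json` output; all names and versions are illustrative.
SAMPLE_CLUSTER = json.loads("""
{"name": "demo-aks", "kubernetesVersion": "1.31.9", "supportPlan": "KubernetesOfficial",
 "agentPoolProfiles": [
  {"name": "sys", "nodeImageVersion": "AKSAzureLinux-V2gen2-202509.11.0",
   "workloadRuntime": "OCIContainer"},
  {"name": "sandbox", "nodeImageVersion": "AKSAzureLinux-V3gen2-202509.18.0",
   "workloadRuntime": "KataMshvVmIsolation"},
  {"name": "apps", "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202509.11.0",
   "workloadRuntime": "OCIContainer"}]}
""")

# Constructed pod manifest that still uses the old Pod Sandboxing runtime class.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
spec:
  runtimeClassName: kata-mshv-vm-isolation
"""

def audit_cluster(cluster):
    """Return (scope, finding) pairs for items called out in this release."""
    findings = []
    major, minor = (int(p) for p in cluster["kubernetesVersion"].split(".")[:2])
    lts = cluster.get("supportPlan") == "AKSLongTermSupport"
    if (major, minor) == (1, 31) and not lts:
        findings.append(("cluster", "1.31 standard support deprecated by 2025-11-01"))
    for pool in cluster.get("agentPoolProfiles", []):
        image = pool.get("nodeImageVersion", "")
        # Assumption: Azure Linux 2.0 images carry a "-V2" marker in the name.
        if re.match(r"AKS(AzureLinux|CBLMariner)-V2", image):
            findings.append((pool["name"], "Azure Linux 2.0 support ends 2025-11-30"))
        if pool.get("workloadRuntime") == "KataMshvVmIsolation":
            findings.append((pool["name"], "workload runtime renamed to KataVmIsolation"))
    return findings

def stale_runtime_classes(manifest_text):
    """Line numbers in a manifest that reference the old runtime class name."""
    pattern = re.compile(r"^\s*runtimeClassName:\s*[\"']?kata-mshv-vm-isolation[\"']?\s*$")
    return [n for n, line in enumerate(manifest_text.splitlines(), 1) if pattern.match(line)]

if __name__ == "__main__":
    for scope, finding in audit_cluster(SAMPLE_CLUSTER):
        print(f"{scope}: {finding}")
    print("manifest lines to update:", stale_runtime_classes(SAMPLE_MANIFEST))
```

To run it against a real cluster, replace SAMPLE_CLUSTER with the parsed output of `az aks show -o json` for that cluster.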

Component Updates

  • Windows node images
    • Server 2019 Gen1 – 17763.7792.250910
    • Server 2022 Gen1/Gen2 – 20348.4171.250910
    • Server 23H2 Gen1/Gen2 – 25398.1849.250910
    • Server 2025 Gen1/Gen2 – 26100.6584.250910
  • AKS Azure Linux v2 image has been updated to 202509.11.0.
  • AKS Azure Linux v3 image has been updated to 202509.18.0.
  • AKS Ubuntu 22.04 node image has been updated to 202509.11.0.
  • AKS Ubuntu 24.04 node image has been updated to 202509.11.0.
  • Azure File CSI driver has been upgraded to v1.32.7 on AKS 1.32, and v1.33.5 on AKS 1.33.
  • Azure Policy addon has been upgraded to v1.13.1 to address CVE-2025-47907.
  • Azure Blob CSI driver has been upgraded to v1.26.7 on AKS 1.33.
  • Azure Disk CSI driver has been upgraded to v1.32.10 on AKS 1.32.
  • Karpenter has been upgraded to v1.6.3 with FIPS support for Node Auto Provisioning, Ubuntu 2404 ImageFamily support, and various improvements.
  • Cilium has been upgraded to v1.14.20-2 on AKS 1.29 and 1.30, v1.16.13 on AKS 1.31, and v1.17.7 on AKS 1.32 addressing multiple CVEs.
  • Istio-based service mesh add-on revisions asm-1-25, asm-1-26, and asm-1-27 have been upgraded to v1.25.5, v1.26.4, and v1.27.1. Users can restart workload pods to trigger re-injection of the updated istio-proxy version. More details on patch upgrades are available here.
  • Calico has been bumped to versions 3.30.3 and 3.29.5.
  • Tigera Operator has been bumped to versions 1.38.6 and 1.36.13.
  • Container Insights has been upgraded to v3.1.29.
  • Cluster Autoscaler has been upgraded to v1.31.5 for AKS 1.31, v1.32.2 for AKS 1.32, and v1.33.0-aks for AKS 1.33.
