Azure/AKS 2026-01-04

Release 2026-01-04

on GitHub

Release Notes 2026-01-04

Monitor the release status by regions at AKS-Release-Tracker.

Announcements

• Ubuntu version updates
  • Ubuntu 24.04 is now generally available and will be the default for OS SKU Ubuntu starting in Kubernetes v1.35. This means that if you upgrade to Kubernetes v1.35 with Ubuntu OS SKU, you'll automatically update your OS version from Ubuntu 22.04 to Ubuntu 24.04. If you'd like to continue to use Ubuntu 22.04, you can use it until Kubernetes v1.36 end of life. You can also create or update your existing node pools using CLI version 2.82.0+. For more information, see documentation.
  • Ubuntu 18.04 support has been removed from AKS, meaning you'll no longer be able to scale your node pools. If you are currently using Ubuntu 18.04 on AKS, please follow our instructions to upgrade your Kubernetes version to 1.25+ where Ubuntu 22.04 will be the default Ubuntu version. For more information on this retirement and removal, see AKS Github Issues
• AKS has now published the results from the CIS Kubernetes Benchmark v1.12.0 recommendations on AKS. The results are applicable to AKS 1.32.x through AKS 1.34.x. Detailed report is available in documentation.
• AKS has now published the results from the CIS Ubuntu 24.04 LTS Benchmark v1.0.0. Detailed report is available in documentation.
• Since November 30, 2025, Azure Kubernetes Service (AKS) no longer supports or provides security updates for Azure Linux 2.0. The Azure Linux 2.0 node image is frozen at the 202512.06.0 release. Beginning March 31, 2026, node images will be removed, and you'll be unable to scale your node pools. Migrate to a supported Azure Linux version by upgrading your node pools to a supported Kubernetes version or migrating to osSku AzureLinux3. For more information, see Retirement of Azure Linux 2.0 node pools on AKS
• AKS now blocks the creation of clusters with Basic Load Balancer which retired on 30 September 2025. Clusters still using Basic Load Balancers are considered out of support and you must upgrade to the Standard Load Balancer.
• Starting on March 30, 2026 the node pool tag, aks-disable-kubelet-serving-certificate-rotation=true will no longer be supported. New node pools can be created with the node pool tag, but AKS will not respect the node pool tag. For new node pools, that means that they will be created with Kubelet Serving Certificate Rotation (KSCR) enabled, despite the node pool tag. For existing node pools, this means that KSCR will be automatically enabled on their next reimage operation. For updates about this retirement, see AKS Github Issue.
• Since 19 October 2025, AKS Automatic clusters have transitioned to a new billing model in alignment with the service moving from preview to General Availability. To learn more about Azure Kubernetes Service pricing, please visit the pricing page. As part of this transition, the following pricing updates have taken effect in supported regions:
  • Compute charges based on the duration and type of virtual machines used by AKS Automatic clusters.
  • A $0.16 cluster / hour hosted control plane fee.

Kubernetes Version

• AKS Kubernetes version 1.31 is deprecated. Please upgrade your clusters to 1.32 version or above. Refer to version support policy and upgrading a cluster for more information.
• AKS Kubernetes version 1.34 is now generally available. Refer to version support policy and upgrading a cluster for more information.
• AKS LTS (Long Term Support) patch versions are now available:
  • Kubernetes 1.30.101-akslts - Changelog
  • Kubernetes 1.29.101-akslts - Changelog
  • Kubernetes 1.28.103-akslts - Changelog

For deprecation and patch timelines by region, please check the AKS-Release-Tracker

Preview features

• Azure CNI Overlay now supports Pod CIDR address space expansion in public preview, allowing you to add more Pod IPs without recreating the cluster.
• OpenTelemetry support for AKS monitoring is now in limited public preview. Sign up form can be found here
• Private IP support for Static Egress Gateway is now available in public preview on clusters of version >=1.34.
• External identity provider based authentication to cluster control plane is now available in preview.
• Identity bindings is now available in preview. This addresses workload identity's scale limitation of 20 federated identities credentials per managed identity.
• Entra ID based SSH access to nodes is now available in preview.
• Revised experience for data encryption at rest for secrets in AKS using KMS provider for Azure Key Vault with options for platform-managed keys or customer-managed keys is now available in preview.
• Flatcar Container Linux for AKS (preview) is a CNCF-based vendor-neutral container-optimized immutable OS, best suited for running on multi-cloud and on-prem environments. Flatcar Container Linux is now available in preview as an OS option on AKS. You can deploy Flatcar Container Linux node pools in a new AKS cluster or add Flatcar Container Linux node pools to your existing clusters.
• Windows Server 2025 is now supported in preview. This new version includes the following updates: Containerd 2.0 is now default, Generation 2 VMs are enabled by default, and FIPS is enabled by default. For more information on upgrading your windows OS version, see AKS documentation.
• Azure Linux with OS Guard, a hardened and immutable variant of Azure Linux, is now in public preview.
• Istio CNI is now in public preview. Istio CNI improves security by eliminating the need for NET_ADMIN and NET_RAW capabilities in application workloads within the service mesh

Behavioral Changes

• Starting with API version 2026-01-01, AKS returns podCIDR and podCIDRs fields when networkPlugin=none, allowing customers to update their podCIDR to match their CNI configuration.
• When using LocalDNS, AKS now rejects forwarding external domains to CoreDNS from vnetDNSOverrides to prevent DNS resolution issues.
• AKS now enforces required subnet configuration for networking add-ons such as Application Gateway for Containers, which may cause cluster creation or upgrades to fail if add-on subnets are misconfigured or do not meet required constraints. See Application Gateway for Containers networking requirements.
• AKS now returns a client error when virtual network encryption is used with API server VNet integration, as this configuration is not supported. See API server VNet integration limitations

Component Updates

• AKS Azure Linux v2 image has been updated to 202512.06.0.
• AKS Azure Linux v3 image has been updated to 202512.06.0.
• AKS Ubuntu 22.04 node image has been updated to 202512.06.0.
• AKS Ubuntu 24.04 node image has been updated to 202512.06.0.
• Windows node images:
  • Server 2019 Gen1 – 17763.8146.251212.
  • Server 2022 Gen1/Gen2 – 20348.4529.251212.
  • Server 23H2 Gen1/Gen2 – 25398.2025.251212.
  • Server 2025 Gen1/Gen2 – 26100.7462.251212.
• Windows GMSA container has been updated to 0.12.1-2_5 in the latest Windows node images.
• Azure Disk CSI driver has been updated to v1.33.7 for AKS clusters of version >= 1.33.
• Azure Blob CSI driver has been downgraded to v1.26.6 for AKS clusters of version >= 1.34 to address stability issues.
• Secrets Store CSI driver has been updated to v1.7.2 for AKS clusters of version >= 1.26.
• Cilium has been updated to v1.18.2 (now distroless) for AKS clusters of version >= 1.34.
• Calico images have been updated to address multiple security vulnerabilities, including: CVE-2025-61725, CVE-2025-61724, CVE-2025-61723, CVE-2025-58189, CVE-2025-58188, CVE-2025-58187, CVE-2025-58186, CVE-2025-58185, CVE-2025-58183, and CVE-2025-47912.
• azure-cns and azure-cni versions have been updated to 1.7.9 for AKS clusters of version >= 1.33.
• CoreDNS images have been updated to address multiple CVEs:
  • CoreDNS image on AKS clusters with version >= 1.34.0 updated to v1.13.1-1
  • CoreDNS image on AKS clusters with version >= 1.33.0 and < 1.34.0 updated to v1.12.1-6
  • CoreDNS image on AKS clusters with version >= 1.32.0 and < 1.33.0 updated to v1.11.3-13
  • CoreDNS image on AKS clusters with version >= 1.24.0 and < 1.32.0 updated to v1.9.4-7
• Network Policy Manager (NPM) has been updated to v1.6.34 for all supported Kubernetes versions to resolve CVEs: CVE-2025-6297, CVE-2025-8058, CVE-2024-10963, CVE-2025-9230, GHSA-2464-8j7c-4cjm.
• IP Masq Agent has been updated to v0.1.15-7 with an Azure Linux 3.0 OS refresh, addressing glibc and OpenSSL vulnerabilities: CVE-2025-4802, CVE-2025-8058, CVE-2025-9230, CVE-2025-9232.
• Istio-based service mesh add-on has been upgraded to v1.27.4 to address CVEs: CVE-2025-66220, CVE-2025-64527, CVE-2025-64763, CVE-2025-55162, CVE-2025-54588. Users can restart workload pods to trigger re-injection of the updated istio-proxy version. More details on patch upgrades are available here.
• Open Service Mesh add-on has been updated to v1.2.11 to address CVEs: CVE-2024-45337, CVE-2025-22869, CVE-2025-22868, CVE-2024-24790, CVE-2024-34156, CVE-2025-47907, CVE-2025-58183, CVE-2025-61729.
• Azure Policy add-on has been updated to v1.15.1.
• Application Gateway Ingress Controller (AGIC) has been updated to v1.9.4.
• Application Monitoring has been upgraded to v1.0.0-beta.10.
• Container Insights has been updated to 3.1.32 with CVE patches
• Azure Monitor Metrics (ama-metrics) has been updated to the release-11-13-2025.
• Cloud controller manager has been updated to v1.34.2 to fix a bug where services sharing Azure IPv6 PIP would not get reconciled.
• Cluster autoscaler has been upgraded to v1.34.1
• Microsoft Defender for Containers Sensor has been updated to v0.8.39.