github Azure/AKS 2026-02-08
Release 2026-02-08
on GitHub

4 hours ago

Release Notes 2026-02-08

Monitor the release status by regions at AKS-Release-Tracker.

Announcements

  • Windows Server 2019 is scheduled for retirement on March 1, 2026. Please transition to Windows Server 2022+ by that date. After that date, AKS will no longer produce new node images or provide security patches for Windows Server 2019. After that date, you will not be able to create new node pools with Windows Server 2019 on any Kubernetes version. All existing node pools with Windows Server 2019 will be unsupported. Windows Server 2019 is not supported in Kubernetes versions >= 1.33. Starting on April 1, 2027, AKS will remove all existing node images for Windows Server 2019 which will result in failure of scaling and remediation (reimage and redeploy) operations.
  • Windows Server Annual Channel (Preview) on AKS will be retired on May 15, 2026, please transition to the Long Term Servicing Channel (LTSC) by that date. From now to May 15, 2026 you can continue to use Windows Server Annual Channel (Preview) without disruption. On May 15, 2026, AKS will no longer produce new Windows Server Annual Channel node images or provide security patches. You will not be able to create new node pools with Windows Server Annual Channel. On May 15, 2027, AKS will remove all existing Windows Server Annual Channel node images, which will cause scaling and remediation (reimage and redeploy) operations to fail.

Kubernetes Version

Preview Features

Features

Behavioral Changes

  • LocalDNS is now enabled by default for clusters running Kubernetes 1.35+.
  • Nodes are now annotated with a kubernetes.azure.com/security-patch-timestamp annotation during a security VHD reboot upgrade. This gives you a unified way to verify when the last security patch was applied to each node. Refer to Autoupgrade Node OS Image FAQs for more information.
  • By default, AKS no longer creates or updates Network Security Groups on subnets it delegates for Application Gateway for Containers, improving reliability in policy-managed environments.
  • To protect against potential security concern of remote code execution via nodes/proxy get permission, AKS Automatic has added multiple layers of defense:
    1. A ValidatingAdmissionPolicy(VAP) that restrict the use of the Kubernetes nodes/proxy permission. One policy blocks creation or updates of ClusterRole and Role objects granting nodes/proxy, except for approved system users and groups.
    2. An authorization policy that denies nodes/proxy by default. This prevents exploitation even if a user has already been granted nodes/proxy permission through existing RBAC bindings. Approved system users, groups, and kube-system service accounts are exempt.
  • AKS Deployment Safeguards no longer Deny missing startup, liveness, and readiness probe requirements on AKS Automatic clusters. The policy has been changed to warn only. Learn more.
  • Gateway API CRDs can now be enabled directly without first requiring a supported gateway implementation such as the Managed Istio service mesh add-on to be enabled on the cluster.

Component Updates

Check out latest releases or
releases around Azure/AKS 2026-02-08

Don't miss a new AKS release

NewReleases is sending notifications on new releases.

Get notifications