Azure/AKS 2026-04-28

Release 2026-04-28

on GitHub

Release Notes - 2026-04-28

Monitor the release status by regions at AKS-Release-Tracker. Vulnerabilities addressed by AKS releases can be tracked at CVE API viewer.

Announcements

• AKS-2026-0003: A Linux kernel algif_aead local privilege escalation vulnerability (CVE-2026-31431) lets a pod escalate to root on the underlying node — including non-root pods with no special capabilities. Affects AKS nodes running Ubuntu 20.04 FIPS, Ubuntu 22.04, Ubuntu 24.04, and Azure Linux 3.0. Azure Linux 2.0 (Mariner) and Windows nodes aren't affected. The mitigation is globally deployed in node image versions 202604.13.0 and 202604.24.0. New nodes and any node that goes through a node image upgrade are automatically protected. Existing nodes aren't patched in place — upgrade the node image, or, if your pool is already on 202604.24.0, apply the mitigation DaemonSet from the advisory immediately. See the AKS security bulletin for full details.
• The Kubernetes SIG Network and the Security Response Committee announced the upcoming retirement of the Ingress NGINX project, with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the application routing Gateway API implementation for a Gateway API-based ingress traffic management experience.

Kubernetes Version

• New Kubernetes patch versions are now available: 1.35.2, 1.35.3, 1.34.5, 1.34.6, 1.33.9, and 1.33.10.
• AKS Kubernetes Long Term Support (LTS) version 1.29 is deprecated. Please upgrade your clusters to a supported version. Refer to AKS Support Calendar for more information.
• AKS Kubernetes version 1.32 is now available only through Long Term Support. Use an LTS support plan for clusters that need to remain on 1.32, or upgrade to a supported standard-support Kubernetes version.

For deprecation, rollouts and patch timelines by region, please check the AKS-Release-Tracker.

Preview Features

• Added preview support for AKS-managed NAT Gateway V2 outbound type in supported public Azure regions. Regions where StandardV2 NAT Gateway is not yet available remain excluded.
• Customers can now preview customization of the default kube-reserved and hard eviction kubelet configuration through the existing custom node preview feature registration starting with the 2026-03-02-preview API.
• Customers can now view the VM SKUs supported on AKS and available in their Azure subscription with the AKS List Available VM SKUs API, to create their clusters and/or add node pools.
• AKS-managed GPU metrics are now supported by default in Azure Managed Prometheus and Dashboards with Grafana in Azure Monitor.

Features

• Gateway API-based ingress for the application routing add-on is now generally available. The Kubernetes SIG Network and the Security Response Committee announced the upcoming retirement of the Ingress NGINX project, with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the application routing Gateway API implementation for a Gateway API-based ingress traffic management experience.
• AKS Automatic clusters with managed system node pools can now migrate to AKS Standard clusters in additional regions after adding a system node pool.
• Users can now configure spec.minReadySeconds in the Application Routing Gateway Parameters ConfigMap. This helps applications that need extra initialization time after passing their initial health check and can reduce disruption during rolling upgrades. See the related AKS GitHub issue.

Bug Fixes

• Fixed an issue in the Istio-based service mesh add-on where the CRD installer could pull busybox from an unintended registry in AGC environments. This also removes non-Job Helm hooks from related resources to avoid a CRD installer race condition.
• Fixed empty PUT reconcile failures with CustomRouteTableInvalidUpdateAttempt on clusters using bring-your-own route tables.
• Added validation to prevent enabling Artifact Streaming with Pod Sandboxing, which is not supported.
• Added AKS Automatic managed system node pool protection that blocks ClusterRoleBinding create or update requests when the roleRef targets configured privileged ClusterRoles, reducing the risk of privilege escalation through service account impersonation.

Behavioral Changes

• Starting on AKS 1.36, new AKS Automatic clusters will be preconfigured with Kubernetes Gateway API via the application routing add-on instead of Managed NGINX ingress with the application routing add-on due to the upstream Ingress NGINX retirement. Existing clusters are not changed. Creating Automatic clusters with explicit --enable-app-routing continues to enable NGINX, while explicit --enable-app-routing-istio enables Gateway API without NGINX.
• Mesh Membership now requires the Managed Gateway API add-on to be enabled with Standard or InferenceExtension installation before a cluster can join an Azure Kubernetes Application Network. Attempts to create a mesh membership without the required Gateway API add-on return a 400 Bad Request error. For more information, see aka.ms/managed-gateway-api.
• When using HTTP Proxy, you cannot add more than 20 Trusted CA certificates. See HTTP Proxy limitations for more information.
• AKS is rolling out kube-proxy reduced privileges for Kubernetes 1.30 and later. kube-proxy uses the NET_ADMIN and SYS_RESOURCE Linux capabilities instead of privileged: true. Kubernetes 1.29 and earlier are unaffected.
• Fleet-managed resources are now deployed through managed namespace ClusterResourcePlacement selection so fleet-managed resources can be rolled out separately from customer workloads.

Component Updates

• Azure Policy add-on has been updated to 1.16.1. Gatekeeper has been updated to 3.20.1-8 with CVE fixes.
• Istio-based service mesh add-on revisions have been updated: asm-1-27 to 1.27.9-2, asm-1-28 to 1.28.6-1, and asm-1-29 to 1.29.2-1. Revision asm-1-29 is now available, and asm-1-26 is deprecated. For more information, see Istio add-on patch upgrades.
• Azure Monitor Container Insights has been updated to 3.3.0.
• Node Auto Provisioning has been updated to Karpenter Azure provider v1.10.2. This release sets Artifact Streaming uniformly disabled by default.
• Application Routing NGINX updated to NGINX image version 1.13.9. See the upstream ingress-nginx controller 1.13.9 changelog.
• Azure Disk CSI driver has been updated to v1.34.3 on AKS 1.35 and v1.33.9 on AKS 1.33 and 1.34.
• Azure File CSI driver has been updated to v1.35.2 on AKS 1.35, v1.34.5 on AKS 1.34, and v1.33.9 on AKS 1.33.
• Azure Blob CSI driver has been updated to v1.27.4 on AKS 1.34 and 1.35, and v1.26.11 on AKS 1.33.
• Cloud-provider-azure components, including cloud-controller-manager, cloud-node-manager, and health-probe-proxy, have been updated for AKS 1.32, 1.33, 1.34, and 1.35 with the April 2026 releases v1.32.16, v1.33.11, v1.34.8, and v1.35.3.
• Cilium has been updated to v1.17.10 for Kubernetes 1.32 and 1.33 to support Gateway API scenarios.
• Azure Monitor managed Prometheus collector has been updated to the April 9, 2026 release.
• Cost-analysis agent and scraper images have been updated from 0.0.25 to 0.0.26 with CVE fixes.
• AKS Windows images:
  • Windows Server 2022 - 20348.5020.260415.
  • Windows Server 2025 - 26100.32690.260415.
  • Windows Server 23H2 - 25398.2274.260415.
• AKS Azure Linux images:
  • v3.0 - 202603.18.1.
  • v3.0 - 202603.30.0.
  • v3.0 - 202604.13.0.
  • v3.0 - 202604.24.0.
• AKS Ubuntu images:
  • Ubuntu 22.04 - 202603.18.1.
  • Ubuntu 22.04 - 202603.30.0.
  • Ubuntu 22.04 - 202604.13.0.
  • Ubuntu 22.04 - 202604.24.0.
  • Ubuntu 24.04 - 202603.18.1.
  • Ubuntu 24.04 - 202603.30.0.
  • Ubuntu 24.04 - 202604.13.0.
  • Ubuntu 24.04 - 202604.24.0.