Release Notes - 2026-05-29
Monitor the release status by regions at AKS-Release-Tracker. Vulnerabilities addressed by AKS releases can be tracked at CVE API viewer.
Announcements of upcoming changes and retirements
- Revision `asm-1-27` of the Istio-based service mesh add-on has been deprecated. Please upgrade to revision 1.28 or later following the Istio add-on upgrade guide.
- Windows Server Annual Channel for Containers retired on AKS on May 15, 2026. 5B is the last image that AKS will produce for Windows Server Annual Channel. After 5B, AKS will no longer produce new Windows Server Annual Channel node images or provide security patches. You will not be able to create new node pools with Windows Server Annual Channel. On May 15, 2027, AKS will remove all existing Windows Annual Channel node images, which will cause scaling and remediation (reimage and redeploy) operations to fail. Customers must migrate their Windows Server Annual Channel node pools to Long Term Servicing Channel (LTSC) by following the migration guide.
- Windows Server 2019 retired on March 1, 2026 and its preview feature flag has been removed. You can expect the following impact: AKS no longer produces new node images or provides security patches. All existing node pools with Windows Server 2019 are unsupported. You will not be able to create new node pools in k8s 1.33+. Starting on April 1, 2027, AKS will remove all existing node images for Windows Server 2019, meaning that scaling operations will fail. For more information, see aka.ms/aks/ws2019-retirement-github.
- Starting on June 8, 2026, AKS no longer supports Flatcar Container Linux for Azure Kubernetes Service (AKS) (preview). At that point, AKS will no longer produce new Flatcar Container Linux node images or provide security patches, and you'll be unable to create new node pools with Flatcar Container Linux. On September 8, 2026, AKS will remove all existing Flatcar Container Linux node images, causing scaling and remediation (reimage and redeploy) operations to fail. Migrate existing Flatcar Container Linux for AKS node pools to Azure Container Linux for AKS.
- Managed system node pools are now generally available for AKS Automatic. New AKS Automatic clusters preconfigure managed system node pools by default. If you have an existing Automatic cluster without managed system node pools, you should recreate the cluster and migrate the workloads.
- New AKS Automatic clusters now preconfigure LocalDNS mode to `Required` by default, including new node pools added to existing Automatic clusters. Existing node pools are unchanged.
- Users with the Azure Kubernetes Service Contributor or Contributor role (with `Microsoft.ContainerService/deploymentSafeguards/write` permission) can now edit the `excludedNamespaces` field for deployment safeguards on Automatic clusters, controlling which policies apply to specific namespaces.
- Deployment safeguards in Enforce mode and Pod Security Standards set to Baseline now allow pods on Automatic clusters to read the `/var/log` and `/hostfs` hostPath volumes (read-only), supporting log exporter scenarios.
- Since AKS manages the system node pool on your behalf, AKS applies multiple layers of security restrictions:
  - New AKS Automatic clusters with managed system node pools now block customer-supplied SSH keys. Existing Automatic clusters with managed system node pools keep their existing keys but can't add new ones; clusters without managed system node pools are unaffected.
  - AKS Automatic clusters enforce a ValidatingAdmissionPolicy that blocks Services from setting `spec.externalIPs`, in line with the upstream deprecation of Service externalIPs. The policy applies immediately to Automatic clusters with managed system node pools, and to Automatic clusters without managed system node pools starting in Kubernetes 1.36.
  - AKS Automatic clusters with managed system node pools deny `kubectl port-forward` for objects and pods running on the managed system node pool.
  - AKS Automatic clusters with managed system node pools block read access to secrets in the `kube-system` namespace, except for known trusted identities. This mitigates the risk of attackers using the node bootstrap token to deploy pods on managed system node pools.
  - AKS Automatic clusters with managed system node pools enforce stricter authorization on MutatingAdmissionPolicyBinding resources by blocking unauthorized mutation operations (create, update, patch, delete).
  - For AKS versions prior to 1.36, AKS Automatic clusters with managed system node pools block all mutating admission resources (MutatingWebhookConfiguration, MutatingAdmissionPolicy, and MutatingAdmissionPolicyBinding) to reduce risk from unsafe mutations. Starting in AKS 1.36, Automatic clusters with managed system node pools allow a controlled subset of mutating admission configurations, provided they do not target the following sensitive resources: nodes, persistentvolumes, certificatesigningrequests, and tokenreviews.
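A pre-upgrade audit for the 1.36 mutating admission rule above, as an added example (not AKS code): it flags MutatingWebhookConfiguration and MutatingAdmissionPolicy rules whose resources can match the four sensitive resources the note lists. The API-group mapping and the conservative handling of wildcards and subresources are assumptions, since the notes do not say how AKS evaluates rules; the sample objects are constructed.

```python
import json

# Sensitive resources named in the release notes -> their Kubernetes API group.
SENSITIVE = {"nodes": "", "persistentvolumes": "",
             "certificatesigningrequests": "certificates.k8s.io",
             "tokenreviews": "authentication.k8s.io"}

def rule_hits(rule):
    """Return the sensitive resources that one admission rule can match."""
    groups = rule.get("apiGroups", [])
    hits = set()
    for pattern in rule.get("resources", []):
        base = pattern.split("/", 1)[0]  # "nodes/status" -> "nodes", "*/status" -> "*"
        for name, group in SENSITIVE.items():
            if base in ("*", name) and ("*" in groups or group in groups):
                hits.add(name)
    return hits

def extract_rules(obj):
    """Yield (source, rule) pairs from a webhook configuration or admission policy."""
    if obj.get("kind") == "MutatingWebhookConfiguration":
        for hook in obj.get("webhooks", []):
            for rule in hook.get("rules", []):
                yield hook.get("name", "?"), rule
    elif obj.get("kind") == "MutatingAdmissionPolicy":
        constraints = obj.get("spec", {}).get("matchConstraints", {})
        for rule in constraints.get("resourceRules", []):
            yield "matchConstraints", rule

def audit(objects):
    """Return sorted (kind, object name, source, sensitive resource) findings."""
    findings = set()
    for obj in objects:
        for source, rule in extract_rules(obj):
            for res in rule_hits(rule):
                findings.add((obj["kind"], obj["metadata"]["name"], source, res))
    return sorted(findings)

# Constructed sample objects (hypothetical names), trimmed to the fields the audit reads.
SAMPLE = json.loads("""[
 {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "sidecar-injector"}, "webhooks": [
   {"name": "inject.example.test", "rules": [{"apiGroups": [""], "resources": ["pods"]}]},
   {"name": "labels.example.test", "rules": [{"apiGroups": [""], "resources": ["nodes/status"]}]}]},
 {"kind": "MutatingAdmissionPolicy", "metadata": {"name": "csr-defaults"}, "spec": {"matchConstraints":
   {"resourceRules": [{"apiGroups": ["*"], "resources": ["certificatesigningrequests"]}]}}}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

On a live cluster, pass `audit()` the `items` array from `kubectl get mutatingwebhookconfigurations -o json` (and the equivalent output for MutatingAdmissionPolicy resources).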
Release notes
Kubernetes versions
- Kubernetes Version 1.36 Preview is being rolled out.
- Kubernetes patch versions 1.35.4, 1.34.7, and 1.33.11 are now available. These builds use Go 1.25.9, which includes fixes for the following CVEs (CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289).
- Kubernetes patch versions 1.35.5, 1.34.8, and 1.33.12 are now available.
Features
- Windows Server 2025 is now generally available. You no longer need to register a feature flag to create Windows Server 2025 node pools. Windows Server 2025 node pools can be created in Kubernetes version 1.32+ with a minimum GA CLI version of 2.87.0.
- Azure Container Linux is generally available (GA) as an OS option on AKS starting AKS v1.34. You can deploy ACL node pools in a new AKS cluster or add ACL node pools to your existing clusters. AKS also supports migrating existing node pools to ACL using in-place OS SKU migration or by creating new ACL node pools. For detailed migration steps, considerations, and rollback instructions, see Migrate existing nodes to ACL.
- Azure Policy add-on now generates ValidatingAdmissionPolicies (VAP) for all customers. This enforces CEL-based policies inside the API server process for minimal latency and enables fail-closed enforcement.
Preview features
- Azure Linux 3.0 confidential VM (CVM) is now available in preview in Fairfax (US Gov) regions. Register the `AzureLinuxCVMPreview` feature to enable it.
- In-place node pool resize is now available in preview. Resize the VM size of an existing VMSS-based node pool in place via `az aks nodepool update --node-vm-size`, without manually creating and migrating to a new node pool.
Behavioral changes
- LocalDNS is now automatically enabled on node pools running Kubernetes 1.36 or later. Node pools with preconfigured LocalDNS or upstream NodeLocal DNS, Cilium or Calico clusters with network policies enabled, and bring-your-own (BYO) CNI clusters are excluded. To disable it, see aka.ms/aks/localdns.
- Node Auto Provisioning (NAP) Standard SKU clusters running Kubernetes 1.36 or later now default to LocalDNS mode `Preferred` on the default and system-surge `AKSNodeClass` resources, improving DNS resolution performance and resilience. Existing in-cluster `AKSNodeClass` specs are preserved.
- Application routing gateways using the Gateway API now write access logs to stdout by default for the managed (meshless) Istio configuration.
- The application routing operator now supports DNS and TLS integrations for the Gateway API, including the ability to configure TLS using Key Vault certificates via the CSI driver and publish DNS A records through ExternalDNS CRDs to map gateway hostnames to load balancer IPs in DNS zones.
- AKS now allows migration from the `managedNATGatewayV2` outbound type to the `block` and `none` outbound types, supporting network-isolated cluster scenarios. Migration to other outbound types remains blocked.
- AKS now validates pod CIDR ranges during cluster create and update for kubenet and Azure CNI Overlay clusters. Clusters can no longer be created or updated with a pod CIDR that overlaps with reserved IP ranges (`172.30.0.0/16`, `172.31.0.0/16`), preventing potential in-cluster networking failures. Existing clusters with an overlapping pod CIDR are unaffected. See CNI prerequisites.
- AKS now rejects Calico NPM and Azure NPM install and uninstall operations on clusters running Kubernetes versions earlier than 1.30. Requests are rejected at the API level with a descriptive error directing customers to upgrade to a newer supported Kubernetes version before retrying. Existing clusters already using Calico NPM or Azure NPM are unaffected.
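A pre-flight check for the pod CIDR validation described above, as an added example rather than AKS's own validator: it tests candidate pod CIDRs against the two reserved ranges the note names, and catches supernets such as `172.16.0.0/12` that a string-prefix comparison would miss. The function name and the sample CIDRs are constructed for illustration.

```python
import ipaddress

# Reserved ranges named in the release notes for kubenet and Azure CNI Overlay clusters.
RESERVED = [ipaddress.ip_network(c) for c in ("172.30.0.0/16", "172.31.0.0/16")]

def check_pod_cidrs(pod_cidrs):
    """Return (cidr, problem) tuples for each malformed or overlapping pod CIDR."""
    problems = []
    for raw in pod_cidrs:
        try:
            # strict=False accepts values with host bits set, e.g. 172.31.5.7/24.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError as exc:
            problems.append((raw, f"invalid CIDR: {exc}"))
            continue
        for reserved in RESERVED:
            # Only compare like with like; an IPv6 pod CIDR cannot overlap these ranges.
            if net.version == reserved.version and net.overlaps(reserved):
                problems.append((raw, f"overlaps reserved range {reserved}"))
    return problems

if __name__ == "__main__":
    # Constructed candidates: a safe range, a supernet of both reserved ranges,
    # a subnet of one reserved range, an IPv6 range, and a malformed value.
    candidates = ["10.244.0.0/16", "172.16.0.0/12", "172.30.128.0/17",
                  "fd00:10:244::/56", "10.0.0.0/33"]
    for cidr, problem in check_pod_cidrs(candidates):
        print(f"{cidr}: {problem}")
```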
Bug fixes
- Fixed an issue in the Istio-based service mesh add-on where operations on `v1beta1` Gateway resources were incorrectly rejected with an "Unknown gvk" error from the admission webhook. The webhook now registers a handler for `v1beta1` Gateway resources.
- Fixed a bug where the Multiple Standard Load Balancers rebalance operation ignored orphaned nodes (nodes present in the cluster but not on any load balancer backend pool). Orphaned nodes are now included during rebalancing and distributed evenly across load balancers.
- Fixed a bug where a cluster create or update could report success but silently fail to install Karpenter or KEDA. The operation now fails and returns an error describing the installation failure.
Component updates
- Azure Blob Storage CSI driver has been updated with the latest security patches. AKS now uses Azure Blob CSI driver v1.26.12 on AKS 1.32+ clusters and v1.27.5 on AKS 1.34+ clusters.
- Azure Disk CSI Driver has been upgraded:
- Azure File CSI Driver has been upgraded:
- Cloud Provider Azure has been updated to include the `v1.36.0` release. `cloud-controller-manager` and `cloud-node-manager` are now mapped to `v1.36.1-1` for Kubernetes 1.36, supported minor versions were bumped for 1.32–1.35, and `health-probe-proxy` was updated from `v1.35.3-2` to `v1.36.1-1`.
- Azure CNI Powered by Cilium has been updated:
- Advanced Container Networking Services (ACNS) DNS proxy has been updated to v1.18.9-260520 on AKS 1.34+ and includes security patch updates addressing CVEs.
- Azure Policy add-on has been updated to v1.15.5-1 on AKS 1.30+ clusters and patches CVE-2026-25679, CVE-2026-27142, CVE-2026-27139, CVE-2026-32280, CVE-2025-68121, CVE-2025-61726, CVE-2025-61728, CVE-2026-32281, and CVE-2026-32283.
- Microsoft Defender for Containers sensor has been upgraded to `v0.9.53` on AKS 1.35+ and `v0.8.50` on AKS earlier than 1.35. This update introduces malware scanning as a new optional capability that customers can enable, along with blocking support for the existing GA Drift Detection capability.
- Microsoft Defender for Containers sensor `v0.10` is now available on AKS 1.36.
- Azure Monitor managed service for Prometheus add-on has been updated to v7.0.0, incorporating the May release.
- Node Auto Provisioning (NAP) Karpenter provider has been updated to `v1.12.1`.
- AKS Windows images:
  - Windows Server 2022 - 20348.5139.260513.
  - Windows Server 2025 - 26100.32860.260513.
  - Windows Server 23H2 - 25398.2330.260513.
- AKS Azure Linux images:
  - v3.0 - 202605.05.1.
  - v3.0 - 202605.14.0.
  - v3.0 - 202605.27.0.
- AKS Ubuntu images:
  - Ubuntu 22.04 - 202605.05.1.
  - Ubuntu 22.04 - 202605.14.0.
  - Ubuntu 22.04 - 202605.27.0.
  - Ubuntu 24.04 - 202605.05.1.
  - Ubuntu 24.04 - 202605.14.0.
  - Ubuntu 24.04 - 202605.27.0.