Release Notes - 2026-06-19
Monitor the release status by regions at AKS-Release-Tracker. Vulnerabilities addressed by AKS releases can be tracked at CVE API viewer.
Announcements
- Windows Server 2022 retirement has been extended. Please note the following updates:
  - Windows Server 2022 retires on June 30, 2028. After that date, AKS will no longer produce new node images or provide security patches. After that date, you will not be able to create new node pools with Windows Server 2022 on any Kubernetes version. All existing node pools with Windows Server 2022 will be unsupported.
  - Windows Server 2022 is not supported in Kubernetes version 1.37 and above.
  - Starting on June 30, 2029, AKS will remove all existing node images for Windows Server 2022, meaning that scaling operations will fail.
  - For more information on this retirement, see the Retirement GitHub issue.
- Azure Service Mesh add-on revision asm-1-30 (estimated to release in early July) introduces the following changes to default behavior:
  - The default proxy redirection mechanism on new installations will change from privileged init containers to Istio CNI for revisions asm-1-30 and above. Clusters upgrading to asm-1-30 will not be impacted. Read more about Istio CNI. To retain the existing proxy redirection mechanism on new installations, see the instructions to disable Istio CNI.
  - Starting with asm-1-30, Istio ingress, egress, and gateway pods will have a weighted preference of 100 for nodes labeled azureservicemesh/istio.replica.preferred (previously 50) and 50 for AKS system nodes labeled kubernetes.azure.com/mode: system (previously 100).
Kubernetes versions
- Kubernetes version 1.36 is now generally available and supported as a Long Term Support (LTS) version. You no longer need to enable a preview to create or upgrade clusters to 1.36.
Features
- The Application Gateway for Containers managed add-on is now generally available. You no longer need to register a preview feature flag to enable the ALB controller on your cluster.
- FIPS is now supported on Ubuntu 22.04 node pools with FIPS 140-3 compliance in the 2026-05-29 release. You can migrate to Ubuntu 22.04 FIPS by upgrading existing FIPS node pools to Kubernetes 1.35+ with the 'Ubuntu' OS SKU, or by updating existing FIPS node pools on Kubernetes 1.25+ to the 'Ubuntu2204' OS SKU. You can now enable FIPS and Trusted Launch in the same node pools when using Ubuntu on AKS.
- AKS now supports the NVIDIA RTX PRO 6000 Blackwell Server Edition GPU VM sizes as managed GPUs. These SKUs use the NVIDIA GRID driver and are supported on Ubuntu node pools.
- Confidential VMs (CVM) with Azure Linux are now generally available.
Behavioral changes
- On AKS Automatic clusters running Kubernetes 1.36 or later, you can now disable the default application routing add-on with Gateway API to use the Istio-based service mesh add-on with Istio CNI, either at cluster create time or afterward.
- Deployment Safeguards in Enforce mode now apply default resource requests to DaemonSets and Jobs when those requests are missing, in addition to Deployments and StatefulSets. This includes AKS Automatic clusters.
- You can now configure custom Prometheus metric scraping and log collection on AKS Automatic clusters that use a managed system node pool.
- AKS now automatically derives the IPv6 pod CIDR from the pod subnet when you create a dual-stack Azure CNI static block allocation (VnetScale) cluster, so you no longer need to pass the pod CIDR explicitly.
- Windows gMSA now validates for CoreDNS conflicts. AKS rejects enabling gMSA, or changing its root domain name, when the cluster's coredns-custom ConfigMap already defines a server block for the same domain. This prevents a duplicate zone that would crash CoreDNS and disrupt cluster-wide DNS.
- AKS now rejects enabling FIPS (--enable-fips-image) on Pod Sandboxing (Kata) workload runtime node pools. The Kata node image doesn't carry FIPS compliance, so the request now fails at the API with a clear error instead of silently providing no FIPS enforcement.
- You can now create Pod Sandboxing (Kata) node pools on Standard_DadsV7-series VM sizes, which were previously rejected by nested-virtualization validation.
- You can now migrate an AKS Automatic cluster that uses a managed system node pool to the AKS Base SKU.
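
A pre-flight check for the gMSA and CoreDNS conflict in the list above, as an added example that is not AKS code: it lists the coredns-custom keys whose server blocks already declare a given root domain. The ConfigMap data and domain names are constructed, and treating "same domain" as an exact match after normalization is an assumption, since the notes do not show the rule AKS applies.

```python
import re

# Constructed sample: the data section of a coredns-custom ConfigMap.
# Keys ending in .server hold whole server blocks; domains are made up.
SAMPLE_DATA = {
    "corp.server": "corp.contoso.com:53 {\n    errors\n    forward . 10.0.0.4\n}\n",
    "multi.server": "# lab zones\nlab.example.org:53 Partner.Example.net. {\n"
                    "    forward . 10.0.0.5 {\n        max_fails 2\n    }\n}\n",
    "log.override": "log\n",
}

def normalize(zone):
    """Lower-case a zone and drop any scheme, port and trailing dot."""
    zone = re.sub(r"^[a-z]+://", "", zone.strip().lower())
    return re.sub(r":\d+$", "", zone).rstrip(".")

def server_block_zones(data):
    """Yield (key, zone) for each zone named on a server block header."""
    for key, text in data.items():
        if not key.endswith(".server"):
            continue
        depth = 0  # brace depth, so nested plugin blocks are not headers
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if depth == 0 and line.endswith("{"):
                for token in line[:-1].split():
                    yield key, normalize(token)
            depth += line.count("{") - line.count("}")

def gmsa_conflicts(data, root_domain):
    """Return the ConfigMap keys that already serve root_domain."""
    wanted = normalize(root_domain)
    return sorted({k for k, z in server_block_zones(data) if z == wanted})

if __name__ == "__main__":
    for domain in ("CORP.contoso.com.", "partner.example.net", "contoso.com"):
        print(domain, "->", gmsa_conflicts(SAMPLE_DATA, domain) or "no conflict")
```
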
Bug fixes
- Fixed an issue where the aks-istio-system namespace was not exempted from the Azure Policy add-on when using application routing with the Gateway API in Istio mode. The namespace is now exempted, so the two features can be used together in the same cluster.
- Fixed a bug where Multiple Standard Load Balancers rejected valid domain-prefixed label keys (for example, kubernetes.io/os) in node selectors. Label selector validation now follows standard Kubernetes semantics.
Component updates
- The Istio-based service mesh add-on revisions asm-1-29 and asm-1-28 have been upgraded to patches 1.29.4 and 1.28.8, which address CVE-2026-47774. Restart your workload pods to trigger re-injection of the updated istio-proxy sidecar. For more information, see the Istio add-on upgrade guide.
- Azure File CSI Driver has been upgraded to v1.35.4 on AKS 1.35 and 1.36.
- Azure Blob Storage CSI driver has been upgraded to v1.26.14 on AKS 1.33 and v1.27.7 on AKS 1.34+. This update also fixes a regression where blob containers with a $ in the name (for example, $web) could not be accessed.
- Azure CNI Powered by Cilium has been updated:
- Cloud Provider Azure components (cloud-controller-manager, cloud-node-manager, and health-probe-proxy) have been updated to the June 18, 2026 release: v1.33.14 on AKS 1.33, v1.34.11 on AKS 1.34, v1.35.6 on AKS 1.35, and v1.36.2 on AKS 1.36.
- AKS Windows images:
  - Windows Server 2022 - 20348.5256.260610.
  - Windows Server 2025 - 26100.32995.260610.
- AKS Azure Linux images:
  - v3.0 - 202606.08.1.
  - Ubuntu images are listed separately below.
- AKS Ubuntu images:
  - Ubuntu 22.04 - 202606.08.1.
  - Ubuntu 24.04 - 202606.08.1.
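
To confirm that workloads picked up the patched sidecar after the restart called for in the Istio item above, this added example (not part of the release notes or of AKS tooling) scans a pod list for istio-proxy containers below 1.29.4 or 1.28.8. The pod list, registry and image tags are constructed; images pinned by digest only are reported as unknown.

```python
import re

# Patched minimums named in the release note, keyed by (major, minor).
PATCHED = {(1, 29): (1, 29, 4), (1, 28): (1, 28, 8)}
# Version tag at the end of an image reference, with an optional suffix.
TAG = re.compile(r":(\d+)\.(\d+)\.(\d+)(?:[-+@].*)?$")

def pod(ns, name, containers, init=()):
    """Build a minimal pod object shaped like kubectl's JSON output."""
    def as_list(pairs):
        return [{"name": n, "image": i} for n, i in pairs]
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": as_list(containers),
                     "initContainers": as_list(init)}}

# Constructed sample standing in for `kubectl get pods -A -o json`.
# The registry, image names and tags are made up for illustration.
PROXY = "registry.example/istio/proxyv2"
APP = ("app", "registry.example/app:2.1")
SAMPLE = {"items": [
    pod("shop", "cart", [APP, ("istio-proxy", PROXY + ":1.28.7-distroless")]),
    pod("shop", "pay", [APP, ("istio-proxy", PROXY + ":1.28.8-distroless")]),
    # Sidecar injected as an init container (native sidecar mode).
    pod("web", "front", [APP], init=[("istio-proxy", PROXY + ":1.29.3")]),
    pod("web", "api", [APP, ("istio-proxy", PROXY + "@sha256:constructed")]),
    pod("batch", "report", [APP]),  # no sidecar, ignored
]}

def stale_sidecars(pod_list):
    """Return (namespace/name, version) for sidecars below the patch level."""
    findings = []
    for item in pod_list["items"]:
        spec = item["spec"]
        ref = "{namespace}/{name}".format(**item["metadata"])
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if c["name"] != "istio-proxy":
                continue
            match = TAG.search(c["image"])
            if not match:  # digest-only or unversioned tag: verify by hand
                findings.append((ref, "unknown"))
                continue
            version = tuple(int(part) for part in match.groups())
            floor = PATCHED.get(version[:2])  # other minors are not judged
            if floor and version < floor:
                findings.append((ref, ".".join(map(str, version))))
    return findings

if __name__ == "__main__":
    for ref, version in stale_sidecars(SAMPLE):
        print(f"{ref}: istio-proxy {version}")
```
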