Azure AKS (changelog)


Release 2025-03-16

Monitor the release status by region in the AKS Release Tracker. This release is titled v20250316.

Announcements

  • Starting in April 2025, Azure Kubernetes Service will begin rolling out a change to enable quota for all current and new AKS customers. AKS quota will represent a limit of the maximum number of managed clusters that an Azure subscription can consume per region. Existing AKS customer subscriptions will be given a quota limit at or above their current usage, depending on region availability. Once quota is enabled, customers can view their available quota and request quota increases in the Quotas page in the Azure Portal or by using the Quotas REST API. For details on how to view and request quota increases via the Portal Quotas page, visit Azure Quotas. For details on how to view and request quota increases via the Quotas REST API, visit: Azure Quota REST API Reference. New AKS customer subscriptions will be given a default limit upon new subscription creation. More information on the default limits for new subscriptions is available in documentation here.
  • The rollout of AKS Kubernetes version 1.32 has been delayed and is now expected to reach all regions on or before the end of April. Please use the az aks get-versions command to check whether Kubernetes version 1.32 is available in your region.
  • AKS will be upgrading the KEDA addon to more recent KEDA versions. The AKS team will add KEDA 2.16 on AKS clusters with Kubernetes versions >=1.32 and KEDA 2.14 for Kubernetes v1.30 and v1.31. KEDA 2.15 and KEDA 2.14 will introduce multiple breaking changes. View the troubleshooting guide to learn how to mitigate these breaking changes.
  • AKS Kubernetes version 1.28 will soon be available as a Long Term Support version.
  • You can now switch non-LTS clusters on Kubernetes versions 1.25 onwards and within 3 versions of the current LTS versions to LTS by switching their tier to Premium.
  • On 31 March 2025, AKS will no longer allow new cluster creation with the Basic Load Balancer. On 30 September 2025, the Basic Load Balancer will be retired. We will be posting updates on migration paths to the Standard Load Balancer. See AKS Basic LB Migration Issue for updates on when a simplified upgrade path is available. Refer to Basic Load Balancer Deprecation Update for more information.
  • The asm-1-22 revision for the Istio-based service mesh add-on has been deprecated. Migrate to a supported revision following the AKS Istio upgrade guide.
  • The pod security policy feature was retired on 1st August 2023 and removed from AKS versions 1.25 and higher. The PodSecurityPolicy property will be officially removed from the AKS API starting from 2025-03-01.
  • Starting on 17 June 2025, AKS will no longer create new node images for Ubuntu 18.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions and scaling restrictions, and to remain supported, please follow our instructions to upgrade to a supported Kubernetes version.
  • Starting on 17 March 2027, AKS will no longer create new node images for Ubuntu 20.04 or provide security updates. Existing node images will be deleted. Your node pools will be unsupported and you will no longer be able to scale. To avoid service disruptions and scaling restrictions, and to remain supported, please follow our instructions to upgrade to Kubernetes version 1.34+ by the retirement date.
  • Customers on retired NCv1, NCv2, NDv1, and NVv1 VM sizes should expect to have those node pools deallocated. Please move to supported VM sizes. You can find more information and instructions to do so here.

Release Notes

  • Features:

  • Preview Features:

    • You can use the EnableCiliumNodeSubnet feature in preview to create Cilium node subnet clusters using Azure CNI Powered by Cilium.
    • Control plane metrics are now available through Azure Monitor platform metrics in preview to monitor critical control plane components such as API server and etcd.
  • Bug Fixes:

    • Fixed an issue with the retina-agent volume by restricting its access to only the /var/run/cilium directory. Before this fix, retina-agent mounted /var/run from the host, which is a potential issue because data in that directory can be overwritten.
    • Fixed an issue where SSHAccess was being reset to the default value enabled on partial PUT requests for managedCluster.AgentPoolProfile.SecurityProfile without specifying SSHAccess.
    • Fixed an issue where Node Auto Provisioning (Karpenter) failed to properly apply the kubernetes.azure.com/azure-cni-overlay=true label to nodes which resulted in failure to assign pod IPs in some cases.
    • Fixed an issue where calico-typha could be scheduled on virtual-kubelet due to overly permissive tolerations. Tolerations are now properly restricted to prevent incorrect scheduling. Check this GitHub Issue for more details.
    • Fixed an issue in Hubble-Relay scheduling behavior to prevent deployment on cordoned nodes, allowing the cluster autoscaler to properly scale down nodes.
    • Fixed an issue where pods could get stuck in ContainerCreating during Cilium+NodeSubnet to Cilium+Overlay upgrades by ensuring the original network configuration is retained on existing nodes.
    • Fixed an issue where the priority class wasn't set on the Custom CA Trust DaemonSet. This change ensures that the DaemonSet will not be evicted first in case of node pressure.
    • Fixed an issue where policy enforcements through Azure Policy addon were interrupted during cluster scaling or upgrade operations due to a missing Pod Disruption Budget (PDB) for the Gatekeeper webhook pods.
  • Behavior Changes:

    • AI toolchain operator add-on has switched from using the Machine CRD to NodeClaim CRD, introducing a change in the experience to clean up resources after a KAITO workspace is deleted. Note that existing workspaces and GPU nodes provisioned by the add-on remain unaffected. Please refer to the updated AKS guidance for deletion of resources provisioned in old workspaces.
    • AKS will now enforce the limit of 10 unique CAs added to the node's trust store when using Custom Certificate Authority.
    • The default maxSurge value is now 10% for all new and existing clusters with Kubernetes versions >= 1.32.0.
    • Starting with Kubernetes 1.32, all Azure CNI NodeSubnet clusters will have the CNI installed via the Azure CNS DaemonSet instead of during node provisioning.
    • AKS now validates Istio custom resources that do not have the istio.io/rev label set.
    • When creating an Azure Container Registry (ACR) cache rule to cache Microsoft Container Registry (MCR) container images in the private ACR, the required cache rule should be changed from /* to aks-managed-repository/*.
    • When creating a network isolated cluster with a managed private Azure Container Registry (ACR), the registry will now have anonymous pull access set to false.
  • Component Updates: