2025 01 30 - Release Notes #4779

Open
wants to merge 22 commits into
base: master
Changes from 5 commits
90 changes: 89 additions & 1 deletion CHANGELOG.md
Expand Up @@ -2,6 +2,94 @@

## Release 2025-01-06

Monitor the release status by regions at [AKS-Release-Tracker](https://releases.aks.azure.com/). This release is titled as `v20250130`.

### Announcements
* General support for AKS Kubernetes version 1.28 was deprecated on Jan 30, 2025. Upgrade your clusters to version 1.29 or later. Refer to [version support policy](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions?tabs=azure-cli#kubernetes-version-support-policy) and [upgrading a cluster](https://learn.microsoft.com/azure/aks/upgrade-aks-cluster?tabs=azure-cli) for more information.
* Azure Kubernetes Service will no longer support the [WebAssembly System Interface (WASI) nodepools (preview).](https://learn.microsoft.com/azure/aks/use-wasi-node-pools) Starting on May 5, 2025 you will no longer be able to create new WASI nodepools. If you'd like to run WebAssembly (WASM) workloads, you can [deploy SpinKube to Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/deploy-spinkube) from Azure Marketplace. For more information on this retirement, see [AKS GitHub](https://github.com/Azure/AKS/issues/4770).
* Security patch releases in release tracker, starting with 20250115T000000Z will contain release notes for the release.

### Release Notes
* Features:
* AKS Kubernetes patch versions 1.29.11, 1.30.7 and 1.31.3 are now available.
* AKS LTS version 1.28 available in all regions.
* The upcoming apiVersion 2025-01-01 will enable additional outbound configurations to allow for servicing of network isolated clusters.
* CNI validation for node autoprovisioner now allows all CNI configurations except for Calico and kubenet.
* AKS Automatic SKU now supports BYO Virtual Networks.

* Behavior change:
* Proper casing will be enforced on PUT of `Microsoft.ContainerService/managedClusters/agentPools` for the `AgentPoolMode` property. See this [issue](https://github.com/Azure/AKS/issues/4468) for more detail.
* Change the toggle for cilium nodesubnet support to `true` by default. The feature is still behind a feature flag `EnableCiliumNodeSubnet`, but with this change, customers can create cilium nodesubnet clusters.
* Changes to removes Prometheus port and scrape annotations from Retina Linux and Windows daemonset for basic and advanced. This avoids duplication for customers utilizing Retina.
* New clusters will no longer be able to enable the HTTP application routing add-on. See the notice on this migration guide: https://learn.microsoft.com/azure/aks/app-routing-migration
* The Windows liveness probe for Managed Prometheus has moved to use a health endpoint starting with the image: 6.14.0-main-01-16-2025-8d52acfe. This change makes a backwards compatible change so that older images can still use the batch script for the liveness and the new image will use the health endpoint.
* The LoadBalancer can now be customized to include `port_*` annotations referenced in the [documentation](https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#loadbalancer-annotations). An additional annotation has been added for: `external-dns.alpha.kubernetes.io/hostname`.

* Bug Fix:
* Fixed a typo (tcpKeepAlive - tcpKeepalive) in the istio [meshconfig toggle](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-tcp_keepalive). The typo made the toggle unusable since only toggles in the meshconfig are allowed.
* Fixed a bug where some AgentPools with `"kubeletDiskType":"OS",` were not validated.
* Fixed a bug when create a cluster with a private DNS zone may result in an `InvalidTemplateDeployment` error.
* Fixed an issue where the Karpenter image version was not being set correctly: TODO: confirm w/ Bryce.
* Fixed a race and potential deadlock condition when a Non-Cilium cluster is updating to ACNS Cilium.
* Added early validation when of valid subnets to block 169.254.0.0/16 (link local) before run-time failures occur.
* Fixed a breaking change between AppArmor and cilium. Starting on K8s 1.30 and Ubuntu 24.04, cilium containers can fail with error Init:CreateContainerError since AppArmor annotations are no longer supported. This change keeps apparmor annotations for k8s versions below 1.30, and adds the new security context field for k8s versions 1.30 and above. Related PR in upstream cilium charts: [https://github.com/cilium/cilium/pull/32199](https://github.com/cilium/cilium/pull/32199).
* Fixed a bug that prevented upgrade from starting if the PDB expected pod count is less than the minAvailable count.
* Change to propagate network plugin mode and network dataplane values to karpenter to enable alternate CNIs
* Update the AKSNodeClass CRD to add vnetSubnetID and remove imageVersion
* Fixed an error condition when AKS attempts to remove the taint `disk.csi.azure.com/agent-not-ready=NoExecute` on node startup. More details: [https://github.com/kubernetes-sigs/azuredisk-csi-driver/pull/2309](https://github.com/kubernetes-sigs/azuredisk-csi-driver/pull/2309)
* Addressed an issue related to node subnet `IPAM Invoker Add failed with error: Failed to allocate pool` and the associated [agentbaker release](https://github.com/Azure/AgentBaker/pull/5551).
* Added validation when a cluster migrates to CNI Overlay to block migration when there is a custom ip-masq-agent config in the kube-system namespace. This prevents loss of connectivity during migration. See the [AKS documentation](https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-ipam-and-dataplane) for more information.

* Component updates:
* Cilium v1.14 version from v1.14.18-241220 to v1.14.18-250107 (v1.14.18-1) to include a fix for cilium dual stack upgrades. On upgrades cilium config changes bpf-filter-priority from 1 2 but is not cleaning up the old filters at the old priority and as a result impacts connectivity. This patch will fix this bug, see GH issue in cilium repo for more details https://github.com/cilium/cilium/issues/36172
* Update the Azure disk driver version to v1.30.6 on AKS Version 1.30+ to fix CVE using toggle TODO: which CVE?
* Update Azure File CSI driver version to v1.29.10 on AKS 1.28 LTS
* Update Azure File CSI driver version to v1.30.7 on AKS 1.29 and 1.30
* Update Azure File CSI driver version to v1.31.3 on AKS 1.31
* Update Azure Disk CSI driver to v1.29.12 on AKS 1.28, 1.29
* Update Azure Disk CSI driver to v1.30.7 on AKS 1.30, 1.31
* Update Azure Blob CSI driver to v1.23.10 on AKS 1.28, 1.29
* Update Azure Blob CSI driver to v1.24.6 on AKS 1.30, 1.31
* Update Workload Identity image version to v1.4.0
* CNS/CNI updated to v.1.6.18 which includes Cilium nodesubnet support
* Added Multi-Instance GPU support for standard_nc40ads_h100_v5
* Update the OMS image to v3.1.25-1
* Update secrets store driver to v1.4.7 and akv provider to v1.6.2.
* Update Container Insights to v3.1.25
* Updates the Retina basic image to v0.0.23 on Linux and Windows: [release notes](https://github.com/microsoft/retina/releases/tag/v0.0.23)
* Update karpenter image version to 0.6.1-aks
* Update agentbaker version to v0.20250122.0
* Update Cilium v1.16 from v1.16.5-250108 to v1.16.5-250110 (v1.16.5-1) to include a fix for Cilium dual stack upgrades. This will fix [https://github.com/cilium/cilium/issues/36172](https://github.com/cilium/cilium/issues/36172). The following CVEs are included in [v1.16.5](https://github.com/cilium/cilium/releases/tag/v1.16.5)
* [CVE-2024-52529](https://nvd.nist.gov/vuln/detail/CVE-2024-52529)
* The following CVEs were patched in Cilium v.1.14.15
* [CVE-2024-24789](https://nvd.nist.gov/vuln/detail/CVE-2024-24789)
* [CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790)
* [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791)
* [CVE-2024-34156](https://nvd.nist.gov/vuln/detail/CVE-2024-34156)
* [CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155)
* [CVE-2024-34158](https://nvd.nist.gov/vuln/detail/CVE-2024-34158)
* [CVE-2024-37307](https://nvd.nist.gov/vuln/detail/CVE-2024-37307)
* [CVE-2024-42486](https://nvd.nist.gov/vuln/detail/CVE-2024-42486)
* [CVE-2024-42487](https://nvd.nist.gov/vuln/detail/CVE-2024-42487)
* [CVE-2024-42488](https://nvd.nist.gov/vuln/detail/CVE-2024-42488)
* [CVE-2024-47825](https://nvd.nist.gov/vuln/detail/CVE-2024-47825)
* Update the cost-analysis-agent image v0.0.19 to v0.0.20. Upgrades the following dependencies in cost-analysis-agent to fix CVE-2024-45337 and CVE-2024-45338
* [golang.org/x/crypto](http://golang.org/x/crypto) v0.27.0 to v0.31.0
* [golang.org/x/net](http://golang.org/x/net) v0.29.0 to v0.33.0
* [golang.org/x/sys](http://golang.org/x/sys) v0.25.0 to v0.28.0
* [golang.org/x/text](http://golang.org/x/text) v0.18.0 to v0.21.0
* coredns image v1.12.0-1 and v1.9.4-5 versions have been built using Dalec framework, published to MCR under oss/v2 path. All AKS clusters with 1.32+ versions will use v1.12.0-1 coredns image version and existing AKS clusters on 1.24+ versions will use v1.9.4-5 coredns image version.
* Update the ip-masq-agent to v0.1.15 to address [CVE-2024-45338](https://nvd.nist.gov/vuln/detail/CVE-2024-45338) and [CVE-2024-10220](https://nvd.nist.gov/vuln/detail/CVE-2024-10220)
* Update NPM image to v1.5.41 to fix [CVE-2024-45338](https://nvd.nist.gov/vuln/detail/CVE-2024-45338) in usr/bin/azure-npm (gobinary) and GHSA-xr7q-jx4m-x55m in usr/bin/azure-npm (gobinary). See the release notes for [v1.5.41](https://github.com/Azure/azure-container-networking/releases/tag/v1.5.41) for more details.
* AKS Windows Server 2019 image has been updated to [AKSWindows-2019-17763.6775.250117](vhd-notes/AKSWindows/2019/17763.6775.250117.txt).
* AKS Windows Server 2022 image has been updated to [AKSWindows-2022-20348.3091.250117](vhd-notes/AKSWindows/2022/20348.3091.250117.txt).
* AKS Windows Server 2022-23H2 image has been updated to [AKSWindows-2022-23H2-25398.1369.250117](vhd-notes/AKSWindows/23H2/25398.1369.250117.txt).
* AKS Azure Linux image has been updated to [202501.28.0](vhd-notes/AzureLinux/202501.28.0.txt).
* AKS Ubuntu 2204 image has been updated to [202501.28.0](vhd-notes/aks-ubuntu/AKSUbuntu-2204/202501.28.0.txt).
* AKS Ubuntu 2404 image has been updated to [202501.28.0](vhd-notes/aks-ubuntu/AKSUbuntu-2404/202501.28.0.txt).

## Release 2025-01-06

Monitor the release status by regions at [AKS-Release-Tracker](https://releases.aks.azure.com/). This release is titled as `v20250106`.

### Announcements
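
Review bot: The new section's heading at the top of this hunk reads `## Release 2025-01-06`, but its body says the release is titled `v20250130` and the unchanged `## Release 2025-01-06` section for `v20250106` follows directly below, so the changelog ends up with two identically named headings; change the new one to `## Release 2025-01-30`. Two placeholders are still in the text and should be resolved before merge: `TODO: confirm w/ Bryce.` on the Karpenter image version fix, and `TODO: which CVE?` on the Azure disk driver v1.30.6 entry, where operators need the CVE identifier to triage the update. That same entry puts the disk driver at v1.30.6 on AKS 1.30+ while a later bullet says `Update Azure Disk CSI driver to v1.30.7 on AKS 1.30, 1.31`; keep whichever version is correct. The CVE list headed "patched in Cilium v.1.14.15" sits next to an update to v1.14.18 and would benefit from a word on why the older version is cited. Wording to fix while here: "Changes to removes Prometheus port", "Added early validation when of valid subnets", and "from 1 2" in the Cilium v1.14 entry.
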
Expand Down Expand Up @@ -4299,7 +4387,7 @@ This release is rolling out to all regions - ETA for conclusion 2021-02-17 for p
* Preview Features
* AKS now supports Private Clusters created with a custom DNS zone (BYO DNS zone). Read more [here](https://docs.microsoft.com/azure/aks/private-clusters#configure-private-dns-zone).
* AKS now allows you to reuse your standard LoadBalancer outbound IP (created by AKS) as Inbound IP to your services (and vice-versa) from Kubernetes v1.20+.
* AKS now supports re-using the same Load Balancer IP across multiple services from Kubernetes v1.20+.
* AKS now supports reusing the same Load Balancer IP across multiple services from Kubernetes v1.20+.
* Behavioral Change
* The AKS default storage class behavior now will be to delay the creation of a Persistent Volume until a pod is created. Allowing the Persistent Volume to be created in the same zone as the pod. Read more [here](https://docs.microsoft.com/azure/aks/azure-disk-csi#create-a-custom-storage-class).
* Component Updates
2 changes: 1 addition & 1 deletion examples/vnet/00-README.md
Expand Up @@ -16,7 +16,7 @@ The IP address plan used for this cluster consists of a VNET, a Subnet (VNET-Loc
| Address | Description |
| ------- | ----------- |
| 172.16.0.1/24 | IP address and netmask (CIDR notation) for the Docker bridge address. |
| 172.15.8.2 | IP address reserved from the Kubernets Service range used for DNS. |
| 172.15.8.2 | IP address reserved from the Kubernetes Service range used for DNS. |

## Environment
