Releases: Azure/AKS
Release 2023-10-29
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- Kubernetes 1.25 is being deprecated at the end of January 2024 and support will transition to our platform support policy.
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from December 1st, 2023. We recommend updating your cluster with AKS-managed Azure AD before December 1st, 2023. This way you can manage the API server downtime during non-business hours.
- Starting January 2024, due to Gatekeeper Upstream removing validation for constraint template contents at create/update time, the Azure Policy Add-On will now no longer support this. The Azure Policy Add-On will report ‘InvalidConstraint/Template’ compliance reason code for detected errors after constraint template admission. This change does not impact other compliance reason codes. Customers are encouraged to continue to follow best practices when updating Azure Policy for Kubernetes definitions (i.e. Gator CLI).
- Windows containerd v1.7 will be the default container runtime for k8s v1.28+ on AKS Windows nodes. Windows Host Process (HPC) containers is GA in Windows containerd v1.7 and it has some breaking changes.
- Starting with Kubernetes 1.29, the default cgroups implementation on Azure Linux AKS nodes will be cgroupsv2. Older versions of Java, .NET and NodeJS do not support querying cgroups v2 memory constraints, and this will lead to out of memory (OOM) issues for workloads. Please test your applications for cgroupsv2 compliance, and read the FAQ for cgroupsv2.
- AKS sent out an advisory regarding CVE-2023-29332 on September 13, 2023, which impacts AKS agent nodes. Recommended mitigation is to upgrade AKS cluster and AKS node image. If impacted clusters are not upgraded, AKS will apply mitigation on customer's next cluster update operation including node OS updates and node rolling upgrades, which may cause workload disruption.
Release notes
- Preview Features
- Windows Disable Outbound NAT (Preview) now supports WS2019 and WS2022.
- Bug Fixes
- Corrected issue where on tainted/dedicated system pools the Vertical Pod Autoscaler (VPA) deployment could end up on non-system pools.
- Fix for issue where a Certificate Authority bundle mismatch could produce an update on the image version of the VPA webhook.
- Fix for possible deadlock scenario between Container Network Service and Azure CNI where pod IPs would not release on pod delete and new pods would not get an IP.
- Fix for Windows NPM crashes in k8s 1.28 with Containerd 1.7. Bug was a result of Windows NPM DaemonSet referencing a file that did not exist in its current directory.
- Fix for fleet clusters, so they will now be correctly set to NRG-Lockdown RestrictionLevel Restricted, instead of Unspecified. Additionally, fleet clusters within one of the undesired Unspecified states will be fixed on reconcile.
- Fix to prevent conflict between Open Service Mesh and AKS Admission Enforcer.
- Fix to improve response time and reduce long mc and agentpool operation latency.
- Behavioral Change
- All AKS managed namespaces now have a "kubernetes.azure.com/managedby: AKS" label.
- For exceptional cases, AKS now allows customer to update the requests and limits of VPA Updater and Recommender pods.
- Component Updates
- Microsoft Defender for Cloud publisher image has been updated to 1.0.68 (now distroless)
- Microsoft Defender for Cloud OldFileCleaner image has been updated to 1.4.68
- Azure Linux image has been updated to Azure Linux - 202310.26.0.
- AKS Ubuntu 22.04 image has been updated to AKSUbuntu-2204-202310.26.0.
Release 2023-10-22
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- Kubernetes 1.25 is being deprecated at the end of January 2024 and support will transition to our platform support policy.
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from December 1st, 2023. We recommend updating your cluster with AKS-managed Azure AD before December 1st, 2023. This way you can manage the API server downtime during non-business hours.
Release notes
- Bug Fixes
- Fix for some abnormally slow PUT managedClusters/agentPool operations caused by hanging connections.
- Fix for a throttling issue by increasing the secrets store AKV provider CPU limit from 50m to 100m.
- Fix for CVE by upgrading Azure file driver version to v1.24.11 on AKS 1.25.
- Fix for Azure CNI Overlay when using Linux Kernel 6.2+ and K8s 1.28+. This fix prevents the CNI from setting up pod networking incorrectly.
- Behavioral Change
- Introduced acn-multitenancy-editor ClusterRole to give azure-cns permissions on "multitenantpodnetworkconfigs", "podnetworkinstances", and "podnetworks" resources.
- Component Updates
- Bumped cloud-controller-manager image to v1.28.2, v1.27.10, v1.26.16 and v1.25.20.
- Updated Windows podsubnet and overlay CNI with signed version (v1.4.39.2) from v1.4.39.1.
- Azure Linux image has been updated to Azure Linux - 202310.19.0.
- AKS Ubuntu 18.04 image has been updated to AKSUbuntu-1804-202310.19.0.
Release 2023-10-15
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
- CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability. An attacker who successfully exploited this vulnerability could gain Cluster Administrator privileges. Please update your AKS VHD to at least VHD version 230801 as mentioned in the issue
- CVE-2023-44487 - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly
Release notes
- Feature
- AKS supports using annotations to configure the load balancer health probe for different service ports
- Bug Fixes
- Fix for preventing cilium-operator from restarting unmanaged coredns pods
- Fix for AKS not honoring/returning the PrivateEndpointConnection description field
- Fix for PUT on ManagedCluster allowing more than the maximum tag limit of 50 in some rare cases
- Fix for failure to create multiple agent pools concurrently when using the same PodSubnetID in Dynamic IP Allocation mode
- Behavioral Changes
- Change in Key Vault error codes - KeyVaultEncryptKeyFailed will now be KeyVaultEncryptFailed and KeyVaultDecryptKeyFailed will now be KeyVaultDecryptFailed
- Component Updates
- Updates ama-logs addon to version 3.1.15 10/13/2023
- Azure Linux image has been updated to Azure Linux - 202310.09.0
- Azure Windows 2019 Image has been updated to Azure Windows - 17763.4974.231011
- Azure Windows 2022 Image has been updated to Azure Windows - 20348.2031.231011
- AKS Ubuntu 22.04 image has been updated to AKSUbuntu-2204-202310.09.0
Release 2023-10-08
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
Release notes
- Features
- Stop cluster upgrades automatically on API breaking changes is now generally available.
- The AKS vscode extension has released four new features: A brand new user experience for cluster create and visual kubectl commands as well as several internal enhancements. To read more and engage with the team directly, visit the GitHub repository
- Bug Fixes
- Microsoft Defender for Containers has been updated to image version 1.3.81 to support kernel versions 6.2 or higher.
- Behavioral Changes
- With the release of Container Insights 3.1.14, default 1-year tokens will be set to 1-hour expiry and refreshed at 10 minutes.
- A warning has been added for clusters utilizing dual-stack networking and outbound type user-defined routing if the associated route table does not have a default IPv6 route in place. Visit Dual-stack kubenet networking for full details.
- Customers can now disable Windows GMSA on an existing cluster.
- Node OS Auto Upgrade now has a built-in Policy Definition that can be used to validate and enforce whether it is enabled on an AKS cluster.
- Component Updates
- Windows CNI has been updated to v1.4.39.1 for Azure CNI Overlay and Azure CNI with dynamic allocation.
- Azure Monitor Metrics for AKS has been updated to image version 6.7.7. Please see their release notes for full details.
- The AKS vscode extension v1.3.15 has been released
Release 2023-10-01
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
Release notes
- Features
- Support for IP address changes for Azure Blob NFS mounts on AKS 1.27+.
- Configurable resource group for the Private Link Service (PLS) creation using the ServiceAnnotationPLSResourceGroup = "service.beta.kubernetes.io/azure-pls-resource-group" annotation.
- The vertical pod autoscaling (VPA) add-on for AKS is now generally available.
- Bring your own keys (BYOK) support to encrypt Azure Ephemeral disks is now generally available in AKS.
- Bug Fixes
- Fix for some events during an upgrade such as "Deleting node" not appearing in kubectl get events.
- Fix for metricDefinitions operation not exposed in Azure China.
- Fix for Cluster Autoscaler condition where nodes that VPA pods are scheduled to could not be evicted.
- Behavioral Changes
- The pod CPU request from ama-metrics daemonsets will be reduced in Windows from 500m to 150m and in Linux from 75m to 50m.
- AKS will now validate, and block if necessary, service CIDRs placed in public and multicast IP address ranges.
- If the ama-logs add-on is enabled, host port 28330 will be mounted to the ama-logs daemonset in order to facilitate syslog collection.
- To reduce vertical pod autoscaling (VPA) out of memory (OOM) errors, the vpa-recommender CPU limit will increase to 1000m, memory limit to 2000Mi, and memory request to 800Mi from 200m, 1000m, and 500Mi respectively.
- The default max surge value during upgrades will be changed from 1 to 10% for AKS 1.28+ on new clusters to improve upgrade latency.
- Component Updates
- Linux Network Policy Manager (NPM) version has been rebuilt to v1.4.45.2, containing patches for Ubuntu CVEs.
- ip-masq-agent-v2 onboarded to semantic versioning and has been updated to v0.1.8.
- Upgraded Azure File CSI driver to v1.24.10 on AKS 1.25, v1.26.8 on AKS 1.26, and v1.28.5 on AKS 1.27.
- Blob CSI driver upgraded to v1.22.2 on AKS 1.27+ to support AZNFS mount helper.
Release 2023-09-24
Azure Kubernetes Service Changelog
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
Release notes
- Behavioral changes
- If your VM SKU does not support ephemeral or PremiumSSD OS disks, AKS will now use StandardSSD as the default OS disk type as compared to Standard HDD previously.
- The "Azure Kubernetes Clusters should enable node os auto-upgrade" (Audit) policy now includes the "Configure Node OS Auto upgrade on Azure Kubernetes Cluster" (DINE) policy, which allows customers to enforce that Node OS Auto Upgrade is configured on a cluster, where before they could only audit that a cluster was configured without Node OS Auto Upgrade.
- Preview Features
- Image Integrity allows you to sign container images via a process that ensures their authenticity and integrity.
- Bug Fixes
- Fix for the Private Link Service (PLS) creation failure that can occur if the customer selects a subnet name or PLS name that is too long.
- Component Updates
- Microsoft Defender Publisher container (part of the Defender for Containers solution) image version has been updated to 1.0.67 from 1.0.64, which improves memory utilization to reduce pod restarts due to OOMKills
- Cilium version has been updated to 1.13.5 for AKS clusters with kubernetes versions 1.28 or greater
- Azure File CSI driver updated to version v1.24.9 for clusters with kubernetes version 1.25, v1.26.7 for clusters with kubernetes version 1.26 and v1.28.4 for clusters with kubernetes version 1.27
- Hotfix: There were 3 CVEs in upstream Kubernetes related to insufficient input sanitization which leads to privilege escalation. AKS patched the AKS cluster nodes for cluster versions 1.24.9, 1.24.10, 1.24.15, 1.25.5, 1.25.6, 1.25.11, 1.26.0, 1.26.3, 1.26.6, 1.27.3. CVE links - CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893. Update your AKS cluster's node images if the cluster does not have the node OS auto-upgrade feature enabled.
Release 2023-09-17
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
Release notes
- Behavioral changes
- After you set the node OS auto-upgrade channel to "None", AKS doesn't automatically reimage nodes in your node pools. But when you set the node OS auto-upgrade channel to "Unmanaged", AKS will reimage all nodes in your node pools.
- Features
- HTTP Proxy can now be updated after cluster creation.
- Component Updates
- Azure Monitor container insights addon updated to 09/15/2023 release.
- Updated Azure Monitor metrics addon image to 09/11/2023 release.
- AKS Windows 2019 image has been updated to 17763.4851.230914.
- AKS Windows 2022 image has been updated to 20348.1970.230914.
- Updated Windows Azure CNI to v1.5.6.1.
Release 2023-09-10
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
Release notes
- Behavioral changes
- Update admissions enforcer to ignore "kubernetes.azure.com/managedby" and "control-plane" namespaces to fix this issue.
- "kubernetes.azure.com/managedby" label added to aks managed namespaces (kube-system, gatekeeper-system, tigera-system, calico-system)
- Stopped nodepools will be upgraded during an Auto Upgrade operation. The upgrade will apply to nodes when the nodepool is started.
- Added priorityClassName system-node-critical property to all KEDA add-on pods to fix this issue.
- We will now check that your cluster has less than 400 nodes when an upgrade operation is requested and using Kubenet (400 being the node limit for Kubenet).
- Bug Fixes
- Enable HonorPVReclaimPolicy for Azure Disk CSI driver 1.28, fixing an issue where in some Bound Persistent Volume (PV) – Persistent Volume Claim (PVC) pairs, the ordering of PV-PVC deletion determines whether the PV delete reclaim policy is honored.
- Component Updates
- Updated Azure Disk CSI version to v1.28.3 on K8S 1.27.
- Updated Azure File CSI version to v1.28.3 on K8S 1.27, v1.26.6 on K8S 1.26, v1.24.7 on K8S 1.25.
- AKS Ubuntu 18.04 image has been updated to AKSUbuntu-1804-202309.06.0.
- AKS Ubuntu 22.04 image has been updated to AKSUbuntu-2204-202309.06.0.
- Azure Linux image has been updated to AzureLinux-202309.06.0.
Release 2023-09-03
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- Asia East has now been changed to the 2nd release region. New release changes will reach Asia East after US West Central, and before UK South. Follow this via AKS-Release-Tracker.
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
- To avoid disruptions stemming from unmanaged Canonical nightly security updates, AKS will disable unmanaged Canonical nightly updates by 2 September 2023, on clusters that haven’t specified an update option explicitly, mapping to the option None in the node OS upgrade channel feature. AKS strongly recommends proactively moving to auto-upgrade node-image or node OS upgrade channel - SecurityPatch or NodeImage options; you can set maintenance windows for these channels.
Release notes
- Preview Features
- AKS 1.28 version is now available in preview.
- Now customers can disable OutboundNAT for Windows nodes as long as the cluster's outbound type is not Load Balancer. This change enables customers to disable OutboundNAT in conjunction with User Defined Routes (UDR) and Azure firewall. Before the modification, customers could only disable OutboundNAT for Windows nodes when the cluster's outbound type was NAT Gateway.
- Features
- Node OS Upgrade Channel - NodeImage is now generally available.
- Outbound IP can now be a combination of ip/ipprefix and managed ones.
- Behavioral changes
- The taint added by AKS node auto repair will change from remediator.aks.microsoft.com/unschedulable to remediator.kubernetes.azure.com/unschedulable.
- After you update the SSH key, AKS doesn't automatically reimage your node pool; you can choose to perform the reimage operation at any time. The SSH key update takes effect only after the reimage is complete.
- Component Updates
- Image Cleaner now has eraser version bumped to v1.2.1.
- Updated Windows gmsa webhook to v0.7.1 which supports multi-arch (amd64 and arm64).
- Bumped version of Azure Workload Identity to 1.1.0.
- AKS Ubuntu 18.04 image has been updated to AKSUbuntu-1804-202308.28.0.
- AKS Ubuntu 22.04 image has been updated to AKSUbuntu-2204-202308.28.0.
- Azure Linux image has been updated to AzureLinux-202308.28.0.
Release 2023-08-27
Monitor the release status by regions at AKS-Release-Tracker.
Announcements
- No new clusters can be created with Azure AD Integration (legacy). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from 1st Dec. 2023. We recommend updating your cluster with AKS-managed Azure AD before 1 Dec 2023. This way you can manage the API server downtime during non-business hours.
- Please review the following CVEs that impact all Windows node pools in AKS clusters - CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893. Please update your Windows nodes to the VHD version 230809 as mentioned in these issues.
- To avoid disruptions stemming from unmanaged Canonical nightly security updates, AKS will disable unmanaged Canonical nightly updates by 2 September 2023 on clusters that haven’t specified an update option explicitly, mapping to the option None in the node OS upgrade channel feature. AKS strongly recommends proactively moving to auto-upgrade node-image or node OS upgrade channel - Security Patch; you can set maintenance windows for these channels.
Release notes
- Behavioral changes
- Previously, when multiple nodes had drain failures, AKS returned only 1 random node's failure in the error response. Now all the node drain failures are appended to the error response and returned for easier troubleshooting.
- Bug Fixes
- Customers using Azure Monitor Managed Prometheus Service for AKS Clusters may have experienced issues with metrics add-on being disabled, missing metrics and alerts, in case both Container Insights log and Managed Prometheus are enabled on the clusters. These hotfixes fix that issue.
- A bug was fixed that prevented clusters using Azure CNI Powered by Cilium from starting after being stopped.
- Component Updates
- Updated Azure File CSI driver to v1.24.5 on AKS versions >= 1.24.0 and < 1.26.
- Bump cloud-controller-manager image v1.25.18, v1.26.14, v1.27.8 and v1.28.0.
- AKS Ubuntu 18.04 image has been updated to AKSUbuntu-1804-202308.22.0.
- AKS Ubuntu 22.04 image has been updated to AKSUbuntu-2204-202308.22.0.
- Azure Linux image has been updated to AzureLinux-202308.22.0.
- AKS Windows 2019 image has been updated to 17763.4737.230809.
- AKS Windows 2022 image has been updated to 20348.1906.230809.