diff --git a/CHANGELOG.md b/CHANGELOG.md index 189a5a88a..589af8496 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,73 +6,80 @@ Monitor the release status by regions at [AKS-Release-Tracker](https://releases. ### Announcements * Ubuntu version updates - * Ubuntu 24.04 is now generally available and will be the default for OS SKU `Ubuntu` starting in Kubernetes v1.35. This means that if you upgrade to kubernetes v1.35 with `Ubuntu` OS SKU, you'll automatically update your OS version from Ubuntu 22.04 to Ubuntu 24.04. If you'd like to continue to use Ubuntu 22.04, you can use it until kubernetes v1.36 end of life. You can also create or update your existing node pools to with CLI version 2.82.0+. For more information, see [AKS Documentation](https://aka.ms/aks/upgrade-os-version). + * Ubuntu 24.04 is now generally available and will be the default for OS SKU `Ubuntu` starting in Kubernetes v1.35. This means that if you upgrade to Kubernetes v1.35 with `Ubuntu` OS SKU, you'll automatically update your OS version from Ubuntu 22.04 to Ubuntu 24.04. If you'd like to continue to use Ubuntu 22.04, you can use it until Kubernetes v1.36 end of life. You can also create or update your existing node pools using CLI version 2.82.0+. For more information, see [documentation](https://aka.ms/aks/upgrade-os-version). * Ubuntu 18.04 support has been removed from AKS, meaning you'll no longer be able to scale your node pools. If you are currently using Ubuntu 18.04 on AKS, please follow our instructions to [upgrade](https://learn.microsoft.com/azure/aks/upgrade-aks-cluster) your Kubernetes version to 1.25+ where Ubuntu 22.04 will be the default Ubuntu version. For more information on this retirement and removal, see [AKS Github Issues](https://github.com/Azure/AKS/issues/4873) -* AKS has now published the results from the [CIS Kubernetes Benchmark v1.12.0](https://www.cisecurity.org/benchmark/kubernetes/) recommendations on AKS. The results are applicable to AKS 1.32.x through AKS 1.34.x. For detailed report, see [AKS Documentation](https://review.learn.microsoft.com/azure/aks/cis-kubernetes). -* AKS has now published the results from the [CIS Ubuntu 24.04 LTS Benchmark v1.0.0](https://www.cisecurity.org/benchmark/ubuntu_linux). For detailed report, see [AKS Documentation](https://aka.ms/aks/ubuntu-cis). -* As of November 30, 2025, Azure Kubernetes Service (AKS) no longer supports or provides security updates for Azure Linux 2.0. The Azure Linux 2.0 node image is frozen at the [202512.06.0 release](/vhd-notes/AzureLinux/202512.06.0.txt). Beginning March 31, 2026, node images will be removed, and you'll be unable to scale your node pools. Migrate to a supported Azure Linux version by [upgrading your node pools](https://learn.microsoft.com/azure/aks/upgrade-cluster?tabs=azure-cli) to a supported Kubernetes version or migrating to [osSku AzureLinux3](https://learn.microsoft.com/azure/aks/upgrade-os-version). For more information, see [\[Retirement\] Azure Linux 2.0 node pools on AKS](https://github.com/Azure/AKS/issues/4988) +* AKS has now published the results from the [CIS Kubernetes Benchmark v1.12.0](https://www.cisecurity.org/benchmark/kubernetes/) recommendations on AKS. The results are applicable to AKS 1.32.x through AKS 1.34.x. Detailed report is available in [documentation](https://learn.microsoft.com/azure/aks/cis-kubernetes). +* AKS has now published the results from the [CIS Ubuntu 24.04 LTS Benchmark v1.0.0](https://www.cisecurity.org/benchmark/ubuntu_linux). Detailed report is available in [documentation](https://aka.ms/aks/ubuntu-cis). +* Since November 30, 2025, Azure Kubernetes Service (AKS) no longer supports or provides security updates for Azure Linux 2.0. The Azure Linux 2.0 node image is frozen at the [202512.06.0 release](vhd-notes/AzureLinux/202512.06.0.txt). Beginning March 31, 2026, node images will be removed, and you'll be unable to scale your node pools. Migrate to a supported Azure Linux version by [upgrading your node pools](https://learn.microsoft.com/azure/aks/upgrade-cluster?tabs=azure-cli) to a supported Kubernetes version or migrating to [osSku AzureLinux3](https://learn.microsoft.com/azure/aks/upgrade-os-version). For more information, see [Retirement of Azure Linux 2.0 node pools on AKS](https://github.com/Azure/AKS/issues/4988) * AKS now blocks the creation of clusters with Basic Load Balancer which [retired on 30 September 2025](https://learn.microsoft.com/answers/questions/1033471/retirement-announcement-basic-load-balancer-will-b). Clusters still using Basic Load Balancers are considered out of support and you must [upgrade to the Standard Load Balancer](https://learn.microsoft.com/azure/aks/upgrade-basic-load-balancer-on-aks). -* Starting on March 30, 2026 the node pool tag, aks-disable-kubelet-serving-certificate-rotation=true will no longer be supported. New node pools can be created with the node pool tag, but AKS will not respect the node pool tag. For new node pools, that means that they will be created with [Kubelet Serving Certificate Rotation (KSCR)](https://aka.ms/aks/kubelet-serving-certificate-rotation) enabled, despite the node pool tag. For existing node pools, this means that KSCR will be automatically enabled on their next reimage operation. For updates about this retirement, see [AKS Github Issue](https://github.com/Azure/AKS/issues/5539). -* As of 19 October 2025, AKS Automatic clusters have transitioned to a new billing model in alignment with the service moving from preview to General Availability. To learn more about Azure Kubernetes Service pricing, please visit the [pricing](https://azure.microsoft.com/pricing/details/kubernetes-service/) page. As part of this transition, the following pricing updates have taken effect in supported regions: +* Starting on March 30, 2026 the node pool tag, `aks-disable-kubelet-serving-certificate-rotation=true` will no longer be supported. New node pools can be created with the node pool tag, but AKS will not respect the node pool tag. For new node pools, that means that they will be created with [Kubelet Serving Certificate Rotation (KSCR)](https://aka.ms/aks/kubelet-serving-certificate-rotation) enabled, despite the node pool tag. For existing node pools, this means that KSCR will be automatically enabled on their next reimage operation. For updates about this retirement, see [AKS Github Issue](https://github.com/Azure/AKS/issues/5539). +* Since 19 October 2025, AKS Automatic clusters have transitioned to a new billing model in alignment with the service moving from preview to General Availability. To learn more about Azure Kubernetes Service pricing, please visit the [pricing](https://azure.microsoft.com/pricing/details/kubernetes-service/) page. As part of this transition, the following pricing updates have taken effect in supported regions: * Compute charges based on the duration and type of virtual machines used by AKS Automatic clusters. - * A $0.16 cluster / hour hosted control plane fee. For more information, see [Pricing](https://azure.microsoft.com/pricing/details/kubernetes-service/) + * A $0.16 cluster / hour hosted control plane fee. ### Kubernetes Version * AKS Kubernetes version `1.31` is deprecated. Please upgrade your clusters to `1.32` version or above. Refer to [version support policy](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions?tabs=azure-cli#kubernetes-version-support-policy) and [upgrading a cluster](https://learn.microsoft.com/azure/aks/upgrade-aks-cluster?tabs=azure-cli) for more information. * AKS Kubernetes version `1.34` is now generally available. Refer to [version support policy](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions) and [upgrading a cluster](https://learn.microsoft.com/azure/aks/upgrade-cluster) for more information. * AKS LTS (Long Term Support) patch versions are now available: - * Kubernetes 1.30.101-akslts - [Changelog](https://github.com/aks-lts/kubernetes/blob/release-1.30-lts/CHANGELOG/CHANGELOG-1.30.md#v130101-akslts) - * Kubernetes 1.29.101-akslts - [Changelog](https://github.com/aks-lts/kubernetes/blob/release-1.29-lts/CHANGELOG/CHANGELOG-1.29.md#v129100-akslts) - * Kubernetes 1.28.103-akslts - [Changelog](https://github.com/aks-lts/kubernetes/blob/release-1.28-lts/CHANGELOG/CHANGELOG-1.28.md#v128102-akslts) + * Kubernetes 1.30.101-akslts - [Changelog](https://github.com/aks-lts/kubernetes/blob/release-1.30-lts/CHANGELOG/CHANGELOG-1.30.md) + * Kubernetes 1.29.101-akslts - [Changelog](https://github.com/aks-lts/kubernetes/blob/release-1.29-lts/CHANGELOG/CHANGELOG-1.29.md) + * Kubernetes 1.28.103-akslts - [Changelog](https://github.com/aks-lts/kubernetes/blob/release-1.28-lts/CHANGELOG/CHANGELOG-1.28.md) For deprecation and patch timelines by region, please check the [AKS-Release-Tracker](https://releases.aks.azure.com/) ### Preview features * [Azure CNI Overlay](https://learn.microsoft.com/azure/aks/azure-cni-overlay) now supports Pod CIDR address space expansion in public preview, allowing you to add more Pod IPs without recreating the cluster. -* OpenTelemetry support for AKS monitoring is now in limited public preview. Documentation and sign up form can be found at [https://aka.ms/AzureMonitorOTelPreview](https://aka.ms/AzureMonitorOTelPreview) -* [Private IP support for Static Egress Gateway](https://learn.microsoft.com/azure/aks/configure-static-egress-gateway#static-private-ip-support-preview) is now available in public preview using Kubernetes 1.34+. -* External identity provider based authentication is now available in public preview. Documentation can be found at [External Identity Provider doc](https://learn.microsoft.com/azure/aks/external-identity-provider-authentication-configure?pivots=github) +* OpenTelemetry support for AKS monitoring is now in limited public preview. Sign up form can be found [here](https://aka.ms/AzureMonitorOTelPreview) +* [Private IP support for Static Egress Gateway](https://learn.microsoft.com/azure/aks/configure-static-egress-gateway#static-private-ip-support-preview) is now available in public preview on clusters of version >=1.34. +* [External identity provider based authentication to cluster control plane](https://learn.microsoft.com/azure/aks/external-identity-provider-authentication-configure?pivots=github) is now available in preview. +* [Identity bindings](https://learn.microsoft.com/azure/aks/identity-bindings-concepts) is now available in preview. This addresses [workload identity's](https://learn.microsoft.com/azure/aks/workload-identity-overview?tabs=dotnet) scale limitation of 20 federated identities credentials per managed identity. +* [Entra ID based SSH access to nodes](https://learn.microsoft.com/azure/aks/manage-ssh-node-access?pivots=entraid-ssh) is now available in preview. +* Revised experience for [data encryption at rest for secrets in AKS using KMS provider for Azure Key Vault](https://learn.microsoft.com/azure/aks/kms-data-encryption-concepts) with options for platform-managed keys or customer-managed keys is now available in preview. * [Flatcar Container Linux for AKS (preview)](https://aka.ms/aks/flatcar) is a CNCF-based vendor-neutral container-optimized immutable OS, best suited for running on multi-cloud and on-prem environments. Flatcar Container Linux is now available in preview as an OS option on AKS. You can deploy Flatcar Container Linux node pools in a new AKS cluster or add Flatcar Container Linux node pools to your existing clusters. * Windows Server 2025 is now supported in preview. This new version includes the following updates: Containerd 2.0 is now default, Generation 2 VMs are enabled by default, and FIPS is enabled by default. For more information on upgrading your windows OS version, see [AKS documentation](https://aka.ms/aks/upgrade-windows-os-version). * [Azure Linux with OS Guard](https://learn.microsoft.com/azure/azure-linux/intro-azure-linux-os-guard), a hardened and immutable variant of Azure Linux, is now in public preview. -* Istio CNI in public preview now supports the ProxyRedirectionMechanism starting API version `2026-01-01`. More details at [Enable Istio CNI for Istio-based service mesh](https://learn.microsoft.com/azure/aks/istio-cni). +* [Istio CNI](https://learn.microsoft.com/azure/aks/istio-cni) is now in public preview. Istio CNI improves security by eliminating the need for `NET_ADMIN` and `NET_RAW` capabilities in application workloads within the service mesh ### Behavioral Changes * Starting with API version `2026-01-01`, AKS returns `podCIDR` and `podCIDRs` fields when `networkPlugin=none`, allowing customers to update their podCIDR to match their CNI configuration. * When using [LocalDNS](https://learn.microsoft.com/azure/aks/localdns-custom), AKS now rejects forwarding external domains to CoreDNS from vnetDNSOverrides to prevent DNS resolution issues. -* AKS now enforces required subnet configuration for networking add-ons such as Application Gateway for Containers, which may cause cluster creation or upgrades to fail if add-on subnets are misconfigured or do not meet required constraints. See [Application Gateway for Containers networking requirements](https://learn.microsoft.com/azure/application-gateway/for-containers/quickstart-create-application-gateway-for-containers-managed-by-alb-controller) -* **AKS now returns a client error when virtual network encryption is used with API server VNet integration, as this configuration is not supported.** See [API server VNet integration limitations](https://learn.microsoft.com/azure/aks/api-server-vnet-integration#limitations) +* AKS now enforces required subnet configuration for networking add-ons such as Application Gateway for Containers, which may cause cluster creation or upgrades to fail if add-on subnets are misconfigured or do not meet required constraints. See [Application Gateway for Containers networking requirements](https://learn.microsoft.com/azure/application-gateway/for-containers/quickstart-create-application-gateway-for-containers-managed-by-alb-controller). +* AKS now returns a client error when virtual network encryption is used with API server VNet integration, as this configuration is not supported. See [API server VNet integration limitations](https://learn.microsoft.com/azure/aks/api-server-vnet-integration#limitations) ### Component Updates -* Windows node images - * Server 2019 Gen1 – [17763.8146.251212](/vhd-notes/AKSWindows/2019/17763.8146.251212.txt) - * Server 2022 Gen1/Gen2 – [20348.4529.251212](/vhd-notes/AKSWindows/2022/20348.4529.251212.txt) - * Server 23H2 Gen1/Gen2 – [25398.2025.251212](/vhd-notes/AKSWindows/23H2/25398.2025.251212.txt) - * Server 2025 Gen1/Gen2 – [26100.7462.251212](/vhd-notes/AKSWindows/2025/26100.7462.251212.txt) -* Windows GMSA container has been updated to 0.12.1-2_5 in the latest Windows [node images](https://github.com/Azure/AgentBaker/releases/tag/v0.20251218.0) -* Azure Disk CSI driver has been updated to [v1.33.7](https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.33.7) for AKS clusters with Kubernetes versions 1.33+ -* Azure Blob CSI driver has been downgraded to [v1.26.6](https://github.com/kubernetes-sigs/blob-csi-driver/releases/tag/v1.26.6) for AKS clusters with Kubernetes versions 1.34+ to address stability issues -* Secrets Store CSI driver has been updated to [v1.7.2](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.7.2) -* Cilium has been updated to [v1.18.2](https://github.com/cilium/cilium/releases/tag/v1.18.2) (now distroless) for AKS clusters with Kubernetes versions 1.34+ -* Calico images have been updated to address multiple security vulnerabilities, including: [CVE-2025-61725](https://nvd.nist.gov/vuln/detail/CVE-2025-61725[) ,[CVE-2025-61724](https://nvd.nist.gov/vuln/detail/CVE-2025-61724) , [CVE-2025-61723](https://nvd.nist.gov/vuln/detail/CVE-2025-61723) , [CVE-2025-58189](https://nvd.nist.gov/vuln/detail/CVE-2025-58189) , [CVE-2025-58188](https://nvd.nist.gov/vuln/detail/CVE-2025-58188) , [CVE-2025-58187](https://nvd.nist.gov/vuln/detail/CVE-2025-58187) , [CVE-2025-58186](https://nvd.nist.gov/vuln/detail/CVE-2025-58186) , [CVE-2025-58185](https://nvd.nist.gov/vuln/detail/CVE-2025-58185) , [CVE-2025-58183](https://nvd.nist.gov/vuln/detail/CVE-2025-58183) , and [CVE-2025-47912](https://nvd.nist.gov/vuln/detail/CVE-2025-47912). -* azure-cns and azure-cni versions have been updated to [1.7.9](https://github.com/Azure/azure-container-networking/releases/tag/v1.7.9) for clusters running Kubernetes versions 1.33+. -* CoreDNS images have been updated to address multiple CVEs +* AKS Azure Linux v2 image has been updated to [202512.06.0](vhd-notes/AzureLinux/202512.06.0.txt). +* AKS Azure Linux v3 image has been updated to [202512.06.0](vhd-notes/AzureLinuxv3/202512.06.0.txt). +* AKS Ubuntu 22.04 node image has been updated to [202512.06.0](vhd-notes/aks-ubuntu/AKSUbuntu-2204/202512.06.0.txt). +* AKS Ubuntu 24.04 node image has been updated to [202512.06.0](vhd-notes/aks-ubuntu/AKSUbuntu-2404/202512.06.0.txt). +* Windows node images: + * Server 2019 Gen1 – [17763.8146.251212](vhd-notes/AKSWindows/2019/17763.8146.251212.txt). + * Server 2022 Gen1/Gen2 – [20348.4529.251212](vhd-notes/AKSWindows/2022/20348.4529.251212.txt). + * Server 23H2 Gen1/Gen2 – [25398.2025.251212](vhd-notes/AKSWindows/23H2/25398.2025.251212.txt). + * Server 2025 Gen1/Gen2 – [26100.7462.251212](vhd-notes/AKSWindows/2025/26100.7462.251212.txt). +* Windows GMSA container has been updated to 0.12.1-2_5 in the latest Windows node images. +* Azure Disk CSI driver has been updated to [v1.33.7](https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.33.7) for AKS clusters of version >= 1.33. +* Azure Blob CSI driver has been downgraded to [v1.26.6](https://github.com/kubernetes-sigs/blob-csi-driver/releases/tag/v1.26.6) for AKS clusters of version >= 1.34 to address stability issues. +* Secrets Store CSI driver has been updated to [v1.7.2](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.7.2) for AKS clusters of version >= 1.26. +* Cilium has been updated to [v1.18.2](https://github.com/cilium/cilium/releases/tag/v1.18.2) (now distroless) for AKS clusters of version >= 1.34. +* Calico images have been updated to address multiple security vulnerabilities, including: [CVE-2025-61725](https://nvd.nist.gov/vuln/detail/CVE-2025-61725), [CVE-2025-61724](https://nvd.nist.gov/vuln/detail/CVE-2025-61724), [CVE-2025-61723](https://nvd.nist.gov/vuln/detail/CVE-2025-61723), [CVE-2025-58189](https://nvd.nist.gov/vuln/detail/CVE-2025-58189), [CVE-2025-58188](https://nvd.nist.gov/vuln/detail/CVE-2025-58188), [CVE-2025-58187](https://nvd.nist.gov/vuln/detail/CVE-2025-58187), [CVE-2025-58186](https://nvd.nist.gov/vuln/detail/CVE-2025-58186), [CVE-2025-58185](https://nvd.nist.gov/vuln/detail/CVE-2025-58185), [CVE-2025-58183](https://nvd.nist.gov/vuln/detail/CVE-2025-58183), and [CVE-2025-47912](https://nvd.nist.gov/vuln/detail/CVE-2025-47912). +* `azure-cns` and `azure-cni` versions have been updated to [1.7.9](https://github.com/Azure/azure-container-networking/releases/tag/v1.7.9) for AKS clusters of version >= 1.33. +* CoreDNS images have been updated to address multiple CVEs: * CoreDNS image on AKS clusters with version >= 1.34.0 updated to [v1.13.1-1](https://github.com/coredns/coredns/releases/tag/v1.13.1) * CoreDNS image on AKS clusters with version >= 1.33.0 and < 1.34.0 updated to [v1.12.1-6](https://github.com/coredns/coredns/releases/tag/v1.12.1) * CoreDNS image on AKS clusters with version >= 1.32.0 and < 1.33.0 updated to [v1.11.3-13](https://github.com/coredns/coredns/releases/tag/v1.11.3) * CoreDNS image on AKS clusters with version >= 1.24.0 and < 1.32.0 updated to [v1.9.4-7](https://github.com/coredns/coredns/releases/tag/v1.9.4) -* Network Policy Manager (NPM) has been updated to [v1.6.34](https://github.com/Azure/azure-container-networking/releases/tag/v1.6.34) for all supported Kubernetes versions to resolve CVEs: [CVE-2025-6297](https://nvd.nist.gov/vuln/detail/CVE-2025-6297), [CVE-2025-8058](https://nvd.nist.gov/vuln/detail/CVE-2025-8058), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-9230](https://nvd.nist.gov/vuln/detail/CVE-2025-9230), [GHSA-2464-8j7c-4cjm](https://github.com/advisories/GHSA-2464-8j7c-4cjm) -* IP Masq Agent has been updated to [v0.1.15-7](https://github.com/Azure/ip-masq-agent-v2/releases/tag/v0.1.15) with an Azure Linux 3.0 OS refresh, addressing glibc and OpenSSL vulnerabilities: [CVE-2025-4802](https://nvd.nist.gov/vuln/detail/CVE-2025-4802), [CVE-2025-8058](https://nvd.nist.gov/vuln/detail/CVE-2025-8058), [CVE-2025-9230](https://nvd.nist.gov/vuln/detail/CVE-2025-9230), [CVE-2025-9232](https://nvd.nist.gov/vuln/detail/CVE-2025-9232) -* Istio-based service mesh add-on has been upgraded to [v1.27.4](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.4/) to address CVEs: [CVE-2025-66220](https://www.cve.org/CVERecord?id=CVE-2025-66220), [CVE-2025-64527](https://www.cve.org/CVERecord?id=CVE-2025-64527), [CVE-2025-64763](https://www.cve.org/CVERecord?id=CVE-2025-64763), [CVE-2025-55162](https://www.cve.org/CVERecord?id=CVE-2025-55162), [CVE-2025-54588](https://www.cve.org/CVERecord?id=CVE-2025-54588). Users should restart their workloads to reinject for the newest patch version. More information at [Istio Upgrade Documentation](https://learn.microsoft.com/azure/aks/istio-upgrade). -* Azure Service Mesh (OSM) add-on has been updated to [v1.2.11](https://github.com/openservicemesh/osm/releases/tag/v1.2.11) to adopt DALEC and address CVEs: [CVE-2024-45337](https://nvd.nist.gov/vuln/detail/CVE-2024-45337), [CVE-2025-22869](https://nvd.nist.gov/vuln/detail/CVE-2025-22869), [CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868), [CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790), [CVE-2024-34156](https://nvd.nist.gov/vuln/detail/CVE-2024-34156), [CVE-2025-47907](https://nvd.nist.gov/vuln/detail/CVE-2025-47907), [CVE-2025-58183](https://nvd.nist.gov/vuln/detail/CVE-2025-58183), [CVE-2025-61729](https://nvd.nist.gov/vuln/detail/CVE-2025-61729) -* Azure Policy add-on has been updated to [v1.15.1](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#1151) -* Application Gateway Ingress Controller (AGIC) has been updated to [v1.9.4](https://github.com/Azure/application-gateway-kubernetes-ingress/releases/tag/1.9.4) -* Application Monitoring has been upgraded to [v1.0.0-beta.10](https://github.com/microsoft/Docker-Provider/releases/tag/appmonitoring-1.0.0-beta.10) +* Network Policy Manager (NPM) has been updated to [v1.6.34](https://github.com/Azure/azure-container-networking/releases/tag/v1.6.34) for all supported Kubernetes versions to resolve CVEs: [CVE-2025-6297](https://nvd.nist.gov/vuln/detail/CVE-2025-6297), [CVE-2025-8058](https://nvd.nist.gov/vuln/detail/CVE-2025-8058), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-9230](https://nvd.nist.gov/vuln/detail/CVE-2025-9230), [GHSA-2464-8j7c-4cjm](https://github.com/advisories/GHSA-2464-8j7c-4cjm). +* IP Masq Agent has been updated to [v0.1.15-7](https://github.com/Azure/ip-masq-agent-v2/releases/tag/v0.1.15) with an Azure Linux 3.0 OS refresh, addressing glibc and OpenSSL vulnerabilities: [CVE-2025-4802](https://nvd.nist.gov/vuln/detail/CVE-2025-4802), [CVE-2025-8058](https://nvd.nist.gov/vuln/detail/CVE-2025-8058), [CVE-2025-9230](https://nvd.nist.gov/vuln/detail/CVE-2025-9230), [CVE-2025-9232](https://nvd.nist.gov/vuln/detail/CVE-2025-9232). +* Istio-based service mesh add-on has been upgraded to [v1.27.4](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.4/) to address CVEs: [CVE-2025-66220](https://nvd.nist.gov/vuln/detail/CVE-2025-66220), [CVE-2025-64527](https://nvd.nist.gov/vuln/detail/CVE-2025-64527), [CVE-2025-64763](https://nvd.nist.gov/vuln/detail/CVE-2025-64763), [CVE-2025-55162](https://nvd.nist.gov/vuln/detail/CVE-2025-55162), [CVE-2025-54588](https://nvd.nist.gov/vuln/detail/CVE-2025-54588). Users can restart workload pods to trigger re-injection of the updated istio-proxy version. More details on patch upgrades are available [here](https://learn.microsoft.com/azure/aks/istio-upgrade). +* [Open Service Mesh add-on](https://learn.microsoft.com/azure/aks/open-service-mesh-about) has been updated to [v1.2.11](https://github.com/openservicemesh/osm/releases/tag/v1.2.11) to address CVEs: [CVE-2024-45337](https://nvd.nist.gov/vuln/detail/CVE-2024-45337), [CVE-2025-22869](https://nvd.nist.gov/vuln/detail/CVE-2025-22869), [CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868), [CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790), [CVE-2024-34156](https://nvd.nist.gov/vuln/detail/CVE-2024-34156), [CVE-2025-47907](https://nvd.nist.gov/vuln/detail/CVE-2025-47907), [CVE-2025-58183](https://nvd.nist.gov/vuln/detail/CVE-2025-58183), [CVE-2025-61729](https://nvd.nist.gov/vuln/detail/CVE-2025-61729). +* Azure Policy add-on has been updated to [v1.15.1](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#1151). +* Application Gateway Ingress Controller (AGIC) has been updated to [v1.9.4](https://github.com/Azure/application-gateway-kubernetes-ingress/releases/tag/1.9.4). +* Application Monitoring has been upgraded to [v1.0.0-beta.10](https://github.com/microsoft/Docker-Provider/releases/tag/appmonitoring-1.0.0-beta.10). * Container Insights has been updated to [3.1.32](https://github.com/microsoft/Docker-Provider/releases/tag/3.1.32) with CVE patches -* Azure Monitor Metrics (ama-metrics) has been updated to the [release-11-13-2025](https://github.com/Azure/prometheus-collector/blob/main/RELEASENOTES.md#release-11-13-2025) +* Azure Monitor Metrics (ama-metrics) has been updated to the [release-11-13-2025](https://github.com/Azure/prometheus-collector/blob/main/RELEASENOTES.md#release-11-13-2025). * Cloud controller manager has been updated to [v1.34.2](https://github.com/kubernetes-sigs/cloud-provider-azure/compare/v1.34.1...v1.34.2) to fix a bug where services sharing Azure IPv6 PIP would not get reconciled. * Cluster autoscaler has been upgraded to [v1.34.1](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.34.1) -* Microsoft Defender for Containers Sensor has been updated to [v0.8.39](https://learn.microsoft.com/azure/defender-for-cloud/defender-sensor-change-log#sensor-versions-available-per-release) +* Microsoft Defender for Containers Sensor has been updated to [v0.8.39](https://learn.microsoft.com/azure/defender-for-cloud/defender-sensor-change-log#sensor-versions-available-per-release). --- @@ -197,7 +204,7 @@ Monitor the release status by regions at [AKS-Release-Tracker](https://releases. * Server 23H2 Gen1/Gen2 – [25398.1849.250910](vhd-notes/AKSWindows/23H2/25398.1849.250910.txt) * Server 2025 Gen1/Gen2 – [26100.6584.250910](vhd-notes/AKSWindows/2025/26100.6584.250910.txt) * AKS Azure Linux v2 image has been updated to [202509.11.0](vhd-notes/AzureLinux/202509.11.0.txt) -* AKS Azure Linux v3 image has been updated to [202509.18.0](vhd-notes/AKSAzureLinuxv3/202509.18.0.txt). +* AKS Azure Linux v3 image has been updated to [202509.18.0](vhd-notes/AzureLinuxv3/202509.18.0.txt). * AKS Ubuntu 22.04 node image has been updated to [202509.11.0](vhd-notes/aks-ubuntu/AKSUbuntu-2204/202509.11.0.txt). * AKS Ubuntu 24.04 node image has been updated to [202509.11.0](vhd-notes/aks-ubuntu/AKSUbuntu-2404/202509.11.0.txt). * `Azure File CSI driver` has been upgraded to [`v1.32.7`](https://github.com/kubernetes-sigs/azurefile-csi-driver/releases/tag/v1.32.7) on AKS 1.32, and [`v1.33.5`](https://github.com/kubernetes-sigs/azurefile-csi-driver/releases/tag/v1.33.5) on AKS 1.33.