v0.20260527.0

What's Changed

Changes

• chore: update Renovate configuration to limit PR and commit rates, and add new package groups by @Devinwong in #8522
• chore(linux): simplify API server outbound connection check logic by @cameronmeissner in #8523
• chore: update ACL marketplace image version to 3.20260510 by @aadhar-agarwal in #8530
• fix: fix delete cached kube binaries by @lilypan26 in #8533
• chore: clean up acl and flatcar kube binaries by @lilypan26 in #8543
• test: add FIPS provider validation to FIPS scenario tests by @Devinwong in #8502
• chore: add validator to ensure unused cached kube binaries are cleaned up by @lilypan26 in #8538
• fix: remove AzureLinux 3.0 modprobe LPE blacklist (CSE-time + VHD bake-in) — kernel 6.6.139.1-1.azl3+ fixes upstream by @djsly in #8546
• fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0 by @djsly in #8551
• fix(windows): register k8s-restart-job in NodePrep to avoid PIS bootstrap race by @r2k1 in #8535
• chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.32 in /vhdbuilder/lister by @dependabot[bot] in #8549
• chore(deps): bump github.com/containerd/containerd/v2 from 2.1.6 to 2.2.4 in /image-fetcher by @dependabot[bot] in #8547
• feat(linux): add build support for GB200/300 image series by @keith-ms in #8521
• fix(security): enable Dependabot pip updates + bump pytest to 9.0.3 (CVE-2025-71176) by @djsly in #8586
• ci: drop unused environment: test from validate-components by @r2k1 in #8579
• fix: cleanup nodecustomdata.yaml which are static paths on VHD by @awesomenix in #8587
• fix(e2e): reduce E2E test flakiness (sandbox events, duplicate CSE timing) by @r2k1 in #8480
• fix: regression in disable and stop sshd service by @awesomenix in #8596

Dependabot Updates

• chore(deps): bump github.com/onsi/gomega from 1.40.0 to 1.41.0 by @dependabot[bot] in #8531
• chore(deps): update pytest-rerunfailures requirement from <17.0,>=16.0 to >=16.3,<17.0 in /vhdbuilder/packer/test/pam by @dependabot[bot] in #8588

VHD Component Updates

• chore(deps): update cilium-ipam (patch) by @renovate[bot] in #8270
• feat: update prometheus-collector images to 7.0.0-main-05-07-2026-dbf4ae51 by @rashmichandrashekar in #8508
• fix: remove old kube-proxy images and updated cloud manager to match RP by @awesomenix in #8527
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8495
• chore(windows): bump cilium networking package to 1.7.0 for Windows 2025 by @rzlink in #8542
• chore: upgrade azurefile-csi-driver to v1.35.3, v1.34.6, v1.33.10 by @andyzhangx in #8541
• chore: remove windows annual VHD build inputs by @aboodasfari in #8540
• chore(deps): update oss/v2/kubernetes/windows-gmsa-webhook docker tag to v0.12.1-11 by @renovate[bot] in #8578
• chore: upgrade azuredisk-csi-driver to v1.33.10, v1.34.4 and blob-csi-driver to v1.26.12, v1.27.5 by @andyzhangx in #8594
• fix: update containerd versions on Ubuntu to fix CVEs by @awesomenix in #8595
• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8494

New Contributors

• @aboodasfari made their first contribution in #8540

Full Changelog: v0.20260514.0...v0.20260527.0

aks-node-controller hotfix v202605.14.1

What's Changed

Changes

• [Part 1] test: marker commit to simulate ANC hotfix cherry-pick (dry run) by @Devinwong in #8590

Full Changelog: v0.20260514.0...aks-node-controller/hotfix/v202605.14.1

ANC hotfix v202605.14.1

Hotfix for aks-node-controller on official/v20260514 (end-to-end dry run).

Built from merge commit 2916dae of PR #8590, which adds:

• AKS.AKSNodeController.HotfixBeacon GuestAgent event surfacing the running ANC version to Kusto telemetry
• slog beacon line in runProvisionCommand (journalctl + /var/log/azure/aks-node-controller.log)
• write_files marker /opt/azure/containers/anc-hotfix-dryrun-beacon.txt in nodecustomdata scriptless section

Triggers the aks-dalec pipeline to build deb/rpm packages via dalec and publish aks-node-controller_202605.14.1 to PMC (packages.microsoft.com).

After PMC publish completes, Part 2 PR will set hotfix/anc-hotfix-version.json to {"version":"202605.14.1"} so nodes provisioning on 202605.14.0 VHDs with EnableScriptlessCSECmd=true self-update to this hotfix.

v0.20260514.0

What's Changed

Changes

• feat(linux): refactor secure-tls-bootstrap.service to use default file and conditionally set AZURE_ENVIRONMENT_FILEPATH by @cameronmeissner in #8456
• fix: skip setup_golang.sh on hosts without apt-get by @aadhar-agarwal in #8462
• feat: add CoreDNS hosts plugin support for LocalDNS by @saewoni in #8165
• fix: use oras from AZL3 MCR image instead of imagecustomizer by @hbeberman in #8467
• fix: always add aks custom cloud until we do better by @awesomenix in #8468
• fix: add agentbaker tests for new code path i added by @awesomenix in #8473
• feat(e2e): add HTTPS_PROXY + private DNS test scenario by @r2k1 in #8470
• fix: use cloud-specific ARM endpoint for IMDS token in ORAS login by @charleswool in #8424
• fix: blacklist rxrpc/esp4/esp6 modules to mitigate DirtyFrag LPE by @djsly in #8475
• fix: remove description while writing out mod file by @awesomenix in #8484
• feat: add 5B non-sec regkeys by @smiezah-msft in #8483
• chore(vhdbuilder): build ACL VHDs using marketplace images by @aadhar-agarwal in #8469
• test: add coverage for removeComments CSE stripping logic by @djsly in #8489
• feat(acl): add FIPS image builds for Azure Container Linux by @hbeberman in #8463
• fix: prewarm containerd, increase timeout value for wait for containerd ready by @awesomenix in #8496
• fix: better logging when file hash compare fails by @timmy-wright in #8503

Dependabot Updates

• chore(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 by @dependabot[bot] in #8441
• chore(deps): bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #8174
• chore(deps): bump azure/cli from 2 to 3 by @dependabot[bot] in #8175
• chore(deps): bump azure/cli from 2 to 3 by @dependabot[bot] in #8457
• chore(deps): bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #8458

VHD Component Updates

• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8352
• chore(deps): update kube-components (patch) by @renovate[bot] in #8349
• chore(deps): update oss/v2/azure/ip-masq-agent-v2 docker tag to v0.1.16-4 by @renovate[bot] in #8100
• chore(deps): update autoscaler (patch) by @renovate[bot] in #8376
• chore(deps): update coredns (patch) by @renovate[bot] in #8377
• chore(deps): update windowsbase (patch) by @renovate[bot] in #8498
• chore(deps): bump aks-secure-tls-bootstrap-client to v1.1.2 by @cameronmeissner in #8518

New Contributors

• @charleswool made their first contribution in #8424

Full Changelog: v0.20260505.3...v0.20260514.0

v0.20260505.3

What's Changed

Changes

• test: reduce Go test timeout to 80m to stay below 90m ADO job limit by @r2k1 in #8395
• feat: implement budget timeout for apt_get_install by @Devinwong in #8379
• feat: refactor aks-node-controller to use urfave cli to manually do command line parsing, setting by @awesomenix in #8397
• fix: conslidate use of masterminds semver across the codebase by @awesomenix in #8399
• feat: add patch-only version matching for ANC hotfix download by @Devinwong in #8355
• feat: add CSE timing regression tests for all Linux VHDs (Ubuntu 22.04/24.04, Azure Linux V3) by @djsly in #8284
• feat: add GitHub Action for ANC hotfix template injection by @Devinwong in #8405
• fix: use compact JSON in ANC hotfix injection by @Devinwong in #8410
• chore: add agentbaker artifact streaming combo e2es by @mxj220 in #8332
• feat(windows): add support for configuring secure TLS bootstrap client RPC timeouts by @cameronmeissner in #8398
• chore(deps): bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 in /vhdbuilder/lister by @dependabot[bot] in #8402
• chore(deps): bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 in /image-fetcher by @dependabot[bot] in #8409
• chore: add tcpdump to AzureLinuxV3 by @hunter32292 in #8413
• chore: remove snapshot generation from copilot-instructions.md by @cameronmeissner in #8415
• test(ci): add dcgm-exporter compatibility unit test to validate-components workflow by @surajssd in #8368
• fix: exclude beta/pre-release versions for containerd in renovate config by @Devinwong in #8418
• fix: separate allowedVersions into its own packageRule by @Devinwong in #8420
• fix: always clean up /opt/cni/downloads after installNetworkPlugin by @djsly in #8429
• fix: prevent degraded secure-tls-bootstrap.service health from failing CSE by @cameronmeissner in #8432
• feat(scriptless): compare AKSNodeConfig generated cse cmd with NBC cse cmd by @lilypan26 in #8416
• fix: disable scriptless phase2 for subsets of overlapping tests by @awesomenix in #8430
• fix: disable prefetch optimization for azurecontainerlinux since it break first time boot by @awesomenix in #8436
• fix: mitigate CVE-2026-31431 (Copy Fail) algif_aead LPE on Ubuntu and AzureLinux by @djsly in #8437
• fix: replace apt-mark with dpkg equivalents to avoid slow apt initialization by @djsly in #8421
• fix: dont run scriptless phase2 if preprovision is turned on by @awesomenix in #8440
• fix: update AzureContainerLinux image reference by @aadhar-agarwal in #8446
• test(e2e): add ANC hotfix binary selection E2E test by @Devinwong in #8423
• fix: adjusting windows container image json url logic to reach build scripts by @smiezah-msft in #8422
• fix: reduce Windows SIG cleanup retention to 7d and remove name filters by @r2k1 in #8435
• fix: start aks-node-controller service after ssh service by @awesomenix in #8449
• fix: auto create PRs for minor ciprod versions by @timmy-wright in #8445
• fix: add ACL-specific butane config with first-boot service workaround by @aadhar-agarwal in #8447
• test: make Windows log extraction best-effort in cleanup by @r2k1 in #8433
• fix: remove description while writing out mod file by @awesomenix in #8485

Dependabot Updates

• chore(deps): bump github.com/onsi/gomega from 1.39.1 to 1.40.0 by @dependabot[bot] in #8428

VHD Component Updates

• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8293
• chore(deps): update dependency moby-containerd to v1.7.31-ubuntu20.04u1 by @renovate[bot] in #8382
• feat: install aznfs package on AzureLinux 3.0 by @andyzhangx in #8085
• chore(deps): update dependency containerd2 to v2.1.6-2.azl3 by @renovate[bot] in #8431
• chore(deps): bump aks-secure-tls-bootstrap-client to v1.1.1 by @cameronmeissner in #8438
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8427
• fix: update inspektor gadget v0.51.0 compatibility by @burak-ok in #8396
• chore(deps): update azuremonitor/containerinsights/ciprod docker tag to v3.3.0 by @renovate[bot] in #8451
• Revert "chore(deps): update dependency moby-containerd to v1.7.31-ubuntu20.04u1 (#8382)" by @Devinwong in #8455

New Contributors

• @burak-ok made their first contribution in #8396

Full Changelog: v0.20260424.0...v0.20260505.3

v0.20260424.0

What's Changed

Changes

• feat: add configuration support for secure TLS bootstrap client RPC timeouts by @cameronmeissner in #8261
• feat: add OSSKU-based IsCgroupV2 detection and CustomizedImageTrustedLaunch distro by @aadhar-agarwal in #8252
• feat: aks-node-controller self-update mechanism and version command support by @Devinwong in #8257
• feat: add support for --help and version commands in aks-node-controller by @Devinwong in #8313
• feat(windows): windows base version update & script to do it manually by @timmy-wright in #8315
• feat: cache versioned kubelet kubectl package binaries by @awesomenix in #8287
• feat(localdns): add localDNS metrics exporter by @saewoni in #7917
• feat(windows): add using cache first in DownloadFileWithOras by @fseldow in #8289
• feat: implement rendering nodecustomdata in aks-node-controller to support hotfixing scripts by @awesomenix in #8357
• feat: disable kernel lockdown mode for azurelinux 3.0 aks image by default by @miz060 in #7990
• feat(linux): network isolated cluster install package via cached first by @fseldow in #8292
• feat: pass cse cmd generated from nbc to node controller by @awesomenix in #8291
• feat: refactoring blobfuse install to centralized in components.json by @Devinwong in #8326
• feat: enhance renovate configuration with package rules and team assignments by @Devinwong in #8323

Fixes

• fix: use the script file directly instead of bash -c by @awesomenix in #8312
• fix: windows doesnt support EnableScriptlessCSECmd which is default now by @awesomenix in #8318
• fix: acl hostname seems to be set further down boot order, wait for hostname to converge by @awesomenix in #8320
• fix: switch to use msft golang for building aks-node-controller by @awesomenix in #8324
• fix: speed up provisioning even more by 10s with localdns enabled by @awesomenix in #8338
• fix: wait for a bit longer for containerd to get ready, sometimes its slow by @awesomenix in #8348
• fix: do not retry not found errors from azure by @awesomenix in #8351
• fix: fix azure cni case where route table doesnt exist by @awesomenix in #8363
• fix: unfreeze 2204 kernel to pick up new one which has CVE fixes in 1109 by @awesomenix in #8381
• fix: fall back to reinstall command to download security patch package if the package is already installed by @YaoC in #8344
• fix: check file exists before sourcing by @timmy-wright in #8391
• fix: cis regressions — re-apply /etc/issue banners + comprehensive logfile permissions for scan VM by @djsly in #8317
• fix(vhd-scanning): install trivy from PMC with version pinning and Renovate tracking by @djsly in #8248
• fix: add fips tests and downgrade 2004 containerd by @awesomenix in #8380
• fix: bump containerd, fix e2es by @awesomenix in #8385
• fix: adjust Renovate configuration limits and rebase behavior by @Devinwong in #8304
• disable minor update for all packages by default by @Devinwong in #8310
• fix: split rpm matchUpdateTypes and ignoreUnstable by @Devinwong in #8316
• fix: reduce hourly limits for PRs and commits, and update kubelet package rules by @Devinwong in #8346
• fix: update kubelet-kubectl group configuration and add autoscaler group by @Devinwong in #8365
• fix(renovate): enable Renovate version tracking for DCGM AzureLinux 3.0 by @surajssd in #8276

CI/CD/E2E

• fix(e2e): prevent kubenet route table detachment and stale node accumulation by @djsly in #8279
• fix(e2e): allow transient cloud-init temp mount failures in systemd unit validator by @hsubramanianaks in #8309
• e2e: increase Azure SDK retry tolerance for gallery throttling by @djsly in #8314
• test: add blobfuse related content tests by @Devinwong in #8296
• fix: use single e2e and run all flavours by @awesomenix in #8319
• fix: consolidate e2e scenario tests by @awesomenix in #8329
• test: add Ubuntu 24.04 ARM64 artifact streaming e2e tests by @calvin197 in #8328
• test: re-enable Windows Cilium Networking e2e test by @rzlink in #8337
• fix(e2e): validate secure TLS bootstrapping token fallback purely through kubelet logs by @cameronmeissner in #8353
• fix: remove localdns metrics exporter flaky security hardening directives check from e2e by @jingwenw15 in #8356
• fix(e2e): gunzip nbc-cmd source in CustomDataWithNBCCmdHack for Flatcar/ACL by @ganeshkumarashok in #8360
• fix: skip kernel log validation for fips 2004 OS by @awesomenix in #8384
• fix: move EnableScriptlessNBCCSECmd to ScenarioRuntime by @awesomenix in #8325
• fix: add ubuntu2204 azure cni with overlay since thats most popular by @awesomenix in #8389

Dependabot Updates

• chore(deps): bump github.com/moby/spdystream from 0.5.0 to 0.5.1 in /e2e by @dependabot[bot] in #8331

VHD Component Updates

• chore(deps): bump aks-secure-tls-bootstrap-client to v1.1.0 by @cameronmeissner in #8277
• chore(deps): update oss/v2/kubernetes/windows-gmsa-webhook docker tag to v0.12.1-10 by @renovate[bot] in #8275
• chore(deps): bump azure-cloud-node-manager versions by @anndono in #8298
• chore(deps): update kube-components (patch) by @renovate[bot] in #8099
• chore(deps): update windowsbase (patch) by @renovate[bot] in #8307
• chore(deps): update acr-credential-provider (patch) by @renovate[bot] in #8053
• chore(deps): update containernetworking/azure-cns docker tag to v1.8.6 by @renovate[bot] in #8255
• chore(deps): update containernetworking/azure-cni docker tag to v1.8.6 by @renovate[bot] in #8254
• chore(deps): update ama-metrics (minor) by @renovate[bot] in #8278
• chore(deps): update kube-components (patch) by @renovate[bot] in #8321
• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8128
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8127
• chore(deps): update dependency dcgm-exporter by @renovate[bot] in #8290
• chore(deps): update containernetworking/azure-cni docker tag to v1.6.43 by @renovate[bot] in #8340
• chore(deps): update containernetworking/azure-cni docker tag to v1.7.16 by @renovate[bot] in #8333
• chore(deps): update azure-cns (patch) by @renovate[bot] in #8334
• chore: upgrade CSI driver image versions by @andyzhangx in #8339

New Contributors

• @hsubramanianaks made their first contribution in #8309
• @jingwenw15 made their first contribution in #8356

Full Changelog: v0.20260413.0...v0.20260424.0

test version v0.0.1 for aks-node-controller hotfix

Non-production. Test version v0.0.1 for aks-node-controller hotfix.

v0.20260413.0

What's Changed

Changes

• feat(windows): log collector updates by @timmy-wright in #8218
• feat(windows): add known aks processes and files to defender exclusions to improve windows node performance by @timmy-wright in #8245
• feat(windows): add Windows 2025 support for Windows Cilium Networking (WCN) by @rzlink in #7778
• feat(windows): download containerd with oras in network isolated windows cluster by @jiashun0011 in #8151

Fixes

• fix(cse): resolve error code collisions and add missing definition by @surajssd in #8241
• fix(cse): prevent CSE timeout overrun with per-op budget and pre-command guard by @djsly in #8230
• fix(cse): use dpkg for local deb installs by @awesomenix in #8285
• fix(tl): quote --features arg for arm64 TL image definitions by @aadhar-agarwal in #8222
• fix(gpu): add systemd ordering to prevent MIG device detection race by @surajssd in #8247

CI/CD/E2E

• ci: add --min-tls-version TLS1_2 to storage account creation in VHD build scripts by @Copilot in #8210
• ci: add Artifact Streaming E2Es for ARM64 by @mxj220 in #8232
• test: add test for MIG mixed mode by @runzhen in #8249
• feat(e2e): dynamically fetch VM extension version with caching, timeouts, and fallback by @surajssd in #8064
• feat(e2e): fix time dependency and add artifact streaming e2e for azure linux v3 by @ganeshkumarashok in #8204
• fix(ci): change minimum tls version to 1.2 by @awesomenix in #8208
• fix(e2e): improve node-exporter validator diagnostics by @chmill-zz in #8193
• fix(e2e): improveV2 node-exporter validator diagnostics by @chmill-zz in #8234
• fix(e2e): retry VMSS creation on GalleryImageNotFound error by @surajssd in #8239
• fix(e2e): retry WireServer blocked validation to eliminate flakes by @djsly in #8272
• fix(e2e): resolve debug pod before wireserver check retry loop by @djsly in #8274
• fix(e2e): strip --pod-infra-container-image for Kubernetes >= 1.35 by @djsly in #8273
• fix(e2e): set PrincipalType on role assignment to avoid AAD replication race by @ganeshkumarashok in #8251
• fix(e2e): run NC24ads_A100_v4 tests in a westus2 by @runzhen in #8250
• fix(e2e): add DAG dependencies to prevent route table race condition by @djsly in #8268
• refactor(e2e): add DAG-based concurrent task execution for cluster setup by @r2k1 in #8149

Dependabot Updates

• chore(deps): bump actions/github-script from 8 to 9 by @dependabot[bot] in #8271

VHD Component Updates

• chore(deps): bump ACR credential provider for service account image pull by @qweeah in #8206
• chore(deps): update nvidia-device-plugin (minor) by @renovate[bot] in #8129
• chore(deps): update dependency dcgm-exporter - autoclosed by @renovate[bot] in #8238
• chore(deps): update containernetworking/cilium/cilium docker tag to v1.17.10-260312 by @renovate[bot] in #8113
• chore(deps): upgrade blobfuse version to v2.5.3 on Ubuntu by @andyzhangx in #8219

New Contributors

• @runzhen made their first contribution in #8249

Full Changelog: v0.20260330.0...v0.20260413.0

v0.20260330.0

What's Changed

Changes

• feat: network isolated cluster skip cse download by @fseldow in #8077
• fix: skip certificate error E2E failure caused by vmss bug by @mxj220 in #8122
• feat: unblock artifact streaming for arm64 nodes and remove support on mariner by @KananMehta in #8103
• fix: disable nvidia-fabricmanager on single-GPU VMs with MIG by @ganeshkumarashok in #8049
• fix: disable automatic e2e pipeline triggers by @awesomenix in #8135
• fix: restrict e2e pipeline triggers to e2e and go changes by @awesomenix in #8137
• fix: add daily schedules for e2e pipelines on main by @awesomenix in #8140
• fix: stagger nightly e2e schedules to reduce API throttling by @ganeshkumarashok in #8141
• feat: download kubelet with oras in network isolated windows cluster by @jiashun0011 in #8042
• fix(windows): move add kubelet failure restart code by @timmy-wright in #8142
• feat: add hotfix auto-tagging and template generation workflows by @Devinwong in #8131
• feat: support new ACL os-release (ID=azurelinux, VARIANT_ID=azurecontainerlinux) by @aadhar-agarwal in #8123
• fix: revert "feat: add scripts hotfix pipeline for test (#8046)" by @Devinwong in #8150
• feat: onboard NVIDIA GPU support for ACL by @henryli001 in #8112
• feat: run aks node controller at boot time faster by 15s by @awesomenix in #8082
• feat: log scriptless cmd mode for easier logging and debugging by @awesomenix in #8155
• chore: deprecate acr teleport by @calvin197 in #8052
• chore(deps): bump google.golang.org/grpc from 1.72.2 to 1.79.3 in /image-fetcher by @dependabot[bot] in #8126
• chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /vhdbuilder/lister by @dependabot[bot] in #8125
• test: add hotfix e2e test for scriptless CSE command scripts hotfix delivery mechanism by @Devinwong in #8148
• fix: remove teleport references from ACL ARM64 packer template and add ACL builds to PR check-in gates by @cameronmeissner in #8159
• fix: adjust node exporter tls to match what was default behavior in extension by @chmill-zz in #8156
• feat: improve cse bootstrap latency by deferring non-critical work by @awesomenix in #8105
• fix: temporary disable checking for cse-overrides until ACL is fixed by @awesomenix in #8164
• fix: acl and flatcar skip oras repo tag when it is network isolated cluster by @fseldow in #8157
• fix: correctly determine compatibility with prefetch optimization in linux VHD builds by @cameronmeissner in #8162
• fix: stabilize flaky cse_timeout shellspec test by @ganeshkumarashok in #8166
• chore: add @SriHarsha001 to CODEOWNERS by @ganeshkumarashok in #8167
• fix: use reinstall command to download packages by @YaoC in #8176
• fix: set SecurityType=TrustedLaunch in ACL ARM64 image def by @aadhar-agarwal in #8187
• test: convert ACL GPU E2Es to scriptless e2es by @ganeshkumarashok in #8179
• feat: download azure acr credential provider via oras in network isolated windows cluster by @fseldow in #8152
• fix: gracefully restart containerd instead of killing it by @awesomenix in #8184
• fix: set RemainAfterExit=yes for resolv-uplink-override.service by @aadhar-agarwal in #8177
• chore: remove deprecated Azure Linux and Mariner VHD definitions by @Devinwong in #8180
• fix(e2e): explicitly validate --rotate-certificates is true true within TLS bootstrapping validation by @cameronmeissner in #8199
• chore: minor comment change by @calvin197 in #8202

Dependabot Updates

• chore(deps): bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #8094

VHD Component Updates

• chore: add cloud-node-manager v1.35.0 entry by @anndono in #8048
• chore: add cloud-node-manager 1.30.15 and 1.31.12 entries by @anndono in #8097
• chore(deps): update containernetworking/azure-npm docker tag to v1.6.42 by @renovate[bot] in #7492
• chore(deps): update containernetworking/azure-cns docker tag to v1.7.15 by @renovate[bot] in #7386
• chore: update containernetworking/azure-cni docker tag to v1.7.15 by @csfmomo in #8134
• refactor: move acr-mirror version to components.json by @ganeshkumarashok in #8160
• chore(deps): update dependency dcgm-exporter by @renovate[bot] in #8143

Full Changelog: v0.20260318.0...v0.20260330.0

v0.20260318.0

What's Changed

Changes

• test(e2e): add ENABLE_SECURE_TLS_BOOTSTRAPPING to E2E test config by @cameronmeissner in #8087
• feat: oras pull pause image if not cached for windows network isolated cluster by @fseldow in #8038
• feat: windows network isolated cluster support anonymous-disabled bootstrap acr by @fseldow in #8039
• chore: add walinuxagent to team's package list by @mxj220 in #8107
• chore: add gpu tag to ma35d scenarios by @lilypan26 in #8110
• chore(windows): update e2e tests to check dotnet deprecation by @janenotjung-hue in #8095
• fix: azurelinux configure GRID vGPU licensing by @miz060 in #8106
• fix: better error message in windows CSE when API server can't be contacted by @timmy-wright in #7828
• fix: use 1048576 for LIMITNOFILE in both ubuntu and mariner by @SriHarsha001 in #8101
• feat: add Azure Container Linux ARM64 VHD build target by @aadhar-agarwal in #8102

Dependabot Updates

• chore(deps): bump azure/login from 2 to 3 by @dependabot[bot] in #8116

VHD Component Updates

• chore(deps): update cilium-ipam to v1.18.6-260130 by @pdamianov-dev in #8068
• chore(deps): update cilium-ipam to v1.18.6-260312 (patch) by @renovate[bot] in #8093
• chore: use renovate for waagent version, write to release notes, add log-checking e2e by @mxj220 in #8062
• chore(deps): bump azure-cloud-node-manager versions by @anndono in #8083
• chore(deps): update dependency dcgm-exporter by @renovate[bot] in #8043
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8098
• chore(deps): update oss/v2/kubernetes/kubelet-sysext docker tag to v1.34.4 by @renovate[bot] in #8002

New Contributors

• @anndono made their first contribution in #8083

Full Changelog: v0.20260312.0...v0.20260318.0