End-Of-Life Reminders

• For customers using AKS on Windows Server 2019, please be aware that Windows Server 2019 has reached end of mainstream support, we recommend customers to upgrade to Windows Server 2022.

• If you’re using AKS on Azure Local, version 22H2, please be aware that Azure Local, version 22H2 has reached end of service in May 2025. You'll no longer receive monthly security and quality updates that provide protection from the latest security threats. To continue receiving updates, we recommend updating your operating system to version 23H2. Uninstall AKS on Azure Local, version 22H2 before you apply the solution upgrade since AKS versions are incompatible between Azure Local, version 22H2 and Azure Local, version 23H2. Please see the documentation here to plan your upgrade

Upcoming End-of-Life Announcements

• We’ve previously announced the 3-year retirement of Windows Server 2019 node pool support on AKS Arc. Windows Server 2019 images will no longer be supported after 31 March 2026. This means in April 2026 and onwards, Windows Server 2019 node pools will not be available on AKS Arc releases after April 2026, and issues related to Windows node pools that use the Windows Server 2019 image will not be supported. Please ensure you recreate your Windows node pools using the Windows Server 2022 image to remain in support.

• We've previously announced the 3-year retirement of the current architecture of AKS hybrid on Windows Server 2019 and AKS on Windows Server 2022. Starting on March 2028, you will no longer get support, security and quality updates for your existing AKS hybrid clusters.

Release Notes

Version Numbers

• AKS Hybrid version - 1.2.2.11107
• KVA version: 1.30.9
• Powershell version 1.2.41
• Containerd: 1.7.13
• WAC: 2306 GA version
• AKS Extension in WAC: 4.11.0
• Kubernetes version 1.29.12, 1.29.13, 1.30.8, 1.30.9, 1.31.4, 1.31.5
• Azure Linux - Version: 3.0.20250602

What's New

• Fixed an image packaging issue where Kubernetes (k8s) dependencies were not picked up from the backed VHD and were instead fetched from the internet. The image now uses the dependencies bundled in the VHD rather than downloading them, ensuring smooth cluster provisioning and runtime consistency.

End-Of-Life Reminders

• For customers using AKS on Windows Server 2019, please be aware that Windows Server 2019 has reached end of mainstream support, we recommend customers to upgrade to Windows Server 2022.

• If you’re using AKS on Azure Local, version 22H2, please be aware that Azure Local, version 22H2 has reached end of service in May 2025. You'll no longer receive monthly security and quality updates that provide protection from the latest security threats. To continue receiving updates, we recommend updating your operating system to version 23H2. Uninstall AKS on Azure Local, version 22H2 before you apply the solution upgrade since AKS versions are incompatible between Azure Local, version 22H2 and Azure Local, version 23H2. Please see the documentation here to plan your upgrade

Upcoming End-of-Life Announcements

• We’ve previously announced the 3-year retirement of Windows Server 2019 node pool support on AKS Arc. Windows Server 2019 images will no longer be supported after 31 March 2026. This means in April 2026 and onwards, Windows Server 2019 node pools will not be available on AKS Arc releases after April 2026, and issues related to Windows node pools that use the Windows Server 2019 image will not be supported. Please ensure you recreate your Windows node pools using the Windows Server 2022 image to remain in support.

• We've previously announced the 3-year retirement of the current architecture of AKS hybrid on Windows Server 2019 and AKS on Windows Server 2022. Starting on March 2028, you will no longer get support, security and quality updates for your existing AKS hybrid clusters.

Release Notes

Version Numbers

• AKS Hybrid version - 1.2.0.11008
• KVA version: 1.30.9
• Powershell version 1.2.41
• Containerd: 1.7.13
• WAC: 2306 GA version
• AKS Extension in WAC: 4.11.0
• Kubernetes version 1.29.12, 1.29.13, 1.30.8, 1.30.9, 1.31.4, 1.31.5
• Azure Linux - Version: 3.0.20250602

What's New

• Introducing Kubernetes version 1.30 and 1.31 in this release.
• We also have upgraded the Linux images to now use Azure Linux 3.0.

CVE fixes

• All CVEs addressed in included in this Azure Linux 3.0

End-Of-Life Announcements

• For customers using AKS on Windows Server 2019, please be aware that it has reached end of mainstream support, we recommend customers to upgrade to Windows Server 2022.

• If you’re using AKS on Azure Local, version 22H2, please be aware that Azure Local, version 22H2 has reached end of service in May 2025. You'll no longer receive monthly security and quality updates that provide protection from the latest security threats. To continue receiving updates, we recommend updating your operating system to version 23H2. Uninstall AKS on Azure Local, version 22H2 before you apply the solution upgrade since AKS versions are incompatible between Azure Local, version 22H2 and Azure Local, version 23H2.

• We’ve previously announced the 3-year retirement of Windows Server 2019 on AKS hybrid. Windows Server 2019 will no longer be supported after 31 March 2026. This means in April 2026 and onwards, Windows Server 2019 node pools will not be available from supported AKS hybrid releases. Please ensure you upgrade your Windows node pools to Windows Server 2022 to remain in support.

• We've previously announced the 3-year retirement of the current architecture of AKS hybrid on Windows Server 2019 and AKS on Windows Server 2022. Starting on March 2028, you will no longer get support, security and quality updates for your existing AKS hybrid clusters.

Release Notes

Version Numbers

• KVA version: 1.29.4
• PowerShell: 1.2.35
• Containerd: 1.6.26
• WAC: 2306 GA version
• AKS Extension in WAC: 4.11.0

What's New

• Improved error detection and reporting across key operations like login, key management, and virtual disk handling.
• Fixes to address and prevent out-of-sync issues between cloud and node agents, improving consistency and reducing operational drift.
• Fixes that address inconsistencies in key expiration logic and corrected certificate revocation behaviors to ensure secure and predictable cryptographic operations.
• New telemetry points were added for agent lifecycle events, panic traces, and login flows, enhancing system visibility and diagnostics.
• Prechecks were introduced or refined to catch issues early—such as network connectivity gaps, invalid configurations, and resource constraints—before critical operations proceed.
• Enhancements ensure proper cleanup of stale or orphaned resources like IP/MAC pool entries and containers, reducing the risk of resource leaks and operational blockages.
• There are no new Kubernetes versions in this release.

Known issues

• If you’re using A2 GPUs, you might hit unexpected issues while upgrading to this release. In this event, file a support case for further assistance.

CVE fixes

• All CVEs addressed in Mariner 2.0.20240829 and Mariner 2.0.20240731 are addressed in the previous AKS hybrid release. No new changes.

Kubernetes changelog for 1.27, 1.28 and 1.29 versions

• kubernetes/CHANGELOG/CHANGELOG-1.29.md at master · kubernetes/kubernetes

• kubernetes/CHANGELOG/CHANGELOG-1.28.md at master · kubernetes/kubernetes

• kubernetes/CHANGELOG/CHANGELOG-1.27.md at master · kubernetes/kubernetes

Announcements

• There are no new Kubernetes versions in this release. This release is for bug fixes and to mitigate the impact on Azure CDN from Edgio retirement.

• Known issue: If you’re using A2 GPUs, you might hit unexpected issues while upgrading to this release. In this event, file a support case for further assistance.

• For customers using AKS on Windows Server 2019, be aware that it has reached end of mainstream support, we recommend customers to upgrade to Windows Server 2022 if possible.

• We’ve previously announced the 3-year retirement of Windows Server 2019 on AKS hybrid. Please ensure you upgrade to Windows Server 2022 to remain in support.

• If you’re using AKS on Azure Local, version 22H2, be aware that Azure Local, version 22H2 will reach end of service by May 2025. After that, you won't receive monthly security and quality updates that provide protection from the latest security threats. To continue receiving updates, we recommend updating your operating system to version 23H2. Uninstall AKS on Azure Local, version 22H2 before you apply the solution upgrade since AKS versions are incompatible between Azure Local, version 22H2 and Azure Local, version 23H2.

Release Notes

Version Numbers

• KVA version: 1.29.4
• PowerShell: 1.2.16
• Containerd: 1.6.26
• WAC: 2306 GA version
• AKS Extension in WAC: 4.11.0

What's New

• Due to Edgio bankruptcy and its impact on Azure CDN, assets hosted behind azureedge.net domain will cease to function anytime. The endpoint was used during Install-AksHci and Enable-AksHciArcConnection to onboard AKS hybrid clusters to Azure Arc. This release removes the endpoint from AKS hybrid product.
• Improved AKS hybrid VHD delete operations.
• Free IPs in IP pool in case AKS hybrid cluster is scaled down or deleted.
• Unexpected cluster VM restarts during an upgrade operation.

CVE fixes

• All CVEs addressed in Mariner 2.0.20240829 and Mariner 2.0.20240731 are addressed in the previous AKS hybrid release. No new changes.

Kubernetes changelog for 1.27, 1.28 and 1.29 versions

• kubernetes/CHANGELOG/CHANGELOG-1.29.md at master · kubernetes/kubernetes

• kubernetes/CHANGELOG/CHANGELOG-1.28.md at master · kubernetes/kubernetes

• kubernetes/CHANGELOG/CHANGELOG-1.27.md at master · kubernetes/kubernetes

Announcements

• With this release, we are retiring older AKS hybrid versions: July 2023, Aug 2023 and Oct 2023. Please update your clusters to remain in support.

• With this release, Kubernetes version 1.26 and below is out of support. Please ensure that you upgrade your clusters to remain in support.

• For customers using AKS on Windows Server 2019, be aware that it has reached end of mainstream support, we recommend customers to upgrade to Windows Server 2022 if possible.

• We’ve previously announced the 3-year retirement of Windows Server 2019 on AKS hybrid. Please ensure you upgrade to Windows Server 2022 to remain in support.

• Flannel CNI option has been deprecated, and no support will be offered. This option will be removed in the next release of AKS hybrid.

• If you’re using AKS on Azure Local, version 22H2, be aware that Azure Local, version 22H2 will reach end of service by May 2025. After that, you won't receive monthly security and quality updates that provide protection from the latest security threats. To continue receiving updates, we recommend updating your operating system to  version 23H2. Uninstall AKS on Azure Local, version 22H2 before you apply the solution upgrade since AKS versions are incompatible between Azure Local, version 22H2 and Azure Local, version 23H2.

Release Notes

Version Numbers

• KVA version: 1.29.4
• PowerShell: 1.2.16
• Containerd: 1.6.26
• WAC: 2306 GA version
• AKS Extension in WAC: 4.11.0

What's New

• We’ve fixed GitHub issue 282. Previously, if you installed AKS hybrid in an environment with Az.Accounts > 2.7 installed, the installation would fail at the Arc onboarding stage. With this release, you can now use the latest version of Az.Accounts, with support for encrypted service principal.

• In order to install AKS hybrid in an environment with Az.Accounts > 2.7, in addition to passing the -credential parameter during Set-AksHciRegistration, you also need to pass the $credential parameter during Install-AksHci: Install-AksHci -credential $credential

Bug Fixes

• Users can now run Enable-AksHciArcConnection after Disable-AksHciArcConnection.

• Improved error messages when create/update AKS cluster hits timeout issues.

• Reduced RBAC scope of CSI plugin to VM update operation only.

• Block logical network deletion if it is currently used by an AKS cluster.

CVE fixes

• All CVEs addressed in Mariner 2.0.20240829 and Mariner 2.0.20240731 are addressed in this AKS Arc release

Kubernetes changelog for 1.27, 1.28 and 1.29 versions

• kubernetes/CHANGELOG/CHANGELOG-1.29.md at master · kubernetes/kubernetes

• kubernetes/CHANGELOG/CHANGELOG-1.28.md at master · kubernetes/kubernetes

• kubernetes/CHANGELOG/CHANGELOG-1.27.md at master · kubernetes/kubernetes

Announcements

• With this release, we are retiring older AKS-HCI versions: January 2023, March 2023, and May 2023. Please update your clusters to remain in support.

Release Notes

Version Numbers

• KVA version: 1.28.5
• PowerShell: 1.2.4
• Containerd: 1.6.26
• WAC: 2306 GA version
• AKS Extension in WAC: 4.11.0

What's New

Features

• Improvements in fail-back functionality allows AKS to efficiently use the recovered servers after a fail-over event has been resolved and the HCI cluster has been restored.

Software updates

• We have updated several components and dependencies to the latest versions to fix the following CVEs:
  • CVE-2023-5528 Kubernetes Improper Input Validation vulnerability
  • CVE-2023-3955 Insufficient input sanitization on Windows nodes leads to privilege escalation
  • CVE-2023-3676 Insufficient input sanitization on Windows nodes leads to privilege
  • CVE-2023-45288 - Golang.org/x/net is bumped to v0.23.0 to address this
  • CVE-2024-24786 - Updated google.golang.org/protobuf to v1.33.0 to resolve this

Bug Fixes

  - A bug that would allow VHD to be deleted while it was still attached to a VM, has been fixed.
  - Several MOC bugs were fixed and enhancements made in the VHD attach/detach/cleanup processes.

Some important Bugs fixes and Regressions fixed in k8s 1.28 called out below

(please check the full list on Kubernetes release notes -1.28 changelog.md)

- Fix pod restart after node reboot when NewVolumeManagerReconstruction feature gate is enabled and SELinuxMountReadWriteOncePod disabled 
- Fix a race condition in kube-proxy when using LocalModeNodeCIDR to avoid dropping Services traffic if the object node is recreated when kube-proxy is starting 
- Fixed a race condition between Run() and SetTransform() and SetWatchErrorHandler() in shared informers. 
- Fixed a regression in default configurations, which enabled PodDisruptionConditions by default, that prevented the control plane's pod garbage collector from deleting pods that contained duplicated field keys (env. variables with repeated keys or container ports). 
- Fixed the issue where pod with ordinal number lower than the rolling partitioning number was being deleted it was coming up with updated image.
- Fixes calculating the requeue time in the cronjob controller, which results in properly handling failed/stuck jobs 
- Service Controller: update load balancer hosts after node's ProviderID is updated 
- Fix a bug in cronjob controller where already created jobs may be missing from the status.
- Fixed a bug where containers would not start on cgroupv2 systems where swap is disabled. 
- Fixed a regression in kube-proxy where it might refuse to start if given single-stack IPv6 configuration options on a node that has both IPv4 and IPv6 IPs. 
- Fixed an issue to not drain all the pods in a namespace when an empty-selector i.e. "{}" is specified in a Pod Disruption Budget (PDB) 
- Fixed attaching volumes after detach errors. Now volumes that failed to detach are not treated as attached, Kubernetes will make sure they are fully attached before they can be used by pods. 
- Fixed bug to surface events for the following metrics: apiserver_encryption_config_controller_automatic_reload_failures_total, apiserver_encryption_config_controller_automatic_reload_last_timestamp_seconds, apiserver_encryption_config_controller_automatic_reload_success_total
- Fixes a bug where Services using finalizers may hold onto ClusterIP and/or NodePort allocated resources for longer than expected if the finalizer is removed using the status subresource 
- Revised the logic for DaemonSet rolling update to exclude nodes if scheduling constraints are not met. This eliminates the problem of rolling updates to a DaemonSet getting stuck around tolerations
- Sometimes, the scheduler incorrectly placed a pod in the "unschedulable" queue instead of the "backoff" queue. This happened when some plugin previously declared the pod as "unschedulable" and then in a later attempt encounters some other error. Scheduling of that pod then got delayed by up to five minutes, after which periodic flushing moved the pod back into the "active" queue. 

Announcements

• For those customers using Windows Server 2019, be aware that it has reached end of mainstream support, we recommend customers to upgrade to latest Windows Server version if possible.

Release Notes

Version Numbers

• AKS hybrid version: 1.0.22.10209
• Kubernetes versions: 1.25.6, 1.25.11, 1.26.3, 1.26.6, 1.27.1, 1.27.3
• KVA version: 1.27.3
• PowerShell: 1.1.104
• WAC: 2306 GA version
• AKS Extension in WAC: 4.11.0
• Containerd: 1.6.26

What's New

Features

• Update to Calico CNI 3.26.4

Bug Fixes

• In some instances, KMS pod was not able to communicate to cloudagent. It was failing with the error “rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp: i/o timeout””.
• Expired tokens were observed in customer deployments even when the auto rotate feature was enabled.
• Issues with HAproxy Loadbalancer failover cluster and failback. In some situations, we observed attempts to bind IPs before VIPs were available.
• Problems scaling a cluster running on unsupported versions of Kubernetes caused by missing configmaps or wrong location used in MOC.

Software updates

• We have updated several components and dependencies to the latest versions to fix the following CVEs:
  • CVE-2023-48795
  • CVE-2024-21626

Announcements

• With this release, we will retire older AKS-HCI versions from July 2022, August 2022, September 2022, and October 2022. Please update your clusters to remain in support.

Release Notes

Version Numbers

• AKS hybrid version: 1.0.21.11030
• Kubernetes versions: 1.24.10, 1.24.11, 1.25.6, 1.25.11, 1.26.3, 1.26.6
• KVA version: 1.26.6
• PowerShell: 1.1.95
• WAC: 2306 GA version
• AKS Extension in WAC: 2.170.0
• Containerd: 1.6.22

What's New

Features

• Updated to CAPI 1.4.2

Bug Fixes

• Azure Arc onboarding prechecks were improved to handle transitory restricted network bandwidth.

Software updates

• We have updated several components and dependencies to the latest versions to fix the following CVEs:
  • CVE-2021-3121

Announcements

• This release adds support for Kubernetes 1.26.*
• Deprecation alert: Support for the Flannel CNI will be removed on or after December 1st 2023.

Release Notes

Version Numbers

• AKS hybrid version: 1.0.20.10819
• Kubernetes versions: 1.24.10, 1.24.11, 1.25.6, 1.25.7, 1.26.0, 1.26.3
• KVA version: 1.26.3
• PowerShell: 1.1.83
• WAC: 2306 GA version
• AKS Extension in WAC: 2.163.0
• Containerd: 1.6.12

What's New

• AKS hybrid node autoscaler moves to a more secure Kubernetes Namespace: Based on customer feedback, we have made changes in which Kubernetes namespace to deploy the AKS hybrid node autoscaler in, instead of using the default namespace it now resides in the kube-system namespace of the management cluster. This enhances the security posture of the node autoscaler, as it can be isolated from other resources and pods in the default namespace, and it also enables customers to apply custom policies and RBAC rules to the default namespace. During upgrade to the latest release, if the node autoscaler is enabled it will be relocated and re-configured from the default namespace to the kube-system namespace, during the move and the upgrade autoscaling will be paused and continues after the upgrade is completed.

Deprecated Features for AKS on Azure Stack HCI and Windows Server:

Deprecating Flannel CNI option for AKS hybrid networking: As part of our commitment to continuous innovation and providing the best possible service for our customers, we are deprecating the Flannel CNI option for AKS hybrid networking. Flannel was the original CNI when AKS hybrid released, but it has limitations in functionality, scalability, security, and observability. We have been using Calico as the default CNI option for AKS hybrid networking for 18 months, and it offers superior performance and features for hybrid scenarios. Customers who are still using Flannel should migrate to Calico as soon as possible by redeploying the target cluster with a new network configuration, as Flannel will be removed by December 1st 2023. We are also planning on adding additional CNI options in AKS hybrid over the next 12 months, to give customers more flexibility and choice for their hybrid deployments.

NOTE: This does not affect AKS Edge Essentials with K3s.

WAC updates

• We are now using the WAC 2306 GA version.

Bug Fixes

• We fixed a bug where the volume was not detached after the pod and PVC objects were deleted.

Software updates

• We have updated several components and dependencies to the latest versions to fix the following CVEs:
  • CVE-2021-3121
  • For more information on Kubernetes v1.26, click here

Announcements

Release Notes

Version Numbers

• AKS hybrid version: 1.0.19.10705
• Kubernetes versions: 1.23.12, 1.23.15, 1.24.9, 1.24.11, 1.25.5, 1.25.7
• KVA version: 1.25.7
• PowerShell: 1.1.81
• WAC: 2306 GA version
• AKS Extension in WAC: 2.162.0
• Containerd: 1.6.12

What's New

WAC updates

• We are now using the WAC 2306 GA version.

Bug Fixes

• We fixed a bug where the volume was not detached after the pod and PVC objects were deleted.
• To see other bug fixes, please check out our release blog.

Software updates

• We have updated several components and dependencies to the latest versions to fix the following CVEs:
  • CVE-2021-3121
  • For more information on Kubernetes v1.25, click here.