diff --git a/CHANGELOG.md b/CHANGELOG.md index 33c82fa6..18196f1f 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,28 +10,27 @@ Monitor the release status by regions at [AKS-Release-Tracker](https://releases. * No new clusters can be created with [Azure AD Integration (legacy)](https://learn.microsoft.com/azure/aks/azure-ad-integration-cli). Existing AKS clusters with Azure Active Directory integration will keep working. All Azure AD Integration (legacy) AKS clusters will be migrated to [AKS-managed Azure AD](https://learn.microsoft.com/azure/aks/managed-azure-ad) automatically starting from December 1st, 2023. We recommend updating your cluster with AKS-managed Azure AD before December 1st, 2023. This way you can manage the API server downtime during non-business hours. * Starting January 2024, due to Gatekeeper Upstream removing validation for constraint template contents at create/update time, [the Azure Policy Add-On](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-aks:~:text=exception%20YAML.-,Install%20Azure%20Policy%20Add%2Don%20for%20AKS,-Before%20you%20install) will now no longer support this. The Azure Policy Add-On will report [‘InvalidConstraint/Template’ compliance reason code](https://learn.microsoft.com/azure/governance/policy/how-to/determine-non-compliance#aks-resource-provider-mode-compliance-reasons) for detected errors after constraint template admission. This change does not impact [other compliance reason codes](https://learn.microsoft.com/azure/governance/policy/how-to/determine-non-compliance#aks-resource-provider-mode-compliance-reasons). Customers are encouraged to continue to follow best practices when updating Azure Policy for Kubernetes definitions (i.e. [Gator CLI](https://open-policy-agent.github.io/gatekeeper/website/docs/gator/). * [Windows containerd v1.7](https://github.com/Azure/AKS/issues/3975) will be the default container runtime for k8s v1.28+ on AKS Windows nodes. 
Windows Host Process (HPC) containers is GA in Windows containerd v1.7 and it has some [breaking changes](https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/1981-windows-privileged-container-support#container-mounts). +* Starting from Kubernetes version 1.29.0, Azure Linux AKS clusters deployed will be cgroupV2 by default, and existing Azure Linux AKS clusters will change from cgroupV1 to cgroupV2 when upgraded to Kubernetes version 1.29.0+. ### Release notes * Bug Fixes * Fix for when an update with the identity property is issued on an existing AKS Fleet with MSI. - * Fix for if the system nodepool is set to be dedicated, Vertical Pod Autoscaler (VPA) pods can still be scheduled to system nodes. - * Fix for if VPA webhook's CABundle is different from the cert stored in secret, the VPA webhook image version will be bumped. + * Corrected issue where on tainted/dedicated system pools the Vertical Pod Autoscaler (VPA) deployment could end up on non-system pools. + * Fix for issue where a Certificate Authority bundle mismatch could produce an update on the image version of the VPA webhook. * Fix where pod age is now calculated from cluster creation time rather than cluster stop time for [managed cluster start/stop](https://learn.microsoft.com/en-us/azure/aks/start-stop-cluster?tabs=azure-cli). * In AKS with Azure CNI, there is possible deadlock scenario where Container Network Service (CNS) API is not available. [Aync Delete](https://github.com/Azure/azure-container-networking/tree/master/docs/feature/async-delete) fixes this deadlock issue. The CNI calls to CNS to release an IP address from a Pod asynchronously with a failsafe in such a way that if CNS is unavailable, it can recover these events when it does eventually start. * Fix for Windows NPM crashes in k8s 1.28 with Containerd 1.7. Bug was a result Windows NPM DaemonSet referencing a file that did not exist in its current directory.[Containerd 1.7](https://github.com/Azure/AKS/issues/3975). 
- * Fixed fleet clusters, so they will not be correctly set to NRG-Lockdown RestrictionLevel Restricted, instead of Unspecified. Additionally, fleet clusters within one of the undesired Unspecified states will be fixed on reconcile. + * Fixed fleet clusters, so they will now be correctly set to NRG-Lockdown RestrictionLevel Restricted, instead of Unspecified. Additionally, fleet clusters within one of the undesired Unspecified states will be fixed on reconcile. * Behavioral Change * All AKS managed namespaces now have a "kubernetes.azure.com/managedby:" AKS label. * VPA updater and recommender resource requests and limits can now be configured by customer to avoid OOMkill or resource wastage. - * Fix to prevent Open Service Mesh control plane from fighting with AKS admission enforcer. + * Fix to prevent conflict between Open Service Mesh and AKS Admission Enforcer. * [Windows Disable Outbound NAT (Preview)](https://learn.microsoft.com/azure/aks/nat-gateway#disable-outboundnat-for-windows-preview:~:text=identity%20%24IDENTITY_ID-,Disable%20OutboundNAT%20for%20Windows%20(preview),-Windows%20OutboundNAT%20can) now supports WS2019 and WS2022. - * Starting from Kubernetes version 1.29.0, Azure Linux AKS clusters deployed will be cgroupV2 by default, and existing Azure Linux AKS clusters will change from cgroupV1 to cgroupV2 when upgraded to Kubernetes version 1.29.0+. * Microsoft Defender for Cloud publisher image has been updated to 1.0.68 (now distroless) * Microsoft Defender for Cloud OldFileCleaner image has been updated to 1.4.68 * Component Updates * Azure Linux image has been updated to [Azure Linux - 202310.26.0](vhd-notes/AzureLinux/202310.26.0.txt). - * AKS Ubuntu 18.04 image has been updated to [AKSUbuntu-1804-202310.26.0](vhd-notes/aks-ubuntu/AKSUbuntu-1804/202310.26.0.txt). * AKS Ubuntu 22.04 image has been updated to [AKSUbuntu-2204-202310.26.0](vhd-notes/aks-ubuntu/AKSUbuntu-2204/202310.26.0.txt).
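Review bot: the rewritten VPA bug-fix line reverses the meaning of the line it replaces and one of the two must be wrong: the removed text says VPA pods "can still be scheduled to system nodes" when the system pool is dedicated, while the new text says the VPA deployment "could end up on non-system pools"; confirm which placement was actually broken and fixed and make the wording match, since a reader planning a dedicated system pool will act on it. The deletion of the "AKS Ubuntu 18.04 image has been updated to AKSUbuntu-1804-202310.26.0" line under Component Updates is silent; if no 18.04 VHD ships in this release, say so in the release notes rather than just dropping the line, otherwise restore it. Minor, in unchanged context that this edit is a good chance to clean up: "[Aync Delete]" should read "Async Delete", "Bug was a result Windows NPM DaemonSet" is missing "of" and a space before "[Containerd 1.7]", the "(i.e. [Gator CLI](...)" parenthesis is never closed, and the Defender publisher image line lacks a terminating period.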