new breaking change + fix and updated link #5760
Open
alvinli222 wants to merge 1 commit into master from
Contributor
Pull request overview
Updates the top-level AKS release notes for the April 28, 2026 changelog entry. The PR adds an ama-metrics announcement about scoped secret access on Kubernetes 1.36+ and refreshes one preview-feature entry with a direct documentation link.
Changes:
- Added a new ama-metrics release note describing namespace-scoped secret access for Kubernetes 1.36 and later.
- Updated the preview-features entry for kubelet configuration customization to link to the Custom Node Configuration documentation.
- Kept the changes localized to `CHANGELOG.md` as release-note/documentation updates.
| ### Announcements | ||
| * AKS-2026-0003: A Linux kernel algif_aead local privilege escalation vulnerability ([CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)) lets a pod escalate to root on the underlying node — including non-root pods with no special capabilities. Affects AKS nodes running Ubuntu 20.04 FIPS, Ubuntu 22.04, Ubuntu 24.04, and Azure Linux 3.0. Azure Linux 2.0 (Mariner) and Windows nodes aren't affected. The mitigation is globally deployed in node image versions 202604.13.0 and 202604.24.0. New nodes and any node that goes through a node image upgrade are automatically protected. Existing nodes aren't patched in place — upgrade the node image, or, if your pool is already on 202604.24.0, apply the mitigation DaemonSet from the [advisory](https://github.com/Azure/AKS/issues/5753) immediately. See the [AKS security bulletin](https://learn.microsoft.com/azure/aks/security-bulletins/overview) for full details. | ||
| * The [Kubernetes SIG Network](https://github.com/kubernetes/community/blob/master/sig-network/README.md) and the Security Response Committee [announced the upcoming retirement](https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement/) of the [Ingress NGINX project](https://github.com/kubernetes/ingress-nginx/), with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the [application routing Gateway API implementation](https://learn.microsoft.com/azure/aks/app-routing-gateway-api) for a Gateway API-based ingress traffic management experience. | ||
| * The [ama-metrics](https://learn.microsoft.com/azure/azure-monitor/containers/prometheus-metrics-scrape-crd) ClusterRole no longer grants cluster-wide get/list/watch access to Kubernetes Secrets. On Kubernetes 1.36 and later, secrets access is now namespace-scoped: users using pod/service monitors with basic auth enabled must [configure the new secrets_access_namespaces](https://aka.ms/azureprometheus-scoped-secrets-access) setting in the ama-metrics-settings-configmap to specify which namespaces the target allocator can read secrets from, and must create a corresponding Role and RoleBinding in each of those namespaces to avoid failures in metrics scraping. Clusters running Kubernetes versions prior to 1.36 are unaffected and retain cluster-wide secrets access for backward compatibility. This change improves security posture by limiting secrets visibility to only the namespaces explicitly authorized by the user. |
Contributor
https://aka.ms/azureprometheus-scoped-secrets-access is pointing to a GitHub doc. Can we get the necessary steps into learn.microsoft.com in parallel?
| @@ -7,6 +7,7 @@ Monitor the release status by regions at [AKS-Release-Tracker](https://releases. | |||
| ### Announcements | |||
| * AKS-2026-0003: A Linux kernel algif_aead local privilege escalation vulnerability ([CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)) lets a pod escalate to root on the underlying node — including non-root pods with no special capabilities. Affects AKS nodes running Ubuntu 20.04 FIPS, Ubuntu 22.04, Ubuntu 24.04, and Azure Linux 3.0. Azure Linux 2.0 (Mariner) and Windows nodes aren't affected. The mitigation is globally deployed in node image versions 202604.13.0 and 202604.24.0. New nodes and any node that goes through a node image upgrade are automatically protected. Existing nodes aren't patched in place — upgrade the node image, or, if your pool is already on 202604.24.0, apply the mitigation DaemonSet from the [advisory](https://github.com/Azure/AKS/issues/5753) immediately. See the [AKS security bulletin](https://learn.microsoft.com/azure/aks/security-bulletins/overview) for full details. | |||
| * The [Kubernetes SIG Network](https://github.com/kubernetes/community/blob/master/sig-network/README.md) and the Security Response Committee [announced the upcoming retirement](https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement/) of the [Ingress NGINX project](https://github.com/kubernetes/ingress-nginx/), with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the [application routing Gateway API implementation](https://learn.microsoft.com/azure/aks/app-routing-gateway-api) for a Gateway API-based ingress traffic management experience. | |||
| ### Announcements | ||
| * AKS-2026-0003: A Linux kernel algif_aead local privilege escalation vulnerability ([CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)) lets a pod escalate to root on the underlying node — including non-root pods with no special capabilities. Affects AKS nodes running Ubuntu 20.04 FIPS, Ubuntu 22.04, Ubuntu 24.04, and Azure Linux 3.0. Azure Linux 2.0 (Mariner) and Windows nodes aren't affected. The mitigation is globally deployed in node image versions 202604.13.0 and 202604.24.0. New nodes and any node that goes through a node image upgrade are automatically protected. Existing nodes aren't patched in place — upgrade the node image, or, if your pool is already on 202604.24.0, apply the mitigation DaemonSet from the [advisory](https://github.com/Azure/AKS/issues/5753) immediately. See the [AKS security bulletin](https://learn.microsoft.com/azure/aks/security-bulletins/overview) for full details. | ||
| * The [Kubernetes SIG Network](https://github.com/kubernetes/community/blob/master/sig-network/README.md) and the Security Response Committee [announced the upcoming retirement](https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement/) of the [Ingress NGINX project](https://github.com/kubernetes/ingress-nginx/), with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the [application routing Gateway API implementation](https://learn.microsoft.com/azure/aks/app-routing-gateway-api) for a Gateway API-based ingress traffic management experience. | ||
| * The [ama-metrics](https://learn.microsoft.com/azure/azure-monitor/containers/prometheus-metrics-scrape-crd) ClusterRole no longer grants cluster-wide get/list/watch access to Kubernetes Secrets. On Kubernetes 1.36 and later, secrets access is now namespace-scoped: users using pod/service monitors with basic auth enabled must [configure the new secrets_access_namespaces](https://aka.ms/azureprometheus-scoped-secrets-access) setting in the ama-metrics-settings-configmap to specify which namespaces the target allocator can read secrets from, and must create a corresponding Role and RoleBinding in each of those namespaces to avoid failures in metrics scraping. Clusters running Kubernetes versions prior to 1.36 are unaffected and retain cluster-wide secrets access for backward compatibility. This change improves security posture by limiting secrets visibility to only the namespaces explicitly authorized by the user. |
| ### Preview Features | ||
| * Added preview support for AKS-managed [NAT Gateway V2](https://learn.microsoft.com/azure/aks/nat-gateway) outbound type in supported public Azure regions. Regions where StandardV2 NAT Gateway is not yet available remain excluded. | ||
| * Customers can now preview customization of the default `kube-reserved` and hard eviction kubelet configuration through the existing custom node preview feature registration starting with the 2026-03-02-preview API. | ||
| * Customers can now preview customization of the default `kube-reserved` and hard eviction kubelet configuration through the existing [Custom Node Configuration](https://learn.microsoft.com/azure/aks/custom-node-configuration) preview feature starting with the 2026-03-02-preview API release. |
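Review bot: The new ama-metrics entry (the added `* The [ama-metrics]...` line) tells readers to create a Role and RoleBinding in each namespace listed in `secrets_access_namespaces`, but it does not say what the RoleBinding must grant to, so a reader upgrading a cluster cannot act on the changelog entry without following the aka.ms link, which currently resolves to a GitHub page rather than learn.microsoft.com. Suggest naming the subject and verbs in one clause (for example "a Role granting get/list/watch on Secrets, bound to the ama-metrics target allocator's service account") and stating plainly that existing basic-auth pod/service monitors will stop scraping after an upgrade to 1.36 until both the configmap setting and the per-namespace RBAC are in place; the PR title calls this a breaking change, but the entry itself only says "to avoid failures in metrics scraping". Minor style: "users using pod/service monitors" reads awkwardly next to the other entries, which use "Customers"; and the rewritten kubelet-configuration entry drops the word "registration" from "custom node preview feature registration", which was the one hint that a feature flag must be registered before the 2026-03-02-preview API exposes the setting. Consider keeping "registration" alongside the new link.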
Contributor
@alvinli222 do we have a doc that specifically covers the new delta (Customers can now preview customization of the default kube-reserved and hard eviction kubelet configuration) we are covering in this release?
Added new breaking change for ama-metrics