3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -7,6 +7,7 @@ Monitor the release status by regions at [AKS-Release-Tracker](https://releases.
### Announcements
* AKS-2026-0003: A Linux kernel algif_aead local privilege escalation vulnerability ([CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)) lets a pod escalate to root on the underlying node — including non-root pods with no special capabilities. Affects AKS nodes running Ubuntu 20.04 FIPS, Ubuntu 22.04, Ubuntu 24.04, and Azure Linux 3.0. Azure Linux 2.0 (Mariner) and Windows nodes aren't affected. The mitigation is globally deployed in node image versions 202604.13.0 and 202604.24.0. New nodes and any node that goes through a node image upgrade are automatically protected. Existing nodes aren't patched in place — upgrade the node image, or, if your pool is already on 202604.24.0, apply the mitigation DaemonSet from the [advisory](https://github.com/Azure/AKS/issues/5753) immediately. See the [AKS security bulletin](https://learn.microsoft.com/azure/aks/security-bulletins/overview) for full details.
* The [Kubernetes SIG Network](https://github.com/kubernetes/community/blob/master/sig-network/README.md) and the Security Response Committee [announced the upcoming retirement](https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement/) of the [Ingress NGINX project](https://github.com/kubernetes/ingress-nginx/), with maintenance ending in March 2026. Application routing add-on users: Production workloads remain fully supported through November 2026. Migrate to the [application routing Gateway API implementation](https://learn.microsoft.com/azure/aks/app-routing-gateway-api) for a Gateway API-based ingress traffic management experience.
* The [ama-metrics](https://learn.microsoft.com/azure/azure-monitor/containers/prometheus-metrics-scrape-crd) ClusterRole no longer grants cluster-wide get/list/watch access to Kubernetes Secrets. On Kubernetes 1.36 and later, secrets access is now namespace-scoped: users using pod/service monitors with basic auth enabled must [configure the new secrets_access_namespaces](https://aka.ms/azureprometheus-scoped-secrets-access) setting in the ama-metrics-settings-configmap to specify which namespaces the target allocator can read secrets from, and must create a corresponding Role and RoleBinding in each of those namespaces to avoid failures in metrics scraping. Clusters running Kubernetes versions prior to 1.36 are unaffected and retain cluster-wide secrets access for backward compatibility. This change improves security posture by limiting secrets visibility to only the namespaces explicitly authorized by the user.
Contributor

https://aka.ms/azureprometheus-scoped-secrets-access is pointing to a GitHub doc. Can we get the necessary steps into learn.microsoft.com in parallel?


### Kubernetes Version
* New Kubernetes patch versions are now available: `1.35.2`, `1.35.3`, `1.34.5`, `1.34.6`, `1.33.9`, and `1.33.10`.
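
Review bot: The opening sentence of the added ama-metrics entry says without qualification that the ClusterRole "no longer grants cluster-wide get/list/watch access to Kubernetes Secrets", while the later sentence says clusters prior to 1.36 retain cluster-wide access, so a reader who stops at the first sentence gets the wrong picture for an older cluster. Suggest leading with the version scope, for example "On Kubernetes 1.36 and later, the ama-metrics ClusterRole no longer grants ...", and stating which verbs the per-namespace Role has to grant so operators can write a least-privilege Role from the changelog alone. Since scraping fails for pod/service monitors with basic auth until `secrets_access_namespaces` and the Role/RoleBinding are in place, the entry should also be marked as an action-required change rather than reading as a plain announcement.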
Expand All @@ -17,7 +18,7 @@ For deprecation, rollouts and patch timelines by region, please check the [AKS-R

### Preview Features
* Added preview support for AKS-managed [NAT Gateway V2](https://learn.microsoft.com/azure/aks/nat-gateway) outbound type in supported public Azure regions. Regions where StandardV2 NAT Gateway is not yet available remain excluded.
* Customers can now preview customization of the default `kube-reserved` and hard eviction kubelet configuration through the existing custom node preview feature registration starting with the 2026-03-02-preview API.
* Customers can now preview customization of the default `kube-reserved` and hard eviction kubelet configuration through the existing [Custom Node Configuration](https://learn.microsoft.com/azure/aks/custom-node-configuration) preview feature starting with the 2026-03-02-preview API release.
Contributor

@alvinli222 do we have a doc that specifically covers the new delta (Customers can now preview customization of the default kube-reserved and hard eviction kubelet configuration) we are covering in this release?

* Customers can now view the VM SKUs supported on AKS and available in their Azure subscription with the [AKS List Available VM SKUs API](https://learn.microsoft.com/azure/aks/aks-list-skus), to create their clusters and/or add node pools.
* [AKS-managed GPU metrics](https://learn.microsoft.com/azure/aks/monitor-gpu-metrics) are now supported by default in Azure Managed Prometheus and Dashboards with Grafana in Azure Monitor.
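
Review bot: The replacement line for the `kube-reserved` entry drops the word "registration" ("existing custom node preview feature registration" becomes "[Custom Node Configuration] preview feature"), so the entry no longer tells readers that a preview feature registration is involved. If registration is still required, keep that wording alongside the new link. The entry also does not name the settings that become customizable; listing them, or linking to the section of the Custom Node Configuration page that documents them, would let readers see exactly what changes in node resource reservation and hard eviction behaviour.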
