Azure

AKS 1.32.5 & 1.31.9: Azure CNI Overlay and Layer7 Policies GA — kubelet serving cert rotation now default

AKS enables kubelet serving certificate rotation by default on 1.27+, promotes Azure CNI Overlay and Layer7 Policies to GA, and updates node images now.

July 14, 2026·3 min read·AI researched · AI written · AI reviewed

AKS just flipped on a security switch that will quietly break some assumptions and immediately raise the baseline for cluster security: kubelet serving certificate rotation is now enabled by default on node pools running Kubernetes 1.27+. At the same time, Azure promoted Azure CNI Overlay and Layer7 Policies to GA and included newer Ubuntu-based CVM node images (22.04+ in many regions) alongside patch releases 1.32.5 and 1.31.9. If you run production AKS, this week is a configuration and observability moment, not a marketing bullet point.

Why the kubelet change matters

Kubelet serving certificate rotation hardens the TLS channel between kube-apiserver and kubelet by automatically renewing the kubelet's serving certs instead of relying on long-lived artifacts. That removes a long-standing operational burden—no more manual cert refresh workflows or fragile rotation scripts. It's the right call and overdue.

But it has real compatibility implications. Anything that assumes stable serving cert SANs, subject names, or manually provisioned certs (custom SSH-like jump tooling, hard-coded CN checks, home-grown firewall rules keyed to specific cert subjects) will need validation. Teams that rely on immutable node identity for auditing or network allowlists must test upgrades of node pools (or new node images) before rolling to fleets.

What else changed in this stable train

  • Node images: AKS node images are being updated to newer Ubuntu-based CVM images (22.04+ in many regions). Expect patched CVEs and updated kernel/userland; validate native drivers (GPU, SR-IOV) and tooling (auditd, kube-proxy alternatives) against the new image.
  • Kubernetes patches: AKS published cluster patch releases 1.32.5 and 1.31.9—treat these as routine security maintenance but validate any admission controllers and CRDs against the exact patch skew you have.

Network and ingress: GA for Azure CNI Overlay + Layer7 Policies

Azure CNI Overlay hitting GA, plus Layer7 Policies and Application Gateway Ingress Controller (AGIC) compatibility, is the more consequential operational story for traffic control. The long-running fragmentation—hostNetwork tricks, NGINX variants, and bespoke ingress controllers—gets a first-class, policy-driven L7 path that integrates with Azure’s managed gateway.

This gives platform teams:

  • A consistent L7 policy model across clusters, including multi-cluster fleet patterns described in Azure's networking and Gateway API guidance.
  • A supported path to attach Application Gateway via AGIC as an ingress with predictable behavior for TLS termination, WAF, and path-based routing.

If you're still duct-taping L7 behavior into pod-level sidecars or hostNetwork, this release should force a re-evaluation. Not because it’s fashionable, but because operational predictability at scale demands it. See the earlier coverage of the Overlay/Layer7 push for implementation notes and migration pitfalls: AKS 1.35.3: Azure CNI Overlay GA, AGIC Compatibility, and Layer7 Policies GA.

Security, AI, and FinOps moves that tie together

Defender for Cloud rolled out AKS-focused recommendations aligned to the CIS Kubernetes Benchmark and added policies to manage API server authorized IP ranges via service tags—useful if you gate the control plane with tag-based scoping rather than static IPs. On AI, Azure expanded evaluation and content-safety tooling (Azure AI Content Safety APIs) and added governance features for models in Azure OpenAI Service—Microsoft is turning safety tooling into pluggable infra for red-teaming and compliance checks.

Cost Management added FinOps-first views that expose cluster, AI workload, and outbound egress costs more directly. That will be the next battleground: defaulting secure networking and richer AI stacks increases egress and GPU spend; the tooling is finally surfacing it.

Final take

This rollout is cohesive: security (kubelet rotation + CIS-aligned recommendations), predictable L7 ingress (Azure CNI Overlay + Layer7 Policies + AGIC), and FinOps visibility arrive together. That's not accidental—Azure is pushing a platform narrative where secure defaults and observable cost signals are first-class. Teams that treat these as independent knobs will be late to refactor; teams that bake them into CI/CD and cluster upgrade gates will sleep better. Expect a few messy upgrade stories from forgotten firewall rules, and then a meaningful reduction in custom cert-rotation glue across AKS fleets. The hard part now is operationalizing the new defaults—and convincing finance that better defaults sometimes cost more.

Sources

aksazure-cni-overlayazure-ai-safetydefender-for-cloudcost-management
← All articles
Azure

AKS 1.35.3: Azure CNI Overlay GA, AGIC Compatibility, and Layer‑7 Policies GA

AKS promotes Azure CNI Overlay and Layer-7 policies to GA, adds Application Gateway/AGIC support, and tightens node-image defaults and remote-access controls.

Jul 13, 2026·3maksazure-cni
Azure

AKS 1.36 GA: commercial LTS, weekly node-image patching, and auto-upgrade channels

AKS promotes Kubernetes 1.36 to GA with commercial LTS through 2028 and new weekly node-image patching and auto-upgrade channels—platform teams must automate.

Jul 12, 2026·3makskubernetes-1-36
Azure

AKS 1.36 GA: Commercial LTS, weekly node-image refreshes, and region-specific release visibility

AKS 1.36 GA adds commercial LTS through June 30, 2028 and weekly node-image refreshes. Separate Kubernetes lifecycle, image pinning and regional rollouts.

Jul 10, 2026·3makskubernetes-1.36