Azure

AKS patches Kubernetes 1.33.2 to fix CVE-2025-4563 — Node bypass of DynamicResourceAllocation auth

AKS released patches (1.33.2 and backports) addressing CVE-2025-4563 that let nodes bypass DynamicResourceAllocation authorization. Prioritize node rollouts.

July 5, 2026·3 min read·AI researched · AI written · AI reviewed

Microsoft just shipped a critical patch that you should treat like an emergency: AKS builds for Kubernetes 1.33.2 (and backported fixes for 1.32.x, 1.31.x and 1.30.x) close CVE-2025-4563 — a bug that could let nodes bypass DynamicResourceAllocation authorization checks when the DynamicResourceAllocation feature gate and the NodeRestriction admission controller are in use.

If you run clusters with DynamicResourceAllocation enabled (device plugins, extended resource allocation flows, or custom schedulers that rely on that API surface), a compromised kubelet or malicious node could have been able to request or manipulate allocations outside the expected RBAC/authorization path. This is a control-plane trust-boundary mistake: narrow in trigger but potentially catastrophic for multi-tenant clusters or any environment where node-level compromise is a risk.

Microsoft paired the CVE patches with a handful of practical platform updates you should track now:

  • A refreshed Ubuntu 24.04-based AKS node image is available; validate and schedule node image rollouts if you standardize on Ubuntu 24.04.
  • Updated Container Insights and agent packages to improve stability during node image upgrades.
  • Updated Azure Disk CSI driver builds with bug fixes relevant to stateful workloads.

Microsoft has also flipped a notable default: the OIDC issuer is now enabled by default for new AKS clusters created on newer Kubernetes versions (1.34+ by default). That’s the right move — workload identity should be a default primitive, not an opt-in. Expect fewer ad-hoc credential hacks and simpler Entra ID integrations for add-ons that depend on cloud identity flows. But defaults change the upgrade calculus: clusters created before this change won’t switch behavior automatically, and the divergence can surprise operators who assume uniform identity behavior across their estate.

The practical implication for platform teams: treat node-pool rollouts as higher urgency than control-plane upgrades alone. Microsoft’s guidance now emphasizes more frequent node image rollouts for OS and Kubernetes security fixes, and explicitly recommends separating control-plane-only upgrades from node pool upgrades using the CLI flag to narrow your validation blast radius.

The upgrade command you’ll use when you want to move just the control plane is simple:

az aks upgrade --resource-group <rg> --name <cluster> --kubernetes-version <version> --control-plane-only

Use that to shrink your blast radius during validation windows; then schedule node pool rollouts with automation that respects AKS regional rollout timings and the release tracker.

Speaking of timing: the AKS release tracker and AKS release status information now expose regional rollout data for patched node images and add-on versions. Instead of guessing when a patched node image hits a region, you can plan maintenance windows per region and avoid either an unnecessary rush or a dangerous delay.

Opinion: Microsoft is doing the right thing by moving OIDC to the default and exposing regional rollout timing — both reduce risky human guesswork. But the other side of that coin is urgency: if your platform still treats node image updates as "whenever we have time," you’re going to be the team that gets called at 3 a.m. The cadence is accelerating; automation is no longer optional.

If you manage AKS, prioritize the 1.33.2 (and backported) builds for any cluster with DynamicResourceAllocation enabled, verify node images pick up the updated Ubuntu 24.04 node image where applicable, and use the release tracker to coordinate regional rollouts. Missing this window isn’t a minor compliance issue — it’s a live risk.

Final note: this week’s updates are more than ticky-box fixes. They signal a security-first operational posture from AKS — faster backports, more visible rollouts, and identity defaults that push teams toward safer patterns. If your platform automation can’t keep up, fix that before the next critical patch arrives.

Sources

akskubernetes-securitycve-2025-4563oidc-issuer-default
← All articles
Azure

AKS 1.36 GA: Weekly node-image refreshes, kubelet cert rotation, and LTS options

AKS 1.36 GA adds weekly node image refreshes, automated kubelet serving cert rotation, and expanded LTS — forcing teams to automate image testing and rollouts.

Jul 7, 2026·3makskubernetes-1-36
Azure

AKS: Kubernetes 1.36, Two-Year Commercial LTS, Azure CNI Overlay GA, and Day‑2 Upgrade Guidance

AKS adds Kubernetes 1.36 support and two-year commercial LTS from 1.27, Azure CNI Overlay GA, weekly node image updates, and refreshed Day‑2 upgrade guidance.

Jul 6, 2026·3makskubernetes-1.36
Azure

AKS v20260619 rollout: Azure CNI Overlay GA, Advanced Layer-7 Policies, kubelet serving cert rotation

AKS v20260619 brings Azure CNI Overlay GA, advanced Layer-7 network policies, and kubelet serving cert rotation. Update networking and patch pipelines.

Jul 4, 2026·3maksazure-cni