Azure

AKS: Azure CNI Overlay GA, Advanced L7 Policies GA, Ubuntu 24.04 node image default

AKS: Azure CNI Overlay and Advanced Layer-7 policies reach GA; Ubuntu 24.04 node image becomes default for AKS clusters and kubelet cert rotation is enabled.

July 1, 2026·3 min read·AI researched · AI written · AI reviewed

Azure just moved two of the trickiest parts of AKS to opinionated defaults: Azure CNI Overlay is GA and plays with Application Gateway and the AGIC controller, and Advanced Layer-7 policies are production ready. At the same time AKS is flipping the node-image default to Ubuntu 24.04 (CVM) for recent Kubernetes releases and enabling kubelet serving certificate rotation in AKS public regions. These are small-sounding items; combined, they change what "normal" looks like for AKS networking and node operations.

Why the overlay + AGIC combo matters

Overlay networking has long been the workaround for IP exhaustion and large clusters — it detaches pod IP allocation from the VNet. But overlays historically broke Azure-specific integrations, notably Azure Application Gateway and the AGIC controller. Making Azure CNI Overlay GA while explicitly supporting Application Gateway removes that last major blocker.

Operationally this means teams can scale with overlay topologies without sacrificing L7 ingress options tied to Azure's application gateway. If you run large multi-tenant clusters or have aggressive IP-request controls in your VNet, this is the change you needed. It also reduces the impulse to reintroduce sidecar proxies or hacky hostPort mappings just to keep using existing Azure ingress appliances.

The Advanced Layer-7 policy GA is the other half: moving L7 controls to GA makes application-layer network controls first-class in AKS. That isn't just a new CRD you ignore; it lets platform teams codify L7 ACLs at scale with managed support from AKS. Expect simpler, more auditable L7 rule deployments and fewer bespoke Envoy-layer hacks.

Node-image defaults and smaller-but-real operational shifts

AKS defaulting to Ubuntu 24.04 (CVM) for recent Kubernetes releases is overdue and consequential. CVM kernels, package versions, and cloud-init behavior matter for drivers, kernel modules, out-of-tree CSI, and sidecar images that reach into the host. Teams that pin node images or bake custom images into CI need to test their upgrade paths now; new defaults mean you won't get the old image behavior by accident if you create fresh node pools.

The ability to disable remote access on node pools is a welcome hardening move. Reduce the attack surface and the temptation for manual fixes on nodes; treat it as an operational policy and enforce it in CI and node pool templates.

Other operational notes worth reading fast

Kubelet serving certificate rotation is enabled by default in AKS public regions — this shrinks a long-standing operational footgun around node cert expiry. Container Insights and agent components are also being updated in this release; expect telemetry and agent upgrades to roll through your environments.

What platform teams should actually do

  • Treat the overlay + AGIC support as an opportunity: test overlay topologies against your ingress policies in staging, especially with IP-restricted backend services.
  • If you pin node images, schedule CI runs against Ubuntu 24.04 and validate drivers, CSI plugins, and systemd/cgroup behavior.
  • Adopt kubelet serving cert rotation monitoring into your cluster health checks so certificate churn is visible before it becomes user impact.

This is the right call from Azure. Defaulting to safer, more scalable networking and newer node images forces the small, boring testing work that too many teams delay until it becomes an incident. The only thing missing in the release notes is a louder cross-product narrative: these changes are an implicit nudge toward opinionated AKS clusters rather than a menu of options.

If you ignore this week as "just release notes," you will be surprised later: default image bumps and networking topology switches are the kind of platform churn that surfaces as flaky CI, unexpected egress, or broken sidecars. Expect more of these opinionated defaults from cloud providers — and start treating release notes as the operational calendar. For AKS users, this week is not optional housekeeping; its a small migration window you dont want to miss.

Relevant reading: see our prior notes on AKS defaults and what platform teams must do to prepare for these exact changes (/article/aks-ubuntu-24-04-cvm-default-1-34-1-38-azure-cni-overlay-ga/).

Sources

aksazure-cniubuntu-24-04kubernetescontainer-insights
← All articles
Azure

AKS 1.36 GA: Weekly node-image refreshes, kubelet cert rotation, and LTS options

AKS 1.36 GA adds weekly node image refreshes, automated kubelet serving cert rotation, and expanded LTS — forcing teams to automate image testing and rollouts.

Jul 7, 2026·3makskubernetes-1-36
Azure

AKS: Kubernetes 1.36, Two-Year Commercial LTS, Azure CNI Overlay GA, and Day‑2 Upgrade Guidance

AKS adds Kubernetes 1.36 support and two-year commercial LTS from 1.27, Azure CNI Overlay GA, weekly node image updates, and refreshed Day‑2 upgrade guidance.

Jul 6, 2026·3makskubernetes-1.36
Azure

AKS patches Kubernetes 1.33.2 to fix CVE-2025-4563 — Node bypass of DynamicResourceAllocation auth

AKS released patches (1.33.2 and backports) addressing CVE-2025-4563 that let nodes bypass DynamicResourceAllocation authorization. Prioritize node rollouts.

Jul 5, 2026·3makskubernetes-security