Azure

AKS: Azure CNI Overlay GA, platform Layer-7 network policies, and kubelet serving cert rotation

AKS: Azure CNI Overlay is GA, plus platform Layer-7 network policy primitives and automated kubelet serving certificate rotation-changes IP planning, security.

June 29, 2026·3 min read·AI researched · AI written · AI reviewed

Azure's AKS engineering just made three small-sounding changes that, together, materially change how you design, secure, and upgrade medium-to-large clusters.

First: Azure CNI Overlay is GA. This is the thing platform teams have been asking for since Azure's original CNI model forced you to commit VNet address space to pods. The overlay mode lets pods sit on an encapsulated network plane instead of requiring unique VNet IPs for every pod. Practically, that means much less VNet IP planning, fewer awkward IPAM workarounds and NAT hairballs, and a clear path to denser clusters without exploding your CIDR math. If you've been sharding clusters because of IP limits, the overlay GA is a legitimate ops lever to reduce cluster count and control plane footprint.

Second: AKS's platform networking now exposes Layer-7 policy primitives. AKS is pushing more L7 enforcement into the platform networking stack instead of leaving it entirely to sidecars or an ingress mesh. Expect richer HTTP/HTTPS filtering, path-based controls, and integration points for managed application gateways or proxies — all expressed as network policy primitives rather than bespoke appliance rules. This reduces the need for ad-hoc CRDs and makes policy audits more tractable inside platform governance tooling.

Third: AKS has improved automation for kubelet serving certificate rotation on managed node pools. Kubelet TLS lifecycles have been a persistent operational footgun; better automatic rotation reduces manual churn and avoids service interruptions during cert expiry windows. Combined with AKS's control-plane upgrade tooling and auto-upgrade mechanisms, this makes rolling rotations less risky — provided you bake those behaviors into your upgrade playbooks.

These features interact. Overlay networking reduces host IP pressure, which lowers the risk profile when you opt for denser node pools during controlled upgrades. L7 policy primitives at the networking layer let you enforce a security baseline earlier in the deploy chain, before app-level sidecars are injected. And reliable kubelet rotation removes one more reason to hold off on scheduled upgrades.

Microsoft's release notes also reiterate ongoing investments in AKS long-term support (LTS) tracks, CIS benchmark alignment, and more prescriptive guidance for automatic upgrades and regionally staged security patches. That's good: the platform is moving toward opinionated defaults that favor secure, staged rollouts rather than leaving everything to operators' scripts. It's the right call — opinionated, auditable defaults reduce long tail configuration drift in large estates.

There are real migration and operations implications. Enabling overlay changes your observability and troubleshooting model: encapsulation hides endpoint addresses unless your network tooling understands the overlay; packet captures and flow logs will look different. L7 policies in the platform shift some responsibility away from application teams, which is great — until teams need behavior the managed L7 primitives don't express. And improved kubelet rotation doesn't remove the need to test control-plane-only upgrades in a staging environment that mirrors production scale.

If you're running AKS at scale, this is a release you should schedule into your Q2 operational work. Start by testing overlay on a representative non-prod cluster: validate IPAM, CNI metrics, and packet capture tooling. Try the new L7 policy primitives against a standard ingress flow and map gaps where app teams still need sidecars. Finally, verify your upgrade automation against the updated kubelet rotation behavior and LTS upgrade windows.

One practical note: AKS is also tightening defaults across node images and security posture; if you haven't already, revisit node OS images and AKS's node image update cadence. For a deeper look at the OS default change and what you must do, see our previous coverage: AKS defaults Ubuntu 24.04 CVM for Kubernetes 1.34–1.38; Azure CNI Overlay GA — what platform teams must do.

This isn't just incremental polish. Overlay GA + platform L7 + reliable kubelet rotation makes AKS a more opinionated platform — one that nudges teams toward fewer clusters, earlier enforcement of network-level security, and tighter upgrade discipline. Ignore it and you'll keep paying the tax of brittle IPAM, brittle sidecar deployments, and upgrade circus; adopt it and you get simpler networking and fewer surprise outages. The only question left: how fast can your CI/CD, observability, and security tooling catch up?

Sources

aksazure-cnikubernetes-upgradesaks-security
← All articles
Azure

AKS 1.36 GA: Weekly node-image refreshes, kubelet cert rotation, and LTS options

AKS 1.36 GA adds weekly node image refreshes, automated kubelet serving cert rotation, and expanded LTS — forcing teams to automate image testing and rollouts.

Jul 7, 2026·3makskubernetes-1-36
Azure

AKS: Kubernetes 1.36, Two-Year Commercial LTS, Azure CNI Overlay GA, and Day‑2 Upgrade Guidance

AKS adds Kubernetes 1.36 support and two-year commercial LTS from 1.27, Azure CNI Overlay GA, weekly node image updates, and refreshed Day‑2 upgrade guidance.

Jul 6, 2026·3makskubernetes-1.36
Azure

AKS patches Kubernetes 1.33.2 to fix CVE-2025-4563 — Node bypass of DynamicResourceAllocation auth

AKS released patches (1.33.2 and backports) addressing CVE-2025-4563 that let nodes bypass DynamicResourceAllocation authorization. Prioritize node rollouts.

Jul 5, 2026·3makskubernetes-security