v0.20260616.0

What's Changed

Changes

• fix: use one big vnet and attach AKS clusters to it to avoid creating bastion multiple times by @awesomenix in #8646
• refactor(linux): only start secure-tls-bootstrap.service via kubelet WantedBy= by @cameronmeissner in #8632
• fix: disable APT phased updates during Ubuntu VHD build by @djsly in #8664
• feat(e2e): isolate Kubeclient rate limiters to prevent test flakes by @timmy-wright in #8677
• fix: create per cluster api server dns zone to avoid circular dependency by @awesomenix in #8673
• fix: update windows base versions for 6B by @timmy-wright in #8668
• fix(e2): e2e fixes by @timmy-wright in #8678
• fix: skip reserved CIDR while allocating subnet by @awesomenix in #8681
• fix: dont t create private zone or api server in network isolated mode by @awesomenix in #8684
• fix: add prewarm containerd to nodecontroller boothook by @lilypan26 in #8687
• chore: add runzhen, karenychen, xuexu6666 as code owners by @ganeshkumarashok in #8688
• feat(linux): emit per-step CSE timing events for GPU driver install by @ganeshkumarashok in #8679
• test(e2e): enforce rebuild-revision parity across GPU OS variants by @surajssd in #8660
• docs: instruct contributors to open PRs from the repo, not a fork by @ganeshkumarashok in #8689
• test: (scriptless) Enable scriptless phase 3 in AB e2es by @lilypan26 in #8453
• fix: if niether nbc cmd or aks node config exists, exit gracefully by @awesomenix in #8703
• fix: make e2e recoverable if there are errors during the test by @awesomenix in #8706
• fix: fix artifact arm64 params, anc hotfix to handle boothook by @awesomenix in #8710
• feat: add secondary nic count in NBC and NetworkConfig by @jumpinthefire in #8697
• fix: vhdbuilder phase 2.5 should still use nbccsecmd hack by @lilypan26 in #8712
• fix(linux): allow secondary nics to be configured on boot by @jumpinthefire in #8642
• fix(acl): bump marketplace image to 3.20260602.01 by @aadhar-agarwal in #8669
• fix(e2e): harden localdns host plugin e2es by @jingwenw15 in #8649
• fix: check if any node exists and cleanup nsg resources if in RG by @awesomenix in #8718
• fix: network isolated cluster incorrect credential provider config for soverign clouds by @fseldow in #8709
• fix: dont use hack stuff for ANC hotfix test by @awesomenix in #8723
• test(e2e): extend Azl3 and ACL GPU e2e scenarios to cover NCA10 by @miz060 in #8716
• test: add DISABLE_SCRIPTLESS variable for local e2e testing by @lilypan26 in #8729
• fix: network isolated cluster oras login should use acr auth scope by @fseldow in #8719
• test(e2e): add Test_Ubuntu2004Gen2FIPS E2E scenario by @cameronmeissner in #8737
• fix: remove hardcode MAR endpoint in ensurePodInfraContainerImage for Network isolated cluster by @fseldow in #8735
• feat: adding support for amdama (supernova) gpus release 1.5 by @mipresmsft in #8749
• chore(deps): bump github.com/containerd/containerd/v2 from 2.2.4 to 2.2.5 in /image-fetcher by @dependabot[bot] in #8751
• chore(deps): bump github.com/containerd/containerd from 1.7.32 to 1.7.33 in /vhdbuilder/lister by @dependabot[bot] in #8750
• fix: added retry handling for transient azure linux rpm repo metadata failures by @awesomenix in #8752
• chore: bump golang to 1.25.11 for cve fixes by @lilypan26 in #8756
• fix: cleanup cluster resources if aks cluster is being deleted by @awesomenix in #8769

Dependabot Updates

• chore(deps): bump actions/checkout from 6 to 7 by @dependabot[bot] in #8746
• chore(deps): update pytest requirement from <10.0,>=9.0.3 to >=9.1.1,<10.0 in /vhdbuilder/packer/test/pam by @dependabot[bot] in #8753

VHD Component Updates

• feat(linux): refactor aks-secure-tls-bootstrap-client installation to use PMC/MCR and bump to v1.1.4-1 by @cameronmeissner in #8618
• chore(deps): update windowsbase (patch) by @renovate[bot] in #8665
• chore(deps): update runc-containerd-minor to v2.3.1-ubuntu24.04u2 by @renovate[bot] in #8652
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8683
• chore(deps): update dependency trivy to v0.70.0-3.azl3 by @renovate[bot] in #8645
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8663
• feat(gpu): add NVIDIA GRID v20 driver support for RTX PRO 6000 BSE v6 SKUs by @ganeshkumarashok in #8666
• chore(deps): update dependency aquasecurity/trivy to v0.69.3 by @renovate[bot] in #8330
• chore(deps): update windowscached to v0.12.1-12 by @renovate[bot] in #8695
• feat: upgrade azurefile-csi-driver image to v1.35.4 by @andyzhangx in #8721
• chore(deps): update dependency trivy to v0.70.0-ubuntu22.04u3 by @renovate[bot] in #8693
• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8600
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8714
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8699
• chore(deps): update containernetworking/cilium-log-collector docker tag to v0.0.2 by @renovate[bot] in #8667
• chore: upgrade Azure Blob CSI driver image versions by @andyzhangx in #8724
• feat(dra): update component.json by @runzhen in #8727
• chore: add cilium 1.19 to components.json by @camrynl in #8728
• fix: revert runc to 1.4.1 for ubuntu 2004 by @zachary-bailey in #8741
• fix: resolve containerd CVEs by @zachary-bailey in #8742
• chore: bump azure-cloud-node-manager and acr-credential-provider versions by @anndono in #8754
• chore(deps): update dependency dra-driver-nvidia-gpu to v0.4.0-ubuntu24.04u2 by @renovate[bot] in #8762
• chore(deps): update windowscached (patch) by @renovate[bot] in #8757

New Contributors

• @jumpinthefire made their first contribution in #8697

Full Changelog: v0.20260608.1...v0.20260616.0

v0.20260619.0

What's Changed

Changes

• fix: use one big vnet and attach AKS clusters to it to avoid creating bastion multiple times by @awesomenix in #8646
• refactor(linux): only start secure-tls-bootstrap.service via kubelet WantedBy= by @cameronmeissner in #8632
• fix: disable APT phased updates during Ubuntu VHD build by @djsly in #8664
• feat(e2e): isolate Kubeclient rate limiters to prevent test flakes by @timmy-wright in #8677
• fix: create per cluster api server dns zone to avoid circular dependency by @awesomenix in #8673
• fix: update windows base versions for 6B by @timmy-wright in #8668
• fix(e2): e2e fixes by @timmy-wright in #8678
• fix: skip reserved CIDR while allocating subnet by @awesomenix in #8681
• fix: dont t create private zone or api server in network isolated mode by @awesomenix in #8684
• fix: add prewarm containerd to nodecontroller boothook by @lilypan26 in #8687
• chore: add runzhen, karenychen, xuexu6666 as code owners by @ganeshkumarashok in #8688
• feat(linux): emit per-step CSE timing events for GPU driver install by @ganeshkumarashok in #8679
• test(e2e): enforce rebuild-revision parity across GPU OS variants by @surajssd in #8660
• docs: instruct contributors to open PRs from the repo, not a fork by @ganeshkumarashok in #8689
• test: (scriptless) Enable scriptless phase 3 in AB e2es by @lilypan26 in #8453
• fix: if niether nbc cmd or aks node config exists, exit gracefully by @awesomenix in #8703
• fix: make e2e recoverable if there are errors during the test by @awesomenix in #8706
• fix: fix artifact arm64 params, anc hotfix to handle boothook by @awesomenix in #8710
• feat: add secondary nic count in NBC and NetworkConfig by @jumpinthefire in #8697
• fix: vhdbuilder phase 2.5 should still use nbccsecmd hack by @lilypan26 in #8712
• fix(linux): allow secondary nics to be configured on boot by @jumpinthefire in #8642
• fix(acl): bump marketplace image to 3.20260602.01 by @aadhar-agarwal in #8669
• fix(e2e): harden localdns host plugin e2es by @jingwenw15 in #8649
• fix: check if any node exists and cleanup nsg resources if in RG by @awesomenix in #8718
• fix: network isolated cluster incorrect credential provider config for soverign clouds by @fseldow in #8709
• fix: dont use hack stuff for ANC hotfix test by @awesomenix in #8723
• test(e2e): extend Azl3 and ACL GPU e2e scenarios to cover NCA10 by @miz060 in #8716
• test: add DISABLE_SCRIPTLESS variable for local e2e testing by @lilypan26 in #8729
• fix: network isolated cluster oras login should use acr auth scope by @fseldow in #8719
• test(e2e): add Test_Ubuntu2004Gen2FIPS E2E scenario by @cameronmeissner in #8737

VHD Component Updates

• feat(linux): refactor aks-secure-tls-bootstrap-client installation to use PMC/MCR and bump to v1.1.4-1 by @cameronmeissner in #8618
• chore(deps): update windowsbase (patch) by @renovate[bot] in #8665
• chore(deps): update runc-containerd-minor to v2.3.1-ubuntu24.04u2 by @renovate[bot] in #8652
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8683
• chore(deps): update dependency trivy to v0.70.0-3.azl3 by @renovate[bot] in #8645
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8663
• feat(gpu): add NVIDIA GRID v20 driver support for RTX PRO 6000 BSE v6 SKUs by @ganeshkumarashok in #8666
• chore(deps): update dependency aquasecurity/trivy to v0.69.3 by @renovate[bot] in #8330
• chore(deps): update windowscached to v0.12.1-12 by @renovate[bot] in #8695
• feat: upgrade azurefile-csi-driver image to v1.35.4 by @andyzhangx in #8721
• chore(deps): update dependency trivy to v0.70.0-ubuntu22.04u3 by @renovate[bot] in #8693
• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8600
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8714
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8699
• chore(deps): update containernetworking/cilium-log-collector docker tag to v0.0.2 by @renovate[bot] in #8667
• chore: upgrade Azure Blob CSI driver image versions by @andyzhangx in #8724
• feat(dra): update component.json by @runzhen in #8727
• chore: add cilium 1.19 to components.json by @camrynl in #8728
• fix: revert runc to 1.4.1 for ubuntu 2004 by @zachary-bailey in #8741
• fix: resolve containerd CVEs by @zachary-bailey in #8742

New Contributors

• @jumpinthefire made their first contribution in #8697

Full Changelog: v0.20260608.1...v0.20260619.0

v0.20260617.0

What's Changed

Changes

• fix: use one big vnet and attach AKS clusters to it to avoid creating bastion multiple times by @awesomenix in #8646
• refactor(linux): only start secure-tls-bootstrap.service via kubelet WantedBy= by @cameronmeissner in #8632
• fix: disable APT phased updates during Ubuntu VHD build by @djsly in #8664
• feat(e2e): isolate Kubeclient rate limiters to prevent test flakes by @timmy-wright in #8677
• fix: create per cluster api server dns zone to avoid circular dependency by @awesomenix in #8673
• fix: update windows base versions for 6B by @timmy-wright in #8668
• fix(e2): e2e fixes by @timmy-wright in #8678
• fix: skip reserved CIDR while allocating subnet by @awesomenix in #8681
• fix: dont t create private zone or api server in network isolated mode by @awesomenix in #8684
• fix: add prewarm containerd to nodecontroller boothook by @lilypan26 in #8687
• chore: add runzhen, karenychen, xuexu6666 as code owners by @ganeshkumarashok in #8688
• feat(linux): emit per-step CSE timing events for GPU driver install by @ganeshkumarashok in #8679
• test(e2e): enforce rebuild-revision parity across GPU OS variants by @surajssd in #8660
• docs: instruct contributors to open PRs from the repo, not a fork by @ganeshkumarashok in #8689
• test: (scriptless) Enable scriptless phase 3 in AB e2es by @lilypan26 in #8453
• fix: if niether nbc cmd or aks node config exists, exit gracefully by @awesomenix in #8703
• fix: make e2e recoverable if there are errors during the test by @awesomenix in #8706
• fix: fix artifact arm64 params, anc hotfix to handle boothook by @awesomenix in #8710
• feat: add secondary nic count in NBC and NetworkConfig by @jumpinthefire in #8697
• fix: vhdbuilder phase 2.5 should still use nbccsecmd hack by @lilypan26 in #8712
• fix(linux): allow secondary nics to be configured on boot by @jumpinthefire in #8642
• fix(acl): bump marketplace image to 3.20260602.01 by @aadhar-agarwal in #8669
• fix(e2e): harden localdns host plugin e2es by @jingwenw15 in #8649
• fix: check if any node exists and cleanup nsg resources if in RG by @awesomenix in #8718
• fix: network isolated cluster incorrect credential provider config for soverign clouds by @fseldow in #8709
• fix: dont use hack stuff for ANC hotfix test by @awesomenix in #8723

VHD Component Updates

• feat(linux): refactor aks-secure-tls-bootstrap-client installation to use PMC/MCR and bump to v1.1.4-1 by @cameronmeissner in #8618
• chore(deps): update windowsbase (patch) by @renovate[bot] in #8665
• chore(deps): update runc-containerd-minor to v2.3.1-ubuntu24.04u2 by @renovate[bot] in #8652
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8683
• chore(deps): update dependency trivy to v0.70.0-3.azl3 by @renovate[bot] in #8645
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8663
• feat(gpu): add NVIDIA GRID v20 driver support for RTX PRO 6000 BSE v6 SKUs by @ganeshkumarashok in #8666
• chore(deps): update dependency aquasecurity/trivy to v0.69.3 by @renovate[bot] in #8330
• chore(deps): update windowscached to v0.12.1-12 by @renovate[bot] in #8695
• feat: upgrade azurefile-csi-driver image to v1.35.4 by @andyzhangx in #8721
• chore(deps): update dependency trivy to v0.70.0-ubuntu22.04u3 by @renovate[bot] in #8693
• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8600
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8714
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8699
• chore(deps): update containernetworking/cilium-log-collector docker tag to v0.0.2 by @renovate[bot] in #8667
• chore: upgrade Azure Blob CSI driver image versions by @andyzhangx in #8724

New Contributors

• @jumpinthefire made their first contribution in #8697

Full Changelog: v0.20260608.1...v0.20260617.0

v0.20260615.0

What's Changed

Changes

• fix: use one big vnet and attach AKS clusters to it to avoid creating bastion multiple times by @awesomenix in #8646
• refactor(linux): only start secure-tls-bootstrap.service via kubelet WantedBy= by @cameronmeissner in #8632
• fix: disable APT phased updates during Ubuntu VHD build by @djsly in #8664
• feat(e2e): isolate Kubeclient rate limiters to prevent test flakes by @timmy-wright in #8677
• fix: create per cluster api server dns zone to avoid circular dependency by @awesomenix in #8673
• fix: update windows base versions for 6B by @timmy-wright in #8668
• fix(e2): e2e fixes by @timmy-wright in #8678
• fix: skip reserved CIDR while allocating subnet by @awesomenix in #8681
• fix: dont t create private zone or api server in network isolated mode by @awesomenix in #8684
• fix: add prewarm containerd to nodecontroller boothook by @lilypan26 in #8687
• chore: add runzhen, karenychen, xuexu6666 as code owners by @ganeshkumarashok in #8688
• feat(linux): emit per-step CSE timing events for GPU driver install by @ganeshkumarashok in #8679
• test(e2e): enforce rebuild-revision parity across GPU OS variants by @surajssd in #8660
• docs: instruct contributors to open PRs from the repo, not a fork by @ganeshkumarashok in #8689
• test: (scriptless) Enable scriptless phase 3 in AB e2es by @lilypan26 in #8453
• fix: if niether nbc cmd or aks node config exists, exit gracefully by @awesomenix in #8703
• fix: make e2e recoverable if there are errors during the test by @awesomenix in #8706

VHD Component Updates

• feat(linux): refactor aks-secure-tls-bootstrap-client installation to use PMC/MCR and bump to v1.1.4-1 by @cameronmeissner in #8618
• chore(deps): update windowsbase (patch) by @renovate[bot] in #8665
• chore(deps): update runc-containerd-minor to v2.3.1-ubuntu24.04u2 by @renovate[bot] in #8652
• chore(deps): update runc-containerd-ca_watcher (patch) by @renovate[bot] in #8683
• chore(deps): update dependency trivy to v0.70.0-3.azl3 by @renovate[bot] in #8645
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8663
• feat(gpu): add NVIDIA GRID v20 driver support for RTX PRO 6000 BSE v6 SKUs by @ganeshkumarashok in #8666

Full Changelog: v0.20260608.1...v0.20260615.0

v0.20260608.1

What's Changed

Changes

• feat: reduce node impact by aks-log-collector by @awesomenix in #8598
• fix(e2e): unblock Windows sysprep when VMAgentDisabler.dll load stalls by @r2k1 in #8544
• fix: limit log collection to latest 10MB for all the files by @awesomenix in #8599
• refactor: nvidia GB image build and update driver install order by @keith-ms in #8597
• fix(acl): bump marketplace to 3.20260517.01 and adapt to UKI rename by @aadhar-agarwal in #8577
• fix: in case of azure cni overlay use correct options to match RP by @awesomenix in #8609
• docs: update copilot instructions with shell script best practices by @djsly in #8482
• fix: prewarm containerd in boothook by @awesomenix in #8604
• fix: re-add few more files to nodecustomdata.yaml to allow bootstrapping azurelinuxv2 by @awesomenix in #8621
• feat: add new kubeletconfigs for node hardening by @mxj220 in #8497
• test: raise e2e cluster timeout so bastion create doesn't hit deadline by @ganeshkumarashok in #8616
• fix(e2e): strict wireserver validation — fail fast on unexpected curl exits by @r2k1 in #8580
• fix: handle idle image builder templates when retrying prefetch optimization and increase retry count by @cameronmeissner in #8623
• fix(e2e): improve infra setup reliability with retries and tolerant GC by @r2k1 in #8488
• fix(e2e): harden kube exec against apiserver SPDY hangs by @r2k1 in #8627
• chore(e2e): bump client-go to v0.36.1, Go to 1.26.4, switch pod exec to WebSocket by @r2k1 in #8628
• feat(e2e): use OR tag matching semantics with TAGS_TO_RUN when all are name filters by @cameronmeissner in #8631
• chore(e2e): remove usage of deprecated secure TLS bootstrap client deadline NBC field by @cameronmeissner in #8635
• chore: remove unprotected settings from fips 2204 e2es by @mxj220 in #8634
• fix: make Ubuntu Pro inert on 20.04/FIPS VHDs to stop phone-home (AB#38255910) by @djsly in #8638
• fix: filter apt list by CPU architecture to prevent cross-arch kubelet install failures by @djsly in #8639
• refactor: trim GPU provisioning critical path (skip redundant pull, async cleanup, defer DCGM) by @ganeshkumarashok in #8615
• fix: ensure aks-node-controller TestForwardCompatibility is not flaky by @cameronmeissner in #8644
• feat: expand sov cloud support by @cameronmeissner in #8648
• fix(vhd): remove bundled overlaybd packages after artifact streaming install by @ganeshkumarashok in #8651
• fix: widen fs.file-max sysctl from int32 to int64 by @fcher in #8640
• fix: Revert "fix: widen fs.file-max sysctl from int32 to int64 (#8640)" by @pdamianov-dev in #8658

VHD Component Updates

• chore(deps): update aks/aks-gpu-grid docker tag to v570 by @renovate[bot] in #8539
• chore(windows): bump cilium networking package to 1.7.1 for Windows 2025 by @rzlink in #8602
• chore(deps): update inspektor-gadget by @burak-ok in #8481
• chore(deps): update nvidia-dcgm (patch) by @renovate[bot] in #8354
• chore(deps): bump aks-secure-tls-bootstrap-client to v1.1.3 by @cameronmeissner in #8617
• chore: add 1.36 azure-cloud-node-manager and 1.35/1.36 acr-credential-provider entries by @anndono in #8608
• chore(deps): update ciprod to v3.4.0 by @renovate[bot] in #8548
• chore(deps): update dependency trivy by @renovate[bot] in #8550
• chore(deps): bump aks-secure-tls-bootstrap-client to v1.1.4 by @cameronmeissner in #8633
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8585
• chore(deps): bump containerdv2 to 2.2.4 for Ubuntu 2404 and AzureLinux 3.0 by @djsly in #7796

New Contributors

• @fcher made their first contribution in #8640

Full Changelog: v0.20260527.0...v0.20260608.1

v0.20260527.0

What's Changed

Changes

• chore: update Renovate configuration to limit PR and commit rates, and add new package groups by @Devinwong in #8522
• chore(linux): simplify API server outbound connection check logic by @cameronmeissner in #8523
• chore: update ACL marketplace image version to 3.20260510 by @aadhar-agarwal in #8530
• fix: fix delete cached kube binaries by @lilypan26 in #8533
• chore: clean up acl and flatcar kube binaries by @lilypan26 in #8543
• test: add FIPS provider validation to FIPS scenario tests by @Devinwong in #8502
• chore: add validator to ensure unused cached kube binaries are cleaned up by @lilypan26 in #8538
• fix: remove AzureLinux 3.0 modprobe LPE blacklist (CSE-time + VHD bake-in) — kernel 6.6.139.1-1.azl3+ fixes upstream by @djsly in #8546
• fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0 by @djsly in #8551
• fix(windows): register k8s-restart-job in NodePrep to avoid PIS bootstrap race by @r2k1 in #8535
• chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.32 in /vhdbuilder/lister by @dependabot[bot] in #8549
• chore(deps): bump github.com/containerd/containerd/v2 from 2.1.6 to 2.2.4 in /image-fetcher by @dependabot[bot] in #8547
• feat(linux): add build support for GB200/300 image series by @keith-ms in #8521
• fix(security): enable Dependabot pip updates + bump pytest to 9.0.3 (CVE-2025-71176) by @djsly in #8586
• ci: drop unused environment: test from validate-components by @r2k1 in #8579
• fix: cleanup nodecustomdata.yaml which are static paths on VHD by @awesomenix in #8587
• fix(e2e): reduce E2E test flakiness (sandbox events, duplicate CSE timing) by @r2k1 in #8480
• fix: regression in disable and stop sshd service by @awesomenix in #8596

Dependabot Updates

• chore(deps): bump github.com/onsi/gomega from 1.40.0 to 1.41.0 by @dependabot[bot] in #8531
• chore(deps): update pytest-rerunfailures requirement from <17.0,>=16.0 to >=16.3,<17.0 in /vhdbuilder/packer/test/pam by @dependabot[bot] in #8588

VHD Component Updates

• chore(deps): update cilium-ipam (patch) by @renovate[bot] in #8270
• feat: update prometheus-collector images to 7.0.0-main-05-07-2026-dbf4ae51 by @rashmichandrashekar in #8508
• fix: remove old kube-proxy images and updated cloud manager to match RP by @awesomenix in #8527
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8495
• chore(windows): bump cilium networking package to 1.7.0 for Windows 2025 by @rzlink in #8542
• chore: upgrade azurefile-csi-driver to v1.35.3, v1.34.6, v1.33.10 by @andyzhangx in #8541
• chore: remove windows annual VHD build inputs by @aboodasfari in #8540
• chore(deps): update oss/v2/kubernetes/windows-gmsa-webhook docker tag to v0.12.1-11 by @renovate[bot] in #8578
• chore: upgrade azuredisk-csi-driver to v1.33.10, v1.34.4 and blob-csi-driver to v1.26.12, v1.27.5 by @andyzhangx in #8594
• fix: update containerd versions on Ubuntu to fix CVEs by @awesomenix in #8595
• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8494

New Contributors

• @aboodasfari made their first contribution in #8540

Full Changelog: v0.20260514.0...v0.20260527.0

aks-node-controller hotfix v202605.14.1

What's Changed

Changes

• [Part 1] test: marker commit to simulate ANC hotfix cherry-pick (dry run) by @Devinwong in #8590

Full Changelog: v0.20260514.0...aks-node-controller/hotfix/v202605.14.1

ANC hotfix v202605.14.1

Hotfix for aks-node-controller on official/v20260514 (end-to-end dry run).

Built from merge commit 2916dae of PR #8590, which adds:

• AKS.AKSNodeController.HotfixBeacon GuestAgent event surfacing the running ANC version to Kusto telemetry
• slog beacon line in runProvisionCommand (journalctl + /var/log/azure/aks-node-controller.log)
• write_files marker /opt/azure/containers/anc-hotfix-dryrun-beacon.txt in nodecustomdata scriptless section

Triggers the aks-dalec pipeline to build deb/rpm packages via dalec and publish aks-node-controller_202605.14.1 to PMC (packages.microsoft.com).

After PMC publish completes, Part 2 PR will set hotfix/anc-hotfix-version.json to {"version":"202605.14.1"} so nodes provisioning on 202605.14.0 VHDs with EnableScriptlessCSECmd=true self-update to this hotfix.

v0.20260514.0

What's Changed

Changes

• feat(linux): refactor secure-tls-bootstrap.service to use default file and conditionally set AZURE_ENVIRONMENT_FILEPATH by @cameronmeissner in #8456
• fix: skip setup_golang.sh on hosts without apt-get by @aadhar-agarwal in #8462
• feat: add CoreDNS hosts plugin support for LocalDNS by @saewoni in #8165
• fix: use oras from AZL3 MCR image instead of imagecustomizer by @hbeberman in #8467
• fix: always add aks custom cloud until we do better by @awesomenix in #8468
• fix: add agentbaker tests for new code path i added by @awesomenix in #8473
• feat(e2e): add HTTPS_PROXY + private DNS test scenario by @r2k1 in #8470
• fix: use cloud-specific ARM endpoint for IMDS token in ORAS login by @charleswool in #8424
• fix: blacklist rxrpc/esp4/esp6 modules to mitigate DirtyFrag LPE by @djsly in #8475
• fix: remove description while writing out mod file by @awesomenix in #8484
• feat: add 5B non-sec regkeys by @smiezah-msft in #8483
• chore(vhdbuilder): build ACL VHDs using marketplace images by @aadhar-agarwal in #8469
• test: add coverage for removeComments CSE stripping logic by @djsly in #8489
• feat(acl): add FIPS image builds for Azure Container Linux by @hbeberman in #8463
• fix: prewarm containerd, increase timeout value for wait for containerd ready by @awesomenix in #8496
• fix: better logging when file hash compare fails by @timmy-wright in #8503

Dependabot Updates

• chore(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 by @dependabot[bot] in #8441
• chore(deps): bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #8174
• chore(deps): bump azure/cli from 2 to 3 by @dependabot[bot] in #8175
• chore(deps): bump azure/cli from 2 to 3 by @dependabot[bot] in #8457
• chore(deps): bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #8458

VHD Component Updates

• chore(deps): update kubelet-kubectl (patch) by @renovate[bot] in #8352
• chore(deps): update kube-components (patch) by @renovate[bot] in #8349
• chore(deps): update oss/v2/azure/ip-masq-agent-v2 docker tag to v0.1.16-4 by @renovate[bot] in #8100
• chore(deps): update autoscaler (patch) by @renovate[bot] in #8376
• chore(deps): update coredns (patch) by @renovate[bot] in #8377
• chore(deps): update windowsbase (patch) by @renovate[bot] in #8498
• chore(deps): bump aks-secure-tls-bootstrap-client to v1.1.2 by @cameronmeissner in #8518

New Contributors

• @charleswool made their first contribution in #8424

Full Changelog: v0.20260505.3...v0.20260514.0

v0.20260505.3

What's Changed

Changes

• test: reduce Go test timeout to 80m to stay below 90m ADO job limit by @r2k1 in #8395
• feat: implement budget timeout for apt_get_install by @Devinwong in #8379
• feat: refactor aks-node-controller to use urfave cli to manually do command line parsing, setting by @awesomenix in #8397
• fix: conslidate use of masterminds semver across the codebase by @awesomenix in #8399
• feat: add patch-only version matching for ANC hotfix download by @Devinwong in #8355
• feat: add CSE timing regression tests for all Linux VHDs (Ubuntu 22.04/24.04, Azure Linux V3) by @djsly in #8284
• feat: add GitHub Action for ANC hotfix template injection by @Devinwong in #8405
• fix: use compact JSON in ANC hotfix injection by @Devinwong in #8410
• chore: add agentbaker artifact streaming combo e2es by @mxj220 in #8332
• feat(windows): add support for configuring secure TLS bootstrap client RPC timeouts by @cameronmeissner in #8398
• chore(deps): bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 in /vhdbuilder/lister by @dependabot[bot] in #8402
• chore(deps): bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 in /image-fetcher by @dependabot[bot] in #8409
• chore: add tcpdump to AzureLinuxV3 by @hunter32292 in #8413
• chore: remove snapshot generation from copilot-instructions.md by @cameronmeissner in #8415
• test(ci): add dcgm-exporter compatibility unit test to validate-components workflow by @surajssd in #8368
• fix: exclude beta/pre-release versions for containerd in renovate config by @Devinwong in #8418
• fix: separate allowedVersions into its own packageRule by @Devinwong in #8420
• fix: always clean up /opt/cni/downloads after installNetworkPlugin by @djsly in #8429
• fix: prevent degraded secure-tls-bootstrap.service health from failing CSE by @cameronmeissner in #8432
• feat(scriptless): compare AKSNodeConfig generated cse cmd with NBC cse cmd by @lilypan26 in #8416
• fix: disable scriptless phase2 for subsets of overlapping tests by @awesomenix in #8430
• fix: disable prefetch optimization for azurecontainerlinux since it break first time boot by @awesomenix in #8436
• fix: mitigate CVE-2026-31431 (Copy Fail) algif_aead LPE on Ubuntu and AzureLinux by @djsly in #8437
• fix: replace apt-mark with dpkg equivalents to avoid slow apt initialization by @djsly in #8421
• fix: dont run scriptless phase2 if preprovision is turned on by @awesomenix in #8440
• fix: update AzureContainerLinux image reference by @aadhar-agarwal in #8446
• test(e2e): add ANC hotfix binary selection E2E test by @Devinwong in #8423
• fix: adjusting windows container image json url logic to reach build scripts by @smiezah-msft in #8422
• fix: reduce Windows SIG cleanup retention to 7d and remove name filters by @r2k1 in #8435
• fix: start aks-node-controller service after ssh service by @awesomenix in #8449
• fix: auto create PRs for minor ciprod versions by @timmy-wright in #8445
• fix: add ACL-specific butane config with first-boot service workaround by @aadhar-agarwal in #8447
• test: make Windows log extraction best-effort in cleanup by @r2k1 in #8433
• fix: remove description while writing out mod file by @awesomenix in #8485

Dependabot Updates

• chore(deps): bump github.com/onsi/gomega from 1.39.1 to 1.40.0 by @dependabot[bot] in #8428

VHD Component Updates

• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8293
• chore(deps): update dependency moby-containerd to v1.7.31-ubuntu20.04u1 by @renovate[bot] in #8382
• feat: install aznfs package on AzureLinux 3.0 by @andyzhangx in #8085
• chore(deps): update dependency containerd2 to v2.1.6-2.azl3 by @renovate[bot] in #8431
• chore(deps): bump aks-secure-tls-bootstrap-client to v1.1.1 by @cameronmeissner in #8438
• chore(deps): update nvidia-device-plugin (patch) by @renovate[bot] in #8427
• fix: update inspektor gadget v0.51.0 compatibility by @burak-ok in #8396
• chore(deps): update azuremonitor/containerinsights/ciprod docker tag to v3.3.0 by @renovate[bot] in #8451
• Revert "chore(deps): update dependency moby-containerd to v1.7.31-ubuntu20.04u1 (#8382)" by @Devinwong in #8455

New Contributors

• @burak-ok made their first contribution in #8396

Full Changelog: v0.20260424.0...v0.20260505.3