v1.36.0

Cloud Provider Azure v1.36.0

Full Changelog: v1.35.0..v1.36.0

Changes by Kind

Feature

  • ACR credential provider now supports KSA-based authentication with identity bindings. Configure via: --ib-sni-name, --ib-apiserver-ip, --ib-default-client-id, --ib-default-tenant-id. (#9907, @qweeah)
  • feat: implement tagsList-based Interconnect Group ID retrieval from IMDS (#9999, @anndono)
  • feat: add shared agent skills and manual release workflow (#10070, @nilo19)
  • Add cherry-pick-pr shared skill (#10089, @nilo19)
  • The build system now auto-detects and supports podman as the container CLI. When podman is available it is used for image build, push, and manifest operations. Set CONTAINER_CLI=docker to force docker usage. (#10108, @nilo19)
  • feat: add fix-image-cves shared skill for Trivy-based CVE remediation (#10124, @nilo19)
  • Support config-gated in-place mutation of FirstPartyUsage IP tags on existing public IPs via enableIPTagMutationForExistingPublicIP config flag, avoiding unnecessary IP address changes and service disruption when the service.beta.kubernetes.io/azure-pip-ip-tags annotation changes. (#10133, @nilo19)
  • feat: add run-e2e-test shared skill for interactive e2e test replay (#10143, @nilo19)
  • feat: support AllowCrossTenantReplication in AccountOptions (#10148, @andyzhangx)
  • feat: support separate resource group for private DNS zone (#10189, @andyzhangx)

Bug or Regression

  • fix: network isolated clusters should always use managed identity credential (#9841, @norshtein)
  • fix(multi-slb): support IP sharing across multiple services

    When a service specifies an IP address that already exists on a load balancer, the service is now placed on that load balancer instead of picking one with the fewest rules, provided the service is eligible for that load balancer. The load balancer configuration annotation cannot be combined with an IP specification. Migration to a different load balancer is blocked if the frontend IP is still referenced by other resources.

    Switching internal/external issues (10050 and 10117) will be fixed in another change. (#9937, @Liunardy)

  • chore: bump acr refresh token cache TTL to avoid acr throttling issue (#9974, @mainred)
  • fix: PrivateEndpointNetworkPolicies setting issue (#9980, @andyzhangx)
  • fix: support GOEXPERIMENT build arg in Dockerfiles for manual testing (#10084, @nilo19)
  • fix: bump otel/sdk and grpc to address CVE-2026-24051, CVE-2026-33186 (#10132, @nilo19)
  • fix: set GOTOOLCHAIN=local in fix-image-cves skill to match CI (#10158, @nilo19)
  • fix: route standalone VM providerID/ipConfigID to availability set handler instead of unconditionally assuming VMSS when DisableAvailabilitySetNodes is true (#10194, @andyzhangx)
  • fix(multi-slb): support switching internal/external when IP sharing across multiple services

    Correctly clean up stale rules and probes when services sharing a frontend IP switch between external and internal in multi-SLB mode. (#10211, @Liunardy)

  • fix: add isSmbOAuthEnabledEqual check to storage account matching (#10227, @andyzhangx)
  • [release-1.36] fix: add .go-version generation to vendor license scripts (#10306, @anndono)
  • fix(multi-slb): support switching internal/external when IP sharing across multiple services

    Correctly clean up stale rules and probes when services sharing a frontend IP switch between external and internal in multi-SLB mode. (#10329, @Liunardy)

Cleanup

  • build(deps): bump sigs.k8s.io/controller-tools from 0.19.0 to 0.20.0 in /pkg/azclient/client-gen in the all group (#9783, @dependabot[bot])
  • chore: bump azclient to v0.14.3 and armcompute v6 -> v7 (#9887, @tony-schndr)
  • chore: remove redundant function name prefixes from log messages (#9910, @anndono)
  • fix: Remove GOTOOLCHAIN=auto to unblock dalec build (#9930, @nilo19)
  • build(deps): bump oss/go/microsoft/golang from 1.24.12-bookworm to 1.24.13-bookworm in the all group (#9938, @dependabot[bot])
  • build(deps): bump the all group in /pkg/azclient/configloader with 2 updates (#9941, @dependabot[bot])
  • build(deps): bump the all group in /pkg/azclient/trace with 3 updates (#9943, @dependabot[bot])
  • build(deps): bump the all group across 1 directory with 7 updates (#9951, @dependabot[bot])
  • build(deps): bump the all group in /pkg/azclient/configloader with 3 updates (#9960, @dependabot[bot])
  • build(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient from 0.14.4 to 0.14.5 in /pkg/azclient/trace in the all group (#9961, @dependabot[bot])
  • build(deps): bump k8s.io/client-go from 0.35.0 to 0.35.1 in /pkg/azclient/cache in the all group (#9964, @dependabot[bot])
  • build(deps): bump the all group in /pkg/azclient/configloader with 3 updates (#9989, @dependabot[bot])
  • build(deps): bump k8s.io/client-go from 0.35.1 to 0.35.2 in /pkg/azclient/cache in the all group (#9992, @dependabot[bot])
  • doc: rename agents.md to AGENTS.md (#10002, @nilo19)
  • chore: enable dependabot for release-1.35 (#10020, @nilo19)
  • build(deps): bump the all group in /pkg/azclient/trace with 3 updates (#10023, @dependabot[bot])
  • build(deps): bump the all group across 1 directory with 3 updates (#10024, @dependabot[bot])
  • build(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient from 0.14.6 to 0.15.0 in /pkg/azclient/trace in the all group (#10039, @dependabot[bot])
  • build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 in /pkg/azclient/cache in the all group (#10041, @dependabot[bot])
  • chore: update Helm chart for v1.35.1 (#10049, @mboersma)
  • Update Azure SDK version and API version in virtual network client tests (#10053, @georgeedward2000)
  • build(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient from 0.15.0 to 0.15.2 in /pkg/azclient/trace in the all group (#10056, @dependabot[bot])
  • chore: fix trivy-action version comment from master to v0.35.0 (#10071, @andyzhangx)
  • build(deps): bump the all group in /pkg/azclient/configloader with 3 updates (#10074, @dependabot[bot])
  • build(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient from 0.15.2 to 0.15.3 in /pkg/azclient/trace in the all group (#10075, @dependabot[bot])
  • build(deps): bump k8s.io/client-go from 0.35.2 to 0.35.3 in /pkg/azclient/cache in the all group (#10077, @dependabot[bot])
  • refactor: move release draft creation into release skill (#10102, @nilo19)
  • fix: make release tag creation parallel-safe and restore branch after docs PR (#10131, @nilo19)
  • chore: remove deprecated rand.Seed (#10142, @YurDuiachenko)
  • build(deps): bump the all group in /pkg/azclient/trace with 2 updates (#10151, @dependabot[bot])
  • chore: enable IP tag mutation in e2e cloud config (#10163, @nilo19)
  • build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#10165, @dependabot[bot])
  • build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in /tests (#10166, @dependabot[bot])
  • chore: update Helm chart for v1.35.3 (#10167, @mboersma)
  • build(deps): bump oss/go/microsoft/golang from 1.25.8-bookworm to 1.25.9-bookworm in the all group (#10178, @dependabot[bot])
  • build(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient from 0.15.3 to 0.16.0 in /pkg/azclient/trace in the all group (#10180, @dependabot[bot])
  • chore: pin labeler GitHub Action to full-length commit SHAs (#10192, @Liunardy)
  • build(deps): bump oss/go/microsoft/golang from ac63f43 to 8fe67ba (#10195, @dependabot[bot])
  • build(deps): bump the all group across 1 directory with 4 updates (#10198, @dependabot[bot])
  • build(deps): bump the all group in /pkg/azclient/trace with 2 updates (#10199, @dependabot[bot])
  • build(deps): bump the all group in /pkg/azclient/cache with 2 updates (#10202, @dependabot[bot])
  • build(deps): bump the all group across 1 directory with 8 updates (#10210, @dependabot[bot])
  • chore(dependabot): remove 1.32 jobs (#10215, @Liunardy)
  • build(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient from 0.17.0 to 0.18.0 in /pkg/azclient/trace in the all group (#10216, @dependabot[bot])
  • build(deps): bump oss/go/microsoft/golang from 8fe67ba to 40d08f7 (#10228, @dependabot[bot])
  • build(deps): bump k8s.io/component-base from 0.35.4 to 0.36.0 in /health-probe-proxy in the all group across 1 directory (#10233, @dependabot[bot])
  • build(deps): bump k8s.io/client-go from 0.35.4 to 0.36.0 in /pkg/azclient/cache in the all group across 1 directory (#10234, @dependabot[bot])
  • build(deps): bump the all group in /tests with 9 updates (#10251, @dependabot[bot])
  • build(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient from 0.18.0 to 0.20.0 in /pkg/azclient/trace in the all group across 1 directory (#10255, @dependabot[bot])
  • build(deps): bump the all group across 1 directory with 4 updates (#10256, @dependabot[bot])
  • chore: bump dependencies against k/k release-1.36 (#10266, @anndono)
  • build(deps): bump the all group in /tests with 2 updates (#10267, @dependabot[bot])
  • test: add CALICO_VERSION substitution to linux-vmss CI manifests (#10268, @nilo19)
  • test: add CALICO_VERSION substitution to linux-vmss-ci-version manifest (#10269, @nilo19)
  • [release-1.36] chore: update vendor licenses (#10295, @anndono)
  • [release-1.36] cleanup: remove unused load balancer production paths (#10310, @k8s-infra-cherrypick-robot)

Documentation

Failing Test

Uncategorized

Dependencies

Added

  • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v7: v7.3.0
  • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v9: v9.0.0
  • github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: v1.1.0
  • github.com/grpc-ecosystem/go-grpc-middleware/v2: v2.3.3
  • k8s.io/streaming: v0.36.0

Changed

  • cel.dev/expr: v0.24.0 → v0.25.1
  • github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.20.0 → v1.21.1
  • github.com/Azure/azure-sdk-for-go/sdk/internal: v1.11.2 → v1.12.0
  • github.com/coreos/go-systemd/v22: v22.6.0 → v22.7.0
  • github.com/grpc-ecosystem/grpc-gateway/v2: v2.27.2 → v2.27.7
  • github.com/prometheus/common: v0.67.4 → v0.67.5
  • go.etcd.io/etcd/api/v3: v3.6.5 → v3.6.8
  • go.etcd.io/etcd/client/pkg/v3: v3.6.5 → v3.6.8
  • go.etcd.io/etcd/client/v3: v3.6.5 → v3.6.8
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.62.0 → v0.65.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.62.0 → v0.65.0
  • go.opentelemetry.io/otel: v1.39.0 → v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.37.0 → v1.40.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.37.0 → v1.40.0
  • go.opentelemetry.io/otel/metric: v1.39.0 → v1.43.0
  • go.opentelemetry.io/otel/sdk: v1.39.0 → v1.43.0
  • go.opentelemetry.io/otel/sdk/metric: v1.39.0 → v1.43.0
  • go.opentelemetry.io/otel/trace: v1.39.0 → v1.43.0
  • go.opentelemetry.io/proto/otlp: v1.7.1 → v1.9.0
  • go.uber.org/zap: v1.27.0 → v1.27.1
  • golang.org/x/crypto: v0.46.0 → v0.50.0
  • golang.org/x/exp: v0.0.0-20250911091902-df9299821621 → v0.0.0-20251219203646-944ab1f22d93
  • golang.org/x/net: v0.48.0 → v0.53.0
  • golang.org/x/oauth2: v0.32.0 → v0.34.0
  • golang.org/x/sync: v0.19.0 → v0.20.0
  • golang.org/x/sys: v0.39.0 → v0.43.0
  • golang.org/x/term: v0.38.0 → v0.42.0
  • golang.org/x/text: v0.32.0 → v0.36.0
  • golang.org/x/time: v0.14.0 → v0.15.0
  • google.golang.org/genproto/googleapis/api: v0.0.0-20250826171959-ef028d996bc1 → v0.0.0-20260128011058-8636f8732409
  • google.golang.org/genproto/googleapis/rpc: v0.0.0-20250826171959-ef028d996bc1 → v0.0.0-20260128011058-8636f8732409
  • google.golang.org/grpc: v1.75.0 → v1.79.3
  • google.golang.org/protobuf: v1.36.10 → v1.36.12-0.20260120151049-f2248ac996af
  • k8s.io/api: v0.35.0 → v0.36.0
  • k8s.io/apimachinery: v0.35.0 → v0.36.0
  • k8s.io/apiserver: v0.35.0 → v0.36.0
  • k8s.io/client-go: v0.35.0 → v0.36.0
  • k8s.io/cloud-provider: v0.35.0 → v0.36.0
  • k8s.io/component-base: v0.35.0 → v0.36.0
  • k8s.io/component-helpers: v0.35.0 → v0.36.0
  • k8s.io/controller-manager: v0.35.0 → v0.36.0
  • k8s.io/klog/v2: v2.130.1 → v2.140.0
  • k8s.io/kms: v0.35.0 → v0.36.0
  • k8s.io/kube-openapi: v0.0.0-20250910181357-589584f1c912 → v0.0.0-20260317180543-43fb72c5454a
  • k8s.io/kubelet: v0.35.0 → v0.36.0
  • k8s.io/utils: v0.0.0-20251002143259-bc988d571ff4 → v0.0.0-20260210185600-b8788abfbbc2
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.33.0 → v0.34.0
  • sigs.k8s.io/cloud-provider-azure/pkg/azclient: v0.13.0 → v0.18.0
  • sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

Removed

  • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6: v6.4.0
  • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6: v6.2.0
  • github.com/google/btree: v1.1.3
  • github.com/google/go-cmp: v0.7.0
  • github.com/grpc-ecosystem/go-grpc-prometheus: v1.2.0

New Contributors