Azure
[Retirement] aks-disable-kubelet-serving-certificate-rotation=true will no longer be supported.
Starting on March 30, 2026 the node pool tag, aks-disable-kubelet-serving-certificate-rotation=true will no longer be supported. New node pools can be created with the node pool tag, but AKS will not respect the node pool tag. For new node pools, that means that they will be created with Kubelet Serving Certificate Rotation (KSCR) enabled, despite the node pool tag. For existing node pools, this means that KSCR will be automatically enabled on their next reimage operation.
Recommended Action:
Starting on March 30, 2026 AKS will remove support for the node pool tag, aks-disable-kubelet-serving-certificate-rotation=true. To prepare for this removal, you should:
Update their workload with the correct cert path If your workloads expect the kubelet serving certificate to be located in /etc/kuberetes/, you'll need to update so that it matches the new path: /var/lib/kubelet/pki.
If you don't follow this step, you won't be able to establish TLS with your kubelets.
Node pool tag removal (optional) Manually remove your aks-disable-kubelet-serving-certificate-rotation=true node pool tag, by updating your nodepool. This is optional, after March 30, 2026 AKS will no longer respect the node pool tag.
Upgrade or Reimage to enable KSCR After March 30, 2026, or once the node pool tag is removed, KSCR will automatically be enabled on the next reimage operation. This includes upgrades with a minimum kubernetes version of 1.27.
