DataDog · mrdoggopat · Jun 27, 2025 · Jun 27, 2025 · Jun 27, 2025 · Jun 27, 2025
@@ -141,6 +141,16 @@
 
 The AKS Kubelet certificate requires changing the Kubelet host to the `spec.nodeName` and the `hostCAPath` location of the certificate, as seen in the previous snippets. This enables TLS verification. Without these changes, the Agent cannot connect to the Kubelet.
 
+However, AKS has changed how they structure their certificates relative to the [June 17th 2025 release][13], which is rolled out for East US and UK South. You can read more about this [in the Azure documentation here][14]. If your AKS cluster is located in one of the aforementioned regions and you are upgrading either:
+  - Your AKS node pool from version 1.27 or later to a newer version.
+  - The node image from `202501.12.0` to a more recent version.
+
+Make the following changes to the agent configuration:
+  - Change the `hostCAPath` to `/var/lib/kubelet/pki/kubelet-server-current.pem`.
+  - Optionally, you can remove the `spec.nodeName` configuration entirely since this new certificate path does not require changing the Kubelet host to `spec.nodeName` anymore.
+
+If you choose to upgrade and disable [Kubelet serving certificate rotation][15] then you can keep the previous configurations.
+
 ### Without TLS verification
 
 In some clusters, DNS resolution for `spec.nodeName` inside Pods does not work in AKS. This affects:
@@ -607,3 +617,6 @@
 [10]: https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
 [11]: https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-compute-classes
 [12]: https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port
+[13]: https://github.com/Azure/AKS/releases/tag/2025-06-17
+[14]: https://learn.microsoft.com/en-us/azure/aks/certificate-rotation
+[15]: https://learn.microsoft.com/en-us/azure/aks/certificate-rotation#disable-kubelet-serving-certificate-rotation