Agent Pool Upgrade Failures Prevent Security Patching on Two Clusters

Question

Agent Pool Upgrade Failures Prevent Security Patching on Two Clusters

Claudia Nobrega 20

We’re experiencing issues on two of our clusters related to applying security patches. Attempts to upgrade the agent pool node image version are currently failing, which prevents us from keeping the underlying nodes fully up to date with the latest security updates.
This needs to be addressed to avoid running on unsupported or unpatched infrastructure.

User's image

Ankit Yadav 14,455 Reputation points Microsoft External Staff Moderator

2026-01-26T19:38:49.65+00:00
Hey @Claudia Nobrega

Since the node image upgrade is failing on both clusters and blocking the application of security patches, the next step is to understand what is preventing the upgrade from completing. Before we attempt any changes, let's try to investigate the issue to identify the underlying cause.

Below are the common reasons node image upgrades fail, along with simple validation checks to help narrow it down.

Possible Reasons the Upgrade Is Blocked

Pod Disruption Budgets (PDBs) Blocking Node Drain
Run:-

kubectl get pdb --all-namespaces

Check for:

Allowed Disruptions = 0 for any PDB

The PDB is tied to workloads running on the nodepool being upgraded

Stuck or Non‑Evictable Pods
Run:

kubectl get pods -A -o wide

Look for:

Pods in Terminating or Unknown state

Pods stuck with a deletionTimestamp

Pods on the node being upgraded showing eviction‑related warnings

Do check the node events, using below command:-

kubectl describe node <node-name>

Look for:

MemoryPressure

DiskPressure

NetworkUnavailable

Repeated kubelet or CNI errors

Azure Compute Quota Limitations;
Run:

az vm list-usage --location <region> -o table

Check if:

vCPUs are near the limit

The VM SKU family used by the nodepool (e.g., Dv5/Ev5) is at 100%

Nodepool Already in a Failed or Updating State

az aks nodepool show \ --resource-group <rg> \ --cluster-name <cluster> \ --name <nodepool> \ --query "provisioningState"

Check: Exact provisioning status of the nodepool.

5.Ongoing or Pending Operations in the Background

#cluster state az aks show --resource-group <rg> --name <cluster> --query "provisioningState" # nodepool state az aks nodepool show <args> --query "nodeImageVersion"

Once you share the results of the above checks, we can identify exactly what is blocking the node‑image upgrade and advise the correct fix for the same.

Answer accepted by question author

0 additional answers

Your answer

Ankit Yadav 14,455 Reputation points Microsoft External Staff Moderator

2026-01-26T19:38:49.65+00:00

Hey @Claudia Nobrega

Since the node image upgrade is failing on both clusters and blocking the application of security patches, the next step is to understand what is preventing the upgrade from completing. Before we attempt any changes, let's try to investigate the issue to identify the underlying cause.

Below are the common reasons node image upgrades fail, along with simple validation checks to help narrow it down.

Possible Reasons the Upgrade Is Blocked

Pod Disruption Budgets (PDBs) Blocking Node Drain
Run:-

kubectl get pdb --all-namespaces

Check for:

Allowed Disruptions = 0 for any PDB

The PDB is tied to workloads running on the nodepool being upgraded

Stuck or Non‑Evictable Pods
Run:

kubectl get pods -A -o wide

Look for:

Pods in Terminating or Unknown state

Pods stuck with a deletionTimestamp

Pods on the node being upgraded showing eviction‑related warnings

Do check the node events, using below command:-

kubectl describe node <node-name>

Look for:

MemoryPressure

DiskPressure

NetworkUnavailable

Repeated kubelet or CNI errors

Azure Compute Quota Limitations;
Run:

az vm list-usage --location <region> -o table

Check if:

vCPUs are near the limit

The VM SKU family used by the nodepool (e.g., Dv5/Ev5) is at 100%

Nodepool Already in a Failed or Updating State

az aks nodepool show \ --resource-group <rg> \ --cluster-name <cluster> \ --name <nodepool> \ --query "provisioningState"

Check: Exact provisioning status of the nodepool.

5.Ongoing or Pending Operations in the Background

#cluster state az aks show --resource-group <rg> --name <cluster> --query "provisioningState" # nodepool state az aks nodepool show <args> --query "nodeImageVersion"

Once you share the results of the above checks, we can identify exactly what is blocking the node‑image upgrade and advise the correct fix for the same.

Answer 1

Hello @Claudia Nobrega

Thanks for sharing the output for the commands asked earlier.

Based on the output we can confirm the AKS cluster and the agent pool are healthy and fully updated, with all nodes running image AKSUbuntu-2204gen2containerd-202601.13.0 and both the cluster and node pool in Succeeded provisioning state.

Unfortunately, we do not have logs or outputs captured at the exact time when the upgrade originally reported a Failed status, so it is not possible to determine a definitive root cause in retrospect.

If a similar issue occurs in future, please collect and share the outputs of

kubectl get pdb --all-namespaces, kubectl get pods -A -o wide, and kubectl describe node <node-name> (for the affected node pool), along with the full az aks upgrade or az aks nodepool upgrade command and error message, so that we can perform a targeted root cause analysis at that time.

Share via

Agent Pool Upgrade Failures Prevent Security Patching on Two Clusters

0 additional answers

Your answer