Azure · hbeberman · May 11, 2026 · May 5, 2026 · May 6, 2026 · May 11, 2026
@@ -141,6 +141,14 @@ parameters:
     displayName: Build Azure Container Linux ARM64 TL Gen2
     type: boolean
     default: true
+  - name: buildaclfipstlgen2
+    displayName: Build Azure Container Linux FIPS TL Gen2
+    type: boolean
+    default: true
+  - name: buildaclarm64fipstlgen2
+    displayName: Build Azure Container Linux ARM64 FIPS TL Gen2
+    type: boolean
+    default: true
 
 variables:
   - name: MODE
@@ -904,6 +912,56 @@ stages:
               useOverrides: ${{ parameters.useOverrides }}
               overrideBranch: ${{ parameters.overrideBranch }}
               artifactName: acl-arm64-tl-gen2
+      - job: buildaclfipstlgen2
+        condition: eq('${{ parameters.buildaclfipstlgen2 }}', true)
+        dependsOn: [ ]
+        timeoutInMinutes: 360
+        steps:
+          - bash: |
+              echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+              echo '##vso[task.setvariable variable=OS_VERSION]acl'
+              echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+              echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+              echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
+              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+              echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+              echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
+              echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+              echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64'
+              echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+              echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+              echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+            displayName: Setup Build Variables
+          - template: ./templates/.builder-release-template.yaml
+            parameters:
+              useOverrides: ${{ parameters.useOverrides }}
+              overrideBranch: ${{ parameters.overrideBranch }}
+              artifactName: acl-fips-tl-gen2
+      - job: buildaclarm64fipstlgen2
+        condition: eq('${{ parameters.buildaclarm64fipstlgen2 }}', true)
+        dependsOn: [ ]
+        timeoutInMinutes: 360
+        steps:
+          - bash: |
+              echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+              echo '##vso[task.setvariable variable=OS_VERSION]acl'
+              echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+              echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+              echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
+              echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+              echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+              echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
+              echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+              echo '##vso[task.setvariable variable=ARCHITECTURE]ARM64'
+              echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+              echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+              echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+            displayName: Setup Build Variables
+          - template: ./templates/.builder-release-template.yaml
+            parameters:
+              useOverrides: ${{ parameters.useOverrides }}
+              overrideBranch: ${{ parameters.overrideBranch }}
+              artifactName: acl-arm64-fips-tl-gen2
       - job: build2404arm64gb200gen2containerd
         condition: eq('${{ parameters.build2404arm64gb200gen2containerd }}', true)
         dependsOn: [ ]

@@ -247,6 +247,50 @@ stages:
           parameters:
             artifactName: acl-arm64-tl-gen2
 
+    - job: buildaclfipstlgen2
+      timeoutInMinutes: 360
+      steps:
+        - bash: |
+            echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+            echo '##vso[task.setvariable variable=OS_VERSION]acl'
+            echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+            echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+            echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
+            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+            echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+            echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
+            echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+            echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64'
+            echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+            echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+            echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+          displayName: Setup Build Variables
+        - template: ./templates/.builder-release-template.yaml
+          parameters:
+            artifactName: acl-fips-tl-gen2
+
+    - job: buildaclarm64fipstlgen2
+      timeoutInMinutes: 360
+      steps:
+        - bash: |
+            echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+            echo '##vso[task.setvariable variable=OS_VERSION]acl'
+            echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+            echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+            echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
+            echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+            echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+            echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
+            echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+            echo '##vso[task.setvariable variable=ARCHITECTURE]ARM64'
+            echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+            echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+            echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+          displayName: Setup Build Variables
+        - template: ./templates/.builder-release-template.yaml
+          parameters:
+            artifactName: acl-arm64-fips-tl-gen2
+
   - stage: e2e
     dependsOn: build
     condition: and(succeeded(), ne(variables.SKIP_E2E_TESTS, 'true'))

@@ -238,6 +238,32 @@ var (
 		OSDiskSizeGB: 60,
 	}
 
+	VHDACLGen2FIPSTL = &Image{
+		Name:                "aclgen2fipsTL",
+		OS:                  OSACL,
+		Arch:                "amd64",
+		Distro:              datamodel.AKSACLGen2FIPSTL,
+		Gallery:             imageGalleryLinux,
+		Flatcar:             true,
+		OSDiskSizeGB:        60,
+		UnsupportedLocalDns: true,
+		// Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+		UnsupportedSecureTLSBootstrapping: true,
+	}
+
+	VHDACLArm64Gen2FIPSTL = &Image{
+		Name:                "aclgen2arm64fipsTL",
+		OS:                  OSACL,
+		Arch:                "arm64",
+		Distro:              datamodel.AKSACLArm64Gen2FIPSTL,
+		Gallery:             imageGalleryLinux,
+		Flatcar:             true,
+		OSDiskSizeGB:        60,
+		UnsupportedLocalDns: true,
+		// Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+		UnsupportedSecureTLSBootstrapping: true,
+	}
+
 	VHDWindows2022Containerd = &Image{
 		Name:            "windows-2022-containerd",
 		OS:              "windows",

@@ -243,6 +243,28 @@ func Test_ACL_ARM64(t *testing.T) {
 	})
 }
 
+func Test_ACLGen2FIPSTL(t *testing.T) {
+	RunScenario(t, &Scenario{
+		Description: "Tests that a node using the ACL FIPS TrustedLaunch Gen2 VHD can be properly bootstrapped and FIPS is active at runtime",
+		Config: Config{
+			Cluster: ClusterKubenet,
+			VHD:     config.VHDACLGen2FIPSTL,
+			BootstrapConfigMutator: func(_ *Cluster, nbc *datamodel.NodeBootstrappingConfiguration) {
+				// LocalDNS isn't currently supported on FIPS-enabled VHDs; mirror Test_AzureLinux3OSGuard.
+				nbc.AgentPoolProfile.LocalDNSProfile = nil
+			},
+			VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+				vmss.Properties = addTrustedLaunchToVMSS(vmss.Properties)
+			},
+			Validator: func(ctx context.Context, s *Scenario) {
+				ValidateFileHasContent(ctx, s, "/etc/os-release", "ID=azurelinux")
+				ValidateFileHasContent(ctx, s, "/etc/os-release", "VARIANT_ID=azurecontainerlinux")
+				ValidateACLFIPSEnabled(ctx, s)
+			},
+		},
+	})
+}
+
 func Test_ACL_Scriptless(t *testing.T) {
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using ACL and the self-contained installer can be properly bootstrapped",

@@ -486,6 +486,18 @@ func ValidateFileExists(ctx context.Context, s *Scenario, fileName string) {
 	}
 }
 
+func ValidateACLFIPSEnabled(ctx context.Context, s *Scenario) {
+	s.T.Helper()
+	ValidateFileExists(ctx, s, "/etc/system-fips")
+	execScriptOnVMForScenarioValidateExitCode(
+		ctx,
+		s,
+		`test "$(cat /proc/sys/crypto/fips_enabled)" = "1"`,
+		0,
+		"expected /proc/sys/crypto/fips_enabled to be 1",
+	)
+}
+
 func ValidateFileDoesNotExist(ctx context.Context, s *Scenario, fileName string) {
 	s.T.Helper()
 	if fileExist(ctx, s, fileName) {
@@ -2788,7 +2800,7 @@ func ValidateCollectWindowsLogsScript(ctx context.Context, s *Scenario) {
 func ValidateVulnerableKernelModulesDisabled(ctx context.Context, s *Scenario) {
 	s.T.Helper()
 
-	if s.VHD.Flatcar {
+	if s.VHD.Flatcar && s.VHD.OS != config.OSACL {
 		s.T.Log("Skipping vulnerable kernel module validation: not applicable for Flatcar")
 		return
 	}

@@ -365,6 +365,8 @@ var _ = Describe("AgentBaker API implementation tests", func() {
 			aclDistros = []datamodel.Distro{
 				datamodel.AKSACLGen2TL,
 				datamodel.AKSACLArm64Gen2TL,
+				datamodel.AKSACLGen2FIPSTL,
+				datamodel.AKSACLArm64Gen2FIPSTL,
 			}
 
 			allLinuxDistros = append(allLinuxDistros, ubuntuDistros...)

@@ -119,6 +119,8 @@ var AvailableContainerdDistros = []Distro{
 	AKSFlatcarArm64Gen2,
 	AKSACLGen2TL,
 	AKSACLArm64Gen2TL,
+	AKSACLGen2FIPSTL,
+	AKSACLArm64Gen2FIPSTL,
 	AKSCBLMarinerV1,
 	AKSCBLMarinerV2,
 	AKSAzureLinuxV2,
@@ -182,6 +184,8 @@ var AvailableGen2Distros = []Distro{
 	AKSFlatcarArm64Gen2,
 	AKSACLGen2TL,
 	AKSACLArm64Gen2TL,
+	AKSACLGen2FIPSTL,
+	AKSACLArm64Gen2FIPSTL,
 	AKSCBLMarinerV2Gen2,
 	AKSAzureLinuxV2Gen2,
 	AKSAzureLinuxV3Gen2,
@@ -270,6 +274,8 @@ var AvailableFlatcarDistros = []Distro{
 var AvailableACLDistros = []Distro{
 	AKSACLGen2TL,
 	AKSACLArm64Gen2TL,
+	AKSACLGen2FIPSTL,
+	AKSACLArm64Gen2FIPSTL,
 }
 
 // IsContainerdSKU returns true if distro type is containerd-enabled.
@@ -763,6 +769,20 @@ var (
 		Version:       LinuxSIGImageVersion,
 	}
 
+	SIGACLGen2FIPSTLImageConfigTemplate = SigImageConfigTemplate{
+		ResourceGroup: AKSAzureLinuxResourceGroup,
+		Gallery:       AKSAzureLinuxGalleryName,
+		Definition:    "aclgen2fipsTL",
+		Version:       LinuxSIGImageVersion,
+	}
+
+	SIGACLArm64Gen2FIPSTLImageConfigTemplate = SigImageConfigTemplate{
+		ResourceGroup: AKSAzureLinuxResourceGroup,
+		Gallery:       AKSAzureLinuxGalleryName,
+		Definition:    "aclgen2arm64fipsTL",
+		Version:       LinuxSIGImageVersion,
+	}
+
 	SIGWindows2019ImageConfigTemplate = SigImageConfigTemplate{
 		ResourceGroup: AKSWindowsResourceGroup,
 		Gallery:       AKSWindowsGalleryName,
@@ -859,7 +879,6 @@ func GetMaintainedLinuxSIGImageConfigMap() map[Distro]SigImageConfig {
 	return maintained
 }
 
-//nolint:dupl // each distro family needs its own map, structural similarity is expected.
 func getSigUbuntuImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distro]SigImageConfig {
 	return map[Distro]SigImageConfig{
 		AKSUbuntuFipsContainerd2004:           SIGUbuntuFipsContainerd2004ImageConfigTemplate.WithOptions(opts...),
@@ -898,7 +917,6 @@ func getSigCBLMarinerImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distr
 	}
 }
 
-//nolint:dupl // each distro family needs its own map, structural similarity is expected.
 func getSigAzureLinuxImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distro]SigImageConfig {
 	return map[Distro]SigImageConfig{
 		AKSAzureLinuxV2:                  SIGAzureLinuxV2Gen1ImageConfigTemplate.WithOptions(opts...),
@@ -920,6 +938,8 @@ func getSigAzureLinuxImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distr
 		AKSAzureLinuxV3OSGuardGen2FIPSTL: SIGAzureLinuxV3OSGuardGen2FIPSTLImageConfigTemplate.WithOptions(opts...),
 		AKSACLGen2TL:                     SIGACLGen2TLImageConfigTemplate.WithOptions(opts...),
 		AKSACLArm64Gen2TL:                SIGACLArm64Gen2TLImageConfigTemplate.WithOptions(opts...),
+		AKSACLGen2FIPSTL:                 SIGACLGen2FIPSTLImageConfigTemplate.WithOptions(opts...),
+		AKSACLArm64Gen2FIPSTL:            SIGACLArm64Gen2FIPSTLImageConfigTemplate.WithOptions(opts...),
 	}
 }
 

@@ -38,6 +38,8 @@ var _ = Describe("GetMaintainedLinuxSIGImageConfigMap", func() {
 			AKSFlatcarArm64Gen2:              SIGFlatcarArm64Gen2ImageConfigTemplate.WithOptions(),
 			AKSACLGen2TL:                     SIGACLGen2TLImageConfigTemplate.WithOptions(),
 			AKSACLArm64Gen2TL:                SIGACLArm64Gen2TLImageConfigTemplate.WithOptions(),
+			AKSACLGen2FIPSTL:                 SIGACLGen2FIPSTLImageConfigTemplate.WithOptions(),
+			AKSACLArm64Gen2FIPSTL:            SIGACLArm64Gen2FIPSTLImageConfigTemplate.WithOptions(),
 		}
 		actual := GetMaintainedLinuxSIGImageConfigMap()
 		for distro, config := range expected {
@@ -105,7 +107,7 @@ var _ = Describe("GetSIGAzureCloudSpecConfig", func() {
 		Expect(mariner.Definition).To(Equal("V1"))
 		Expect(mariner.Version).To(Equal(FrozenCBLMarinerV1SIGImageVersionForDeprecation))
 
-		Expect(len(sigConfig.SigAzureLinuxImageConfig)).To(Equal(19))
+		Expect(len(sigConfig.SigAzureLinuxImageConfig)).To(Equal(21))
 
 		azurelinuxV2 := sigConfig.SigAzureLinuxImageConfig[AKSAzureLinuxV2]
 		Expect(azurelinuxV2.ResourceGroup).To(Equal("resourcegroup"))
@@ -386,5 +388,17 @@ var _ = Describe("GetSIGAzureCloudSpecConfig", func() {
 		Expect(aclArm64Gen2.Gallery).To(Equal("aksazurelinux"))
 		Expect(aclArm64Gen2.Definition).To(Equal("aclgen2arm64TL"))
 		Expect(aclArm64Gen2.Version).To(Equal(LinuxSIGImageVersion))
+
+		aclGen2FIPS := sigConfig.SigAzureLinuxImageConfig[AKSACLGen2FIPSTL]
+		Expect(aclGen2FIPS.ResourceGroup).To(Equal("resourcegroup"))
+		Expect(aclGen2FIPS.Gallery).To(Equal("aksazurelinux"))
+		Expect(aclGen2FIPS.Definition).To(Equal("aclgen2fipsTL"))
+		Expect(aclGen2FIPS.Version).To(Equal(LinuxSIGImageVersion))
+
+		aclArm64Gen2FIPS := sigConfig.SigAzureLinuxImageConfig[AKSACLArm64Gen2FIPSTL]
+		Expect(aclArm64Gen2FIPS.ResourceGroup).To(Equal("resourcegroup"))
+		Expect(aclArm64Gen2FIPS.Gallery).To(Equal("aksazurelinux"))
+		Expect(aclArm64Gen2FIPS.Definition).To(Equal("aclgen2arm64fipsTL"))
+		Expect(aclArm64Gen2FIPS.Version).To(Equal(LinuxSIGImageVersion))
 	})
 })
@@ -194,6 +194,8 @@ const (
 	AKSFlatcarArm64Gen2                   Distro = "aks-flatcar-arm64-gen2"
 	AKSACLGen2TL                          Distro = "aks-acl-gen2-tl"
 	AKSACLArm64Gen2TL                     Distro = "aks-acl-arm64-gen2-tl"
+	AKSACLGen2FIPSTL                      Distro = "aks-acl-gen2-fips-tl"
+	AKSACLArm64Gen2FIPSTL                 Distro = "aks-acl-arm64-gen2-fips-tl"
 
 	// Windows string const.
 	// AKSWindows2019 stands for distro of windows server 2019 SIG image with docker.
@@ -277,6 +279,8 @@ var AKSDistrosAvailableOnVHD = []Distro{
 	AKSFlatcarArm64Gen2,
 	AKSACLGen2TL,
 	AKSACLArm64Gen2TL,
+	AKSACLGen2FIPSTL,
+	AKSACLArm64Gen2FIPSTL,
 }
 
 type CustomConfigurationComponent string