Azure · tallaxes · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026
diff --git a/charts/karpenter-crd/templates/karpenter.azure.com_aksnodeclasses.yaml b/charts/karpenter-crd/templates/karpenter.azure.com_aksnodeclasses.yaml
@@ -68,7 +68,7 @@ spec:
                   enabled:
                     description: |-
                       enabled controls the artifact streaming mode. Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR.
-                      If not specified, defaults to true.
+                      If not specified, defaults to false.
                     type: boolean
                 type: object
               fipsMode:
@@ -938,7 +938,7 @@ spec:
                   enabled:
                     description: |-
                       enabled controls the artifact streaming mode. Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR.
-                      If not specified, defaults to true.
+                      If not specified, defaults to false.
                     type: boolean
                 type: object
               fipsMode:

diff --git a/pkg/apis/crds/karpenter.azure.com_aksnodeclasses.yaml b/pkg/apis/crds/karpenter.azure.com_aksnodeclasses.yaml
@@ -68,7 +68,7 @@ spec:
                   enabled:
                     description: |-
                       enabled controls the artifact streaming mode. Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR.
-                      If not specified, defaults to true.
+                      If not specified, defaults to false.
                     type: boolean
                 type: object
               fipsMode:
@@ -938,7 +938,7 @@ spec:
                   enabled:
                     description: |-
                       enabled controls the artifact streaming mode. Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR.
-                      If not specified, defaults to true.
+                      If not specified, defaults to false.
                     type: boolean
                 type: object
               fipsMode:

diff --git a/pkg/apis/v1alpha2/aksnodeclass.go b/pkg/apis/v1alpha2/aksnodeclass.go
@@ -38,7 +38,7 @@ var (
 // Artifact streaming allows container images to be streamed on demand to nodes rather than fully downloaded before starting.
 type ArtifactStreaming struct {
 	// enabled controls the artifact streaming mode. Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR.
-	// If not specified, defaults to true.
+	// If not specified, defaults to false.
 	// +optional
 	Enabled *bool `json:"enabled,omitempty"`
 }

diff --git a/pkg/apis/v1beta1/aksnodeclass.go b/pkg/apis/v1beta1/aksnodeclass.go
@@ -38,26 +38,26 @@ var (
 // Artifact streaming allows container images to be streamed on demand to nodes rather than fully downloaded before starting.
 type ArtifactStreaming struct {
 	// enabled controls the artifact streaming mode. Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR.
-	// If not specified, defaults to true.
+	// If not specified, defaults to false.
 	// +optional
 	Enabled *bool `json:"enabled,omitempty"`
 }
 
-// IsEnabled returns whether artifact streaming should be enabled for the given architecture and image family.
+// IsEnabled returns whether artifact streaming should be enabled for the given architecture.
 // ARM64 does not support artifact streaming and always returns false.
-// For AMD64, returns the explicit value if set; otherwise defaults to true for Ubuntu and false for AzureLinux.
-func (a *ArtifactStreaming) IsEnabled(arch string, imageFamily string) bool {
+//
+// NOTE: There is no admission-time validation to reject artifactStreaming.enabled=true for ARM64
+// workloads. AKSNodeClass does not know the target architecture — that comes from NodePool
+// requirements, a separate resource. CEL validation on AKSNodeClass cannot cross-reference NodePool
+// fields (CEL only has access to self). A validating webhook could enforce this but does not exist
+// today. As a result, enabling artifact streaming on an AKSNodeClass used by ARM64 NodePools will
+// silently not take effect. The instance type provider compensates by excluding ARM64 SKUs when
+// artifact streaming is enabled.
+func (a *ArtifactStreaming) IsEnabled(arch string) bool {
 	if arch == karpv1.ArchitectureArm64 {
 		return false
 	}
-	if a != nil && a.Enabled != nil {
-		return *a.Enabled
-	}
-	// Default: disabled for AzureLinux, enabled for everything else
-	if imageFamily == AzureLinuxImageFamily {
-		return false
-	}
-	return true
+	return a != nil && a.Enabled != nil && *a.Enabled
 }
 
 // AKSNodeClassSpec is the top level specification for the AKS Karpenter Provider.
@@ -692,17 +692,16 @@ func (in *AKSNodeClass) GetEncryptionAtHost() bool {
 	return false
 }
 
-// IsArtifactStreamingEnabled returns whether artifact streaming should be enabled for this node class
-// based on the architecture and image family. ARM64 nodes do not support artifact streaming and will
-// always return false. For AMD64, defaults to true for Ubuntu and false for AzureLinux, unless
-// explicitly set in the spec.
+// IsArtifactStreamingEnabled returns whether artifact streaming should be enabled for this node class.
+// Delegates to ArtifactStreaming.IsEnabled which handles ARM64 and nil checks.
 func (in *AKSNodeClass) IsArtifactStreamingEnabled(arch string) bool {
-	return in.Spec.ArtifactStreaming.IsEnabled(arch, lo.FromPtr(in.Spec.ImageFamily))
+	return in.Spec.ArtifactStreaming.IsEnabled(arch)
 }
 
 // IsArtifactStreamingExplicitlyEnabled returns true only when the user has explicitly
 // set artifact streaming to enabled (true) in the NodeClass spec. Returns false when
 // artifact streaming is not set (nil/default) or explicitly disabled.
+// Unlike IsArtifactStreamingEnabled, this is architecture-independent.
 func (in *AKSNodeClass) IsArtifactStreamingExplicitlyEnabled() bool {
 	return in.Spec.ArtifactStreaming != nil &&
 		in.Spec.ArtifactStreaming.Enabled != nil &&

diff --git a/pkg/providers/imagefamily/customscriptsbootstrap/provisionclientbootstrap.go b/pkg/providers/imagefamily/customscriptsbootstrap/provisionclientbootstrap.go
@@ -105,10 +105,7 @@ func (p *ProvisionClientBootstrap) ConstructProvisionValues(ctx context.Context)
 
 	nodeLabels := lo.Assign(map[string]string{}, p.Labels)
 
-	// Artifact streaming is configurable through the AKSNodeClass spec
-	// ARM64 does not support artifact streaming and is always disabled
-	// If not specified, defaults to enabled for Ubuntu, disabled for AzureLinux
-	enableArtifactStreaming := p.ArtifactStreaming.IsEnabled(p.Arch, osSKUToImageFamily(p.OSSKU))
+	enableArtifactStreaming := p.ArtifactStreaming.IsEnabled(p.Arch)
 
 	// unspecified FIPSMode is effectively no FIPS for now
 	enableFIPS := lo.FromPtr(p.FIPSMode) == v1beta1.FIPSModeFIPS
@@ -211,13 +208,3 @@ func (p *ProvisionClientBootstrap) ConstructProvisionValues(ctx context.Context)
 		ProvisionHelperValues: provisionHelperValues,
 	}, nil
 }
-
-// osSKUToImageFamily maps OSSKU to the corresponding image family constant
-func osSKUToImageFamily(ossku string) string {
-	switch ossku {
-	case ImageFamilyOSSKUAzureLinux2, ImageFamilyOSSKUAzureLinux3:
-		return v1beta1.AzureLinuxImageFamily
-	default:
-		return v1beta1.UbuntuImageFamily
-	}
-}
diff --git a/pkg/providers/imagefamily/customscriptsbootstrap/provisionclientbootstrap_test.go b/pkg/providers/imagefamily/customscriptsbootstrap/provisionclientbootstrap_test.go
@@ -703,71 +703,23 @@ func TestArtifactStreamingEnablement(t *testing.T) {
 		expectError                      bool
 		expectedErrorSubstring           string
 	}{
-		// Default behavior (artifactStreaming = nil)
+		// Default behavior (artifactStreaming = nil) — disabled for all
 		{
-			name:                             "AMD64 Ubuntu2004 FIPS - Artifact streaming enabled (default)",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2004,
-			kubernetesVersion:                "1.31.0",
-			imageDistro:                      "aks-ubuntu-fips-containerd-20.04-gen2",
-			expectedArtifactStreamingEnabled: true,
-		},
-		{
-			name:                             "AMD64 Ubuntu2204 - Artifact streaming enabled (default)",
+			name:                             "AMD64 default - Artifact streaming disabled",
 			arch:                             karpv1.ArchitectureAmd64,
 			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2204,
 			kubernetesVersion:                "1.31.0",
 			imageDistro:                      "aks-ubuntu-containerd-22.04-gen2",
-			expectedArtifactStreamingEnabled: true,
-		},
-		{
-			name:                             "AMD64 Ubuntu2404 - Artifact streaming enabled (default)",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2404,
-			kubernetesVersion:                "1.34.0",
-			imageDistro:                      "aks-ubuntu-containerd-24.04-gen2",
-			expectedArtifactStreamingEnabled: true,
-		},
-		{
-			name:                             "AMD64 AzureLinux2 - Artifact streaming disabled (default)",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUAzureLinux2,
-			kubernetesVersion:                "1.31.0",
-			imageDistro:                      "aks-azurelinux-v2-gen2",
-			expectedArtifactStreamingEnabled: false,
-		},
-		{
-			name:                             "AMD64 AzureLinux3 - Artifact streaming disabled (default)",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUAzureLinux3,
-			kubernetesVersion:                "1.32.0",
-			imageDistro:                      "aks-azurelinux-v3-gen2",
 			expectedArtifactStreamingEnabled: false,
 		},
 		{
-			name:                             "ARM64 Ubuntu2204 - Artifact streaming disabled",
+			name:                             "ARM64 default - Artifact streaming disabled",
 			arch:                             karpv1.ArchitectureArm64,
 			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2204,
 			kubernetesVersion:                "1.31.0",
 			imageDistro:                      "aks-ubuntu-arm64-containerd-22.04-gen2",
 			expectedArtifactStreamingEnabled: false,
 		},
-		{
-			name:                             "ARM64 AzureLinux2 - Artifact streaming disabled",
-			arch:                             karpv1.ArchitectureArm64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUAzureLinux2,
-			kubernetesVersion:                "1.31.0",
-			imageDistro:                      "aks-azurelinux-v2-arm64-gen2",
-			expectedArtifactStreamingEnabled: false,
-		},
-		{
-			name:                             "ARM64 AzureLinux3 - Artifact streaming disabled",
-			arch:                             karpv1.ArchitectureArm64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUAzureLinux3,
-			kubernetesVersion:                "1.32.0",
-			imageDistro:                      "aks-azurelinux-v3-arm64-gen2",
-			expectedArtifactStreamingEnabled: false,
-		},
 		{
 			name:                   "AMD64 Custom OSSKU - error",
 			arch:                   karpv1.ArchitectureAmd64,
@@ -779,7 +731,7 @@ func TestArtifactStreamingEnablement(t *testing.T) {
 		},
 		// Explicit artifact streaming values
 		{
-			name:                             "AMD64 Ubuntu2204 - Artifact streaming explicitly enabled",
+			name:                             "AMD64 - Artifact streaming explicitly enabled",
 			arch:                             karpv1.ArchitectureAmd64,
 			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2204,
 			kubernetesVersion:                "1.31.0",
@@ -788,7 +740,7 @@ func TestArtifactStreamingEnablement(t *testing.T) {
 			expectedArtifactStreamingEnabled: true,
 		},
 		{
-			name:                             "AMD64 Ubuntu2204 - Artifact streaming explicitly disabled",
+			name:                             "AMD64 - Artifact streaming explicitly disabled",
 			arch:                             karpv1.ArchitectureAmd64,
 			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2204,
 			kubernetesVersion:                "1.31.0",
@@ -797,40 +749,13 @@ func TestArtifactStreamingEnablement(t *testing.T) {
 			expectedArtifactStreamingEnabled: false,
 		},
 		{
-			name:                             "AMD64 Ubuntu2004 - Artifact streaming explicitly enabled",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2004,
-			kubernetesVersion:                "1.31.0",
-			imageDistro:                      "aks-ubuntu-fips-containerd-20.04-gen2",
-			artifactStreaming:                &v1beta1.ArtifactStreaming{Enabled: lo.ToPtr(true)},
-			expectedArtifactStreamingEnabled: true,
-		},
-		{
-			name:                             "AMD64 Ubuntu2404 - Artifact streaming explicitly enabled",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2404,
-			kubernetesVersion:                "1.34.0",
-			imageDistro:                      "aks-ubuntu-containerd-24.04-gen2",
-			artifactStreaming:                &v1beta1.ArtifactStreaming{Enabled: lo.ToPtr(true)},
-			expectedArtifactStreamingEnabled: true,
-		},
-		{
-			name:                             "AMD64 AzureLinux2 - Artifact streaming explicitly enabled",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUAzureLinux2,
+			name:                             "ARM64 - Artifact streaming explicitly enabled still disabled (unsupported)",
+			arch:                             karpv1.ArchitectureArm64,
+			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUUbuntu2204,
 			kubernetesVersion:                "1.31.0",
-			imageDistro:                      "aks-azurelinux-v2-gen2",
-			artifactStreaming:                &v1beta1.ArtifactStreaming{Enabled: lo.ToPtr(true)},
-			expectedArtifactStreamingEnabled: true,
-		},
-		{
-			name:                             "AMD64 AzureLinux3 - Artifact streaming explicitly enabled",
-			arch:                             karpv1.ArchitectureAmd64,
-			ossku:                            customscriptsbootstrap.ImageFamilyOSSKUAzureLinux3,
-			kubernetesVersion:                "1.32.0",
-			imageDistro:                      "aks-azurelinux-v3-gen2",
+			imageDistro:                      "aks-ubuntu-arm64-containerd-22.04-gen2",
 			artifactStreaming:                &v1beta1.ArtifactStreaming{Enabled: lo.ToPtr(true)},
-			expectedArtifactStreamingEnabled: true,
+			expectedArtifactStreamingEnabled: false,
 		},
 	}
 

diff --git a/pkg/providers/labels/labels_test.go b/pkg/providers/labels/labels_test.go
@@ -477,13 +477,11 @@ func TestLabelsGet(t *testing.T) {
 		},
 		// Artifact streaming label cases
 		{
-			name:              "AMD64 with nil artifact streaming (default) should have label set to true",
+			name:              "AMD64 with nil artifact streaming (default) should NOT have label",
 			imageFamily:       v1beta1.UbuntuImageFamily,
 			kubernetesVersion: "1.35.0",
 			arch:              "amd64",
-			expectedLabels: map[string]string{
-				labels.AKSArtifactStreamingEnabledLabelKey: "true",
-			},
+			unexpectedLabels:  []string{labels.AKSArtifactStreamingEnabledLabelKey},
 		},
 		{
 			name:              "ARM64 with nil artifact streaming (default) should NOT have label",

diff --git a/test/suites/integration/artifactstreaming_test.go b/test/suites/integration/artifactstreaming_test.go
@@ -63,16 +63,16 @@ var _ = Describe("ArtifactStreaming", func() {
 		verifyArtifactStreamingOnNode(node, true)
 	})
 
-	It("should set artifact streaming label and enable infrastructure when not specified (defaults to enabled)", func() {
+	It("should not set artifact streaming label or enable infrastructure when not specified (defaults to disabled)", func() {
 		// nodeClass.Spec.ArtifactStreaming is nil by default
 
 		pod := coretest.Pod()
 		env.ExpectCreated(nodeClass, nodePool, pod)
 		env.EventuallyExpectHealthy(pod)
 
 		node := env.EventuallyExpectInitializedNodeCount("==", 1)[0]
-		Expect(node.Labels).To(HaveKeyWithValue(artifactStreamingEnabledLabelKey, "true"))
-		verifyArtifactStreamingOnNode(node, true)
+		Expect(node.Labels).ToNot(HaveKey(artifactStreamingEnabledLabelKey))
+		verifyArtifactStreamingOnNode(node, false)
 	})
 
 	It("should not set artifact streaming label or enable infrastructure when explicitly disabled", func() {