Release notes

This page documents production updates to Anthos Config Management. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud Console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly:

July 30, 2020

Updated the git-sync image to fix security vulnerability CVE-2019-5482.

June 15, 2020

A regression in Anthos Config Management 1.3.2 results in unnecessary patches to the API server for the gatekeeper-system namespace and spurious logging for error KNV2005. This "fight" results when the gatekeeper-system namespace is managed in the Git repo, and two Anthos Config Management components (the operator and syncer) are both trying to reconcile the state of the namespace with the API server. The only workaround at this time is to unmanage the gatekeeper-system namespace. The issue will be fixed in Anthos Config Management 1.4.1.

May 21, 2020

This release includes several performance and memory improvements.

In order to help prevent accidental deletion, Anthos Config Management will no longer allow a user to remove all namespaces or cluster-scoped resources in a single commit. If you wish to delete the full set of resources under management, it now requires two steps: remove all but one in a first commit, allow ACM to sync those changes, then remove the final resource in a second commit.

Error documentation has been updated to add more information on error codes. Errors that are no longer encountered in the product have been removed. Most error references have been embellished with examples and steps for remediation.

Anthos Config Management now supports a GKE-only authentication mechanism based on the service account of the cluster's node pool. Documentation on its use is here.

Anthos Config Management now includes Config Connector v1.8.0.

Anthos Config Management will now attempt to detect when resources that it manages are also managed by other controllers. Documentation on this behavior is available in error knv2005 which ACM will log in that case.

Policy Controller has been upgraded to include a newer version of Open Policy Agent Gatekeeper.

This version includes updates to improve the management of policy resources. As a consequence, finalizers are no longer used to manage Constraints and Constraint Templates.

The following metrics have been made obsolete due to these changes and have been removed:

  • gatekeeper_watch_manager_is_running

  • gatekeeper_watch_manager_last_restart_check_time

  • gatekeeper_watch_manager_last_restart_time

  • gatekeeper_watch_manager_restart_attempts

The following metrics were removed and will be re-implemented in a later version:

  • gatekeeper_watch_manager_intended_watch_gvk

  • gatekeeper_watch_manager_watched_gvk

April 23, 2020

Anthos Config Management images are now included in the Google-provided system images for Binary Authorization.

Policy Agent now allows configuration of namespaces that will bypass the admission controller. For more information, see Excluding Namespaces from Policy Controller

You can now exempt Namespaces from Policy Controller enforcement

Anthos Config Management v1.3.1 now supports Kubernetes v1.16 and higher. Earlier versions of Anthos Config Management relied on APIs that have been deprecated in Kubernetes v1.16.

The Anthos Config Management Syncer pod now reports when it detects that it is fighting with another process over a resource.

Anthos Config Management no longer allows managing resources in unmanaged Namespaces.

If you define a CRD with an integer field that has min/max values, Anthos Config Management will be unable to update the CRD.

Anthos Config Management no longer overwrites undeclared labels and annotations on Namespaces.

March 24, 2020

Anthos Policy Controller is now Generally Available

Anthos Config Management now includes the generally-available version of Config Connector.

Anthos Config Management now supports the use of a Personal Access Tokens for authentication against supported Git providers. More information can be found in Installing Anthos Config Management.

Anthos Config Management now supports the use of an HTTP or HTTPS proxy to connect with your Git host. More information can be found at Installing Anthos Config Management.