GDCV for Bare Metal 1.29 release notes

This document lists production updates to GDCV for Bare Metal. We recommend that GKE on Bare Metal developers periodically check this list for any new announcements.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/anthos-bare-metal-release-notes.xml

April 29, 2024

Release 1.29.0-gke.1449

GKE on Bare Metal 1.29.0-gke.1449 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.29.0-gke.1449 runs on Kubernetes 1.29.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

Version 1.15 end of life: In accordance with the Version Support Policy, version 1.15 (all patch releases) of GKE on Bare Metal has reached its end of life and is no longer supported.

  • GA: GKE Identity Service v2 is supported, providing an improved security flow when you authenticate with third-party identity providers.

    The GA offering of GKE Identity Service v2 has the following requirements and restrictions:

    • GKE Identity Service v2 now requires ports 11001 and 11002 on the control plane load balancer nodes, instead of 8443 and 8444. Ensure these ports are open and available before you upgrade a cluster to version 1.29.0-gke.1449 and higher. If the ports aren't open, upgrade preflight checks fail.

    • GKE Identity Service v2 requires version 1.5.1 or higher of the Anthos Auth gcloud CLI component. If necessary, update the Anthos Auth component (gcloud components update anthos-auth). If you use the Google Cloud SDK, updating the SDK (gcloud components update) to version 474.0.0 or later also updates the Anthos Auth component to the required version.

    • GKE Identity Service v2 doesn't work with GKE on Bare Metal clusters with the following configurations:

      • Clusters that have only a single control plane node.

      • Clusters that use control plane nodes for load balancing. That is, clusters that aren't configured with either a separate load balancing node pool or manual load balancing.

  • GA: Selective node pool upgrades now support a version skew of up to two minor versions, so a node pool can lag the control plane by up to two minor versions.

  • GA: Added capability to pause and resume cluster upgrades.

  • GA: Maintenance mode now uses eviction-based draining for nodes, instead of taint-based draining. Eviction-based draining uses the Eviction API, which honors Pod Disruption Budgets (PDBs). Draining nodes this way provides better protection against workload disruptions. Conversely, a PDB that currently allows zero disruptions blocks the drain until it is relaxed, so review your PDBs before placing nodes in maintenance mode.

  • Preview: Added support for node-level private registry configuration for workload images.

  • Preview: Added support for rolling back select node pool upgrades.

  • Preview: Added support for admin and hybrid clusters to manage user clusters that run different versions concurrently.

  • Preview: Added support for using an intermediate Certificate Authority (CA) as the cluster root CA.

  • Preview: Added support to route workload logs to a third-party custom Kafka destination. This capability isn't enabled by default. You enable it in the cluster stackdriver resource spec by adding the unmanagedKafkaOutputConfig section. This section lets you specify the addresses of the Kafka message brokers (brokers), the topic names (topics), and the keys used to map log messages to topic partitions (topicKeys).

  • Improved command-line interface errors and error documentation.
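Because eviction-based draining honors PDBs, a PodDisruptionBudget that allows zero disruptions will stall a maintenance-mode drain or a node pool upgrade until it is relaxed. The following script, added here as an example and not part of GKE on Bare Metal, lists such budgets. It assumes the three-column kubectl custom-columns output described in the comments and a kubeconfig in the environment; the namespace and PDB names in the test data are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of GKE on Bare Metal): find PodDisruptionBudgets
# that currently allow zero disruptions, since eviction-based draining will
# wait on them indefinitely. The parsing function takes a file so it can be
# run on captured output; live_blocking_pdbs queries the cluster.
set -u

# Reads the header-less, three-column output of
#   kubectl get pdb -A --no-headers \
#     -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,ALLOWED:.status.disruptionsAllowed'
# from a file and prints "namespace/name" for every PDB whose ALLOWED column
# is exactly 0 (a PDB with no status yet shows "<none>" and is not reported).
# Returns 0 when at least one blocking PDB was found, 1 otherwise, so callers
# can branch on the result.
blocking_pdbs() {
  local listing="$1"
  awk '$3 == "0" { print $1 "/" $2; found = 1 }
       END { exit found ? 0 : 1 }' "$listing"
}

# Wrapper against the live cluster; uses whatever kubeconfig kubectl would.
live_blocking_pdbs() {
  local listing rc
  listing="$(mktemp)"
  kubectl get pdb -A --no-headers \
    -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,ALLOWED:.status.disruptionsAllowed' \
    > "$listing"
  blocking_pdbs "$listing"
  rc=$?
  rm -f "$listing"
  return "$rc"
}

# Usage before draining or pausing/resuming an upgrade:
#   if live_blocking_pdbs; then echo "relax the PDBs above before draining"; fi
```

Run it before placing a node in maintenance mode or starting a node pool upgrade; any namespace/name it prints will hold the drain until the budget is relaxed or the Pods it covers become healthy enough to allow a disruption.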

Functionality changes:

  • GKE Identity Service v2 now sends extra parameters (extraParams) to your OIDC provider.

  • Extra node viewing permissions are added for accounts specified with the spec.clusterSecurity.authorization.clusterViewer.gcpAccounts field in the Cluster resource.

  • Added Status.Available field to BareMetalMachine resources to indicate whether the machine is available.

  • Updated preflight checks add a check for the networking kernel modules (ip_tables or nf_tables) and remove the check for the iptables userspace package.

  • The Google plugin for the GKE Identity Service now caches the provider's public keys for the lifetime given by the max-age directive of the Cache-Control header on the key response.
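Two of the requirements above can be verified on a node before you start the upgrade: the GKE Identity Service v2 ports 11001 and 11002 must be free on the control plane load balancer nodes, and either the ip_tables or the nf_tables kernel module must be present. The script below is an added example, not part of GKE on Bare Metal's own preflight checks. It parses /proc/modules and the output of ss -Hltn; the module and socket listings used in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of GKE on Bare Metal or its preflight checks): a
# local pre-upgrade check for two requirements named in the 1.29.0-gke.1449
# release notes. Both checks take a file so they can be exercised on captured
# output; live_check feeds them the live /proc/modules and `ss -Hltn`.
set -u

# Returns 0 when ip_tables or nf_tables appears in a /proc/modules-style
# listing (one module per line, module name in the first field).
netfilter_module_loaded() {
  local modules_file="${1:-/proc/modules}"
  awk '$1 == "ip_tables" || $1 == "nf_tables" { found = 1 }
       END { exit found ? 0 : 1 }' "$modules_file"
}

# Given an `ss -Hltn`-style listing (local address:port in the 4th field) and
# a list of ports, prints each port that already has a listener and returns 1
# if any did; returns 0 when every port is free. The port is taken from the
# last colon-separated element so IPv6 forms such as [::]:11001 and the
# wildcard form *:11002 are handled as well.
ports_in_use() {
  local listing="$1"
  shift
  local port rc=0
  for port in "$@"; do
    if awk -v want="$port" '{ n = split($4, a, ":"); if (a[n] == want) hit = 1 }
                            END { exit hit ? 0 : 1 }' "$listing"; then
      echo "$port"
      rc=1
    fi
  done
  return "$rc"
}

# Runs both checks on the live node. 11001 and 11002 are the GKE Identity
# Service v2 ports from these release notes; run this on each control plane
# load balancer node before upgrading to 1.29.0-gke.1449 or later.
live_check() {
  local sockets busy rc=0
  sockets="$(mktemp)"
  ss -Hltn > "$sockets"
  if ! netfilter_module_loaded /proc/modules; then
    echo "FAIL: neither ip_tables nor nf_tables is loaded" >&2
    rc=1
  fi
  if ! busy="$(ports_in_use "$sockets" 11001 11002)"; then
    echo "FAIL: GKE Identity Service v2 port(s) already bound: $busy" >&2
    rc=1
  fi
  rm -f "$sockets"
  return "$rc"
}

# Usage on a load balancer node: live_check && echo "ready for upgrade"
```

If live_check reports a bound port, identify the listener (ss -Hltnp shows the process) and move it before upgrading; the product's own preflight check will otherwise fail the upgrade at the same point.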

Fixes:

  • Fixed an issue where the kubelet didn't honor the shortened, 1-second grace period for Pod deletion during eviction-based draining.

  • Fixed a cluster upgrade issue where the lifecycle-controller-deployer Pod was unable to migrate existing GKE on Bare Metal resources to the latest API version. This issue blocked upgrades to earlier 1.28 releases.

  • Fixed an issue with configuring a proxy for your cluster that required you to manually set the HTTPS_PROXY and NO_PROXY environment variables on the admin workstation.

  • Fixed an issue where upgrades were blocked because cluster-operator couldn't delete stale, failing preflight check resources.

  • Fixed an issue where the network check ConfigMap wasn't updated when nodes were added or removed.

The following container image security vulnerabilities have been fixed in version 1.29.0-gke.1449:

Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.