Google Distributed Cloud (software only) for bare metal 1.30 release notes

This document lists production updates to Google Distributed Cloud (software only) for bare metal, formerly known as Google Distributed Cloud. Check this page periodically for any new announcements.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

August 29, 2024

Release 1.30.0-gke.1930

Google Distributed Cloud for bare metal 1.30.0-gke.1930 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.0-gke.1930 runs on Kubernetes 1.30.

After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.

If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.

Version 1.16 end of life: In accordance with the Version Support Policy, version 1.16 (all patch releases) of Google Distributed Cloud for bare metal has reached its end of life and is no longer supported.

New and updated features:

  • Preview: Added support for keyless mode for clusters. This feature uses short-lived tokens and Workload Identity Federation for your cluster and workload credentials, instead of the default long-lived service account keys and Kubernetes Secrets. This feature provides improved security and reduces credential maintenance.

  • Preview: Added support for Custom Scheduler Configuration for pods to automatically spread workloads across cluster nodes for increased reliability.

  • GA: Added support for admin and hybrid clusters to manage multiple versions of user clusters concurrently.

  • GA: Added support for node-level private registry configuration for workload images.

  • GA: Updated the bmctl update command to display the difference between the specs in the YAML cluster configuration file and the deployed Cluster resource. The diff covers the specs for both the Cluster resource and the NodePool resource.

  • GA: Added support for rolling back select node pool upgrades.

  • GA: Added support for specifying a session duration for Identity Service-issued tokens. You can set a session duration between 15 and 1440 minutes (24 hours). Shorter sessions provide better security (at the cost of more frequent reauthentication). Longer sessions reduce the frequency for reauthentication (at the cost of reduced security).

  • Preview: Updated the gcloud beta container fleet memberships get-credentials command to use a connect gateway preview feature that lets you run the kubectl attach, cp, and exec commands. For more information, see Limitations.

Functionality changes:

  • Updated the node pool upgrade behavior. Clusters at version 1.30 and higher support all node pool versions from the preceding two minor versions. The preview.baremetal.cluster.gke.io/two-minor-version-node-pool: enable annotation isn't required when upgrading clusters from version 1.29 to version 1.30.

  • Updated the bmctl version command to return the metadata image digest in the response. To print only the metadata image digest, specify the new --option value metadata-digest.

  • Deprecated the spec.gkeVersion field in the Machine custom resource. Starting with version 1.30.0, the spec.gkeVersion field is set to empty. For accurate version information, use anthosBareMetalVersion (GDC for bare metal version) in the Cluster resource spec or gkeVersion (Kubernetes version) in the Cluster resource status.

  • Updated Kubernetes audit logging to include request and response payloads from the Kubernetes API server for bare metal custom resources, such as Cluster, NodePool, BareMetalMachine, and BareMetalCluster.

  • Updated registry mirror support to allow you to specify a port for host addresses.

  • Updated the networking preflight check to verify that either the ip_tables or the nf_tables kernel module is available for loading, instead of being explicitly loaded.

  • Updated the stackdriver custom resource to remove the featureGates.GMPForSystemMetrics feature gate, which controlled the use of Managed Service for Prometheus for system metrics. This feature gate has defaulted to on (true) since version 1.16. If you have manually disabled Managed Service for Prometheus for system metrics, upgrading to version 1.30 might be a breaking change for some system metrics formats.

  • Added checks to validate the SSH client certificate file type before saving the certificate as a Secret.

  • Updated the GKE Identity Service custom resource definition to change the description for IdentityServiceOptions and improve formatting.

  • Added preflight checks for available disk space in specific directories:

    • During cluster creation, the following directories are checked:

      • / (the root directory) has at least 4 GiB of free space

      • /var/log/fluent-bit-buffers has at least 12 GiB of free space

      • /var/opt/buffered-metrics has at least 10016 MiB of free space

    • During a cluster upgrade, the following directory is checked:

      • / (the root directory) has at least 2 GiB of free space

  • GA: Adopted the GKE audit policy, instead of the previous unpopulated policy.
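
As an added example (not bmctl's own preflight code), the following POSIX shell functions reproduce the disk-space thresholds listed above so you can check a node before running cluster creation or upgrade. It assumes `df -P -k` and `awk` are available; measuring the nearest existing parent when a buffer directory has not been created yet is an assumption of this example, not documented preflight behavior.

```shell
#!/bin/sh
# free_mib DIR: print free space, in MiB, on the filesystem that holds DIR.
# If DIR does not exist yet (for example the buffer directories on a fresh
# node), the nearest existing parent directory is measured instead
# (assumption of this example, not documented bmctl behavior).
free_mib() {
    d=$1
    while [ ! -d "$d" ] && [ "$d" != "/" ]; do
        d=$(dirname "$d")
    done
    # df -P -k gives POSIX output in 1024-byte blocks; column 4 is "Available".
    df -P -k "$d" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# check_free_space DIR MIN_MIB: succeed (0) if DIR has at least MIN_MIB free.
check_free_space() {
    dir=$1
    min=$2
    have=$(free_mib "$dir")
    have=${have:-0}
    if [ "$have" -ge "$min" ]; then
        echo "PASS $dir: ${have} MiB free (need ${min} MiB)"
        return 0
    fi
    echo "FAIL $dir: ${have} MiB free (need ${min} MiB)" >&2
    return 1
}

# Thresholds from the 1.30 release notes: 4 GiB = 4096 MiB, 12 GiB = 12288 MiB.
preflight_create() {
    rc=0
    check_free_space / 4096 || rc=1
    check_free_space /var/log/fluent-bit-buffers 12288 || rc=1
    check_free_space /var/opt/buffered-metrics 10016 || rc=1
    return $rc
}

# Upgrade checks only the root directory, at 2 GiB = 2048 MiB.
preflight_upgrade() {
    check_free_space / 2048
}
```

Running `preflight_create` on a node reports every directory that falls short rather than stopping at the first failure, mirroring how you would want to read preflight output before a create.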

Fixes:

  • Fixed an issue where old, inoperable WebHook resources caused problems with cluster upgrades.

  • Fixed an issue where upgraded clusters didn't get label updates that match the labels applied for newly created clusters, for a given version.

  • Fixed an issue where service accounts created by using the --create-service-accounts flag with the bmctl create config command didn't have sufficient permissions.

  • Fixed an issue where the kubelet didn't honor the shortened, 1-second grace period for pod deletion during eviction-based draining.

The following container image security vulnerabilities have been fixed in 1.30.0-gke.1930:

Known issues:

For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.