This document lists production updates to Anthos clusters on bare metal. We recommend that Anthos clusters on bare metal developers periodically check this list for any new announcements.
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/anthos-bare-metal-release-notes.xml
May 31, 2023
Release 1.15.1
Anthos clusters on bare metal 1.15.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.15.1 runs on Kubernetes 1.26.
Functionality changes:
- Updated the cluster snapshot capability so that information can be captured for the target cluster even when the cluster custom resource is missing or unavailable.
- Improved bmctl error reporting for failures during the creation of a bootstrap cluster.
- Added support for using the baremetal.cluster.gke.io/maintenance-mode-deadline-seconds cluster annotation to specify the maximum node draining duration, in seconds. By default, a 20-minute (1200 seconds) timeout is enforced. When the timeout elapses, all pods are stopped and the node is put into maintenance mode. For example, to change the timeout to 10 minutes, add the annotation baremetal.cluster.gke.io/maintenance-mode-deadline-seconds: "600" to your cluster.
- Added node_pool_name to the anthos_baremetal_node_os_count metric.
Fixes:
- Fixed an issue that caused the bmctl restore command to stop responding for clusters with manually configured load balancers.
- Fixed an issue that caused health checks to report failure when they find a Pod with a status of TaintToleration even when the replicaset for the Pod has sufficient Pods running.
- Fixed an issue that prevented Anthos clusters on bare metal from restoring a high-availability quorum for nodes that use /var/lib/etcd as a mountpoint.
- Fixed an issue that caused conflicts with third-party Ansible automation.
- Fixed an issue where invalid kubelet image pull settings, such as negative values, resulted in update job failures. Unchecked job failures generate an excessive accumulation of kubelet configuration backup files.
- Fixed a cluster upgrade issue that prevented some control plane nodes from rejoining a cluster configured for high availability.
The following container image security vulnerabilities have been fixed:
- CVE-2018-1099
- CVE-2019-19906
- CVE-2020-8032
- CVE-2021-3468
- CVE-2021-43784
- CVE-2022-2097
- CVE-2022-2196
- CVE-2022-3424
- CVE-2022-3707
- CVE-2022-4129
- CVE-2022-4304
- CVE-2022-4379
- CVE-2022-4382
- CVE-2022-4450
- CVE-2022-4904
- CVE-2022-24407
- CVE-2022-29162
- CVE-2022-41723
- CVE-2022-41725
- CVE-2023-0045
- CVE-2023-0215
- CVE-2023-0286
- CVE-2023-0458
- CVE-2023-0461
- CVE-2023-1073
- CVE-2023-1074
- CVE-2023-1076
- CVE-2023-1077
- CVE-2023-1078
- CVE-2023-1079
- CVE-2023-1118
- CVE-2023-1281
- CVE-2023-1513
- CVE-2023-1611
- CVE-2023-1670
- CVE-2023-1829
- CVE-2023-1855
- CVE-2023-1872
- CVE-2023-1989
- CVE-2023-1990
- CVE-2023-1998
- CVE-2023-2162
- CVE-2023-2194
- CVE-2023-21102
- CVE-2023-22998
- CVE-2023-23004
- CVE-2023-23559
- CVE-2023-25012
- CVE-2023-26545
- CVE-2023-27487
- CVE-2023-27488
- CVE-2023-27491
- CVE-2023-27492
- CVE-2023-27493
- CVE-2023-27496
- CVE-2023-28328
- CVE-2023-28466
- CVE-2023-28484
- CVE-2023-29469
- CVE-2023-30456
- CVE-2023-30772
- CVE-2023-32269
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
May 24, 2023
Release 1.14.5
Anthos clusters on bare metal 1.14.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.14.5 runs on Kubernetes 1.25.
Fixes:
- Fixed an issue that caused a continuous increase in memory usage for stackdriver-log-forwarder Pods.
- Fixed an issue that caused the bmctl restore command to stop responding for clusters with manually configured load balancers.
- Fixed an issue that caused preflight checks to fail for clusters configured with spec.proxy.noProxy settings.
- Fixed an upgrade issue where adding upgradeStrategy.parallelUpgrade.concurrentNodes to the NodePool spec (for a parallel upgrade) caused the upgrade operation to fail.
- Fixed an issue that caused conflicts with third-party Ansible automation.
- Fixed an issue that prevented Anthos clusters on bare metal from restoring a high-availability quorum for nodes that use /var/lib/etcd as a mountpoint.
- Fixed a cluster upgrade issue that prevented some control plane nodes from rejoining a cluster configured for high availability.
- Fixed an upgrade race condition between a node and the CNI, which could result in two worker nodes upgrading simultaneously.
- The following container image security vulnerabilities have been fixed:
- CVE-2022-3821
- CVE-2022-4415
- CVE-2022-4450
- CVE-2022-29458
- CVE-2022-41723
- CVE-2022-41725
- CVE-2023-0045
- CVE-2023-0215
- CVE-2023-0286
- CVE-2023-0386
- CVE-2023-0461
- CVE-2023-1077
- CVE-2023-1078
- CVE-2023-1118
- CVE-2023-1281
- CVE-2023-1670
- CVE-2023-1829
- CVE-2023-1989
- CVE-2023-23559
- CVE-2023-27487
- CVE-2023-27488
- CVE-2023-27491
- CVE-2023-27492
- CVE-2023-27493
- CVE-2023-27496
- CVE-2023-28466
- CVE-2023-31436
- CVE-2023-32233
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
May 10, 2023
CentOS Linux 8 Support Deprecated
CentOS Linux 8 reached its end of life (EOL) on December 31st, 2021. We strongly recommend that you migrate to one of the other supported operating systems for Anthos clusters on bare metal. All support for CentOS is removed from Anthos clusters on bare metal release 1.17 (December 2023) and subsequent releases.
April 27, 2023
Release 1.15.0
Anthos clusters on bare metal 1.15.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.15.0 runs on Kubernetes 1.26.
Version 1.12 end of life: In accordance with the Anthos Version Support Policy, version 1.12 (all patch releases) of Anthos clusters on bare metal has reached its end of life and is no longer supported.
Cluster lifecycle:
- Upgraded from Kubernetes version 1.25 to version 1.26.
- GA: Set in-place upgrade (without bootstrap cluster) as the default upgrade method for self-managed clusters.
- GA: Added support for configuring worker node pools for parallel node upgrades to significantly reduce upgrade times. Added a minimumAvailableNodes field to specify a minimum number of nodes to keep available for workloads throughout the upgrade.
- Preview: Added support for parallel upgrades of worker node pools.
- Added support for Red Hat Enterprise Linux (RHEL) version 8.7.
- Added support for Ubuntu 22.04 LTS.
- GA: Added support for increasing the number of IP addresses for Services after cluster creation. For more information, see Increase service network range.
- Preview: Added ability to configure kubelet image pull settings for node pools. For more information, see Configure kubelet image pull settings.
- Streamlined the snapshot uploading and sharing process.
- GA: Added support of Control group v2 (cgroup v2).
- Preview: Added a separate instance of etcd for the etcd-events object.
- Updated cert-manager to version 1.17.2.
- Updated automated API enablement when you run bmctl create config with the --enable-apis flag. The following APIs are added to the enablement list:
- Enable storage.googleapis.com as a required API.
- Enable gkeonprem.googleapis.com as a recommended API.
- Enable
- Added a new field status.failures to the NodePool custom resource to aggregate failures across machines in the NodePool.
- Added a new condition type PreflightCheckSuccessful to the NodePool custom resource. This condition type summarizes the preflight check status across machines in the NodePool.
Networking:
- Added support for ClusterDNS to specify the order for upstreamNameServers with an orderPolicy. Allowed values for orderPolicy are random, round_robin, or sequential. The default value is random.
Observability:
- Added support for filtering application logs. This feature can reduce application logging billing and network traffic from the cluster to Cloud Logging. For more information, see Filter application logs.
GA: Fully managed Cloud Monitoring Integration dashboards:
- In the next Anthos release (version 1.16), the following dashboards in Cloud Monitoring Sample Library are unavailable:
- Anthos cluster control plane uptime
- Anthos cluster node status
- Anthos cluster pod status
- Anthos utilization metering
- GKE on-prem node status
- GKE on-prem control plane uptime
- GKE on-prem pod status
- GKE on-prem vSphere vm health status
- In the next Anthos release (version 1.16), the following customized dashboards aren't created when you create a new cluster:
- Anthos cluster control plane uptime
- Anthos cluster pod status
- Anthos cluster node status
- Anthos cluster VM status
- An added Anthos integration page is available from the Cloud Monitoring Integration page. The Anthos integration includes descriptions and previews for the predefined Anthos dashboards:
- Anthos Cluster Control Plane Uptime
- Anthos Cluster Node Status
- Anthos Cluster Pod Status
- Anthos Cluster KubeVirt VM Status
- Anthos Cluster Utilization Metering
For more information, see Use predefined dashboards.
Preview: Added support for system metrics when you use Google Cloud Managed Service for Prometheus.
Security and Identity:
- Preview: Added support for Binary Authorization, a service on Google Cloud that provides software supply-chain security for container-based applications. For more information, see Binary Authorization for Anthos clusters overview.
- Preview: Added support for VPC Service Controls, which provides additional security for your clusters to help mitigate the risk of data exfiltration.
- Improved security by disabling port 10255, the kubelet read-only port, by default. For more information, see Disable kubelet read-only port in Hardening your cluster's security.
Functionality changes:
- Replacing taints and labels. Clusters created and upgraded to Anthos clusters on bare metal version 1.15.0 and higher have node-role.kubernetes.io/control-plane:* taints and node-role.kubernetes.io/control-plane labels. These new taints and labels replace the node-role.kubernetes.io/master label and node-role.kubernetes.io/master:* taints on new and upgraded control plane nodes.
Networking changes:
- Replaced the anetd CNI plugin for the bootstrap cluster with kindnet.
- Increased eBPF map limit to 512 K to allow for more load balancer Services.
- Upgraded CoreDNS to version 1.9.4.
Anthos VM Runtime:
- Moved the Anthos VM Runtime release notes to a separate page in the Anthos VM Runtime documentation section.
Fixes:
- Fixed an issue that caused the bmctl reset nodes command to fail if the bmctl-workspace directory was empty.
- Fixed an intermittent issue that caused the bmctl upgrade cluster command to indicate that the operation was complete before the cluster was in a ready state.
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
April 25, 2023
Release 1.13.7
Anthos clusters on bare metal 1.13.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.7 runs on Kubernetes 1.24.
Fixes:
The following container image security vulnerability has been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
April 19, 2023
Release 1.14.4
Anthos clusters on bare metal 1.14.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.14.4 runs on Kubernetes 1.25.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
April 12, 2023
Kubernetes image registry redirect
As of March 21, 2023, traffic to k8s.gcr.io is redirected to registry.k8s.io, following the community announcement. This change is happening gradually to reduce disruption, and should be transparent for most Anthos clusters.
To check for edge cases and mitigate potential impact to your clusters, follow the step-by-step guidance in k8s.gcr.io Redirect to registry.k8s.io - What You Need to Know.
March 31, 2023
Cluster lifecycle improvements 1.13.1 and later
Starting with Anthos clusters on bare metal release 1.13.1, you can use the Google Cloud console or the gcloud CLI to create admin clusters. For more information, see the documentation for your version of Anthos clusters on bare metal:
March 28, 2023
Release 1.12.9
Anthos clusters on bare metal 1.12.9 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.9 runs on Kubernetes 1.23.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
March 24, 2023
Release 1.14.3
Anthos clusters on bare metal 1.14.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.14.3 runs on Kubernetes 1.25.
Fixes:
- Improved maintenance mode operation by ignoring non-running pods on nodes.
- Updated etcd version to version 3.4.21-0-gke.1 to resolve an issue that could lead to watch starvation and non-operational watch for resources.
- Updated kubernetes version to 1.25.6-gke.1000 to honor exponential backoff in job controller.
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
March 21, 2023
Release 1.13.6
Anthos clusters on bare metal 1.13.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.6 runs on Kubernetes 1.24.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
March 09, 2023
Cluster lifecycle improvements 1.13.1 and later
Starting with Anthos clusters on bare metal release 1.13.1, you can use the Google Cloud console or the gcloud CLI to upgrade admin and user clusters managed by the Anthos On-Prem API. If your cluster is at version 1.13.0 or lower, you must use bmctl to upgrade the cluster.
For more information about using the console or the gcloud CLI for upgrades, see the documentation for your version of Anthos clusters on bare metal:
March 02, 2023
Release 1.12.8
Anthos clusters on bare metal 1.12.8 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.8 runs on Kubernetes 1.23.
Fixes:
Updated Anthos Identity Service to better handle concurrent authentication webhook requests.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
March 01, 2023
Release 1.14.2
Anthos clusters on bare metal 1.14.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.14.2 runs on Kubernetes 1.25.
Fixes:
- Updated Anthos Identity Service to better handle concurrent authentication webhook requests.
- Updated stackdriver-operator to set CPU and memory resource limits.
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
February 23, 2023
Release 1.13.5
Anthos clusters on bare metal 1.13.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.5 runs on Kubernetes 1.24.
Fixes:
Updated Anthos Identity Service to better handle concurrent authentication webhook requests.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
February 07, 2023
Release 1.12.7
Anthos clusters on bare metal 1.12.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.7 runs on Kubernetes 1.23.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
January 27, 2023
1.14.0 Upgrade problem
Control plane nodes for Anthos clusters on bare metal use Kubernetes taints to prevent workload pods from being scheduled on them. When you upgrade version 1.13 Anthos clusters to version 1.14.0, the control plane nodes lose required taints. We recommend that you skip upgrading to version 1.14.0 and upgrade to version 1.14.1 directly.
This problem doesn't cause upgrade failures, but pods that aren't supposed to run on the control plane nodes may start doing so. These workload pods can overwhelm control plane nodes and lead to cluster instability. This issue has security implications, as well. We strongly recommend that you not upgrade your clusters to version 1.14.0, but upgrade instead to a subsequent release version with the fix.
For more information about the issue, including workaround instructions, see the Clusters upgraded to 1.14.0 lose master taints known issue.
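The upgrade problem above is a scheduling-isolation failure: a control plane node that has lost its taint will accept workload pods. One way to verify after an upgrade that every control plane node still carries a NoSchedule taint is to inspect the node list. The script below is an added example and is not part of the release notes or of the product; it parses the JSON shape printed by kubectl get nodes -o json, uses the taint and label keys named in these notes (node-role.kubernetes.io/control-plane and node-role.kubernetes.io/master), and runs against a constructed sample node list so it works offline.

```python
"""Report control plane nodes that have no NoSchedule taint.

Added example (not from the release notes). Input is the JSON that
`kubectl get nodes -o json` prints; a constructed sample is embedded
below so the script runs offline.
"""
import json
import sys

# A node is a control plane node if it carries either role label: the
# node-role.kubernetes.io/control-plane label introduced in 1.15.0 or the
# older node-role.kubernetes.io/master label it replaces.
CONTROL_PLANE_LABELS = (
    "node-role.kubernetes.io/control-plane",
    "node-role.kubernetes.io/master",
)

# The taint keys that keep workload pods off control plane nodes use the
# same names as the labels.
CONTROL_PLANE_TAINT_KEYS = CONTROL_PLANE_LABELS


def is_control_plane(node: dict) -> bool:
    """True if the node carries either control plane role label."""
    labels = node.get("metadata", {}).get("labels", {})
    return any(key in labels for key in CONTROL_PLANE_LABELS)


def has_control_plane_taint(node: dict) -> bool:
    """True if the node has a NoSchedule taint with a control plane key."""
    taints = node.get("spec", {}).get("taints") or []
    return any(
        t.get("key") in CONTROL_PLANE_TAINT_KEYS and t.get("effect") == "NoSchedule"
        for t in taints
    )


def control_plane_nodes_missing_taint(node_list: dict) -> list:
    """Return sorted names of control plane nodes that lack the taint."""
    missing = []
    for node in node_list.get("items", []):
        if is_control_plane(node) and not has_control_plane_taint(node):
            missing.append(node["metadata"]["name"])
    return sorted(missing)


# Constructed sample in the shape of `kubectl get nodes -o json`. Node
# names are made up: cp-1 is healthy, cp-2 has lost its taint (the 1.14.0
# symptom), and worker-1 is a worker that must not be flagged.
SAMPLE_NODE_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"metadata": {"name": "cp-1",
                  "labels": {"node-role.kubernetes.io/control-plane": ""}},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/control-plane",
                          "effect": "NoSchedule"}]}},
    {"metadata": {"name": "cp-2",
                  "labels": {"node-role.kubernetes.io/master": ""}},
     "spec": {}},
    {"metadata": {"name": "worker-1",
                  "labels": {"kubernetes.io/hostname": "worker-1"}},
     "spec": {}}
  ]
}
""")


if __name__ == "__main__":
    # Pipe real output in (kubectl get nodes -o json | python3 check.py);
    # with no piped input the embedded sample is used.
    data = SAMPLE_NODE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for name in control_plane_nodes_missing_taint(data):
        print(f"control plane node {name} has no NoSchedule taint")
```

The check accepts either taint key so that it reports correctly both before and after the 1.15.0 rename from master to control-plane; a node that is labeled as a control plane node but has neither taint is the condition the known issue describes.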
Release 1.14.1
Anthos clusters on bare metal 1.14.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.14.1 runs on Kubernetes 1.25.
Fixes:
- Fixed an issue with the anthos-cluster-operator that caused CertificateSigningRequest (CSR) events to be missed during reconciliation steps. The lack of signing resulted in Istio crashlooping.
- Fixed an issue that prevented the Pod CIDR for nodes from being adjusted from the default /24 mask size to account for the maxPodsPerNode cluster setting.
- Fixed an issue that removed taints from control plane nodes when upgrading clusters to version 1.14.0.
- The following container image security vulnerabilities have been fixed:
- CVE-2021-3759
- CVE-2021-46848
- CVE-2022-3169
- CVE-2022-3524
- CVE-2022-3564
- CVE-2022-3565
- CVE-2022-3594
- CVE-2022-3640
- CVE-2022-3643
- CVE-2022-40303
- CVE-2022-40304
- CVE-2022-41849
- CVE-2022-41850
- CVE-2022-42328
- CVE-2022-42329
- CVE-2022-42895
- CVE-2022-42896
- CVE-2022-42898
- CVE-2022-44638
- CVE-2022-47518
- CVE-2022-47519
- CVE-2022-47520
- CVE-2022-47521
Functionality changes:
- Changed the behavior for periodic health checks during upgrades. Now, during the upgrade process, existing periodic health checks continue to run in the admin cluster. Once the cluster is upgraded to the next version, the previous version periodic health checks are replaced with periodic health checks for the new version.
- Lowered the priority of health check jobs to minimize contention for resources.
- Changed the etcd history compaction interval from the default of 5 minutes to 2.5 minutes. This value is set in the kube-apiserver.yaml file.
Known issues:
For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.
January 26, 2023
Release 1.13.4
Anthos clusters on bare metal 1.13.4 is now available for download. To upgrade, see Upgrade clusters. Anthos clusters on bare metal 1.13.4 runs on Kubernetes 1.24.
Fixed an issue with the anthos-cluster-operator that caused CertificateSigningRequest (CSR) events to be missed during reconciliation steps. The lack of signing resulted in Istio crashlooping.
The following container image security vulnerabilities have been fixed:
- CVE-2021-3759
- CVE-2021-4037
- CVE-2021-46848
- CVE-2022-1184
- CVE-2022-20421
- CVE-2022-2978
- CVE-2022-3169
- CVE-2022-3176
- CVE-2022-3524
- CVE-2022-3564
- CVE-2022-3565
- CVE-2022-3586
- CVE-2022-3594
- CVE-2022-3621
- CVE-2022-3640
- CVE-2022-3643
- CVE-2022-3646
- CVE-2022-3903
- CVE-2022-39188
- CVE-2022-40303
- CVE-2022-40304
- CVE-2022-40307
- CVE-2022-41849
- CVE-2022-41850
- CVE-2022-41916
- CVE-2022-42010
- CVE-2022-42011
- CVE-2022-42012
- CVE-2022-42328
- CVE-2022-42329
- CVE-2022-42895
- CVE-2022-42896
- CVE-2022-42898
- CVE-2022-43680
- CVE-2022-43750
- CVE-2022-44638
- CVE-2022-47518
- CVE-2022-47519
- CVE-2022-47520
- CVE-2022-47521
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 21, 2022
Anthos clusters on bare metal release 1.14.0 is now available for download. Note that Anthos clusters on bare metal version 1.14.0 runs on Kubernetes 1.25. Multiple deprecated APIs are deleted in Kubernetes 1.25. Before you upgrade version 1.13 Anthos clusters to version 1.14, check to see if you are affected by the Kubernetes API deletions.
If you aren't affected by the API deletions, see Upgrade clusters in the 1.14 documentation for upgrade instructions.
December 19, 2022
Release 1.13.3
Anthos clusters on bare metal 1.13.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.3 runs on Kubernetes 1.24.
The following container image security vulnerabilities have been fixed:
- CVE-2022-35737
- CVE-2022-42311
- CVE-2022-33745
- CVE-2022-42309
- CVE-2022-42320
- CVE-2022-42323
- CVE-2022-33748
- CVE-2022-42321
- CVE-2022-33746
- CVE-2022-42310
- CVE-2022-42316
- CVE-2022-42322
- CVE-2022-42319
- CVE-2022-42325
- CVE-2022-42315
- CVE-2022-42324
- CVE-2022-42314
- CVE-2022-42317
- CVE-2022-42312
- CVE-2022-42318
- CVE-2022-42313
- CVE-2022-42326
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 14, 2022
Release 1.12.6
Anthos clusters on bare metal 1.12.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.6 runs on Kubernetes 1.23.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 13, 2022
Release 1.14.0
Anthos clusters on bare metal 1.14.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.14.0 runs on Kubernetes 1.25.
Improved cluster lifecycle functionalities:
- Upgraded from Kubernetes version 1.24 to 1.25.
- Enabled customers to run the latest health and preflight checks by running the command bmctl check cluster --check-image-version=latest. Setting the check-image-version flag to 'latest' ensures that clusters are examined for more recent issues, including issues discovered after a release.
- Preview: Added support of Control group v2 (cgroup v2).
- GA: Added automatic reservation of CPU and memory resources on cluster nodes so that system daemons have the resources they require.
- Optimized the consumption of resources by components such as cluster-operator, cap-manager, preflight-check operator, and lifecycle-controllers-manager.
- GA: Enabled automatic and periodic health checks on all clusters.
Networking:
- Preview: Added support for turning on kube-proxy-free mode for cluster objects. WARNING: This operation is not reversible. Once enabled, it cannot be disabled.
- Changed behavior of Dataplane V2 so that it drops a packet if no service backends are available. Previously, the packet was passed to the kernel stack.
- Enabled automatic API rate limit adjustments in Dataplane V2.
Observability:
- Added severity level to container logs.
- Enabled collection of uptime and other Kubernetes resource metrics from the kubelet summary API.
- Enabled Stackdriver log forwarder in the bootstrap cluster. This log forwarder publishes bootstrap container logs to Cloud Logging.
Security and Identity:
- GA: Added feature enabling cluster administrators to configure RBAC policies based on Azure Active Directory (AD) groups. Groups information for users belonging to more than 200 groups can now be retrieved.
- GA: Added secure computing mode (seccomp) support. Running containers with a seccomp profile improves the security of a cluster because it restricts the system calls that containers are allowed to make to the kernel.
- Added annotation in the cluster configuration file which allows customers to disable the kubelet read-only port. After disabling the read-only port, customers have to change their cluster configurations so that workloads use the kubelet secure port.
VM Runtime:
- GA: Added support for guest OS booting of UEFI. Previously, only BIOS was supported.
- Preview: Enabled Terraform scripting to create VMs on an Anthos cluster. For more information, including usage instructions, an input reference, and examples, see the terraform-google-anthos-vm GitHub repository.
- Preview: Added support for non-uniform memory access (NUMA) awareness. When enabled, all communication within the VM is local to the NUMA node, thus avoiding the performance cost of data transactions with remote memory locations.
- Preview: Enabled multicast traffic for VMs.
- Added Anthos VM Runtime preflight checks to validate hardware accelerator configuration.
- Enabled configuration of a storage volume's mode (block or filesystem) and access modes, such as RWO and RWX.
- Enabled means to configure the storage class of a scratch space. A scratch space is sometimes required when importing or uploading a VM disk image.
- Added support for configuring cloud-init, using virtctl.
- Enabled ability to disable auto-installation of the guest agent binary. After the initial guest agent installation, you can set the autoInstallGuestAgent flag to false so that the binary doesn't mount in subsequent restarts.
- Enabled the support of multiple network interfaces, by default, for all clusters.
- Improved security for creating a VM with kubectl virt create. If an initial password is specified, it is now stored in a Secret and not as a VM annotation.
- Reduced the permissions of the network controller.
- Changed default to always use Asynchronous IO mode (AIO) in order to reduce QEMU memory pressure.
- Added VM creation and disk provisioning times to Prometheus metrics.
- Added support for the Tesla T4 GPU.
- Enabled reset of GPU card to its original status when GPU functionality is disabled.
- Enabled ability to disable Anthos VM Runtime when it's in the enabling state and custom resource definitions haven't yet been installed.
- Added the following command, which allows you to display the VM screen: kubectl virt vnc --screenshot VM_NAME.
- Fixed the IP address update for Windows guest VMs.
- Resolved the MacVTap interface creation failure which occurred when the name of the interface was too long.
- Fixed attaching VM disks using the SATA driver.
- Fixed issue so that setting disableCDIUploadProxyVIP to true correctly disables the cdi-uploadproxy service.
- Fixed issue so that specifying a PersistentVolumeClaim (PVC) with an empty underlying PersistentVolume (PV) correctly creates the underlying empty disk format (raw or qcow2).
- Enforced VM names to follow the standard RFC 1123 format.
- Fixed issue so that ISO image is correctly imported from a Cloud Storage bucket.
- Fixed benign crash looping of the NVIDIA device plugin and the Multi-Instance GPU (MIG) manager when all GPU cards are allocated to a VM.
- Fixed issue so that virt-launcher Pod can be created when advanced compute is enabled.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 09, 2022
Release 1.12.5
Anthos clusters on bare metal 1.12.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.5 runs on Kubernetes 1.23.
Fixes:
The following container image security vulnerabilities have been fixed:
- CVE-2019-25013
- CVE-2021-3326
- CVE-2021-3999
- CVE-2021-4037
- CVE-2021-33574
- CVE-2021-35942
- CVE-2022-1184
- CVE-2022-1586
- CVE-2022-1587
- CVE-2022-2663
- CVE-2022-3061
- CVE-2022-3176
- CVE-2022-3303
- CVE-2022-3586
- CVE-2022-3621
- CVE-2022-3646
- CVE-2022-3649
- CVE-2022-20421
- CVE-2022-23218
- CVE-2022-23219
- CVE-2022-32221
- CVE-2022-33745
- CVE-2022-33746
- CVE-2022-33748
- CVE-2022-34903
- CVE-2022-37434
- CVE-2022-39188
- CVE-2022-40307
- CVE-2022-42309
- CVE-2022-42310
- CVE-2022-42311
- CVE-2022-42312
- CVE-2022-42313
- CVE-2022-42314
- CVE-2022-42315
- CVE-2022-42316
- CVE-2022-42317
- CVE-2022-42318
- CVE-2022-42319
- CVE-2022-42320
- CVE-2022-42321
- CVE-2022-42322
- CVE-2022-42323
- CVE-2022-42324
- CVE-2022-42325
- CVE-2022-42326
- CVE-2022-43680
- CVE-2022-43750
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
November 22, 2022
Release 1.13.2
Anthos clusters on bare metal 1.13.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.2 runs on Kubernetes 1.24.
Fixes:
- Ensured the kubeadmconfig Secret is deleted when a Cluster API node is removed.
- Added preflight check command (bmctl check preflight) that you can use when upgrading version 1.13 and higher clusters.
- Updated the commands bmctl check preflight and bmctl create cluster so that they fail if worker or control-plane nodes have docker credentials in /root/.docker/config.json. (Anthos clusters on bare metal version 1.13 and higher can no longer use Docker Engine as a container runtime. All clusters must use the default container runtime containerd.)
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
November 18, 2022
Release 1.11.8
Anthos clusters on bare metal 1.11.8 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.8 runs on Kubernetes 1.22.
Fixes:
The following container image security vulnerabilities have been fixed:
- CVE-2019-25013
- CVE-2020-16156
- CVE-2021-3326
- CVE-2021-3999
- CVE-2021-4037
- CVE-2021-33574
- CVE-2021-35942
- CVE-2022-1184
- CVE-2022-1586
- CVE-2022-1587
- CVE-2022-2663
- CVE-2022-3061
- CVE-2022-3116
- CVE-2022-3176
- CVE-2022-3303
- CVE-2022-3586
- CVE-2022-3621
- CVE-2022-3646
- CVE-2022-3649
- CVE-2022-20421
- CVE-2022-23218
- CVE-2022-23219
- CVE-2022-33745
- CVE-2022-33746
- CVE-2022-33748
- CVE-2022-37434
- CVE-2022-39188
- CVE-2022-40307
- CVE-2022-42309
- CVE-2022-42310
- CVE-2022-42311
- CVE-2022-42312
- CVE-2022-42313
- CVE-2022-42314
- CVE-2022-42315
- CVE-2022-42316
- CVE-2022-42317
- CVE-2022-42318
- CVE-2022-42319
- CVE-2022-42320
- CVE-2022-42321
- CVE-2022-42322
- CVE-2022-42323
- CVE-2022-42324
- CVE-2022-42325
- CVE-2022-42326
- CVE-2022-43750
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
November 08, 2022
Release 1.12.4
Anthos clusters on bare metal 1.12.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.4 runs on Kubernetes 1.23.
Fixes:
Increased the CPU limit for the metrics-server Pod to prevent it from frequently restarting.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
November 07, 2022
Security bulletin (1.11, 1.12, and 1.13)
A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Anthos Service Mesh, that allows a malicious attacker to crash the control plane.
For instructions and more details, see the Anthos clusters on bare metal security bulletin.
November 01, 2022
Cluster lifecycle improvements in 1.13 and later
Preview: You can use the Google Cloud console to create user clusters, delete user clusters, and to add and remove node pools from a user cluster. To explore the new feature, try out the tutorial Create an Anthos on bare metal user cluster on Compute Engine VMs using the console.
October 31, 2022
Release 1.13.1
Anthos clusters on bare metal 1.13.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.1 runs on Kubernetes 1.24.
Fixes:
- Increased the CPU limit for the metrics-server Pod to prevent it from frequently restarting.
- Updated the command bmctl enable/disable vmruntime to block the CLI and periodically show the status of VMRuntime. The CLI remains blocked until the command has finished and VMRuntime's ready status is true, or until a default period of 10 minutes has expired.
- Removed the deprecated IPv6DualStack featureGate field that blocked clusters from upgrading to Anthos clusters on bare metal version 1.13.0.
- Fixed the "no path ID mapping for prefix" error that sometimes occurred when bgpd updated bgpsession.
- The following container image security vulnerabilities have been fixed:
- CVE-2018-25032
- CVE-2021-22924
- CVE-2021-22946
- CVE-2021-22947
- CVE-2021-23840
- CVE-2021-23841
- CVE-2021-3999
- CVE-2021-43618
- CVE-2021-46828
- CVE-2022-0778
- CVE-2022-1292
- CVE-2022-1586
- CVE-2022-1587
- CVE-2022-1664
- CVE-2022-1679
- CVE-2022-2097
- CVE-2022-2257
- CVE-2022-2509
- CVE-2022-2526
- CVE-2022-27776
- CVE-2022-27781
- CVE-2022-27782
- CVE-2022-3172
- CVE-2022-32206
- CVE-2022-32208
- CVE-2022-34903
- CVE-2022-37434
- CVE-2022-39278
- CVE-2022-40674
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
October 28, 2022
Release 1.11.7
Anthos clusters on bare metal 1.11.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.7 runs on Kubernetes 1.22.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
October 05, 2022
Release 1.12.3
Anthos clusters on bare metal 1.12.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.3 runs on Kubernetes 1.23.
Fixes:
Updated the container image to resolve a YAML text/template vulnerability.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
September 29, 2022
Release 1.13.0
Anthos clusters on bare metal 1.13.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.0 runs on Kubernetes 1.24.
The dockershim component in Kubernetes enables cluster nodes to use the Docker Engine container runtime. However, Kubernetes 1.24 removed the dockershim component. Since Anthos clusters on bare metal version 1.13 runs on Kubernetes 1.24, version 1.13 and higher clusters can no longer use Docker Engine as a container runtime. All clusters must use the default container runtime containerd.
Improved cluster lifecycle functionalities:
Upgraded from Kubernetes version 1.23 to 1.24:
Reverted some of the changes Kubernetes and the kubeadm tool made to certain labels and taints on control plane nodes. Changes were reverted so that older versions of Anthos clusters on bare metal remain supported. As a result, control plane nodes have the following labels and taints:
- node-role.kubernetes.io/master label
- node-role.kubernetes.io/control-plane label
- node-role.kubernetes.io/master:NoSchedule taint
Upgraded from kubeadm.k8s.io/v1beta2 to kubeadm.k8s.io/v1beta3, since the former is deprecated.
Stopped automatic generation of Secret API objects containing service account tokens for every Service Account. For more information, see the LegacyServiceAccountTokenNoAutoGeneration section of the upgrade notes.
Breaking change: Version 1.12 clusters that use Docker Engine can upgrade to 1.13 only if the new container runtime is specified as containerd. Blocked the creation of new 1.13 clusters that use Docker Engine as the container runtime.
Preview: Added feature so that upgrades of an admin/hybrid/standalone cluster can proceed without a bootstrap cluster. Management of Anthos clusters on bare metal is now fully conformant to the Kubernetes Resource Model.
Added support of Red Hat Enterprise Linux (RHEL) 8.6.
Removed an erroneous CustomResourceDefinition (app.k8s.io.Application) from inclusion in the cluster creation process.
Fixed vulnerability to YAML injection by switching to safetext/yamltemplate.
GA: Added support for installing Anthos clusters on bare metal using your own registry service instead of gcr.io. For instructions and additional information, see Use a registry mirror to create clusters.
Eliminated false error messaging when bmctl create cluster is run. The message erroneously reported an Invalid value in the spec.labels field of NodePool specifications.
Added feature so that resetting a user cluster doesn't require the cluster configuration file.
Reduced containerd disk usage by having containerd store just the uncompressed layers of an image rather than both the compressed and uncompressed layers.
Upgraded containerd to version 1.6.6.
Networking:
GA: Enabled Dynamic Flat IP with Border Gateway Protocol (BGP) support. This feature lets you configure flat mode using BGP in clusters by leveraging Network Gateway Group and BGP. In this mode the Pod's IP address is visible and routable without masquerading across multiple subdomains. Currently supports advertising IPv4 and IPv6 routes over IPv4 sessions.
GA: Added BGP-based Load Balancer support for IPv6.
Added ability to disable the Bundled Ingress feature. Customers should disable this feature if they are using full Anthos Service Mesh (ASM) instead. (Bundled Ingress is unnecessary when full ASM is installed.)
Observability:
Preview: Added support of multi-line parsing for Go and Java logs.
GA: Added support for Google Cloud Managed Service for Prometheus (GMP) for application metrics.
Refined kube-state-metrics so that only core metrics are collected by default.
Security:
GA: Added Google Groups support for Connect Gateway.
Switched distroless base image for Node Problem Detector.
Changed anet-operator/cilium-operator to run as a non-root container.
Secured communication between metrics-server and api-server using the Transport Layer Security (TLS) protocol.
VM Runtime:
Fixed a memory leak in libvirt-go, which caused unbounded memory growth and risked crashing long-running VMs.
Provided guaranteed compute support so that customers can get Guaranteed Quality of Service (QoS) for the VM when needed.
Preview: Enabled Anthos VM to be allocated dedicated host cores. Each VM virtual core can be pinned to a dedicated host core.
Separated GPU installation and deletion logic. If only the container GPU workload is needed, customers can enable the GPU without having to enable VM Runtime.
Added support for the T4 GPU card.
Enabled automatic use of the VirtualMachineDisk name as the disk serial number. This change makes it easier for customers to identify the disk in the VM.
Enabled KubeVM cloud-init API and startup script API.
Added new CLI command (Virtctl) for resetting Windows VM password.
Fixed the following container image security vulnerability: CVE-2022-1798
Added feature that stops NVIDIA device plugins from crashing if a GPU card hasn't been allocated to a container.
Added support for automatic VM restarts after a configuration update. Previously, customers needed to stop the VM, apply the change, and then re-start the VM. To use the feature, set the autoRestartOnConfigurationChange flag to true in the VirtualMachine custom resource.
Improved the Kubernetes audit log of VM operations so that it contains detailed VM configuration and update information.
Fixed flooding of logs with cluster events that arise when a VM encounters disk I/O errors.
Added KubeVM roles. By binding with these roles, customers are granted permission to resources that manage VMs.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
September 26, 2022
Release 1.11.6
Anthos clusters on bare metal 1.11.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.6 runs on Kubernetes 1.22.
Fixes:
Updated the container image to resolve a YAML text/template vulnerability.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
August 30, 2022
Release 1.11.5
Anthos clusters on bare metal 1.11.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.5 runs on Kubernetes 1.22.
Fixes:
Increased the default storage size limit of etcd to 6 GiB.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
August 25, 2022
Release 1.12.2
Anthos clusters on bare metal 1.12.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.2 runs on Kubernetes 1.23.
Features:
- Added the --use-disk flag to the bmctl backup cluster command to use the disk instead of the in-memory buffer to back up a cluster. Use this option when available RAM is limited on your admin workstation.
- Added the --quiet flag to the bmctl check cluster --snapshot command to suppress logging to the console during snapshot creation.
Fixes:
- Added caching for the Cloud Audit Logging feature status to avoid unnecessary checks and improve performance.
- Increased the default etcd DB size to 6 GiB to address NO_SPACE_ALARM in high-scale clusters.
- Fixed a libseccomp package incompatibility issue.
- Fixed an issue with the machine-reset job getting stuck.
- Fixed an issue that caused continuous, unneeded cluster reconciliation operations.
- Fixed an issue that prevented the node problem detector from running after a cluster upgrade.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
August 23, 2022
Release 1.10.8
Anthos clusters on bare metal 1.10.8 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.8 runs on Kubernetes 1.21.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
Anthos VM Runtime
Anthos VM Runtime is Generally Available (GA). Some features and capabilities are available for Preview only, as indicated in the following descriptions:
- Upgraded Kubevirt to version 0.49.
- Upgraded Containerized Data Importer (CDI) to version 1.43.0.
- Added a bmctl command to enable or disable Anthos VM Runtime on user clusters.
- Added automatic upgrade of Anthos VM Runtime when upgrading Anthos clusters on bare metal.
- Preview: Added ability to configure an eviction policy that controls how VMs automatically migrate to other hosts during maintenance events.
- Preview: Added non-disruptive upgrading of VM runtime during live migration (that is, when VMs are unobtrusively migrated from one node to another).
VM APIs:
- Simplified VM Compute API.
- Added ability to create and manage disk resources for VMs that use Anthos VM Runtime.
- Added ability to schedule VMs using standard Kubernetes scheduling primitives.
- Preview: Added ability to use GPUs in VMs.
- Added more access management capabilities to VM Guest Environment.
- Preview: Added support for guest OS booting of UEFI. Previously, only BIOS was supported.
Observability:
- Integrated VM telemetry and console logs into Google Cloud console. Telemetry information and log data are critical for monitoring the status of VMs and for troubleshooting problems with your cluster VMs.
- Added VM CPU and memory metrics to Cloud Monitoring. These metrics can be viewed in the Anthos clusters VM status dashboard.
- Added ability to view console logs for VMs that use Anthos VM Runtime.
- Added logs that audit VM pods.
Guest OS support:
Added support for the following guest OS versions running on a Virtual Machine:
- Windows Server 2019
- Windows Server 2016
- Windows 10
- Red Hat Enterprise Linux (RHEL) 8
- RHEL 7
- CentOS 8
- CentOS 7
- Ubuntu 20.04
- Ubuntu 18.04
VM networking features:
- IPAMv4: Static IP Allocation for VM interfaces.
- IP and MAC Stickiness for VM interfaces.
- IPAMv4: DHCP for VM interfaces.
- VLAN tagging support for VM Interfaces.
- Multi-NIC for VM interfaces through native Dataplane V2 support (macvtap + Dataplane V2).
- Static routes and DNS configurations at per-network basis.
- NetworkPolicy enforcement at per-network basis.
- Validating admission webhooks for Network and NetworkInterface object.
- Network Mutation, allow the mutations of Gateway, DNS and the customized network routes in the network custom resource. The parent interface for the VM and the VLAN ID are not mutable. VMs that were already running before the network configuration change need to be restarted to pick up the change.
- Added command to restart all VMs in a network.
Graceful IP release for VMs:
- During VM migration, the IP isn't released.
- IP addresses are released for VMs that are deleted or stopped.
For more information on networking, see Create and use virtual networks for Anthos VM Runtime.
VM Runtime issues:
When kubevirt is configured, customers should ensure that TOR switches have MAC learning enabled.
If you choose to manually run a DHCP ipconfig /renew command in a Windows VM, you should first perform a DHCP release using the ipconfig /release command. In other words, the sequence for manually performing a DHCP renewal in a Windows environment is the following:
ipconfig /release
ipconfig /renew
August 04, 2022
Release 1.11.4
Anthos clusters on bare metal 1.11.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.4 runs on Kubernetes 1.22.
Fixes:
- Fixed issue in which cluster restores failed when /var/lib/etcd is a mount point.
- Fixed issue in which attempts to skip minor versions when upgrading weren't blocked. For details about the upgrade policy, see Minor version upgrades.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
August 03, 2022
Release 1.12.1
Anthos clusters on bare metal 1.12.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.1 runs on Kubernetes 1.23.
Functionality changes:
Increased default memory limits for coredns, metallb-controller, metallb-speaker, metrics-server, anthos-cluster-operator, and cap-controller-manager.
Modified the dashboards Anthos cluster pod status and Anthos cluster node status. Specifically, the following changes were made:
- Replaced cadvisor resource metrics with summary API resource metrics.
- Added cpu, memory, and volume utilization metrics.
If you have already installed these dashboards in a project, you need to download the JSON files Anthos-cluster-pod-status.json and Anthos-cluster-node-status.json from the Dashboards for Anthos GitHub repository. You then need to import these JSON files into Cloud Monitoring. For details, see Install sample dashboards.
Fixes:
- Fixed issue in which nodes drained or cordoned by kubectl were mistakenly marked as schedulable.
- Fixed issue in which cluster controller and autoscaler conflicted with each other in the scaling of istiod, coredns, and istio-ingress Pods.
- Fixed issue in which the wrong data type was used in health check log messages, resulting in panic messages.
- Fixed issue in which cluster restores failed when /var/lib/etcd is a mount point.
- Fixed issue in which attempts to skip minor versions when upgrading weren't blocked. For details about the upgrade policy, see Minor version upgrades.
- Fixed issue in which an external VIP Service of type LoadBalancer would not respond when flat IP mode was enabled.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
Release 1.12.1 ships with containerd version 1.5.13, which requires libseccomp version 2.5 or higher. If your system doesn't have libseccomp version 2.5 or higher installed, update it in advance of upgrading existing clusters to version 1.12.1. Otherwise, you may see errors in cplb-update Pods for load balancer nodes such as:
runc did not terminate successfully: runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond
To install the latest version of libseccomp in Ubuntu, run the following command:
sudo apt-get install libseccomp-dev
To install the latest version of libseccomp in CentOS or RHEL, run the following command:
sudo dnf -y install libseccomp-devel
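The libseccomp requirement above is easy to miss until runc fails on a load balancer node, so a check that runs on each node before the upgrade is worth having. The script below is an added example, not part of bmctl or its preflight checks. It asks whichever of pkg-config, dpkg-query or rpm is present for the installed version, compares it against 2.5 as a numeric tuple (so 2.10 correctly sorts above 2.5), and prints the install command the release notes give for that package manager. The probe commands and the package names libseccomp2 (Debian/Ubuntu) and libseccomp (RHEL/CentOS) are assumptions about the node OS, not something the release notes state.

```python
"""Added example: verify libseccomp >= 2.5 on a node before upgrading to a release
whose containerd/runc need seccomp_notify_respond (containerd 1.5.13, release 1.12.1).
Not part of bmctl. Probe commands and package names are assumptions about the node OS."""
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

REQUIRED_LIBSECCOMP = (2, 5)

# Assumed probes, tried in order: pkg-config (present when the -dev package is installed),
# dpkg-query for the Debian/Ubuntu runtime package, rpm for the RHEL/CentOS package.
PROBES = [
    ["pkg-config", "--modversion", "libseccomp"],
    ["dpkg-query", "-W", "-f=${Version}", "libseccomp2"],
    ["rpm", "-q", "--qf", "%{VERSION}", "libseccomp"],
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Reduce a package version string to a comparable tuple of integers.

    Accepts a Debian epoch ('1:2.5.3-2'), a Debian revision ('2.5.1-1ubuntu1~20.04')
    and a bare upstream version ('2.5.1'); anything after the dotted numbers is ignored.
    """
    m = re.match(r"(?:\d+:)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"cannot parse a libseccomp version from {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def libseccomp_ok(version: str, required: Tuple[int, ...] = REQUIRED_LIBSECCOMP) -> bool:
    """True if the installed version meets the minimum (tuple compare, so 2.10 > 2.5)."""
    return parse_version(version) >= required


def installed_libseccomp_version() -> Optional[str]:
    """Version string from the first probe whose tool exists and finds the package."""
    for cmd in PROBES:
        if shutil.which(cmd[0]) is None:
            continue
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
        except subprocess.CalledProcessError:
            continue  # tool present but package not installed under that name; try the next
        if out:
            return out
    return None


def remediation_hint() -> str:
    """The install command the release notes give for this host's package manager."""
    if shutil.which("apt-get"):
        return "sudo apt-get install libseccomp-dev"
    if shutil.which("dnf"):
        return "sudo dnf -y install libseccomp-devel"
    return "install libseccomp >= 2.5 with your distribution's package manager"


def main() -> int:
    version = installed_libseccomp_version()
    if version is None:
        print(f"libseccomp not found; run: {remediation_hint()}")
        return 1
    if libseccomp_ok(version):
        print(f"libseccomp {version} satisfies >= 2.5; safe to upgrade containerd on this node")
        return 0
    print(f"libseccomp {version} is too old (runc would fail with 'undefined symbol: "
          f"seccomp_notify_respond'); run: {remediation_hint()}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it on every node that will host cplb-update Pods (the load balancer nodes) before starting the upgrade; a non-zero exit means the node needs the package update first. The page's install commands pull in the -dev package, which depends on the runtime library of the same version, so they satisfy the check.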
August 01, 2022
Release 1.10.7
Anthos clusters on bare metal 1.10.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.7 runs on Kubernetes 1.21.
Fixes:
Fixed a CrashLoopBackOff error generated by gke-metrics-agent when application metrics are enabled (that is, when enableStackdriverForApplications=true).
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
July 07, 2022
Release 1.10.6
Anthos clusters on bare metal 1.10.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.6 runs on Kubernetes 1.21.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
June 29, 2022
Release 1.12.0
Anthos clusters on bare metal 1.12.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.0 runs on Kubernetes 1.23.
The dockershim component in Kubernetes enables cluster nodes to use the Docker Engine container runtime. However, Kubernetes 1.24 removed the dockershim component. Starting from Anthos clusters on bare metal 1.12.0, you will not be able to create new clusters that use the Docker Engine container runtime. All new clusters should use the default container runtime containerd.
Improved cluster lifecycle functionalities:
Upgraded Anthos clusters on bare metal to use Kubernetes version 1.23.
Upgraded container runtime to containerd 1.5.
Updated preflight check to forward default SSH key if no key is provided.
Added support for new GCPAccounts field in the cluster configuration file. This field enables the assignment of a cluster-admin role to end-users.
Added labels to control plane, control plane load balancer, and load balancer node pools, so that these different node pools can be distinguished from each other.
Added nodepool reference label to nodes so that worker nodes can be listed in the UI.
Observability:
GA: Added Summary API metrics. These metrics are scraped from the Kubernetes Summary API and provide CPU, memory, and storage metrics for Pods, containers, and Nodes.
Added separate flags to enable logging and monitoring for user applications independently: EnableCloudLoggingForApplications and EnableGMPForApplications. The legacy flag EnableStackdriverForApplications will be deprecated and removed in future releases.
Preview: Added Google Cloud Managed Service for Prometheus to collect application metrics and monitor cluster health.
Upgraded GKE Metrics Agent (gke-metrics-agent) from version 1.1.0 to 1.8.3. This tool scrapes metrics from each cluster node and publishes them in Cloud Monitoring.
Added the following resource utilization metrics. For more information about these and other metrics, see View Anthos clusters on bare metal metrics:
container/cpu/request_utilization
container/cpu/limit_utilization
container/memory/request_utilization
container/memory/limit_utilization
node/cpu/allocatable_utilization
node/memory/allocatable_utilization
pod/volume/utilization
Added sample dashboards for monitoring cluster health to Cloud Monitoring sample dashboards. Customers can install these dashboards with one click.
Scoped down the RBAC permissions of stackdriver-operator, a component that performs logging and monitoring.
Security:
Deprecated the Anthos Identity Service (AIS) CA. AIS certificates are now signed by the cluster CA.
Changed the ca-rotation container image so that it uses a distroless rather than a Debian-based image.
RBAC permissions of the cluster-operator component have been eliminated or reduced to address elevated permissions.
GA: Anthos Identity Service LDAP authentication support.
Networking:
Preview: Enabled creation of IPv6 and Dual Stack LoadBalancer services. Border Gateway Protocol (BGP) is used for Dualstack clusters. Advertising IPv4 and IPv6 routes over IPv4 sessions is supported.
Preview: Added Network Connectivity Gateway feature support to provide HA VPN between Google Cloud and an on-premises Anthos cluster.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
June 23, 2022
Release 1.11.3
Anthos clusters on bare metal 1.11.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.3 runs on Kubernetes 1.22.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
June 09, 2022
Release 1.9.8
Anthos clusters on bare metal 1.9.8 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.8 runs on Kubernetes 1.21.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
June 02, 2022
Release 1.10.5
Anthos clusters on bare metal 1.10.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.5 runs on Kubernetes 1.21.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
May 26, 2022
Release 1.11.2
Anthos clusters on bare metal 1.11.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.2 runs on Kubernetes 1.22.
Starting with Anthos clusters on bare metal release 1.11.2, you can enable or disable Anthos VM Runtime by updating the VMRuntime custom resource only. The legacy spec.kubevirt settings in the cluster configuration are no longer supported. The VMRuntime custom resource is installed by default on version 1.10 and later hybrid, standalone, and user clusters. The VMRuntime custom resource can't be applied to admin clusters.
If you have Anthos VM Runtime enabled for your Anthos clusters on bare metal, you must disable it before upgrading clusters to version 1.11.2 or higher. If this step is not completed, your cluster upgrade will fail. You can re-enable Anthos VM Runtime after the upgrade is complete.
Starting with Anthos clusters on bare metal release 1.11.2, the Anthos VM Runtime API version has changed from v1alpha1 to v1. This version change doesn't affect the VMRuntime custom resource, but most other resources are affected.
Functionality changes:
The containerd runtime has been upgraded to 1.5.11-gke.0 to address CVE-2022-24769.
Added a preflight check that disallows Ubuntu 18.04 distributions with 4.15.x Linux kernels.
Fixes:
Fixed cluster custom resource status reporting for pending reconciliations.
Fixed a bmctl check cluster command issue that caused the user cluster kubeconfig Secret to be overwritten.
Fixed an issue with manifest installation when last-applied-config is broken that caused upgrades to fail.
Fixed an issue to ensure that the 20-minute timeout for node draining is enforced during cluster upgrades. This timeout provides ample time for nodes to drain, but ensures that upgrades can always proceed.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
May 04, 2022
Release 1.10.4
Anthos clusters on bare metal 1.10.4 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.10.4 runs on Kubernetes 1.21.
Fixes:
The following container image security vulnerabilities have been fixed:
Role-based access control (RBAC) fixes:
Set AutomountServiceAccountToken field for Node Problem Detector jobs and etcd-defrag DaemonSets to false.
Set capi-kubeadm-bootstrap-controller-manager to use a dedicated service account.
Scoped down configmap/(get, list, watch) permissions to metallb-config resource name.
Scoped down configmap/get permission to core-dns-autoscaler resource name.
Removed services.update permission for the MetalLB kube-system:controller role.
anetd:
Removed Cilium service account and replaced it with the account used by kubelet.
Removed pod and node access from Cilium cluster role.
Added Cilium cluster role to the kubelet service account.
Removed pods/(delete) role from cilium-operator cluster role.
Scoped down leases permissions in cilium-operator cluster role to cilium-operator-resource-lock resource name and kube-controller-manager resource name.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
May 02, 2022
Release 1.11.1
Anthos clusters on bare metal 1.11.1 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.11.1 runs on Kubernetes 1.22.
Fixes:
Resolved cluster installation issue in which cluster status is prematurely declared ready, resulting in a "Failed to wait for applied resources" error.
Added validation that a cluster's kubeconfig secret data is correct.
Added feature so that bmctl outputs line numbers of relevant YAML when a parsing error occurs.
Removed the misleading log "Waiting for pod to finish" on pods such as anetd that aren't meant to finish.
Added automatic inclusion of a control plane's virtual IP address to the cluster NO_PROXY list.
Role-based access control fixes:
Set AutomountServiceAccountToken field for Node Problem Detector jobs to false.
Set capi-kubeadm-bootstrap-controller-manager to use a dedicated service account.
Scoped down deployment/(update, patch) permissions to the metrics-server resource name.
Scoped down configmap/(get, list, watch) permissions to metallb-config resource name.
anetd:
Removed Cilium service account and replaced it with the account used by kubelet.
Removed pod and node access from Cilium cluster role.
Added Cilium cluster role to the kubelet service account.
Removed pods/(delete) role from cilium-operator cluster role.
Scoped down leases permissions in cilium-operator cluster role to cilium-operator-resource-lock resource name and kube-controller-manager resource name.
The following container image security vulnerabilities have been fixed:
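The role-based access control fixes listed for 1.10.4 and again for 1.11.1 all apply two patterns: pin a rule to resourceNames instead of granting the verb on every object of that kind, and stop mounting service account tokens into pods that never talk to the API server. The audit script below is an added example, not Anthos code, that checks Role, ClusterRole and ServiceAccount objects for exactly those patterns so you can confirm the tightened state in your own cluster. The "before" and "after" objects it ships with are constructed to mirror the release-note items (metallb-config, the cilium-operator leases, pods delete, services update, Node Problem Detector's token), not copied from any cluster, and the set of resources it insists on scoping (configmaps, leases, deployments) is an assumption drawn from those items.

```python
"""Added example (not Anthos code): flag RBAC grants of the kind the 1.10.4 / 1.11.1
release notes tightened. Feed it `kubectl get ... -o json` output on stdin, or run it
with no stdin to audit the constructed samples below."""
import json
import sys
from typing import Dict, Iterable, List

# Assumption drawn from the release notes: the components involved only ever need these
# resources by name (metallb-config, core-dns-autoscaler, metrics-server, the
# cilium-operator leases), so an unscoped rule on them is a finding.
SCOPE_REQUIRED = {"configmaps", "leases", "deployments"}
# Verb/resource pairs the release notes removed outright.
RISKY_GRANTS = {("pods", "delete"), ("services", "update")}


def audit_role(role: Dict) -> List[str]:
    """Findings for one Role or ClusterRole as produced by `kubectl get -o json`."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings: List[str] = []
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames") or []
        if "*" in resources or "*" in verbs:
            findings.append(f"{name}: wildcard grant on {sorted(resources)} with verbs {sorted(verbs)}")
            continue
        for res in sorted(resources & SCOPE_REQUIRED):
            if not names:
                findings.append(f"{name}: {res} {sorted(verbs)} not scoped by resourceNames")
        for res, verb in sorted(RISKY_GRANTS):
            if res in resources and verb in verbs:
                findings.append(f"{name}: grants {verb} on {res}")
    return findings


def audit_service_account(sa: Dict) -> List[str]:
    """A ServiceAccount that still auto-mounts its token into every pod is a finding."""
    name = sa.get("metadata", {}).get("name", "<unnamed>")
    if sa.get("automountServiceAccountToken") is not False:
        return [f"{name}: automountServiceAccountToken is not false"]
    return []


def audit(objects: Iterable[Dict]) -> List[str]:
    """Run both checks over a list of API objects (the `items` of a kubectl List)."""
    findings: List[str] = []
    for obj in objects:
        kind = obj.get("kind")
        if kind in ("Role", "ClusterRole"):
            findings.extend(audit_role(obj))
        elif kind == "ServiceAccount":
            findings.extend(audit_service_account(obj))
    return findings


# Constructed samples shaped like the release-note items; not real cluster objects.
BEFORE = [
    {"kind": "ClusterRole", "metadata": {"name": "metallb-controller"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch", "update"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "cilium-operator"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]},
         {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "update"]},
     ]},
    {"kind": "ServiceAccount", "metadata": {"name": "node-problem-detector"}},
]
AFTER = [
    {"kind": "ClusterRole", "metadata": {"name": "metallb-controller"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["metallb-config"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "cilium-operator"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
         {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
          "resourceNames": ["cilium-operator-resource-lock", "kube-controller-manager"],
          "verbs": ["get", "update"]},
     ]},
    {"kind": "ServiceAccount", "metadata": {"name": "node-problem-detector"},
     "automountServiceAccountToken": False},
]


if __name__ == "__main__":
    if sys.stdin.isatty():
        print("before:", *audit(BEFORE), sep="\n  ")
        print("after:", *(audit(AFTER) or ["(no findings)"]), sep="\n  ")
    else:
        for line in audit(json.load(sys.stdin).get("items", [])):
            print(line)
```

To run it against a live cluster: kubectl get clusterroles,roles,serviceaccounts -A -o json | python3 rbac_audit.py. Expect noise from system roles that legitimately need broad access; the point is to diff the output before and after the upgrade. One caveat on the resourceNames pattern itself: RBAC matches a named rule only against requests that carry an object name, so a list or watch that does not filter on metadata.name is refused rather than narrowed; a component that needs to watch a single ConfigMap must request it by name.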
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
April 27, 2022
Release 1.9.7
Anthos clusters on bare metal 1.9.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.7 runs on Kubernetes 1.21.
Fixes:
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
April 26, 2022
Security bulletin (all minor versions)
Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect Linux operating systems supported by Anthos clusters on bare metal. For instructions and more details, see the GCP-2022-014 security bulletin.
April 12, 2022
Security bulletin (1.8, 1.9, and 1.10)
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.
For more information, see the GCP-2022-013 security bulletin.
March 31, 2022
Release 1.11.0
Anthos clusters on bare metal 1.11.0 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.11.0 runs on Kubernetes 1.22.
Containerd is the default runtime in Anthos clusters on bare metal. Support for Docker as a container runtime on Kubernetes nodes will be removed from Anthos clusters on bare metal starting with version 1.13.0. If you use a node image based on Docker container runtime, please migrate your workloads to a Containerd node image as soon as possible. For more details, see Containerd node images.
The structure of the Anthos clusters on bare metal documentation is substantially different from previous versions. For details, see New documentation structure.
Kubernetes 1.22 has deprecated certain APIs, and a list of these deprecated APIs can be found in Kubernetes 1.22 deprecated APIs. In their manifests and API clients, customers need to replace references to the deprecated APIs with references to the newer API calls. For more information, see Deprecated API Migration Guide.
On January 31, 2022, CentOS 8 reached its end of life (EOL). As a result of the EOL, yum repositories stopped working for CentOS, which causes cluster creation and cluster upgrade operations to fail. For a workaround and more information, see Cluster creation or upgrades fail on CentOS.
Improved cluster lifecycle functionalities:
Upgraded Anthos clusters on bare metal to use Kubernetes version 1.22.
Updated cert-manager to version 1.5.4.
Added error messaging in the bmctl command line interface to better surface cluster installation or upgrade failure.
Incorporated audit logs into bmctl snapshots.
Added ability for registry mirror users to customize containerd configuration and have it automatically mirror public registry hosts other than gcr.io.
Changed bmctl update command so that it extracts manifests before updating a cluster.
Added feature so that a cluster kubeconfig file automatically renews when the cluster is upgraded and the kubeconfig Secret is renewed whenever cluster reconciliation takes place.
Added support for Red Hat Enterprise Linux (RHEL) and CentOS 8.5.
Added warning to bmctl command that docker containerRuntime will not be supported in version 1.13 of Anthos clusters on bare metal.
Added support for specifying CIDR blocks in the NoProxy section of the cluster's configuration file.
Added Service CIDR to NoProxy section of a cluster configuration file by default in order to fix a multi-NIC in proxy environment issue.
Fixed a multi-NIC in proxy environment issue. Whenever the NO_PROXY environment variable is set, it includes the Service CIDR from the cluster specification.
Networking:
GA: Added egress Network Address Translation (NAT) gateway capability to provide persistent, deterministic routing for egress traffic from clusters. For more information, see Configure an egress NAT gateway for external communication.
GA: Added option for BGP bundled load balancer which advertises Load Balancer (LB) Virtual IP addresses (VIPs) to the network using the Border Gateway Protocol (BGP). This feature supports topologies across multiple subnets and can provide greater load-balancing bandwidth than bundled Layer 2 mode.
GA: Enabled SR-IOV. This feature allows you to configure Virtual Functions (VFs) on the supported devices on the nodes of your cluster. It also allows you to define the kernel module you want to bind to the VF.
GA: Enabled IPv4/IPv6 dual-stack support. Clusters can be deployed in a dual-stack network in which IPv4 and IPv6 addresses are assigned to both nodes and pods. By default, IPv4 is in island mode and IPv6 is in flat mode (a simplified network topology).
GA: Enabled static flat network (without BGP). This feature lets you configure a flat mode network for IPv4 addresses. A pod's IPv4 address is visible and routable within the same Layer 2 domain, without having to masquerade as the node's IP address.
Preview: Enabled Dynamic Flat IP with Border Gateway Protocol (BGP) support. This feature lets you configure flat mode using BGP in clusters with the help of Anthos Network Gateway and BGP. In this mode, the pod's IP address is visible and routable without masquerading across multiple subdomains. Currently supports advertising IPv4 and IPv6 routes over IPv4 sessions.
Fixed issue in which new MAC addresses of re-imaged nodes weren't updated.
Observability:
GA: Enabled collection of multiple network interfaces (multinic) logs from clusters. Logs are collected as system logs and are sent to Cloud Logging without charge to the customer.
Preview: Added Summary API metrics. These metrics provide CPU, memory, and storage statistics about pods, containers, and nodes.
- Updated the fluent-bit (stackdriver-log-forwarder) cri parser to avoid matching time fields multiple times.
- Upgraded kube-state-metrics from version 1.9 to 2.4. This service generates metrics about Kubernetes API objects such as deployments, nodes, and pods.
- Upgraded Metrics Server from version 0.3.6 to 0.4.5. Metrics Server retrieves metrics from kubelets and exposes them through the Kubernetes Metrics API.
Security:
- Preview: Added secure computing mode (seccomp) support. Running containers with a seccomp profile improves the security of a cluster because it restricts the system calls that containers are allowed to make to the kernel.
- Added the ability to disable rootless mode for system containers. Since version 1.10.0, Kubernetes control planes and Anthos clusters on bare metal system containers run as non-root containers by default.
- Fixed CA rotation issues by increasing the ca-rotation timeout for admin clusters. While verifying that a static pod has been restarted after a manifest update, the current hash is now retrieved before the manifest changes are applied.
Known issues:
Deprecated metrics
Several Anthos metrics have been deprecated and, starting with this release, data is no longer collected for these deprecated metrics. If you use these metrics in any of your alerting policies, there won't be any data to trigger the alerting condition. For more information, including instructions to migrate to updated replacement metrics, see Deprecated metrics affects Cloud Monitoring dashboard in Known Issues.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
Release 1.10.3
Anthos clusters on bare metal 1.10.3 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.10.3 runs on Kubernetes 1.21.
Fixes:
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
March 23, 2022
Release 1.9.6
Anthos clusters on bare metal 1.9.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.6 runs on Kubernetes 1.21.
Fixes:
- The following container image security vulnerabilities have been fixed:
- CVE-2021-43824
- CVE-2021-43825
- CVE-2021-43826
- CVE-2021-21654
- CVE-2021-21655
- CVE-2021-23606
- CVE-2021-21657
- CVE-2021-21656
- CVE-2021-23635
- CVE-2022-23648
- CVE-2021-45960
- CVE-2021-3996
- CVE-2021-3995
- CVE-2022-22823
- CVE-2022-22824
- CVE-2022-22822
- CVE-2022-23852
- CVE-2022-23990
- CVE-2021-43618
- CVE-2022-22825
- CVE-2022-22827
- CVE-2021-46143
- CVE-2022-22826
Known issues:
When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend that you upgrade to the highest patch version to ensure that you have the latest security fixes. Always review the release notes before upgrading so that you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
March 14, 2022
Release 1.8.9
Anthos clusters on bare metal 1.8.9 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.9 runs on Kubernetes 1.20.
Fixes:
- The following container image security vulnerabilities have been fixed:
Known issues:
When upgrading Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend that you upgrade to the highest patch version to ensure that you have the latest security fixes. Always review the release notes before upgrading so that you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
February 28, 2022
Release 1.9.5
Anthos clusters on bare metal 1.9.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.5 runs on Kubernetes 1.21.
Fixes:
- The following container image security vulnerabilities have been fixed:
Known issues:
When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend that you upgrade to the highest patch version to ensure that you have the latest security fixes. Always review the release notes before upgrading so that you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
February 25, 2022
Release 1.10.2
Anthos clusters on bare metal 1.10.2 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.10.2 runs on Kubernetes 1.21.
Functionality changes:
- A preflight check now verifies whether your node machine has enough disk space before starting an install.
- Updated the bmctl check cluster --snapshot command so that snapshots now capture information about pods in cluster namespaces.
- Updated the bmctl check cluster --snapshot command so that snapshots now capture information about cluster API machines and kubeadmin Secrets.
Fixes:
- Fixed an issue in which the edge profile's request to reserve resources was lost during the upgrade process.
- Fixed the bmctl upgrade command so that the log file upgrade-cluster.log is generated in the bmctl-workspace/cluster/logs directory.
- Fixed an issue in which the non-root login didn't have the proper permissions to perform bmctl backup or bmctl restore.
- Fixed a Node Problem Detector service that sometimes failed to run on nodes after a cluster installation or upgrade.
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
Security bulletin (1.8, 1.9, and 1.10)
Envoy recently released multiple security vulnerability fixes. The vulnerabilities affect Anthos clusters on bare metal, because Envoy is used for Metrics Server.
For instructions and more details, see the GCP-2022-008 security bulletin.
February 04, 2022
Security bulletin (all minor versions)
A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions, such as rebooting the system, installing packages, and restarting services, as governed by a policy.
For instructions and more details, see the GCP-2022-004 security bulletin.
February 01, 2022
Release 1.8.8
Anthos clusters on bare metal 1.8.8 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.8 runs on Kubernetes 1.20.
Fixes:
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
January 27, 2022
Release 1.9.4
Anthos clusters on bare metal 1.9.4 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.9.4 runs on Kubernetes 1.21.
Fixes:
- The following container image security vulnerabilities have been fixed:
Known issues:
When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
Release 1.10.1
Anthos clusters on bare metal 1.10.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.1 runs on Kubernetes 1.21.
Fixes:
- Fixed PreflightCheck to allow the preflightCheck.Spec.ConfigYAML field to be empty.
- Fixed PreflightCheck to allow an existing GKE Hub membership if the cluster already exists.
- Fixed an issue that blocked access to external Virtual IP addresses of Services, such as a Load Balancer, when Flat IPv4 is enabled.
- Fixed an issue in which the use of the --nodes and --node-ssh-key flags when taking an admin-less snapshot of a cluster resulted in an empty snapshot.
- Fixed an issue that caused installation of version 1.10.0 clusters to fail when the umask setting for the root user on the target machine wasn't 0022. For more information, see Failure on systems with restrictive umask setting.
- Fixed an issue in which BGP load balancer preflight checks failed if the Kubernetes interface had a period ('.') in its name (for example, VLAN interfaces often have names such as eth0.1).
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 22, 2021
Release 1.9.3
Anthos clusters on bare metal 1.9.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.3 runs on Kubernetes 1.21.
Fixes:
- Fixed an issue in which cluster creation fails if a cluster has more than one control plane node and the HTTPS_PROXY environment variable has been defined on one or more of the control plane nodes.
- Upgraded the Kubernetes version from 1.21.4 to 1.21.5 to address an error in which pods become stuck in the ContainerCreating state because libcontainer mistakenly throws a "unit already exists" error.
- The following container image security vulnerability has been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 14, 2021
Release 1.8.7
Anthos clusters on bare metal 1.8.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.7 runs on Kubernetes 1.20.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 10, 2021
Release 1.10.0
Anthos clusters on bare metal 1.10.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.0 runs on Kubernetes 1.21.
Improved cluster lifecycle functionalities:
- GA: Enabled Node Problem Detector to run by default on all nodes. You can check whether a problem was detected on a node by running the kubectl describe command for the node, then looking for NodeConditions or Events reported by Node Problem Detector.
- GA: Added bmctl backup cluster and bmctl restore cluster commands to facilitate disaster recovery for clusters.
- Preview: Added the ability to reset individual nodes using the SSH key.
- Updated the bmctl check cluster command so that the snapshot of a cluster includes the cluster's YAML file and logs that are in the bmctl-workspace directory.
- Added a new status field, cluster.gkeHubRegistrationStatus. The command kubectl get cluster now shows information about the cluster's membership in GKE Hub.
Networking:
Preview: Enabled Anthos multi-cluster connectivity to provide Anthos clusters a way to connect to another Anthos cluster in the same data center (intra-site, cluster-to-cluster). Pods in connected clusters can reach each other over pod IP addresses without using native address translation (NAT) in between.
Preview: Enabled IPv4/IPv6 dual stack support. Customers can deploy clusters in a dual-stack network, where IPv4 and IPv6 addresses can be assigned to both nodes and pods.
Preview: Enabled "flat mode" (a simplified network topology) for IPv4, where the pod's IPv4 address is visible and routable within the same Layer 2 domain without masquerading as the node IP.
Preview: Enabled SR-IOV. This feature lets you configure Virtual Functions (VFs) on the supported devices on the nodes of your cluster. This feature also lets you define the kernel module you want to bind to the VF.
Observability:
- GA: Added the ability to show the severity level of an issue in Cloud Logging. The severity level is extracted from containerd and kubelet node logs.
- GA: Changed collection of application metrics to use a more scalable monitoring pipeline based on OpenTelemetry. This change significantly reduces the amount of resources required to collect metrics.
Security:
- GA: Enhanced the capability to rotate cluster certificate authorities (CAs). Updates include support for all cluster types, rotation of the front-proxy and etcd CAs, and changes to the bmctl command syntax.
- Preview: Enabled installation of Anthos clusters on bare metal using a short-lived Google Service Account token instead of Google Service Account keys.
- Enabled the Kubernetes control plane and most Anthos system containers to run as non-root users. For details, see Don't run containers as root user.
VM Runtime:
- Preview: Supported enabling or disabling Anthos VM Runtime on user clusters.
- Preview: Enabled Anthos VM Runtime to support the QEMU Copy On Write (QCOW2) format, which is a storage format for virtual disks on virtual machines. Some benefits of virtual disk capabilities are independent thin provisioning, better compression, and encryption at rest.
- Preview: Enabled the VMRuntime custom resource and the Network custom resource, which let you create VMs on either the node network with a static IP address or the default pod network.
- Preview: Enabled VM pod audit logs for VM runtime resources.
- Preview: Expanded the guest OS versions that can run on the virtual machine. We support Windows Server 2019, Windows Server 2016, Windows 10, Red Hat Enterprise Linux (RHEL) 8, CentOS 8, and Ubuntu 20.04 as guest OS.
- Preview: Enabled virtual machine high availability to provide greater uptime for virtual machine instances (VMIs) by automatically detecting and recovering from a range of host machine failures.
Breaking changes:
The gateway capability used by the egress NAT gateway and Bundled load balancing with BGP Preview features has changed in this release. The NetworkGatewayGroup custom resource replaces AnthosNetworkGateway, and the capability is enabled with a new advancedNetworking field in the cluster configuration file instead of an annotation. These changes affect the ability to upgrade clusters that use earlier versions of the features.
Anthos clusters on bare metal blocks cluster upgrades from version 1.9 to version 1.10 for clusters that use either of these two advanced networking features. You can upgrade a version 1.9 admin cluster that is managing 1.9 user clusters that use these features to version 1.10, but object reconciliation breaks for the AnthosNetworkGateway custom resource. Object reconciliation is the mechanism whereby admin clusters automatically copy or restore objects on managed user clusters when the objects have been defined alongside the cluster configuration. Any AnthosNetworkGateway custom resources are still functional and can be modified with kubectl.
To bring a version 1.9 cluster that uses either advanced networking Preview feature up to version 1.10, reset or delete the cluster and create a new 1.10 cluster.
Preview features and products are subject to change and are provided for testing and evaluation purposes only. Do not use Preview features on your production clusters.
Functionality changes:
- Enabled use of the ADMIN_KUBECONFIG environment variable to reduce the number of bmctl command flags.
- The cluster reconciliation process now checks for differences in the GKE Hub membership before attempting to update it. If the GKE Hub membership needs to be changed, the cluster is unregistered and then re-registered.
- The advancedNetworking field in the cluster configuration file replaces the deprecated baremetal.cluster.gke.io/enable-anthos-network-gateway annotation for enabling advanced networking capabilities.
- The NetworkGatewayGroup custom resource replaces the AnthosNetworkGateway custom resource.
Fixed cluster lifecycle functionalities:
- Outputs from all bmctl commands except bmctl version are now written to log files.
- Fixed strict mode for decoding the cluster YAML file. Extraneous information in the cluster YAML file now results in an error.
- Fixed the preflight check so that it no longer ignores the no_proxy setting.
- Binaries used during cluster provisioning no longer run from /tmp, which is often mounted with the noexec option. This change fixes a preflight check "permission denied" error.
- Switched the default server-side containerRuntime value from docker to containerd.
Observability:
- Increased the priority of the kube-state-metrics service to keep it from being stuck in a pending state. This service generates metrics about Kubernetes API objects such as deployments, nodes, and pods.
- Upgraded metrics-server to version 0.3.6 to fix a missing-metrics issue that occurs when a duplicated pod name is present.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
December 09, 2021
Release 1.7.7
Anthos clusters on bare metal 1.7.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.7 runs on Kubernetes 1.19.
Fixes:
The 1.7.6 release has a known issue that blocks upgrades of 1.7.5 clusters. The 1.7.7 release allows you to upgrade from all earlier versions to get the latest security fixes.
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
November 29, 2021
Release 1.8.6
Anthos clusters on bare metal 1.8.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.6 runs on Kubernetes 1.20.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
November 15, 2021
Release 1.7.6
Anthos clusters on bare metal 1.7.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.6 runs on Kubernetes 1.19.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
Release 1.9.2
Anthos clusters on bare metal 1.9.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.2 runs on Kubernetes 1.21.
Fixes:
- Updated preflight checks to use strict mode for decoding YAML to catch issues with indentation and misplaced fields in the cluster configuration file.
- Fixed an issue that caused containerRuntime to default to docker instead of containerd in certain uncommon situations.
- Fixed an issue where node_filesystem metrics reported an incorrect size in Cloud Monitoring for mount points other than root.
- Fixed an issue that caused communication failures between the Cloud Logging metadata agent and the Cloud Monitoring API when the root certificate authority (CA) on the host node isn't set up properly.
- The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
October 29, 2021
Security bulletin (all minor versions)
The security community recently disclosed a new security vulnerability, CVE-2021-30465, found in runc that has the potential to allow full access to a node filesystem.
For more information, see the GCP-2021-011 security bulletin.
October 26, 2021
Release 1.9.1
Anthos clusters on bare metal 1.9.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.1 runs on Kubernetes 1.21.
Fixes:
- Fixed bmctl to eliminate the stack trace from error output.
- The following container image security vulnerabilities have been fixed:
Functionality changes:
- Updated the bmctl reset cluster command to prevent you from resetting an admin cluster if the admin cluster is managing user clusters.
- Updated the bmctl create cluster command to block you from enabling the Anthos VM Runtime for admin clusters.
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
October 21, 2021
Release 1.8.5
Anthos clusters on bare metal 1.8.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.5 runs on Kubernetes 1.20.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
Security bulletin (all minor versions)
A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.
October 19, 2021
Release 1.7.5
Anthos clusters on bare metal 1.7.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.5 runs on Kubernetes 1.19.
Fixes:
The following container image security vulnerabilities have been fixed:
Known issues:
When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
October 04, 2021
Security bulletin (all minor versions)
A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server.
For more information, see the GCP-2021-021 security bulletin.
September 28, 2021
Release 1.9.0
Anthos clusters on bare metal 1.9.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.0 runs on Kubernetes 1.21.
Improved cluster lifecycle functionalities:
- Preview: Added the ability to reset individual nodes with the bmctl reset node command. To give access to the needed cluster configuration file, use the command with the -c flag.
- Preview: Added the ability to recover from HA control plane quorum loss with the bmctl restore --control-plane-node command.
- Added the bmctl create ksa command to create a Kubernetes Service Account (KSA) and generate a bearer token. To log in to the registered cluster, you can use the token in Cloud Console under Kubernetes Engine > Clusters.
- Preview: Added bmctl backup cluster and bmctl restore cluster commands to facilitate disaster recovery for clusters.
Introduced new troubleshooting capabilities:
- Updated the bmctl check cluster --snapshot command to support uploading cluster diagnostic snapshots to a Cloud Storage bucket for review by Cloud Customer Care.
- Provided access to bootstrap cluster logs to help troubleshoot cluster creation or upgrade problems.
- Preview: Added support for the Node Problem Detector service on nodes for quick detection of common node problems.
Enhanced monitoring and logging:
GA: Cloud Audit Logs capability is now generally available and enabled by default. Audit logs are useful for investigating suspicious API requests and for collecting statistics. For more information, see Use Audit Logging.
Switched to new OpenTelemetry-based metrics agents to improve reliability, scalability, and resource usage.
Improved networking capabilities:
GA: The multi-NIC capability to provide additional interfaces to your pods is now generally available.
Preview: Added the single root I/O virtualization (SR-IOV) container network interface (CNI) plugin for multi-NIC.
Added support to configure cluster Domain Name System (DNS) provider options, such as upstream nameservers, with the new ClusterDNS custom resource definition.
Enhanced security:
- SELinux is now always enabled in the container runtime for CentOS and RHEL.
- Preview: Enhanced the capability to rotate cluster certificate authorities (CAs). Updates include support for all cluster types, rotation of the front-proxy and etcd CAs, and changes to the bmctl command syntax.
- Preview: Added Okta group support for authentication in Anthos Identity Service.
Functionality changes:
- Changed the default container runtime to containerd (containerRuntime: containerd) for new clusters. Customers can still choose Docker as the container runtime.
- Preview: Updated the bmctl command bmctl reset nodes --force to support forced removal of control plane nodes with etcd membership cleanup.
- Added checks for cluster updates to verify access to cluster machines if changes to loginUser or sshKeyPrivatePath are detected. If the checks pass, Anthos clusters on bare metal saves the secret in the cluster.
- Added a new Anthos cluster control plane uptime dashboard in Cloud Monitoring with the new metric kubernetes.io/anthos/container/uptime for component availability.
- Added new alerts for control plane component availability with the new metric kubernetes.io/anthos/container/uptime to replace deprecated alerts based on the metric kubernetes.io/anthos/up.
Fixes:
- Added the missing registry mirror package required for Cloud Audit Logs to the Registry Mirror.
- Fixed an issue with containerd not finding crictl due to /usr/local/bin not being in the SSH user's PATH.
- Fixed flapping node readiness issues caused by an unhealthy Pod Lifecycle Event Generator (PLEG).
- Fixed a kernel support issue for Ubuntu 18.04 and 18.04.1 that prevented the anetd networking controller from working properly. Anthos clusters on bare metal release 1.9.0 works with all kernels supplied with supported distributions.
Known issues:
- Control group v2 (cgroup v2) is not officially supported in Anthos clusters on bare metal release 1.9.0 and later. The presence of /sys/fs/cgroup/cgroup.controllers indicates that your system uses cgroup v2.
- Anthos Service Mesh v1.10 is incompatible with Anthos clusters on bare metal release 1.9.0 running on Red Hat Enterprise Linux (RHEL) when SELinux is enabled. If you want to use Anthos Service Mesh, you must disable SELinux or set it to permissive mode on the host.
For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.
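Several notes on this page describe host conditions that broke installs or are unsupported: a root umask other than 0022 (1.10.1 fix), /tmp mounted noexec (1.10.0 fix), NO_PROXY missing the Service CIDR (1.11.0 fix), and cgroup v2 detected through /sys/fs/cgroup/cgroup.controllers (1.9.0 known issue). The following POSIX shell script is an added example, not Google's preflight code; it checks those conditions, takes every input as a parameter so it runs against constructed data, and assumes a /proc/mounts-style mount table and a single Service CIDR value (the CIDR and mount table below are constructed samples).

```shell
#!/bin/sh
# Added example (not Google's preflight code): host checks for the conditions the
# release notes call out. Every check takes its input as a parameter so that it
# can be exercised against constructed data as well as a live host.

# 1.10.0 installs failed when root's umask was not 0022; accept both forms umask prints.
umask_is_0022() {
  case "$1" in
    0022|022) return 0 ;;
    *) return 1 ;;
  esac
}

# cgroup v2 is not officially supported in 1.9.0 and later; its marker is
# /sys/fs/cgroup/cgroup.controllers. "$1" is the directory treated as "/" (use / on a host).
cgroup_v2_present() {
  [ -f "$1/sys/fs/cgroup/cgroup.controllers" ]
}

# Prints the mount options of /tmp from a /proc/mounts-style table read on stdin.
tmp_mount_options() {
  awk '$2 == "/tmp" { print $4; exit }'
}

# Returns 0 when a comma-separated mount option list contains noexec.
mount_has_noexec() {
  case ",$1," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when a comma-separated NO_PROXY value already lists the Service CIDR.
no_proxy_has_cidr() {
  case ",$1," in
    *,"$2",*) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs every check and returns the number of findings (0 means the host looks ready).
# $1 root dir, $2 mount table text, $3 root umask, $4 NO_PROXY value, $5 Service CIDR
check_host() {
  findings=0
  if ! umask_is_0022 "$3"; then
    echo "FINDING: root umask is $3; 1.10.0 installs required 0022"
    findings=$((findings + 1))
  fi
  if cgroup_v2_present "$1"; then
    echo "FINDING: cgroup.controllers present, host uses cgroup v2 (not supported in 1.9.0+)"
    findings=$((findings + 1))
  fi
  if mount_has_noexec "$(printf '%s\n' "$2" | tmp_mount_options)"; then
    echo "FINDING: /tmp is mounted noexec; releases before 1.10.0 ran provisioning binaries from /tmp"
    findings=$((findings + 1))
  fi
  if ! no_proxy_has_cidr "$4" "$5"; then
    echo "FINDING: NO_PROXY does not include the Service CIDR $5"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed /proc/mounts excerpt for the demo run (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# Demo against a constructed root directory that mimics a cgroup v2 host; the
# Service CIDR 10.96.0.0/12 is a constructed sample, not a value from the page.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/sys/fs/cgroup"
  : > "$root/sys/fs/cgroup/cgroup.controllers"
  if check_host "$root" "$SAMPLE_MOUNTS" 0077 "10.0.0.0/8,localhost" 10.96.0.0/12; then
    echo "host looks ready"
  else
    echo "findings: $?"
  fi
  rm -rf "$root"
}
demo
```

On a real host, call check_host with / as the root directory, the contents of /proc/mounts, the output of running umask as root, and the NO_PROXY value and Service CIDR from your cluster configuration.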
September 21, 2021
Release 1.8.4
Anthos clusters on bare metal 1.8.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.4 runs on Kubernetes 1.20.
Fixes:
The following container image security vulnerabilities have been fixed:
- CVE-2021-3711
- CVE-2021-3712
- CVE-2021-20305
- CVE-2021-33560
Known issues:
When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest pa