You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
December 20, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
November 07, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
October 01, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
September 05, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
August 26, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-36978
For more details, see the GCP-2024-049 security bulletin.
August 23, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-41009
For more details, see the GCP-2024-048 security bulletin.
August 20, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-39503
For more details, see the GCP-2024-047 security bulletin.
July 31, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
July 18, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26921
For more details, see the GCP-2024-043 security bulletin.
July 17, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26925
For more details, see the GCP-2024-045 security bulletin.
July 16, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26809
For more information, see the GCP-2024-042 security bulletin.
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-36972
For more details, see the GCP-2024-044 security bulletin.
July 10, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
July 08, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-52654
- CVE-2023-52656
For more information, see the GCP-2024-041 security bulletin.
July 03, 2024
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability is a race condition that can be exploited to obtain a remote shell, enabling attackers to gain root access. At the time of publication, exploitation is believed to be difficult and to take several hours per machine attacked. We are not aware of any exploitation attempts. This vulnerability has a Critical severity.
For mitigation steps and more details, see the GCP-2024-040 security bulletin.
June 28, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26923
For more information, see the GCP-2024-039 security bulletin.
June 26, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26924
For more information, see the GCP-2024-038 security bulletin.
June 13, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26584
For more information, see the GCP-2024-035 security bulletin.
June 11, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
- CVE-2024-26583
For more information, see the GCP-2024-034 security bulletin.
June 10, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
- CVE-2022-23222
For more information, see the GCP-2024-033 security bulletin.
June 06, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
May 27, 2024
A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.
GKE on Azure doesn't use a vulnerable version of Fluent Bit and is unaffected.
For more information, see the GCP-2024-031 security bulletin.
May 17, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
May 15, 2024
A vulnerability (CVE-2023-52620) was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
For more information, see the GCP-2024-030 security bulletin.
May 14, 2024
A vulnerability (CVE-2024-26581) was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
For more information, see the GCP-2024-028 security bulletin.
A vulnerability (CVE-2024-26642) was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
For more information, see the GCP-2024-029 security bulletin.
May 08, 2024
A vulnerability (CVE-2024-26808) was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
For more information, see the GCP-2024-027 security bulletin.
May 07, 2024
A vulnerability (CVE-2024-26643) was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
For more information, see the GCP-2024-026 security bulletin.
April 25, 2024
A vulnerability (CVE-2024-26585) was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes. For more information, see the GCP-2024-024 security bulletin.
April 04, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
April 03, 2024
A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. For more information, see the GCP-2024-022 security bulletin.
March 05, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
February 26, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-3776
For more information, see the GCP-2024-014 security bulletin.
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-0193
For more information, see the GCP-2024-013 security bulletin.
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-6932
For more information, see the GCP-2024-011 security bulletin.
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-6931
For more information, see the GCP-2024-010 security bulletin.
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-6817
For more information, see the GCP-2024-004 security bulletin.
February 05, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
January 17, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
- CVE-2023-6111
For instructions and more details, see the GCP-2024-002 security bulletin.
December 14, 2023
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
November 14, 2023
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-4147
For more information, see the GCP-2023-042 security bulletin.
November 08, 2023
A vulnerability (CVE-2023-4004) has been discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes. For more information, see the GCP-2023-041 security bulletin.
October 30, 2023
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
October 02, 2023
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
September 06, 2023
You can now launch clusters with the following Kubernetes versions:
- 1.25.8-gke.500
- 1.26.7-gke.500
- 1.27.4-gke.1600
1.27
- GA: Enabled node auto repair. This feature continuously monitors the health of each node in a node pool.
- Added support for a new admin-groups flag in the create and update APIs. This flag allows customers to quickly and easily authenticate listed groups as cluster administrators, eliminating the need to manually create and apply RBAC policies.
- Upgraded the snapshot-controller and csi-snapshot-validation-webhook to v6.2.2. This new version introduces an important change to the API. Specifically, the VolumeSnapshot, VolumeSnapshotContents, and VolumeSnapshotClass v1beta1 APIs are no longer available.
- Disabled the unauthenticated kubelet read-only port 10255. Once a node pool is upgraded to version 1.27, workloads running on it will no longer be able to connect to port 10255.
- Enabled gzip compression for fluent-bit's ingestion of logs into Cloud Logging. This improves the efficiency of log transfer for both the control plane and workloads.
- Optimized audit-proxy's audit logging ingestion by enabling gzip compression.
- Improved security by adding file-integrity checks and fingerprint validation for Google-managed binary artifacts downloaded from Cloud Storage.
- Added support for automatic periodic defragmentation of etcd and etcd-events on the control plane. This feature reduces unnecessary disk storage and helps to prevent etcd and the control plane from becoming unavailable due to disk storage issues.
- Changed the metrics names for Kubernetes resource metrics to use a metrics prefix of kubernetes.io/anthos/ rather than kubernetes.io/. For details, refer to the metrics reference documentation.
- Changed the default etcd version to v3.4.21 on new clusters for improved stability. Existing clusters upgraded to this version will use etcd v3.5.6.
- Improved node resource management by reserving resources for the kubelet. While this feature is crucial for preventing Out of Memory (OOM) errors by ensuring that system and Kubernetes processes have the resources they need, it may lead to workload disruptions. The reservation of resources for the kubelet may reduce the resources available to Pods, potentially affecting the capacity of smaller nodes to handle existing workloads. Customers should verify that smaller nodes can still support their workloads with this new feature activated.
  - The reserved memory percentages are as follows:
    - 255 MiB for machines with less than 1GB of memory
    - 25% of the first 4GB of memory
    - 20% of the next 4GB
    - 10% of the next 8GB
    - 6% of the next 112GB
    - 2% of any memory above 128GB
  - The reserved CPU percentages are as follows:
    - 6% of the first core
    - 1% of the next core
    - 0.5% of the next 2 cores
    - 0.25% of any cores above 4 cores
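As an added worked example (not Google's own code) of the reservation tiers above: the functions below apply the memory and CPU tiers to a node of a given size and report what is left for Pods, which is the check the note asks for on smaller nodes. It assumes the note's GB figures mean GiB, and the node shapes in the `__main__` block are constructed samples.

```python
# Added example, not Google's code: the kubelet reservation tiers from the
# 1.27 release note, applied to a node size. "GB" in the note is taken as GiB
# (an assumption; the note does not state the unit), and memory is in MiB.
GIB = 1024  # MiB

# (tier upper bound in MiB, or None for "anything above"; fraction reserved)
MEMORY_TIERS = [
    (4 * GIB, 0.25),    # 25% of the first 4GB
    (8 * GIB, 0.20),    # 20% of the next 4GB
    (16 * GIB, 0.10),   # 10% of the next 8GB
    (128 * GIB, 0.06),  # 6% of the next 112GB
    (None, 0.02),       # 2% of any memory above 128GB
]

# (tier upper bound in cores, or None for "anything above"; fraction reserved)
CPU_TIERS = [
    (1, 0.06),       # 6% of the first core
    (2, 0.01),       # 1% of the next core
    (4, 0.005),      # 0.5% of the next 2 cores
    (None, 0.0025),  # 0.25% of any cores above 4 cores
]


def _tiered(total, tiers):
    """Sum fraction * (the part of `total` that falls inside each tier)."""
    reserved, lower = 0.0, 0
    for upper, fraction in tiers:
        if upper is None or total <= upper:
            reserved += (total - lower) * fraction
            break
        reserved += (upper - lower) * fraction
        lower = upper
    return reserved


def reserved_memory_mib(total_mib):
    """MiB the kubelet reserves on a node with total_mib of memory."""
    if total_mib < GIB:
        return 255.0  # flat 255 MiB for machines with less than 1GB
    return round(_tiered(total_mib, MEMORY_TIERS), 2)


def reserved_cpu_millicores(total_cores):
    """Millicores the kubelet reserves on a node with total_cores CPUs."""
    return round(_tiered(total_cores, CPU_TIERS) * 1000)


def allocatable(total_mib, total_cores):
    """(MiB, millicores) left for Pods after the kubelet reservation."""
    return (round(total_mib - reserved_memory_mib(total_mib), 2),
            total_cores * 1000 - reserved_cpu_millicores(total_cores))


def fits(total_mib, total_cores, pods_request_mib, pods_request_millicores):
    """The check the note asks for: do the node's existing Pod requests still fit?"""
    mem_left, cpu_left = allocatable(total_mib, total_cores)
    return pods_request_mib <= mem_left and pods_request_millicores <= cpu_left


if __name__ == "__main__":
    # A few small node shapes (constructed sample sizes, not a product list)
    for mib, cores in [(2 * GIB, 1), (4 * GIB, 2), (8 * GIB, 2), (16 * GIB, 4)]:
        mem_left, cpu_left = allocatable(mib, cores)
        print(f"{mib // GIB:3d} GiB / {cores} cores -> reserved "
              f"{reserved_memory_mib(mib):8.2f} MiB, {reserved_cpu_millicores(cores):4d}m; "
              f"allocatable {mem_left:8.2f} MiB, {cpu_left:5d}m")
```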
1.25
- Expanded the list of metrics collected from node pools to include gke-metrics-agent, cilium-agent, cilium-operator, coredns, fluentbit-gke, kubelet, and konnectivity-agent.
This release fixes the following vulnerabilities:
August 03, 2023
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
Anthos Multi-Cloud is disabling the unauthenticated kubelet read-only port 10255 for node pools in our next minor release with Kubernetes v1.27. This port is unauthenticated, which means potentially sensitive information passed via this port over HTTP is accessible. Once a node pool is upgraded to version 1.27, workloads running on it will no longer be able to connect to port 10255.
To determine if you have dependencies on this port, check the metrics in a Kubernetes v1.26 cluster that is running Kubernetes v1.26 node pools.
If you have dependencies on this port, perform the following steps:
- Update the workload to access https:// :10250 instead of http:// :10255. Authenticate to the kubelet using a service account.
- Widen the RBAC rules so that this service account has sufficient permissions to request the needed kubelet APIs.
Note that popular third-party products should already support kubelet authentication, and may require no action beyond upgrade.
If you have a cluster which has dependencies on the read-only port 10255 and you aren't able to migrate, please reach out to the Anthos Multi-Cloud team.
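As an added example (not Google's or the Anthos project's own code) of the migration just described: the functions below rewrite a workload's read-only-port URL to the authenticated endpoint, attach the Pod's service account token, and derive the smallest read-only ClusterRole that service account needs for the kubelet paths the workload actually calls. The path-to-subresource mapping follows the upstream kubelet authorization rules; the in-Pod token and CA paths, the node addresses and the role name are assumptions.

```python
# Added example, not Google's code: moving a workload off the unauthenticated
# kubelet read-only port (10255) to the authenticated HTTPS port (10250).
import ssl
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request

READ_ONLY_PORT = 10255  # unauthenticated plain HTTP; disabled in 1.27
SECURE_PORT = 10250     # authenticated HTTPS kubelet API

# Standard in-Pod mount of the workload's service account token and cluster CA
# (assumption: the workload runs in a Pod with the default token mount).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SA_CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

# Kubelet authorizer: first path segment -> node subresource that must be granted.
# Anything not listed (for example /pods, /healthz) is checked as nodes/proxy.
_SUBRESOURCE_BY_PREFIX = {
    "stats": "nodes/stats",
    "metrics": "nodes/metrics",
    "logs": "nodes/log",
    "spec": "nodes/spec",
}


def uses_read_only_port(url):
    """True if url is a plain-HTTP request to the read-only port 10255."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.port == READ_ONLY_PORT


def migrate_kubelet_url(url):
    """Rewrite http://<node>:10255/<path> to https://<node>:10250/<path>."""
    if not uses_read_only_port(url):
        raise ValueError(f"not a read-only-port kubelet URL: {url}")
    parts = urlsplit(url)
    host = parts.hostname
    if ":" in host:  # an IPv6 literal must keep its brackets
        host = f"[{host}]"
    return urlunsplit(("https", f"{host}:{SECURE_PORT}", parts.path, parts.query, ""))


def kubelet_subresource(path):
    """Node subresource the kubelet authorizer checks for a GET on path."""
    first = path.lstrip("/").split("/", 1)[0]
    return _SUBRESOURCE_BY_PREFIX.get(first, "nodes/proxy")


def minimal_cluster_role(old_urls, name="kubelet-reader"):
    """ClusterRole granting only the subresources the workload's URLs need, read-only."""
    needed = sorted({kubelet_subresource(urlsplit(u).path) for u in old_urls})
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [{"apiGroups": [""], "resources": needed, "verbs": ["get"]}],
    }


def read_sa_token(path=SA_TOKEN_PATH):
    """Read the projected service account token mounted into the Pod."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def kubelet_request(old_url, token):
    """Authenticated replacement for a read-only-port GET: HTTPS plus bearer token."""
    return Request(migrate_kubelet_url(old_url),
                   headers={"Authorization": f"Bearer {token}"})


def kubelet_ssl_context(ca_path=SA_CA_PATH):
    """TLS context that verifies the kubelet's serving certificate against ca_path.
    Assumes the kubelet serving certificate chains to that CA; do not fall back
    to disabling verification, which only trades one unauthenticated path for another."""
    return ssl.create_default_context(cafile=ca_path)


if __name__ == "__main__":
    import json
    # Constructed sample of what a scraper might have fetched from port 10255
    urls = ["http://10.0.0.5:10255/metrics/cadvisor",
            "http://10.0.0.5:10255/stats/summary",
            "http://10.0.0.5:10255/pods"]
    for u in urls:
        print(u, "->", migrate_kubelet_url(u), "needs", kubelet_subresource(urlsplit(u).path))
    print(json.dumps(minimal_cluster_role(urls), indent=2))
```

Bind the generated ClusterRole to the workload's service account with a ClusterRoleBinding; the role grants only get, so a workload that only read from port 10255 gains no write access to the kubelet.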
July 13, 2023
You can now launch clusters with the following Kubernetes versions:
- 1.24.14-gke.1400
- 1.25.10-gke.1200
- 1.26.5-gke.1200
1.25
Migrated node pool metrics agent and metrics server to authenticated kubelet port.
1.26
Fixed an issue where Kubernetes 1.26.2 incorrectly applied the default StorageClass to PersistentVolumeClaims with the deprecated annotation volume.beta.kubernetes.io/storage-class. (This issue is also fixed in release 1.15.1.)
This release fixes the following vulnerabilities:
Known issue: Applications may experience timeouts due to netfilter connection tracking (conntrack) table insertion failures. Insertion failures can occur even when the conntrack table has room for new entries. The failures are caused by changes in kernel 5.15 and higher that restrict table insertions based on chain length.
June 27, 2023
With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.
For more information, see the GCP-2023-017 security bulletin.
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. For more information, see the GCP-2023-018 security bulletin.
June 06, 2023
Security bulletin
A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. For more information, see the GCP-2023-009 security bulletin.
June 05, 2023
You can now launch clusters with the following Kubernetes versions:
- 1.24.13-gke.500
- 1.25.8-gke.500
- 1.26.4-gke.2200
Security bulletin
A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. For more information, see the GCP-2023-008 security bulletin.
1.26
Fixed an issue where Kubernetes 1.26.2 incorrectly applied the default StorageClass to PersistentVolumeClaims with the deprecated annotation volume.beta.kubernetes.io/storage-class.
This release fixes the following vulnerability:
Known issues:
For information about the latest known issues, see Known issues for Anthos clusters on Azure.
May 18, 2023
Security bulletin
Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. For more information, see the GCP-2023-005 security bulletin.
May 04, 2023
You can now launch clusters with the following Kubernetes versions:
- 1.24.11-gke.1000
- 1.25.7-gke.1000
- 1.26.2-gke.1001
- Updated the OS image to Ubuntu 22.04. cgroupv2 is now used as the default control group configuration.
  - Ubuntu 22.04 uses cgroupv2 by default. We recommend that you check whether any of your applications access the cgroup filesystem. If they do, they must be updated to use cgroupv2.
- Improved monitoring by exporting metrics for control plane components.
- Enabled sending Kubernetes resource metadata to Google Cloud Platform, improving both the user interface and cluster metrics. For the metadata to be ingested properly, customers need to enable the Config Monitoring for Ops API.
- Newly-created clusters now use etcd v3.4.21 for improved stability. Existing clusters of previous versions were already using etcd v3.5.x and will not be downgraded to v3.4.21 during cluster upgrade; these clusters will instead use v3.5.6.
- Preview: Enabled node auto repair. This feature continuously monitors the health of each node in a node pool. Please contact your account team to opt into the preview.
This release fixes the following vulnerability:
Known issues:
- Kubernetes 1.26.2 will incorrectly apply the default StorageClass to PersistentVolumeClaims which have the deprecated annotation volume.beta.kubernetes.io/storage-class.
- Applications may experience timeouts due to netfilter connection tracking (conntrack) table insertion failures. Insertion failures can occur even when the conntrack table has room for new entries. The failures are caused by changes in kernel 5.15 and higher that restrict table insertions based on chain length.
April 12, 2023
Kubernetes image registry redirect
As of March 21, 2023, traffic to k8s.gcr.io is redirected to registry.k8s.io, following the community announcement. This change is happening gradually to reduce disruption, and should be transparent for most Anthos clusters.
To check for edge cases and mitigate potential impact to your clusters, follow the step-by-step guidance in k8s.gcr.io Redirect to registry.k8s.io - What You Need to Know.
April 05, 2023
You can now launch clusters with the following Kubernetes versions:
- 1.23.16-gke.2800
- 1.24.10-gke.1200
- 1.25.6-gke.1600
- Fixed an issue that could cause cluster upgrades to fail if certain types of validating admission webhooks are registered.
- (1.24 only) Fixed Cilium security ID propagation so that IDs are properly passed in the tunnel header when requests are forwarded to Services of type NodePort and LoadBalancer.
This release fixes the following vulnerabilities:
March 07, 2023
You can now launch clusters with the following Kubernetes versions:
- 1.23.16-gke.200
- 1.24.9-gke.2000
- 1.25.5-gke.2000
- Fixed an issue where certain errors weren't propagated and reported during cluster create/update operations.
- Updated Anthos Identity Service to better handle concurrent authentication webhook requests.
- Updated fluent-bit to v1.9.9 to fix CVE-2022-42898.
This release fixes the following vulnerabilities:
February 01, 2023
You can now launch clusters with the following Kubernetes versions:
- 1.23.14-gke.1800
- 1.24.9-gke.1500
- 1.25.5-gke.1500
- Upgraded containerd to version 1.6.12.
- Upgraded storage drivers.
This release fixes the following vulnerabilities:
December 21, 2022
A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. For more information, see the GCP-2022-2025 security bulletin.
December 15, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.23.14-gke.1100
- 1.24.8-gke.1300
- 1.25.4-gke.1300
You can now upload workload metrics using Google Managed Service for Prometheus with managed collection to Cloud Monarch. This has been upgraded from a preview feature to GA.
Azure Active Directory is now supported in GA, letting cluster admins configure RBAC policies based on Azure AD groups for authorization in clusters and supporting retrieval of group information for users who belong to more than 200 groups.
Added a new token manager (gke-token-manager) to generate tokens for control plane components. This eliminates a control-plane component dependency on kube-apiserver, removes the need for RBAC in token generation, and permits logging to begin earlier in the startup cycle.
As a preview feature, Google Cloud Monitoring can now ingest a set of control plane metrics from kube-apiserver, kube-scheduler, kube-controller-manager and etcd.
Administrators can grant Azure cluster access to all members of a Google Group by granting the required RBAC permission to the group. For details, see Set up the Connect gateway with Google Groups.
Static pods running on the cluster's control plane VMs are now restricted to run as non-root Linux users.
This release fixes the following vulnerabilities:
- CVE-2016-10228
- CVE-2019-19126
- CVE-2019-25013
- CVE-2020-10029
- CVE-2020-16156
- CVE-2020-1752
- CVE-2020-27618
- CVE-2020-6096
- CVE-2021-27645
- CVE-2021-3326
- CVE-2021-33574
- CVE-2021-35942
- CVE-2021-3671
- CVE-2021-3999
- CVE-2021-4037
- CVE-2021-43618
- CVE-2022-0171
- CVE-2022-1184
- CVE-2022-1586
- CVE-2022-1587
- CVE-2022-20421
- CVE-2022-23218
- CVE-2022-23219
- CVE-2022-2602
- CVE-2022-2663
- CVE-2022-2978
- CVE-2022-3061
- CVE-2022-3116
- CVE-2022-3176
- CVE-2022-32221
- CVE-2022-3303
- CVE-2022-35737
- CVE-2022-3586
- CVE-2022-3621
- CVE-2022-3646
- CVE-2022-3649
- CVE-2022-37434
- CVE-2022-3903
- CVE-2022-39188
- CVE-2022-39842
- CVE-2022-40303
- CVE-2022-40304
- CVE-2022-40307
- CVE-2022-40768
- CVE-2022-4095
- CVE-2022-41674
- CVE-2022-41916
- CVE-2022-42010
- CVE-2022-42011
- CVE-2022-42012
- CVE-2022-42719
- CVE-2022-42720
- CVE-2022-42721
- CVE-2022-42722
- CVE-2022-43680
- CVE-2022-43750
- CVE-2022-44638
Fixed an issue in which outdated versions of gke-connect-agent were not always removed after cluster upgrades.
Kubernetes 1.22 versions are no longer supported. To upgrade to a supported version, see Upgrade your Azure cluster version.
Kubernetes version 1.25 deprecates several APIs. For details, see the Kubernetes Deprecated API Migration Guide.
November 10, 2022
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.
For more information, see the GCP-2022-024 security bulletin.
November 03, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.22.15-gke.100
- 1.23.11-gke.300
- 1.24.5-gke.200
This release includes fixes for the following CVEs:
- CVE-2021-3999
- CVE-2022-35252
- CVE-2020-35525
- CVE-2020-35527
- CVE-2021-20223
- CVE-2022-40674
- CVE-2022-37434
- CVE-2022-2509
- CVE-2022-2031
- CVE-2021-46828
- CVE-2022-32744
- CVE-2022-32745
- CVE-2022-1586
- CVE-2022-1587
- CVE-2022-32742
- CVE-2022-32746
- CVE-2022-1679
- CVE-2022-2795
- CVE-2022-3028
- CVE-2022-38177
- CVE-2022-38178
- CVE-2021-3502
- CVE-2021-44648
- CVE-2021-46829
- CVE-2022-2905
- CVE-2022-3080
- CVE-2022-39190
- CVE-2022-41222
- CVE-2020-8287
- CVE-2022-1184
- CVE-2022-2153
- CVE-2022-39188
- CVE-2022-20422
- CVE-2022-3176
- CVE-2022-3172
- CVE-2022-2602
October 28, 2022
A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
For instructions and more details, see the Anthos clusters on Azure security bulletin.
September 29, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.24.3-gke.2100
- 1.23.9-gke.2100
- 1.22.12-gke.2300
Kubernetes 1.21 versions are no longer supported. To upgrade to a supported version, see Upgrade your Azure cluster version.
In Kubernetes version 1.24 and later, Google Cloud Managed Service for Prometheus (GMP) is available as an invite only private preview. GMP lets you monitor and alert on workloads, using Prometheus, without having to manually manage and operate Prometheus at scale.
Anthos clusters on Azure now supports Cloud Monitoring for Windows node pools from Kubernetes version 1.24 and later. To learn more about monitoring in Anthos clusters on Azure, see Cloud monitoring.
Starting from Kubernetes version 1.24, virtual machines launched by Anthos clusters on Azure support System Assigned Managed Identities.
In Kubernetes version 1.24 and later, there are now checks to the API to ensure that users aren't making inconsistent or erroneous requests.
Starting from Kubernetes version 1.24, Anthos clusters on Azure switches to the external cloud provider. To learn more about this provider, see Cloud provider for Azure on GitHub.
Go 1.18 stops accepting certificates signed with the SHA-1 hash algorithm by default. Admission and conversion webhooks or aggregated server endpoints using these insecure certificates will break by default starting from Kubernetes version 1.24.
The environment variable GODEBUG=x509sha1=1 is set in Anthos on AWS clusters as a temporary workaround to let these insecure certificates continue to work. However, the Go team is expected to remove this workaround. Before upgrading to the upcoming breaking version, check that no admission or conversion webhooks or aggregated server endpoints are using such insecure certificates.
This release includes fixes for the following CVEs:
August 29, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.21.14-gke.2900
- 1.22.12-gke.1100
- 1.23.9-gke.800
This release fixes the following vulnerabilities:
August 04, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.23.8-gke.1700
- 1.22.12-gke.200
- 1.21.14-gke.2100
This release fixes the following vulnerabilities:
- CVE-2016-10228.
- CVE-2018-16301.
- CVE-2018-25032.
- CVE-2019-18276.
- CVE-2019-20838.
- CVE-2019-25013.
- CVE-2020-14155.
- CVE-2020-27618.
- CVE-2020-27820.
- CVE-2020-29562.
- CVE-2020-6096.
- CVE-2020-8037.
- CVE-2021-20193.
- CVE-2021-26401.
- CVE-2021-27645.
- CVE-2021-28711.
- CVE-2021-28712.
- CVE-2021-28713.
- CVE-2021-28714.
- CVE-2021-28715.
- CVE-2021-3326.
- CVE-2021-35942.
- CVE-2021-36084.
- CVE-2021-36085.
- CVE-2021-36086.
- CVE-2021-36087.
- CVE-2021-36690.
- CVE-2021-3711.
- CVE-2021-3712.
- CVE-2021-3772.
- CVE-2021-39685.
- CVE-2021-39686.
- CVE-2021-39698.
- CVE-2021-3995.
- CVE-2021-3996.
- CVE-2021-3999.
- CVE-2021-4083.
- CVE-2021-4135.
- CVE-2021-4155.
- CVE-2021-4160.
- CVE-2021-4197.
- CVE-2021-4202.
- CVE-2021-43566.
- CVE-2021-43618.
- CVE-2021-43975.
- CVE-2021-43976.
- CVE-2021-44733.
- CVE-2021-45095.
- CVE-2021-45469.
- CVE-2021-45480.
- CVE-2022-0330.
- CVE-2022-0435.
- CVE-2022-0516.
- CVE-2022-0617.
- CVE-2022-0778.
- CVE-2022-1011.
- CVE-2022-1016.
- CVE-2022-1158.
- CVE-2022-1198.
- CVE-2022-1271.
- CVE-2022-1292.
- CVE-2022-1304.
- CVE-2022-1353.
- CVE-2022-1516.
- CVE-2022-1664.
- CVE-2022-1966.
- CVE-2022-20008.
- CVE-2022-20009.
- CVE-2022-2068.
- CVE-2022-2097.
- CVE-2022-2327.
- CVE-2022-21123.
- CVE-2022-21125.
- CVE-2022-21166.
- CVE-2022-21499.
- CVE-2022-22576.
- CVE-2022-22942.
- CVE-2022-23036.
- CVE-2022-23037.
- CVE-2022-23038.
- CVE-2022-23039.
- CVE-2022-23040.
- CVE-2022-23041.
- CVE-2022-23042.
- CVE-2022-23218.
- CVE-2022-23219.
- CVE-2022-24407.
- CVE-2022-24448.
- CVE-2022-24958.
- CVE-2022-24959.
- CVE-2022-25258.
- CVE-2022-25375.
- CVE-2022-25636.
- CVE-2022-26490.
- CVE-2022-26966.
- CVE-2022-27223.
- CVE-2022-27774.
- CVE-2022-27775.
- CVE-2022-27776.
- CVE-2022-27781.
- CVE-2022-27782.
- CVE-2022-28356.
- CVE-2022-28388.
- CVE-2022-28389.
- CVE-2022-28390.
- CVE-2022-29155.
- CVE-2022-30594.
- CVE-2022-32206.
- CVE-2022-32208.
This list has been updated to include CVE-2022-2327.
August 01, 2022
A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.
For more information, see the GCP-2022-018 security bulletin.
July 13, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.23.7-gke.1300
- 1.22.10-gke.1500
- 1.21.11-gke.1900
You can now launch Kubernetes 1.23 clusters.
Kubernetes 1.23.7-gke.1300 includes the following changes:
- Disable the profiling endpoint (/debug/pprof) by default in kube-scheduler and kube-controller-manager.
- Update kube-apiserver and kubelet to only use strong cryptographic ciphers.
In a future release of 1.23 VolumeSnapshot v1beta1 APIs will no longer be served. Please update to VolumeSnapshot v1 APIs as soon as possible.
In Kubernetes 1.23 and higher, cluster Cloud Audit Logs is now available and is enabled by default.
CIS benchmarks are now available for Kubernetes 1.23 clusters.
This release fixes the following vulnerabilities:
- Fixed CVE-2022-1786.
- Fixed CVE-2022-29582.
- Fixed CVE-2022-29581.
- Fixed CVE-2022-1116
Added support for updating Azure control plane and node pool SSH config. For more information, see gcloud container azure clusters update and gcloud container azure node-pools update.
Restrictions on IP ranges that can be used for a cluster's Pods and Services are now relaxed. Pod and Service IP ranges can now overlap with VPC's IP ranges, provided they do not intersect the control plane or node pool subnets.
You can no longer create clusters with the following versions:
- 1.21.11-gke.100
- 1.21.11-gke.1100
- 1.22.8-gke.200
- 1.22.8-gke.1300
These versions have a bug mentioned in a note from June 23, 2022.
June 23, 2022
Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. For more information, refer to the GCP-2022-016 security bulletin.
There is a bug in the Azure OS kernels used by some of the previous Anthos clusters on Azure versions. This bug will randomly cause disks to not mount in the OS when they are attached to the Azure VM. When this happens, clusters won't start up completely.
The following versions are affected:
- 1.21.11-gke.100
- 1.21.11-gke.1100
- 1.22.8-gke.200
- 1.22.8-gke.1300
Please always use the latest patch versions when creating a new cluster to avoid this issue.
For more information, see the Linux kernel bug.
June 06, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.21.11-gke.1800
- 1.22.8-gke.2100
Windows nodes on 1.22.8-gke.2100 now use pigz to improve image layer extraction performance.
May 09, 2022
You can now launch clusters with Kubernetes versions 1.21.11-gke.1100 and 1.22.8-gke.1300.
In 1.22.8-gke.1300, fixed an issue where the logging agent could fill up the attached disk space.
In 1.22.8-gke.1300, fixed an issue where add-ons could not be applied when Windows node pools were enabled.
These releases fix the following CVEs:
- Fixed CVE-2022-1055.
- Fixed CVE-2022-0886.
- Fixed CVE-2022-0492.
- Fixed CVE-2022-24769.
These releases include the following role-based access control (RBAC) changes:
- Scoped down anet-operator permissions for Lease update.
- Scoped down anetd DaemonSet permissions for Nodes and Pods.
- Scoped down fluentbit-gke permissions for service account tokens.
- Scoped down gke-metrics-agent permissions for service account tokens.
- Scoped down coredns-autoscaler permissions for Nodes, ConfigMaps and Deployments.
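The scope-downs listed above are the kind of change that is worth verifying in your own add-on roles as well. The following is an added example, not part of the GKE or Anthos manifests: it expands an RBAC rule list into (apiGroup, resource, verb) triples and compares it with the set a component actually needs, reporting excess grants, wildcards, and anything missing. The BROAD_RULES, SCOPED_RULES and REQUIRED values are constructed to mirror the anet-operator Lease case in the note; the real manifests are not on the page.

```python
"""Audit an RBAC rule list against the permissions a component really needs.

Added example, not code from GKE/Anthos. The rules and the statement of need
are constructed to resemble the anet-operator "Lease update" scope-down the
release note mentions; the real manifests are not on the page.
"""
from itertools import product
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str, str]  # (apiGroup, resource, verb)

# Constructed "before": wildcard verbs on leases plus an unrelated secrets read.
BROAD_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
]

# Constructed "after": only the verbs the component issues against leases.
SCOPED_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "update"]},
]

# Constructed statement of need, e.g. derived from the component's API calls.
REQUIRED: Set[Perm] = {
    ("coordination.k8s.io", "leases", "get"),
    ("coordination.k8s.io", "leases", "update"),
}


def expand(rules: List[Dict[str, List[str]]]) -> Set[Perm]:
    """Flatten RBAC rules into explicit (apiGroup, resource, verb) triples."""
    granted: Set[Perm] = set()
    for rule in rules:
        groups = rule.get("apiGroups", [""])
        for g, res, verb in product(groups, rule["resources"], rule["verbs"]):
            granted.add((g, res, verb))
    return granted


def audit(rules: List[Dict[str, List[str]]], required: Set[Perm]) -> Tuple[Set[Perm], Set[Perm], Set[Perm]]:
    """Return (excess, missing, wildcards) relative to the required permissions."""
    granted = expand(rules)
    wildcards = {p for p in granted if "*" in p}

    def covered(p: Perm) -> bool:
        g, res, verb = p
        # A wildcard on the same group/resource (or broader) satisfies the need.
        return (
            p in granted
            or (g, res, "*") in granted
            or (g, "*", "*") in granted
            or ("*", "*", "*") in granted
        )

    missing = {p for p in required if not covered(p)}
    excess = {p for p in granted if p not in required}
    return excess, missing, wildcards


if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("scoped", SCOPED_RULES)):
        excess, missing, wildcards = audit(rules, REQUIRED)
        print(f"{label}: excess={sorted(excess)} missing={sorted(missing)} wildcards={sorted(wildcards)}")
```

A wildcard verb always shows up under excess because it grants more than any finite list of needs; the scoped rule set produces empty excess, missing and wildcard sets, which is the target state for a component's ServiceAccount.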
April 26, 2022
Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666 have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.
April 13, 2022
Anthos Clusters on Azure now supports Kubernetes versions 1.22.8-gke.200 and 1.21.11-gke.100. For more information, see the open source release notes for Kubernetes 1.22.8 and Kubernetes 1.21.11.
Kubernetes 1.22 removes support for several deprecated v1beta1 APIs. Before upgrading your clusters to v1.22, you must upgrade your workloads to use the stable v1 APIs and confirm their compatibility with v1.22. For more information, see Kubernetes 1.22 Deprecated APIs.
When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.
As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.8.
You can now set the autoscaler's minimum node count to zero.
This release of Anthos Clusters on Azure adds the ability to update your
- control plane and node pool VM size
- cluster annotations
- Azure admin users
- control plane root volume size
You can now view the most common asynchronous cluster and node pool boot errors in the long-running operation's error field.
This release fixes the following security issues:
A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects Anthos on Azure on Ubuntu running Kubernetes version 1.21.
For more information, see the GCP-2022-012 security bulletin.
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.
For more information, see the GCP-2022-013 security bulletin.
March 21, 2022
Anthos clusters on Azure now supports clusters in the australiaeast region. For more information, see Supported regions.
February 22, 2022
Kubernetes version 1.21.6-gke.1500 is now available. For more information, see the Kubernetes OSS release notes.
You can now launch clusters in the brazilsouth Azure region.
Fixed CVE-2021-4154; see GCP-2022-002 for more details.
Fixed CVE-2022-0185; see GCP-2022-002 for more details.
Fixed CVE-2021-4034; see GCP-2022-004 for more details.
Fixed CVE-2021-43527; see GCP-2022-005 for more details.
February 14, 2022
A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's cgroup_release_agent_write function. The attack uses unprivileged user namespaces, and under certain circumstances this vulnerability can be exploitable for container breakout. For more information, see the GCP-2022-006 security bulletin.
February 11, 2022
A security vulnerability, CVE-2021-43527, has been discovered in any binary that links to the vulnerable versions of libnss3 found in NSS (Network Security Services) versions prior to 3.73 or 3.68.1. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. For more information, see the GCP-2022-005 security bulletin.
February 04, 2022
A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc, as governed by a policy.
For instructions and more details, see the GCP-2022-004 security bulletin.
December 02, 2021
Anthos on Azure is now generally available through the Multi-Cloud API.
With the latest release, we've simplified installation and streamlined our cluster management technology. You can now use a single API for full lifecycle management of Anthos clusters running in AWS or Azure. This release introduces gcloud command groups for deploying Anthos clusters in AWS, Azure, and Google Cloud. Clusters you create in other clouds appear in the Google Cloud Console, creating a centralized management view complete with cluster telemetry and logging.
The Multi-Cloud API authenticates with each cloud using a service account or application registration, and allows clusters to be deployed on existing or newly created VNets. It supports multiple machine types in each cloud across multiple regions. As a reminder, Anthos clusters on Azure or AWS integrate with each respective cloud's KMS, storage facilities, and load balancing.
Anthos on Azure is available today, with either subscription or pay-as-you-go pricing.
You can now create, update, and delete clusters on Azure with the gcloud tool. Read more about our Multi-Cloud API.
Automatic Container monitoring and system logging with Cloud Logging and Cloud Monitoring.
Built-in Connect Gateway Support.
You can now use an Azure Key Vault Hardware Security module to bring your own key.
October 19, 2021
The security community recently disclosed a new security vulnerability, CVE-2021-30465, found in runc that has the potential to allow full access to a node filesystem. For more information, see the GCP-2021-011 security bulletin.
September 30, 2021
A new release of Anthos clusters on Azure is now available.
Anthos clusters on Azure now supports Kubernetes 1.20 clusters.
You must now manage your clusters with the gcloud command-line tool version 358.0.0 or higher.
Kubernetes 1.20 includes a fix for CVE-2021-25741. We recommend you replace all 1.19 clusters with 1.20 clusters.
Cluster updates are not supported. To use Kubernetes 1.20, you must create new clusters.
You can now use an HTTP proxy with Kubernetes 1.20 clusters.
You can now launch clusters in the Singapore and Australia regions.
You can now specify zone placement of control plane replicas when you create a cluster. For more information, see Control plane zonal placement.
When you get credentials for a Kubernetes 1.20 cluster, use the gcloud alpha container azure clusters get-credentials command.
June 30, 2021
The preview release of Anthos clusters on Azure is now available. With this release, you can create, use, and tear down Anthos clusters on Azure, as well as load balancers, and storage volumes.
Anthos clusters on Azure is available for customers with an existing support relationship with Google Cloud. Contact your account representative for access.
Anthos clusters on Azure supports Kubernetes version 1.19.10-gke.1000.
To create a cluster, see the Installation overview.
New features include:
- Private clusters with private IPs
- gcloud alpha container azure clusters and node-pools support
- Application-layer secrets encryption
- Choice of volume type, size, and customer-managed encryption keys
- Cluster Autoscaler
Current limitations include the following:
- Cluster updates are not supported. You must recreate clusters when using the next version.
- Node pools have only been tested up to 20 nodes.
- In order to use the Google Cloud Console, you must register your cluster with the Connect agent.
- Not all Google Cloud and Azure regions are supported. See Supported regions for more information.