This documentation is for the most recent version of Anthos clusters on Azure, released on November 3rd. See the Release notes for more information.

Release notes

This page documents production updates to Anthos clusters on Azure. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: http://cloud.google.com/feeds/anthos-on-azure-release-notes.xml

November 10, 2022

Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.

For more information, see the GCP-2022-024 security bulletin.

November 03, 2022

You can now launch clusters with the following Kubernetes versions:

  • 1.22.15-gke.100
  • 1.23.11-gke.300
  • 1.24.5-gke.200

October 28, 2022

A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.

For instructions and more details, see the Anthos clusters on Azure security bulletin.

September 29, 2022

You can now launch clusters with the following Kubernetes versions:

  • 1.24.3-gke.2100
  • 1.23.9-gke.2100
  • 1.22.12-gke.2300

Kubernetes 1.21 versions are no longer supported. To upgrade to a supported version, see Upgrade your Azure cluster version.

You can now use the Google Cloud console to update, upgrade, and delete clusters on Azure.

In Kubernetes version 1.24 and later, Google Cloud Managed Service for Prometheus (GMP) is available as an invite only private preview. GMP lets you monitor and alert on workloads, using Prometheus, without having to manually manage and operate Prometheus at scale.

Anthos clusters on Azure now supports Cloud Monitoring for Windows node pools from Kubernetes version 1.24 and later. To learn more about monitoring in Anthos clusters on Azure, see Cloud monitoring.

Starting from Kubernetes version 1.24, virtual machines launched by Anthos clusters on Azure support System Assigned Managed Identities.

In Kubernetes version 1.24 and later, there are now checks to the API to ensure that users aren't making inconsistent or erroneous requests.

Starting from Kubernetes version 1.24, Anthos clusters on Azure switches to the external cloud provider. To learn more about this provider, see Cloud provider for Azure on GitHub.

Go 1.18 stops accepting certificates signed with the SHA-1 hash algorithm by default. Admission and conversion webhooks or aggregated server endpoints that use these insecure certificates will break by default starting from Kubernetes version 1.24.

The environment variable GODEBUG=x509sha1=1 is set in Anthos on AWS clusters as a temporary workaround to let these insecure certificates continue to work. However, the Go team is expected to remove support for this workaround. Before upgrading to the upcoming breaking version, check that no admission or conversion webhooks or aggregated server endpoints use such insecure certificates.
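One way to run that check on a PEM certificate exported from a webhook or aggregated API server endpoint is to read the certificate's outer signatureAlgorithm field and compare it against the SHA-1 signature OIDs. This is an added example, not code from the Anthos documentation; the function names are hypothetical and the sample certificates are constructed skeletons (placeholder TBS and signature, real AlgorithmIdentifier).

```python
import ssl

# Signature-algorithm OIDs (DER content bytes) that rely on SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_oid(der):
    """Extract the outer signatureAlgorithm OID bytes of a DER certificate."""
    tag, start, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)   # skip over tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected certificate layout")
    return der[oid_start:oid_end]

def sha1_signed(pem):
    """Return the SHA-1 algorithm name if the PEM cert is SHA-1 signed, else None."""
    return SHA1_SIG_OIDS.get(signature_oid(ssl.PEM_cert_to_DER_cert(pem)))

def tlv(tag, value):
    """DER-encode one element (short-form length only; enough for the samples)."""
    return bytes([tag, len(value)]) + value

def sample_pem(sig_oid_hex):
    """Constructed skeleton certificate carrying the given signature OID."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + alg + tlv(0x03, b"\x00\xaa"))
    return ssl.DER_cert_to_PEM_cert(der)

if __name__ == "__main__":
    for name, oid in (("legacy", "2a864886f70d010105"), ("modern", "2a864886f70d01010b")):
        print(name, "->", sha1_signed(sample_pem(oid)) or "not SHA-1 signed")
```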

August 29, 2022

You can now launch clusters with the following Kubernetes versions:

  • 1.21.14-gke.2900
  • 1.22.12-gke.1100
  • 1.23.9-gke.800

August 04, 2022

You can now launch clusters with the following Kubernetes versions:

  • 1.23.8-gke.1700
  • 1.22.12-gke.200
  • 1.21.14-gke.2100

This release fixes the following vulnerabilities:

This list has been updated to include CVE-2022-2327.

August 01, 2022

A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.
For more information, see the GCP-2022-018 security bulletin.

July 13, 2022

You can now launch clusters with the following Kubernetes versions:

  • 1.23.7-gke.1300
  • 1.22.10-gke.1500
  • 1.21.11-gke.1900

You can now launch Kubernetes 1.23 clusters.

Kubernetes 1.23.7-gke.1300 includes the following changes:

  • Disable profiling endpoint (/debug/pprof) by default in kube-scheduler and kube-controller-manager.
  • Update kube-apiserver and kubelet to only use Strong Cryptographic Ciphers.

In a future release of 1.23, VolumeSnapshot v1beta1 APIs will no longer be served. Please update to VolumeSnapshot v1 APIs as soon as possible.

In Kubernetes 1.23 and higher, cluster Cloud Audit Logs is now available and is enabled by default.

CIS benchmarks are now available for Kubernetes 1.23 clusters.

This release fixes the following vulnerabilities:

Added support for updating the Azure control plane and node pool SSH config. For more information, see gcloud container azure clusters update and gcloud container azure node-pools update.

Restrictions on IP ranges that can be used for a cluster's Pods and Services are now relaxed. Pod and Service IP ranges can now overlap with VPC's IP ranges, provided they do not intersect the control plane or node pool subnets.

You can no longer create clusters with the following versions:

  • 1.21.11-gke.100
  • 1.21.11-gke.1100
  • 1.22.8-gke.200
  • 1.22.8-gke.1300

These versions have a bug mentioned in a note from June 23, 2022.

June 23, 2022

Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. For more information, refer to the GCP-2022-016 security bulletin.

There is a bug in the Azure OS kernels used by some of the previous Anthos clusters on Azure versions. This bug will randomly cause disks to not mount in the OS when they are attached to the Azure VM. When this happens, clusters won't start up completely.

The following versions are affected:

  • 1.21.11-gke.100
  • 1.21.11-gke.1100
  • 1.22.8-gke.200
  • 1.22.8-gke.1300

Please always use the latest patch versions when creating a new cluster to avoid this issue.

For more information, see the Linux kernel bug.

June 06, 2022

You can now launch clusters with the following Kubernetes versions:

  • 1.21.11-gke.1800
  • 1.22.8-gke.2100

Windows nodes on 1.22.8-gke.2100 now use pigz to improve image layer extraction performance.

May 09, 2022

You can now launch clusters with Kubernetes versions 1.21.11-gke.1100 and 1.22.8-gke.1300.

In 1.22.8-gke.1300, fixed an issue where the logging agent could fill up attached disk space.

In 1.22.8-gke.1300, fixed an issue where add-ons cannot be applied when Windows node pools are enabled.

These releases fix the following CVEs:

These releases include the following role-based access control (RBAC) changes:

  • Scoped down anet-operator permissions for Lease update.
  • Scoped down anetd Daemonset permissions for Nodes and pods.
  • Scoped down fluentbit-gke permissions for service account tokens.
  • Scoped down gke-metrics-agent for service account tokens.
  • Scoped down coredns-autoscaler permissions for Nodes, ConfigMaps and Deployments.

April 26, 2022

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.

April 13, 2022

Anthos Clusters on Azure now supports Kubernetes versions 1.22.8-gke.200 and 1.21.11-gke.100. For more information, see the open source release notes for Kubernetes 1.22.8 and Kubernetes 1.21.11.

Kubernetes 1.22 removes support for several deprecated v1beta1 APIs. Before upgrading your clusters to v1.22, you must upgrade your workloads to use the stable v1 APIs and confirm their compatibility with v1.22. For more information, see Kubernetes 1.22 Deprecated APIs.

When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.

As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.8.

You can now set the autoscaler's minimum node count to zero.

This release of Anthos Clusters on Azure adds the ability to update your:

  • control plane and node pool VM size
  • cluster annotations
  • Azure admin users
  • control plane root volume size

You can now view the most common asynchronous cluster and node pool boot errors in the long-running operation error field.

A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects Anthos on Azure on Ubuntu running Kubernetes version 1.21.

For more information, see the GCP-2022-012 security bulletin.

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.

For more information, see the GCP-2022-013 security bulletin.

March 21, 2022

Anthos clusters on Azure now supports clusters in the australiaeast region. For more information, see Supported regions.

February 22, 2022

Kubernetes version 1.21.6-gke.1500 is now available. For more information, see the Kubernetes OSS release notes.

You can now launch clusters in the brazilsouth Azure region.

Fixed CVE-2021-4154. See GCP-2022-002 for more details.

Fixed CVE-2022-0185. See GCP-2022-002 for more details.

Fixed CVE-2021-4034. See GCP-2022-004 for more details.

Fixed CVE-2021-43527. See GCP-2022-005 for more details.

February 14, 2022

A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's cgroup_release_agent_write function. The attack uses unprivileged user namespaces and under certain circumstances this vulnerability can be exploitable for container breakout. For more information, see the GCP-2022-006 security bulletin.

February 11, 2022

A security vulnerability, CVE-2021-43527, has been discovered in any binary that links to the vulnerable versions of libnss3 found in NSS (Network Security Services) versions prior to 3.73 or 3.68.1. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. For more information, see the GCP-2022-005 security bulletin.

February 04, 2022

A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc, as governed by a policy.

For instructions and more details, see the GCP-2022-004 security bulletin.

December 02, 2021

Anthos on Azure is now generally available through the Multi-Cloud API.

With the latest release, we've simplified installation and streamlined our cluster management technology. You can now use a single API for full lifecycle management of Anthos clusters running in AWS or Azure. This release introduces gcloud command groups for deploying Anthos clusters in AWS, Azure, and Google Cloud. Clusters you create in other clouds appear in the Google Cloud Console, creating a centralized management view complete with cluster telemetry and logging.

The Multi-Cloud API authenticates with each cloud using a service account or application registration, and allows clusters to be deployed on existing or newly created VNets. It supports multiple machine types in each cloud across multiple regions. As a reminder, Anthos clusters on Azure or AWS integrate with each respective cloud's KMS, storage facilities, and load balancing.

Anthos on Azure is available today, with either subscription or pay-as-you-go pricing.

You can now create, update, and delete clusters on Azure with the gcloud tool. Read more about our Multi-Cloud API.

Automatic Container monitoring and system logging with Cloud Logging and Cloud Monitoring.

You can now use an Azure Key Vault Hardware Security module to bring your own key.

October 19, 2021

The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

September 30, 2021

A new release of Anthos clusters on Azure is now available.

Anthos clusters on Azure now supports Kubernetes 1.20 clusters.

You must now manage your clusters with the gcloud command-line tool version 358.0.0 or higher.

Kubernetes 1.20 includes a fix for CVE-2021-25741. We recommend you replace all 1.19 clusters with 1.20 clusters.

Cluster updates are not supported. To use Kubernetes 1.20, you must create new clusters.

You can now use an HTTP proxy with Kubernetes 1.20 clusters.

You can now launch clusters in the Singapore and Australia regions.

You can now specify zone placement of control plane replicas when you create a cluster. For more information, see Control plane zonal placement.

When you get credentials for a Kubernetes 1.20 cluster, use the gcloud alpha container azure clusters get-credentials command.

June 30, 2021

The preview release of Anthos clusters on Azure is now available. With this release, you can create, use, and tear down Anthos clusters on Azure, as well as load balancers, and storage volumes.

Anthos clusters on Azure is available for customers with an existing support relationship with Google Cloud. Contact your account representative for access.

Anthos clusters on Azure supports Kubernetes version 1.19.10-gke.1000.

To create a cluster, see the Installation overview.

New features include:

  • Private clusters with private IPs
  • gcloud alpha container azure clusters and node-pools support
  • Application-layer secrets encryption
  • Choice of volume type, size, and customer-managed encryption keys
  • Cluster Autoscaler

Current limitations include the following:

  • Cluster updates are not supported. You must recreate clusters when using the next version.
  • Node pools have only been tested up to 20 nodes.
  • In order to use the Google Cloud Console, you must register your cluster with the Connect agent.
  • Not all Google Cloud and Azure regions are supported. See Supported regions for more information.