Google Distributed Cloud air-gapped 1.14.3 release notes

February 28, 2025


Google Distributed Cloud (GDC) air-gapped 1.14.3 is available.
See the product overview to learn about the features of Distributed Cloud.

The following new features are available:

Backup and restore:

  • Added the ability to create scoped VM backups and restores to target specific VM workloads. Create these VM backups manually, or create backup plans that automatically perform backups on a schedule you define. For more information, see Overview.
  • Added fine-grained restores, which let you restore a subset of resources from a backup. This feature provides the flexibility to refine the restore scope defined in the restore plan. For more information, see Create a fine-grained restore.

Billing:

  • Added the ability to upload monthly billing costs to the Argentum console.

Firewall:

  • Added the ability to configure NTP PANW authentication on GDC firewalls using symmetric keys.

IAM:

  • IAM APIs that control identity providers, service accounts, and role bindings are global by default, spanning all zones in a GDC universe. For more information, see the Multi-zone overview.

Marketplace:

  • Neo4j is available in the GDC air-gapped marketplace. Neo4j is an open-source, NoSQL, built-in graph database that provides an ACID-compliant transactional backend for your applications.
  • MariaDB Operator is available in the GDC air-gapped marketplace. MariaDB Operator uses supported Docker images to provide a fleet management and HA/DR solution for MariaDB Enterprise Server and MaxScale.
  • HashiCorp Vault (BYOL) is available in the Google Distributed Cloud air-gapped marketplace. HashiCorp Vault is an identity-based secrets and encryption management system.
  • Apache Kafka on Confluent Platform (BYOL) is available in the GDC air-gapped marketplace. Confluent Platform is a solution that allows real-time access, storage, and management of continuous data streams.
  • Redis Software for Kubernetes (BYOL) is available in the GDC air-gapped marketplace. Redis is the world's fastest in-memory database for building and scaling fast applications.

MHS:

  • The Managed Harbor Service (MHS) now includes Harbor backup and restore. Configure backups and create restores for Harbor instances. For more information, see Overview.
  • Added the MHS credential helper that lets you use your GDC identity to sign in to the Docker or Helm CLI. For more information, see Sign in to Docker and Helm.
  • Added the ability to scan all of the artifacts in a Harbor instance. For more information, see Scan for vulnerabilities.

Monitoring:

Networking:

  • Use multi-zone internal and external load balancers to distribute traffic for VM and pod workloads. For more information, see Overview.

  • Configure interconnect resources to establish physically dedicated connectivity to external private networks. For more information, see the interconnect Overview.

  • Configure an internal or external load balancer for pod and VM workloads using the Networking KRM API or gdcloud CLI. For more information, see Manage load balancers.

  • Use zonal and global project network policies to establish connectivity between projects and organizations.

  • Create workload-level network policies to define specific access rules for individual VMs and pods within a project.

Resource Manager:

  • By default, projects are global resources that span all zones in a GDC universe. For more information, see the Multi-zone overview.

Virtual machines:


Updated the Rocky OS image version to 20250124 to apply the latest security patches and important updates.

The following security vulnerabilities are fixed:


The following issues are identified:

Firewall:

  • The organization is not reachable through the global UI console DNS.

Harbor backup and restore:

  • After a Harbor backup and restore, the CLI secrets become invalid and need to be created again.

Identity and access management:

  • Role bindings fail if generated IAM role binding names exceed 63 characters.

  • New projects experience delays with predefined role creation.

Multi-zone:

  • When a zone is inaccessible, the GDC console displays an authentication error.

Networking:

  • Node is not reachable on the Data Network.

  • The network experiences a drop of around 50% in cross-zone traffic between nodes.

Resource Manager:

  • Projects cannot be updated or deleted from the GDC console.

Storage:

  • Pods fail to mount due to a Trident mkfs.ext4 error.

The following issues are fixed:

Harbor:

  • Fixed the issue where the nodepool is stuck in a state of Provisioning. For more information, see Known issues.

The following changes are identified:

Core:

  • The requirements to interact with the org admin cluster and system cluster in several service workflows have been removed. The Management API server, which is available for managing all non-container workloads and services, serves as the replacement for all affected service workflows.

  • The global API server is provided by default for customer-managed resources that are designed for global deployment across a GDC universe. For more information, see Global and zonal API servers.

Marketplace:

  • The Marketplace Viewer role permissions are restricted to viewing the available services only, with no access to installed instances or their configurations. To view the configuration of running instances, users need the Marketplace Editor (marketplace-editor) role.

Resource Manager:

  • Removed the capability to attach a Kubernetes cluster when creating a project in the GDC console. You must attach Kubernetes clusters to a project from the Kubernetes Engine > Clusters page. For more information, see Create a project.

Version updates:

Virtual machines:

  • Updated the Performance Test as a Service (PTaaS) documentation to include new names and descriptions for the available benchmarks in PTaaS.