GKE follows a predictable multi-day rollout schedule for making new versions available, as well as auto-upgrading cluster control planes and nodes. For more information, see the Rollout schedule.
For more detailed information about security-related known issues, see the security bulletin page.
To view release notes for versions prior to 2020, see the Release notes archive.
You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.
To get the latest product updates delivered to you, add the URL of this page to your
feed
reader, or add the feed URL directly: https://cloud.google.com/feeds/kubernetes-engine-rapid-channel-release-notes.xml
February 17, 2021 (2021-R6)
Version 1.19.7-gke.1302 is now available in the Rapid channel. This version is now the default.
Version 1.19.7-gke.1500 is now available in the Rapid channel.
Version 1.18.12-gke.1206 is no longer available in the Rapid channel.
Version 1.19.7-gke.800 is no longer available in the Rapid channel.
Auto-upgrading control planes in the Rapid channel automatically upgrade from version 1.18 to version 1.19.7-gke.1302 with this release.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.19.7-gke.1302 with this release.
February 9, 2021 (2021-R5)
Version 1.18.12-gke.1210 is now available in the Rapid channel. This version is now the default.
Version 1.19.7-gke.1302 is now available in the Rapid channel.
Version 1.18.12-gke.1205 is no longer available in the Rapid channel.
Version 1.19.6-gke.1700 is no longer available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1206 with this release.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.7-gke.800 with this release.
February 2, 2021 (2021-R4)
Version 1.18.12-gke.1206 is now available in the Rapid channel.
Version 1.19.7-gke.800 is now available in the Rapid channel.
Version 1.19.6-gke.600 is no longer available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.6-gke.1700 with this release.
January 28, 2021
cos_containerd
)
node image,
dockerd
(the Docker Daemon) is not running at boot. It needs to be started manually.
This issue will be fixed in a future release.
January 25, 2021 (2021-R3)
Version 1.19.6-gke.1700 is now available in the Rapid channel.
January 19, 2021 (2021-R2)
Version 1.18.12-gke.1205 is now available in the Rapid channel. This version is now the default.
Version 1.19.6-gke.600 is now available in the Rapid channel.
Before upgrading to 1.19.6-gke.600, read the 1.19 available in the Rapid channel section in the release notes.
Version 1.18.12-gke.1200 is no longer available in the Rapid channel.
Version 1.18.12-gke.1202 is no longer available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1205 with this release.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.6-gke.600 with this release.
1.19 available in the Rapid channel
Kubernetes 1.19 is now available in Rapid channel. Before upgrading to 1.19.6-gke.600, read Kubernetes 1.19 Release Notes especially the Urgent upgrade notes section.
Changes
Features
A new seccompProfile
field is added to Pod and Container securityContext
objects, starting in Kubernetes 1.19.
securityContext:
seccompProfile:
# "Unconfined", "RuntimeDefault", or "Localhost"
type: Localhost
# only necessary if type == Localhost
localhostProfile: my-profiles/profile-allow.json
The alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod
and
container.seccomp.security.alpha.kubernetes.io/…
are deprecated in favor of the
GA API field. The alpha annotations will not be honored in Kubernetes 1.22+.
If you are currently using Seccomp annotations on Pods or Containers, you should identify and transition workloads using the annotations to set the API fields before 1.21 is released on GKE (approximately in June 2021). No change on PodSecurityPolicy is required, as it supports both annotation and field seccomp profiles. You can follow the recommended steps below:
Locate Seccomp annotation usages. In your Kubernetes manifest files, search for "seccomp.security.alpha.kubernetes.io/pod" and "container.seccomp.security.alpha.kubernetes.io/"".
Add or update securityContext fields. Based on your annotation usage, add or update (if securityContext already exists) the securityContext field in Pod or Container spec. The annotations can be left in place, but must match the securityContext API field.
Current annotation usage Add or update securityContext seccomp.security.alpha.kubernetes.io/pod
In Pod's securityContext, add seccompProfile field. container.seccomp.security.alpha.kubernetes.io/CONTAINER_NAME
In CONTAINER_NAME's securityContext, add seccompProfile field. Set values for seccompProfile. The
type
field of seccompProfile corresponds to the annotation value, andlocalhostProfile
field corresponds to the path followinglocalhost
annotation value.Current annotation value seccompProfile value unconfined
seccompProfile:
type: Unconfinedruntime/default
ordocker/default
seccompProfile:
type: RuntimeDefaultlocalhost/path/to/profile.json
seccompProfile:
type: Localhost
localhostProfile: path/to/profile.json
For more details, see the following pages:
The widely used
Ingress API
has graduated to general availability in Kubernetes 1.19. The v1beta1 Ingress
API is deprecated, and will no longer be served in 1.22+. Before 1.21,
identify and transition clients and manifests using the v1beta1 Ingress API to
use networking.k8s.io/v1
.
Clusters withGoogle Cloud's operations suite enabled can use the following query to identify clients that access the Ingress v1beta1 APIs:
resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion=("extensions/v1beta1" OR "networking.k8s.io/v1beta1")
protoPayload.request.kind="Ingress"
NOT ("kube-system")
Identify and transition clients and manifests using the v1beta1 Ingress APIs to
use networking.k8s.io/v1
before v1.21 is released on GKE
(approximately in June 2021), then verify no clients are using the v1beta1 API
during the 1.21 timeframe. Workloads using the v1beta1 APIs need to be upgraded
before your cluster is upgraded to GKE 1.22.
To migrate manifests to networking.k8s.io/v1:
- Rename the
spec.backend
field (if specified) tospec.defaultBackend
- Rename each
backend.serviceName
field tobackend.service.name
- Rename each numeric
backend.servicePort
field tobackend.service.port.number
- Rename each string
backend.servicePort
field tobackend.service.port.name
- Specify a
pathType
field for each defined path. Options arePrefix
,Exact
, andImplementationSpecific
. To match the undefined v1beta1 behavior, useImplementationSpecific
.
As an example, to migrate this v1beta1 manifest to v1:
v1beta1 manifest
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: example
spec:
backend:
serviceName: default-backend
servicePort: 80
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test
servicePort: 80
v1 manifest
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
spec:
defaultBackend:
service:
name: default-backend
port:
number: 80
rules:
- http:
paths:
- path: /testpath
pathType: ImplementationSpecific
backend:
service:
name: test
port:
number: 80
The CertificateSigningRequest API has graduated to certificates.k8s.io/v1
in
Kubernetes 1.19. The v1beta1 CertificateSigningRequest API is deprecated and
will no longer be served in 1.22+.
Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the CertificateSigningRequest v1beta1 APIs:
resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion="certificates.k8s.io/v1beta1"
NOT ("kube-system")
Identify and transition clients and manifests using the v1beta1
CertificateSigningRequest API to use certificates.k8s.io/v1
before 1.21 is
released on GKE (approximately in June 2021), then verifying no
clients are using the v1beta1 API during the 1.21 timeframe. Workloads using
the v1beta1 API need to be upgraded before your cluster is upgraded to
GKE 1.22.
Differences between the v1beta1 and v1 API are as follows:
For API clients requesting certificates:
- spec.signerName
is now required, and requests for
kubernetes.io/legacy-unknown
are not allowed to be created using thecertificates.k8s.io/v1
API spec.usages
is now required, cannot contain duplicate values, and must only contain known usages
- spec.signerName
is now required, and requests for
For API clients approving or signing certificates:
status.conditions
cannot contain duplicate typesstatus.conditions[*].status
is now requiredstatus.certificate
must be PEM-encoded, and must contain onlyCERTIFICATE
blocks
January 8, 2021 (2021-R1)
Version 1.18.12-gke.1201 is now available in the Rapid channel. This version is now the default.
Version 1.18.12-gke.1205 is now available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1201 with this release.
December 14, 2020 (R41)
Version 1.18.12-gke.1201 is now available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1200 with this release.
December 7, 2020 (R40)
Version 1.18.12-gke.1200 is now available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.300 with this release.
Version 1.18.10-gke.2701 is no longer available in the Rapid channel.
December 1, 2020 (R39)
Version 1.18.12-gke.300 is now available in the Rapid channel. This version is now the default.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.2701 with this release.
Version 1.18.10-gke.2101 is no longer available in the Rapid channel.
November 25, 2020
Auto-upgrade status
November 24, 2020
The November 17, 2020 release removed the following GKE version.
Version 1.18.10-gke.1500 is no longer available in the Rapid channel.
November 12, 2020 (R38)
This note was updated on November 24, 2020.
Version 1.18.10-gke.2701 is now available in the Rapid channel. This version is now the default.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.2101 with this release.
November 12, 2020 (R37)
Version 1.18.10-gke.2101 is now available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.1500 with this release.
Version 1.18.10-gke.1500 is the new default version in the Rapid channel.
November 4, 2020 (R36)
Version 1.18.10-gke.1500 is now available in the Rapid channel.
This release sets sysctl
net.netfilter.nf_conntrack_tcp_be_liberal=1
on the node image. This
discourages netfilter
from resetting TCP connections.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.601 with this release.
October 28, 2020 (R35)
Version 1.18.10-gke.601 is now available in the Rapid channel.
Version 1.18.9-gke.1501 is no longer available in the Rapid channel.
October 20, 2020 (R34)
Version 1.18.9-gke.2501 is now available in the Rapid channel.
Version 1.18.9-gke.2501 is the new default version for clusters in the Rapid channel.
Version 1.18.9-gke.801 is no longer available in the Rapid channel.
October 12, 2020 (R33)
Version 1.18.9-gke.1501 is now available in the Rapid channel.
Version 1.18.9-gke.801 is the new default version for clusters in the Rapid channel.
Version 1.17.9-gke.1504 is no longer available in the Rapid channel.
Version 1.18.6-gke.4801 is no longer available in the Rapid channel.
Auto-upgrading control planes upgrade from versions 1.17, 1.18 to version 1.18.9-gke.801 during this release.
October 02, 2020 (R32)
Version 1.18.9-gke.801 is now available in the Rapid channel.
September 25, 2020 (R31)
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18.6-gke.3504 to version 1.18.6-gke.4801 with this release.
Version 1.18.6-gke.3504 is no longer available in the Rapid channel.
September 15, 2020 (R30)
Version 1.18.6-gke.4801 is now available in the Rapid channel.
Version 1.18.6-gke.3504 is the new default version in the Rapid channel.
Version 1.17.9-gke.1503 is no longer available in the Rapid channel.
Version 1.18.6-gke.3503 is no longer available in the Rapid channel.
September 14, 2020 (R29.1)
Version 1.17.9-gke.1504 is now available in the Rapid channel. This version is now the default.
Known issues
There is a known issue that prevents creating Rapid channel clusters on 1.18. To create a 1.18 cluster on the Rapid channel, create a Rapid channel cluster on 1.17, and then manually upgrade to 1.18.
September 3, 2020 (R29)
Version 1.18.6-gke.3503 is now available in the Rapid channel.
August 27, 2020 (R28)
August 20, 2020 (R27)
Version 1.17.9-gke.1703 is now available in the Rapid channel.
Version 1.17.9-gke.1503 is now available in the Rapid channel. This version is now the default.
August 06, 2020 (R26)
Version 1.17.9-gke.1500 is now available in the Rapid channel.
Version 1.17.9-gke.600 is now available in the Rapid channel.
July 28, 2020 (R25)
Version 1.17.9-gke.600 is now available in the Rapid channel.
Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.17.7-gke.15 to version 1.17.8-gke.17 with this release.
July 22, 2020 (R24)
Version 1.17.8-gke.17 is now available in the Rapid channel.
This version includes node image upgrades for Ubuntu
(ubuntu-gke-1804-1-17-v20200610
) and Windows Server
(windows-server-1909-dc-core-uefi-gke-v1592940889
and
windows-server-2019-dc-core-uefi-gke-v1592939281
).
Version 1.17.7-gke.15 is now available in the Rapid channel.
This version is now the default.Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.17.6-gke.11 to version 1.17.7-gke.15 with this release.
July 13, 2020 (R23)
Version 1.17.7-gke.15 is now available in the Rapid channel.
Fixed issues
June 29, 2020
1.17.6-gke.11 is now available.
June 23, 2020
1.17.6-gke.7 is now available.
June 8, 2020
1.17.6-gke.4 is now available.
June 1, 2020
1.17.5-gke.9 is now available.
May 27, 2020
Known issue
Due to a newly discovered issue, version 1.17.5-gke.6 is no longer available.
May 19, 2020
1.17.5-gke.6 is now available in the Rapid release channel.
All GKE clusters running 1.17.3-gke.3 and up will have etcd upgraded to 3.4.7-0-gke.1. All new GKE clusters with 1.17.3-gke.3 and up will be created with etcd 3.4.7-0-gke.1.
May 13, 2020
1.17.5-gke.0 is now available in the Rapid release channel.
April 27, 2020
1.17.4-gke.10 is now available in the Rapid release channel.
Although clusters in the Rapid channel upgrade automatically, you should still review:
New features
The RunAsUsername feature is now beta and allows specifying the username when running a Windows container.
The RuntimeClass scheduler simplifies scheduling Windows Pods to appropriate nodes
Deprecations
The following node labels are deprecated:
Cluster Versions | Deprecated Label | New Label |
---|---|---|
1.14+ | beta.kubernetes.io/os | kubernetes.io/os |
1.14+ | beta.kubernetes.io/arch | kubernetes.io/arch |
1.17+ | beta.kubernetes.io/instance-type | node.kubernetes.io/instance-type |
1.17+ | failure-domain.beta.kubernetes.io/zone | topology.kubernetes.io/zone |
1.17+ | failure-domain.beta.kubernetes.io/region | topology.kubernetes.io/region |
You must identify any node selectors using beta labels and modify them to use GA labels.
RBAC in the apps/v1alpha1
and apps/v1beta1
API
versions are deprecated in 1.17 and will no longer be served in 1.20. Update
your manifests and API clients to use the rbac.authorization.k8s.io/v1
APIs before 1.20 to avoid any issues.
April 15, 2020
1.16.8-gke.9 is now available in the Rapid release channel.
April 07, 2020
1.16.8-gke.8 is now available in the Rapid release channel. The node image for Container-Optimized OS is updated to cos-77-12371-208-0.
April 1, 2020
1.16.8-gke.4 is now available in the Rapid release channel.
March 26, 2020
1.16.8-gke.3 is now available in the Rapid release channel.
March 20, 2020
1.16.6-gke.18 is now available in the Rapid release channel.
March 16, 2020
1.16.6-gke.13 is now available in the Rapid release channel.
March 6, 2020
New features
The user interface for creating clusters in Google Cloud Console has been redesigned. The new design makes it easier to follow GKE best practices.
Version updates
1.16.6-gke.12 is now available in the Rapid release channel.
Important: Existing clusters enrolled in the Rapid release channel will be auto-upgraded to this version.
February 24, 2020
New features
Ingress for Internal HTTP(S) Load Balancing is now available in Beta. This enables private L7 load balancing inside the VPC that can be deployed with Ingress resources.
February 18, 2020
1.16.5-gke.2 is now available in the Rapid release channel.
Node image for Container-Optimized OS updated to cos-77-12371-141-0.
February 11, 2020
1.16.4-gke.30 is now available in the Rapid release channel.
February 4, 2020
1.16.4-gke.27 is now available in the Rapid release channel.
January 29, 2020
1.16.4-gke.25 is now available in the Rapid release channel.
January 27, 2020
The ability to create clusters with node pools running Microsoft Windows Server is now in Beta.
January 22, 2020
1.16.4-gke.22 is now available in the Rapid release channel.
Added ability to specify minimum CPU Platform for auto-provisioned node pools.
January 8, 2020
Do not update to version 1.16.0-gke.20 if you depend on HPA. Horizontal Pod Autoscaling is not working in this version due to a recently discovered issue. A fix will be released with GKE 1.16.3+.