For more detailed information about security-related known issues, see the security bulletin page.
To get the latest product updates delivered to you, add the URL of this page to your
feed
reader, or add the feed URL directly: https://cloud.google.com/feeds/kubernetes-engine-rapid-channel-release-notes.xml
January 8, 2020
Do not update to version 1.16.0-gke.20 if you depend on HPA. Horizontal Pod Autoscaling is not working in this version due to a recently discovered issue. A fix will be released with GKE 1.16.3+.
December 23, 2019
Global access for internal TCP/UDP load balancing Services is now Beta. Global access allows internal load balancing IP addresses to be accessed from any region within a VPC.
December 13, 2019
1.16.0-gke.20
GKE 1.16.0-gke.20 (alpha) is now available for testing and validation in the Rapid release channel.
Added support for PVMs in node auto-provisioning.
New clusters have the cos-metrics-enabled flag enabled by
default. This change allows kernel crash logs to be collected. You can
disable by adding --metadata cos-metrics-enabled=false
when you create clusters.
Retired APIs
extensions/v1beta1, apps/v1beta1, and apps/v1beta2 won't be served by default.
-
All resources under
apps/v1beta1andapps/v1beta2- useapps/v1instead. -
daemonsets,deployments,replicasetsresources underextensions/v1beta1- useapps/v1instead. -
networkpoliciesresources underextensions/v1beta1- usenetworking.k8s.io/v1instead. -
podsecuritypoliciesresources underextensions/v1beta1- usepolicy/v1beta1instead.
November 5, 2019
1.15.4-gke.18
GKE 1.15.4-gke.18 (alpha) is now available for testing and validation in the Rapid release channel.
This release includes a patch for the golang vulnerability CVE-2019-17596, fixed in go-boringcrypto 1.13.1 and 1.12.11.
October 30, 2019
1.15.4-gke.17
GKE 1.15.4-gke.17 (alpha) is now available for testing and validation in the Rapid release channel.
Fixes a known issue reported on October 11, 2019 regarding fdatasync performance regression on COS/Ubuntu. Node image for Container-Optimized OS updated to cos-77-12371-89-0. Node image for Ubuntu updated to ubuntu-gke-1804-d1903-0-v20191011a
October 18, 2019
1.15.4-gke.15
GKE 1.15.4-gke.15 (alpha) is now available for testing and validation in the Rapid release channel.
This release includes a patch for CVE-2019-11253. For more information, see the security bulletin for October 16, 2019.
October 11, 2019
1.15.3-gke.18
GKE 1.15.3-gke.18 (alpha) is now available for testing and validation in the Rapid release channel.
Upgraded Istio to 1.2.5.
Improvements to gVisor.
Node image for Container-Optimized OS updated to cos-rc-77-12371-44-0. This update includes upgrading the kernel to 4.19 from 4.14 and upgrading Docker to 19.03 from 18.09.
Node image for Ubuntu updated to ubuntu-gke-1804-d1903-0-v20190917a. This update includes upgrading the kernel to 5 from 4.15 and upgrading Docker to 19.03 from 18.09.
Do not update to this version if you have clusters with hundreds of nodes per cluster or with I/O intensive workloads. Clusters with these characteristics may be impacted by a known issue in versions 4.19 and 5.0 of the Linux kernel that introduces performance regressions in the `fdatasync` system call.
September 26, 2019
1.15.3-gke.1
GKE 1.15.3-gke.1 (alpha) is now available for testing and validation in the Rapid release channel.
For more details, refer to the release notes for Kubernetes v1.15.
Starting with GKE v1.15, the open source Kubernetes Dashboard is no longer natively supported in GKE as a managed add-on. To deploy it manually, follow the deployment instructions in the Kubernetes Dashboard documentation.
Resizing PersistentVolumes is now a beta feature. As part of this change, resizing a PersisntentVolume no longer requires you to restart the Pod.
September 16, 2019
Correction
The release notes for September 16, 2019 were incorrectly published early, on September 9. The incorrect release notes included an announcement of the availability of a security patch that was not actually made available on that date. For more information about the security patch, see the security bulletin for September 16, 2019.
v1.14.6-gke.1
This release includes a patch for CVE-2019-9512 and CVE-2019-9514. For more information, see the security bulletin for September 16, 2019.
Reduces startup time for GPU nodes running Container-Optimized OS.
September 9, 2019
The release notes for September 16, 2019 were incorrectly published early, on September 9. The incorrect release notes included an announcement of the availability of a security patch that was not actually made available on that date. For more information about the security patch, see the security bulletin for September 16, 2019.
September 5, 2019
GKE 1.14.5-gke.5 is now available in the Rapid release channel. It includes bug fixes and performance improvements. For more details, refer to the release notes for Kubernetes v1.14.
August 22, 2019
GKE 1.14.3-gke.11 (alpha) is now available for testing and validation in the Rapid release channel. For more details, refer to the release notes for Kubernetes v1.14.
This version mitigates against the vulnerability described in the security bulletin published on August 5, 2019.
Upgrade Istio to 1.1.13, to address address two vulnerabilities announced by the Istio project. These vulnerabilities can be used to mount a Denial of Service (DoS) attack against services using Istio.
The node image for Container-Optimized OS (COS) is now cos-73-11647-267-0.
When creating a new GKE cluster, Stackdriver Kubernetes Engine Monitoring is now the default Stackdriver support option. This is a change from prior versions where Stackdriver Logging and Stackdriver Monitoring were the default Stackdriver support option. For more information, see Overview of Stackdriver support for GKE.
New features
Config Connector is a Kubernetes addon that allows you to manage your Google Cloud resources through Kubernetes configuration.
August 12, 2019
1.14.3-gke.10
1.14.3-gke.10
GKE 1.14.3-gke.10 (alpha) is now available for testing and validation in the Rapid release channel. For more details, refer to the release notes for Kubernetes v1.14.
Fixes the vulnerability announced in the security bulletin for August 5, 2019.
Fixes a problem where Cluster Autoscaler can create too many nodes when scaling up.
In v1.14.3-gke.10 and higher,
GKE Sandbox
uses the gvisor.config.common-webhooks.networking.gke.io webhook, which
is created when the cluster starts and makes sandboxed nodes available faster.
Clusters running v1.13.6-gke.0 or higher can use Shielded GKE Nodes (beta), which provide strong, verifiable node identity and integrity to increase the security of your nodes.
Rollout schedule
The rollout schedule is now included in Versioning and upgrades.
August 1, 2019
For important information about the July 8, 2019 release, see the main GKE release note for August 1, 2019.
July 29, 2019
VPC-native is no longer the default cluster network mode for new
clusters created using gcloud v256.0.0 or higher. Instead, the routes-based
cluster network mode is used by default. We recommend manually enabling
VPC-native, to
avoid exhausting routes quota.
gcloud versions 251.0.0 through 255.0.0.
Routes-based clusters are created by default when using the REST API.
June 27, 2019
1.14.3-gke.9
This version contains a patch for recently discovered TCP vulnerabilities in the Linux kernel. See the associated security bulletin for more information.
June 4, 2019
v1.14.1-gke.5 is the default for new Rapid channel clusters. This version includes patched node images that address CVE-2019-11245.
GKE nodes running Kubernetes v1.14.2 are affected by CVE-2019-11245. Information about the impact and mitigation of this vulnerability is available in this Kubernetes issue report. In addition to security concerns, this bug can cause Pods that must run as a specific UID to fail.
June 3, 2019
Corrections
The rollout dates for the May 28, 2019 releases are incorrect. Day 2 spanned May 29-30, day 3 is May 31, and day 4 is June 3.
May 28, 2019
v1.14.2-gke.2 is the default for new Rapid channel clusters, and includes the following changes:
GKE Sandbox is supported on v1.14.x clusters running v1.14.2-gke.2 or higher.
The node image for Container-Optimized OS (COS) is now cos-u-73-11647-182-0.
The node image for Ubuntu is now ubuntu-gke-1804-d1809-0-v20190517.
-
Node images have been updated to fix Microarchitectural Data Sampling (MDS) vulnerabilities announced by Intel. For more information, see the security bulletin.
The patch alone is not sufficient to mitigate exposure to this vulnerability. For more information, see the security bulletin.
-
Nodes using these images are now shielded VMs with the following properties:
- UEFI boot is enabled.
- SecureBoot is disabled.
- vTPM is enabled.
- Integrity Monitoring is enabled.
The following IP ranges have been added to default non-IP-masq
iptables rules:
100.64.0.0/10192.0.0.0/24192.0.2.0/24192.88.99.0/24198.18.0.0/15198.51.100.0/24203.0.113.0/24240.0.0.0/4
May 20, 2019
No v1.14.x versions this week.
New features
Stackdriver Kubernetes Engine Monitoring is now generally available for clusters using the following GKE versions:
- 1.12.x clusters v1.12.7-gke.17 and newer
- 1.13.x clusters v1.13.5-gke.10 and newer
- 1.14.x (Alpha) clusters v1.14.1-gke.5 and newer
Users of the legacy Stackdriver support are encouraged to migrate to Stackdriver Kubernetes Engine Monitoring before support for legacy Stackdriver is removed.
Rollout schedule
The rollout schedule is now included in Versioning and upgrades.
May 13, 2019
GKE v1.14.1-gke.5 (alpha) is now available for testing and validation in the Rapid release channel. For more details, refer to the release notes for Kubernetes v1.14.
Changes
GKE v1.14.x has the following differences from Kubernetes 1.14.1.
- GKE v1.14.x uses
kube-dnsrather thancore-dns. - GKE v1.14.x does not support
Dramatically Simplify Kubernetes Cluster Creation,
a sub-feature of
kubeadm. - GKE v1.14.x does not support taint-based eviction.
You cannot yet create an alpha cluster running GKE
v1.14.x. If you attempt to use the --enable-kubernetes-alpha flag,
cluster creation fails.
