Release notes (Rapid channel)

This page documents updates to releases in the Google Kubernetes Engine Rapid release channel. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality. The overall release notes also include the information in this page.

GKE follows a predictable multi-day rollout schedule for making new versions available, as well as auto-upgrading cluster control planes and nodes. For more information, see the Rollout schedule.

For more detailed information about security-related known issues, see the security bulletin page.

To view release notes for versions prior to 2020, see the Release notes archive.

You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/kubernetes-engine-rapid-channel-release-notes.xml

February 17, 2021 (2021-R6)

Version 1.19.7-gke.1302 is now available in the Rapid channel. This version is now the default.

Version 1.19.7-gke.1500 is now available in the Rapid channel.

Version 1.18.12-gke.1206 is no longer available in the Rapid channel.

Version 1.19.7-gke.800 is no longer available in the Rapid channel.

Auto-upgrading control planes in the Rapid channel automatically upgrade from version 1.18 to version 1.19.7-gke.1302 with this release.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.19.7-gke.1302 with this release.

February 9, 2021 (2021-R5)

Version 1.18.12-gke.1210 is now available in the Rapid channel. This version is now the default.

Version 1.19.7-gke.1302 is now available in the Rapid channel.

Version 1.18.12-gke.1205 is no longer available in the Rapid channel.

Version 1.19.6-gke.1700 is no longer available in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1206 with this release.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.7-gke.800 with this release.

February 2, 2021 (2021-R4)

Version 1.18.12-gke.1206 is now available in the Rapid channel.

Version 1.19.7-gke.800 is now available in the Rapid channel.

Version 1.19.6-gke.600 is no longer available in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.6-gke.1700 with this release.

January 28, 2021

For clusters using a 1.19 version, with the Container-Optimized OS with Containerd (cos_containerd) node image, dockerd (the Docker Daemon) is not running at boot. It needs to be started manually. This issue will be fixed in a future release.

January 25, 2021 (2021-R3)

Version 1.19.6-gke.1700 is now available in the Rapid channel.

January 19, 2021 (2021-R2)

Version 1.18.12-gke.1205 is now available in the Rapid channel. This version is now the default.

Version 1.19.6-gke.600 is now available in the Rapid channel.

Before upgrading to 1.19.6-gke.600, read the 1.19 available in the Rapid channel section in the release notes.

Version 1.18.12-gke.1200 is no longer available in the Rapid channel.

Version 1.18.12-gke.1202 is no longer available in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1205 with this release.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.6-gke.600 with this release.

1.19 available in the Rapid channel

Kubernetes 1.19 is now available in Rapid channel. Before upgrading to 1.19.6-gke.600, read Kubernetes 1.19 Release Notes especially the Urgent upgrade notes section.

Changes

Basic authentication with a password has been removed in Kubernetes 1.19. Clusters upgraded to 1.19 can no longer use basic authentication to authenticate users to the control plane.

Features

Seccomp (secure computing mode) support for Kubernetes has graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or individual containers.

A new seccompProfile field is added to Pod and Container securityContext objects, starting in Kubernetes 1.19.

securityContext:
  seccompProfile:
    # "Unconfined", "RuntimeDefault", or "Localhost"
    type: Localhost
    # only necessary if type == Localhost
    localhostProfile: my-profiles/profile-allow.json

The alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io/…are deprecated in favor of the GA API field. The alpha annotations will not be honored in Kubernetes 1.22+.

If you are currently using Seccomp annotations on Pods or Containers, you should identify and transition workloads using the annotations to set the API fields before 1.21 is released on GKE (approximately in June 2021). No change on PodSecurityPolicy is required, as it supports both annotation and field seccomp profiles. You can follow the recommended steps below:

  1. Locate Seccomp annotation usages. In your Kubernetes manifest files, search for "seccomp.security.alpha.kubernetes.io/pod" and "container.seccomp.security.alpha.kubernetes.io/"".

  2. Add or update securityContext fields. Based on your annotation usage, add or update (if securityContext already exists) the securityContext field in Pod or Container spec. The annotations can be left in place, but must match the securityContext API field.

    Current annotation usage Add or update securityContext
    seccomp.security.alpha.kubernetes.io/pod In Pod's securityContext, add seccompProfile field.
    container.seccomp.security.alpha.kubernetes.io/CONTAINER_NAME In CONTAINER_NAME's securityContext, add seccompProfile field.
  3. Set values for seccompProfile. The type field of seccompProfile corresponds to the annotation value, and localhostProfile field corresponds to the path following localhost annotation value.

    Current annotation value seccompProfile value
    unconfined seccompProfile:
    type: Unconfined
    runtime/default
    or docker/default
    seccompProfile:
    type: RuntimeDefault
    localhost/path/to/profile.json seccompProfile:
    type: Localhost
    localhostProfile: path/to/profile.json

For more details, see the following pages:

The widely used Ingress API has graduated to general availability in Kubernetes 1.19. The v1beta1 Ingress API is deprecated, and will no longer be served in 1.22+. Before 1.21, identify and transition clients and manifests using the v1beta1 Ingress API to use networking.k8s.io/v1.

Clusters withGoogle Cloud's operations suite enabled can use the following query to identify clients that access the Ingress v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion=("extensions/v1beta1" OR "networking.k8s.io/v1beta1")
protoPayload.request.kind="Ingress"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 Ingress APIs to use networking.k8s.io/v1 before v1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the 1.21 timeframe. Workloads using the v1beta1 APIs need to be upgraded before your cluster is upgraded to GKE 1.22.

To migrate manifests to networking.k8s.io/v1:

  1. Rename the spec.backend field (if specified) to spec.defaultBackend
  2. Rename each backend.serviceName field to backend.service.name
  3. Rename each numeric backend.servicePort field to backend.service.port.number
  4. Rename each string backend.servicePort field to backend.service.port.name
  5. Specify a pathType field for each defined path. Options are Prefix, Exact, and ImplementationSpecific. To match the undefined v1beta1 behavior, use ImplementationSpecific.

As an example, to migrate this v1beta1 manifest to v1:

v1beta1 manifest

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
spec:
  backend:
    serviceName: default-backend
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80

v1 manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
spec:
  defaultBackend:
    service:
      name: default-backend
      port:
        number: 80
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 80

The CertificateSigningRequest API has graduated to certificates.k8s.io/v1 in Kubernetes 1.19. The v1beta1 CertificateSigningRequest API is deprecated and will no longer be served in 1.22+.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the CertificateSigningRequest v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion="certificates.k8s.io/v1beta1"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 CertificateSigningRequest API to use certificates.k8s.io/v1 before 1.21 is released on GKE (approximately in June 2021), then verifying no clients are using the v1beta1 API during the 1.21 timeframe. Workloads using the v1beta1 API need to be upgraded before your cluster is upgraded to GKE 1.22.

Differences between the v1beta1 and v1 API are as follows:

  • For API clients requesting certificates:

    • spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created using the certificates.k8s.io/v1 API
    • spec.usages is now required, cannot contain duplicate values, and must only contain known usages
  • For API clients approving or signing certificates:

    • status.conditions cannot contain duplicate types
    • status.conditions[*].status is now required
    • status.certificate must be PEM-encoded, and must contain only CERTIFICATE blocks

January 8, 2021 (2021-R1)

Version 1.18.12-gke.1201 is now available in the Rapid channel. This version is now the default.

Version 1.18.12-gke.1205 is now available in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1201 with this release.

December 14, 2020 (R41)

Version 1.18.12-gke.1201 is now available in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.1200 with this release.

December 7, 2020 (R40)

Version 1.18.12-gke.1200 is now available in the Rapid channel.

Version 1.18.12-gke.300 is now the default in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.12-gke.300 with this release.

Version 1.18.10-gke.2701 is no longer available in the Rapid channel.

December 1, 2020 (R39)

Version 1.18.12-gke.300 is now available in the Rapid channel. This version is now the default.

1.18.10-gke.2701 is now the default version in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.2701 with this release.

Version 1.18.10-gke.2101 is no longer available in the Rapid channel.

November 25, 2020

Auto-upgrade status

GKE Auto-Upgrade is currently suspended for control planes, and nodes. Manual upgrades are available.

November 24, 2020

The November 17, 2020 release removed the following GKE version.

Version 1.18.10-gke.1500 is no longer available in the Rapid channel.

November 12, 2020 (R38)

This note was updated on November 24, 2020.

Version 1.18.10-gke.2701 is now available in the Rapid channel. This version is now the default.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.2101 with this release.

The issue from September 28, 2020 with Container Threat Detection on GKE 1.18 is resolved in GKE versions versions 1.18.9-gke.1300 and later and 1.19.2-gke.2000 and later.

November 12, 2020 (R37)

Version 1.18.10-gke.2101 is now available in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.1500 with this release.

Version 1.18.10-gke.1500 is the new default version in the Rapid channel.

November 4, 2020 (R36)

Version 1.18.10-gke.1500 is now available in the Rapid channel.

This release sets sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1 on the node image. This discourages netfilter from resetting TCP connections.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.18.10-gke.601 with this release.

October 28, 2020 (R35)

Version 1.18.10-gke.601 is now available in the Rapid channel.

Version 1.18.9-gke.1501 is no longer available in the Rapid channel.

October 20, 2020 (R34)

Version 1.18.9-gke.2501 is now available in the Rapid channel.

Version 1.18.9-gke.2501 is the new default version for clusters in the Rapid channel.

Version 1.18.9-gke.801 is no longer available in the Rapid channel.

October 12, 2020 (R33)

Version 1.18.9-gke.1501 is now available in the Rapid channel.

Version 1.18.9-gke.801 is the new default version for clusters in the Rapid channel.

Version 1.17.9-gke.1504 is no longer available in the Rapid channel.

Version 1.18.6-gke.4801 is no longer available in the Rapid channel.

Auto-upgrading control planes upgrade from versions 1.17, 1.18 to version 1.18.9-gke.801 during this release.

October 02, 2020 (R32)

Version 1.18.9-gke.801 is now available in the Rapid channel.

September 25, 2020 (R31)

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18.6-gke.3504 to version 1.18.6-gke.4801 with this release.

Version 1.18.6-gke.3504 is no longer available in the Rapid channel.

September 15, 2020 (R30)

Version 1.18.6-gke.4801 is now available in the Rapid channel.

Version 1.18.6-gke.3504 is the new default version in the Rapid channel.

Version 1.17.9-gke.1503 is no longer available in the Rapid channel.

Version 1.18.6-gke.3503 is no longer available in the Rapid channel.

Auto-upgrading nodes and control planes upgrade from version 1.17 to version 1.17.9-gke.1504 during this release.

September 14, 2020 (R29.1)

Version 1.17.9-gke.1504 is now available in the Rapid channel. This version is now the default.

Known issues

There is a known issue that prevents creating Rapid channel clusters on 1.18. To create a 1.18 cluster on the Rapid channel, create a Rapid channel cluster on 1.17, and then manually upgrade to 1.18.

September 3, 2020 (R29)

Version 1.18.6-gke.3503 is now available in the Rapid channel.

August 27, 2020 (R28)

Version 1.17.9-gke.1703 is no longer available.

August 20, 2020 (R27)

Version 1.17.9-gke.1703 is now available in the Rapid channel.

Version 1.17.9-gke.1503 is now available in the Rapid channel. This version is now the default.

Version 1.17.9-gke.600 is no longer available.

August 06, 2020 (R26)

Version 1.17.9-gke.1500 is now available in the Rapid channel.

Version 1.17.9-gke.600 is now available in the Rapid channel.

July 28, 2020 (R25)

Version 1.17.9-gke.600 is now available in the Rapid channel.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.17.7-gke.15 to version 1.17.8-gke.17 with this release.

July 22, 2020 (R24)

Version 1.17.8-gke.17 is now available in the Rapid channel.

This version includes node image upgrades for Ubuntu (ubuntu-gke-1804-1-17-v20200610) and Windows Server (windows-server-1909-dc-core-uefi-gke-v1592940889 and windows-server-2019-dc-core-uefi-gke-v1592939281).

Version 1.17.7-gke.15 is now available in the Rapid channel.

This version is now the default.

Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.17.6-gke.11 to version 1.17.7-gke.15 with this release.

July 13, 2020 (R23)

Version 1.17.7-gke.15 is now available in the Rapid channel.

Fixed issues

A bug in gVisor has been fixed. Default gVisor node labels are now applied when user-specified labels.

June 29, 2020

1.17.6-gke.11 is now available.

June 23, 2020

1.17.6-gke.7 is now available.

June 8, 2020

1.17.6-gke.4 is now available.

June 1, 2020

1.17.5-gke.9 is now available.

May 27, 2020

Known issue

Due to a newly discovered issue, version 1.17.5-gke.6 is no longer available.

May 19, 2020

1.17.5-gke.6 is now available in the Rapid release channel.

All GKE clusters running 1.17.3-gke.3 and up will have etcd upgraded to 3.4.7-0-gke.1. All new GKE clusters with 1.17.3-gke.3 and up will be created with etcd 3.4.7-0-gke.1.

May 13, 2020

1.17.5-gke.0 is now available in the Rapid release channel.

April 27, 2020

1.17.4-gke.10 is now available in the Rapid release channel.

Although clusters in the Rapid channel upgrade automatically, you should still review:

New features

The RunAsUsername feature is now beta and allows specifying the username when running a Windows container.

The RuntimeClass scheduler simplifies scheduling Windows Pods to appropriate nodes

Deprecations

The following node labels are deprecated:

Cluster Versions Deprecated Label New Label
1.14+ beta.kubernetes.io/os kubernetes.io/os
1.14+ beta.kubernetes.io/arch kubernetes.io/arch
1.17+ beta.kubernetes.io/instance-type node.kubernetes.io/instance-type
1.17+ failure-domain.beta.kubernetes.io/zone topology.kubernetes.io/zone
1.17+ failure-domain.beta.kubernetes.io/region topology.kubernetes.io/region

You must identify any node selectors using beta labels and modify them to use GA labels.

RBAC in the apps/v1alpha1 and apps/v1beta1 API versions are deprecated in 1.17 and will no longer be served in 1.20. Update your manifests and API clients to use the rbac.authorization.k8s.io/v1 APIs before 1.20 to avoid any issues.

April 15, 2020

1.16.8-gke.9 is now available in the Rapid release channel.

April 07, 2020

1.16.8-gke.8 is now available in the Rapid release channel. The node image for Container-Optimized OS is updated to cos-77-12371-208-0.

April 1, 2020

1.16.8-gke.4 is now available in the Rapid release channel.

March 26, 2020

1.16.8-gke.3 is now available in the Rapid release channel.

March 20, 2020

1.16.6-gke.18 is now available in the Rapid release channel.

March 16, 2020

1.16.6-gke.13 is now available in the Rapid release channel.

March 6, 2020

New features

The user interface for creating clusters in Google Cloud Console has been redesigned. The new design makes it easier to follow GKE best practices.

Version updates

1.16.6-gke.12 is now available in the Rapid release channel.

Important: Existing clusters enrolled in the Rapid release channel will be auto-upgraded to this version.

February 24, 2020

New features

Ingress for Internal HTTP(S) Load Balancing is now available in Beta. This enables private L7 load balancing inside the VPC that can be deployed with Ingress resources.

February 18, 2020

1.16.5-gke.2 is now available in the Rapid release channel.

Node image for Container-Optimized OS updated to cos-77-12371-141-0.

February 11, 2020

1.16.4-gke.30 is now available in the Rapid release channel.

February 4, 2020

1.16.4-gke.27 is now available in the Rapid release channel.

January 29, 2020

1.16.4-gke.25 is now available in the Rapid release channel.

January 27, 2020

January 22, 2020

1.16.4-gke.22 is now available in the Rapid release channel.

Added ability to specify minimum CPU Platform for auto-provisioned node pools.

January 8, 2020

Do not update to version 1.16.0-gke.20 if you depend on HPA. Horizontal Pod Autoscaling is not working in this version due to a recently discovered issue. A fix will be released with GKE 1.16.3+.