GKE release notes

This page documents production updates to Google Kubernetes Engine (GKE). You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

This page includes release notes for all channels and releases.

Current versions

The following table lists the latest minor versions available as defaults in GKE for the specified release channels. This table includes the latest default GKE patch version and the Container-Optimized OS version for each supported minor version.

Kubernetes minor versions	1.21	1.21	1.21	1.22
GKE release channel	Static¹ (no channel)	Stable	Regular	Rapid
Default patch version	1.21.11-gke.1100	1.21.11-gke.900	1.21.11-gke.1100	1.22.8-gke.2200
COS version available	cos-89-16108-604-28	cos-89-16108-604-28	cos-89-16108-604-28	cos-93-16623-102-34

For information on the current versions rollout and support schedule, see the GKE release schedule. For information on versioning and upgrades, see GKE versioning and support and Upgrades.

Other versions may be available for static version clusters. ↩

Other resources

For more detailed information about security-related known issues, see the security bulletin page.

To view release notes for versions prior to 2020, see the Release notes archive.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gke-main-release-notes.xml

May 20, 2022

You can now quickly identify which of your workloads are underutilized in the Cost Optimization tab. You can also quickly apply suggested values for resource requests and limits (or your own preferred values).

This feature is now available in Preview. For more information, see GKE workload rightsizing.

May 19, 2022

(2022-R12) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Version 1.21.11-gke.1100 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.19.16-gke.9400
- 1.19.16-gke.9900
- 1.21.9-gke.1002
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.16-gke.10800 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.21.11-gke.900 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.11-gke.900 with this release.

Stable channel

Version 1.21.11-gke.900 is now the default version in the Stable channel.
The following versions are now available in the Stable channel:
The following versions are no longer available in the Stable channel:
- 1.19.16-gke.9900
- 1.20.15-gke.3400
- 1.20.15-gke.3600
- 1.20.15-gke.4100
- 1.21.10-gke.2000
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.10800 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.21.11-gke.900 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to 1.21.11-gke.900 with this release.

Regular channel

Version 1.21.11-gke.1100 is now the default version in the Regular channel.
The following versions are now available in the Regular channel:
The following versions are no longer available in the Regular channel:
- 1.20.15-gke.5200
- 1.21.9-gke.1002
- 1.21.10-gke.400
- 1.21.10-gke.2000
- 1.21.11-gke.900
- 1.22.6-gke.300
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.6000 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.11-gke.1100 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.11-gke.1100 with this release.

Rapid channel

The following versions are now available in the Rapid channel:
The following versions are no longer available in the Rapid channel:
- 1.21.11-gke.1100
- 1.22.7-gke.1500
- 1.22.8-gke.200
- 1.23.5-gke.1500
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.11-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.11-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.5-gke.2400 with this release.

May 13, 2022

Tags are now available. You can use tags to group or organize your clusters according to custom business dimensions. This is in addition to the hierarchical resource organization provided by GCP's resource manager. The integration of tags with policy engines (via conditional rules) such as IAM or Organization Policy, also allows you to apply centralized policies to custom security perimeters defined through tag bindings.

May 11, 2022

(2022-R11) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.21.11-gke.900 is now the default version.
The following control plane versions are no longer available:
- 1.21.6-gke.1503
- 1.21.9-gke.300
- 1.21.9-gke.1001
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.16-gke.9900 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.16-gke.9900 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.23 to 1.23.5-gke.1501 with this release.

Stable channel

The following versions are now available in the Stable channel:
Version 1.19.16-gke.9400 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.9900 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.9900 with this release.

Regular channel

Version 1.21.11-gke.900 is now the default version in the Regular channel.
The following versions are now available in the Regular channel:
- 1.20.15-gke.5200
- 1.21.11-gke.1100
The following versions are no longer available in the Regular channel:
- 1.20.15-gke.5000
- 1.21.6-gke.1503
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.5200 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.11-gke.900 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.11-gke.900 with this release.

Rapid channel

Version 1.22.8-gke.2200 is now the default version in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.22.8-gke.2200 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.8-gke.2200 with this release.

May 10, 2022

The europe-southwest1 region in Madrid is now available.

May 04, 2022

Spot Pods for GKE Autopilot clusters is now generally available. Use Spot Pods to run your fault-tolerant workloads at reduced costs.

Spot VMs on GKE is now generally available. Spot VMs let you run fault-tolerant workloads at lower costs.

May 03, 2022

(2022-R10) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.19.16-gke.9200
- 1.20.15-gke.2500
- 1.21.5-gke.1805
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.21.10-gke.2000 with this release.

Stable channel

Version 1.21.10-gke.2000 is now the default version in the Stable channel.
The following versions are now available in the Stable channel:
The following versions are no longer available in the Stable channel:
- 1.19.16-gke.9200
- 1.20.15-gke.2500
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.21.10-gke.2000 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.22 to 1.22.8-gke.200 with this release.

Regular channel

The following versions are now available in the Regular channel:
The following versions are no longer available in the Regular channel:
- 1.20.15-gke.4100
- 1.21.5-gke.1805
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.5000 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.15-gke.5000 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.23 to 1.23.5-gke.1501 with this release.

Rapid channel

The following versions are now available in the Rapid channel:
The following versions are no longer available in the Rapid channel:
- 1.21.11-gke.900
- 1.22.7-gke.1300
- 1.23.5-gke.200
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to 1.20.15-gke.4100 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.11-gke.1100 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.11-gke.1100 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.5-gke.1500 with this release.

The europe-west9 region in Paris is now available.

April 27, 2022

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666 have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.

April 21, 2022

(2022-R9) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.21.10-gke.2000 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.19.16-gke.8300
- 1.20.15-gke.1000
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.19.16-gke.9200 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.20.15-gke.3400 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.15-gke.3400 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to version 1.21.10-gke.2000 with this release.

Stable channel

Note: Your clusters might not have these versions available. Rollouts begin on the day of the note and take four or more business days to be completed across all Google Cloud zones.

Version 1.21.10-gke.2000 is now the default version in the Stable channel.
The following versions are now available in the Stable channel:
The following versions are no longer available in the Stable channel:
- 1.19.16-gke.9200
- 1.20.15-gke.2500
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.9400 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.21.10-gke.2000 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.22 to 1.22.8-gke.200 with this release.

Regular channel

Version 1.21.10-gke.2000 is now the default version in the Regular channel.
The following versions are now available in the Regular channel:
- 1.20.15-gke.4100
- 1.22.8-gke.200
Version 1.20.15-gke.3600 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.19.16-gke.9200 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to version 1.20.15-gke.4100 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to version 1.21.10-gke.2000 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to version 1.21.10-gke.2000 with this release.

Rapid channel

The following versions are now available in the Rapid channel:
- 1.21.11-gke.1100
- 1.23.5-gke.1500
The following versions are no longer available in the Rapid channel:
- 1.21.10-gke.2000
- 1.22.7-gke.900
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.16-gke.9200 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.20.15-gke.2500 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.21.11-gke.900 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to version 1.21.11-gke.900 with this release.

April 20, 2022

The europe-west8 region in Milan is now available.

April 13, 2022

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). This vulnerability affects all GKE node operating systems (Container-Optimized OS and Ubuntu) which use containerd by default. All GKE, Autopilot, and GKE Sandbox nodes are affected.

For more information, see the GCP-2022-013 security bulletin.

Egress NAT policy to configure IP masquerade is now generally available on GKE Autopilot clusters with Dataplane v2 in versions 1.22.7-gke.1500+ or 1.23.4-gke.1600+. For configuration examples of Egress NAT policy, see Egress NAT Policy documentation.

April 11, 2022

(2022-R8) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.19.16-gke.6800
- 1.20.15-gke.300
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.19.16-gke.8300 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.20.15-gke.2500 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.15-gke.2500 with this release.

Stable channel

Version 1.20.15-gke.2500 is now the default version in the Stable channel.
The following versions are now available in the Stable channel:
The following versions are no longer available in the Stable channel:
- 1.19.16-gke.6800
- 1.20.15-gke.300
- 1.21.5-gke.1805
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.19.16-gke.8300 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to version 1.20.15-gke.2500 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to version 1.20.15-gke.2500 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to version 1.21.10-gke.2000 with this release.

Regular channel

Version 1.20.15-gke.3600 is now available in the Regular channel.
Version 1.20.15-gke.2500 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.19.16-gke.8300 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to version 1.20.15-gke.3600 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to version 1.21.6-gke.1503 with this release.

Rapid channel

Version 1.22.8-gke.200 is now the default version in the Rapid channel.
Version 1.21.11-gke.900 is now available in the Rapid channel.
The following versions are no longer available in the Rapid channel:
- 1.21.10-gke.1500
- 1.22.7-gke.300
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.16-gke.8300 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.20.15-gke.1000 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.21.10-gke.2000 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to version 1.22.8-gke.200 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to version 1.22.8-gke.200 with this release.

April 08, 2022

A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root.

For more information, see the GCP-2022-012 security bulletin.

March 31, 2022

(2022-R7) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.21.6-gke.1503 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.19.16-gke.6100
- 1.20.12-gke.1500
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.16-gke.6800 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.19.16-gke.6800 with this release.

Stable channel

The following versions are now available in the Stable channel:
- 1.19.16-gke.8300.
- 1.20.15-gke.2500.
The following versions are no longer available in the Stable channel:
- 1.19.16-gke.6100
- 1.20.12-gke.1500
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.6800 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.6800 with this release.

Regular channel

Version 1.21.6-gke.1503 is now the default version in the Regular channel.
The following versions are now available in the Regular channel:
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.6-gke.1503 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.6-gke.1503 with this release.

Rapid channel

Version 1.22.7-gke.1500 is now the default version in the Rapid channel.
The following versions are now available in the Rapid channel:
The following versions are no longer available in the Rapid channel:
- 1.21.10-gke.1300
- 1.23.4-gke.1600
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.10-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.10-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.5-gke.200 with this release.

March 22, 2022

There is a misconfiguration with Simultaneous Multi-Threading (SMT), also known as Hyper-threading, on GKE Sandbox images. The misconfiguration leaves nodes potentially exposed to side channel attacks such as Microarchitectural Data Sampling (MDS) (for more context, see GKE Sandbox documentation). We do not recommend using the following affected versions:

1.22.4-gke.1501
1.22.6-gke.300
1.23.2-gke.300
1.23.3-gke.600

For instructions and more details, see the GKE security bulletin.

March 21, 2022

(2022-R6) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.20.15-gke.1000 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.15-gke.1000 with this release.

Stable channel

Version 1.20.15-gke.1000 is now the default version in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.15-gke.1000 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.15-gke.1000 with this release.

Regular channel

The following versions are now available in the Regular channel:
- 1.20.15-gke.2500
- 1.21.10-gke.400
The following versions are no longer available in the Regular channel:
- 1.20.15-gke.1000
- 1.21.6-gke.1503
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.2500 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.15-gke.2500 with this release.

Rapid channel

Version 1.22.7-gke.900 is now the default version in the Rapid channel.
The following versions are now available in the Rapid channel:
The following versions are no longer available in the Rapid channel:
- 1.21.10-gke.400
- 1.22.6-gke.1500
- 1.23.4-gke.1300
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.10-gke.1300 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.10-gke.1300 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.7-gke.300 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.4-gke.1600 with this release.

March 16, 2022

Starting in GKE version 1.22, the Compute Engine persistent disk CSI driver is generally available for Windows clusters.

March 15, 2022

The following GKE versions fix a known issue in which random TCP connection resets might happen for GKE nodes that use Container-Optimized OS with Docker (cos). To fix the issue, upgrade your nodes to any of these versions:

1.20.15-gke.3400 and later
1.21.10-gke.1300 and later
1.22.7-gke.1300 and later
1.23.4-gke.1300 and later

March 14, 2022

(2022-R5) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.21.9-gke.1002 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.19.16-gke.3600
- 1.20.11-gke.1300
- 1.20.11-gke.1801
- 1.22.4-gke.1501
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.16-gke.6100 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.20.15-gke.300 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.15-gke.300 with this release.

Stable channel

Version 1.20.15-gke.300 is now the default version in the Stable channel.
The following versions are now available in the Stable channel:
- 1.19.16-gke.6800
- 1.20.15-gke.1000
The following versions are no longer available in the Stable channel:
- 1.19.16-gke.3600
- 1.20.11-gke.1801
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.6100 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.15-gke.300 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.15-gke.300 with this release.

Regular channel

Version 1.21.9-gke.1002 is now the default version in the Regular channel.
Version 1.20.15-gke.1000 is now available in the Regular channel.
Version 1.20.15-gke.300 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.1000 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.9-gke.1002 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.9-gke.1002 with this release.

Rapid channel

Version 1.22.7-gke.300 is now the default version in the Rapid channel.
The following versions are now available in the Rapid channel:
The following versions are no longer available in the Rapid channel:
- 1.21.9-gke.1002
- 1.22.6-gke.1000
- 1.23.4-gke.300
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.10-gke.400 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.10-gke.400 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.22 to 1.22.6-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.23 to 1.23.4-gke.1300 with this release.

If you specify --enable-dataplane-v2 in a Windows LTSC node pool running GKE version 1.22.7-gke.1300, Windows nodes cannot join the cluster.

March 10, 2022

In GKE version 1.23.2-gke.300 and later, you can now use network tags to dynamically apply firewall rules to nodes in your GKE Autopilot clusters and auto-provisioned GKE Standard node pools without disrupting running workloads.

March 09, 2022

The following GKE versions fix a known issue in which the CAP_NET_BIND_SERVICE file capability was dropped from the metrics-server. To fix the issue, upgrade your control plane to any of these versions:

1.21.9-gke.1002 and later
1.21.10-gke.400 and later
1.22.6-gke.300 and later
1.22.7-gke.300 and later
1.22.7-gke.900 and later
1.23.4-gke.300 and later

March 08, 2022

Setting a minimum CPU platform for node pools created by node auto-provisioning using the autoscaling.autoprovisioning_node_pool_defaults.min_cpu_platform field is deprecated. This field will be removed in a future release. In GKE versions 1.23 and later, you can request a minimum CPU platform at the workload level using a node selector or node affinity rule for cloud.google.com/requested-min-cpu-platform. For instructions, refer to Minimum CPU platform.

March 07, 2022

(2022-R4) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
- 1.19.16-gke.8300.
- 1.20.15-gke.2500.
- 1.21.9-gke.1002.
- 1.21.10-gke.400.
- 1.22.7-gke.300.
- 1.22.7-gke.900.
The following control plane versions are no longer available:
- 1.19.16-gke.1500
- 1.21.5-gke.1802
- 1.22.3-gke.1500
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.16-gke.3600 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.16-gke.3600 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.6-gke.1503 with this release.

Stable channel

The following versions are now available in the Stable channel:
- 1.19.16-gke.6100.
- 1.20.15-gke.300.
The following versions are no longer available in the Stable channel:
- 1.19.16-gke.1500
- 1.20.11-gke.1300
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.3600 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.3600 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to 1.21.5-gke.1805 with this release.

Regular channel

The following versions are now available in the Regular channel:
The following versions are no longer available in the Regular channel:
- 1.20.12-gke.1500
- 1.21.5-gke.1805
- 1.22.3-gke.1500
- 1.22.4-gke.1501
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.300 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.6-gke.1503 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.6-gke.1503 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.22 to 1.22.6-gke.300 with this release.

Rapid channel

Version 1.22.6-gke.1500 is now the default version in the Rapid channel.
The following versions are now available in the Rapid channel:
- 1.21.9-gke.1002.
- 1.21.10-gke.400.
- 1.22.7-gke.300.
- 1.22.7-gke.900.
- 1.23.4-gke.300.
The following versions are no longer available in the Rapid channel:
- 1.21.9-gke.300
- 1.21.9-gke.1001
- 1.22.4-gke.1501
- 1.22.6-gke.300
- 1.23.3-gke.1100
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.9-gke.1002 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.9-gke.1002 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.6-gke.1000 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.4-gke.300 with this release.

Identity Service for GKE is now generally available. You can authenticate to GKE clusters with external identity providers that use OpenID Connect (OIDC).

March 04, 2022

Some unexpected paths to access the node VM on GKE Autopilot clusters could have been used to escalate privileges in the cluster. These issues have been fixed and no further action is required. The fixes address issues reported through our Vulnerability Reward Program.

For instructions and more details, see the GCP-2022-009 security bulletin.

Public clusters created on GKE versions 1.22 and later, and created between October 28, 2021 and February 17, 2022 use Private Service Connect (PSC). Therefore, each control plane is assigned to a private IP address from the cluster node subnet.

For public clusters created outside of this time frame or with a different GKE version, the control plane has a public IP address by default.

February 25, 2022

The Envoy project recently discovered a set of vulnerabilities. All issues listed below are fixed in Envoy release 1.21.1.

For more information, see the GCP-2022-008 security bulletin.

February 24, 2022

(2022-R3) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.21.6-gke.1503 is now the default version.
Control plane and node version 1.19.16-gke.6800
Control plane and node version 1.20.15-gke.1000
Control plane and node version 1.21.5-gke.1805
Control plane and node version 1.21.6-gke.1503
Control plane and node version 1.21.9-gke.1001
Control plane and node version 1.22.3-gke.1500
Control plane and node version 1.22.4-gke.1501
Control plane and node version 1.22.6-gke.1000
Node version 1.18.20-gke.6101 is now available.
Node version 1.21.6-gke.1501 is now available.
Node version 1.21.9-gke.1000 is now available.
The following control plane versions are no longer available:
- 1.19.15-gke.1801
- 1.21.6-gke.1500
Node version 1.21.6-gke.1500 is no longer available.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.6-gke.1503 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.22 to 1.22.6-gke.300 with this release.

Stable channel

Version 1.19.16-gke.3600 is now available in the Stable channel.
Version 1.21.5-gke.1805 is now available in the Stable channel.
The following versions are no longer available in the Stable channel:
- 1.19.15-gke.1801
- 1.21.5-gke.1802
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to 1.21.5-gke.1805 with this release.

Regular channel

Version 1.21.6-gke.1503 is now the default version in the Regular channel.
Version 1.21.5-gke.1805 is now available in the Regular channel.
Version 1.21.6-gke.1503 is now available in the Regular channel.
Version 1.22.4-gke.1501 is now available in the Regular channel.
The following versions are no longer available in the Regular channel:
- 1.20.11-gke.1801
- 1.21.5-gke.1802
- 1.21.6-gke.1500
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.6-gke.1503 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.6-gke.1503 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.22 to 1.22.4-gke.1501 with this release.

Rapid channel

Version 1.22.6-gke.300 is now the default version in the Rapid channel.
Version 1.21.9-gke.1001 is now available in the Rapid channel.
Version 1.22.6-gke.1000 is now available in the Rapid channel.
Version 1.22.6-gke.1500 is now available in the Rapid channel.
Version 1.23.3-gke.1100 is now available in the Rapid channel.
The following versions are no longer available in the Rapid channel:
- 1.21.6-gke.1500
- 1.22.3-gke.700
- 1.22.3-gke.1500
- 1.23.2-gke.300
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.9-gke.1001 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.9-gke.1001 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.3-gke.1100 with this release.

GKE nodes that use Container-Optimized OS with Docker (cos) may experience random TCP connection resets when two pods on the same node communicate using a Kubernetes ClusterIP Service.

For more information, see GKE Node images known issues.

February 22, 2022

GKE Gateway traffic management is now in Preview for GKE 1.22 and later version clusters. You can now autoscale Pods or dynamically shift traffic between clusters based on Service traffic capacity.

February 17, 2022

Kubernetes Network Policy API allows specifying range of ports (see KEP on port ranges) on which the policy is enforced in GKE 1.22 and later versions. If you specify endPort field in a Network Policy, it might not take effect in Dataplane V2 based on the cluster configuration. This API will be supported in Calico Network Policy enabled clusters but not in Dataplane V2 clusters.

For more information, see GKE Dataplane V2 known issues.

February 15, 2022

A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's cgroup_release_agent_write function. The attack uses unprivileged user namespaces, and under certain circumstances, this vulnerability can be exploitable for container breakout.

For more information, see the GCP-2022-006 security bulletin.

February 14, 2022

Kubernetes 1.23 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.23 Release Notes, especially the action required and deprecation sections. Also, read the guide for ensuring compatibility of webhook and aggregated API server certificates before the upgrade.

February 11, 2022

A security vulnerability, CVE-2021-43527, has been discovered in any binary that links to the vulnerable versions of libnss3 found in NSS (Network Security Services) versions prior to 3.73 or 3.68.1.

Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.

For more information, see the GCP-2022-005 security bulletin.

February 10, 2022

Versions 1.21.9-gke.300, 1.22.6-gke.300, and 1.23.2-gke.300 contain a fix for a race condition which could result in erroneously detaching all endpoints from network endpoint groups for a short period.

February 04, 2022

A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc, as governed by a policy. GKE clusters are not affected.

For instructions and more details, see the GCP-2022-004 security bulletin.

You will not be able to create new node pools that use a Docker node image starting with GKE v1.23 when:

Creating a new cluster,
Adding a node pool to an existing cluster, or
Using Node Auto-provisioning (NAP) with --autoprovisioning-image-type set to Docker node images.
For existing clusters, you will also not be able to change the value of --autoprovisioning-image-type to Docker node images.

If you are upgrading your GKE clusters from GKE v1.22 to v1.23, then you will be able to continue using:

Docker node pools that were configured before the upgrade.
Cluster Autoscaler on Docker node pools.
Node Auto-provisioning (NAP) with --autoprovisioning-image-type set to Docker node images if it was configured before upgrading to v1.23. However, we highly recommend you to migrate to GKE node images that use the Containerd container runtime.

For your reference, below are the GKE node images for the Containerd and Docker container runtimes:

Containerd container runtime (recommended): cos_containerd, ubuntu_containerd, windows_ltsc_containerd, windows_sac_containerd
Docker container runtime (unsupported starting with v1.24): cos, ubuntu, windows_ltsc, windows_sac

Containerd is the default runtime on GKE. Most user workloads do not have dependencies on the container runtime. Support for Docker as a container runtime on Kubernetes nodes will be removed from OSS Kubernetes and GKE starting with v1.24. If you use a node image based on Docker container runtime, please migrate your GKE workloads to a Containerd node image as soon as possible. For more details, see Containerd node images.

February 03, 2022

(2022-R02) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Control plane and node version 1.19.16-gke.6100 is now available.
Control plane and node version 1.20.15-gke.300 is now available.
Control plane and node version 1.21.9-gke.300 is now available.
Control plane and node version 1.22.6-gke.300 is now available.
Control plane version 1.21.5-gke.1302 is no longer available.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.16-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.16-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.6-gke.1500 with this release.

Stable channel

Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.1500 with this release.

Regular channel

Version 1.22.3-gke.1500 is now available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.12-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.6-gke.1500 with this release.

Rapid channel

Version 1.22.4-gke.1501 is now the default version in the Rapid channel.
Version 1.21.9-gke.300 is now available in the Rapid channel.
Version 1.22.6-gke.300 is now available in the Rapid channel.
Version 1.23.2-gke.300 is now available in the Rapid channel.
Version 1.21.5-gke.1802 is no longer available in the Rapid channel.
Version 1.23.1-gke.500 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.6-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.6-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.4-gke.1501 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.2-gke.300 with this release.

February 02, 2022

Three security vulnerabilities, CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185 have been discovered in the Linux kernel, each of which can lead to either a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems and Anthos clusters on VMware node operating systems (COS and Ubuntu).

Pods using GKE Sandbox are not vulnerable to these vulnerabilities. For more information, see the GCP-2022-002 security bulletin.

January 31, 2022

In GKE, you can now filter Pub/Sub cluster notifications by notification type. For more information, see Receive cluster notifications.

When creating a maintenance exclusion window, you can restrict the exclusion to specify types of maintenance. For example, during a specific time period you can exclude minor upgrades from occurring on your cluster. For more information, see Maintenance exclusions documentation.

January 27, 2022

Starting with GKE version 1.23.0, if a Kubernetes event is created using k8s.io/api/core/v1, the LastTimestamp field is used as the timestamp of the corresponding event log if the field is non-empty. Otherwise, the timestamp field will be unset and will be determined by Cloud Logging.

If a Kubernetes event is created using k8s.io/api/events/v1, the Series.LastObservedTime field is used as the timestamp of the corresponding event log if the field is non-empty. Otherwise, the timestamp field will be unset and will be determined by Cloud Logging. An event created with k8s.io/api/events/v1 will be converted to k8s.io/api/core/v1 before exporting to Cloud Logging.

Log payload of an event log will contain the LastTimestamp field from k8s.io/api/core/v1 Event API. If an event is created using k8s.io/api/events/v1, the value of this field will be null. Instead, use the Series.LastObservedTime field in the log payload.

January 21, 2022

(2022-R01) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.21.6-gke.1500 is now the default version.
Control plane and node version 1.19.16-gke.3600 is now available.
The following control plane versions are no longer available:
- 1.19.15-gke.1300
- 1.20.10-gke.1600
- 1.20.10-gke.2100
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.15-gke.1801 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.20.12-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.12-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.5-gke.1802 with this release.

Stable channel

Version 1.20.12-gke.1500 is now the default version in the Stable channel.
Version 1.21.5-gke.1802 is now available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.12-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.12-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to 1.21.5-gke.1802 with this release.

Regular channel

Version 1.21.6-gke.1500 is now the default version in the Regular channel.
Version 1.21.6-gke.1500 is now available in the Regular channel.
Version 1.21.5-gke.1302 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.6-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.6-gke.1500 with this release.

Rapid channel

Version 1.22.3-gke.1500 is now the default version in the Rapid channel.
Version 1.22.4-gke.1501 is now available in the Rapid channel.
Version 1.23.1-gke.500 is now available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.5-gke.1802 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.5-gke.1802 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.3-gke.1500 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.1-gke.500 with this release.

1.23 is now available in the Rapid channel

Kubernetes 1.23 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.23 Release Notes, especially the action required and deprecation sections.

Notable features

Beta: PodSecurity admission

PodSecurity replaces the deprecated PodSecurityPolicy admission controller (which will be removed in 1.25). PodSecurity is an admission controller that enforces Pod Security Standards on Pods in a Namespace based on specific namespace labels that set the enforcement level. In 1.23, the PodSecurity feature is enabled by default, and applies to namespaces that opt into enforcement. Refer to the PodSecurity documentation and PodSecurityPolicy migration guide for more information.

Notable changes and bug fixes

Kubernetes 1.23 is built with go1.17, which requires aggregated API servers, admission webhooks, and custom resource conversion webhooks to use TLS certificates that include the service DNS name as a subjectAltName.

Before upgrading to 1.23, ensure any non-local aggregated API servers, admission webhooks, and custom resource conversion webhooks in your cluster are served using valid TLS certificates.
At cluster version 1.22.3-gke.700 or higher, GKE provides a Cloud Audit log to check if your cluster contains an affected service. You can use the following filter to search for the logs:
```
logName: "projects/$PROJECT/logs/cloudaudit.googleapis.com%2Factivity"
resource.type = "k8s_cluster"
operation.producer = "k8s.io"
"invalid-cert.webhook.gke.io"
```
If you are not affected you won't see any logs. If you do see such an audit log, it will include the name of the service (whether webhook or aggregated API).

New API versions

flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema, PriorityLevelConfiguration
autoscaling/v2 HorizontalPodAutoscaler

Deprecated API versions

These APIs are still served in version 1.23 but are in a deprecation period:

PodSecurityPolicy
- policy/v1beta1 PodSecurityPolicy
- Deprecated in 1.21 with removal targeted for version 1.25.
The following Beta versions of graduated APIs will be removed in 1.25 in favor of their GA versions:
- discovery.k8s.io/v1beta1 EndpointSlice, deprecated since 1.21
- policy/v1beta1 PodDisruptionBudget, deprecated since 1.21
- batch/v1beta1 CronJob, deprecated since 1.21
- node.k8s.io/v1beta RuntimeClass
- autoscaling/v2beta1 HorizontalPodAutoscaler
The following Beta versions of graduated APIs will be removed in 1.26 in favor of newer versions:
- flowcontrol.apiserver.k8s.io/v1beta1 FlowSchema, PriorityLevelConfiguration
  - deprecated since 1.23
  - use flowcontrol.apiserver.k8s.io/v1beta2 instead, available since 1.23
- autoscaling/v2beta2 HorizontalPodAutoscaler
  - deprecated since 1.23
- use autoscaling/v2 instead, available since 1.23 (or autoscaling/v1)

Clusters running GKE node versions 1.19.16-gke.1500 and 1.19.16-gke.3600 will be unstable if Container Threat Detection (KTD) is enabled. To use KTD, create the cluster with the most recent 1.19.15 version or any GKE version 1.20 or later. If you require GKE version 1.19.16-gke.1500 or 1.19.16-gke.3600, you should disable KTD on the cluster using the Cloud Security Command Center Advanced Settings before creating or upgrading nodes to these versions

January 20, 2022

VPC-scoped DNS for GKE using Cloud DNS is now generally available for GKE versions 1.21 and later. This allows for seamless VPC-wide DNS resolution of GKE Services. Note that cluster-scoped DNS using Cloud DNS is still in public preview.

A new kubernetes metric, Network policy event count (kubernetes.io/pod/network/policy_event_count), is available (beta) for GKE Dataplane V2 clusters in GKE versions 1.22.3-gke.700 and later.

This metric can be viewed in the Metrics Explorer in Cloud Monitoring for resource type, Kubernetes Pod.

This metric provides visibility into network policy events and shows the Change in the number of network policy events seen in the dataplane, each event has the following metric labels:

verdict: Policy verdict, possible values: [allow, deny].
workload_kind: Kind of the workload, policy-enforced-pod belongs to, for example, "Deployment", "Replicaset", "StatefulSet", "DaemonSet", "Job", or "CronJob".
workload_name: Name of the workload, policy-enforced-pod belongs to.
direction: Direction of the traffic from the point of view of policy-enforced-pod, possible values: [ingress, egress].

In addition to these metric labels, customers can also see usual resource labels for resource type, Kubernetes Pod: project_id, location, cluster_name, namespace_name, and pod_name.

This metric can be used for setting up automated alerts for specific behaviors (denials higher than a threshold), identifying security issues, gaining better understanding of traffic flow, and troubleshooting.

January 17, 2022

Now available in Preview: Use a compact placement policy to specify that nodes within the node pool should be placed in closer physical proximity to each other within a zone. Having nodes closer to each other can reduce network latency between nodes, which can be useful for tightly-coupled batch workloads.

December 20, 2021

For GKE versions 1.21 and later, newly created clusters will have the DenyServiceExternalIPs admission controller enabled by default, disabling the use of ExternalIPs Services.

For existing clusters, when you upgrade the cluster to GKE version 1.21 or later, the DenyServiceExternalIPs admission controller will not be enabled. Since ExternalIPs Services are not widely used, we recommend manually auditing any external IP usage. You can choose to block ExternalIPs by using the following command:

gcloud container clusters update --no-enable-service-externalips

For more information, refer to Hardening your cluster's security.

A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs.

This issue is fixed in the following GKE versions:

1.22.3-gke.1100 or above
1.21.6-gke.700 or above
1.20.12-gke.700 or above
1.19.16-gke.700 or above

For more information about the CVE, refer to CVE-2021-41103.

December 14, 2021

File capability CAP_NET_BIND_SERVICE required by metrics-server to bind privileged port 443 is dropped in clusters that enable PodSecurityPolicy and use the Ubuntu with Docker container runtime in node pools. As a result, metrics-server fails to bootstrap and autoscaling functionality fails to function. All 1.21 and 1.22 node versions are impacted. This issue will be fixed in a future release. Automatic node upgrades from GKE version 1.20 to 1.21 will be halted until this issue is fixed.

December 09, 2021

GKE version 1.22.3-gke.1500 and later support user impersonation for all user-defined users and groups. System users and groups such as the kube-apiserver user and the system:masters group cannot be impersonated.

December 06, 2021

(2021-R34) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane versions are no longer available:
- 1.19.13-gke.1900, 1.19.14-gke.301, 1.19.14-gke.1900, 1.19.14-gke.2300, 1.19.15-gke.500
- 1.21.3-gke.2003, 1.21.4-gke.2300, 1.21.4-gke.2302, 1.21.5-gke.1300
The following control planes and nodes with auto-upgrade enabled will be upgraded with this release:
- From version 1.18 to 1.19.15-gke.1300
- From version 1.19 to 1.20.11-gke.1300
- From version 1.20 to 1.20.11-gke.1300
- From version 1.21 to 1.21.5-gke.1302

Stable channel

Version 1.20.11-gke.1300 is now the default version in the Stable channel.
The following control plane and node versions are now available in the Stable channel:
The following versions are no longer available in the Stable channel:
- 1.19.15-gke.500, 1.19.15-gke.1300, 1.20.10-gke.1600
The following control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded with this release:
- From version 1.18 to 1.19.15-gke.1801
- From version 1.19 to 1.20.11-gke.1300
- From version 1.20 to 1.20.11-gke.1300

Regular channel

The following control plane and node versions are now available in the Regular channel:
- 1.20.12-gke.1500
- 1.21.5-gke.1802
The following versions are no longer available in the Regular channel:
- 1.20.10-gke.2100, 1.21.3-gke.2003
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.11-gke.1801 with this release.

Rapid channel

Version 1.22.3-gke.700 is now the default version in the Rapid channel.
The following control plane and node versions are now available in the Rapid channel:
- 1.21.6-gke.1500
- 1.22.3-gke.1500
The following versions are no longer available in the Rapid channel:
- 1.21.5-gke.1302, 1.22.2-gke.1901

PodSecurityPolicy (beta) was deprecated in Kubernetes 1.21 and is scheduled for shutdown in 1.25. For alternatives, refer to PodSecurityPolicy deprecation.

The following GKE versions fix Calico issue #4710 and Calico issue #4518, related to Pod graceful termination, in GKE clusters with Calico Network Policy enabled:

1.19.16-gke.100 and later
1.20.11-gke.1300 and later
1.21.4-gke.1500 and later

For more information about the resolved issue, see the known issues page.

December 03, 2021

The 2021-R32 release notes from October 29, 2021 were updated on December 03, 2021 with revisions to the upgrade versions for control plane and nodes in Rapid, Regular, Stable, and No Channel.

See the revision note for further details.

December 02, 2021

The following GKE versions contain an issue that might affect workloads that use GKE Sandbox:

1.19.14-gke.301, 1.19.14-gke.1900, 1.19.14-gke.2300, 1.19.15-gke.500, 1.19.15-gke.1300, 1.19.15-gke.1801
1.20.10-gke.301, 1.20.10-gke.1600, 1.20.10-gke.2100, 1.20.11-gke.1300, 1.20.11-gke.1801
1.21.4-gke.2300, 1.21.4-gke.2302, 1.21.5-gke.1300, 1.21.5-gke.1302, 1.21.5-gke.1802
1.22.2-gke.1901

What do I need to know?

Applications that use the xmm15 register and receive a signal or hit a page fault while the register is in use might have the register corrupted, leading to unpredictable application behavior. The security of the sandbox is not compromised.

What do I need to do?

Upgrade to one of the following GKE versions that fix the issue:

1.19.16-gke.1500 or later
1.20.12-gke.1500 or later
1.21.6-gke.1500 or later
1.22.3-gke.700 or later

November 19, 2021

The 2021-R33 release notes for No channel were updated with the following additions:

The following control plane and node versions are now available:
- 1.19.16-gke.1500
- 1.20.12-gke.1500
- 1.21.6-gke.1500

November 16, 2021

The southamerica-west1 region in Santiago, Chile is now available.

Google Cloud Managed Service for Prometheus is now available in Preview.

November 15, 2021

2021-11-19 update: Added new control plane and node versions for the 2021-R33 release in No channel.

(2021-R33) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.21.5-gke.1302 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.20.10-gke.301
- 1.21.3-gke.2001
The following control planes and nodes with auto-upgrade enabled will be upgraded with this release:
- From version 1.18 to 1.19.15-gke.500
- From version 1.19 to 1.19.15-gke.500

Stable channel

The following control plane and node versions are now available:
- 1.19.15-gke.1300
- 1.20.11-gke.1300
Version 1.19.14-gke.1900 is no longer available in the Stable channel.
The following control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded with this release:
- From version 1.18 to 1.19.15-gke.500
- From version 1.19 to 1.19.15-gke.500

Regular channel

Version 1.21.5-gke.1302 is now the default version in the Regular channel.
Version 1.20.11-gke.1801 is now available in the Regular channel.
Version 1.20.10-gke.1600 is no longer available in the Regular channel.
The following control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded with this release:
- From version 1.19 to 1.20.10-gke.2100
- From version 1.20 to 1.21.5-gke.1302
- From version 1.21 to 1.21.5-gke.1302

Rapid channel

Version 1.21.5-gke.1802 is now the default version in the Rapid channel.
Version 1.22.3-gke.700 is now available in the Rapid channel.
The following control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded with this release:
- From version 1.20 to 1.21.5-gke.1802
- From version 1.21 to 1.21.5-gke.1802
- From version 1.22 to 1.22.3-gke.700

November 12, 2021

The release on September 17, 2021 (2021-R29) fixed CVEs in the Compute Engine PD CSI driver for the cluster minor version 1.18. The fixes are available in GKE version 1.18.20-gke.5900 and later.

The following CVEs were fixed: CVE-2021-3712, CVE-2021-3580, CVE-2021-33910, CVE-2020-29361, CVE-2020-29362, CVE-2021-24031, CVE-2021-3711, CVE-2021-20305, CVE-2020-24659, CVE-2021-24032, CVE-2021-20231, CVE-2021-20232, CVE-2021-33560, CVE-2020-29363, CVE-2021-3520, and CVE-2020-27350.

Legacy networks that contain GKE clusters can be converted to VPC networks, if the required control plane and node pool upgrades are performed. This feature is available in Preview. For more information, see Single-region conversion tool.

November 09, 2021

For GKE Autopilot clusters, Spot Pods are now available in Preview. Spot Pods let you run fault-tolerant workloads at lower costs.

November 04, 2021

You can now use image streaming in GKE to reduce image pull time and improve overall application startup and autoscaling performance. For more information, see Use image streaming to pull container images.

October 29, 2021

Revisions for 2021-R32

2021-12-03 update: Revised upgrade versions. Control planes and nodes with auto-upgrade enabled will be upgraded in the following channels:

Rapid: From version 1.20 to 1.21.5-gke.1302.
Regular: From version 1.19 to 1.20.10-gke.1600.
Stable:
- From version 1.18 to 1.19.14-gke.1900.
- From version 1.19 to 1.20.10-gke.1600.
No Channel:
- From version 1.18 to 1.19.14-gke.1900.
- From version 1.19 to 1.20.10-gke.1600.

(2021-R32) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.19.13-gke.1200
- 1.20.9-gke.1001
- 1.20.9-gke.2100
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.14-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.20.10-gke.1600 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.3-gke.2003 with this release.

Stable channel

Version 1.20.10-gke.1600 is now the default version in the Stable channel.
Version 1.19.15-gke.500 is now available in the Stable channel.
The following versions are no longer available in the Stable channel:
- 1.19.13-gke.1900
- 1.20.10-gke.301
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.14-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.10-gke.1600 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.

Regular channel

Version 1.20.10-gke.1600 is now the default version in the Regular channel.
The following versions are now available in the Regular channel:
The following versions are no longer available in the Regular channel:
- 1.20.9-gke.1001
- 1.20.10-gke.301
- 1.21.3-gke.2001
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.10-gke.1600 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.3-gke.2003 with this release.

Rapid channel

Version 1.21.5-gke.1302 is now the default version in the Rapid channel.
The following versions are now available in the Rapid channel:
The following versions are no longer available in the Rapid channel:
- 1.21.4-gke.2300
- 1.21.5-gke.1300
- 1.22.2-gke.1300
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.5-gke.1302 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.5-gke.1302 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.2-gke.1901 with this release.

October 28, 2021

GKE public clusters versions 1.22 and later created on or after October 28, 2021, will move to using Private Service Connect (PSC) for private control plane communication. There is no price increase for using GKE public clusters running on PSC, however, there will be a SKU change. This change does not apply to public clusters using legacy networks.

In clusters running GKE version 1.21.0-gke.1000 and later, the destination IP address and port of the GKE metadata server has changed. If you have a cluster network policy and you use Workload Identity, you should update your network policy to allow access to the following destination IP addresses and ports. To avoid disruptions during auto-upgrades, allow access to all these destination address and destination port combinations in your network policy. For more information, see Understanding the GKE metadata server.

GKE version	GKE metadata server address
Prior to 1.21.0-gke.1000	`127.0.0.1:987` and `127.0.0.1:988`
1.21.0-gke.1000 and later	`169.254.169.252:987` and `169.254.169.252:988`

October 27, 2021

In GKE version 1.22 and later, GKE cluster autoscaler and node auto-provisioning will support working on empty (zero node) clusters, and will support scaling down nodes with pods requesting local storage.

October 21, 2021

For GKE Autopilot clusters, CMEK for boot disks and CMEK for application-layer encryption is now generally available.

For GKE Autopilot clusters, Google Groups for RBAC is now generally available.

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allows retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

October 15, 2021

(2021-R31) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.20.10-gke.1600 is now the default version.
The following control plane and node versions are now available:
Control plane version 1.19.13-gke.701 is no longer available.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.

Stable channel

Version 1.19.13-gke.1900 is now the default version in the Stable channel.
The following versions are now available in the Stable channel:
- 1.19.14-gke.1900
- 1.20.10-gke.1600
Version 1.19.13-gke.1200 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.

Regular channel

Version 1.20.10-gke.1600 is now available in the Regular channel.

Rapid channel

Version 1.21.4-gke.2300 is now the default version in the Rapid channel.
The following versions are now available in the Rapid channel:
- 1.21.5-gke.1300
- 1.22.2-gke.1300
The following versions are no longer available in the Rapid channel:
- 1.21.4-gke.1801
- 1.22.1-gke.1602
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.2300 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.2-gke.1300 with this release.

GKE Windows clusters using the persistent disk CSI driver might experience volume mount issues with existing PersistentVolumeClaim or PersistentVolume resources if upgraded to one the following versions. Please do not upgrade your Windows node pools to the following versions in the Rapid channel:

1.22.1-gke.1602 or later

The fix will be available in a future GKE 1.22 release.

October 14, 2021

StatefulSet Pods in Calico Network Policy enabled GKE clusters might experience connectivity issues in a Terminating state in the following GKE versions:

1.18
1.19
1.20 to 1.20.11-gke.1299
1.21 to 1.21.4-gke.1499

To mitigate this issue, upgrade your GKE control plane to GKE version 1.21.4-gke.1500 or later.
For more information, see the known issue and Calico issue #4710.

October 13, 2021

The following GKE versions fix containerd issue #5438. This issue caused pod IP address leaks which exhaust the IP addresses of containerd based nodes.

1.19.14-gke.1500 or later
1.20.10-gke.1500 or later
1.21.4-gke.1600 or later

For more information, see the Containerd node images known issues.

October 12, 2021

Spot VMs on GKE is now available in Preview.

With GKE version 1.19 and later, the CPU and memory usage of gke-metrics-agent have been optimized. With this change, Out Of Memory (OOM) crashes are reduced significantly.

If you are on GKE version 1.18 and earlier, you will need to upgrade your clusters to version 1.19 or later.

October 04, 2021

GKE version 1.20.8-gke.2100 or later offers a Preview of a fully managed metric collection pipeline to scrape Prometheus-style metrics exposed by any GKE workload and send those metrics to Cloud Monitoring for dashboards, alerts, and SLOs. Compared to the Prometheus Stackdriver sidecar, this new pipeline is easy to set up, allows filtering to control cost, supports larger clusters, is fully managed, supports Autopilot and horizontal Pod autoscaling, and offers better pricing. Get started with GKE workload metrics.

October 01, 2021

(2021-R30) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.20.10-gke.301 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.18.20-gke.3001
- 1.18.20-gke.3300
- 1.18.20-gke.4100
- 1.18.20-gke.4501
- 1.18.20-gke.6000
- 1.19.12-gke.2101
- 1.20.8-gke.2101
- 1.20.9-gke.701
- 1.20.9-gke.1000
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Stable channel

Version 1.19.13-gke.1200 is now the default version.
The following control plane and node versions are now available in the Stable channel:
- 1.19.13-gke.1900
- 1.20.10-gke.301
The following versions are no longer available in the Stable channel:
- 1.19.13-gke.701
- 1.20.9-gke.1000
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.9-gke.1001 with this release.

Regular channel

Version 1.20.10-gke.301 is now the default version in the Regular channel.
Version 1.21.3-gke.2001 is now available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Rapid channel

Version 1.21.4-gke.1801 is now the default version in the Rapid channel.
The following control plane and node versions are now available in the Rapid channel:
- 1.21.4-gke.2300
- 1.22.1-gke.1602
Version 1.21.4-gke.301 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.1801 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.1-gke.1602 with this release.

1.20 clusters with legacy ABAC authorization enabled should not upgrade to 1.21 until 1.21.4-gke.2500+ is available.

1.21 is now generally available

Kubernetes version 1.21 is now generally available. Before upgrading, read the Kubernetes 1.21 Release Notes, especially the action required and deprecation sections.

The following features are introduced in version 1.21:

CronJob (GA)

The CronJob API has graduated to General Availability (GA), bringing performance improvements and allowing scheduled jobs to be run using a stable API.

This resource is now available in the batch/v1 group/version.
The batch/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

PodDisruptionBudget (GA)

The PodDisruptionBudget has graduated to GA, allowing Pod evictions to be controlled using a stable API.

This resource is now available in the policy/v1 group/version.
The policy/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

EndpointSlice (GA)

The EndpointSlice API has graduated to GA, bringing performance improvements over the v1 Endpoints API.

This more scalable API for service discovery is now enabled on all clusters and is promoted to discovery.k8s.io/v1.
The discovery.k8s.io/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

Default namespace label (Beta)

Namespace API objects now have a kubernetes.io/metadata.name label matching their metadata.name field to allow selecting any namespace by its name using a label selector. This can be used for objects which select namespaces by label, such as admission webhooks and network policies.

Bound service account token volumes (Beta)

The API credentials injected into containers at /var/run/secrets/kubernetes.io/serviceaccount/token are now time-limited, auto-refreshed, and invalidated when the containing pod is deleted.
By default, injected tokens are given an extended lifetime so they remain valid even after a new refreshed token is provided. The metric serviceaccount_stale_tokens_total and the audit annotation authentication.k8s.io/stale-token can be used to monitor for workloads that depend on the extended lifetime and are continuing to use tokens even after a refreshed token is provided to the container.
Clients should reload the token from disk periodically (once per minute is recommended) to ensure they use the refreshed token. k8s.io/client-go version 11.0.0+ and 0.15.0+ reload tokens automatically.

In Kubernetes 1.21, newly provisioned PersistentVolumes by gce-pd will use the topology.kubernetes.io/zone GA label instead of the failure-domain.beta.kubernetes.io/zone beta label.

New Beta and Stable APIs

The following Stable APIs are new in 1.21:

batch/v1 CronJob
policy/v1 PodDisruptionBudget
discovery.k8s.io/v1 EndpointSlice

The following Beta APIs are new in 1.21:

storage.k8s.io/v1beta1 CSIStorageCapacity

Deprecated APIs

The following APIs are deprecated in the 1.21 release:

PodSecurityPolicy
- policy/v1beta1 PodSecurityPolicy
- Deprecated in 1.21 with removal targeted for version 1.25.
The following Beta versions of newly graduated APIs will be removed in 1.25 in favor of GA versions:
- discovery.k8s.io/v1beta1 EndpointSlice
- policy/v1beta1 PodDisruptionBudget
- batch/v1beta1 CronJob
The following Beta versions of previously graduated APIs will be removed in 1.22 in favor of GA versions:
- admissionregistration.k8s.io/v1beta1, MutatingWebhookConfiguration
- admissionregistration.k8s.io/v1beta1, ValidatingWebhookConfiguration
- apiextensions.k8s.io/v1beta1, CustomResourceDefinition
- apiregistration.k8s.io/v1beta1, APIService
- authentication.k8s.io/v1beta1, TokenReview
- authorization.k8s.io/v1beta1, LocalSubjectAccessReview
- authorization.k8s.io/v1beta1, SelfSubjectAccessReview
- authorization.k8s.io/v1beta1, SubjectAccessReview
- certificates.k8s.io/v1beta1, CertificateSigningRequest
- coordination.k8s.io/v1beta1, Lease
- extensions/v1beta1, Ingress
- networking.k8s.io/v1beta1, Ingress
- networking.k8s.io/v1beta1, IngressClass
- rbac.authorization.k8s.io/v1beta1, ClusterRole
- rbac.authorization.k8s.io/v1beta1, ClusterRoleBinding
- rbac.authorization.k8s.io/v1beta1, Role
- rbac.authorization.k8s.io/v1beta1, RoleBinding
- scheduling.k8s.io/v1beta1, PriorityClass
- storage.k8s.io/v1beta1, CSIDriver
- storage.k8s.io/v1beta1, CSINode
- storage.k8s.io/v1beta1, StorageClass
- storage.k8s.io/v1beta1, VolumeAttachment

1.22 is now available in the Rapid channel

Kubernetes 1.22 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.22 Release Notes, especially the action required and deprecation sections.

Removed API versions in 1.22

The following Beta versions of previously graduated APIs are removed in 1.22 in favor of the GA versions. All existing objects can be interacted with via the stable APIs. Update API clients and manifests to use the GA APIs before upgrading. For more information, see the Kubernetes 1.22 deprecated APIs guide.

admissionregistration.k8s.io/v1beta1, MutatingWebhookConfiguration
admissionregistration.k8s.io/v1beta1, ValidatingWebhookConfiguration
apiextensions.k8s.io/v1beta1, CustomResourceDefinition
apiregistration.k8s.io/v1beta1, APIService
authentication.k8s.io/v1beta1, TokenReview
authorization.k8s.io/v1beta1, LocalSubjectAccessReview
authorization.k8s.io/v1beta1, SelfSubjectAccessReview
authorization.k8s.io/v1beta1, SubjectAccessReview
certificates.k8s.io/v1beta1, CertificateSigningRequest
coordination.k8s.io/v1beta1, Lease
extensions/v1beta1, Ingress
networking.k8s.io/v1beta1, Ingress
networking.k8s.io/v1beta1, IngressClass
rbac.authorization.k8s.io/v1beta1, ClusterRole
rbac.authorization.k8s.io/v1beta1, ClusterRoleBinding
rbac.authorization.k8s.io/v1beta1, Role
rbac.authorization.k8s.io/v1beta1, RoleBinding
scheduling.k8s.io/v1beta1, PriorityClass
storage.k8s.io/v1beta1, CSIDriver
storage.k8s.io/v1beta1, CSINode
storage.k8s.io/v1beta1, StorageClass
storage.k8s.io/v1beta1, VolumeAttachment

Deprecated API versions

These APIs are still served in version 1.22 but are in a deprecation period, and will be removed in 1.25:

PodSecurityPolicy
- policy/v1beta1 PodSecurityPolicy
- Deprecated in 1.21 with removal targeted for version 1.25.
The following Beta versions of graduated APIs will be removed in 1.25 in favor of their GA versions:
- discovery.k8s.io/v1beta1 EndpointSlice, deprecated since 1.21
- policy/v1beta1 PodDisruptionBudget, deprecated since 1.21
- batch/v1beta1 CronJob, deprecated since 1.21

New API versions in 1.22

The pods/eviction subresource now accepts policy/v1 eviction requests in addition to policy/v1beta1 eviction requests (#100724)

Notable features in 1.22

GA: Server-side Apply

Server-side Apply is a new object merge algorithm, as well as tracking of field ownership, running on the Kubernetes API server. Server-side Apply helps users and controllers create and modify their resources via declarative configurations by sending their fully specified intent. Refer to server-side apply documentation for more information. Improvements in 1.22 include:

scale subresource ownership is tracked correctly (#98377)
label selector fields are applied atomically (#97989)

Beta: DaemonSet maxSurge

DaemonSet objects now support a maxSurge rollout parameter, which allows running updated pods for the DaemonSet on nodes before removing old pods. Refer to the DaemonSet API documentation for more information.

Beta: Suspended jobs

Job objects can now be created or placed in a suspended state, to allow higher-level control over ordering and scheduling of batch workloads. Refer to the Job documentation for more information.

Beta: podAffinity namespace selection

Pod affinity rules can now specify namespaced using a label selector, in addition to a fixed list of namespace names. Refer to the pod affinity documentation for more information.

Notable changes and bug fixes in 1.22

The terminationGracePeriodSeconds field on pod specs and container probes should not be negative. Negative values of terminationGracePeriodSeconds will be treated as the value 1 on the delete path. Immutable field validation will be relaxed in order to update negative values. In a future release, negative values will not be permitted. (#98866)
As a mitigation for CVE-2021-25740, newly created Kubernetes 1.22 clusters no longer include write access to the Endpoints API in the edit and admin roles by default. Existing clusters upgraded to Kubernetes 1.22 retain previous permissions in those roles. For instructions to re-add Endpoints write access to the edit and admin roles in newly created 1.22 clusters, refer to the RBAC documentation.

September 30, 2021

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. For more information, see the GCP-2021-018 security bulletin.

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For more information, see the GCP-2021-021 security bulletin.

There is a known issue where updating a BackendConfig resource using the v1beta1 API that removes an active Google Cloud Armor security policy from its service. For more information, see the GCP-2021-019 security bulletin.

Now you can see how effectively your GKE clusters and workloads are utilizing your available compute resources. The new Cost Optimization tab lets you view, filter, and learn more about the CPU and memory usage, requests, allocation, and limit amounts of each of your clusters and workloads. This information can help you identify opportunities to optimize your clusters or workloads for more cost effective resource utilization. This feature is now available in Preview. For more information, see View cost-related optimization metrics.

September 24, 2021

GKE versions 1.18.20-gke.5100 and later fix the issue with v1beta1 of the Backendconfig API, where a Cloud Armor security policy was inadvertently deleted from the backend Service of an Ingress resource.

For more information, see Kubernetes issue #1508 and the Ingress Known issues page.

GKE clusters running node pools that use Docker might experience containers restarting every time Docker restarts.

The following versions are affected:

GKE 1.20 versions lower than 1.20.9-gke.2100
GKE 1.21 versions lower than 1.21.3-gke.1600

To fix this issue, either use Containerd or upgrade your nodes to version:

For GKE 1.20: 1.20.9-gke.2100 or higher
For GKE 1.21: 1.21.3-gke.1600 or higher

September 17, 2021

(2021-R29) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.20.9-gke.1001 is now the default version.
Control plane version 1.20.9-gke.1000 is now available.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.17.17-gke.9100
- 1.18.20-gke.901
- 1.18.20-gke.2300
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.18.20-gke.3001 with this release.

Stable channel

Version 1.19.13-gke.701 is now the default version in the Stable channel.
Version 1.19.13-gke.1200 is now available in the Stable channel.
Version 1.20.9-gke.1000 is now available in the Stable channel.
The following versions are no longer available in the Stable channel:
- 1.18.20-gke.901
- 1.18.20-gke.3001
- 1.19.12-gke.2101
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.701 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.9-gke.1000 with this release.

Regular channel

Version 1.20.9-gke.1001 is now the default version in the Regular channel.
Version 1.20.10-gke.301 is now available in the Regular channel.
Version 1.20.9-gke.701 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.9-gke.1001 with this release.

Rapid channel

Version 1.21.4-gke.301 is now the default version in the Rapid channel.
Version 1.21.4-gke.1801 is now available in the Rapid channel.
Version 1.21.3-gke.2001 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.301 with this release.

September 16, 2021

In GKE versions 1.21.0-gke.1500 and later, VPC-native is the default network mode during cluster creation. To create a routes-based cluster, you can use the --no-enable-ip-alias flag:

gcloud container clusters create CLUSTER_NAME --no-enable-ip-alias

For Autopilot clusters, starting with GKE version 1.21.3-gke.900:

Users can also create mutating webhooks. However, Autopilot modifies the mutating webhooks objects to add a namespace selector which excludes the resources in managed namespaces (currently, kube-system) from being intercepted. Additionally, webhooks which specify one or more of following resources (and any of their sub-resources) in the rules, will be rejected:
```
- group: ""
  resource: nodes
- group: ""
  resource: persistentvolumes
- group: certificates.k8s.io
  resource: certificatesigningrequests
- group: authentication.k8s.io
  resource: tokenreviews
```
The SYS_PTRACE capability is allowed in user workloads.
Gatekeeper is no longer used in Autopilot policy enforcement, letting users install their own Gatekeeper instances.

When downgrading Autopilot clusters versions 1.21 to the older minor versions, the cluster might intermittently become unavailable. Once the downgrade is complete, the cluster will be available.

September 14, 2021

With GKE versions 1.21.4-gke.30 and later, users can create ServiceAttachment resources to provision Private Service Connect (PSC) for internal LoadBalancer Services. This feature is available in Preview.

Multi-cluster Ingress now supports SSL policies and HTTPS redirects using the FrontendConfig resource. This feature is generally available in GKE versions 1.17.13-gke.2600 and later.

September 13, 2021

GKE versions 1.19.14-gke.301 and later fix the issue with v1beta1 of the Backendconfig API, where a Cloud Armor security policy was inadvertently deleted from the backend Service of an Ingress resource.

For more information, see Kubernetes issue #1508 and the Ingress Known issues page.

September 09, 2021

The managed Filestore CSI driver for GKE is now available in GKE versions 1.21 and later to provision and manage Filestore instances for GKE workloads.

September 08, 2021

Several gcloud flags used to configure which logs and metrics are collected are deprecated and replaced with new flags. See Deprecated Configuration Parameters for a list of the deprecated logging and monitoring flags as well as the equivalent values for the new --logging and --monitoring flags.

September 07, 2021

The R28 release notes were updated on September 24, 2021 with the following additions:

No channel

Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.

Stable channel

Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.

(2021-R28) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.20.8-gke.2101 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.18.20-gke.3000
- 1.18.20-gke.4500
- 1.19.12-gke.2100
- 1.19.13-gke.700
- 1.19.14-gke.300
- 1.20.8-gke.2100
- 1.20.9-gke.700
- 1.20.9-gke.1000
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.12-gke.2101 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.8-gke.2101 with this release.

Stable channel

Version 1.19.12-gke.2101 is now the default version in the Stable channel.
The following control plane and node versions are now available in the Stable channel:
The following versions are no longer available in the Stable channel:
- 1.18.20-gke.3000
- 1.19.12-gke.2100
- 1.19.13-gke.700
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.12-gke.2101 with this release.

Regular channel

Version 1.20.9-gke.701 is now the default version in the Regular channel.
The following control plane and node versions are now available in the Regular channel:
- 1.20.9-gke.700
- 1.20.9-gke.1001
The following versions are no longer available in the Regular channel:
- 1.20.9-gke.700
- 1.20.9-gke.1000
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.9-gke.701 with this release.

Rapid channel

Version 1.21.3-gke.2001 is now the default version in the Rapid channel.
The following control plane and node versions are now available in the Rapid channel:
- 1.21.3-gke.2001
- 1.21.4-gke.301
Version 1.21.3-gke.2000 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Two security vulnerabilities, CVE-2021-33909 and CVE-2021-33910, have been discovered in the Linux kernel that can lead to an OS crash or an escalation to root by an unprivileged user. This vulnerability affects all GKE node operating systems (COS and Ubuntu).

For more information, see the GCP-2021-017 security bulletin.

September 02, 2021

Multi-Instance GPU on GKE is is now generally available.

August 30, 2021

GKE Autoscaling profiles are now generally available.

August 24, 2021

Identity Service for GKE (Preview) is available. Identity Service for GKE extends existing identity solutions for authentication into GKE clusters by supporting OpenID Connect (OIDC). For more information, see Authenticating with Identity Service for GKE.

You can now enable Google Virtual NIC in a new GKE cluster on GPU nodes. For more information, see Using Google Virtual NIC.

August 20, 2021

(2021-R27) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.20.8-gke.2100 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.18.20-gke.501
- 1.19.9-gke.1900
- 1.19.10-gke.1000
- 1.19.10-gke.1001
- 1.19.10-gke.1601
- 1.19.10-gke.1701
- 1.19.11-gke.1701
- 1.19.11-gke.2101
- 1.19.12-gke.700
- 1.19.12-gke.900
- 1.19.12-gke.1100
- 1.20.8-gke.700
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.18.20-gke.901 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.12-gke.2100 with this release.

Stable channel

There are no new releases in the Stable channel.

Regular channel

Version 1.20.8-gke.2100 is now the default version in the Regular channel.
Version 1.20.9-gke.700 is now available in the Regular channel.
Version 1.20.8-gke.900 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.8-gke.2100 with this release.

Rapid channel

Version 1.20.8-gke.2100 is now the default version in the Rapid channel.
The following control plane and node versions are now available in the Rapid channel:
- 1.20.9-gke.2100
- 1.21.3-gke.2000
The following versions are no longer available in the Rapid channel:
- 1.20.8-gke.2100
- 1.21.3-gke.900
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.8-gke.2100 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.3-gke.901 with this release.

For GKE clusters running Windows Server node pools, you can proactively receive updates about new GKE versions and the Windows OS versions they use by subscribing to UpgradeAvailableEvent notifications. This feature is now available in Preview.

August 19, 2021

A simplified GKE API for configuring which logs and metrics are collected and sent to Cloud Logging and Cloud Monitoring is now available. The gcloud container clusters create and gcloud container clusters update commands now support the --logging and --monitoring flags.

For example, to collect both system and workload logs in an existing cluster, use gcloud container clusters update --logging=SYSTEM,WORKLOAD. Or, to create a new cluster with no metrics collected, use gcloud container clusters create --monitoring=NONE.

See a complete list of available logs and available metrics.

These flags are available in Google Cloud SDK version 352.0.0 and later.

August 18, 2021

GKE clusters running node pools that use containerd might experience IP leak issues and exhaust all Pod IPs on a node. A Pod scheduled on an affected node shows an error message similar to the following:

failed to allocate for range 0: no IP addresses available in range set: 10.48.131.1-10.48.131.62

For more information about the issue, see containerd issue #5438 and issue #5768.

For workarounds to mitigate this issue, see the Known issues section in containerd node images.

August 17, 2021

An issue was identified with v1beta1 of the BackendConfig API, where a Cloud Armor security policy was inadvertently deleted from the backend Service of an Ingress resource on the following affected GKE versions:

1.18.19-gke.1400 and later
1.19.10-gke.700 and later
1.20.6-gke.700 and later

To fix this issue, use v1 of the BackendConfig API, or update your clusters to one of the following GKE versions:

1.20.9-gke.900 and later
1.21.1-gke.2700 and later

For more information, see Kubernetes issue #1508 and the Ingress Known issues page.

August 12, 2021

(2021-R26) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.17.17-gke.3700
- 1.17.17-gke.4400
- 1.17.17-gke.4900
- 1.17.17-gke.5400
- 1.17.17-gke.6000
- 1.17.17-gke.6700
- 1.17.17-gke.7200
- 1.17.17-gke.7800
- 1.17.17-gke.8200
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.8-gke.900 with this release.

Stable channel

Version 1.19.12-gke.2100 is now the default version in the Stable channel.
Version 1.18.20-gke.901 is now available in the Stable channel.
Version 1.19.11-gke.2101 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 and version 1.19 to 1.19.12-gke.2100 with this release.

Regular channel

Version 1.20.8-gke.2100 is now available in the Regular channel.

Rapid channel

The following control plane and node versions are now available in the Rapid channel:
The following control plane and node versions are no longer available in the Rapid channel:
- 1.20.9-gke.700
- 1.21.3-gke.100
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.3-gke.900 with this release.

August 05, 2021

GKE Multi Cluster Ingress is now available through standalone per-Pod pricing in addition to Anthos licensing for all GKE release channels.

August 03, 2021

The northamerica-northeast2 region in Toronto is now available.

(2021-R25) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.18.17-gke.1901
- 1.18.19-gke.1701
- 1.18.19-gke.2101
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.20-gke.501 with this release.

Stable channel

Version 1.18.20-gke.900 is now the default version in the Stable channel.
Version 1.18.20-gke.501 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.20-gke.900 with this release.

Regular channel

There are no new releases in the Regular release channel.

Rapid channel

Version 1.20.8-gke.900 is now the default version in the Rapid channel.
Version 1.20.9-gke.700 is now available in the Rapid channel.
Version 1.21.3-gke.900 is now available in the Rapid channel.
Version 1.20.8-gke.700 is no longer available in the Rapid channel.
Version 1.21.2-gke.600 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.8-gke.900 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to version 1.21.3-gke.100 with this release.

July 27, 2021

(2021-R24) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.20.8-gke.900 is now the default version.
The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.18.18-gke.1101
- 1.18.18-gke.1701
- 1.20.7-gke.1800
- 1.20.7-gke.2200
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.8-gke.700 with this release.

Stable channel

Version 1.18.20-gke.501 is now the default version in the Stable channel.
Version 1.18.20-gke.900 is now available in the Stable channel.
Version 1.19.12-gke.2100 is now available in the Stable channel.
Version 1.18.19-gke.1701 is no longer available in the Stable channel.
Version 1.19.10-gke.1000 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.20-gke.501 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to version 1.19.11-gke.2101 with this release.

Regular channel

Version 1.20.8-gke.900 is now the default version in the Regular channel.
The following versions are no longer available in the Regular channel:
- 1.19.9-gke.1900
- 1.19.11-gke.1701
- 1.19.12-gke.1100
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.8-gke.900 with this release.

Rapid channel

Version 1.21.3-gke.100 is now available in the Rapid channel.

July 21, 2021

Google Groups for RBAC is now generally available.

July 20, 2021

(2021-R23) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following control plane and node versions are now available:
The following control plane versions are no longer available:
- 1.18.17-gke.1900
- 1.19.9-gke.1400
- 1.20.6-gke.1000
- 1.20.6-gke.1400
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.17-gke.1901 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.19.9-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.7-gke.1800 with this release.

Stable channel

Version 1.18.19-gke.1701 is now the default version in the Stable channel.
Version 1.18.20-gke.501 is now available in the Stable channel.
Version 1.18.17-gke.1901 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.19-gke.1701 with this release.

Regular channel

Version 1.19.12-gke.1100 is now available in the Regular channel.
Version 1.20.8-gke.900 is now available in the Regular channel.
Version 1.20.7-gke.1800 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.8-gke.900 with this release.

Rapid channel

Version 1.20.8-gke.700 is now the default version in the Rapid channel.
Version 1.20.8-gke.900 is now available in the Rapid channel.
Version 1.20.7-gke.2200 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.8-gke.700 with this release.

Legacy Logging and Monitoring was deprecated December 12, 2019 and was decommissioned March 31, 2021. As described in the guide for Migrating to Cloud Operations for GKE all clusters still using Legacy Logging and Monitoring are being automatically and gradually migrated to Cloud Operations for GKE during the coming weeks.

July 14, 2021

A new security vulnerability, CVE-2021-22555, has been discovered where a malicious actor with CAP_NET_ADMIN privileges can potentially cause a container breakout to root on the host. This vulnerability affects all GKE clusters and Anthos clusters on VMware running Linux version 2.6.19 or later.

For more information, see the GCP-2021-015 security bulletin.

July 13, 2021

There is a known issue that prevents the gcloud client from interacting with multi-cluster Ingress that was introduced in gcloud version 346.0.0 and was fixed in version 348.0.0. It is recommended that you do not use gcloud versions 346.0.0 and 347.0.0 when using multi-cluster Ingress.

July 09, 2021

(2021-R22) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following versions are now available:
The following versions are no longer available:
- 1.18.18-gke.1100
- 1.18.18-gke.1700
- 1.18.19-gke.1700
- 1.18.19-gke.2100
- 1.19.10-gke.1600
- 1.19.10-gke.1700
- 1.19.11-gke.1700
- 1.19.11-gke.2100

Stable channel

Version 1.18.19-gke.1701 is now available in the Stable channel.
Version 1.19.11-gke.2101 is now available in the Stable channel.
Version 1.18.18-gke.1700 is no longer available in the Stable channel.

Regular channel

Version 1.19.11-gke.1701 is now available in the Regular channel.
Version 1.20.7-gke.1800 is now available in the Regular channel.
Version 1.19.10-gke.1700 is no longer available in the Regular channel.
Version 1.20.6-gke.1000 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.7-gke.1800 with this release.

Rapid channel

Version 1.20.7-gke.2200 is now the default version.
Version 1.20.8-gke.700 is now available in the Rapid channel.
Version 1.21.2-gke.600 is now available in the Rapid channel.
Version 1.20.6-gke.1400 is no longer available in the Rapid channel.
Version 1.20.7-gke.1800 is no longer available in the Rapid channel.
Version 1.21.1-gke.2200 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.7-gke.2200 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.2-gke.600 with this release.

July 08, 2021

Microsoft published a security bulletin on a Remote code execution (RCE) vulnerability, CVE-2021-34527, that affects the print spooler in Windows servers. The CERT Coordination Center (CERT/CC) published an update note on a related vulnerability, dubbed "PrintNightmare" that also affects Windows print spoolers - PrintNightmare, Critical Windows Print Spooler Vulnerability.

For more information, see the GCP-2021-014 security bulletin.

July 02, 2021

The Istio project recently disclosed a new security vulnerability, CVE-2021-34824, affecting Istio. Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

For more information, see the GCP-2021-012 security bulletin.

Config Management is now available on GKE. Config Management provides you with the following benefits:

You can now use Policy Controller. Policy Controller enables the enforcement of fully programmable policies for your clusters. To learn more, see Policy Controller overview.
You can now install Config Sync using the Cloud Console or the gcloud command line tool. To learn more, see Installing Config Sync.

June 29, 2021

The asia-south2 region in Delhi is now available.

June 28, 2021

In GKE node version 1.21.1-gke.2200 and later, Containerd is available as a runtime for Windows Server LTSC and SAC node images. Containerd is the recommended container runtime for GKE. For more information, see Node images.

June 25, 2021

GKE clusters on some 1.18.18+ and 1.19.10+ versions might fail to create or apply CustomResourceDefinitions containing integer validation rules using server-side apply. The following error occurs: failed to convert new object to proper version: unable to convert unstructured object to apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: cannot convert int64 to float64.

The following versions are affected:

1.19.11-gke.1700
1.19.10-gke.1700
1.19.10-gke.1600
1.19.10-gke.1000
1.18.19-gke.1700
1.18.18-gke.1700
1.18.18-gke.1100

To resolve this issue, upgrade to a newer version or downgrade to one of the following versions:

1.19.9-gke.1900
1.18.17-gke.1901

(2021-R21) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.19.9-gke.1900 is now the default version.
The following versions are now available:
The following versions are no longer available:
- 1.17.17-gke.3700
- 1.17.17-gke.4400
- 1.17.17-gke.4900
- 1.17.17-gke.5400
- 1.17.17-gke.6000
- 1.17.17-gke.6700
- 1.17.17-gke.7200
- 1.17.17-gke.7800
- 1.17.17-gke.8200
- 1.17.17-gke.9100
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.17 to version 1.18.17-gke.1901 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.19.10-gke.1600 with this release.

Stable channel

Version 1.18.18-gke.1700 is now available in the Stable channel.
Version 1.18.17-gke.1900 is no longer available in the Stable channel.
Version 1.18.18-gke.1100 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.18.17-gke.1901 with this release.

Regular channel

Version 1.19.9-gke.1900 is now the default version in the Regular channel.
Version 1.19.9-gke.1900 is now available in the Regular channel.
Version 1.19.10-gke.1600 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to 1.19.10-gke.1700 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.19.10-gke.1700 with this release.

Rapid channel

Version 1.20.7-gke.2200 is now available in the Rapid channel.
Version 1.21.1-gke.2200 is now available in the Rapid channel.
Version 1.21.1-gke.1800 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to 1.20.7-gke.1800 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.7-gke.1800 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.1-gke.2200 with this release.

June 24, 2021

Internal load balancer subsetting for GKE is now generally available in GKE versions 1.18.19-gke.1400 and later.

June 21, 2021

The australia-southeast2 region in Melbourne is now available.

June 16, 2021

(2021-R20) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.19.10-gke.1600 is now the default version.
The following versions are now available:
The following versions are no longer available:
- 1.18.17-gke.1200
- 1.18.17-gke.1201
- 1.19.9-gke.1400
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.17-gke.1901 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.19.9-gke.1900 with this release.

Stable channel

Version 1.18.17-gke.1901 is now the default version in the Stable channel.
Version 1.18.18-gke.1100 is now available in the Stable channel.
Version 1.18.17-gke.1200 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.17-gke.1901 with this release.

Regular channel

Version 1.19.10-gke.1600 is now the default version in the Regular channel.
Version 1.19.10-gke.1700 is now available in the Regular channel.
Version 1.19.9-gke.1900 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to 1.19.10-gke.1600 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.19.10-gke.1600 with this release.

Rapid channel

Version 1.20.7-gke.1800 is now available in the Rapid channel.
Version 1.21.1-gke.1800 is now available in the Rapid channel.
Version 1.21.1-gke.400 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.1-gke.1800 with this release.

June 15, 2021

The issue affecting the Datadog Agent on Autopilot has been resolved in Datadog version 2.13.1.

June 11, 2021

GKE Multi-cluster Services support for pod-specific addressing is now generally available.

June 10, 2021

Volume snapshots is now generally available. Starting in GKE version 1.21 and later, you can now use v1 snapshots; v1beta1 snapshots will continue to operate as expected until further notice.

Committed use discounts are now generally available to purchase for Google Kubernetes Engine (Autopilot Mode).

Google Kubernetes Engine (Autopilot Mode) committed use discounts apply to all Autopilot Pod workload vCPU, memory, and ephemeral storage usage in the region in which you have committed. Google Kubernetes Engine (Autopilot Mode) committed use discounts do not apply to the cluster management fee or to GKE Standard mode compute nodes.

See the documentation for more details.

For GKE clusters running Windows Server node pools, you can see the version mapping between GKE versions and Windows Server versions for all available GKE versions by using a gcloud command. This feature is now available in preview.

For more details, see Use gcloud tool to get version mapping.

June 09, 2021

(2021-R19) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.18.17-gke.1900 is now the default version.
The following versions are now available:
The following versions are no longer available:
- 1.18.17-gke.100
- 1.18.17-gke.700
- 1.19.8-gke.1600
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.17-gke.1200 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.6-gke.1000 with this release.

Stable channel

Version 1.18.17-gke.1900 is now the default version in the Stable channel.
Version 1.18.17-gke.1901 is now available in the Stable channel.
Version 1.19.10-gke.1000 is now available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.17-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to version 1.19.10-gke.1000 with this release.

Regular channel

Version 1.19.10-gke.1600 is now available in the Regular channel.
Version 1.20.6-gke.1000 is now available in the Regular channel.
Version 1.19.9-gke.1400 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.19.9-gke.1900 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.6-gke.1000 with this release.

Rapid channel

Version 1.20.6-gke.1400 is now the default version in the Rapid channel.
Version 1.21.1-gke.400 is now available in the Rapid channel.
Version 1.20.6-gke.1000 is no longer available in the Rapid channel.
Version 1.21.1-gke.100 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.6-gke.1400 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.1-gke.400 with this release.

If you manually upgrade your cluster from 1.18 to 1.19 and the network tier configuration on an existing external network load balancer does not match the network tier annotation in the service spec (if unspecified, defaults to Premium), the load balancer will be deleted and recreated, and the network tier configuration will be enforced.

A domain-scoped project is not supported in GKE version 1.20. The cluster's CertificateSigningRequest will be denied when validating the DNS name and the nodes cannot join the cluster.

1.20 is now generally available

Kubernetes 1.20 is now generally available (GA). Before upgrading, read the Kubernetes 1.20 Release Notes especially the Urgent upgrade notes and Deprecations sections.

The node.k8s.io/v1beta1 RuntimeClass API has graduated to node.k8s.io/v1 with no changes. API clients and manifests should switch to using the node.k8s.io/v1 API after version 1.20. The node.k8s.io/v1beta1 API is deprecated and will no longer be served starting in version 1.25.

As of version 1.20, the kubelet no longer creates the target_path for NodePublishVolume in accordance with the CSI spec. If you have self-managed CSI drivers deployed in your cluster, ensure that they are idempotent and do any necessary mount creation or verification. For more information, see Kubernetes issue #88759.

Starting in version 1.20, timeouts on exec probes are honored, and default to 1 second if unspecified. If you have Pods using exec probes, ensure that they can easily complete in 1 second or explicitly set an appropriate timeout. For more information, see ConfigureProbes.

Non-deterministic treatment of objects with invalid ownerReferences was fixed in version 1.20. Run the kubectl-check-ownerreferences tool prior to upgrade to locate existing objects with invalid ownerReferences.

A namespaced object with an ownerReference to another namespaced object which does not exist in the same namespace is now consistently treated as having a missing owner and is deleted.
A cluster-scoped object with an ownerReference to a namespaced object is now consistently treated as having an unresolvable owner, and is ignored by the garbage collector.
Starting in version 1.20, when a namespace mismatch between a child and owner object is detected, an event with a reason code of OwnerRefInvalidNamespace is recorded.

The metadata.selfLink field, deprecated since version 1.16, is no longer populated in version 1.20. See Kubernetes issue #1164 for details. A related bug in the k8s.io/client-golibrary in the GetReference function was fixed in versions 0.15.9 or later, 0.16.4 or later, and 0.17.0 or later. Clients using the GetReference function should upgrade to one of those versions of client-go or newer in order to work correctly against an API Server running version 1.20 or later.

Reminder: Future beta API removals in versions 1.22 and 1.25

Kubernetes versions 1.22 and 1.25 will stop serving several deprecated beta APIs. It is recommended to begin migrating your clients and manifests to the stable replacement APIs now. More information is available in the OSS Kubernetes documentation.

June 07, 2021

You can now specify the default image type to use for new auto-provisioning node pools. See Using node auto-provisioning for more details.

June 04, 2021

The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

May 28, 2021

(2021-R18) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.19.9-gke.1900 is now the default version.
Version 1.18.18-gke.1700 is now available.
Version 1.19.10-gke.1700 is now available.
Version 1.18.17-gke.100 is no longer available.
Version 1.19.8-gke.1600 is no longer available.

Stable channel

Version 1.18.17-gke.1200 is now the default version in the Stable channel.
Version 1.18.17-gke.1900 is now available in the Stable channel.
Version 1.17.17-gke.4900 is no longer available in the Stable channel.
Version 1.17.17-gke.5400 is no longer available in the Stable channel.
Version 1.18.17-gke.700 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.17-gke.1200 with this release.

Regular channel

Version 1.19.9-gke.1900 is now the default version in the Regular channel.

Rapid channel

Version 1.20.6-gke.1400 is now available in the Rapid channel.
Version 1.21.1-gke.100 is now available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.1-gke.100 with this release.

1.21 available in the Rapid channel

Kubernetes version 1.21 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.21 Release Notes, especially the action required and deprecation sections.

1.21 Features

The following features are introduced in version 1.21:

CronJob (GA)

The CronJob API has graduated to General Availability (GA), bringing performance improvements and allowing scheduled jobs to be run using a stable API.

This resource is now available in the batch/v1 group/version.
The batch/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

PodDisruptionBudget (GA)

The PodDisruptionBudget has graduated to GA, allowing pod evictions to be controlled using a stable API.

This resource is now available in the policy/v1 group/version.
The policy/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

EndpointSlice (GA)

The EndpointSlice API has graduated to GA, bringing performance improvements over the v1 Endpoints API.

This more scalable API for service discovery is now enabled on all clusters and is promoted to discovery.k8s.io/v1.
The discovery.k8s.io/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

Default namespace label (Beta)

Bound service account token volumes (Beta)

The API credentials injected into containers at /var/run/secrets/kubernetes.io/serviceaccount/token are now time-limited, auto-refreshed, and invalidated when the containing pod is deleted.
By default, injected tokens are given an extended lifetime so they remain valid even after a new refreshed token is provided. The metric serviceaccount_stale_tokens_total and the audit annotation authentication.k8s.io/stale-token can be used to monitor for workloads that depend on the extended lifetime and are continuing to use tokens even after a refreshed token is provided to the container.
Clients should reload the token from disk periodically (once per minute is recommended) to ensure they use the refreshed token. k8s.io/client-go version 11.0.0+ and 0.15.0+ reload tokens automatically.

In Kubernetes 1.21, newly provisioned PersistentVolumes by gce-pd will use the topology.kubernetes.io/zone GA label instead of the failure-domain.beta.kubernetes.io/zone beta label.

1.21 New Beta and Stable APIs

The following Stable APIs are new in 1.21:

batch/v1 CronJob
policy/v1 PodDisruptionBudget
discovery.k8s.io/v1 EndpointSlice

The following Beta APIs are new in 1.21:

storage.k8s.io/v1beta1 CSIStorageCapacity

1.21 Deprecated APIs

The following APIs are deprecated in the 1.21 release:

PodSecurityPolicy
- policy/v1beta1 PodSecurityPolicy
- Deprecated in 1.21 with removal targeted for version 1.25.
The following Beta versions of newly graduated APIs will be removed in 1.25 in favor of GA versions:
- discovery.k8s.io/v1beta1 EndpointSlice
- policy/v1beta1 PodDisruptionBudget
- batch/v1beta1 CronJob
The following Beta versions of previously graduated APIs will be removed in 1.22 in favor of GA versions:
- admissionregistration.k8s.io/v1beta1, MutatingWebhookConfiguration
- admissionregistration.k8s.io/v1beta1, ValidatingWebhookConfiguration
- apiextensions.k8s.io/v1beta1, CustomResourceDefinition
- apiregistration.k8s.io/v1beta1, APIService
- authentication.k8s.io/v1beta1, TokenReview
- authorization.k8s.io/v1beta1, LocalSubjectAccessReview
- authorization.k8s.io/v1beta1, SelfSubjectAccessReview
- authorization.k8s.io/v1beta1, SubjectAccessReview
- certificates.k8s.io/v1beta1, CertificateSigningRequest
- coordination.k8s.io/v1beta1, Lease
- extensions/v1beta1, Ingress
- networking.k8s.io/v1beta1, Ingress
- networking.k8s.io/v1beta1, IngressClass
- rbac.authorization.k8s.io/v1beta1, ClusterRole
- rbac.authorization.k8s.io/v1beta1, ClusterRoleBinding
- rbac.authorization.k8s.io/v1beta1, Role
- rbac.authorization.k8s.io/v1beta1, RoleBinding
- scheduling.k8s.io/v1beta1, PriorityClass
- storage.k8s.io/v1beta1, CSIDriver
- storage.k8s.io/v1beta1, CSINode
- storage.k8s.io/v1beta1, StorageClass
- storage.k8s.io/v1beta1, VolumeAttachment

GKE clusters running version 1.18 or later now support container native Cloud DNS (available in Preview). Cloud DNS can be used as the in-cluster DNS provider instead of kube-dns.

May 21, 2021

Network Policy Logging is generally available (GA). Note that Network Policy Logging requires Dataplane V2.

May 20, 2021

In GKE version 1.20 and later, audit logging does not occur for Binary Authorization fail open events.

May 19, 2021

(2021-R17) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Version 1.17.17-gke.8200 is now available.
Version 1.18.18-gke.1100 is now available.
Version 1.19.10-gke.1600 is now available.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.17 to version 1.18.17-gke.700 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.17-gke.700 with this release.

Stable channel

Version 1.18.17-gke.700 is now the default version in the Stable channel.
Version 1.18.17-gke.1200 is now available in the Stable channel.
Version 1.18.17-gke.100 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.18.17-gke.700 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.17-gke.700 with this release.

Regular channel

Version 1.19.9-gke.1900 is now available in the Regular channel.
Version 1.18.17-gke.700 is no longer available in the Regular channel.

Rapid channel

Version 1.20.6-gke.1000 is now the default version in the Rapid channel.
Version 1.19.9-gke.1900 is no longer available in the Rapid channel.
Version 1.19.10-gke.1000 is no longer available in the Rapid channel.
The following control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded with this release:
- From version 1.18 to 1.19.9-gke.1900.
- From version 1.19 to 1.20.6-gke.1000.
- From version 1.20 to 1.20.6-gke.1000.

For GKE clusters running 1.18.18-gke.1200 or later, Ingress Controller only syncs NEGs that were created by the controller. Custom named NEGs that were created outside of the controller will no longer be synced.

May 17, 2021

The UpgradeAvailableEvent notification is now generally available.

May 12, 2021

(2021-R16) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.19.9-gke.1400 is now the default version.
Version 1.17.17-gke.7800 is now available.
Version 1.19.10-gke.1000 is now available.
The following versions are no longer available:
- 1.18.15-gke.1501
- 1.18.15-gke.1502
- 1.18.16-gke.1201
- 1.18.16-gke.2100
- 1.18.16-gke.300
- 1.18.16-gke.302
- 1.18.16-gke.502
The following control planes and nodes with auto-upgrade enabled will be upgraded with this release:
- From version 1.17 to 1.18.17-gke.100.
- From version 1.18 to 1.18.17-gke.100.
- From version 1.19 to 1.19.9-gke.1400.

Stable channel

Version 1.18.17-gke.700 is now available in the Stable channel.
The following control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded with this release:
- From version 1.17 to 1.18.17-gke.100.
- From version 1.18 to 1.18.17-gke.100.

Regular channel

Version 1.19.9-gke.1400 is now the default version in the Regular channel.
Version 1.18.17-gke.100 is no longer available in the Regular channel.
Version 1.19.8-gke.1600 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.19.9-gke.1400 with this release.

Rapid channel

Version 1.19.10-gke.1000 is now available in the Rapid channel.
Version 1.20.6-gke.1000 is now available in the Rapid channel.
Version 1.20.5-gke.2000 is no longer available in the Rapid channel.
The following control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded with this release:
- From version 1.18 to 1.19.9-gke.1900.
- From version 1.19 to 1.19.9-gke.1900.
- From version 1.20 to 1.20.6-gke.1000.

Dataplane V2 is generally available in newly created clusters using GKE versions 1.20.6-gke.700 and later.

The GKE Gateway controller, Google Cloud's implementation of the Gateway API, is available in Preview in GKE version 1.20 and later. See Deploying Gateways for how to expose applications using Gateway.

In GKE version 1.20 and later, the GKE Gateway controller introduces the new gateway.networking.x-k8s.io resource. This is similar but different from the gateway.networking.istio.io resource. This may cause the kubectl get gateway command to return the incorrect Gateway resource unless the fully qualified resource name is used. To avoid seeing unexpected results when using kubectl, see Kubernetes Gateways and Istio Gateways.

The Istio project recently disclosed a new security vulnerability (CVE-2021-31920) affecting Istio. For more information, see the GCP-2021-006 security bulletin.

May 06, 2021

You can now enable and configure OS Login for private GKE clusters and nodes. This feature is enabled for private GKE clusters running node pool versions 1.20.5 or later.

The Envoy and Istio projects recently announced several new security vulnerabilities ( CVE-2021-28683, CVE-2021-28682, and CVE-2021-29258) that could allow an attacker to crash Envoy.

For more information, see the GCP-2021-004 security bulletin.

May 04, 2021

(2021-R15) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.18.17-gke.100 is now the default version.
Version 1.17.17-gke.7200 is now available.
The following versions are no longer available:
- 1.16.15-gke.12500
- 1.16.15-gke.14800
- 1.17.17-gke.1101
- 1.17.17-gke.1500
- 1.17.17-gke.2800
- 1.17.17-gke.3000
The following control planes and nodes with auto-upgrade enabled will be upgraded with this release:
- From version 1.17 to 1.18.17-gke.100.
- From version 1.18 to 1.18.17-gke.100.
- From version 1.19 to 1.19.8-gke.1600.

Stable channel

Version 1.18.17-gke.100 is now the default version in the Stable channel.
Version 1.17.17-gke.5400 is now available in the Stable channel.
The following versions are no longer available in the Stable channel:
- 1.17.17-gke.3700
- 1.18.16-gke.2100
The following control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded with this release:
- From version 1.17 to 1.18.17-gke.100.
- From version 1.18 to 1.18.17-gke.100.

Regular channel

Version 1.18.17-gke.100 is now the default version in the Regular channel.
The following versions are now available in the Regular channel:
- 1.18.17-gke.700
- 1.19.9-gke.1400
Version 1.18.16-gke.2100 is no longer available in the Regular channel.
The following control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded with this release:
- From version 1.17 to 1.18.17-gke.100.
- From version 1.18 to 1.18.17-gke.100.

Rapid channel

Version 1.19.9-gke.1900 is now the default version in the Rapid channel.
Version 1.19.9-gke.1400 is no longer available in the Rapid channel.
The following control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded with this release:
- From version 1.18 to 1.19.9-gke.1900.
- From version 1.19 to 1.19.9-gke.1900.

May 03, 2021

The kubelet graceful node shutdown feature is now enabled on preemptible and GPU accelerator nodes running versions 1.20.5-gke.500 or later.

April 29, 2021

For GKE clusters with Windows Server nodes, node names will now be limited to 15-characters to allow for Active Directory joining.

Fixes for the following GKE Autopilot clusters issues are rolling out to the Rapid release channel:

Pods with a priority lower than -10 would not trigger scale up.
Pod anti-affinity might cause overscaling.

April 27, 2021

(2021-R14) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following versions are now available:
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.16-gke.2100 with this release.

Stable channel

Version 1.17.17-gke.4900 is now available in the Stable channel.
Version 1.18.17-gke.100 is now available in the Stable channel
Version 1.18.16-gke.302 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.16-gke.2100 with this release.

Regular channel

Version 1.18.16-gke.2100 is now the default version in the Regular channel.
Version 1.18.17-gke.100 is now available in the Regular channel.
Version 1.18.16-gke.502 is no longer available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.17 to version 1.18.16-gke.2100 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.2100 with this release.

Rapid channel

Version 1.19.9-gke.1400 is now the default version in the Rapid channel.
Version 1.19.9-gke.1900 is now available in the Rapid channel.
Version 1.20.5-gke.2000 is now available in the Rapid channel.
Version 1.19.9-gke.700 is no longer available in the Rapid channel.
Version 1.20.5-gke.1300 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.9-gke.1400 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.9-gke.1400 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.2000 with this release.

Multi-Instance GPU on GKE is available in Preview.

April 21, 2021

See GKE release schedule for information on the current versions rollout and support schedule. See Versioning for details on the GKE version suppport and life cycle.

April 20, 2021

(2021-R13) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.17.17-gke.3700 is now the default version.
The following versions are now available:
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.16 to version 1.17.17-gke.3700 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.17 to version 1.17.17-gke.3700 with this release.

Stable channel

Version 1.17.17-gke.3700 is now the default version in the Stable channel.
Version 1.18.16-gke.2100 is now available in the Stable channel.
Version 1.17.17-gke.3000 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.16 to version 1.17.17-gke.3700 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.17.17-gke.3700 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Regular channel

Version 1.18.16-gke.2100 is now available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to version 1.19.8-gke.1600 with this release.

Rapid channel

Version 1.19.9-gke.700 is now the default version in the Rapid channel.
Version 1.19.9-gke.1400 is now available in the Rapid channel.
Version 1.20.5-gke.1300 is now available in the Rapid channel.
Version 1.19.9-gke.100 is no longer available in the Rapid channel.
Version 1.20.5-gke.800 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.9-gke.700 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.9-gke.700 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.1300 with this release.

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. For more details, see the GCP-2021-003 security bulletin.

April 19, 2021

Due to GKE Autopilot restrictions on the kubelet API surface, the Datadog Agent is not operating correctly on Autopilot mode clusters.

April 14, 2021

(2021-R12) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.17.17-gke.3000 is now the default version.
The following versions are now available:
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.16 to version 1.17.17-gke.3000 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.17 to version 1.17.17-gke.3000 with this release.

Stable channel

Version 1.17.17-gke.3000 is now the default version in the Stable channel.
Version 1.17.17-gke.3700 is now available in the Stable channel.
Version 1.17.17-gke.2800 is no longer available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.16 to version 1.17.17-gke.3000 with this release.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.17.17-gke.3000 with this release.

Regular channel

Version 1.19.8-gke.1600 is now available in the Regular channel.
Version 1.18.16-gke.302 is no longer available in the Regular channel.

Rapid channel

Version 1.19.9-gke.100 is now the default version in the Rapid channel.
Version 1.19.9-gke.700 is now available in the Rapid channel.
Version 1.20.5-gke.800 is now available in the Rapid channel.
Version 1.19.8-gke.2000 is no longer available in the Rapid channel.
Version 1.20.5-gke.101 is no longer available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.9-gke.100 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.9-gke.100 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.800 with this release.

1.19 GA

GKE version 1.19 is now generally available (GA).

Before upgrading to 1.19, read the Kubernetes 1.19 Release Notes especially the Urgent upgrade notes.

See below for notable changes and features in version 1.19.

The basic authentication method is no longer available starting with Kubernetes version 1.19. GKE clusters also no longer support basic authentication as they gradually upgrade to Kubernetes version 1.19. Basic authentication has been disabled by default for new GKE clusters since GKE version 1.12 and its usage has been discouraged in the Hardening your cluster's security guide. Migrate away from basic authentication before your cluster control planes are upgraded to Kubernetes version 1.19 to ensure your API clients can continue accessing the API server. To learn more about recommended authentication methods in GKE, see Authenticating to the Kubernetes API Server.

Admission webhooks and custom resource conversion webhooks must use serving certificates that contain the server name in a subjectAltName extension. Server names in the certificate CommonName will not be honored in future versions.

kube-proxy now uses EndpointSlices by default.

With the release of GKE node version 1.19, the Container-Optimized OS with Docker (cos) variant is deprecated. Please migrate to the Container-Optimized OS with Containerd (cos_containerd) variant, which is now the default GKE node image. For instructions, see Containerd images.

Seccomp General Availability (GA)

Seccomp (secure computing mode) support for Kubernetes has graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or individual containers.

A new seccompProfile field is added to Pod and Container securityContext objects, starting in Kubernetes version 1.19.

securityContext:
  seccompProfile:
    # "Unconfined", "RuntimeDefault", or "Localhost"
    type: Localhost
    # only necessary if type == Localhost
    localhostProfile: my-profiles/profile-allow.json

The alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io/... are deprecated in favor of the GA API field. The alpha annotations will not be honored in Kubernetes versions 1.22 and later.

Prepare for transition

If you are currently using Seccomp annotations on Pods or Containers, you should identify and transition workloads using the annotations to set the API fields before version 1.21 is released on GKE (approximately in June 2021). No change on PodSecurityPolicy is required, as it supports both annotation and field seccomp profiles. You can perform the following recommended steps:

Locate Seccomp annotation usages

In your Kubernetes manifest files, search for "seccomp.security.alpha.kubernetes.io/pod" and "container.seccomp.security.alpha.kubernetes.io/".

Add or update securityContext fields

Based on your annotation usage, add or update (if securityContext already exists) the securityContext field in the Pod or Container spec. The annotations can be left in place, but must match the securityContext API field.

Current annotation usage	Add or update `securityContext`
`seccomp.security.alpha.kubernetes.io/pod`	In the Pod's `securityContext`, add the `seccompProfile` field.
`container.seccomp.security.alpha.kubernetes.io/container-name`	In the `container-name` container's `securityContext`, add the `seccompProfile` field.

Set values for seccompProfile

The type field of seccompProfile corresponds to the annotation value, and localhostProfile field corresponds to the path following localhost annotation value.

Current annotation value	`seccompProfile` value
`unconfined`	seccompProfile: type: Unconfined
`runtime/default` or `docker/default`	seccompProfile: type: RuntimeDefault
`localhost/path/to/profile.json`	seccompProfile: type: Localhost localhostProfile: path/to/profile.json

More resources

The widely used Ingress API has graduated to general availability in Kubernetes 1.19. The v1beta1 Ingress API is deprecated, and will no longer be served in versions 1.22 and later. Before version 1.21, identify and transition clients and manifests using the v1beta1 Ingress API to use networking.k8s.io/v1.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the Ingress v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion=("extensions/v1beta1" OR "networking.k8s.io/v1beta1")
protoPayload.request.kind="Ingress"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 Ingress APIs to use networking.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 APIs need to be upgraded before your cluster is upgraded to GKE 1.22.

To migrate manifests to networking.k8s.io/v1, perform the following:

Rename the spec.backend field (if specified) to spec.defaultBackend.
Rename each backend.serviceName field to backend.service.name.
Rename each numeric backend.servicePort field to backend.service.port.number.
Rename each string backend.servicePort field to backend.service.port.name.
Specify a pathType field for each defined path. Options are Prefix, Exact, and ImplementationSpecific. To match the undefined v1beta1 behavior, use ImplementationSpecific.

As an example, to migrate this v1beta1 manifest to v1:

Original v1beta1 manifest	Equivalent networking.k8s.io/v1 manifest
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: example spec: backend: serviceName: default-backend servicePort: 80 rules: - http: paths: - path: /testpath backend: serviceName: test servicePort: 80	apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: example spec: defaultBackend: service: name: default-backend port: number: 80 rules: - http: paths: - path: /testpath pathType: ImplementationSpecific backend: service: name: test port: number: 80

Original v1beta1 manifest

Equivalent networking.k8s.io/v1 manifest

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
spec:
  backend:
    serviceName: default-backend
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
spec:
  defaultBackend:
    service:
      name: default-backend
      port:
        number: 80
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 80

CertificateSigningRequest v1 API

The CertificateSigningRequest API has graduated to certificates.k8s.io/v1 in Kubernetes 1.19. The v1beta1 CertificateSigningRequest API is deprecated and will no longer be served in version 1.22 and later.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the CertificateSigningRequest v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion="certificates.k8s.io/v1beta1"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 CertificateSigningRequest API to use certificates.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 API need to be upgraded before your cluster is upgraded to GKE version 1.22.

Differences between the v1beta1 and v1 API are as follows:

For API clients requesting certificates:
- spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created via the certificates.k8s.io/v1 API.
- spec.usages is now required, may not contain duplicate values, and must only contain known usages.
For API clients approving or signing certificates:
- status.conditions may not contain duplicate types.
- status.conditions[*].status is now required.
- status.certificate must be PEM-encoded, and must contain only CERTIFICATE blocks.

Admission webhooks and custom resource conversion webhooks using invalid serving certificates that do not contain the server name in a subjectAltName extension cannot be contacted by the Kubernetes API server in 1.19 prior to version 1.19.9-gke.400. This will be resolved in version 1.19.9-gke.400, and automatic upgrades from 1.18 to 1.19 will not begin until this issue is resolved. However, affected webhooks should work to correct their serving certificates in order to work correctly with Kubernetes version 1.22 and later.

Service API objects with more than 100 ports do not work correctly with EndpointSlices (https://issue.k8s.io/99382). This will be resolved in version 1.19.9-gke.600, and automatic upgrades from 1.18 to 1.19 will not begin until this issue is resolved.

April 06, 2021

(2021-R11) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

The following versions are now available:
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.16-gke.502 with this release.

Stable channel

The following versions are now available in the Stable channel:
- 1.17.17-gke.3000
- 1.18.16-gke.302

Regular channel

Version 1.18.16-gke.502 is now the default version.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.17 to version 1.18.16-gke.502 with this release.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.502 with this release.

Rapid channel

Version 1.19.8-gke.2000 is now the default version.
The following versions are now available in the Rapid channel:
- 1.19.9-gke.100
- 1.20.5-gke.100
The following versions are no longer available in the Rapid channel:
- 1.19.8-gke.1600
- 1.20.4-gke.2200
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.8-gke.2000 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.2000 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.100 with this release.

Versions no longer available

The following versions are no longer available for new clusters or upgrades:

Versions 1.15 and earlier.

March 29, 2021

(2021-R10) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.17.17-gke.2800 is now the default version.
The following versions are now available:
The following versions are no longer available:
- 1.15.12-gke.6002
- 1.16.15-gke.10600
- 1.16.15-gke.11800
- 1.16.15-gke.7801
- 1.17.15-gke.800
- 1.17.17-gke.1100
- 1.18.12-gke.1210
- 1.18.14-gke.1200
- 1.18.14-gke.1600
- 1.18.15-gke.1100
- 1.18.15-gke.1102
- 1.18.15-gke.1500
- 1.18.16-gke.1200
- 1.18.16-gke.500
Control planes and nodes with auto-upgrade enabled will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.2800 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Stable channel

Version 1.17.17-gke.2800 is now the default version in the Stable channel.
The following versions are no longer available in the Stable channel:
- 1.16.15-gke.7801
- 1.17.17-gke.1101
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.2800 with this release.

Regular channel

Version 1.18.16-gke.302 is now the default version in the Regular channel.
Version 1.18.16-gke.502 is now available in the Regular channel.
The following versions are no longer available in the Regular channel:
- 1.18.15-gke.1501
- 1.18.15-gke.1502
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Rapid channel

Version 1.19.8-gke.1600 is now the default version in the Rapid channel.
The following versions are now available in the Rapid channel:
- 1.19.8-gke.2000
- 1.20.4-gke.2200
The following versions are no longer available in the Rapid channel:
- 1.19.8-gke.1000
- 1.20.4-gke.1800
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.1600 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.4-gke.2200 with this release.

March 24, 2021

The europe-central2 region in Warsaw is now available.

March 23, 2021

Starting tomorrow, March 24, 2021, the mechanism we use to create GKE release notes will change. Although this change does not affect the content of the notes, it does affect the presentation and underlying syntax. If you subscribe to the XML feed for this page, entries for March 24 and earlier will be updated as a result of changes to formatting and syntax; the content itself did not change.

The feed URL will also change from https://cloud.google.com/feeds/kubernetes-engine-release-notes.xml to https://cloud.google.com/feeds/gke-main-release-notes.xml. We will automatically redirect from the old URL to the new one.

Workload Identity for Windows Server nodes is now available in GKE versions 1.18.16-gke.1200, 1.19.8-gke.1300, 1.20.4-gke.1500, and later.

Windows Server, version 1909 is reaching end of support on May 11, 2021. Newer Windows Server image versions are available in GKE versions 1.19.8-gke.1600+ and 1.20.4-gke.500+.

March 19, 2021

Google canonical error codes are now available in GA. GKE operations now use the canonical error model to report errors.

Added support for multiple pod CIDRs (available in Preview) which allows users to specify a different Pod CIDR for a new node pool than the one specified during cluster creation. This alleviates the problem of running out of Pod IP addresses for under provisioned clusters.

You can dynamically update the network tags, node labels and node taints of an existing GKE node pool. This feature is available in Preview. For more information, see Applying updates to node pool metadata.

March 16, 2021

(2021-R9) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.17.17-gke.3700 is now available.
Version 1.18.15-gke.1502 is now available.
Version 1.18.16-gke.302 is now available.
Version 1.18.16-gke.1200 is now available.
Control planes and nodes with auto-upgrade enabled will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.1101 with this release.
Control planes and nodes with auto-upgrade enabled will be upgraded from versions 1.18 to version 1.18.15-gke.1501 with this release.

Stable channel

Version 1.17.17-gke.2800 is now available in the Stable channel.
Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.1101 with this release.
Version 1.17.17-gke.1100 is no longer available in the Stable channel.

Regular channel

Version 1.18.15-gke.1501 is now the default version in the Regular channel.
Version 1.18.15-gke.1502 is now available in the Regular channel.
Version 1.18.16-gke.302 is now available in the Regular channel.
Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.15-gke.1501 with this release.
Version 1.18.12-gke.1210 is no longer available in the Regular channel.

Rapid channel

Version 1.19.8-gke.1000 is now the default version in the Rapid channel.
Version 1.19.8-gke.1600 is now available in the Rapid channel.
Version 1.20.4-gke.1800 is now available in the Rapid channel.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.1000 with this release.
Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.4-gke.1800 with this release.
Version 1.19.7-gke.2503 is no longer available in the Rapid channel.
Version 1.20.4-gke.400 is no longer available in the Rapid channel.

Internal TCP/UDP load balancer subsetting (Preview) is available on GKE. With subsetting, GKE clusters using internal load balancer Services can scale beyond 250 nodes. This feature is in Preview for new GKE clusters on version 1.18 and existing clusters on version 1.19. Subsetting removes the current node scale limitations associated with GKE internal TCP/UDP load balancers.

All ports (Preview) is available for internal load balancer Services on GKE. All ports lets you open more than 5 ports on a TCP/UDP load balancer that is being used with GKE. This feature is in Preview for new GKE clusters on version 1.18 and is automatically enabled when subsetting is enabled on the GKE cluster.

March 10, 2021

40 Kubernetes metrics as part of Cloud Operations for GKE are now generally available.

Starting in version 1.19.8-gke.1000, in the Rapid release channel, the --can-ip-forward flag is disabled for all new clusters. Existing VPC-native clusters when upgraded to 1.19.8-gke.1000 will set the --can-ip-forward flag to disabled.

March 05, 2021

(2021-R8) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.17.17-gke.1101 is now available. This version is now the default.
Version 1.17.17-gke.3000 is now available.
Version 1.18.15-gke.1501 is now available.
Version 1.18.16-gke.500 is now available.
Auto-upgrading nodes and control planes upgrade from versions 1.17 and earlier to version 1.17.17-gke.1100 with this release.

Stable channel

Version 1.17.17-gke.1101 is now available in the Stable channel. This version is now the default.
Auto-upgrading nodes and control planes in the Stable channel upgrade from versions 1.17 and earlier to version 1.17.17-gke.1100 with this release.
Version 1.15.12-gke.6002 is no longer available in the Stable channel.
Version 1.16.15-gke.7800 is no longer available in the Stable channel.
Version 1.17.15-gke.800 is no longer available in the Stable channel.

Regular channel

Version 1.18.15-gke.1501 is now available in the Regular channel.
Version 1.18.15-gke.1102 is no longer available in the Regular channel.

Rapid channel

Version 1.19.7-gke.2503 is now available in the Rapid channel. This version is now the default.
Version 1.19.8-gke.1000 is now available in the Rapid channel.
Version 1.20.4-gke.400 is now available in the Rapid channel.
Auto-upgrading nodes and control planes in the Rapid channel upgrade from version 1.19 to version 1.19.7-gke.2503 with this release.
Auto-upgrading nodes and control planes in the Rapid channel upgrade from version 1.20 to version 1.20.4-gke.400 with this release.
Version 1.19.7-gke.1500 is no longer available in the Rapid channel.
Version 1.20.2-gke.2500 is no longer available in the Rapid channel.

March 02, 2021

Starting with GKE version 1.19.7-gke.2000 (minimum GKE node version: 1.18.12- gke.1203, 1.19.6-gke.800), the Compute Engine persistent disk Container Storage Interface (CSI) Driver for Windows (Preview) is available in GKE. This feature allows you to take advantage of the latest persistent disk features without having to manually manage the CSI driver lifecycle. The CSI driver provides access to features such as volume snapshot and volume expansion. For more information, see Using the Compute Engine persistent disk CSI Driver.

The GKE Service Level Agreement now covers the Regular channel for both Standard and Autopilot modes of operation.

February 25, 2021

(2021-R7) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

No channel

Version 1.16.15-gke.7801 is now available.
Version 1.16.15-gke.12500 is now available.
Version 1.17.17-gke.1101 is now available.
Version 1.17.17-gke.2800 is now available.
Version 1.18.16-gke.300 is now available.
Version 1.18.12-gke.1206 is no longer available.
Auto-upgrading control planes automatically upgrade from version 1.18 to version 1.18.12-gke.1210 with this release.
Auto-upgrading nodes automatically upgrade from version 1.18 to version 1.18.12-gke.1210 with this release.

Stable channel

Version 1.16.15-gke.7801 is now available in the Stable channel.
Version 1.17.17-gke.1100 is now available in the Stable channel.
Version 1.17.17-gke.1101 is now available in the Stable channel.

Regular channel

Version 1.18.15-gke.1102 is now available in the Regular channel.
Version 1.18.12-gke-1206 is no longer available in the Regular channel.
Auto-upgrading control planes in the Regular channel automatically upgrade from version 1.18 to version 1.18.12-gke.1210 with this release.
Auto-upgrading nodes in the Regular channel automatically upgrade from version 1.18.12-gke.1210 with this release.

Rapid channel

Version 1.19.7-gke.1500 is the new default version in the Rapid channel.
Version 1.19.7-gke.2503 is now available in the Rapid channel.
Version 1.20.2-gke.2500 is now available in the Rapid cha