Each GKE on AWS release comes with Kubernetes version notes. These are similar to release notes but are specific to a Kubernetes version and might offer more technical detail.
GKE on AWS supports the Kubernetes versions listed in the following sections. If a version isn't included in this file, it's unsupported.
Kubernetes 1.30
1.30.4-gke.400
- Bug Fix: Fixed an issue of a frequent error message "object has been modified" by updating the csi-snapshotter to version 6.3.3.
- Security Fixes:
- Fixed CVE-2023-50387
- Fixed CVE-2023-50868
- Fixed CVE-2024-0553
- Fixed CVE-2024-0567
- Fixed CVE-2024-4603
- Fixed CVE-2024-7348
1.30.3-gke.100
Feature: Added kubeletConfig node system configuration. With this feature, you can specify custom configurations on your node pools, including CPU manager policy, CPU throttling, and process IDs (PIDs).
Feature: The gcloud beta container fleet memberships get-credentials command uses a preview feature of the Connect gateway that lets you run the kubectl attach, cp, and exec commands. For more information, see Limitations in the Connect gateway documentation.
Security Fixes:
- Fixed CVE-2024-21626
- Fixed CVE-2024-7264
- Fixed CVE-2024-26642
- Fixed CVE-2024-26923
Kubernetes 1.29
1.29.8-gke.600
- Bug Fix: Fixed an issue of a frequent error message "object has been modified" by updating the csi-snapshotter to version 6.3.3.
- Security Fixes:
- Fixed CVE-2023-50387
- Fixed CVE-2023-50868
- Fixed CVE-2024-0553
- Fixed CVE-2024-0567
- Fixed CVE-2024-4603
- Fixed CVE-2024-7348
1.29.7-gke.100
- Security Fixes:
- Fixed CVE-2024-7264
- Fixed CVE-2024-26642
- Fixed CVE-2024-26923
1.29.6-gke.600
- Security Fixes
- Fixed CVE-2022-40735
- Fixed CVE-2023-24329
- Fixed CVE-2023-40217
- Fixed CVE-2023-41105
- Fixed CVE-2023-50387
- Fixed CVE-2023-50868
- Fixed CVE-2023-5678
- Fixed CVE-2023-6129
- Fixed CVE-2023-6237
- Fixed CVE-2023-6597
- Fixed CVE-2024-0450
- Fixed CVE-2024-0727
- Fixed CVE-2024-28834
- Fixed CVE-2024-28835
1.29.5-gke.1100
- Security Fixes:
- Fixed CVE-2024-6387
- Fixed CVE-2024-26583
- Fixed CVE-2024-26584
- Fixed CVE-2024-26585
- Fixed CVE-2023-52447
- Fixed CVE-2024-26643
- Fixed CVE-2024-26809
- Fixed CVE-2024-26808
- Fixed CVE-2024-26924
- Fixed CVE-2024-26925
1.29.5-gke.700
- Security Fixes:
- Fixed CVE-2022-3715
- Fixed CVE-2022-48303
- Fixed CVE-2023-2953
- Fixed CVE-2023-39804
- Fixed CVE-2023-4641
- Fixed CVE-2023-47038
- Fixed CVE-2023-52425
- Fixed CVE-2023-5678
- Fixed CVE-2023-5981
- Fixed CVE-2023-6004
- Fixed CVE-2023-6129
- Fixed CVE-2023-6237
- Fixed CVE-2023-6918
- Fixed CVE-2024-0553
- Fixed CVE-2024-0567
- Fixed CVE-2024-0727
- Fixed CVE-2024-0985
- Fixed CVE-2024-22365
- Fixed CVE-2024-2398
- Fixed CVE-2024-28085
- Fixed CVE-2024-28182
- Fixed CVE-2024-28757
- Fixed CVE-2024-28834
- Fixed CVE-2024-28835
1.29.4-gke.200
- Security Fixes:
- Fixed CVE-2023-52620.
- Fixed CVE-2024-1085.
- Fixed CVE-2024-26581.
1.29.3-gke.600
Breaking Change: Starting from Kubernetes 1.29, clusters require outbound HTTPS connectivity to the domain kubernetesmetadata.googleapis.com. Please ensure that your proxy server and/or firewall configuration allows this traffic. You also need to enable the Kubernetes Metadata API, which can be enabled in the Google Cloud console.
Feature: Removed the requirement for connectivity to the domain opsconfigmonitoring.googleapis.com. This domain was previously required for logging and monitoring but is no longer needed for Kubernetes 1.29 and later. You should remove this domain from your firewall and/or proxy server configuration.
Bug Fix: Fixed an issue where the Fluentbit agent becomes unresponsive and stops ingesting logs into Cloud Logging. Added a mechanism to detect and automatically restart the agent when this occurs.
Bug Fix: Fixed an issue with the cluster autoscaler so that it respects user-configured labels and taints on node pools. This enhancement enables accurate scaling up from zero nodes, and enables more precise provisioning of your clusters. This change fixes the following Known issue.
Security Fixes:
- Fixed CVE-2020-29509
- Fixed CVE-2020-29511
- Fixed CVE-2020-29652
- Fixed CVE-2021-29923
- Fixed CVE-2021-31525
- Fixed CVE-2021-33195
- Fixed CVE-2021-33196
- Fixed CVE-2021-33197
- Fixed CVE-2021-33198
- Fixed CVE-2021-34558
- Fixed CVE-2021-36221
- Fixed CVE-2021-38297
- Fixed CVE-2021-38561
- Fixed CVE-2021-39293
- Fixed CVE-2021-41771
- Fixed CVE-2021-41772
- Fixed CVE-2021-43565
- Fixed CVE-2021-44716
- Fixed CVE-2022-1705
- Fixed CVE-2022-1962
- Fixed CVE-2022-21698
- Fixed CVE-2022-23772
- Fixed CVE-2022-23773
- Fixed CVE-2022-23806
- Fixed CVE-2022-24675
- Fixed CVE-2022-24921
- Fixed CVE-2022-27191
- Fixed CVE-2022-27664
- Fixed CVE-2022-28131
- Fixed CVE-2022-28327
- Fixed CVE-2022-2879
- Fixed CVE-2022-2880
- Fixed CVE-2022-29526
- Fixed CVE-2022-30580
- Fixed CVE-2022-30629
- Fixed CVE-2022-30630
- Fixed CVE-2022-30631
- Fixed CVE-2022-30632
- Fixed CVE-2022-30633
- Fixed CVE-2022-30635
- Fixed CVE-2022-32148
- Fixed CVE-2022-32149
- Fixed CVE-2022-32189
- Fixed CVE-2022-41715
- Fixed CVE-2022-41717
- Fixed CVE-2022-41724
- Fixed CVE-2022-41725
- Fixed CVE-2023-24532
- Fixed CVE-2023-24534
- Fixed CVE-2023-24536
- Fixed CVE-2023-24537
- Fixed CVE-2023-24538
- Fixed CVE-2023-24539
- Fixed CVE-2023-24540
- Fixed CVE-2023-29400
- Fixed CVE-2023-29402
- Fixed CVE-2023-29403
- Fixed CVE-2023-29404
- Fixed CVE-2023-29405
Kubernetes 1.28
1.28.13-gke.600
- Bug Fix: Fixed an issue of a frequent error message "object has been modified" by updating the csi-snapshotter to version 6.3.3.
- Security Fixes:
- Fixed CVE-2023-50387
- Fixed CVE-2023-50868
- Fixed CVE-2024-0553
- Fixed CVE-2024-0567
- Fixed CVE-2024-4603
- Fixed CVE-2024-7348
1.28.12-gke.100
- Security Fixes:
- Fixed CVE-2024-26642
- Fixed CVE-2024-26923
1.28.11-gke.600
- Security Fixes
- Fixed CVE-2022-40735
- Fixed CVE-2023-24329
- Fixed CVE-2023-40217
- Fixed CVE-2023-41105
- Fixed CVE-2023-50387
- Fixed CVE-2023-50868
- Fixed CVE-2023-5678
- Fixed CVE-2023-6129
- Fixed CVE-2023-6237
- Fixed CVE-2023-6597
- Fixed CVE-2024-0450
- Fixed CVE-2024-0727
- Fixed CVE-2024-28834
- Fixed CVE-2024-28835
1.28.10-gke.1300
- Security Fixes:
- Fixed CVE-2024-6387
- Fixed CVE-2024-26583
- Fixed CVE-2024-26584
- Fixed CVE-2024-26585
- Fixed CVE-2023-52447
- Fixed CVE-2024-26643
- Fixed CVE-2024-26809
- Fixed CVE-2024-26808
- Fixed CVE-2024-26924
- Fixed CVE-2024-26925
1.28.10-gke.800
- Security Fixes:
- Fixed CVE-2022-3715
- Fixed CVE-2022-48303
- Fixed CVE-2023-2953
- Fixed CVE-2023-39804
- Fixed CVE-2023-4641
- Fixed CVE-2023-47038
- Fixed CVE-2023-52425
- Fixed CVE-2023-5678
- Fixed CVE-2023-5981
- Fixed CVE-2023-6004
- Fixed CVE-2023-6129
- Fixed CVE-2023-6237
- Fixed CVE-2023-6246
- Fixed CVE-2023-6779
- Fixed CVE-2023-6780
- Fixed CVE-2023-6918
- Fixed CVE-2023-7008
- Fixed CVE-2024-0553
- Fixed CVE-2024-0567
- Fixed CVE-2024-0727
- Fixed CVE-2024-0985
- Fixed CVE-2024-22365
- Fixed CVE-2024-2398
- Fixed CVE-2024-28085
- Fixed CVE-2024-28182
- Fixed CVE-2024-28757
- Fixed CVE-2024-28834
- Fixed CVE-2024-28835
1.28.9-gke.400
- Security Fixes:
- Fixed CVE-2023-52620.
- Fixed CVE-2024-1085.
- Fixed CVE-2024-26581.
1.28.8-gke.800
- Bug Fix: Fixed an issue with the cluster autoscaler so that it respects user-configured labels and taints on node pools. This enhancement enables accurate scaling up from zero nodes, and enables more precise provisioning of your clusters. This change fixes the following Known issue.
- Security Fixes:
- Fixed CVE-2020-29509
- Fixed CVE-2020-29511
- Fixed CVE-2020-29652
- Fixed CVE-2021-29923
- Fixed CVE-2021-31525
- Fixed CVE-2021-33195
- Fixed CVE-2021-33196
- Fixed CVE-2021-33197
- Fixed CVE-2021-33198
- Fixed CVE-2021-34558
- Fixed CVE-2021-36221
- Fixed CVE-2021-38297
- Fixed CVE-2021-38561
- Fixed CVE-2021-39293
- Fixed CVE-2021-41771
- Fixed CVE-2021-41772
- Fixed CVE-2021-43565
- Fixed CVE-2021-44716
- Fixed CVE-2022-1705
- Fixed CVE-2022-1962
- Fixed CVE-2022-21698
- Fixed CVE-2022-23772
- Fixed CVE-2022-23773
- Fixed CVE-2022-23806
- Fixed CVE-2022-24675
- Fixed CVE-2022-24921
- Fixed CVE-2022-27191
- Fixed CVE-2022-27664
- Fixed CVE-2022-28131
- Fixed CVE-2022-28327
- Fixed CVE-2022-2879
- Fixed CVE-2022-2880
- Fixed CVE-2022-29526
- Fixed CVE-2022-30580
- Fixed CVE-2022-30629
- Fixed CVE-2022-30630
- Fixed CVE-2022-30631
- Fixed CVE-2022-30632
- Fixed CVE-2022-30633
- Fixed CVE-2022-30635
- Fixed CVE-2022-32148
- Fixed CVE-2022-32149
- Fixed CVE-2022-32189
- Fixed CVE-2022-41715
- Fixed CVE-2022-41717
- Fixed CVE-2022-41724
- Fixed CVE-2022-41725
- Fixed CVE-2023-24532
- Fixed CVE-2023-24534
- Fixed CVE-2023-24536
- Fixed CVE-2023-24537
- Fixed CVE-2023-24538
- Fixed CVE-2023-24539
- Fixed CVE-2023-24540
- Fixed CVE-2023-29400
- Fixed CVE-2023-29402
- Fixed CVE-2023-29403
- Fixed CVE-2023-29404
- Fixed CVE-2023-29405
1.28.7-gke.1700
- Bug Fix: Fixed an issue where the Instance Metadata Service (IMDS) emulator sometimes failed to bind to an IP address on the node. The IMDS emulator enables nodes to securely access AWS EC2 instance metadata.
1.28.5-gke.1200
- Bug Fixes
- Fixed a bug for file descriptor leak in runc (CVE-2024-21626).
- Security Fixes
- Fixed CVE-2023-38039.
- Fixed CVE-2023-46219.
- Fixed CVE-2023-39326.
- Fixed CVE-2023-44487.
- Fixed CVE-2023-45142.
- Fixed CVE-2023-45285.
- Fixed CVE-2023-48795.
- Fixed CVE-2024-0193.
- Fixed CVE-2023-6932.
- Fixed CVE-2023-6931.
- Fixed CVE-2023-6817.
1.28.5-gke.100
- Security Fixes
- Fixed CVE-2022-28948.
- Fixed CVE-2023-29491.
- Fixed CVE-2023-36054.
- Fixed CVE-2023-5363.
- Fixed CVE-2023-47038.
- Fixed CVE-2023-5981.
- Fixed CVE-2023-4806.
- Fixed CVE-2023-4016.
- Fixed CVE-2023-4813.
- Fixed CVE-2022-48522.
- Fixed CVE-2023-46218.
- Fixed CVE-2023-5156.
- Fixed CVE-2023-39804.
- Fixed CVE-2023-5869.
- Fixed CVE-2023-39417.
- Fixed CVE-2023-5868.
- Fixed CVE-2023-5870.
- Fixed GHSA-6xv5-86q9-7xr8.
1.28.3-gke.700
Breaking Change: Starting from Kubernetes 1.28, clusters require outbound HTTPS connectivity to {GCP_LOCATION}-gkemulticloud.googleapis.com. Ensure your proxy server and/or firewall allows for this traffic.
Breaking Change: Starting from Kubernetes 1.28, the Multi-Cloud API service agent role requires a new Iam:getinstanceprofile permission on your AWS project. This permission is used by the Multi-Cloud Service to inspect the instance profiles attached to in-cluster Virtual Machine Instances.
Feature: Added rollback support for AWS node pools that have failed update operations. This allows customers to revert node pools back to their original state.
Feature: Added support for pulling images from private Google Artifact Registry and private Google Container Registry without exported Google Service Account key. The image pull credentials are managed and automatically rotated by Google.
Feature: Removed the need to explicitly add Google IAM bindings for most features.
- No longer need to add any bindings for gke-system/gke-telemetry-agent when creating a cluster.
- No longer need to add any bindings for gmp-system/collector or gmp-system/rule-evaluator when enabling managed data collection for Google Managed Service for Prometheus.
- No longer need to add any bindings for gke-system/binauthz-agent when enabling binary authorization.
Feature: AWS Surge update is now Generally Available. Surge updates allow you to configure the speed and disruption of node pool updates. For more details about how to enable and configure Surge settings on your AWS node pools, see Configure Surge updates of node pools.
Feature: Upgraded the kernel for Ubuntu 22.04 to linux-aws 6.2.
Feature: Added support for creating node pools using the following AWS EC2 instances: G5, I4g, M7a, M7g, M7i, R7g, R7i, and R7iz.
Bug Fix: Improved launch template creation. Tags provided by customers are propagated to instances.
- This change primarily enhances support for IAM policy rules. It specifically addresses rules that prohibit the use of launch templates which don't support tag propagation, even in cases where the associated Auto Scaling Group (ASG) does propagate tags.
- This can be a breaking change, depending on the specifics of the customer's IAM policy regarding tag checks. Therefore, it's important to exercise caution during the upgrade process, as improper handling may leave a cluster in a degraded state.
- Action ec2:CreateTags on resource arn:aws:ec2:*:*:instance/* is required for the Anthos Multi-Cloud API service agent role. Please check https://cloud.google.com/kubernetes-engine/multi-cloud/docs/aws/how-to/create-aws-iam-roles#create_service_agent_role for latest info.
- We suggest customers try creating a throw-away 1.28 cluster and confirm that IAM policies work correctly before attempting to upgrade to 1.28.
Bug Fix: Upgrading a cluster to version 1.28 will clean up obsolete resources that may have been created in older versions (up to 1.25) but are no longer relevant. The following resources in the namespace gke-system are deleted if they exist:
- daemonsets fluentbit-gke-windows and gke-metrics-agent-windows
- configmaps fluentbit-gke-windows-config and gke-metrics-agent-windows-conf
Bug Fix: Enhanced Cloud Logging's ingestion of logs from Anthos clusters on AWS:
- Fixed an issue in timestamp parsing.
- Assigned the correct severity level to the anthos-metadata-agent's error logs.
Security Fixes
- Fixed CVE-2023-3610
- Fixed CVE-2023-3776
- Fixed CVE-2023-3611
- Fixed CVE-2023-5197
- Fixed CVE-2023-44487
- Fixed CVE-2023-39325
- Fixed CVE-2023-4147
- Fixed CVE-2022-1996
- Fixed CVE-2023-47108
- Fixed CVE-2023-45142
- Fixed CVE-2023-29409
- Fixed CVE-2023-3978
- Fixed CVE-2023-39323