This page documents production updates to GKE on AWS. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
February 12, 2025
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
December 20, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
November 07, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
October 01, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
September 05, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
August 26, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-36978
For more details, see the GCP-2024-049 security bulletin.
August 23, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-41009
For more details, see the GCP-2024-048 security bulletin.
August 20, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-39503
For more details, see the GCP-2024-047 security bulletin.
July 31, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
July 18, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26921
For more details, see the GCP-2024-043 security bulletin.
July 17, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26925
For more details, see the GCP-2024-045 security bulletin.
July 16, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-26809
For more information, see the GCP-2024-042 security bulletin.
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2024-36972
For more details, see the GCP-2024-044 security bulletin.
July 10, 2024
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
July 08, 2024
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-52654
- CVE-2023-52656
For more information, see the GCP-2024-041 security bulletin.
July 03, 2024
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability is a race condition in the sshd signal handler that can be exploited to obtain a remote shell, enabling attackers to gain root access. At the time of publication, exploitation is believed to be difficult and to take several hours per machine being attacked. We are not aware of any exploitation attempts. This vulnerability has a Critical severity.
For mitigation steps and more details, see the GCP-2024-040 security bulletin.
December 14, 2023
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
November 14, 2023
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
- CVE-2023-4147
For more information, see the GCP-2023-042 security bulletin.
November 08, 2023
A vulnerability (CVE-2023-4004) has been discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes. For more information, see the GCP-2023-041 security bulletin.
October 30, 2023
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
October 02, 2023
You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:
December 21, 2022
A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. For more information, see the GCP-2022-025 security bulletin.
December 15, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.23.14-gke.1100
- 1.24.8-gke.1300
- 1.25.4-gke.1300
Using the following features with gcloud requires gcloud v413.0.0, scheduled for release in January 2023. You can access these features through the API now:
- Dynamically updating AWS node pool tags
- Enable and update CloudWatch metrics collection on AWS node pools
You can now dynamically update AWS node pool security groups. To do so, your API role must have the ec2:ModifyInstanceAttribute and ec2:DescribeInstances permissions.
You can now dynamically update AWS node pool tags. To do so, your API role must have the autoscaling:CreateOrUpdateTags, autoscaling:DeleteTags, ec2:CreateTags, ec2:DeleteTags, and ec2:DescribeLaunchTemplates permissions.
Elastic File System (EFS) dynamic provisioning is now available in GA for clusters at version 1.25 or later. To use this feature, you must add the following permissions to the control plane role:
- ec2:DescribeAvailabilityZones
- elasticfilesystem:DescribeAccessPoints
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DescribeMountTargets
- elasticfilesystem:CreateAccessPoint
- elasticfilesystem:DeleteAccessPoint
You can now upload workload metrics using Google Managed Service for Prometheus with managed collection to Cloud Monarch. This has been upgraded from a preview feature to GA.
You can now enable and update CloudWatch metrics collection on an AWS node pool's auto scaling group. To use this feature, your API role must have the autoscaling:EnableMetricsCollection and autoscaling:DisableMetricsCollection permissions.
Added a new token manager (gke-token-manager) to generate tokens for control plane components. This eliminates a control-plane component dependency on kube-apiserver, removes the need for RBAC in token generation, and permits logging to begin earlier in the startup cycle.
As a preview feature, Google Cloud Monitoring can now ingest a set of control plane metrics from kube-apiserver, kube-scheduler, kube-controller-manager, and etcd.
Administrators can grant AWS cluster access to all members of a Google Group by granting the required RBAC permission to the group. For details, see Set up the Connect gateway with Google Groups.
Static pods running on the cluster's control plane VMs are now restricted to run as non-root Linux users.
This release fixes the following vulnerabilities:
- CVE-2016-10228
- CVE-2019-19126
- CVE-2019-25013
- CVE-2020-10029
- CVE-2020-16156
- CVE-2020-1752
- CVE-2020-27618
- CVE-2020-6096
- CVE-2021-27645
- CVE-2021-3326
- CVE-2021-33574
- CVE-2021-35942
- CVE-2021-3671
- CVE-2021-3999
- CVE-2021-4037
- CVE-2021-43618
- CVE-2022-0171
- CVE-2022-1184
- CVE-2022-1586
- CVE-2022-1587
- CVE-2022-20421
- CVE-2022-23218
- CVE-2022-23219
- CVE-2022-2602
- CVE-2022-2663
- CVE-2022-2978
- CVE-2022-3061
- CVE-2022-3116
- CVE-2022-3176
- CVE-2022-32221
- CVE-2022-3303
- CVE-2022-35737
- CVE-2022-3586
- CVE-2022-3621
- CVE-2022-3646
- CVE-2022-3649
- CVE-2022-37434
- CVE-2022-3903
- CVE-2022-39188
- CVE-2022-39842
- CVE-2022-40303
- CVE-2022-40304
- CVE-2022-40307
- CVE-2022-40768
- CVE-2022-4095
- CVE-2022-41674
- CVE-2022-41916
- CVE-2022-42010
- CVE-2022-42011
- CVE-2022-42012
- CVE-2022-42719
- CVE-2022-42720
- CVE-2022-42721
- CVE-2022-42722
- CVE-2022-43680
- CVE-2022-43750
- CVE-2022-44638
Fixed an issue in which outdated versions of gke-connect-agent were not always removed after cluster upgrades.
Kubernetes 1.22 versions are no longer supported. To upgrade to a supported version, see Upgrade your AWS cluster version.
Kubernetes version 1.25 deprecates several APIs. For details, see the Kubernetes Deprecated API Migration Guide.
November 10, 2022
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.
For more information, see the GCP-2022-024 security bulletin.
November 03, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.22.15-gke.100
- 1.23.11-gke.300
- 1.24.5-gke.200
Anthos on AWS node pools now include the iptables utility to resolve an issue with the installation of Anthos Service Mesh.
On clusters at version 1.24.3-gke.2200, the IMDS emulator fails to start. This issue is fixed for clusters at version 1.24.5-gke.200 and later.
This release fixes the following vulnerabilities:
- CVE-2021-3999
- CVE-2022-35252
- CVE-2020-35525
- CVE-2020-35527
- CVE-2021-20223
- CVE-2022-40674
- CVE-2022-37434
- CVE-2021-46828
- CVE-2022-2509
- CVE-2022-1586
- CVE-2022-1587
- CVE-2022-1679
- CVE-2022-2795
- CVE-2022-3028
- CVE-2022-38177
- CVE-2022-38178
- CVE-2021-3502
- CVE-2021-44648
- CVE-2021-46829
- CVE-2022-2905
- CVE-2022-3080
- CVE-2022-39190
- CVE-2022-41222
- CVE-2020-8287
- CVE-2022-1184
- CVE-2022-2153
- CVE-2022-39188
- CVE-2022-20422
- CVE-2022-3176
- CVE-2022-3172
- CVE-2022-2602
October 28, 2022
A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
For instructions and more details, see the Anthos clusters on AWS security bulletin.
October 14, 2022
Creating a Kubernetes Service resource with type LoadBalancer and the annotation service.beta.kubernetes.io/aws-load-balancer-type: nlb in a version 1.23 or 1.24 cluster would create a network load balancer whose target group would remain empty. This issue is resolved in the new Kubernetes patch versions 1.23.9-gke.2200 and 1.24.3-gke.2200.
September 29, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.24.3-gke.2100
- 1.23.9-gke.2100
- 1.22.12-gke.2300
Kubernetes 1.21 versions are no longer supported. To upgrade to a supported version, see Upgrade your AWS cluster version.
Creating Arm node pools is now a preview feature. To learn more, see Run Arm workloads in Anthos clusters on AWS.
This release of Anthos Clusters on AWS supports updating your control plane tags on clusters running Kubernetes version 1.24 or later. The required IAM permission changes are described in Supported Kubernetes cluster versions. This entry was added to the release notes on October 4, 2022.
If you have legacy workloads that don't support Workload Identity directly, you can now use the IMDS emulator to access IMDS data. To learn more, see Enable the IMDS emulator.
In Kubernetes version 1.24 and later, Google Cloud Managed Service for Prometheus (GMP) is available as an invite only private preview. GMP lets you monitor and alert on workloads, using Prometheus, without having to manually manage and operate Prometheus at scale.
Anthos clusters on AWS now supports Cloud Monitoring for Windows node pools from Kubernetes version 1.24 and later. To learn more about monitoring in Anthos Clusters on AWS, see Cloud monitoring.
In Kubernetes version 1.24 and later, Anthos clusters on AWS supports EFS dynamic provisioning in preview mode. To use this feature, you must add the following permissions to the control plane role:
- ec2:DescribeAvailabilityZones
- elasticfilesystem:DescribeAccessPoints
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DescribeMountTargets
- elasticfilesystem:CreateAccessPoint
- elasticfilesystem:DeleteAccessPoint
To learn more, see Update your AWS cluster parameters.
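Before turning on a feature that needs new IAM permissions (the EFS control plane role permissions listed in this entry and in the December 15, 2022 entry, or the API role permissions for node pool tag updates listed there), it is worth checking the role's existing policy rather than assuming a wildcard covers it. The following is an added example, not code or documentation from GKE on AWS: it evaluates a policy document against a required action list using IAM's action-matching rules (case-insensitive, `*` and `?` wildcards, explicit Deny overriding Allow). The two policy documents are constructed for illustration. It deliberately ignores Resource, Condition and NotAction, so "granted" here is necessary but not sufficient in a real account.

```python
"""Check whether an AWS IAM policy document grants a list of required actions.

Added example, not GKE on AWS product code. Only the Action field of Allow and
Deny statements is evaluated; Resource, Condition, NotAction and resource-based
policies are ignored (assumption stated in the lead-in).
"""
import json
import re

# Control plane role permissions for EFS dynamic provisioning (from this page).
EFS_CONTROL_PLANE_ACTIONS = [
    "ec2:DescribeAvailabilityZones",
    "elasticfilesystem:DescribeAccessPoints",
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:CreateAccessPoint",
    "elasticfilesystem:DeleteAccessPoint",
]

# API role permissions for dynamic node pool tag updates (from this page).
NODE_POOL_TAG_API_ACTIONS = [
    "autoscaling:CreateOrUpdateTags",
    "autoscaling:DeleteTags",
    "ec2:CreateTags",
    "ec2:DeleteTags",
    "ec2:DescribeLaunchTemplates",
]


def _as_list(value):
    # IAM allows a single string or a list in Statement and Action.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_regex(pattern):
    # IAM matches action names case-insensitively; "*" matches any run of
    # characters and "?" exactly one character.
    escaped = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def _patterns(policy, effect):
    """Action patterns from every statement whose Effect equals `effect`."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            out.extend(_as_list(stmt.get("Action")))
    return out


def evaluate_actions(policy, required):
    """Map each required action to "granted", "denied" or "not allowed".

    An explicit Deny wins over any Allow, as in IAM policy evaluation.
    """
    allows = [_action_regex(p) for p in _patterns(policy, "Allow")]
    denies = [_action_regex(p) for p in _patterns(policy, "Deny")]
    verdicts = {}
    for action in required:
        if any(r.match(action) for r in denies):
            verdicts[action] = "denied"
        elif any(r.match(action) for r in allows):
            verdicts[action] = "granted"
        else:
            verdicts[action] = "not allowed"
    return verdicts


def missing_actions(policy, required):
    """Required actions the policy does not grant, in the order given."""
    verdicts = evaluate_actions(policy, required)
    return [a for a in required if verdicts[a] != "granted"]


# Constructed sample: the role has the EFS Describe* calls and DeleteAccessPoint,
# but an explicit Deny overrides the latter and CreateAccessPoint is absent.
SAMPLE_CONTROL_PLANE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["elasticfilesystem:Describe*",
                "elasticfilesystem:DeleteAccessPoint"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "elasticfilesystem:DeleteAccessPoint",
     "Resource": "*"}
  ]
}
""")

# Constructed sample: tag wildcards cover the tag actions but the role lacks
# ec2:DescribeLaunchTemplates.
SAMPLE_API_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["autoscaling:*Tags", "ec2:*Tags"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    print("control plane role missing:",
          missing_actions(SAMPLE_CONTROL_PLANE_POLICY, EFS_CONTROL_PLANE_ACTIONS))
    print("API role missing:",
          missing_actions(SAMPLE_API_ROLE_POLICY, NODE_POOL_TAG_API_ACTIONS))
```

To run this against a real role, fetch the policy document with the AWS CLI (`aws iam get-policy-version` for managed policies, `aws iam get-role-policy` for inline ones) and pass the parsed JSON to `missing_actions`; check every policy attached to the role, since the actions may be spread across several.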
In Kubernetes version 1.24 and later, the API now validates requests so that inconsistent or erroneous cluster and node pool configurations are rejected.
Go 1.18 stops accepting certificates signed with the SHA-1 hash algorithm by default. Admission and conversion webhooks or aggregated API server endpoints that use these insecure certificates break by default starting from Kubernetes version 1.24.
The environment variable GODEBUG=x509sha1=1 is set in Anthos on AWS clusters as a temporary workaround so that these insecure certificates continue to work. However, the Go team is expected to remove this workaround. Before upgrading to the version that removes it, check that no admission or conversion webhooks or aggregated server endpoints use certificates signed with SHA-1.
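The check the entry above asks for comes down to reading the signatureAlgorithm field of each certificate a webhook or APIService depends on. The following is an added example, not code from the release notes or from GKE on AWS. It parses a PEM or DER certificate only as far as that field and reports whether the signature is SHA-1 based; the certificates it is exercised with are constructed Certificate-shaped DER blobs with placeholder tbsCertificate and signature fields (enough to exercise the parser, not valid certificates). In a cluster you would feed it the caBundle of every ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition conversion webhook and APIService object (base64 PEM in the API object), plus the serving certificate each backend actually presents.

```python
"""Report whether an X.509 certificate's signature algorithm is SHA-1 based.

Added example, not GKE on AWS product code. The OID table is the standard
set from RFC 3279/4055/5758/8410; the fixtures are constructed and are not
valid certificates.
"""
import base64
import re

SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.3.101.112": "Ed25519",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}


def _read_tlv(data, pos):
    """Parse one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]      # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:                       # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Dotted OID from Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _, tbs_end = _read_tlv(der, start)             # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    return _decode_oid(der[oid_start:oid_end])


def pem_to_der(text):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def check_certificate(blob):
    """Return {"algorithm": name, "sha1": bool} for a PEM (str or bytes) or DER (bytes) cert."""
    if isinstance(blob, str):
        blob = blob.encode()
    der = pem_to_der(blob.decode()) if blob.lstrip().startswith(b"-----") else blob
    oid = signature_algorithm_oid(der)
    return {"algorithm": SIGNATURE_ALGORITHMS.get(oid, oid), "sha1": oid in SHA1_OIDS}


# --- constructed fixtures: Certificate-shaped DER, not valid certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(oid):
    """Certificate-shaped DER whose signatureAlgorithm is `oid`; placeholders elsewhere."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                               # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x05, b""))     # OID + NULL params
    sig = _der(0x03, b"\x00" * 201)   # BIT STRING long enough to force long-form lengths
    return _der(0x30, tbs + alg + sig)
```

One caveat when reading the results: Go does not verify the self-signature on a trust anchor, so a SHA-1 self-signed CA sitting in a caBundle is not by itself what breaks. What breaks are serving certificates and intermediates that a CA signed with SHA-1, so check the chain each webhook or aggregated server presents, not only the bundle.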
Anthos Service Mesh doesn't work on Anthos Clusters on AWS when Anthos Service Mesh has the Istio Container Network Interface (CNI) enabled. To use Anthos Service Mesh with this product, disable CNI in Anthos Service Mesh.
This release fixes the following vulnerabilities:
August 29, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.21.14-gke.2900
- 1.22.12-gke.1100
- 1.23.9-gke.800
This release fixes the following vulnerabilities:
August 04, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.23.8-gke.1700
- 1.22.12-gke.200
- 1.21.14-gke.2100
This release fixes the following vulnerabilities:
- CVE-2016-10228.
- CVE-2018-16301.
- CVE-2018-25032.
- CVE-2019-18276.
- CVE-2019-20838.
- CVE-2020-1712.
- CVE-2019-25013.
- CVE-2020-14155.
- CVE-2020-27618.
- CVE-2020-27820.
- CVE-2020-29562.
- CVE-2020-6096.
- CVE-2020-8037.
- CVE-2021-20193.
- CVE-2021-26401.
- CVE-2021-27645.
- CVE-2021-28711.
- CVE-2021-28712.
- CVE-2021-28713.
- CVE-2021-28714.
- CVE-2021-28715.
- CVE-2021-3326.
- CVE-2021-35942.
- CVE-2021-36084.
- CVE-2021-36085.
- CVE-2021-36086.
- CVE-2021-36087.
- CVE-2021-36690.
- CVE-2021-3711.
- CVE-2021-3712.
- CVE-2021-3772.
- CVE-2021-39685.
- CVE-2021-39686.
- CVE-2021-39698.
- CVE-2021-3995.
- CVE-2021-3996.
- CVE-2021-3999.
- CVE-2021-4083.
- CVE-2021-4135.
- CVE-2021-4155.
- CVE-2021-4160.
- CVE-2021-4197.
- CVE-2021-4202.
- CVE-2021-43566.
- CVE-2021-43618.
- CVE-2021-43975.
- CVE-2021-43976.
- CVE-2021-44733.
- CVE-2021-45095.
- CVE-2021-45469.
- CVE-2021-45480.
- CVE-2022-0330.
- CVE-2022-0435.
- CVE-2022-0516.
- CVE-2022-0617.
- CVE-2022-0778.
- CVE-2022-1011.
- CVE-2022-1016.
- CVE-2022-1158.
- CVE-2022-1198.
- CVE-2022-1271.
- CVE-2022-1292.
- CVE-2022-1304.
- CVE-2022-1353.
- CVE-2022-1516.
- CVE-2022-1664.
- CVE-2022-1966.
- CVE-2022-20008.
- CVE-2022-20009.
- CVE-2022-2068.
- CVE-2022-2097.
- CVE-2022-2327.
- CVE-2022-21123.
- CVE-2022-21125.
- CVE-2022-21166.
- CVE-2022-21499.
- CVE-2022-22576.
- CVE-2022-22942.
- CVE-2022-23036.
- CVE-2022-23037.
- CVE-2022-23038.
- CVE-2022-23039.
- CVE-2022-23040.
- CVE-2022-23041.
- CVE-2022-23042.
- CVE-2022-23218.
- CVE-2022-23219.
- CVE-2022-24407.
- CVE-2022-24448.
- CVE-2022-24958.
- CVE-2022-24959.
- CVE-2022-25258.
- CVE-2022-25375.
- CVE-2022-25636.
- CVE-2022-26490.
- CVE-2022-26966.
- CVE-2022-27223.
- CVE-2022-27666.
- CVE-2022-27774.
- CVE-2022-27775.
- CVE-2022-27776.
- CVE-2022-27781.
- CVE-2022-27782.
- CVE-2022-28356.
- CVE-2022-28388.
- CVE-2022-28389.
- CVE-2022-28390.
- CVE-2022-29155.
- CVE-2022-30594.
- CVE-2022-32206.
- CVE-2022-32208.
This list has been updated to include CVE-2022-2327.
August 01, 2022
A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.
For more information, see the GCP-2022-018 security bulletin.
July 13, 2022
You can now launch Kubernetes 1.23 clusters.
Kubernetes 1.23.7-gke.1300 includes the following changes:
- Disable the profiling endpoint (/debug/pprof) by default in kube-scheduler and kube-controller-manager.
- Update kube-apiserver and kubelet to only use strong cryptographic ciphers.
- Add an instance metadata server (IMDS) emulator.
In a future 1.23 release, the VolumeSnapshot v1beta1 API will no longer be served. Update to the VolumeSnapshot v1 API as soon as possible.
You can now launch clusters with the following Kubernetes versions:
- 1.23.7-gke.1300
- 1.22.10-gke.1500
- 1.21.11-gke.1900
In Kubernetes 1.23 and higher, Cloud Audit Logs for clusters are now available and enabled by default.
CIS benchmarks are now available for Kubernetes 1.23 clusters.
This release fixes the following vulnerabilities:
- CVE-2022-1786
- CVE-2022-29582
- CVE-2022-29581
- CVE-2022-1116
Restrictions on IP ranges that can be used for a cluster's Pods and Services are now relaxed. Pod and Service IP ranges can now overlap with VPC's IP ranges, provided they do not intersect the control plane or node pool subnets.
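The relaxed rule above is easy to get wrong by hand when a VPC has several subnets, so the following is an added example (not GKE on AWS product code) that encodes it: the Pod and Service ranges may sit inside the VPC CIDR, but must not intersect any control plane subnet or node pool subnet. It also rejects Pod and Service ranges that overlap each other, a standard Kubernetes requirement the entry does not restate. The VPC layout and subnet values are constructed.

```python
"""Validate proposed Pod and Service IP ranges against a cluster's AWS subnets.

Added example, not GKE on AWS product code. Subnet values are constructed.
"""
import ipaddress


def validate_ip_ranges(pod_cidr, service_cidr, control_plane_subnets, node_pool_subnets):
    """Return a list of problems; an empty list means the ranges are acceptable."""
    problems = []
    try:
        # strict parsing (the default) rejects ranges with host bits set, e.g. 10.0.0.1/20
        pod = ipaddress.ip_network(pod_cidr)
        svc = ipaddress.ip_network(service_cidr)
    except ValueError as exc:
        return [f"malformed range: {exc}"]
    if pod.overlaps(svc):
        problems.append(f"Pod range {pod} overlaps Service range {svc}")
    # Overlap with the VPC CIDR itself is allowed, so it is not checked here;
    # only the subnets the control plane and node pools actually use matter.
    checks = (("control plane subnet", control_plane_subnets),
              ("node pool subnet", node_pool_subnets))
    for label, subnets in checks:
        for cidr in subnets:
            subnet = ipaddress.ip_network(cidr)
            for name, rng in (("Pod range", pod), ("Service range", svc)):
                if rng.overlaps(subnet):
                    problems.append(f"{name} {rng} intersects {label} {subnet}")
    return problems


# Constructed example: VPC 10.0.0.0/16 with three control plane subnets and
# one node pool subnet.
CONTROL_PLANE_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
NODE_POOL_SUBNETS = ["10.0.10.0/24"]

if __name__ == "__main__":
    # Inside the VPC CIDR but clear of every subnet: allowed under the relaxed rule.
    print(validate_ip_ranges("10.0.128.0/17", "10.0.64.0/20",
                             CONTROL_PLANE_SUBNETS, NODE_POOL_SUBNETS))
    # 10.0.0.0/20 covers 10.0.0.0 through 10.0.15.255 and so swallows all four subnets.
    print(validate_ip_ranges("10.0.0.0/20", "10.0.64.0/20",
                             CONTROL_PLANE_SUBNETS, NODE_POOL_SUBNETS))
```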
June 23, 2022
Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. For more information, refer to the GCP-2022-016 security bulletin.
June 06, 2022
You can now launch clusters with the following Kubernetes versions:
- 1.21.11-gke.1800
- 1.22.8-gke.2100
Windows nodes on 1.22.8-gke.2100 now use pigz to improve image layer extraction performance.
May 09, 2022
You can now launch clusters with Kubernetes versions 1.21.11-gke.1100 and 1.22.8-gke.1300
In 1.22.8-gke.1300, fixed an issue where add ons cannot be applied when Windows node pools are enabled.
In 1.22.8-gke.1300, fixed an issue where logging agent could fill up attached disk space.
These releases include the following role-based access control (RBAC) changes:
- Scoped down anet-operator permissions for Lease updates.
- Scoped down anetd DaemonSet permissions for Nodes and Pods.
- Scoped down fluentbit-gke permissions for service account tokens.
- Scoped down gke-metrics-agent permissions for service account tokens.
- Scoped down coredns-autoscaler permissions for Nodes, ConfigMaps, and Deployments.
These releases fix the following CVEs:
- CVE-2022-1055
- CVE-2022-0886
- CVE-2022-0492
- CVE-2022-24769
April 26, 2022
Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666 have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.
April 13, 2022
Anthos Clusters on AWS now supports Kubernetes versions 1.22.8-gke.200 and 1.21.11-gke.100. For more information, see the open source release notes for Kubernetes 1.22.8 and Kubernetes 1.21.11.
Kubernetes 1.22 removes support for several deprecated v1beta1 APIs. Before upgrading your clusters to v1.22, you must upgrade your workloads to use the stable v1 APIs and confirm their compatibility with v1.22. For more information, see Kubernetes 1.22 Deprecated APIs.
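The removals this entry warns about for 1.22, and the ones the December 15, 2022 entry points to for 1.25, are both easiest to catch by scanning the manifests you apply before the upgrade. The following is an added example, not code from the release notes or from GKE on AWS. Its table is the set of beta APIs removed in upstream Kubernetes 1.22 and 1.25, plus the VolumeSnapshot v1beta1 entry that the July 13, 2022 entry says a later 1.23 release stops serving. It reads only the top-level apiVersion, kind and metadata.name of each YAML document with best-effort regular expressions, so it needs no YAML library; the manifests it scans are constructed.

```python
"""Scan Kubernetes manifests for API versions removed by a target release.

Added example, not GKE on AWS product code. The VolumeSnapshot entry is
included per this page's July 13, 2022 entry; the others are upstream
1.22 and 1.25 removals. Sample manifests are constructed.
"""
import re

REMOVED_APIS = {}  # (apiVersion, kind) -> ((major, minor), replacement)


def _removed(version, old, new, *kinds):
    for kind in kinds:
        REMOVED_APIS[(old, kind)] = (version, new)


_removed((1, 22), "admissionregistration.k8s.io/v1beta1", "admissionregistration.k8s.io/v1",
         "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration")
_removed((1, 22), "apiextensions.k8s.io/v1beta1", "apiextensions.k8s.io/v1", "CustomResourceDefinition")
_removed((1, 22), "apiregistration.k8s.io/v1beta1", "apiregistration.k8s.io/v1", "APIService")
_removed((1, 22), "authentication.k8s.io/v1beta1", "authentication.k8s.io/v1", "TokenReview")
_removed((1, 22), "authorization.k8s.io/v1beta1", "authorization.k8s.io/v1", "SubjectAccessReview",
         "LocalSubjectAccessReview", "SelfSubjectAccessReview", "SelfSubjectRulesReview")
_removed((1, 22), "certificates.k8s.io/v1beta1", "certificates.k8s.io/v1", "CertificateSigningRequest")
_removed((1, 22), "coordination.k8s.io/v1beta1", "coordination.k8s.io/v1", "Lease")
_removed((1, 22), "extensions/v1beta1", "networking.k8s.io/v1", "Ingress")
_removed((1, 22), "networking.k8s.io/v1beta1", "networking.k8s.io/v1", "Ingress", "IngressClass")
_removed((1, 22), "rbac.authorization.k8s.io/v1beta1", "rbac.authorization.k8s.io/v1",
         "ClusterRole", "ClusterRoleBinding", "Role", "RoleBinding")
_removed((1, 22), "scheduling.k8s.io/v1beta1", "scheduling.k8s.io/v1", "PriorityClass")
_removed((1, 22), "storage.k8s.io/v1beta1", "storage.k8s.io/v1",
         "CSIDriver", "CSINode", "StorageClass", "VolumeAttachment")
_removed((1, 23), "snapshot.storage.k8s.io/v1beta1", "snapshot.storage.k8s.io/v1", "VolumeSnapshot")
_removed((1, 25), "batch/v1beta1", "batch/v1", "CronJob")
_removed((1, 25), "discovery.k8s.io/v1beta1", "discovery.k8s.io/v1", "EndpointSlice")
_removed((1, 25), "events.k8s.io/v1beta1", "events.k8s.io/v1", "Event")
_removed((1, 25), "autoscaling/v2beta1", "autoscaling/v2", "HorizontalPodAutoscaler")
_removed((1, 25), "policy/v1beta1", "policy/v1", "PodDisruptionBudget")
_removed((1, 25), "policy/v1beta1", "none; migrate to Pod Security Admission", "PodSecurityPolicy")
_removed((1, 25), "node.k8s.io/v1beta1", "node.k8s.io/v1", "RuntimeClass")

# Top-level keys only (column 0); metadata.name is the first indented name: under metadata.
_API_VERSION = re.compile(r"^apiVersion:[ \t]*['\"]?([^\s'\"#]+)", re.M)
_KIND = re.compile(r"^kind:[ \t]*['\"]?([^\s'\"#]+)", re.M)
_NAME = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+\S[^\n]*\n)*?[ \t]+name:[ \t]*['\"]?([^\s'\"#]+)", re.M)


def _parse_version(text):
    major, minor = text.lstrip("v").split(".")[:2]
    return int(major), int(minor)


def scan_manifests(yaml_text, target_version):
    """List resources whose (apiVersion, kind) is no longer served at target_version."""
    target = _parse_version(target_version)
    findings = []
    for index, doc in enumerate(re.split(r"^---[ \t]*$", yaml_text, flags=re.M)):
        av, kind = _API_VERSION.search(doc), _KIND.search(doc)
        if not (av and kind):
            continue
        entry = REMOVED_APIS.get((av.group(1), kind.group(1)))
        if entry and entry[0] <= target:
            name = _NAME.search(doc)
            findings.append({
                "document": index,
                "name": name.group(1) if name else "<unnamed>",
                "apiVersion": av.group(1),
                "kind": kind.group(1),
                "removed_in": "%d.%d" % entry[0],
                "replacement": entry[1],
            })
    return findings


# Constructed sample: one 1.22 removal, two 1.25 removals, one resource that is fine.
SAMPLE_MANIFESTS = """\
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: nightly-report
spec:
  schedule: "0 2 * * *"
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  labels:
    app: web
  name: web
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: web-pdb
"""

if __name__ == "__main__":
    for target in ("1.22", "1.25"):
        for f in scan_manifests(SAMPLE_MANIFESTS, target):
            print(target, f["kind"], f["name"], f["apiVersion"], "->", f["replacement"])
```

Scanning manifests catches what you deploy, not what is already in the cluster or what client code requests; for the latter, the apiserver's `apiserver_requested_deprecated_apis` metric and the audit logs show which deprecated versions are still being called.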
When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.
As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.8.
You can now set the autoscaler's minimum node count to zero.
This release of Anthos Clusters on AWS improves your ability to update your cluster configuration, including
- control plane security group IDs
- control plane proxy
- control plane and node pool SSH
- node pool security group IDs
- node pool root volume
- node pool encryption
- node pool proxy
You can now view the most common asynchronous cluster and node pool boot errors in the long-running operation error field.
As a preview feature, you can now configure nodes to be dedicated hosts.
To create new 1.22 clusters, you need to add the ec2:GetConsoleOutput permission to your Anthos Multi-Cloud API role.
This release fixes the following security issues:
A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects Anthos Clusters on AWS running Kubernetes version 1.21 on Ubuntu.
For more information, see the GCP-2022-012 security bulletin.
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.
For more information, see the GCP-2022-013 security bulletin.
Anthos Clusters on AWS now sets the default instance type to m5.large when you create a new cluster or node pool. The previous default instance type was t3.medium.
March 21, 2022
Anthos clusters on AWS now supports clusters in the ap-southeast-2 region. For more information, see Supported regions.
February 22, 2022
Kubernetes version 1.21.6-gke.1500 is now available. For more information, see the Kubernetes OSS release notes.
You can now launch clusters in the ap-northeast-1 and sa-east-1 AWS regions.
Fixed CVE-2021-4154, see GCP-2022-002 for more details.
Fixed CVE-2022-0185, see GCP-2022-002 for more details.
February 04, 2022
A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc, as governed by a policy.
Anthos clusters on AWS is unaffected.
For instructions and more details, see the GCP-2022-004 security bulletin.
December 02, 2021
Anthos on AWS is now generally available through the Multi-Cloud API.
With the latest release, we've simplified installation and streamlined our cluster management technology. You can now use a single API for full lifecycle management of Anthos clusters running in AWS or Azure. This release introduces gcloud command groups for deploying Anthos clusters in AWS, Azure, and Google Cloud. Clusters you create in other clouds appear in the Google Cloud Console, creating a centralized management view complete with cluster telemetry and logging.
The Multi-Cloud API authenticates with each cloud using a service account or application registration, and allows clusters to be deployed on existing or newly created VPCs. It supports multiple instance types in each cloud across multiple regions. As a reminder, Anthos clusters on Azure or AWS integrate with each respective cloud's KMS, storage facilities, and load balancing.
Anthos on AWS is available today, with either subscription or pay-as-you-go pricing.
You can now create, update, and delete clusters on AWS with the gcloud tool. Read more about our Multi-Cloud API.
Automatic Container monitoring and system logging with Cloud Logging and Cloud Monitoring.
Built-in Connect Gateway Support.
You can now authenticate for cluster management functions with Google Cloud identities.
Clusters now use Dataplane V2 by default.
Clusters now use Workload Identity by default.