The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.
You can also see and filter all release notes in the Google Cloud console or you can programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
April 23, 2025
BigQueryYou can now set a maximum slot limit for a reservation. You can configure the maximum reservation size when creating or updating a reservation. This feature is in public preview.
You can now specify which reservation a query uses at runtime, and set IAM policies directly on reservations. This provides more flexibility and fine-grained control over resource management. This feature is in public preview.
You can now allocate idle slots fairly across reservations within a single admin project. This ensures each reservation receives an approximately equal share of available capacity. This feature is in public preview.
Cloud Billing supports Dark theme in the Google Cloud console (in preview)
Dark theme is now available in the Billing section of the Google Cloud console (preview). To enable the Dark theme, in the Google Cloud console, click Settings > Preferences > Appearance. Choose Dark theme and click Save.
April 22, 2025
Apigee Integrated PortalOn April 22, 2025 we released a new version of the Apigee integrated portal.
This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.
Leveraging Google Cloud console components provides API providers and Portal Admins with a centralized platform to efficiently configure, publish, and manage your API consumer portals, eliminating the need to switch between different UIs.
No new APIs have been introduced in this release.
See Publishing overview to get started.
You can now specify build dependencies in your build configuration file. For more information, see Manage build dependencies.
Cloud KMS with Autokey is now in General Availability (GA) for Cloud Run.
Public Preview: General purpose C4D machine types have reached Public Preview. C4D is powered by the fifth generation AMD EPYC processor (Turin) and Google Titanium.
C4D is designed to run mission critical workloads including web app and game servers, AI inference, web serving, video streaming, and data centric applications like analytics, relational, and in-memory databases.
C4D is available in standard, highmem, and highcpu machine types and only supports Google Cloud Hyperdisk storage.
To learn where to create C4D instances, see the Regions and zones page.
Release 6.3
- Cortex for Meridian.
- Cortex Framework for Meridian, Google's open-source Marketing Mix Modeling (MMM) tool (v1.0.5), delivers ready data models and automation of Meridian Model execution using Google Cloud tools like Enterprise Colab and Cloud Workflows.
- This integration empowers users to make data-driven marketing decisions by providing accurate campaign performance measurement and budget optimization.
- Cortex for Meridian simplifies the pre-modeling process by gathering and transforming data from core Cortex Framework data sources, including:
- Task Dependent DAGs:
- Provided out-of-the-box, recommended DAGs and task dependencies for SAP ECC/S4 reporting.
- Enabled the creation and deployment of customized task-dependent reporting settings for all data sources.
- CATGAP has been deprecated.
- SAP Machine Learning (ML) models have been deprecated.
- Resolved duplicate entries from
VendorsMD - Fixed DATE_ADD overflow issue in
InventoryByPlant. - Fixed mislabeled columns in
AccountingDocumentsReceivable. - Addressed JSON parsing errors related to FLOAT numbers in Meta Raw to DAG Change Data Capture (CDC).
- Fixed a typo in the
LeadsCaptureConversionsSalesforce (SFDC) reporting table:LeadFirstResponeDatestampcorrected toLeadFirstResponseDatestamp.
Dataproc Metastore multi-regional services now support the use of customer-managed encryption keys (CMEKs) -- (in preview).
Committed use discounts are now generally available (GA) for Firestore in exchange for a commitment to continuously spend a certain amount on Firestore read/write/delete operations for one year or three years. For details, see Committed use discounts.
Committed use discounts are now generally available (GA) for Firestore in Datastore mode in exchange for a commitment to continuously spend a certain amount on read/write/delete operations for one year or three years. For details, see Committed use discounts.
The following parser documentation is now available:
Collect Barracuda Email Security Gateway logs
Collect CrowdStrike Falcon logs in CEF
Collect Juniper NetScreen Firewall logs
Collect Micro Focus NetIQ Access Manager logs
Collect Aruba Wireless Controller and Access Point logs
Collect BeyondTrust Secure Remote Access logs
Collect CyberArk Privileged Threat Analytics logs
Collect Fortinet FortiMail logs
Collect Sophos XG Firewall logs
Collect Cisco Stealthwatch logs
Collect Cisco Umbrella audit logs
Collect Cisco Umbrella DNS logs
Collect Cisco Umbrella Web Proxy logs
Collect CommVault Backup and Recovery logs
Collect Fortinet FortiAnalyzer logs
Collect Fortinet FortiAuthenticator logs
Collect Fortinet Firewall logs
Collect Palo Alto Networks Traps logs
Collect SecureAuth Identity Platform logs
Collect A10 Network Load Balancer logs
Collect AlgoSec Security Management logs
Collect Arbor Edge Defense logs
Collect Fortra Digital Guardian DLP logs
The following parser documentation is now available:
Collect Barracuda Email Security Gateway logs
Collect CrowdStrike Falcon logs in CEF
Collect Juniper NetScreen Firewall logs
Collect Micro Focus NetIQ Access Manager logs
Collect Aruba Wireless Controller and Access Point logs
Collect BeyondTrust Secure Remote Access logs
Collect CyberArk Privileged Threat Analytics logs
Collect Fortinet FortiMail logs
Collect Sophos XG Firewall logs
Collect Cisco Stealthwatch logs
Collect Cisco Umbrella audit logs
Collect Cisco Umbrella DNS logs
Collect Cisco Umbrella Web Proxy logs
Collect CommVault Backup and Recovery logs
Collect Fortinet FortiAnalyzer logs
Collect Fortinet FortiAuthenticator logs
Collect Fortinet Firewall logs
Collect Palo Alto Networks Traps logs
Collect SecureAuth Identity Platform logs
Collect A10 Network Load Balancer logs
Collect AlgoSec Security Management logs
Collect Arbor Edge Defense logs
Collect Fortra Digital Guardian DLP logs
The Looker Mobile (Legacy) application will be deprecated on March 1, 2026. Use the Looker application instead.
Looker (Google Cloud core) now supports Google group mirroring when using OAuth authentication.
Memorystore for Valkey supports storing and querying vector data. This feature is now Generally Available (GA). For more information, see About vector search.
April 21, 2025
App Engine flexible environment PythonPython 3.13 is now available in Preview.
Python 3.13 is now available in Preview.
There is a new committed use discount (CUD) for customers using Backup and DR Service to protect Oracle databases into a backup vault. This is a way to lower backup costs in consideration of a 1-year or 3-year commitment. You can purchase CUDs from Google Cloud Marketplace via the standard process.
Introduced logging and alerting capabilities to monitor the health and status of your backup/recovery appliances. You can configure email notifications via Cloud Logging to receive timely alerts on appliance status changes or potential issues.
Backup and DR Service now supports backup and restore of Db2 databases using persistent disk snapshots. This is typically faster and simpler than previous methods and in some cases may also reduce costs.
These issues have been fixed:
- An issue in which multiple snapshot/Direct OnVault jobs became stuck in an unresponsive state after attempting to connect to vCenter with an openssl command.
- An issue in which database persistent disk snapshot backup jobs failed with the unhelpful error message
resource not foundnow has a useful error message. - An issue in which Log explorer was showing some spurious "read error, check permissions" results on backup/recovery appliances.
- An issue in which a backup/recovery appliance could come out of synchronization with a management console following a
Trying to release lockorFailed to acquire lockerror. - A rare issue in which a backup/recovery appliance became unresponsive after a very heavy load exhausted all job threads and /var/log/ was 100% full. Thread management is now more efficient.
- An issue in which persistent disk database snapshot images were failing to import log backups, and the recovery range was missing on imported backups.
- An issue in which some backups of PostgreSQL version 15 failed due to a premature timeout.
- An issue in which some mount jobs failed if the host's lvmconfig has global/system_id_source set to
uname. - An issue in which database names provided in mount screen were not honored correctly when creating child applications on the target host.
- The
Staging disk is fullerror message has been made more useful.
Vulnerabilities CVE-2024-42301, CVE-2024-42284, and CVE-2024-41092 have been fixed at kernel version 4.18.0-553.33.1.el8_10.
Introduced management console events for the Appliance Connectivity Events and Dynamic Protection Events.
A weekly digest of client library updates from across the Cloud SDK.
Node.js
Changes for @google-cloud/bigquery
7.9.4 (2025-04-02)
Bug Fixes
BigQuery now provides spend-based committed use discounts (CUDs). Spend-based committed use discounts provide a discount in exchange for your commitment to spend a minimum amount per hour on PAYG compute resources listed here. You can purchase CUDs with a one or three year commitment period.
You can now enable fine-grained access control on BigQuery metastore Iceberg tables. This feature is generally available (GA).
You can get the required permissions to use BigQuery data preparation through the BigQuery Studio User (roles/bigquery.studioUser) and Gemini for Google Cloud User (roles/cloudaicompanion.user) roles, and permission to access the data you're preparing.
BigQuery data preparation no longer requires that you have the permissions granted by the following IAM roles:
- BigQuery Data Editor (
roles/bigquery.dataEditor) - Service Usage Consumer (
roles/serviceusage.serviceUsageConsumer)
For more information about the required roles, see Manage data preparations.
A weekly digest of client library updates from across the Cloud SDK.
Python
Changes for google-cloud-bigtable
2.30.1 (2025-04-17)
Bug Fixes
A weekly digest of client library updates from across the Cloud SDK.
Python
Changes for google-cloud-logging
3.12.0 (2025-04-10)
Features
- Add REST Interceptors which support reading metadata (681bcc5)
- Add support for opt-in debug logging (681bcc5)
- Added flushes/close functionality to logging handlers (#917) (d179304)
Bug Fixes
- Allow protobuf 6.x (#977) (6757890)
- deps: Require google-cloud-audit-log >= 0.3.1 (#979) (1cc00ec)
- Fix typing issue with gRPC metadata when key ends in -bin (681bcc5)
Documentation
Support for the Python 3.13 runtime is now in Preview.
Cloud Run functions now supports the Python 3.13 runtime at the Preview release level.
The notebook gallery is now available.
The notebook gallery is a curated collection of notebooks to help you get started using Colab Enterprise. This collection consists of ready-to-use templates and examples to make it easier to learn new techniques, understand best practices, and get projects started quickly. Browse the notebooks by category or use the search bar to find a notebook that helps you get started. See the notebook gallery.
Generally available: Compute flexible committed use discounts (CUDs) are available for the sole-tenancy premium that you pay for eligible sole-tenant node types. Flexible CUDs add flexibility to your Compute Engine spending capabilities by eliminating the need to restrict your commitments to a single project, region, or machine series.
For more information, see Compute flexible CUDs.
A weekly digest of client library updates from across the Cloud SDK.
Go
Changes for dataflow/apiv1beta3
0.10.6 (2025-04-15)
Bug Fixes
- dataflow: Update google.golang.org/api to 0.229.0 (3319672)
A weekly digest of client library updates from across the Cloud SDK.
Python
Changes for google-cloud-datastore
2.21.0 (2025-04-10)
Features
- Add REST Interceptors which support reading metadata (7be9c4c)
- Add support for opt-in debug logging (7be9c4c)
Bug Fixes
Curated Detections has been enhanced with new detection content for Cloud Threats to include rule packs covering Office 365 and Okta. These rule packs are in public preview for customers with a Google Security Operations or Enterprise Plus license.
Curated Detections has been enhanced with new detection content for Cloud Threats to include rule packs covering Office 365 and Okta. These rule packs are in public preview for customers with a Google Security Operations or Enterprise Plus license.
Network Analyzer includes an insight that indicates if a GKE cluster's pod CIDR range isn't included in the ip-masq-agent ConfigMap. For more information, see GKE IP masquerade configuration insights.
The Execution: Ingress Nightmare Vulnerability Execution detector of Container Threat Detection is in Preview.
April 20, 2025
Google SecOps SOARRelease 6.3.43 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
April 19, 2025
Google SecOps SOARRelease 6.3.42 is now available for all regions. is now available for all regions.
April 18, 2025
Developer ConnectThe ability to use Git proxy for Git calls to your SCM connections is now generally available.
Parallel file systems for HPC workloads: Added guidance about Google Cloud Managed Lustre.
(2025-R15) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.14-gke.1132000
- 1.29.15-gke.1017000
- 1.29.15-gke.1058000
- 1.29.15-gke.1108000
- 1.29.15-gke.1134000
- 1.30.10-gke.1145000
- 1.30.10-gke.1227000
- 1.30.10-gke.1227001
- 1.30.11-gke.1008001
- 1.30.11-gke.1072000
- 1.30.11-gke.1093000
- 1.31.5-gke.1169001
- 1.31.5-gke.1233001
- 1.31.6-gke.1020001
- 1.31.6-gke.1064000
- 1.31.6-gke.1099000
- 1.31.6-gke.1140000
- 1.31.6-gke.1221000
- 1.31.6-gke.1221001
- 1.31.7-gke.1013001
- 1.31.7-gke.1112000
- 1.31.7-gke.1149000
- 1.32.2-gke.1182001
- 1.32.2-gke.1182002
- 1.32.2-gke.1297001
- 1.32.2-gke.1400003
- 1.32.2-gke.1652000
- 1.32.2-gke.1652003
- 1.32.3-gke.1057001
- 1.32.3-gke.1170000
- 1.32.3-gke.1440000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182003 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
Regular channel
- Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.30.10-gke.1022000
- 1.31.6-gke.1020000
- 1.31.6-gke.1064000
- 1.32.1-gke.1357001
- 1.32.2-gke.1182001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.31.6-gke.1064001 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
Stable channel
- Version 1.31.6-gke.1064001 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.29.13-gke.1109000
- 1.30.9-gke.1127000
- 1.30.9-gke.1201000
- 1.30.10-gke.1022000
- 1.31.5-gke.1169000
- 1.31.5-gke.1233000
- 1.31.6-gke.1020000
- 1.31.6-gke.1064000
- 1.32.2-gke.1182001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
Extended channel
- Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2451000
- 1.27.16-gke.2477000
- 1.27.16-gke.2528000
- 1.27.16-gke.2573000
- 1.27.16-gke.2650000
- 1.28.15-gke.1844000
- 1.28.15-gke.1881000
- 1.28.15-gke.1940000
- 1.28.15-gke.2003000
- 1.28.15-gke.2097000
- 1.30.10-gke.1022000
- 1.31.6-gke.1020000
- 1.31.6-gke.1064000
- 1.32.1-gke.1357001
- 1.32.2-gke.1182001
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.27.16-gke.2595000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2027000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
No channel
- Version 1.32.2-gke.1182003 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.29.13-gke.1109000
- 1.29.14-gke.1132000
- 1.29.15-gke.1017000
- 1.29.15-gke.1058000
- 1.29.15-gke.1108000
- 1.29.15-gke.1134000
- 1.30.9-gke.1046000
- 1.30.9-gke.1201000
- 1.30.10-gke.1022000
- 1.30.10-gke.1145000
- 1.30.10-gke.1227000
- 1.30.10-gke.1227001
- 1.30.11-gke.1008001
- 1.30.11-gke.1072000
- 1.30.11-gke.1093000
- 1.31.5-gke.1169000
- 1.31.5-gke.1169001
- 1.31.5-gke.1233000
- 1.31.5-gke.1233001
- 1.31.6-gke.1020001
- 1.31.6-gke.1064000
- 1.31.6-gke.1099000
- 1.31.6-gke.1140000
- 1.31.6-gke.1221000
- 1.31.6-gke.1221001
- 1.31.7-gke.1013001
- 1.31.7-gke.1112000
- 1.31.7-gke.1149000
- 1.32.1-gke.1729000
- 1.32.2-gke.1182002
- 1.32.2-gke.1297001
- 1.32.2-gke.1400003
- 1.32.2-gke.1652000
- 1.32.2-gke.1652003
- 1.32.3-gke.1057001
- 1.32.3-gke.1170000
- 1.32.3-gke.1440000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
(2025-R15) Version updates
- Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.14-gke.1132000
- 1.29.15-gke.1017000
- 1.29.15-gke.1058000
- 1.29.15-gke.1108000
- 1.29.15-gke.1134000
- 1.30.10-gke.1145000
- 1.30.10-gke.1227000
- 1.30.10-gke.1227001
- 1.30.11-gke.1008001
- 1.30.11-gke.1072000
- 1.30.11-gke.1093000
- 1.31.5-gke.1169001
- 1.31.5-gke.1233001
- 1.31.6-gke.1020001
- 1.31.6-gke.1064000
- 1.31.6-gke.1099000
- 1.31.6-gke.1140000
- 1.31.6-gke.1221000
- 1.31.6-gke.1221001
- 1.31.7-gke.1013001
- 1.31.7-gke.1112000
- 1.31.7-gke.1149000
- 1.32.2-gke.1182001
- 1.32.2-gke.1182002
- 1.32.2-gke.1297001
- 1.32.2-gke.1400003
- 1.32.2-gke.1652000
- 1.32.2-gke.1652003
- 1.32.3-gke.1057001
- 1.32.3-gke.1170000
- 1.32.3-gke.1440000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182003 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
(2025-R15) Version updates
- Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.30.10-gke.1022000
- 1.31.6-gke.1020000
- 1.31.6-gke.1064000
- 1.32.1-gke.1357001
- 1.32.2-gke.1182001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.31.6-gke.1064001 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
(2025-R15) Version updates
- Version 1.31.6-gke.1064001 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.29.13-gke.1109000
- 1.30.9-gke.1127000
- 1.30.9-gke.1201000
- 1.30.10-gke.1022000
- 1.31.5-gke.1169000
- 1.31.5-gke.1233000
- 1.31.6-gke.1020000
- 1.31.6-gke.1064000
- 1.32.2-gke.1182001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
(2025-R15) Version updates
- Version 1.32.2-gke.1182003 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2451000
- 1.27.16-gke.2477000
- 1.27.16-gke.2528000
- 1.27.16-gke.2573000
- 1.27.16-gke.2650000
- 1.28.15-gke.1844000
- 1.28.15-gke.1881000
- 1.28.15-gke.1940000
- 1.28.15-gke.2003000
- 1.28.15-gke.2097000
- 1.30.10-gke.1022000
- 1.31.6-gke.1020000
- 1.31.6-gke.1064000
- 1.32.1-gke.1357001
- 1.32.2-gke.1182001
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.27.16-gke.2595000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.2027000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
(2025-R15) Version updates
- Version 1.32.2-gke.1182003 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.29.13-gke.1109000
- 1.29.14-gke.1132000
- 1.29.15-gke.1017000
- 1.29.15-gke.1058000
- 1.29.15-gke.1108000
- 1.29.15-gke.1134000
- 1.30.9-gke.1046000
- 1.30.9-gke.1201000
- 1.30.10-gke.1022000
- 1.30.10-gke.1145000
- 1.30.10-gke.1227000
- 1.30.10-gke.1227001
- 1.30.11-gke.1008001
- 1.30.11-gke.1072000
- 1.30.11-gke.1093000
- 1.31.5-gke.1169000
- 1.31.5-gke.1169001
- 1.31.5-gke.1233000
- 1.31.5-gke.1233001
- 1.31.6-gke.1020001
- 1.31.6-gke.1064000
- 1.31.6-gke.1099000
- 1.31.6-gke.1140000
- 1.31.6-gke.1221000
- 1.31.6-gke.1221001
- 1.31.7-gke.1013001
- 1.31.7-gke.1112000
- 1.31.7-gke.1149000
- 1.32.1-gke.1729000
- 1.32.2-gke.1182002
- 1.32.2-gke.1297001
- 1.32.2-gke.1400003
- 1.32.2-gke.1652000
- 1.32.2-gke.1652003
- 1.32.3-gke.1057001
- 1.32.3-gke.1170000
- 1.32.3-gke.1440000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.6-gke.1064001 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.32 to version 1.32.2-gke.1182003 with this release.
Chrome Enterprise Threats Category
This feature is currently in Preview.
Google SecOps has introduced a new detection category, Chrome Enterprise Threats, as part of the Curated Detections feature. This category provides rule sets for extension and browser threats. For more information, see Overview of Chrome Enterprise Threats Category.
Chrome Enterprise Threats Category
This feature is currently in Preview.
Google SecOps has introduced a new detection category, Chrome Enterprise Threats, as part of the Curated Detections feature. This category provides rule sets for extension and browser threats. For more information, see Overview of Chrome Enterprise Threats Category.
You can now manage backups for Memorystore for Valkey instances. This feature is Generally Available (GA).
Oracle Database@Google Cloud now lets you provision the Exadata Infrastructure instances with the new model X11M. This feature is generally available (GA). See Create Exadata Infrastructure instances.
The ability of Event Threat Detection to analyze foundational log sources is generally available (GA).
April 17, 2025
BigQueryYou can now use BigQuery DataFrames version 2.0, which makes security and performance improvements to the BigQuery DataFrames API, adds new features, and introduces breaking changes.
You can use partial ordering mode in BigQuery DataFrames to generate efficient queries. This feature is generally available (GA).
A new Cloud Composer release has started on April 17, 2025. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.
Airflow 2.10.5 is available in Cloud Composer.
Database retention policy is now enabled by default in Google Cloud console and remains disabled in Google Cloud CLI, API, and Terraform.
This feature helps to maintain the Airflow database size. You can enable or disable the database retention policy or adjust the retention period for new and existing environments.
The default environment's service account setting is gradually removed in Cloud Composer. After the change, you'll need to explicitly specify a service account when you create a new Cloud Composer environment. For more information about addressing the change, see the eariler announcement of this change.
In this release, the change is rolling out to the following regions: africa-south1, asia-northeast2, asia-south2, australia-southeast2, europe-north2, europe-southwest1, europe-west8, europe-west10, europe-west12, me-central1, me-central2, me-west1, northamerica-northeast2, northamerica-south1, southamerica-west1, us-east7, and us-south1. It will be rolled out to more regions in future releases.
Cloud Composer 2 environments now always use the environment's service account for performing PyPI packages installations:
- Existing Cloud Composer 2 environments that previously used the default Cloud Build service account now use the environment's service account instead.
- Cloud Composer 2 environments created in versions 2.10.2 and later already have this change.
- Cloud Composer 3 environments already use the environment's service account, and are not affected by this change.
- This change is gradually rolled out to all regions supported by Cloud Composer 2.
Cloud Composer now detects situations when asynchronous tasks are blocked in Airflow triggerers. If a trigger's execution is blocked for more than five minutes, Cloud Composer restarts the triggerer, which solves this transient issue.
(Cloud Composer 3) Key Access Justifications now correctly works for Customer Managed Encryption Keys (CMEK).
The bucket synchronization process doesn't fail if the /plugins folder isn't available in the environment's bucket.
(Cloud Composer 3) It's now possible to override the default scopes of access tokens. Before the fix, the scope always defaulted to https://www.googleapis.com/auth/cloud-platform and https://www.googleapis.com/auth/userinfo.email. This resulted in authentication failures when accessing non-Google Cloud services.
The change is gradually rolled out to the following regions: africa-south1, asia-south2, australia-southeast2, europe-north2, europe-west3, europe-west10, europe-west12, northamerica-south1, southamerica-west1, us-east7, and us-south1. It will be rolled out to more regions in future releases.
New Airflow builds are available in Cloud Composer 3:
- composer-3-airflow-2.10.5-build.0
- composer-3-airflow-2.10.2-build.13 (default)
- composer-3-airflow-2.9.3-build.20
New images are available in Cloud Composer 2:
- composer-2.12.1-airflow-2.10.5
- composer-2.12.1-airflow-2.10.2 (default)
- composer-2.12.1-airflow-2.9.3
Support dates for previous Cloud Composer 3 builds are available. All Cloud Composer 3 builds with Airflow 2.10.2 are supported until April 17, 2026.
In the Logs Explorer, you can now view the most frequently occurring fields and values in the JSON payload of your logs. For more information, see the Fields pane documentation.
New Dataproc on Compute Engine subminor image versions:
- 2.0.137-debian10, 2.0.137-rocky8, 2.0.137-ubuntu18
- 2.1.85-debian11, 2.1.85-rocky8, 2.1.85-ubuntu20, 2.1.85-ubuntu20-arm
- 2.2.53-debian12, 2.2.53-rocky9, 2.2.53-ubuntu22
Dataproc on Compute Engine: The Spark BigQuery connector has been upgraded to version 0.34.1 in the latest 2.2 image version.
Fixed a bug in which Jupyter fails to restart upon cluster restart on Personal Authentication clusters.
You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some Filestore resources. For more information, see Creating custom constraints for Filestore.
Gemini 2.5 Flash with thinking and other well-rounded capabilities is now available in Preview.
(New guide) Oracle E‑Business Suite with Oracle Database on Compute Engine VMs: Shows how to build the infrastructure to run Oracle E‑Business Suite applications with Oracle Database on Compute Engine VMs in Google Cloud.
GKE Inference Gateway is now available to significantly improve the performance, efficiency, and observability of generative AI workloads on GKE.
GKE Inference Gateway provides:
- Improved performance: AI serving tail latency is reduced, and AI serving throughput is increased through inference-optimized load balancing.
- Efficient resource utilization: Enables dense multi-workload serving of multiple LoRA fine-tuned models on a shared accelerator, leading to higher GPU/TPU utilization.
- Simplified operations: Features include model-aware routing, model-specific serving priority, and integrated AI Safety.
- Enhanced observability: Golden signals of observability are provided for inference requests.
Entity Context in Search
This feature enhances security investigations and incident response by letting users search for and view context events related to entities. It incorporates UDM entity context data to provide deeper insights into security incidents.
This feature is currently in Preview.
Entity Context in Search
This feature enhances security investigations and incident response by letting users search for and view context events related to entities. It incorporates UDM entity context data to provide deeper insights into security incidents.
This feature is currently in Preview.
Looker connector enhancements
You can now authorize the Looker connector to use the BigQuery OAuth credentials that you use with Looker, letting you view and interact with Looker Explores that use BigQuery data in Looker Studio. Learn more about how to authorize Looker data sources to use BigQuery OAuth credentials.
Custom organization policies are now generally available for Filestore. For more information, see Creating custom constraints for Filestore.
April 16, 2025
Cloud Service MeshNew troubleshooting tools for your service mesh are now available. You can get detailed error codes for your Istio resources and check the state of your mesh to identify and resolve configuration problems. Learn more about Resolving configuration issues and Understanding Feature State Conditions.
In-cluster Cloud Service Mesh 1.21 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.
M129 release
- Updated the Dataproc JupyterLab plugin to version 0.1.85.
You can now create Memorystore for Valkey instances with the Cluster Mode Disabled configuration. This configuration is in addition to the Cluster Mode Enabled configuration that we support already. The Cluster Mode Disabled feature is available in Preview. For more information, see Enable and disable cluster mode.
Persistent resources for custom training is generally available (GA) and supports rebooting.
M129 release
The M129 release of Vertex AI Workbench instances includes the following:
- Updated the Dataproc JupyterLab plugin to version 0.1.85.
April 15, 2025
Apigee AnalyticsOn April 15, 2025 we released an updated version of Apigee Analytics and the Apigee UI.
Starting with this release, the Analytics dashboards available in the Apigee Classic UI redirect to the comparable dashboards in Apigee UI in Cloud console. These dashboards are available exclusively in the Apigee UI in Cloud console going forward.
For information and usage instructions for the Analytics dashboards, see Apigee API Analytics overview.
On April 15, 2025 we released an updated version of Apigee Analytics and the Apigee UI.
Starting with this release, the Analytics dashboards available in the Apigee Classic UI redirect to the comparable dashboards in Apigee UI in Cloud console. These dashboards are available exclusively in the Apigee UI in Cloud console going forward.
For information and usage instructions for the Analytics dashboards, see Apigee API Analytics overview.
Artifact Registry attachments are available in Preview for all repository formats. Attachments are artifacts that store metadata about a related artifact stored in Artifact Registry. To get started with attachments, see Store artifact metadata in attachments.
Fixed markdown rendering issues in chat for IntelliJ Gemini Code Assist.
We are releasing updated versions of the following premium parsers:
- Crowdstrike Detection Monitoring (CS_DETECTS)
- Crowdstrike Falcon (CS_EDR)
- Microsoft Defender for Endpoint
These updates include significant improvements to parser mappings. For a detailed list of all mapping changes, contact your Google SecOps representative.
The new versions will remain in an extended Release Candidate period through the end of May 2025. We recommend that you opt-in early and make any necessary adjustments before these updates become the default.
We are releasing updated versions of the following premium parsers:
- Crowdstrike Detection Monitoring (CS_DETECTS)
- Crowdstrike Falcon (CS_EDR)
- Microsoft Defender for Endpoint
These updates include significant improvements to parser mappings. For a detailed list of all mapping changes, contact your Google SecOps representative.
The new versions will remain in an extended Release Candidate period through the end of May 2025. We recommend that you opt-in early and make any necessary adjustments before these updates become the default.
Regional endpoints are now available in Secure Source Manager. For more information, see Configure data locality by using regional endpoints.
April 14, 2025
Apigee XOn April 14, 2025 we released an updated version of Apigee.
Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.
Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.
See Data residency compatibility for information.
hybrid 1.11.2-hotfix.3
On April 14, 2025 we released an updated version of the Apigee hybrid software, 1.11.2-hotfix.3.
Apply this hotfix with the following steps:
In your overrides file, update the
image.urlandimage.tagproperties ofaoandruntime:runtime: image: url: "gcr.io/apigee-release/hybrid/apigee-runtime" tag: "1.11.2-hotfix.3"Install the hotfix release:
For Helm-managed releases, update the
apigee-envchart with thehelm upgradecommand and your current overrides files:For each environment in your Apigee org:
helm upgrade ENV_RELEASE_NAME apigee-env/ \ --namespace APIGEE_NAMESPACE \ --set env=ENV_NAME \ --atomic \ -f OVERRIDES_FILE- ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-env chart. This name must be unique from the other Helm release names in your installation. Usually this is the same as ENV_NAME. However, if your environment has the same name as your environment group, you must use different release names for the environment and environment group, for exampledev-env-releaseanddev-envgroup-release. For more information on releases in Helm, see Three big concepts in the Helm documentation. - APIGEE_NAMESPACE is your installation's namespace. The default is
apigee. - ENV_NAME is the name of the environment you are upgrading.
- OVERRIDES_FILE is your edited overrides file.
- ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the
For
apigeectl-managed releases:Install the hotfix release with
apigeectl initusing your updated overrides file:${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=clientFollowed by:
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILEApply the hotfix release with
apigeectl apply:${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs --dry-run=clientFollowed by:
${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs
- For information on upgrading, see Upgrading Apigee hybrid to version 1.11.
- For information on new installations, see The big picture.
- For recommended actions after upgrading, see Validate policies after upgrade to 1.12-hotfix.3.
Stricter class instantiation checks included in this release.
JavaCallout policy now includes additional security during Java class instantiation. The enhanced security measure prevents the deployment of policies that directly or indirectly attempt actions that require permissions that are not allowed.
In most cases, existing policies will continue to function as expected without any issues. However, there is a possibility that policies relying on third-party libraries, or those with custom code that indirectly triggers operations requiring elevated permissions, could be affected.
To test your installation, follow the procedure in Validate policies after upgrade to 1.11.2-hotfix.3 to validate policy behavior.
| Bug ID | Description |
|---|---|
| 382967738 | Fixed a vulnerability in PythonScript policy. |
On April 14, 2025 we released an updated version of Apigee.
Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.
Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.
See Data residency compatibility for information.
cos-dev-125-18986-0-0
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.86 | v27.5.1 | v2.0.4 | See List |
Updated app-containers/containerd to v2.0.4.
Updated the Linux kernel to v6.6.86.
Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.
Upgraded app-admin/google-guest-agent to v20250331.00.
Upgraded app-admin/google-guest-configs to v20250328.00.
Upgraded app-containers/docker-credential-helpers to v0.9.3.
Fixed EINTR error in app-container/cni-plugins.
Upgraded chromeos-base/chromeos-common-script to v0.0.1-r662.
Upgraded chromeos-base/shill-client to v0.0.1-r4848.
Upgraded chromeos-base/power_manager-client to v0.0.1-r2966.
Upgraded sys-apps/dbus to v1.14.10-r196.
Upgraded chromeos-base/google-breakpad to v2025.04.01.213855-r235.
Upgraded chromeos-base/debugd-client to v0.0.1-r2731.
Upgraded chromeos-base/session_manager-client to v0.0.1-r2827.
Upgraded chromeos-base/update_engine-client to v0.0.1-r2478.
Upgraded chromeos-base/minijail to v18-r164.
Upgraded sys-apps/diffutils to v3.11-r2.
Upgraded net-nds/rpcbind to v1.2.7.
Upgraded net-misc/rsync to v3.4.1.
Upgraded dev-libs/nss to v3.110.
Upgraded sys-libs/libseccomp to v2.6.0-r2.
Upgraded dev-libs/expat to v2.7.1.
Upgraded app-arch/unzip to v6.0_p29.
Runtime sysctl changes:
- Changed: fs.file-max: 811816 -> 811798
cos-121-18867-0-94
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v27.5.1 | v2.0.4 | See List |
Updated app-containers/containerd to v2.0.4.
Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.
Fixed EINTR error in app-container/cni-plugins.
Upgraded sys-apps/diffutils to v3.11-r2.
Fixed CVE-2024-58083 in the Linux kernel.
Fixed CVE-2025-21999 in the Linux kernel.
Fixed CVE-2025-21887 in the Linux kernel.
Fixed CVE-2025-21867 in the Linux kernel.
Fixed CVE-2024-58070 in the Linux kernel.
Fixed CVE-2025-21853 in the Linux kernel.
Fixed CVE-2025-21853 in the Linux kernel.
Fixed CVE-2025-21763 in the Linux kernel.
Fixed CVE-2025-21762 in the Linux kernel.
Fixed CVE-2025-21764 in the Linux kernel.
Fixed CVE-2025-21759 in the Linux kernel.
Fixed CVE-2025-21760 in the Linux kernel.
Fixed CVE-2025-21726 in the Linux kernel.
Fixed CVE-2025-21796 in the Linux kernel.
Fixed CVE-2024-50138 in the Linux kernel.
Fixed KCTF-0c3057a in the Linux kernel.
Fixed CVE-2024-57979 in the Linux kernel.
Fixed CVE-2025-21727 in the Linux kernel.
Fixed CVE-2025-21812 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811827 -> 811714
cos-117-18613-164-109
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |
Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.
Upgraded sys-apps/diffutils to v3.11-r2.
Upgraded dev-libs/libusb to v1.0.28.
Fixed CVE-2025-21999 in the Linux kernel.
Fixed CVE-2025-21887 in the Linux kernel.
Fixed CVE-2025-21867 in the Linux kernel.
Fixed CVE-2024-58083 in the Linux kernel.
Fixed CVE-2024-58070 in the Linux kernel.
Fixed CVE-2025-21853 in the Linux kernel.
Fixed CVE-2025-21853 in the Linux kernel.
Fixed CVE-2025-21763 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811785 -> 811760
cos-113-18244-291-102
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |
Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.
Upgraded sys-apps/diffutils to v3.11-r2.
Upgraded dev-libs/libusb to v1.0.28.
Fixed CVE-2025-22868 in dev-go/oauth2.
Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.
Fixed KCTF-0c3057a in the Linux kernel.
Fixed CVE-2024-35866 in the Linux kernel.
Fixed CVE-2025-21999 in the Linux kernel.
Fixed CVE-2024-58083 in the Linux kernel.
Fixed CVE-2025-21887 in the Linux kernel.
Fixed CVE-2025-21867 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812050 -> 812031
cos-109-17800-436-99
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |
Modified toolbox to use unified cgroup hierarchy mode, when possible, instead of hybrid mode.
Upgraded net-firewall/iptables to v1.8.11-r1.
Upgraded dev-libs/libusb to v1.0.28.
Upgraded sys-apps/diffutils to v3.11-r2.
Fixed CVE-2025-22868 in dev-go/oauth2.
Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.
Fixed CVE-2024-35866 in the Linux kernel.
Fixed KCTF-0c3057a in the Linux kernel.
Fixed CVE-2024-58083 in the Linux kernel.
Fixed CVE-2025-21887 in the Linux kernel.
Fixed CVE-2025-21867 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812258 -> 812288
Encrypting Dataplex data with customer-managed encryption keys (CMEK) is now available.
Headless web SDK 3.6.4 is released
Headless web SDK 3.6.4 fixes a problem where the virtual agent was sending multiple repeated messages to end-users in chat sessions.
Google Distributed Cloud (software only) for VMware 1.30.800-gke.66 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.30.800-gke.66 runs on Kubernetes v1.30.11-gke.500.
If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following functional change was made in 1.30.800-gke.66:
- Removed support in the Konnectivity server (
konnectivity-server) for the following weak cryptographic cipher suites: TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256.
Fixed an issue that prevented user cluster upgrades when Dataplane V2 was explicitly configured with forward mode.
The 1.30.800-gke.66 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
Release 1.30.800-gke.66
Google Distributed Cloud for bare metal 1.30.800-gke.66 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.800-gke.66 runs on Kubernetes v1.30.11-gke.500.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following functional change was made in 1.30.800-gke.66:
- Updated the cluster upgrade operation to keep only the three latest
kubeadmbackups of etcd and configuration information for a node. Previously,kubeadmkept node backups for every attempted upgrade.
The following issues are fixed in 1.30.800-gke.66:
Fixed an issue that resulted in an excessive creation of periodic
kube-proxy-cleanupjobs on cluster nodes with high pod utilization.Fixed an issue that caused cluster creation to fail because kubelet restarted before required static pods are running.
Fixed an issue that allowed
bmctl resetto run in situations where the reset resulted in the loss of quorum for control plane nodes. To run the command without enforcing the quorum, use the newly added--bypass-quorum-checkflag.
The 1.30.800-gke.66 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
ABAP SDK for Google Cloud version 1.10 (On-premises or any cloud edition)
Version 1.10 of the on-premises or any cloud edition of the ABAP SDK for Google Cloud is generally available (GA). In addition to offering expanded support for Google Cloud APIs and few other enhancements, this version introduces the BigQuery AI and ML SDK for ABAP, Business Eventing Toolkit, and the ability to use Cloud Storage as content repository for SAP.
For more information, see What's new with the on-premises or any cloud edition of the ABAP SDK for Google Cloud.
End-to-end tracing is now generally available (GA). Spanner now supports end-to-end tracing, along with client-side tracing in the Node.js and Python client libraries, in addition to Java and Go. For more information, see Trace collection overview.
April 11, 2025
Agent AssistAgent Assist offers a UI Connector with Salesforce to integrate with voice conversations.
For applicable events, if a context attribute value size limit is exceeded, you are notified through a publishing error (Eventarc Advanced), or attribute names for truncated values are listed in an extension attribute (Eventarc Standard). For more information, see Quotas and limits.
(New guide) Harness CI/CD pipeline for RAG applications: Shows how to implement a continuous integration (CI) and continuous deployment (CD) pipeline for a retrieval-augmented generation (RAG) application in Google Cloud. The architecture uses CI/CD products from Harness to deploy containers to Cloud Run services.
Use of Oracle Linux images provided by Compute Engine with Oracle Database
To run Oracle Database with SAP NetWeaver based applications on Google Cloud, SAP and Oracle have validated the use of the Oracle Linux images provided by Compute Engine.
For more information, see Supported operating systems.
If you set InfoType.version to latest when including the MAC_ADDRESS infoType in your InspectConfig, Sensitive Data Protection will now include MAC_ADDRESS_LOCAL findings as type MAC_ADDRESS in the scan results.
You can still use the old functionality by setting InfoType.version to stable, by leaving InfoType.version unset when using the MAC_ADDRESS infoType, or by using the MAC_ADDRESS_UNIVERSAL infoType. In 30 days, the new functionality will be promoted to stable.
April 10, 2025
Apigee XOn April 10, 2025, we released an updated version of Apigee.
The Apigee Extension Processor is now generally available (GA).
The Apigee Extension Processor lets Apigee customers add API management capabilities to Google Cloud and third-party products and services exposed using Cloud Load Balancing. Select from a range of Apigee policies that enable you to:
- Secure access to your workloads.
- Apply quota enforcement to network traffic.
- Manage Google access token and Google ID token injection to authenticate requests.
- Support native protocols like gRPC, SSE, and HTTP/3.
For more information, see the Apigee Extension Processor overview.
The Bigtable CQL client library for Java is available in Preview.
The Cassandra-Bigtable proxy adapter, which lets you connect your Apache Cassandra-based applications to Bigtable, is available in Preview.
The Bigtable Kafka sink, which lets you directly connect Apache Kafka and Google Cloud Managed Service for Apache Kafka, is now generally available (GA).
Managed APIs for Llama 4 Maverick and Scout are in Preview on Vertex AI. For more information, see the Llama 4 model card.
Design an optimal storage strategy for your cloud workload: Added guidance about Google Cloud Managed Lustre.
The following partner connectors have been added to the Looker Studio Connector Gallery:
- Netsuite by Windsor.ai
- Simplesat by Simplesat
- Pinterest Ads by Porter Metrics
- Recharge by Supermetrics
- Hurma by Hurma
- Shopware 6 Order Analytics by SHOPSY
- Instagram Public by Windsor.ai
When you create a Private Service Connect endpoint to connect to a regional endpoint of a supported service, you can use the public hostname in your configuration—for example, spanner.me-central2.rep.googleapis.com.
April 09, 2025
AlloyDB OmniAlloyDB Omni is in General Availability on the Aiven Platform. Aiven provides managed AlloyDB Omni as a service on multiple public clouds. For more information, see Store your data on any major cloud.
The alloydb_scann extension is updated to include the following vector search improvements. These features are generally available (GA):
Inline filtering enables the execution of vector search and filter evaluation through the combined use of vector and secondary indexes. For more information, see "Inline filtering" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
You can let AlloyDB automatically create multiple parallel workers during index creation when the dataset grows, leading to faster build times. For more information, see "Build indexes in parallel" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
A distribution histogram is available in the
pg_stat_ann_indexesview, which helps you understand the distribution of vectors between partitions of your ScaNN index. For more information, including recommendations about tuning thedistributionpercentilemetric, see "Tuning metrics" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.You can use a query recall evaluator to find the recall for a vector query for a given configuration, and to tune your parameters to achieve the desired vector query recall results for different vector indexes. For more information, see "Measure vector query recall" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.
The alloydb_scann extension is updated to include the following vector search improvements in (Preview):
You can enable auto-maintenance for your ScaNN index and let incrementally manage the index such that when your dataset grows, AlloyDB splits large outlier partitions, and tries to provide better QPS and search results. For more information, see "Maintain indexes automatically" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
Adaptive filtering for ScaNN significantly improves the speed of filtered vector searches. Adaptive filtering automatically selects the most efficient filtering method at runtime. For more information, see "Filtered vector search" and "Adaptive filtering" in the documentation for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
You can enable index auto maintenance and adaptive inline filtering together using the
scann.enable_preview_featuresGrand Unified Configuration (GUC) parameters. For more information, see "AlloyDB flags" for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
AlloyDB for PostgreSQL supports a 1 virtual central processing unit (vCPU) configuration with 8GB of memory, which is suitable for development and sandbox environments. For information about 1 vCPU supported regions and limitations, see Considerations when using 1 vCPU. This feature is generally available (GA).
AlloyDB supports AI-assisted troubleshooting that helps you resolve complex database performance issues like slow queries and high load. AI-assisted troubleshooting is available in Preview.
AlloyDB for PostgreSQL supports parameterized secure views, which provide a secure interface for application developers by improving data security and row access control while using SQL. This feature is in (Preview). For more information, see Parameterized secure views overview.
AlloyDB AI natural language (Preview) delivers secure and accurate responses for application end user natural language questions. For more information, see AlloyDB AI natural language overview.
AlloyDB AI query engine that builds on model endpoint management, and adds support for AI operators and Vertex AI multimodal and ranking models is available in (Preview). You can combine natural language phrases with SQL queries, like ai.if() for filters and joins, ai.rank() for ordering using ranking models, and ai.generate() for generating summaries of your data, and generate multimodal embeddings.
The alloydb_scann extension is updated to include the following vector search improvements. These features are generally available (GA):
Inline filtering enables the execution of vector search and filter evaluation through the combined use of vector and secondary indexes. For more information, see "Inline filtering" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
You can let AlloyDB automatically create multiple parallel workers during index creation when the dataset grows, leading to faster build times. For more information, see "Build indexes in parallel" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
A distribution histogram is available in the
pg_stat_ann_indexesview, which helps you understand the distribution of vectors between partitions of your ScaNN index. For more information, including recommendations about tuning thedistributionpercentilemetric, see "Tuning metrics" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.You can use a query recall evaluator to find the recall for a vector query for a given configuration, and to tune your parameters to achieve the desired vector query recall results for different vector indexes. For more information, see "Measure vector query recall" in the documentation for AlloyDB PostgreSQL, and AlloyDB Omni 15.7.1 and 16.3.0.
The alloydb_scann extension is updated to include the following vector search improvements in (Preview):
You can enable auto-maintenance for your ScaNN index and let incrementally manage the index such that when your dataset grows, AlloyDB splits large outlier partitions, and tries to provide better QPS and search results. For more information, see "Maintain indexes automatically" in the documentation for AlloyDB PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
Adaptive filtering for ScaNN significantly improves the speed of filtered vector searches. Adaptive filtering automatically selects the most efficient filtering method at runtime. For more information, see "Filtered vector search" and "Adaptive filtering" in the documentation for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
You can enable index auto maintenance and adaptive inline filtering together using the
scann.enable_preview_featuresGrand Unified Configuration (GUC) parameters. For more information, see "AlloyDB flags" for AlloyDB for PostgreSQL and AlloyDB Omni 15.7.1 and 16.3.0.
AlloyDB supports C4A Arm VMs on Google's custom-built Axiom processors. C4A VMs are available as predefined configurations from 1, 4, 8, 16, 32, 48, 64, and 72 vCPUs, up to 576 GB of DDR5 memory. C4A machines are available in limited regions. This feature is in Preview. For more information, see Considerations when using the 1 vCPU machine type.
AlloyDB now supports managed connection pooling in Preview. You can use managed connection pooling on your instances to improve the reliability, scalability, and performance of your workloads by optimizing resource utilization. For more information, see Configure managed connection pooling.
A bug was identified that can occasionally lead to parties appearing multiple times in prediction results. For engine versions v004.005 and later, this can also impact risk scores.
As of April 09, 2025 this bug has been fixed in-place for all existing engine versions in major version v004.004 and later.
Google recommends checking the risk scores output generated prior to this fix, or with engine versions that have not been fixed.
- For impacted engine versions within major versions v003.000, v004.002 or v004.004: Check whether the same party_id occurs multiple times in predictions output for a given risk_period_end_time. If so, remove these duplicate rows. The risk scores themselves are not affected.
- For impacted engine versions within major version v004.005 or later: Re-run prediction results. Risk scores might have been impacted for this run.
You can create and manage your App Hub applications using app-enabled folders, now available in Preview.
Gemini Cloud Assist in App Hub is supported in Preview. You can use the chat panel to retrieve information about your application in your app-enabled folder with Gemini assistance.
Gemini Cloud Assist for Artifact Registry is in Preview. You can learn about your container images with Gemini assistance.
To learn more, read the Gemini Cloud Assist overview.
Updated pricing, packaging, and setup guidance is now available for Gemini in BigQuery.
You can now combine raster and vector data with the ST_REGIONSTATS geography function to perform geospatial analysis in BigQuery. For more information, see Work with raster data and try the tutorial that shows you how to use raster data to analyze global temperature by country. This feature is in preview.
You can now use the Apache Arrow format to stream data to BigQuery with the Storage Write API. This feature is available in preview.
Analytics Hub has been renamed BigQuery sharing. You'll see this new name in the documentation set and the marketing collateral. The product functionality and endpoints remain the same. For more information, see Introduction to data governance in BigQuery.
Dataplex Catalog has been renamed BigQuery universal catalog. You'll see this new name in the product page of the Google Cloud console, the documentation set, and the marketing collateral. Universal catalog brings together the data catalog capabilities of Dataplex Catalog and the runtime metastore capabilities of BigQuery metastore. For more information, see Introduction to data governance in BigQuery.
Continuous materialized views for Bigtable are available in Preview.
SQL support for Bigtable is generally available (GA), including an UNPACK feature that lets you read time series data in a tabular format.
Logical views of Bigtable tables are available in Preview.
The Bigtable Studio query editor is generally available (GA).
The Airflow web server in Cloud Composer 3 requires at least 2 GB of memory when an environment is created or updated. This might lead to longer operation times or failures to perform these operations.
As a workaround, when you create a new Cloud Composer 3 environment or upgrade an existing environment, provide at least 2 GB of memory (default value) to the Airflow web server.
Gemini-powered auto-conversion is now available in Preview for all heterogeneous migration scenarios. You can use code and schema conversion enhancements automatically provided by Gemini to significantly reduce the time and complexity of your database migrations.
For more information about auto-conversion and other AI conversion features, such as conversion assistant or pattern matching, see Accelerate code and schema conversion with Gemini.
Database Migration Service support for heterogeneous SQL Server to PostgreSQL migrations is now available in Preview.
For more information, see:
Cross-Site Interconnect is available in Preview.
Cross-Site Interconnect is a new feature of Cloud Interconnect that helps you establish reliable, high-bandwidth Layer 2 connectivity between your on-premises network sites.
When you order Cross-Site Interconnect wires, Google provisions a transparent Layer 2 overlay over its global network between your two Cross-Site Interconnect locations.
For more information, see the Cross-Site Interconnect overview.
To help you get the right Cloud KMS keys on-demand, for consistent alignment with recommended encryption practices, Cloud KMS Autokey now has a free tier. The free tier covers the following usage:
- 100 free active key versions monthly
- 10,000 free cryptographic operations monthly
The free tier only applies to keys created using Cloud KMS Autokey. Key administration operations including key rotation are always free. For more details, see Cloud Key Management Service pricing
Application Monitoring lets you monitor the resources and infrastructure from the perspective of an App Hub application. The out-of-the-box (OOTB) dashboards generated for your application display log, metric, and incident data. These dashboards can help you understand how your application's resources are performing, and they can help you to diagnose issues. This feature is in Public Preview.
- Application Monitoring overview provides a brief overview of this feature.
- Set up application monitoring describes how to configure an observability scope so that you have an aggregated view of your log, metric, and trace data.
- View application telemetry describes the labels attached to your telemetry data, and it provides guidance about how to explore the OOTB dashboards.
Application Monitoring now supports app-enabled folders and App Hub host projects. For app-enabled folders, the metrics scope of the management project is automatically synchronized with the list of projects in the folder, provided quota is available. This feature is in Public Preview.
- Metrics scopes for app-enabled folders describes the synchronization algorithm and how to view your usage of the metrics scope quota.
Gemini Cloud Assist in Cloud Run is supported in Preview. You can use the chat panel to design, optimize, and troubleshoot your Cloud Run apps with Gemini assistance.
Cloud SQL Enterprise Plus edition now supports a new machine series called the C4A machine series, which provides optimized price-performance and delivers predictable high performance for high demand Cloud SQL workloads. C4A uses a new type of storage called Hyperdisk Balanced, and offers up to 72 vCPUs and up to 576 GB memory. The C4A machine series is available in Preview.
For more information about the C4A machine series and its availability, see Machine series overview.
Query insights for Cloud SQL Enterprise Plus edition is now generally available (GA) for your Cloud SQL Enterprise Plus edition for MySQL instances. Query insights for Cloud SQL Enterprise Plus edition offers fine-grained metrics such as wait events and granular query plan samples for faster root-cause analysis and intelligent index recommendations.
For more information, see Use query insights to improve query performance.
Cloud SQL for Enterprise Plus edition supports AI-assisted troubleshooting. With AI-assisted troubleshooting, you can resolve complex database performance issues like slow queries and high load for your instances in a guided manner. To use AI-assisted troubleshooting, you need Gemini Cloud Assist and query insights for Enterprise Plus edition. AI-assisted troubleshooting is available in Preview.
Cloud SQL Enterprise Plus edition now supports a new machine series called the C4A machine series, which provides optimized price-performance and delivers predictable high performance for high demand Cloud SQL workloads. C4A uses a new type of storage called Hyperdisk Balanced, and offers up to 72 vCPUs and up to 576 GB memory. The C4A machine series is available in Preview.
For more information about the C4A machine series and its availability, see Machine series overview.
Query insights for Cloud SQL Enterprise Plus edition is now generally available (GA) for your Cloud SQL Enterprise Plus edition for PostgreSQL instances. Query insights for Cloud SQL Enterprise Plus edition offers fine-grained metrics such as wait events and granular query plan samples for faster root-cause analysis and intelligent index recommendations.
For more information, see Use query insights to improve query performance.
Cloud SQL for Enterprise Plus edition supports AI-assisted troubleshooting. With AI-assisted troubleshooting, you can resolve complex database performance issues like slow queries and high load for your instances in a guided manner. To use AI-assisted troubleshooting, you need Gemini Cloud Assist and query insights for Enterprise Plus edition. AI-assisted troubleshooting is available in Preview.
Query insights for Cloud SQL Enterprise edition and Cloud SQL Enterprise Plus edition is now generally available (GA) for Cloud SQL for SQL Server. You can also now view the query details, query plans, and statistical query execution charts for your top queries.
For more information, see Use query insights to improve query performance.
Dataplex Catalog has been renamed BigQuery universal catalog.
Dataplex Catalog has been renamed BigQuery universal catalog. You'll see this new name in the product page of the Google Cloud console, the documentation set, and the marketing collateral. Universal catalog brings together the data catalog capabilities of Dataplex Catalog and the runtime metastore capabilities of BigQuery metastore. For more information, see Introduction to data governance in BigQuery.
Dataproc Serverless for Spark: Gemini Cloud Assist Investigations is available in Preview for the following runtimes:
- 1.1
- 1.2
- 2.2
The Datastream API now supports streaming data to BigLake managed tables. For more information, see Stream data to BigLake managed tables (BLMT).
You can now use account connectors to connect your Google Cloud account with individual accounts on supported non-Google Developer Tools providers. This feature is in Preview.
You can now use Query insights to view query performance metrics for your database. This feature is in Preview.
Firestore is now available on Database Center. You can track your Firestore resources in the fleet inventory section and the resource table in the Database Center. You can also use Database Center to monitor the following health issues for your Firestore resources:
- No automated backup policy
- No point-in-time recovery
For more information about Database Center, see Database Center overview. For more information about health issues supported for Firestore, see Supported health issues.
You can now use Query insights to view query performance metrics for your database. This feature is in Preview.
Gemini Code Assist tools are in Preview. You can use tools to access external services from your IDE. To learn more about tools, see the Gemini Code Assist Tools overview.
Agent Development Kit (ADK) is now available in Preview. For more information, see Agent Development Kit.
Vertex AI Agent Engine
The following features are now available for Vertex AI Agent Engine in Preview:
The following features are now generally available for Vertex AI Agent Engine:
Gemini Live API is now available as a public preview offering and has been updated with the following features:
- Support for responses in 8 voices and 31 languages using Chirp 3
- Updated UI support in Vertex AI Studio
- Expanded conversation session window
- Ability to extend conversation sessions
- Support to share your current screen with Gemini during conversations
- Transcription support for audio in and audio out
- Support to change or update the system instructions mid-session
For more information, see Gemini 2.0 Flash Live API.
Agent Garden is now available in Preview. For more information, see Vertex AI Agent Builder overview or go directly to Agent Garden in the Cloud Console.
Gemini 2.5 Pro is now available as a public preview offering.
For more information, see Gemini 2.5 Pro.
Vertex AI Agent Builder now refers to a suite of features for building and deploying AI agents in Vertex AI. For more information see, Vertex AI Agent Builder overview.
The original Vertex AI Agent Builder product has been renamed AI Applications. The product functionality and endpoints remain the same. For more information, see What is AI Applications?.
Grounding: Grounding with Google Maps is now available as a Public Experimental feature. For more information, see Grounding with Google Maps.
Grounding: Web Grounding for Enterprise is now Generally available. For more information, see Web Grounding for Enterprise.
Design storage for AI and ML workloads in Google Cloud: Updated to include Cloud Storage FUSE, Anywhere Cache, Hyperdisk ML, and Google Cloud Managed Lustre.
(New guide) Optimize AI and ML workloads with Cloud Storage FUSE: Learn how to optimize performance for AI and ML workloads on Google Kubernetes Engine (GKE) by using Cloud Storage FUSE.
Web SDK 2.24.4 patch is released
This patch fixes a cross-site scripting vulnerability.
Looker 25.6 is expected to include the following changes, features, and fixes:
Expected Looker (original) deployment start: Monday, April 14, 2025
Expected Looker (original) final deployment and download available: Thursday, April 24, 2025
Expected Looker (Google Cloud core) deployment start: Monday, April 14, 2025
Expected Looker (Google Cloud core) final deployment: Monday, April 28, 2025
In the Chart Config Editor, you can save a configuration as a template so that you can reuse it in other visualizations or share it as a starting point for other users.
The classification for the version, versions, and page_events API endpoints have been changed from "Admin" to "N/A" in System Activity queries. These endpoints no longer count toward Admin API endpoint quotas.
The Druid JDBC driver has been updated from 1.22.0 to 1.25.0.
The Athena JDBC driver has been updated from 2.0.35.1000 to 2.1.5.1000.
The Dremio JDBC driver has been updated from 4.5.0 to 25.2.0.
The Spark Databricks JDBC driver has been updated from 2.6.34 to 2.7.1.
The Exasol JDBC driver has been updated from 6.2.3 to 24.2.1.
The Denodo JDBC driver has been updated from 8.8.0 to 9.1.3.
The Trino JDBC driver has been updated from 402 to 468.
An issue has been fixed where an Action Hub query could finish with a complete status even if the query failed. This feature now performs as expected.
An issue has been fixed where sorting on a table visualization could fail to retrieve cached results, even if cached results were available for the query. This feature now performs as expected.
An issue has been fixed where a dashboard tile could appear to load indefinitely if a user didn't have permission to the model. This feature now performs as expected.
The file browser in the Looker IDE can now display files nested in 21 or fewer folders. The previous limit was 6.
An issue has been fixed where certain LookML validation errors could prevent Looker from successfully retrieving a list of models on the instance. This feature now performs as expected.
If a user doesn't have an email address associated with their Looker account, the schedule dialog will not display the Send Test button.
An issue has been fixed where an empty manifest file could cause the LookML Validator to display an error. This feature now performs as expected.
An issue has been fixed where changing the subtotal column sort on dashboard tiles wouldn't properly update the sort order. This feature now performs as expected.
An issue has been fixed where schedules to SFTP destinations could time out because of long SSH key generation times. This feature now performs as expected.
An issue has been fixed where an embedded folder could still be loading content but not display a loading indicator. This feature now performs as expected.
When uploading a JSON database authentication file to a connection, Looker now requires the file to be configured with the service_account type.
An issue has been fixed where Looker would return a 500 error when it displayed a visualization with no results when the Grid Layout was set to By Row. This feature now performs as expected.
A new Labs feature, Fast Dev Mode Transition, improves the performance of Development Mode on your instance by loading LookML projects in read-only mode until a developer clicks the Create Developer Copy button for the project.
The New Database Connection Setup feature is now out of Labs and generally available. This feature updates the Add/Edit Connection page with a modernized UI, enhanced validation, connection testing capabilities, and a comprehensive configuration summary. If you want to revert to the legacy connections workflow, you can enable the Use Legacy Connections Page legacy toggle.
The Content Validator scoping feature is now generally available for customer-hosted Looker deployments (the feature is already available for Looker-hosted deployments). This feature lets developers scope the validation to specific LookML projects and a specific content folder (including its subfolders, if any). This can improve the performance of the Content Validator.
An issue has been fixed where embed users could save Looks to shared folders that they didn't have access to if the New Explore & Look Saving Labs feature was enabled. This feature now performs as expected.
The New Database Connection Setup feature is now generally available. This feature updates the Add/Edit Connection page with a modernized UI, enhanced validation, connection testing capabilities, and a comprehensive configuration summary. If you want to revert to the legacy connections workflow, you can enable the Use Legacy Connections Page legacy toggle.
Recommendations for Memorystore for Redis are now available at Database Center. With this release, Database Center displays health issues about the manageability and performance of Memorystore for Redis. This feature is in Preview. For more information, see Database Center overview and Database health issues.
Recommendations for Memorystore for Redis Cluster are now available at Database Center. With this release, Database Center displays health issues about the manageability and performance of Memorystore for Redis. This feature is in Preview. For more information, see Database Center overview and Database health issues.
Gemini Cloud Assist for Flow Analyzer is in Preview. You can generate SQL queries for VPC Flow Logs with Gemini assistance.
Model Armor and GKE integration
Model Armor now enforces security policies uniformly on generative AI inference traffic using a traffic extension. This applies to all application load balancers, including Google Kubernetes Engine Inference Gateway. This feature is in Preview. For more information, see Integration with Google Kubernetes Engine.
IAM recommender findings are now available with project-level activations of Security Command Center.
The Google Kubernetes Engine (GKE) Gateway supports using extensions to add custom logic into the load balancing processing path. For more information, see GKE extensions. This feature is in Preview.
You can configure Model Armor with Service Extensions to protect AI workloads on supported Application Load Balancers. For more information, see Callouts to Google services. This feature is in Preview.
You can use Gemini assistance to help you use system insights to optimize and troubleshoot Spanner resources. For more information, see Optimize and troubleshoot with Gemini assistance.
Spanner offers Cassandra compatibility with API support and new migration tools allowing seamless lift-and-shift migrations of Cassandra applications. For more information, see Migrate from Cassandra to Spanner.
General availability support for the following integration:
April 08, 2025
AlloyDB OmniAlloyDB Omni version 16.3.0 is generally available (GA). Version 16.3.0 includes the following features and changes:
- AlloyDB Omni supports PostgreSQL version 16.3.
- Asynchronous I/O improves performance on systems with atomic writes for high concurrency Online Transaction Processing (OLTP) workloads. This feature is available in Preview.
- You can upgrade your AlloyDB Omni PostgreSQL 15-based containers to AlloyDB Omni PostgreSQL 16 using
pg_upgrade. For more information, see Upgrade to AlloyDB Omni version 16.3.0 on a VM. - AlloyDB Omni provides additional low-level logs (called "internal logs"), which are useful for debugging database issues. Production users are encouraged to enable this feature for greater observability. We recommend that you enable this feature to improve production observability.
- Active Directory integration lets you use your Active Directory Server to authenticate users for accessing your AlloyDB Omni 16.3.0 databases. This feature is available in Preview. For more information, see Integrate Active Directory with AlloyDB Omni.
- Multiple extensions are updated.
- Multiple GUCs have been updated or added.
- Security fixes for CVE-2024-7348 are implemented.
- Various bug fixes.
AlloyDB Omni version 15.7.1 is generally available (GA). Version 15.7.1 includes the following features and changes:
- AlloyDB Omni supports PostgreSQL version 15.7.
- AlloyDB Omni provides additional low-level logs (called internal logs), which are useful for debugging database issues. Production users are encouraged to enable this feature for greater observability. We recommend that you enable this feature to improve production observability.
- Multiple extensions are updated.
- Multiple GUCs have been updated or added.
- Security fixes for CVE-2024-7348 are implemented.
- Bug fixes.
The PostgreSQL Audit Extension (pgaudit) logging fix In AlloyDB Omni 15.7.0, which enables the pgAudit extension together with the PostgreSQL logging_collector parameter, might have resulted in audit logs loss. This issue is fixed in AlloyDB Omni versions 15.7.1 and 16.3.0.
The AlloyDB Omni Kubernetes operator version 1.4.0 is generally available (GA). Version 1.4.0 includes the following new features and changes:
- You can enable Active Directory integration on your Kubernetes-based AlloyDB Omni database cluster so that you can allow your existing Active Directory-based users to access your AlloyDB Omni database. This feature is available in Preview. For more information, see Integrate Active Directory with AlloyDB Omni on Kubernetes.
- You can create backups in any cloud or on-premises object storage systems that are compatible with the Amazon S3 API. For more information, see Create backups to S3-compatible storage (AlloyDB Omni 15.7.1 and 16.3.0).
- You can now access log files from sidecar containers.
- You can manually upgrade your AlloyDB Omni 15 database clusters to AlloyDB Omni 16.3.0 using
pg_upgrade. For more information, see Migrate to the latest version of AlloyDB Omni on Kubernetes. - Beginning with Kubernetes operator version 1.4.0, the
alloydb_omni_instance_postgresql_wait_time_second_totalmetric is renamed toalloydb_omni_instance_postgresql_wait_time_us_totalto reflect the correct unit of the metric value. If you are not already using microseconds (us) for your metric unit, your queries and dashboard calculations need to change to reflect the correct unit of this metric:seconds->us. For more information, see Upgrade your AlloyDB Omni Kubernetes operator to version 1.4.0. - The PgBouncer connection pooler is generally available (GA). This release includes g-pgBouncer 1.4.0, which incorporates features and bug fixes from PgBouncer 1.24.0.
- You can configure the monitoring dashboard on your Grafana operator to visualize metrics using the monitoring endpoint of the Kubernetes operator.
- When the AlloyDB Omni Kubernetes Operator detects low disk space, the Kubernetes Operator reports a low disk space Critical Incident (CI) on the database cluster.
- AlloyDB Omni provides internal logs for debugging database issues. We recommend that you enable this feature to improve production observability. See "Enable internal logging" for AlloyDB Omni 15.7.1 and 16.3.0 for details.
- Disk cache metrics
alloydb_omni_database_postgresql_chill_cache_get_entry_calls_totalandalloydb_omni_database_postgresql_chill_cache_num_hits_totalare exposed when you enable disk cache on AlloyDB Omni versions 15.7.1 and 16.3.0. These metrics are database container-level metrics. For more information, see AlloyDB Omni metrics (15.7.1 and 16.3.0). - Use
alloydb_omni_instance_postgresql_versionto get the current PostgreSQL major version. For more information, see "Database container-level metrics" for AlloyDB Omni 15.7.1 and 16.3.0. - Various bug fixes and performance improvements.
The Kubernetes 1.4.0 DBCluster might have a status of DBClusterReady even though its endpoint, which allows clients to connect, is not yet ready.
If you use mutating admission webhooks in your Kubernetes cluster, you might experience issues when you create database clusters and the webhooks conflict with the AlloyDB Omni Kubernetes Operator. Examples of mutating admission webhooks include LimitRanger and DefaultTolerationSecond. When the conflict occurs, the database pod repeatedly switches between running and terminating. To work around this issue, disable these webhooks where you run your AlloyDB Omni database cluster.
Action required: You can access Kubernetes operator 1.4.0 high availability (HA) improvements for automatic setup, failover, and healing capabilities starting with AlloyDB Omni 15.7.1 and later. To access these features, see "Migrate to the latest version of AlloyDB Omni on Kubernetes" for AlloyDB Omni 15.7.1 and 16.3.0.
The command to connect to the interactive serial console of a server is changing on May 1, 2025.
Old command:
ssh -i SSH_KEY_ID -p 9600 PROJECT_ID.REGION.SERVER_NAME.USERNAME.bms=true@ssh-serialport.googleapis.com
New command:
ssh -i SSH_KEY_ID -p 9600 PROJECT_ID.REGION.SERVER_NAME.USERNAME.bms=true@\REGION\-ssh-serialport.googleapis.com
We recommend that you update your configurations by April 30, 2025 to avoid any disruptions. For instructions, see Configure serial console.
BigQuery ML now offers a built-in TimesFM univariate time series forecasting model that implements Google Research's open source TimesFM model. You can use BigQuery ML's built-in TimesFM model with the AI.FORECAST function to perform forecasting without having to create and train your own model. This lets you avoid the need for model management.
To try using a TimesFM model with the AI.FORECAST function, see Forecast a time series with a TimesFM univariate model.
This feature is in preview.
You can now create, view, modify, and delete Apache Iceberg resources in BigQuery metastore. This feature is generally available (GA).
You can now connect BigQuery metastore to Apache Flink. This feature is generally available (GA).
New Dataproc on Compute Engine subminor image versions:
- 2.2.52-debian12, 2.2.52-rocky9, 2.2.52-ubuntu22
Dataproc on Compute Engine: Fixed an issue with the retrieval of an Access token when using the ranger-gcs-plugin with 2.2 images.
Previous Custom Extractor versions pretrained-foundation-model-v1.0-2023-08-22 and pretrained-foundation-model-v1.1-2024-03-12 will be deprecated on April 9, 2025. To ensure uninterrupted service, prediction traffic to these versions, including any fine-tuned variants, will be automatically redirected to the latest version, pretrained-foundation-model-v1.4-2025-02-05.
For guidance on how to fine-tune a new version, refer to the fine tuning documentation.
(New guide) Oracle E-Business Suite with Oracle Exadata in Google Cloud: Shows how to build the infrastructure to run Oracle E-Business Suite applications with Oracle Cloud Infrastructure Exadata in Google Cloud.
Headless web SDK 3.6.3 is released
Headless web SDK 3.6.3 fixes a cross-site scripting vulnerability.
(2025-R14) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- The following versions are now available in the Rapid channel:
Regular channel
There are no new releases in the Regular channel.
Stable channel
There are no new releases in the Stable channel.
Extended channel
- The following versions are now available in the Extended channel:
No channel
- The following versions are now available:
- The following node versions are now available:
(2025-R14) Version updates
- The following versions are now available in the Rapid channel:
(2025-R14) Version updates
There are no new releases in the Regular channel.
(2025-R14) Version updates
There are no new releases in the Stable channel.
(2025-R14) Version updates
- The following versions are now available in the Extended channel:
(2025-R14) Version updates
- The following versions are now available:
- The following node versions are now available:
Google Cloud Managed Lustre is now Generally Available (GA) with access by invitation.
Managed Lustre provides a fully managed parallel file system optimized for AI and HPC applications, with storage capacity up to 1 PB.
To request access to Managed Lustre in your Google Cloud project, contact your sales representative.
Custom organization policies are now generally available for Identity-Aware Proxy. For more information, see Use custom organization policies.
April 07, 2025
AI ApplicationsVertex AI Search: Stream Google Cloud Storage buckets to data stores
In addition to one time and periodic imports from Cloud Storage, you can stream unstructured data from Cloud Storage into a data store. This lets you serve results from the bucket to your users in near real time.
Streaming must be set up at the bucket-level (not at the folder- or file-level), and the bucket may only contain unstructured data.
For general information about creating data stores, see Create a search data store.
Vertex AI Search: Grounded generation with the generateGroundedContent API
The generateGroundedContent API to that grounds your answers with your inline text, Vertex AI Search data store, and Google Search is no longer available.
Instead, to generate grounded answers, Google recommends that you use the Generally available groundContent API. You can either ground your answers with Google Search or with your own data. For more information, see Overview.
BigQuery data preparation is generally available (GA). It offers AI-powered suggestions from Gemini for data cleansing, transformation, and enrichment. BigQuery supports visual data preparation pipelines and pipeline scheduling with Dataform.
You can now create remote models in BigQuery ML based on Llama and Mistral AI models in Vertex AI.
Use the ML.GENERATE_TEXT function with these remote models to perform generative natural language tasks for text stored in BigQuery tables. Try this feature with the Generate text by using the ML.GENERATE_TEXT function tutorial.
This feature is generally available (GA).
An updated version of JDBC driver for BigQuery is now available.
Smart-tuning is now supported for materialized views when they are in the same project as one of their base tables, or when they are in the project running the query. This feature is generally available (GA).
BigQuery ML now uses dynamic token-based batching for embedding generation requests. Dynamic token-based batching puts as many rows as possible into one request. This change boosts per-request utilization and improves scalability for any queries per minute (QPM) quota. Actual performance varies based on the embedding content length, with an average 10x improvement.
A weekly digest of client library updates from across the Cloud SDK.
All Cloud Composer environment's GKE clusters are set up with maintenance exclusions from March 27, 2025 to April 12, 2025. For more information, see Maintenance exclusions.
Direct VPC egress support for Cloud Run jobs is now generally available (GA).
You can now configure Identity-Aware Proxy (IAP) for Cloud Run to secure your services with a single click from all ingress paths (in Preview).
Configuring GPU in your Cloud Run service is now generally available (GA).
Cloud Run Threat Detection is available in Preview.
Cloud SQL now supports the Enterprise Plus recommender. Based on your application workloads and resource utilization, the recommender helps you optimize performance by identifying SQL Server instances that might see performance improvements when upgraded to Cloud SQL Enterprise Plus edition.
Config Connector version 1.130.2 is now available.
New Beta resources (direct reconciler)
New Fields
-
- Added
spec.configmanagement.configSync.stopSyncingin version1.129.
- Added
-
- Added
spec.defaultBackupScheduleTypefield. - Added
spec.labelsfield
- Added
New Alpha resources (direct reconciler)
ApphubApplicationBackupDRManagementServerBackupDRBackupVaultBackupDRBackupPlanBackupDRBackupPlanAssociationBatchJobBigLakeTableBigQueryReservationCodeDeployDeliveryPipelineDataplexLakeDatastreamPrivateConnectionDatastreamConnectionProfileDocumentAIProcessorGKEBackupBackupPlanGKEBackupRestorePlanNetAppBackupPolicyNotebooksEnvironmentSpannerInstanceConfigVertexAIFeaturestoreVMwareEnginePrivateCloudVMwareEngineNetworkVMwareEngineNetworkPeeringVMwareEngineNetworkPolicyWorkflowExecution
Reconciliation Improvements
Added support for direct reconciliation to more resources, with opt-in behaviour. The API is backward compatible. To use the direct reconciler, add the alpha.cnrm.cloud.google.com/reconciler: direct annotation to the corresponding Config Connector object. The following resources now have direct reconciliation support (and we list some of the issues that this fixes):
- SpannerInstance
- You can use
spec.editionfield to optimize your enterprise edition type - You can use
spec.autoscalingConfigto automate the scaling instead of manually configurespec.processingUnitorspec. numNodes. - You can use the
defaultBackupScheduleTypenow. - Behavior Change If you use the SpannerInstance Kubernetes
metadata.labelsto configure your GCP labels, please change them to use thespec.labelsfield instead.
- You can use
Premium parsers
Specific high-volume parsers are now categorized as premium. Google aims to address customer issues related to premium parsers as quickly as possible, typically within a few days.
For a complete list of different types of parsers and the level of support that Google provides for each, see Manage prebuilt and custom parsers.
For a complete list of premium parsers, see Default parser configuration and ingestion.
Premium parsers
Specific high-volume parsers are now categorized as premium. Google aims to address customer issues related to premium parsers as quickly as possible, typically within a few days.
For a complete list of different types of parsers and the level of support that Google provides for each, see Manage prebuilt and custom parsers.
For a complete list of premium parsers, see Default parser configuration and ingestion.
Preview: You can now enable IAP directly on your Cloud Run services without configuring load balancers.
For more information, see Configure Identity-Aware Proxy for Cloud Run.
Looker has released version 1.4.2 of the Looker–Power BI Connector. See the Looker–Power BI Connector change log for details about version 1.4.2.
IPv6 subnet exchange is generally available.
You can use export filters to configure a VPC spoke to exchange IPv6 subnet ranges or both IPv4 and IPv6 subnet ranges. For more information, see VPC connectivity with export filters.
For Autonomous Databases, you now have the options to set up public network access and private network access in Google Cloud. This feature is generally available (GA).
A weekly digest of client library updates from across the Cloud SDK.
Go
Changes for pubsub/apiv1
1.48.1 (2025-04-01)
Bug Fixes
- pubsub/pstest: Message ordering issue (#11603) (1d6ffc0)
- pubsub: Update golang.org/x/net to 0.37.0 (1144978)
Documentation
- pubsub: Update documentation for JavaScriptUDF to indicate that the
message_idmetadata field is optional instead of required (f437f08)
Cloud Run Threat Detection is available in Preview.
April 06, 2025
Google SecOpsCreate a quick action (Preview)
Administrators can now predefine quick actions for analysts to execute directly within cases and alerts.
The Quick Actions widget can be added to default case and alert views, and customized alert views within playbooks.
For more information, see Create a quick action.
What's New in Google SecOps
At the top of your Google SecOps screen, click the question mark and select What's New to display the top five new features in the Google SecOps platform.
Release 6.3.41 is now available for all regions.
April 05, 2025
Google SecOps SOARRelease 6.3.42 is being rolled out to the first phase of regions as listed here.
Create a quick action (Preview)
Administrators can now predefine quick actions for analysts to execute directly within cases and alerts.
The Quick Actions widget can be added to default case and alert views, and customized alert views within playbooks.
For more information, see Create a quick action.
April 04, 2025
Access ApprovalAccess Approval supports Document AI in the GA stage.
Access Approval supports Storage Intelligence in the GA stage.
BigQuery ML now supports the following generative AI functions, which let you analyze text using a Vertex AI Gemini model. The function output includes a response that matches the type in the function name:
This feature is in preview.
The following resource types are now publicly available through the analyze policy (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning) APIs.
- Compute Engine
compute.googleapis.com/StoragePool
- Discovery Engine
discoveryengine.googleapis.com/Engine
You can include pipe syntax in the SQL queries you run on the Log Analytics page. Pipe syntax supports a linear query structure designed to make your queries easier to read, write, and maintain. The pipe syntax feature is generally available (GA).
If you have enabled logging for failures of an uptime check, you can view the logs from the Uptime details page. For more information, see View details of an uptime check.
The rollout of the following extension versions and plugin versions is complete:
Extensions and plugins
- PostGIS is upgraded from 3.4.4 to 3.5.2.
To use these versions of the extensions, update your instance to [PostgreSQL version]. R20250302.00_04.
If you use a maintenance window, then the updates to the minor, extension, and plugin versions happen according to the timeframe that you set in the window. Otherwise, the updates occur within the next few weeks.
For more information on checking your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.
1.25.0-asm.8 is now available for in-cluster Cloud Service Mesh.
You can now download 1.25.0-asm.8 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.0 subject to the list of supported features.
The following environment variables are not supported:
- PILOT_MX_ADDITIONAL_LABELS
- PILOT_DNS_CARES_UDP_MAX_QUERIES
- PILOT_DNS_JITTER_DURATION
- PILOT_SEND_UNHEALTHY_ENDPOINTS
The following annotations are not supported:
- networking.istio.io/traffic-distribution
- istio.io/reroute-virtual-interfaces
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.25.0-asm.8 uses Envoy v1.33.1-dev.
There is a known issue where all gateway CRs will see a downtime for status updates when upgrading from 1.24.3 to 1.25.x .
On June, 30, 2024, Red Hat Enterprise Linux (RHEL) 7 will reach end of support and the images marked deprecated on Google Cloud. If you use RHEL 7 images in your project, review RHEL end of support.
On June 30th, 2024, CentOS 7 will reach end of support and the images marked deprecated on Google Cloud. If you use CentOS 7 images in your project, review CentOS end of support guidance .
Optimize log management using extractors
This feature is currently in Preview.
You can now optimize log management by creating extractors to pull specific fields from high-volume log sources. For more information, see Work with extractors.
Optimize log management using extractors
This feature is currently in Preview.
You can now optimize log management by creating extractors to pull specific fields from high-volume log sources. For more information, see Work with extractors.
Google Cloud NetApp Volumes now supports SnapMirror-based volume migration for allow-listed users. This feature lets you migrate from ONTAP-based Flex volumes to NetApp Volumes. For more information, see Volume migration.
Risk Manager is now called Cyber Insurance Hub. Additional insurance partners have been added with expanded customer eligibility.
For detailed information about this product, see the Cyber Insurance Hub documentation.
The Secret Manager add-on for Google Kubernetes Engine (GKE) now supports the automatic rotation of secrets. You can configure the Secret Manager add-on to automatically rotate secrets so that secrets updated in Secret Manager after initial pod deployment are automatically and periodically pushed to the pod. This feature is available in Preview.
For more information, see Configure automatic rotation of secrets.
Spanner has added the PARAMETER_DEFAULT column to the INFORMATION_SCHEMA.PARAMETERS table. This column returns the default value of change stream read functions parameters.
April 03, 2025
BigQueryBigQuery migration assessment now includes support for Amazon Redshift Serverless. This feature is in preview.
You can now generate structured data by using BigQuery ML's AI.GENERATE_TABLE function with Gemini 1.5 Pro, Gemini 1.5 Flash, and Gemini 2.0 Flash models. You can use the AI.GENERATE_TABLE function's output_schema argument to more easily format the model's response. The output_schema argument lets you specify a SQL schema for formatting, similar to the schema used in the CREATE TABLE statement. By creating structured output, you can more easily convert the function output into a BigQuery table.
Try this feature with the Generate structured data by using the AI.GENERATE_TABLE function tutorial.
This feature is in preview.
The unification of Cloud Composer 3 billing with BigQuery is paused until further notice. The change was previously scheduled for April 13, 2025.
In recently released Airflow builds of Cloud Composer 3, the Airflow web server requires more CPU to finish its initialization when an environment is created or updated. This might lead to longer operation times or failures to perform these operations.
As a workaround, when you create a new Cloud Composer 3 environment or upgrade an existing environment, provide at least 1 CPU to the Airflow web server.
This issue currently affects composer-3-airflow-2.10.2-build.12 and composer-3-airflow-2.9.3-build.19 Airflow builds.
You can now integrate Cloud SQL for MySQL and Vertex AI (in Preview). This allows you to invoke predictions and generate vector embeddings using models hosted in Vertex AI. To use this integration, update your instance to [MySQL version].R20250304.00_01.
For more information, see Integrate Cloud SQL with Vertex AI.
New Dataproc Serverless for Spark runtime versions:
- 1.1.98
- 1.2.42
- 2.2.42
Dataproc Serverless for Spark: Installed CUDA, cuDNN and NCCL NVIDIA libraries in 1.2 and 2.2 runtimes.
Google Cloud VMware Engine now supports 24 ve2 node types, enabling precise and efficient environment sizing. See VMware Engine node types for full details.
GKE now provides insights and recommendations that help you identify workloads without resource requests or limits so that you can specify the resource needs for these workloads. Configuring CPU and memory requests and limits for containers is the best practice for improving reliability and performance, and is a necessary prerequisite for understanding and optimizing resource utilization by your workloads and their cost.
Migrate to Virtual Machines supports importing Arm disk images to Google Cloud. For information on operating systems supporting this feature, see Supported operating systems.
In Spanner Graph you can view a visualization of graph elements returned by a Spanner Graph query and of a Spanner Graph schema. A graph query visualization helps you understand the query results by revealing patterns, dependencies, and anomalies in the returned graph elements. A graph schema visualization helps you understand how the nodes and edges in a schema are related. For more information, see Work with Spanner Graph visualizations.
April 02, 2025
AI ApplicationsAI Applications: Renamed from Vertex AI Agent Builder
The Vertex AI Agent Builder product has been renamed AI Applications. You'll see this new name in the product console, the documentation set, and the marketing collateral. The product functionality and endpoints remain the same.
On April 2, 2025, we released an updated version of API Gateway.
With this release, API Gateway meets the regulatory and compliance requirements for support of data residency for data at rest.
For more information, see Google Cloud Platform Services with Data residency.
When the ScaNN index creation updates the reltuples statistics of a heap table, performance might be degraded for queries involving that table. For information to mitigate the issue, see Analyze your indexed table.
When the ScaNN index creation updates the reltuples statistics of a heap table, performance might be degraded for queries involving that table. For information to mitigate the issue, see "Analyze your indexed table" in the documentation for AlloyDB for PostgreSQL and AlloyDB Omni.
VPC Service Controls (VPC-SC) integration (Preview)
API hub now integrates with VPC Service Controls, providing enhanced network security for your API hub instance provisioned in Google Cloud. Establish service perimeters to control ingress and egress traffic. For more information, see VPC Service Controls for API hub.
Data Residency Zone (DRZ) compliance
API hub is now compliant with Data Residency Zone (DRZ) C3 requirements. For more information, see API hub locations.
Terraform support for provisioning
You can now provision API hub instances programmatically using Terraform for Google Cloud within Cloud Shell, enabling infrastructure-as-code practices. For more information, see Provision API hub using Terraform.
Plugin Framework
API hub now uses a plugin framework to connect and ingest API metadata from various Google Cloud services and external sources where your APIs are managed or defined. This provides a flexible and extensible way to integrate with your existing API landscape. For more information, see Plugins overview.
API Metadata Curations
API hub introduces a curation process to transform and enrich API metadata ingested by plugins. This ensures consistency across different sources, enabling effective governance, discovery, and management of your APIs. For more information, see Curations overview.
API Supply chain graph view
Visualize and understand the dependencies within your API ecosystem with the new interactive API supply chain graph view. This directed graph allows you to explore the relationships between your APIs and API operations. For more information, see API Supply chain views.
Enhancements to the Operations entity [API only]
You can now add, edit, or delete operations for an API version even if it lacks a specification file or has an unparsable one. For more information, see Manage operations.
Attach API documents
You can now enhance your API documentation by attaching additional relevant files, such as requirements, design documents, and functionality details, directly to your APIs in API hub.
Deprovision an API hub instance [API only]
You can now delete an API hub instance from your Google Cloud project using the ApiHubInstance API. For more information, see Deprovision Apigee API hub.
Build Conversational Agents with Dialogflow CX (Preview)
Application Integration now simplifies the creation of conversational experiences with direct integration with Conversational Agents (Dialogflow CX). Using API triggers, you can now build intelligent chatbots and automated tools directly within your integration workflows, enhancing user interactions and automating tasks.
For more information, see Build conversational agents with Application Integration.
Enhancements to Replay Execution
Application Integration Replay Execution now provides the following enhancements:
- Modify input parameters on replay: You can now modify the input parameters of an integration execution when initiating a replay. This provides greater flexibility in fixing failed executions.
- Continue execution from point of failure: When replaying an integration, you can now choose to continue the execution from the point of the last failure. This will retry the failed task and, upon success, continue the execution from that point, saving time and effort.
For more information, see Introduction to replay executions.
You can now create and use Python user-defined functions (UDFs) in BigQuery. Python UDFs support the use of additional libraries and external APIs. This feature is in preview.
The Python code that you generate using Gemini in BigQuery Notebooks is now much more likely to leverage your data. With this change, BigQuery Notebooks can intelligently pull relevant table names directly from your BigQuery project, resulting in personalized, executable Python code.
You can now generate Dataframes code in BigQuery Notebooks that use BigFrames libraries. In your code generation prompt, include the word BigFrames to generate code that uses BigQuery DataFrames. This feature is in preview.
Deploying multiple containers (sidecars) to a Cloud Run job is now generally available. (GA)
Generally available: You can manage OS policy assignments across projects and zones at scale in large organizations using the OS policy orchestrator feature in VM Manager. OS policy assignment was previously available only for zonal resources in a project. For more information, see About OS Policy Orchestrator.
All processors can now extend the Maximum page limit for online and synchronous requests up to 30 pages.
To do so, enable imageless_mode in ProcessRequest.
For Custom Extractor, you will need to first request to be allowlisted for this feature by filling out the form Allowlist Request for 30 Page limit in CDE.
Version 3.33 is released
All release notes published on this date are part of version 3.33.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Salesforce CRMs: attach a CCaaS session object to a CRM record if a matching CRM record is found
For Salesforce CRMs, when you append a call or chat session to the latest open record, you have the option to attach a CCaaS session object to a CRM record if a matching CRM record is found. For more information, see Session data mapping by CRM.
New options for CRM comments when saving call recordings and chat transcripts to external storage
When you save call recordings and chat transcripts to external storage, you can control how these are referenced in the CRM record. You now have the following options:
- Add a call recording or chat transcript link as a comment in the CRM record.
- Add the call recording or chat transcript filename as a comment in the CRM record.
- Don't add any reference to the call recording or chat transcript in the CRM record.
To make comments consistent across CRM platforms, we've standardized on the following phrases in CRM comments: Chat Transcripts, Call Recordings, and Voicemails.
For more information, see Configure CRM comments.
New call type in reports: Voice Outbound (UCaaS)
We've added the Voice Outbound (UCaaS) report type to the Create Reports page for calls and chats so you can generate reports that contain this type of call. For more information, see Call and chat types.
Conditional overcapacity deflections
You can now enable conditional overcapacity deflections for calls. You can choose from a number of wait-time conditions or time-of-day conditions, and you can create a distinct deflection message for each each condition that you configure. For more information, see Configure call settings .
New post events for virtual task assistants
The following new virtual task assistant post events are available:
- Virtual task assistant joined
- Virtual task assistant left
- Virtual task assistant session variables received
The agent adapter can use the browser's postMessage() method to send events to the parent iFrame to trigger various actions in your custom CRM application. For more information, see Post events for virtual task assistants.
Bulk agent status import improvements
When you import agent statuses in bulk, the Import Statuses dialog now indicates when the upload is complete and sends you a confirmation email. For more information, see Bulk status management.
Configure a contact list destination to pass data parameters to a SIP header
You can configure a contact list destination to pass data parameters to a SIP URI when an agent uses the destination to make an outbound call or transfer a call. For more information, see Add a destination to a contact list.
View transcripts for completed chats
If you save chat transcripts in external storage, you can view them from the Completed Chats dashboard. This capability is not available in version 3.33. We expect to include it in an upcoming release.
Session metadata contains conversation IDs for virtual agents and Agent Assist
The session metadata file now contains the conversation ID for a virtual agent or for Agent Assist if either of those are involved in a session. For more information, see Sessions metadata content.
Fixed a cross-site scripting vulnerability
This update fixes a cross-site scripting vulnerability.
The following issues were addressed in this release:
- Fixed an issue where users couldn't deactivate a disposition code or list that was assigned to a queue when the queue was deleted prior to the deactivation.
- Fixed an issue in Kustomer integrations where an outbound call to a number that wasn't in the CRM wasn't creating a record.
- Fixed an issue where the button to assign a record ID to a session was missing from the agent adapter.
- Fixed an issue for the Customer End User Dial '0' Behavior queue settings. After a user selected and saved the Dialing '0' moves user back up one level in IVR setting, an error was returned when they attempted to select a different setting.
- Fixed an issue where NICE call recordings failed and returned an
Exception 12error. - Fixed an issue where agents couldn't transfer call or chat sessions to another queue. This occurred when all assigned agents in the destination queue were unavailable or at the concurrency limit.
- Fixed an issue where searches for chat shortcuts were case sensitive. These searches are now case insensitive.
- Fixed an issue where the option to select the account ID and record ID for a session appeared in the agent adapter even when they were configured in the platform to not appear.
- Fixed an issue where the call flexible inbound record ID for a session was not automatically suggested in the agent adapter.
- Fixed an issue where no records were displayed in the Record ID field during wrap up.
- Fixed an issue where the first open record created by the end-user was selected instead of Create New Record being selected.
- Fixed an issue where the default value for the record ID for a session was not the most recently closed and updated record.
- Fixed an issue in Salesforce integrations where the Answer button in the agent adapter didn't appear for incoming calls. This happened after the agent clicked the Assign button multiple times while attempting to assign a record ID or account ID to a session during wrap up.
- Fixed an issue where the Assign button appeared in the agent adapter during wrap-up even when the account ID and record ID were already assigned to the session.
- Fixed an issue where the Assign button in the agent adapter was clickable multiple times during wrap up. Now, after an agent assigns a record ID or account ID to a session, the Assign button is no longer active.
- Fixed an issue where the option to assign a record ID or account ID to a session didn't appear during wrap up even though the agent didn't make these assignments during the call.
- Fixed an issue where the Next button for assigning a record ID or account ID to a session was inactive until the agent made a different selection.
- Fixed an issue where the Agent Assist icon didn't appear in the agent adapter when an agent returned to an inactive chat.
- Fixed an issue where an error was returned when a user attempted to assign an email session to another user.
- Fixed an issue in workforce management where the day planner didn't display the green checkmark after a file was imported.
- Fixed an issue in workforce management where the green success message didn't appear for some forecast types.
- Fixed an intermittant issue where the chat adapter was not appearing when incoming chat sessions arrived.
- Fixed an issue to preserve expected chat adapter behavior when switching to a custom CRM.
- Fixed an issue where the data passed in SIP headers was malformatted if the SIP endpoint was selected from the contact list.
- Fixed an issue in the agent desktop where the chat window was unavailable after an agent ended a session that was transferred or routed from a virtual agent chat session.
- Fixed an issue to ensures that a customer who returns to an inactive chat after hours sees an "after hours" message.
- Fixed an issue where agents couldn't add attachments to emails.
- Fixed a date and time mismatch issue in Alvaria agent productivity files generated by Google Cloud CCaaS.
(2025-R13) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- The following versions are now available in the Rapid channel:
Regular channel
There are no new releases in the Regular channel.
Stable channel
There are no new releases in the Stable channel.
Extended channel
- The following versions are now available in the Extended channel:
No channel
- The following versions are now available:
- The following node versions are now available:
(2025-R13) Version updates
- The following versions are now available in the Rapid channel:
(2025-R13) Version updates
There are no new releases in the Regular channel.
(2025-R13) Version updates
There are no new releases in the Stable channel.
(2025-R13) Version updates
- The following versions are now available in the Extended channel:
(2025-R13) Version updates
- The following versions are now available:
- The following node versions are now available:
Automatic application monitoring is now generally available in GKE versions 1.28 and later. When configured on GKE clusters, this feature automatically collects key metrics with Google Cloud Managed Service for Prometheus and provides out-of-the-box dashboards for monitoring the supported workloads. Automatic application monitoring supports six new AI model servers (NVIDIA Triton, vLLM, TGI, JetStream, TorchServe and TensorFlow Serving). For more information, see Configure automatic application monitoring.
Medium Priority rule set
Google SecOps has introduced a new rule set, Medium Priority, in Applied Threat Intelligence (ATI). This rule set extends the capabilities of the ATI indicator prioritization model and expands prioritization logic to include commodity malware. For more information, see Applied Threat Intelligence priority overview.
Medium Priority rule set
Google SecOps has introduced a new rule set, Medium Priority, in Applied Threat Intelligence (ATI). This rule set extends the capabilities of the ATI indicator prioritization model and expands prioritization logic to include commodity malware. For more information, see Applied Threat Intelligence priority overview.
Memorystore for Valkey is now Generally Available (GA).
Multi-VPC support for Memorystore for Valkey is now Generally Available (GA). This functionality enables you to create Private Service Connect endpoints in multiple VPCs to connect to the same Memorystore for Valkey instance. This provides you with enhanced flexibility and resilience for your network architecture. For more information, see About multiple VPC networking.
The cross-region replication feature for Memorystore for Valkey is now Generally Available (GA). This release includes Terraform support for cross-region replication on Memorystore for Valkey.
You can now upgrade the version of your Memorystore for Valkey instance from 7.2 to 8.0. For more information, see About upgrading the Valkey version of an instance. This feature is Public Preview.
When activating Security Command Center Enterprise, you can monitor the provisioning status and progress of initial scans. This capability is in Preview.
The MAC_ADDRESS_UNIVERSAL infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.
Chirp 3: HD voices with 8 speakers and 31 locales is now GA. It offers real-time streaming and batch processing capabilities and is accessible in global, us, eu, and asia-southeast1 regions.
Explore the latest Chirp 3: HD voices capabilities. Find out their full potential by visiting our updated documentation, specifically the voice controls section.
General availability support for the following integration:
April 01, 2025
BigQueryPipe syntax supports a linear query structure designed to make your queries easier to read, write, and maintain. This feature is generally available (GA).
You can use a CREATE MODEL statement to create a contribution analysis model in BigQuery ML. The top_k_insights_by_apriori_support and pruning_method model options are now supported. You can use a contribution analysis model with the ML.GET_INSIGHTS function to generate insights about changes to key metrics in your multi-dimensional data. The following metric types are supported:
This feature is generally available (GA).
New Dataproc on Compute Engine subminor image versions:
- 2.2.51-debian12, 2.2.51-rocky9, 2.2.51-ubuntu22
Dataproc on Compute Engine: Hyperdisk-Balanced is now the default primary disk type when creating a cluster from the console.
Dataproc on Compute Engine: Fixed incorrectly attributed Dataproc job logs in Cloud Logging for clusters created with 2.2+ image versions. This happened when multiple Dataproc jobs were running concurrently on the same cluster.
Dialogflow CX (Conversational Agents): Data store tools no longer require the use of a playbook and can be used with any agent. For information about configuring data store tools for a flow-based agent, see the data store tools documentation.
Dialogflow CX (Conversational Agents): The gemini-1.0-pro model is deprecated as of March 24, 2025 and has been automatically upgraded to the gemini-1.5-flash-001 model. This change applies to the following features:
- Playbooks
- Data stores
- Generators
Dialogflow CX (Conversational Agents): AI generation of language-specific information, entities and training phrases is now GA.
Dialogflow CX (Conversational Agents): All prebuilt agents are now GA.
Code customization for chat is generally available (GA) for VS Code and IntelliJ Gemini Code Assist. This feature provides contextually relevant code suggestions and insights in your IDE's Gemini Code Assist chat interface. Code customization for chat is available without any additional configuration required. For more information on how to use code customization for chat effectively, see Use code customization.
The following features have been added to Studio in Looker, which is available in preview:
- You can connect to Google BigQuery and Google Sheets using Owner's Credentials.
- Localized number formatting is supported.
Terraform support for using NFS solutions with SAP HANA scale-out HA deployments
While using Terraform to deploy an SAP HANA scale-out HA system on Google Cloud, you can use existing NFS solutions to share the /hana/shared and /hanabackup volumes with the worker hosts in your deployment:
- For the
/hana/sharedvolume, use theprimary_sap_hana_shared_nfsandsecondary_sap_hana_shared_nfsarguments. - For the
/hanabackupvolume, use theprimary_sap_hana_backup_nfsandsecondary_sap_hana_backup_nfsarguments.
These optional arguments are available from version 1.3.730053050 of the sap_hana_ha Terraform module provided by Google Cloud. For more information, see Terraform: SAP HANA scale-out high-availability cluster configuration guide.
March 31, 2025
AlloyDB for PostgreSQLIf your cluster is encrypted with a customer-managed encryption key (CMEK), and no specific CMEK key is configured for continuous or automated backups, then backups will be created with the cluster CMEK. For more information, see About CMEK and Configure backup plans.
On March 31, 2025, we released an updated version of Apigee (1-15-0-apigee-2).
New flow variable suffixes available for accessing base64-encoded message content.
There are two new read-only flow variable suffixes available for accessing message content in base64-encoded form:
content.as.base64content.as.url.safe.base64
These variable suffixes can be used with the request, response, and message objects, as well as with any Message object created implicitly during API proxy execution when using the AssignMessage or ServiceCallout policies.
For more information, see Flow variables reference.
| Bug ID | Description |
|---|
| N/A | Updates to security infrastructure and libraries.
Iceberg external tables now support merge-on-read. You can query Iceberg tables with position deletes and equality deletes. This feature is generally available (GA).
A weekly digest of client library updates from across the Cloud SDK.
Python
Changes for google-cloud-bigquery
3.31.0 (2025-03-20)
Features
- Add query text and total bytes processed to RowIterator (#2140) (2d5f932)
- Add support for Python 3.13 (0842aa1)
Bug Fixes
- Add property setter for table constraints, #1990 (#2092) (f8572dd)
- Allow protobuf 6.x (0842aa1)
- Avoid "Unable to determine type" warning with JSON columns in
to_dataframe(#1876) (968020d) - Remove setup.cfg configuration for creating universal wheels (#2146) (d7f7685)
Dependencies
On the Scheduling page, you can now view existing schedules, create new schedules, and perform other actions for data preparations, notebooks, BigQuery pipelines, and scheduled queries. For more information, see Create a pipeline schedule. This feature is generally available (GA).
You can build BigQuery pipelines (formerly workflows), composed of SQL queries or notebooks, in BigQuery Studio. You can then run these pipelines on a schedule. You can also configure notebook runtimes for a pipeline, share a pipeline, or share a pipeline link. This feature is generally available (GA).
You can now define a _CHANGE_SEQUENCE_NUMBER for BigQuery change data capture (CDC) to manage streaming UPSERT ordering for BigQuery. This feature is generally available (GA).
BigQuery now supports subqueries in row level access policies. It also includes support for BigLake managed tables and the BigQuery Storage Read API. This feature is now generally available (GA).
You can now use BigQuery Data Transfer Service for Search Ads to view Performance Max (PMax) campaign data for the following tables:
- CartDataSalesStats
- ProductAdvertised
- ProductAdvertisedDeviceStats
- ProductAdvertisedConversionActionAndDeviceStats
This feature is generally available (GA).
You can now configure the repeat frequency of BigQuery Data Transfer Service for Google Ad Manager. This option has a default of every 8 hours and a minimum of every 4 hours. This feature is generally available (GA).
You can now skip loading match tables for BigQuery Data Transfer Service for Google Ad Manager. If match tables are not needed, you can set parameter load_match_tables to FALSE. This feature is generally available (GA).
You can include data preparation tasks in BigQuery pipelines that execute your code assets in sequence at a scheduled time. This feature is in Preview.
A weekly digest of client library updates from across the Cloud SDK.
The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.
- Security Command Center Management API
securitycentermanagement.googleapis.com/EventThreatDetectionCustomModulesecuritycentermanagement.googleapis.com/SecurityCenterServicesecuritycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule
The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, and Feed APIs.
- Eventarc
eventarc.googleapis.com/Enrollmenteventarc.googleapis.com/GoogleApiSourceeventarc.googleapis.com/MessageBuseventarc.googleapis.com/Pipeline
Cloud Deploy support for timed promote is now generally available.
Cloud Deploy support for deploy policies is now generally available.
Cloud Deploy support for repair rollout automation is now generally available.
Cloud SQL now supports Managed Connection Pooling (MCP) in Preview, which lets you scale your workloads by optimizing resource utilization for your Cloud SQL instances using pooling. To use Managed Connection Pooling, update your instance to [MySQL version].R20250302.00_04.
For more information, see Managed Connection Pooling overview.
Cloud SQL now supports Managed Connection Pooling (MCP) in Preview, which lets you scale your workloads by optimizing resource utilization for your Cloud SQL instances using pooling. To use Managed Connection Pooling, update your instance to [PostgreSQL version].R20250302.00_04.
For more information, see Managed Connection Pooling overview.
Additional functionality is now available for the bucket IP filtering feature:
You can use IP filtering for buckets in all regions, dual-regions, and multi-regions.
You can use custom organization policies to enforce IP filtering.
Storage batch operations for Cloud Storage is now generally available (GA). Using storage batch operations, you can perform operations on billions of Cloud Storage objects in a serverless manner. To learn more about storage batch operations, see Overview of storage batch operations.
You can now use metrics to monitor Cloud Storage FUSE performance. For more information, see Cloud Storage FUSE metrics.
Flex-start for Cloud TPU, powered by Dynamic Workload Scheduler, is available in Preview. Flex-start is a flexible and cost-effective consumption option for AI workloads. Flex-start enables you to dynamically provision TPUs for up to 7 days using the queued resources API, without long-term reservations. This option is ideal for quick experimentation, small-scale testing, dynamic inference provisioning, and model fine-tuning. For more information about Flex-start for Cloud TPU, see Request Cloud TPUs using Flex-start.
Preview: You can switch to a default runtime with GPUs by using a button in your Colab Enterprise notebook. To enable a default runtime with GPUs for your users, see Enable default runtimes with GPUs.
Compute Engine provides the interactive serial console for troubleshooting malfunctioning instances. The serial console SSH key endpoint is deprecated and a new serial SSH key endpoint is available. For more information, see Serial console SSH host key endpoint deprecation.
Support for Confidential Space on Intel CPUs (C3 machine family) with Intel TDX is now generally available.
Confidential Space now allows adding specific Linux capabilities, including CAP_SYS_ADMIN, and provides a namespaced read or write cgroup.
New Confidential Space images (250300 and 250301) are now available.
cos-105-17412-535-98
| Kernel | Docker | Containerd | GPU Drivers |
| COS-5.15.173 | v23.0.3 | v1.7.23 | See List |
Updated dev-go/net to v0.33.0. This fixed CVE-2023-45288.
Fixed CVE-2025-21763 in the Linux kernel.
Fixed CVE-2025-21764 in the Linux kernel.
Fixed CVE-2025-21762 in the Linux kernel.
Fixed CVE-2025-21760 in the Linux kernel.
Fixed CVE-2025-21726 in the Linux kernel.
Fixed KCTF-fcdd224 in the Linux kernel.
Fixed CVE-2024-53174 in the Linux kernel.
Fixed CVE-2024-53194 in the Linux kernel.
Fixed CVE-2024-56558 in the Linux kernel.
Fixed CVE-2024-57979 in the Linux kernel.
Fixed CVE-2025-21727 in the Linux kernel.
Fixed CVE-2025-21796 in the Linux kernel.
Fixed CVE-2024-58005 in the Linux kernel.
Fixed CVE-2025-21846 in the Linux kernel.
Fixed CVE-2025-21844 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Fixed CVE-2025-21745 in the Linux kernel.
Fixed CVE-2025-21814 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812690 -> 812692
cos-109-17800-436-91
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |
Updated dev-go/net to v0.33.0. This fixed CVE-2023-45288.
Fixed CVE-2025-21763 in the Linux kernel.
Fixed CVE-2025-21764 in the Linux kernel.
Fixed CVE-2025-21760 in the Linux kernel.
Fixed CVE-2025-21762 in the Linux kernel.
Fixed CVE-2025-21726 in the Linux kernel.
Fixed KCTF-fcdd224 in the Linux kernel.
Fixed CVE-2024-57979 in the Linux kernel.
Fixed CVE-2025-21727 in the Linux kernel.
Fixed CVE-2025-21796 in the Linux kernel.
Fixed CVE-2025-21812 in the Linux kernel.
Fixed CVE-2024-56549 in the Linux kernel.
Fixed CVE-2023-52927 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Fixed CVE-2024-58005 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812224 -> 812258
cos-117-18613-164-98
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |
Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.
Fixed CVE-2025-21762 in the Linux kernel.
Fixed CVE-2025-21759 in the Linux kernel.
Fixed CVE-2025-21764 in the Linux kernel.
Fixed CVE-2025-21760 in the Linux kernel.
Fixed CVE-2025-21726 in the Linux kernel.
Fixed CVE-2024-56549 in the Linux kernel.
Fixed KCTF-0c3057a in the Linux kernel.
Fixed CVE-2024-57979 in the Linux kernel.
Fixed CVE-2025-21727 in the Linux kernel.
Fixed CVE-2025-21796 in the Linux kernel.
Fixed CVE-2025-21812 in the Linux kernel.
Fixed CVE-2024-50138 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811744 -> 811785
cos-113-18244-291-93
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |
Update dev-go/net to v0.33.0. This fixed CVE-2023-45288.
Fixed CVE-2025-21763 in the Linux kernel.
Fixed CVE-2025-21762 in the Linux kernel.
Fixed CVE-2025-21764 in the Linux kernel.
Fixed CVE-2025-21760 in the Linux kernel.
Fixed CVE-2025-21726 in the Linux kernel.
Fixed KCTF-fcdd224 in the Linux kernel.
Fixed CVE-2024-57979 in the Linux kernel.
Fixed CVE-2025-21727 in the Linux kernel.
Fixed CVE-2025-21796 in the Linux kernel.
Fixed CVE-2025-21812 in the Linux kernel.
Fixed CVE-2024-56549 in the Linux kernel.
Fixed CVE-2023-52927 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
cos-beta-121-18867-0-75
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v27.5.1 | v2.0.2 | See List |
Updated dev-libs/expat to v2.7.0. This fixes CVE-2024-8176.
Fixed CVE-2024-57977 in the Linux kernel.
Fixed CVE-2024-57977 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811789 -> 811827
cos-dev-125-18971-0-0
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.84 | v27.5.1 | v2.0.2 | See List |
Updated the Linux kernel to v6.6.84.
Runtime sysctl changes:
- Changed: fs.file-max: 811727 -> 811816
New Dataproc Serverless for Spark runtime versions:
- 1.1.97
- 1.2.41
- 2.2.41
Dataproc Metastore federation now supports multi-regional Dataproc Metastore services.
Public preview: Google Cloud Managed Service for Apache Kafka now supports Kafka Connect. Kafka Connect provides a curated set of built-in connector plugins hosted in Connect clusters. Configure these connector plugins to create connectors that let you stream data at scale between Managed Service for Apache Kafka clusters and other systems, such as external Kafka deployments, BigQuery, Cloud Storage, or Pub/Sub. For more information, see Kafka Connect overview.
Modern charts general availability
Modern charts offers new chart styling, new default theme colors, new chart configuration options, new axis customization options, and new chart settings that give report creators greater control over how data is curated and presented to users.
This feature is now generally available and is the default for all new Looker Studio reports. Existing reports must be upgraded to use modern charts. Classic report themes are still available in the Themes panel.
Looker connector enhancements
The following enhancements to the Looker connector are now generally available:
- The Looker connector can now connect to a private IP (private services access) only Looker (Google Cloud core) instance or to a private IP (Private Service Connect) Looker (Google Cloud core) instance using the Looker instance ID.
Responsive reports
You can now select between Freeform and Responsive layouts when creating a report.
- The freeform report layout is the default option. This layout is tailored for desktop screens.
- The responsive report layout scales well across many different screen sizes. Choose this layout if you expect your users to regularly view the report on a tablet or other mobile device.
Query results variables
Query result variables let you insert data directly into text elements.You can choose a cell from a table as a "query result" to insert into a text element, and Looker Studio will keep the result up to date.
YouTube Connector update
On March 31, 2025, YouTube changed the way views are calculated. Learn more about this change.
Release 1.5.0
This release is not a critical update, unless you are directly impacted by the bug fixes, you don't need to update, and you can wait for future releases before updating.
- Metadata Versioning: To enhance the query readability of the metadata instances, MDE v1.5.0 introduced a new field called
validFromthat designates the time when a particular metadata instance is effective. MDE uses this field to check which metadata instance picks based on the source message event time, not processing time, enabling accurate historical data representation. For more information, see Versioning metadata buckets.
- Configuration Packages: Introduces a file-based configuration package system for atomic deployments and GitOps integration. For more information, see Upload configuration package and File content.
- Development Mode: Adds a "Development Mode" to allow deletion of MDE entities and configuration packages, use with caution. For more information, see Development mode.
A weekly digest of client library updates from across the Cloud SDK.
Node.js
Changes for @google-cloud/pubsub
4.11.0 (2025-03-27)
Features
Bug Fixes
Spanner now supports the following GoogleSQL JSON mutator functions:
JSON_ARRAY_APPEND()JSON_ARRAY_INSERT()JSON_REMOVE()JSON_SET()JSON_STRIP_NULLS()
Spanner now supports the following PostgreSQL JSONB mutator functions:
jsonb_insert()jsonb_set()jsonb_set_lax()jsonb_strip_nulls()
Spanner also supports the following PostgreSQL JSONB operators:
- concat:
jsonb || jsonb -> jsonb - delete:
jsonb - text -> jsonb
For more information, see JSON functions in GoogleSQL and Supported PostgreSQL functions.
The GoogleSQL JSON_KEYS and PostgreSQL json_object_keys functions, which extract unique JSON keys from a JSON expression, are generally available.
JSON search indexes are generally available in Spanner. This extension of Spanner's full-text index capabilities accelerates many JSON document queries, even without prior knowledge of the documents' structure. You can create search indexes over any JSON document stored in a JSON column. The JSON_CONTAINS function in GoogleSQL and the @> and <@ operators in PostgreSQL can use search indexes to determine if one document structure is contained in another. Search indexing supports JSON types in GoogleSQL-dialect databases and JSONB in PostgreSQL-dialect databases. For more information, see JSON search indexes.
A monthly digest of client library updates from across the Cloud SDK.
Go
Changes for spanner/admin/database/apiv1
1.77.0 (2025-03-03)
Features
- spanner: A new enum
IsolationLevelis added (#11624) (2c4fb44) - spanner: A new field
isolation_levelis added to message.google.spanner.v1.TransactionOptions(2c4fb44) - spanner: Add a last field in the PartialResultSet (#11645) (794ecf7)
- spanner: Add option for LastStatement in transaction (#11638) (d662a45)
Bug Fixes
Documentation
- spanner: A comment for enum value
OPTIMISTICin enumReadLockModeis changed (2c4fb44) - spanner: A comment for enum value
PESSIMISTICin enumReadLockModeis changed (2c4fb44) - spanner: A comment for enum value
READ_LOCK_MODE_UNSPECIFIEDin enumReadLockModeis changed (2c4fb44) - spanner: A comment for field
chunked_valuein message.google.spanner.v1.PartialResultSetis changed (794ecf7) - spanner: A comment for field
precommit_tokenin message.google.spanner.v1.PartialResultSetis changed (794ecf7) - spanner: A comment for field
precommit_tokenin message.google.spanner.v1.ResultSetis changed (794ecf7) - spanner: A comment for field
query_planin message.google.spanner.v1.ResultSetStatsis changed (794ecf7) - spanner: A comment for field
row_count_lower_boundin message.google.spanner.v1.ResultSetStatsis changed (794ecf7) - spanner: A comment for field
row_typein message.google.spanner.v1.ResultSetMetadatais changed (794ecf7) - spanner: A comment for field
rowsin message.google.spanner.v1.ResultSetis changed (794ecf7) - spanner: A comment for field
statsin message.google.spanner.v1.PartialResultSetis changed (794ecf7) - spanner: A comment for field
statsin message.google.spanner.v1.ResultSetis changed (794ecf7) - spanner: A comment for field
valuesin message.google.spanner.v1.PartialResultSetis changed (794ecf7) - spanner: A comment for message
ResultSetMetadatais changed (794ecf7) - spanner: A comment for message
ResultSetStatsis changed (794ecf7)
1.78.0 (2025-03-24)
Features
- spanner/spansql: Add support for tokenlist and create search index (#11522) (cd894f8)
- spanner: Support multiplexed sessions for ReadWriteStmtBasedTransaction (#11852) (528d9dd)
Bug Fixes
Java
Changes for google-cloud-spanner
6.88.0 (2025-02-27)
Features
- Add a last field in the PartialResultSet (7c714be)
- Automatically set default sequence kind in JDBC and PGAdapter (#3658) (e8abf33)
- Default authentication support for external hosts (#3656) (ace11d5)
- spanner: A new enum
IsolationLevelis added (3fd33ba) - spanner: Add instance partitions field in backup proto (3fd33ba)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (57497ad)
Dependencies
6.89.0 (2025-03-20)
Features
- Enable ALTS hard bound token in DirectPath (#3645) (42cc961)
- Next release from main branch is 6.89.0 (#3669) (7a8a29b)
- Support isolation level REPEATABLE_READ for R/W transactions (#3670) (e62f5ab)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (b959f4c)
- Revert the ALTS bound token enablement (#3679) (183c1f0)
Performance Improvements
- Get database dialect using multiplexed session (#3684) (f641a40)
- Skip gRPC trailers for StreamingRead & ExecuteStreamingSql (#3661) (bd4b1f5)
Dependencies
Node.js
Changes for @google-cloud/spanner
7.19.0 (2025-02-26)
Features
- Add AddSplitPoints API (e4d389a)
- Paging changes for bigquery (e4d389a)
- spanner: A new enum
IsolationLevelis added (#2225) (e4d389a) - spanner: A new field
isolation_levelis added to message.google.spanner.v1.TransactionOptions(e4d389a) - spanner: Add instance partitions field in backup proto (e4d389a)
- spanner: Add support for Multiplexed Session for Read Only Tran… (#2214) (3a7a51b)
- x-goog-spanner-request-id: Add bases (#2211) (0008038)
Bug Fixes
- Add x-goog-request params to headers for LRO-polling methods (e4d389a)
- Error from fill method should not be emitted (#2233) (2cc44cf), closes #2103
- Finalize fixing typings for headers in generator (e4d389a)
- Fix typings for headers in generator (e4d389a)
- Remove extra protos in ESM & capture ESM in headers (e4d389a)
- Rollback with no id (#2231) (a6919b1), closes #2103
7.19.1 (2025-03-13)
Bug Fixes
- CreateQueryPartition with query params (91f5afd)
Python
Changes for google-cloud-spanner
3.53.0 (2025-03-12)
Features
- Add AddSplitPoints API (7a5afba)
- Add Attempt, Operation and GFE Metrics (#1302) (fb21d9a)
- Add REST Interceptors which support reading metadata (7a5afba)
- Add support for opt-in debug logging (7a5afba)
- Add support for reading selective GAPIC generation methods from service YAML (7a5afba)
- Add the last statement option to ExecuteSqlRequest and ExecuteBatchDmlRequest (7a5afba)
- Add UUID in Spanner TypeCode enum (7a5afba)
- End to end tracing (#1315) (aa5d0e6)
- Exposing FreeInstanceAvailability in InstanceConfig (7a5afba)
- Exposing FreeInstanceMetadata in Instance configuration (to define the metadata related to FREE instance type) (7a5afba)
- Exposing InstanceType in Instance configuration (to define PROVISIONED or FREE spanner instance) (7a5afba)
- Exposing QuorumType in InstanceConfig (7a5afba)
- Exposing storage_limit_per_processing_unit in InstanceConfig (7a5afba)
- Snapshot isolation (#1318) (992fcae)
- spanner: A new enum
IsolationLevelis added (#1224) (7a5afba)
Bug Fixes
- Allow Protobuf 6.x (#1320) (1faab91)
- Cleanup after metric integration test (#1322) (d7cf8b9)
- deps: Require grpc-google-iam-v1>=0.14.0 (7a5afba)
- Fix typing issue with gRPC metadata when key ends in -bin (7a5afba)
Performance Improvements
Documentation
- A comment for enum
DefaultBackupScheduleTypeis changed (7a5afba) - A comment for enum value
AUTOMATICin enumDefaultBackupScheduleTypeis changed (7a5afba) - A comment for enum value
GOOGLE_MANAGEDin enumTypeis changed (7a5afba) - A comment for enum value
NONEin enumDefaultBackupScheduleTypeis changed (7a5afba) - A comment for enum value
USER_MANAGEDin enumTypeis changed (7a5afba) - A comment for field
base_configin message.google.spanner.admin.instance.v1.InstanceConfigis changed (7a5afba) - A comment for field
default_backup_schedule_typein message.google.spanner.admin.instance.v1.Instanceis changed (7a5afba) - A comment for field
filterin message.google.spanner.admin.instance.v1.ListInstanceConfigOperationsRequestis changed (7a5afba) - A comment for field
filterin message.google.spanner.admin.instance.v1.ListInstancePartitionOperationsRequestis changed (7a5afba) - A comment for field
instance_configin message.google.spanner.admin.instance.v1.CreateInstanceConfigRequestis changed (7a5afba) - A comment for field
instance_partition_deadlinein message.google.spanner.admin.instance.v1.ListInstancePartitionOperationsRequestis changed (7a5afba) - A comment for field
locationin message.google.spanner.admin.instance.v1.ReplicaInfois changed (7a5afba) - A comment for field
node_countin message.google.spanner.admin.instance.v1.Instanceis changed (7a5afba) - A comment for field
node_countin message.google.spanner.admin.instance.v1.InstancePartitionis changed (7a5afba) - A comment for field
operationsin message.google.spanner.admin.instance.v1.ListInstanceConfigOperationsResponseis changed (7a5afba) - A comment for field
operationsin message.google.spanner.admin.instance.v1.ListInstancePartitionOperationsResponseis changed (7a5afba) - A comment for field
optional_replicasin message.google.spanner.admin.instance.v1.InstanceConfigis changed (7a5afba) - A comment for field
parentin message.google.spanner.admin.instance.v1.ListInstancePartitionsRequestis changed (7a5afba) - A comment for field
processing_unitsin message.google.spanner.admin.instance.v1.Instanceis changed (7a5afba) - A comment for field
processing_unitsin message.google.spanner.admin.instance.v1.InstancePartitionis changed (7a5afba) - A comment for field
referencing_backupsin message.google.spanner.admin.instance.v1.InstancePartitionis changed (7a5afba) - A comment for field
replicasin message.google.spanner.admin.instance.v1.InstanceConfigis changed (7a5afba) - A comment for field
storage_utilization_percentin message.google.spanner.admin.instance.v1.AutoscalingConfigis changed (7a5afba) - A comment for field
unreachablein message.google.spanner.admin.instance.v1.ListInstancePartitionsResponseis changed (7a5afba) - A comment for message
CreateInstanceConfigRequestis changed (7a5afba) - A comment for message
DeleteInstanceConfigRequestis changed (7a5afba) - A comment for message
UpdateInstanceConfigRequestis changed (7a5afba) - A comment for method
CreateInstancein serviceInstanceAdminis changed (7a5afba) - A comment for method
CreateInstanceConfigin serviceInstanceAdminis changed (7a5afba) - A comment for method
CreateInstancePartitionin serviceInstanceAdminis changed (7a5afba) - A comment for method
ListInstanceConfigOperationsin serviceInstanceAdminis changed (7a5afba) - A comment for method
ListInstanceConfigsin serviceInstanceAdminis changed (7a5afba) - A comment for method
ListInstancePartitionOperationsin serviceInstanceAdminis changed (7a5afba) - A comment for method
MoveInstancein serviceInstanceAdminis changed (7a5afba) - A comment for method
UpdateInstancein serviceInstanceAdminis changed (7a5afba) - A comment for method
UpdateInstanceConfigin serviceInstanceAdminis changed (7a5afba) - A comment for method
UpdateInstancePartitionin serviceInstanceAdminis changed (7a5afba) - Fix typo timzeone -> timezone (7a5afba)
Transfers over a Google-managed private network are now supported from more AWS regions, including regions in Europe and Asia. See the full list of supported regions.
You can access global Google APIs by using Private Service Connect backends that are based on cross-region internal Application Load Balancers. This feature is available in General Availability. For more information, see Access global Google APIs through backends.
March 30, 2025
Google SecOps SOARRelease 6.3.40 is now available for all regions.
March 29, 2025
Google SecOps SOARRelease 6.3.41 is being rolled out to the first phase of regions as listed here.
Configure user preferences
The ability to manage platform time zones, date/time settings, and notifications have moved to the new User Preferences dialog, accessible from your avatar.
In addition, a new accessibility option in the User Preferences dialog lets you customize how long feedback messages remain on the screen.
For more information, see Configure user preferences.
March 28, 2025
Access ApprovalAccess Approval supports Org Lifecycle API in the GA stage.
Access Approval supports Integration Connectors in the GA stage.
Access Transparency supports Integration Connectors in the GA stage.
Access Transparency supports Org Lifecycle API in the GA stage.
The ability to disable the Invoker IAM check for Cloud Run services is now at general availability (GA).
When you create a Cloud SQL for SQL Server instance, version SQL Server 2022 Standard is now the default.
AWS token support for Confidential Space is now generally available.
You can now integrate Confidential Space with AWS resources. For more information, see Integrate AWS resources.
New Dataproc Serverless for Spark runtime versions:
- 1.1.96
- 1.2.40
- 2.2.40
Dataproc Serverless for Spark: Hadoop Native libraries are installed by default in all runtimes.
Instance replication is now generally available (GA).
Local codebase awareness is now available for IntelliJ Gemini Code Assist. You can now include files from your local IDE project in the prompt context by typing @ in the chat prompt box.
You can now see what files are used by IntelliJ Gemini Code Assist chat and can customize the context as needed.
Google Distributed Cloud (software only) for VMware 1.29.1200-gke.99 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.29.1200-gke.99 runs on Kubernetes v1.29.13-gke.500. This is the final patch for the 1.29 minor release.
If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The 1.29.1200-gke.99 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
Release 1.29.1200-gke.98
Google Distributed Cloud for bare metal 1.29.1200-gke.98 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.29.1200-gke.98 runs on Kubernetes v1.29.13-gke.500. This is the final patch for the 1.29 minor release.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
Updated the cluster upgrade operation to keep only the three latest kubeadm backups of etcd and configuration information for a node. Previously, kubeadm kept node backups for every attempted upgrade.
Fixed an issue that caused cluster creation to fail because kubelet restarted before required static pods are running.
The 1.29.1200-gke.98 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
In version 1.32.1-gke.1729000 and later, you can customize specific kubelet and Linux kernel parameters like sysctls and huge pages by using the nodeSystemConfig field in your GKE compute classes. Additionally, you can now specify default values for fields that are omitted in individual rules in a compute class by using the priorityDefaults field. For details, see About custom compute classes.
Finding and setting maintenance windows are now Generally Available (GA) on Memorystore for Redis Cluster.
You can now perform maintenance on a Memorystore for Valkey instance. This feature is Public Preview.
The auto-tiering feature which is previously available to allow-listed users, is now generally available. For more information, see Auto-tiering.
You can now create and manage quota rules on a NetApp Volumes volume using the Google Cloud console. For more information, see Manage quota rules.
Added performance benchmark information for the electronic design automation workload.
Spanner vector index and approximate nearest neighbor (ANN) distance functions in the GoogleSQL-dialect are Generally Available. If you have a table with a large amount of vector data, you can use a vector index to accelerate similarity searches and nearest neighbor queries. Spanner now also supports the following:
ALTER VECTOR INDEXDDL syntax- Import and export databases that use ANN
- Use the
STORINGclause to store a copy of a column in the vector index to accelerate queries that filter by those columns - Use ANN in instances smaller than one node or 1000 processing units
For more information, see Find approximate nearest neighbors, create vector indexes, and query vector embeddings.
Spanner ANN indexes are now supported in Langchain. For more information, see LangChain Quickstart for Spanner.
VPC Service Controls feature (Status: Preview): VPC Service Controls adds support for using IAM roles in ingress and egress rules to allow access to resources protected by service perimeters. This feature is available in Preview.
For more information, see Configure IAM roles in ingress and egress rules.
General availability support for the following integration:
Support for a Kubernetes API connector is generally available (GA). The connector allows you to interact with Kubernetes objects in a Google Kubernetes Engine cluster. For more information, see Access Kubernetes API objects using a connector.
March 27, 2025
Anthos Config ManagementAddressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
On March 27, 2025, we released an updated version of Apigee.
Availability of client IP resolution functionality with Apigee hybrid.
Client IP resolution functonality is now available with Apigee hybrid versions 1.14.0 and later.
See Client IP resolution for information.
On March 26, 2025, we released an updated version of Apigee (1-14-0-apigee-5). This Apigee version applies only to organizations using the JavaCallout policy in production environments.
| Bug ID | Description |
|---|---|
| N/A | Updates to security infrastructure and libraries. |
On March 27, 2025, we released an updated version of Apigee.
Availability of client IP resolution functionality with Apigee hybrid.
Client IP resolution functonality is now available with Apigee hybrid versions 1.14.0 and later.
See Client IP resolution for information.
You can now enable metadata caching for SQL translation, which can significantly reduce latency for subsequent translation requests. This feature is in preview.
In the filtering toolbar of the Build history page, you can now filter builds by region. The region drop-down has been removed. For more information, see View build results.
1.24.3-asm.6 is now available for in-cluster Cloud Service Mesh.
You can now download 1.24.3-asm.6 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.3 subject to the list of supported features. Cloud Service Mesh version 1.24.3-asm.6 uses envoy v1.32.4-dev.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.23.5-asm.3 is now available for in-cluster Cloud Service Mesh.
You can now download 1.23.5-asm.3 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.5 subject to the list of supported features. Cloud Service Mesh version 1.23.5-asm.3 uses envoy v1.31.6-dev.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.22.8-asm.5 is now available for in-cluster Cloud Service Mesh.
You can now download 1.22.8-asm.5 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.22.8 subject to the list of supported features. Cloud Service Mesh version 1.22.8-asm.5 uses envoy v1.30.10-dev.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.21.5-asm.34 is now available for in-cluster Cloud Service Mesh.
You can now download 1.21.5-asm.34 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.21.5 subject to the list of supported features. Cloud Service Mesh version 1.21.5-asm.34 uses envoy v1.29.12-dev.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
Cloud Workstations is available in the me-central2 region (Dammam, Saudi Arabia, Middle East). For more information, see Locations.
Dialogflow CX (Conversational Agents) data stores: Dialogflow now supports additional native and third-party data store sources as a private GA feature. For a list of data store sources, integration instructions, and the request form to be added to the allowlist, see the data stores documentation.
Dialogflow CX (Conversational Agents) data store handlers: The method of adding data store handlers to an agent has been streamlined. You are no longer required to create a Chat app on Agent Builder. For updated implementation instructions, see the data stores tools documentation.
Google SecOps is renaming Applied Threat Intelligence (ATI) rules to improve clarity and better reflect the associated UDM fields with each rule detection.
Currently, multiple underlying ATI rules with the same name can appear in the Google SecOps console, even though the rules apply to different UDM fields.
This change modifies the rule_name field in the customer metadata to specify the relevant UDM field for each rule.
For example:
Old rule name: ATI Active Breach Rule Match for File IoCs (SHA256)
New rule name: ATI Active Breach Rule Match for File IoCs (about.file.sha256)
Google SecOps is renaming Applied Threat Intelligence (ATI) rules to improve clarity and better reflect the associated UDM fields with each rule detection.
Currently, multiple underlying ATI rules with the same name can appear in the Google SecOps console, even though the rules apply to different UDM fields.
This change modifies the rule_name field in the customer metadata to specify the relevant UDM field for each rule.
For example:
Old rule name: ATI Active Breach Rule Match for File IoCs (SHA256)
New rule name: ATI Active Breach Rule Match for File IoCs (about.file.sha256)
Site-to-site data transfer locations in the following countries have been added to Network Connectivity Center:
- Belgium
- Canada
- Chile
- Finland
- Israel
- Mexico
- Sweden
Parameter Manager, an extension to the Secret Manager service, is now Generally available (GA). Parameter Manager lets you store, access, and manage the lifecycle of workload parameters. You can interact with Parameter Manager using the console, gcloud CLI, REST API, and client libraries.
For information, see the Parameter Manager documentation.
You can save and manage your SQL scripts in Spanner Studio. This feature is in preview. For more information, see Saved queries overview.
Chirp 3: HD voices in en-US now support experimental features for pace and pause controls.
General availability support for the following integration:
March 26, 2025
API GatewayOn March 26, 2025, we released an updated version of API Gateway.
With this release, customer data in API Gateway is now CMEK-compliant at rest. No configuration is required.
For more information, see CMEK compliance in API Gateway.
To learn more about CMEK, see Customer-managed encryption keys (CMEK).
You can now set the column granularity when you create a search index, which stores additional column information in your search index to further optimize your search query performance. This feature is in preview.
The Monitoring page in the Google Cloud console for Bigtable has been renamed to System insights.
Data lineage in Cloud Composer now uses OpenLineage.
Data lineage support for a specific Airflow operator is now provided by the provider package where the operator is located. See Supported classes in the apache-airflow-providers-openlineage documentation for a list of latest supported operators.
For more information about data lineage in Cloud Composer, see Data lineage with Dataplex.
This feature is gradually rolled out. It will be available in us-west1, us-south1, europe-north1, me-west1, asia-northeast2, asia-southeast2, and africa-south1 regions. We plan to provide this feature in other regions in future releases.
(Available without upgrading) Fixed an issue with updating maintenance windows when there is an upcoming Cloud Composer 3 infrastructure operation.
(Airflow 2.10.2 and 2.9.3) The apache-airflow-providers-google package was upgraded to version 14.0.0 in Cloud Composer 2 images and Cloud Composer 3 builds.
This package is a new major version where many previously deprecated Airflow operators are removed. It is not possible to use these operators in your DAGs.
Make sure that you update your DAGs to use up-to-date alternatives of the removed operators. For more information about removed and deprecated Airflow operators and their up-to-date alternatives, see Deprecated and removed Airflow operators.
For more information about changes, see the apache-airflow-providers-google changelog from version 10.26.0 to version 14.0.0.
(Airflow 2.10.2 and 2.9.3) The apache-airflow-providers-cncf-kubernetes package was upgraded to version 10.3.0 in Cloud Composer 2 images and Cloud Composer 3 builds. For more information about changes, see the apache-airflow-providers-cncf-kubernetes changelog from version 10.1.0 to version 10.3.0.
(Airflow 2.10.2 and 2.9.3) Changes in preinstalled packages:
apache-airflow-providers-postgreswas upgraded to 6.1.0 from 5.14.0.apache-airflow-providers-smtpwas upgraded to 2.0.0 from 1.9.0.types-requestswas removed from preinstalled packages.
New Airflow builds are available in Cloud Composer 3:
- composer-3-airflow-2.10.2-build.12 (default)
- composer-3-airflow-2.9.3-build.19
New images are available in Cloud Composer 2:
- composer-2.12.0-airflow-2.10.2 (default)
- composer-2.12.0-airflow-2.9.3
Cloud Composer versions 2.6.4, 2.6.5, and 2.6.6 have reached their end of support period.
Cloud Deploy is now available in the following regions:
northamerica-south1(Mexico)europe-north2(Stockholm)
Cloud Run services configured with Direct VPC egress now use only 2 times (2X) as many IP addresses as the number of instances for the duration of the instance plus up to 20 minutes, reduced from 4X as many IP addresses.
Generally available: You can use instant snapshots to take in-place backups of the following types of disks:
- Hyperdisk Balanced
- Hyperdisk Balanced High Availability
- Hyperdisk Extreme
Instant snapshots are ideal for rapid data restoration only within the same location as the source disk. You can use an instant snapshot to create a new disk in under a minute. For more information, see About instant snapshots.
Generally available: You can specify a custom ephemeral internal IPv6 address when creating an instance. For more information, see Create instances that use IPv6 addresses.
Generally available: Asynchronous Replication is now generally available for Hyperdisk Balanced, Hyperdisk Balanced High Availability, and Hyperdisk Extreme disks. Asynchronous Replication provides low-RPO and low-RTO block storage replication for cross-region disaster recovery. For more information, see About Asynchronous Replication.
Google Cloud Private Marketplace now lets you control access at the product level, across all deployment surfaces (Cloud Marketplace, API, and the command line), for the following types of products:
- Compute Engine products
- Google Kubernetes Engine products
- Cloud Run
- Procurable Vertex AI products
- Procurable data products
If you've ever previously turned on Private Marketplace, you must upgrade it to ensure that it properly blocks API deployments of unapproved products. For more information, see Upgrade Google Cloud Private Marketplace's enforcement capabilities.
(2025-R12) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- The following versions are now available in the Rapid channel:
Regular channel
There are no new releases in the Regular channel.
Stable channel
- The following versions are now available in the Stable channel:
Extended channel
- The following versions are now available in the Extended channel:
No channel
- The following versions are now available:
- The following node versions are now available:
(2025-R12) Version updates
- The following versions are now available in the Rapid channel:
(2025-R12) Version updates
There are no new releases in the Regular channel.
(2025-R12) Version updates
- The following versions are now available in the Stable channel:
(2025-R12) Version updates
- The following versions are now available in the Extended channel:
(2025-R12) Version updates
- The following versions are now available:
- The following node versions are now available:
The managed BigQuery resources and API keys associated with the chronicle-tla Google Cloud project will be fully deprecated by April 30, 2025. This applies to non-Enterprise+ customers only.
The managed BigQuery resources and API keys associated with the chronicle-tla Google Cloud project will be fully deprecated by April 30, 2025. This applies to non-Enterprise+ customers only.
Custom organization policies are now available in Preview for Cloud Resource Manager. For more information, see Manage resources with custom constraints.
Generally available: You can consume reservations of VMs that have GPUs attached with your custom training jobs or prediction jobs. Reservations of Compute Engine zonal resources help you gain a high level of assurance that your jobs have the necessary resources to run. For more information, see the following:
The ability to back up and restore data on a Vertex AI Workbench instance is now generally available. For more information, see Back up and restore data on an instance.
Support for the following is available in General availability for dual-stack configurations:
- IPv6 static routes with a next hop internal passthrough Network Load Balancer (
next-hop-ilb) - IPv6 static routes with a next hop instance identified by address (
next-hop-address)
For more information, see Next hops and features in the static routes overview.
March 25, 2025
API GatewayOn March 25, 2025, we released an updated version of API Gateway.
API Gateway now supports Workforce Identity Federation.
Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce — a group of users, such as employees, partners, and contractors — using Identity and Access Management (IAM) to access API Gateway services.
See Identity federation: products and limitations for more information.
On March 25, 2025 we released an updated version of Advanced API Security.
Risk Assessment v2 is now the default Risk Assessment version
Starting with this release, Risk Assessment v2 is the default Risk Assessment version in the UI. You will see the see v2 functionality and interfaces unless you choose to switch back to v1 by clicking Switch to v1 in the upper right of the UI.
Note: Rollouts of this functionality to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.
New Advanced API Security support when using data residency (DRZ) with Apigee hybrid
Advanced API Security is now available for Apigee hybrid orgs using DRZ, for hybrid versions 1.14.0 and later. See Using data residency with Apigee hybrid.
See Introduction to data residency for information on DRZ and Advanced API Security support across organization types.
New features added to public preview of Risk Assessment v2
This release introduces new features to the Risk Assessment v2 preview:
- Security monitoring conditions. Security monitoring conditions allow you to map resources (proxies or environments) to security profiles. Cloud Monitoring can then use this mapping to alert or create dedicated dashboards so that you can track security scores over time.
- Alerts on security monitoring conditions. Once you've created a monitoring condition, you can set up alerts using Alerting in Cloud Monitoring so that you're notified when the security scores change.
For information on monitoring conditions features and usage see monitoring conditions and alerts. For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.
Note: Rollouts of this functionality to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.
On March 25, 2025 we released an updated version of Advanced API Security.
New Advanced API Security support when using data residency (DRZ) with Apigee hybrid
Advanced API Security is now available for Apigee hybrid orgs using DRZ, for hybrid versions 1.14.0 and later. See Using data residency with Apigee hybrid.
See Introduction to data residency for information on DRZ and Advanced API Security support across organization types.
BigQuery ML now supports visualization of model monitoring metrics. This feature lets you use charts and graphs to analyze model monitoring function output. The following functions support metric visualization:
ML.VALIDATE_DATA_SKEW: compute the statistics for a set of serving data, and then compare them to the statistics for the data used to train a BigQuery ML model in order to identify anomalous differences between the two data sets.ML.VALIDATE_DATA_DRIFT: compute and compare the statistics for two sets of serving data in order to identify anomalous differences between the two data sets.
This feature is in preview.
New services using GPUs by default will have zonal redundancy turned on. However, you can now specify GPUs with zonal redundancy or without zonal redundancy, and request quota for either of these configurations. (In Preview)
Cloud SQL read pools provide operational simplicity and scaling for your large read workloads.
Read pools provide a single endpoint in front of up to 20 read pool nodes and automatically load balance traffic.
You can scale your read pool in several ways:
- Scale in or out: scale load balancing capacity horizontally by modifying the number of read pool nodes in the read pool. Each read pool supports up to 20 read pool nodes.
- Scale up or down: scale load balancing capacity vertically by modifying the machine type associated with a read pool node. Once defined, configuration is uniformly applied across each read pool node in the read pool.
For more information, see About read pools.
Cloud SQL read pools provide operational simplicity and scaling for your large read workloads.
Read pools provide a single endpoint in front of up to 20 read pool nodes and automatically load balance traffic.
You can scale your read pool in several ways:
- Scale in or out: scale load balancing capacity horizontally by modifying the number of read pool nodes in the read pool. Each read pool supports up to 20 read pool nodes.
- Scale up or down: scale load balancing capacity vertically by modifying the machine type associated with a read pool node. Once defined, configuration is uniformly applied across each read pool node in the read pool.
For more information, see About read pools.
To send trace data to your Google Cloud project, we recommend that you use the new Telemetry API, which implements the OpenTelemetry OTLP API and provides compatibility and support for the open source ecosystem. The limits for the Telemetry API are often more generous than those for the proprietary Cloud Trace API, which you can continue to use. The Telemetry API supports VPC Service Controls. For more information about the Telemetry API, see the following documents:
Resolved: Fixed the issue that caused Persistent Disks attached to VMs with n2d-standard-64 machine types to inconsistently reach the maximum performance limit of 100,000 IOPS.
For more information, see Known issues.
On February 18, 2025, Google released a security fix for Confidential VM instances using AMD SEV-SNP on N2D machine types, which might result in performance degradation. The extent of the performance impact varies depending on the specific workload.
- DeepSeek-V3-0324, TxGemma and Sesame CSM are now available in Model Garden.
- DeepSeek-R1, V3 and V3-0324 can be deployed with H200 GPUs and improved vLLM support.
- You can deploy a model in Model Garden by using the Python SDK, gcloud CLI, or API, which are available in Preview. You can get started with the "Equivalent code" in the deploy panel in the Model Garden console.
Since release 1.30.0-gke.1930, the featureGates.enableGMPForSystemMetrics field in the stackdriver custom resource is always on and can't be disabled. It has been enabled by default since 1.16. If you have manually turned this feature off, upgrading clusters to version 1.30 means a breaking change in the format of some system metrics. For information on this feature, see Using Managed Service for Prometheus.
Since release 1.30.0-gke.1930, the featureGates.enableGMPForSystemMetrics field in the stackdriver custom resource is always on and can't be disabled. It has been enabled by default since 1.16. If you've manually turned this feature off, upgrading clusters to version 1.30 means a breaking change in the format of some system metrics. For information on this feature, see Use Google Cloud Managed Service for Prometheus for selected system components.
The backups feature for the Flex service level is now generally available. For more information, see About NetApp Volumes.
Google Cloud NetApp Volumes now supports cross-region backup vaults in Preview. For more information, see Backup vaults.
The Flex service level of Google Cloud NetApp Volumes now supports custom performance in Preview, enabling independent provisioning of capacity and performance with zonal pools in selected regions. For more information, see NetApp Volumes key features.
Preview stage support for the following integration:
March 24, 2025
Apigee XOn March 24, 2025, we released an updated version of Apigee.
Apigee Spaces is now generally available (GA) for use in Apigee organizations.
Apigee Spaces enables identity-based isolation and grouping of API resources within an Apigee organization. With Apigee Spaces, you can have granular IAM control over access to your API proxies, shared flows, and API products.
Spaces also provide the option of resource isolation at a team level, providing a clear separation of resources associated with different teams operating within the same Apigee organization. IAM policies can be applied at the Space level, eliminating the need to manage permissions individually for every API proxy, shared flow, and API product.
Spaces are a brand new resource type with resource-level permissions. This means that Space permissions are not subject to the 64k limitation for project-level IAM conditions. Each space has its own 64k limit.
To learn more, see Apigee Spaces overview.
The Backup and DR service has added support for activating the management console, for creating backup plans, and for storing backup vault data in the following regions: northamerica-northeast1 (Montréal), northamerica-northeast2 (Toronto), and asia-east2 (Hong Kong).
A weekly digest of client library updates from across the Cloud SDK.
Node.js
Changes for @google-cloud/bigquery
7.9.3 (2025-03-17)
Bug Fixes
Go
Changes for bigquery/storage/apiv1beta1
1.67.0 (2025-03-14)
Features
- bigquery/reservation: Add a new field
enable_gemini_in_bigqueryto.google.cloud.bigquery.reservation.v1.Assignmentthat indicates if "Gemini in BigQuery" (601e742) - bigquery/reservation: Add a new field
replication_statusto.google.cloud.bigquery.reservation.v1.Reservationto provide visibility into errors that could arise during Disaster Recovery(DR) replication (#11666) (601e742) - bigquery/reservation: Add the CONTINUOUS Job type to
.google.cloud.bigquery.reservation.v1.Assignment.JobTypefor continuous SQL jobs (601e742) - bigquery: Support MetadataCacheMode for ExternalDataConfig (#11803) (af5174d), refs #11802
Bug Fixes
- bigquery: Increase timeout for storage api test and remove usage of deprecated pkg (#11810) (f47e038), refs #11801
- bigquery: Update golang.org/x/net to 0.37.0 (1144978)
Documentation
- bigquery/reservation: Remove the section about
EDITION_UNSPECIFIEDin the comment forslot_capacityin.google.cloud.bigquery.reservation.v1.Reservationto clarify that (601e742) - bigquery/reservation: Update the
google.api.field_behaviorfor the.google.cloud.bigquery.reservation.v1.Reservation.primary_locationand.google.cloud.bigquery.reservation.v1.Reservation.original_primary_locationfields to clarify that they areOUTPUT_ONLY(601e742)
Java
Changes for google-cloud-bigquery
2.49.0 (2025-03-20)
Features
- bigquery: Implement getArray in BigQueryResultImpl (#3693) (e2a3f2c)
- Next release from main branch is 2.49.0 (#3706) (b46a6cc)
Bug Fixes
Dependencies
- Exclude io.netty:netty-common from org.apache.arrow:arrow-memor… (#3715) (11b5809)
- Update actions/upload-artifact action to v4.6.2 (#3724) (426a59b)
- Update actions/upload-artifact action to v4.6.2 (#3724) (483f930)
- Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.61.0 (#3703) (53b07b0)
- Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.62.0 (#3726) (38e004b)
- Update dependency com.google.apis:google-api-services-bigquery to v2-rev20250302-2.0.0 (#3720) (c0b3902)
- Update dependency com.google.apis:google-api-services-bigquery to v2-rev20250313-2.0.0 (#3723) (b8875a8)
- Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.65.0 (#3704) (53b68b1)
- Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.66.0 (#3727) (7339f94)
- Update dependency com.google.cloud:sdk-platform-java-config to v3.45.1 (#3714) (e4512aa)
- Update dependency com.google.oauth-client:google-oauth-client-java6 to v1.39.0 (#3710) (c0c6352)
- Update dependency com.google.oauth-client:google-oauth-client-jetty to v1.39.0 (#3711) (43b86e9)
- Update dependency node to v22 (#3713) (251def5)
- Update netty.version to v4.1.119.final (#3717) (08a290a)
Documentation
You can now use KLL quantile functions to efficiently compute approximate quantiles. This feature is in preview.
You can now set labels on reservations. These labels can be used to organize your reservations and for billing analysis. This feature is in preview.
The BigQuery Data Transfer Service can now transfer reporting and configuration data from Google Analytics 4 into BigQuery. This feature is in preview.
We have redesigned the Add Data dialog to guide you through loading data into BigQuery with a source-first experience and enhanced search and filtering capabilities. This feature is generally available (GA).
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-bigtable
2.56.0 (2025-03-18)
Features
- bigtable: Add support for Logical Views in Admin API (#2519) (6dac3fd)
- bigtable: Add support for Materialized Views in Admin API (#2511) (55cd719)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (7992af0)
Dependencies
Python
Changes for google-cloud-bigtable
2.30.0 (2025-03-18)
Features
Bug Fixes
The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.
- Binary Authorization
binaryauthorization.googleapis.com/Attestorbinaryauthorization.googleapis.com/PlatformPolicybinaryauthorization.googleapis.com/Policy
- Compute Engine
compute.googleapis.com/InstanceSettings
- Network Security
networksecurity.googleapis.com/AuthorizationPolicynetworksecurity.googleapis.com/ClientTlsPolicynetworksecurity.googleapis.com/ServerTlsPolicy
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-logging
3.22.0 (2025-03-18)
Features
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (dd25992)
Dependencies
Cloud SQL now lets you retain existing backups after an instance is deleted. These consist of on-demand and automatic backups created when the instance was live. For more information, see Retained backups.
Cloud SQL now lets you retain existing backups after an instance is deleted. These consist of on-demand and automatic backups created when the instance was live. For more information, see Retained backups.
Cloud SQL now lets you retain existing backups after an instance is deleted. These consist of on-demand and automatic backups created when the instance was live. For more information, see Retained backups.
Generally available: Multi-writer support for Hyperdisk Balanced High Availability disks. You can give up to 8 VMs, across two zones, simultaneous read-write access to the same disk. For more information, see Share disks between instances.
cos-dev-125-18964-0-0
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.83 | v27.5.1 | v2.0.2 | See List |
Fixed an issue that resulted in missing grub boot measurements in some machine configurations.
Updated Python to v3.11.
Upgraded app-containers/docker to v27.5.1, Upgraded app-containers/docker-test to v27.5.1, Upgraded app-containers/docker-cli to v27.5.1.
Updated app-admin/google-guest-configs to v20250207.00.
Updated the default tag of the GPU driver supporting the NVIDIA H200 GPU device to 570.86.15.
Upgrade cloud-init from 23.4.3 to 24.4.1.
Added support for NVIDIA GB200 GPU with 570.124.06 GPU driver. This driver version has been assigned the latest, default, and R570 tags for this GPU type.
Added support for the Lustre 2.14.0 client drivers.
Added support for NVIDIA 570.124.06 GPU driver. Updated the LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.
Add support for iRDMA devices.
Updated cos-gpu-installer to v2.4.8: Add the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during gpu driver installation.
Applied Intel patches to add iRDMA support in the Linux kernel.
Support for NVIDIA B200 GPU – Added support for the R570 driver series, including version 570.86.15. This version has been assigned the latest, default, and R570 tags.
Updated cos-gpu-installer to v2.4.7: 1.Added Support for NVIDIA B200 GPU. 2.Enabled --prepare-build-tools flag to preload GPU driver metadata for ARM64
Upgraded sys-auth/pambase to v20250228.
Upgraded app-admin/google-guest-agent to v20250304.03.
Upgraded app-containers/docker-credential-helpers to v0.9.2.
Disabled martian logging for ConnectX-7 network cards. These cards only communicate locally, but martian logging during communications with the host can lead to a race condition which causes GID table construction to sometimes fail.
Upgraded app-containers/runc to v1.2.5, Upgraded app-containers/runc-test to v1.2.5.
Upgraded app-admin/google-guest-configs to v20250221.00.
Upgraded app-admin/google-guest-agent to v20250225.00.
Upgraded app-admin/google-guest-agent to v20250204.02.
Upgraded app-admin/node-problem-detector to v0.8.20.
Upgraded app-admin/fluent-bit to v3.2.5.
Upgraded app-admin/google-guest-agent to v20250122.00.
Upgraded app-admin/google-guest-configs to v20250124.00.
Upgraded chromeos-base/chromeos-common-script to v0.0.1-r659.
Upgraded chromeos-base/session_manager-client to v0.0.1-r2821.
Upgraded chromeos-base/shill-client to v0.0.1-r4838.
Upgraded chromeos-base/session_manager-client to v0.0.1-r2820.
Upgraded chromeos-base/debugd-client to v0.0.1-r2728.
Upgraded chromeos-base/shill-client to v0.0.1-r4834.
Upgraded chromeos-base/update_engine-client to v0.0.1-r2474.
Upgraded chromeos-base/power_manager-client to v0.0.1-r2963.
Upgraded sys-apps/dbus to v1.14.10-r195.
Upgraded chromeos-base/minijail to v18-r163.
Upgraded chromeos-base/shill-client to v0.0.1-r4825.
Upgraded chromeos-base/minijail to v18-r160.
Upgraded chromeos-base/update_engine-client to v0.0.1-r2471.
Upgraded chromeos-base/session_manager-client to v0.0.1-r2818.
Upgraded chromeos-base/chromeos-common-script to v0.0.1-r658.
Upgraded sys-apps/dbus to v1.14.10-r194.
Upgraded chromeos-base/debugd-client to v0.0.1-r2727.
Upgraded chromeos-base/power_manager-client to v0.0.1-r2962.
Upgraded chromeos-base/power_manager-client to v0.0.1-r2961.
Upgraded chromeos-base/update_engine-client to v0.0.1-r2470.
Upgraded chromeos-base/shill-client to v0.0.1-r4818.
Upgraded chromeos-base/debugd-client to v0.0.1-r2726.
Upgraded chromeos-base/google-breakpad to v2024.02.16.014630-r227.
Upgraded chromeos-base/session_manager-client to v0.0.1-r2817.
Upgraded chromeos-base/chromeos-common-script to v0.0.1-r657.
Upgraded sys-libs/libseccomp to v2.6.0-r1.
Upgraded sys-apps/acl to v2.3.2-r2.
Upgraded sys-apps/pv to v1.9.31.
Upgraded dev-libs/nss to v3.109.
Updated app-admin/awscli to v1.38.4.
Updated dev-python/s3transfer to v0.11.4.
Updated dev-python/botocore to v1.37.9.
Updated dev-python/python-dateutil to v2.9.0.
Upgraded sys-apps/which to v2.23.
Upgraded dev-db/sqlite to v3.49.1.
Upgraded dev-libs/nss to v3.108.
Upgraded sys-apps/diffutils to v3.11-r1.
Upgraded dev-libs/double-conversion to v3.3.1.
Upgraded net-misc/socat to v1.8.0.3.
Upgraded sys-apps/diffutils to v3.11.
Upgraded sys-apps/pv to v1.9.27.
Upgraded sys-apps/hwdata to v0.391.
Upgraded dev-db/sqlite to v3.47.2-r1.
Upgraded sys-libs/libseccomp to v2.6.0.
Fixed a race condition that could cause a kernel panic.
Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.
Updated dev-go/oauth2 to v0.27.0. Fixes CVE-2025-22868.
Fixed CVE-2024-13176 in dev-libs/openssl.
Fixed CVE-2025-0395 in sys-libs/glibc.
Fixed CVE-2024-9287 in dev-lang/python.
Fixed CVE-2025-0840 in binutils.
Upgraded net-misc/openssh to version 9.9_p2. This fixed CVE-2025-26465 and CVE-2025-26466.
Upgrade sys-libs/binutils-libs to 2.44-r1. This fixes CVE-2024-53589.
Upgraded net-misc/wget to version 1.25.0. Fixes CVE-2024-10524.
Upgraded dev-libs/libxml2 to version 1.12.10. Fixes CVE-2025-27113.
Runtime sysctl changes:
- Changed: fs.file-max: 811701 -> 811727
cos-beta-121-18867-0-73
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v27.5.1 | v2.0.2 | See List |
Fixed an issue that resulted in missing grub boot measurements in some machine configurations.
Updated Python to v3.11.
Added support for NVIDIA GB200 GPU with 570.124.06 GPU driver. This driver version has been assigned the latest, default, and R570 tags for this GPU type.
Added support for the Lustre 2.14.0 client drivers.
Added support for NVIDIA 570.124.06 GPU driver. Updated the LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.
Upgraded app-admin/node-problem-detector to v0.8.20.
Updated app-admin/awscli to v1.38.4.
Updated dev-python/s3transfer to v0.11.4.
Updated dev-python/botocore to v1.37.9.
Updated dev-python/python-dateutil to v2.9.0.
Upgraded sys-apps/which to v2.23.
Upgraded sys-apps/pv to v1.9.31.
Fixed a race condition that could cause a kernel panic.
Fixed CVE-2024-58005 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed KCTF-647cef2 in the Linux kernel.
Fixed CVE-2025-21785 in the Linux kernel.
Fixed CVE-2025-21716 in the Linux kernel.
Fixed CVE-2025-21857 in the Linux kernel.
Fixed CVE-2024-58088 in the Linux kernel.
Fixed CVE-2025-21844 in the Linux kernel.
Fixed CVE-2025-21779 in the Linux kernel.
Fixed CVE-2025-21854 in the Linux kernel.
Fixed CVE-2025-21846 in the Linux kernel.
Fixed CVE-2025-21864 in the Linux kernel.
Fixed CVE-2025-21858 in the Linux kernel.
Fixed CVE-2025-21791 in the Linux kernel.
Fixed CVE-2025-21863 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811701 -> 811789
cos-109-17800-436-79
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |
Added support for NVIDIA 570.124.06 GPU driver. Updated the R570, LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.
Upgraded sys-apps/which to v2.23.
Fixed a race condition that could cause a kernel panic.
Fixed CVE-2023-45288 in app-containers/docker.
Fixed CVE-2024-53166 in the Linux kernel.
Fixed CVE-2024-53166 in the Linux kernel.
Fixed KCTF-647cef2 in the Linux kernel.
Fixed CVE-2025-21716 in the Linux kernel.
Fixed CVE-2025-21785 in the Linux kernel.
Fixed CVE-2025-21844 in the Linux kernel.
Fixed CVE-2025-21779 in the Linux kernel.
Fixed CVE-2025-21846 in the Linux kernel.
Fixed CVE-2025-21864 in the Linux kernel.
Fixed CVE-2025-21858 in the Linux kernel.
Fixed CVE-2025-21791 in the Linux kernel.
Fixed CVE-2024-26982 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812258 -> 812224
cos-117-18613-164-93
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |
Fixed an issue that resulted in missing grub boot measurements in some machine configurations.
Added support for NVIDIA GB200 GPU with 570.124.06 GPU driver. This driver version has been assigned the latest, default, and R570 tags for this GPU type.
Added support for the Lustre 2.14.0 client drivers.
Upgraded dev-lang/go to v1.23.7.
Fixed a race condition that could cause a kernel panic.
Fixed CVE-2024-58005 in the Linux kernel.
Fixed KCTF-647cef2 in the Linux kernel.
Fixed CVE-2025-21785 in the Linux kernel.
Fixed CVE-2025-21716 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811752 -> 811744
cos-113-18244-291-82
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |
Fixed an issue that resulted in missing grub boot measurements in some machine configurations.
Fixed a race condition that could cause a kernel panic.
Fixed CVE-2024-58005 in the Linux kernel.
Fixed CVE-2024-53166 in the Linux kernel.
Fixed CVE-2024-53166 in the Linux kernel.
Fixed KCTF-647cef2 in the Linux kernel.
Fixed CVE-2025-21716 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812031 -> 812050
cos-105-17412-535-84
| Kernel | Docker | Containerd | GPU Drivers |
| COS-5.15.173 | v23.0.3 | v1.7.23 | See List |
Fixed CVE-2024-58017 in the Linux kernel.
Fixed CVE-2022-49728 in the Linux kernel.
Fixed CVE-2025-21785 in the Linux kernel.
Fixed KCTF-638ba50 in the Linux kernel.
Fixed KCTF-647cef2 in the Linux kernel.
Fixed CVE-2025-21858 in the Linux kernel.
Fixed CVE-2025-21791 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812699 -> 812690
As we launch Custom Extractor version pretrained-foundation-model-v1.4-2025-02-05 in GA with fine tuning (in Preview), these versions will no longer be accessible effective September 24, 2025:
pretrained-foundation-model-v1.2-2024-05-10pretrained-foundation-model-v1.3-2024-08-31
To avoid service disruptions, migrate to a later version, such as pretrained-foundation-model-v1.4-2025-02-05. To learn more about the migration process, refer to our Manage processor versions documentation.
Customers and projects can access pretrained-foundation-model-v1.2-2024-05-10 and pretrained-foundation-model-v1.3-2024-08-31 until September 24, 2025. This includes the ability to create tuning jobs and access fine-tuned processor versions.
Starting March 24, 2025:
- Newly created processor versions using
pretrained-foundation-model-v1.2-2024-05-10can only be used for batch processing. - Newly created processor versions using
pretrained-foundation-model-v1.2-2024-05-10 and pretrained-foundation-model-v1.3-2024-08-31will have a quota limit of 120 pages per minute.
This update requires planning, but if you have questions or need assistance, contact Google Cloud support.
Cloud Firestore now supports multi-region nam7 United States (Central and East), which consists of regions us-central1 (Iowa) and us-east4 (Northern Virginia).
For a full list of supported locations, see Locations.
Firestore in Datastore mode now supports multi-region nam7 United States (Central and East), which consists of regions us-central1 (Iowa) and us-east4 (Northern Virginia).
For a full list of supported locations, see Locations.
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-datastore
2.27.1 (2025-03-18)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (ba1ad98)
Dependencies
Purging of expired raw logs and normalized events is now based on the Ingestion Timestamp instead of the Event Timestamp.
Purging of expired raw logs and normalized events is now based on the Ingestion Timestamp instead of the Event Timestamp.
The following features have been added to Studio in Looker, which is available in preview:
- The Looker connector can now connect to a private IP (private services access) only Looker (Google Cloud core) instance or to a private IP (Private Service Connect) Looker (Google Cloud core) instance using the Looker instance ID.
- The Looker connector now supports Looker export, download, and scheduling permissions.
- Looker System Activity now includes usage, historical, and performance information about Looker reports.
- You can now enable Studio in Looker on Looker instances that use Google OAuth authentication.
- The Looker connector now supports some calculated field functions.
Looker connector enhancements
The following enhancements to the Looker connector are available in Preview:
- The Looker connector can now connect to a private IP (private services access) only Looker (Google Cloud core) instance or to a private IP (Private Service Connect) Looker (Google Cloud core) instance using the Looker instance ID.
- The Looker connector now supports some calculated field functions.
Partner connection launch update
The following partner connectors have been added to the Looker Studio Connector Gallery:
- SEMSTORM Reports by SEMSTORM
- Pango by Pango Solutions AB
- AppsFlyer by Dataslayer
- Vista Social by Vista Social
- Linkedin Pages -Free by Data Bloo
- WooCommerce - Free by Data Bloo
Media CDN supports dynamic compression in General Availability.
After you create a Memorystore for Redis Cluster instance, you can now change the node type for the instance. For more information, see Scale an instance.
After you create a Memorystore for Valkey instance, you can now change the node type for the instance. For more information, see Scale an instance.
A weekly digest of client library updates from across the Cloud SDK.
Python
Changes for google-cloud-pubsub
2.29.0 (2025-03-19)
Features
- Add REST Interceptors which support reading metadata (4363179)
- Add support for opt-in debug logging (4363179)
- Deprecate
enabledfield for message transforms and adddisabledfield (4363179)
Bug Fixes
- Allow logs to propagate upstream for caplog testing (#1374) (fa39b0e)
- Allow Protobuf 6.x (#1369) (c95b7a5)
- Fix typing issue with gRPC metadata when key ends in -bin (4363179)
Documentation
- A comment for field
codein message.google.pubsub.v1.JavaScriptUDFis changed (4363179) - Add samples and test for ingestion from Kafka sources (#1354) (820f986)
- Deprecate
enabledfield for message transforms and adddisabledfield (4363179) - samples: Increase example max_bytes setting for cloud storage subscriptions to encourage more performant subscribe (#1324) (cb760a7)
Preview stage support for the following integration:
March 23, 2025
Google SecOps SOARRelease 6.3.40 is being rolled out to the first wave of regions as listed here.
Theme enhancement for SOAR platform
The header and left hand navigation menu now fully reflect the selected theme. If you select the light theme, both the header and side menu will also appear in light mode. This might impact customers who are using the rebranding feature.
March 22, 2025
Google SecOps SOARRelease 6.3.39 is now available for all regions.
March 21, 2025
Access Context ManagerAccess Context Manager now supports custom organization policies. This feature is generally available (GA). For more information, see Create custom constraints for Access Context Manager.
In the filtering toolbar of the Triggers page, you can now filter by trigger repository and region. The region drop-down has been removed. For more information, see Create and manage build triggers.
You can now specify, in your build config file, a custom Pub/Sub topic for build notifications. For more information, see Pub/Sub topics for build notifications.
Cloud Deploy now uses Skaffold 2.14 as the default Skaffold version, as of March 21, 2025, for all target types.
The Google-Built OpenTelemetry Collector is now available. This Collector is an open-source, production-ready build of the upstream OpenTelemetry Collector that is built with upstream OpenTelemetry Collector components. The Google-built Collector lets you send correlated OTLP traces, metrics, and logs to Cloud Observability and other backends from applications instrumented by using OpenTelemetry SDKs. The Collector also captures metadata for Google Cloud resources, so you can correlate application performance data with infrastructure telemetry data.
For information about using this Collector, see Overview of the Google-Built OpenTelemetry Collector.
Storage Intelligence for Cloud Storage is now generally available (GA). Storage Intelligence simplifies data management in Cloud Storage at scale by providing a unified platform for data exploration, cost optimization, security enforcement, and governance implementation. To learn more about Storage Intelligence, see Overview of Storage Intelligence.
Storage Insights datasets is now generally available (GA). Storage Insights datasets helps you get insights for your Cloud Storage resources and export the data to BigQuery. Storage Insights datasets is an exclusive feature only available through the Storage Intelligence subscription. To learn more about Storage Insights, see Overview of Storage Insights datasets.
Cross-bucket replication is now generally available (GA). You can use cross-bucket replication to copy new and updated objects asynchronously from a source bucket to a destination bucket.
Generally available: Resource-based committed use discounts (CUDs) are available for licenses of RHEL operating system images. You can purchase commitments with a 1-year plan for these licenses and receive up to 20% discounts over on-demand prices.
To learn how to purchase these commitments, see Purchase commitments for licenses. For pricing information, reach out to your Technical account manager (TAM).
Config Controller now uses the following versions of its included products:
- Config Sync v1.19.2, release notes
The Conversational Agents console is now generally available (GA). This console combines the power of Generative AI playbooks and data stores with deterministic flows. Additional features:
- The console is now hosted at
https://conversational-agents.cloud.google.com/. - There is a new menu option for managing languages. Selecting Manage languages from the language drop-down menu at the top of the console now automatically redirects you to the Agent Settings language management section in the Deterministic Flows tab.
- The simulator now has feature parity with the Dialogflow CX console.
Conversational Agents: Conversational Agents now supports multiple tool versions in addition to playbooks and flows. See the versions and environments documentation for details.
Conversational Agents: You can now toggle a Show latency option in the Conversational Agents Console simulator to view latency per conversation turn for simulator conversations. To view latency breakdown, click the total latency value for the conversation turn. Latency values are also shown in the original response, Cloud logging, and BigQuery export.
Be aware that latency values are not recorded directly in the logs, but are represented as startTime and completeTime values in the traceBlocks field.
Conversational Agents playbooks: New model gemini-2.0-flash (Preview) is now available. For more information and supported regions, see Model support.
Conversational Agents: New Chirp 3 HD Cloud Text-to-Speech voices are now available.
Conversational Agents playbooks: Playbooks now support 38 languages. Playbook language support is displayed on the language support page. Supported languages have been tested for quality with the gemini-2.0-flash-001 and gemini-1.5-flash-002 models.
Conversational Agents playbooks: You can now enable DTMF in playbook Settings and as a conditional actions as a Preview feature. See the playbook settings and DTMF for telephony integrations pages for more information.
In GKE version 1.32.2-gke.1652000 and later, new external LoadBalancer Services use zonal Network Endpoint Group (NEG) backends by default. This applies only to new backend service-based external LoadBalancer Services. Existing LoadBalancer Services are not affected. To learn more, see Create a backend service-based external load balancer.
All GKE clusters now export four new rollup metrics by default at no additional charge. These new metrics are for monitoring GKE TPU NodePools and JobSets:
kubernetes.io/node_pool/accelerator/times_to_recover: Distribution of recovery period durations. Each sample indicates a single recovery operation for the NodePool to recover from a downtime period. The data is sampled within 60s after the completion of NodePool recovery, and emitted within 24h. This metric does not include a sample for downtime period longer than 7 days. This metric is only applicable for GKE multi-host TPU node pools.kubernetes.io/jobset/times_between_interruptions: Distribution of times between the end of last interruption and beginning of current interruption for a JobSet. Each sample indicates a single duration between last and current interruption. The data is sampled within 60s after the current interruption starts, and emitted within 24h. The metric does not include a sample for duration between interruptions longer than 7 days. This metric is only applicable for JobSets running on nodes with GPU/TPU and having a single replicated job.kubernetes.io/jobset/times_to_recover: Distribution of recovery period durations. Each sample indicates a single recovery operation for the JobSet to recover from a downtime period. The data is sampled within 60s after the completion of JobSet recovery, and emitted within 24h. This metric does not include samples for downtime periods longer than 7 days. This metric is only applicable for JobSets running on nodes with GPU/TPU and having a single replicated job.kubernetes.io/jobset/uptime: Total time the JobSet has been available. The data is sampled every 60s and emitted within 24h after sampling. This metric is only applicable for JobSets running on nodes with GPU/TPU and having a single replicated job.
Starting in GKE version 1.32.1-gke.1729000, Autopilot clusters will automatically use the new Performance HPA Profile. This new profile enables faster autoscaling on CPU and Memory metrics for up to 1,000 HorizontalPodAutoscaler objects by routing autoscaling metrics through the gke-metrics-agent Daemonset. If desired, users can revert to the old autoscaling profile by disabling the Peformance HPA Profile.
Upgraded server-side dependencies - Tekton Pipelines, Config Connector
Upgrade upload-pages-artifact dependency
Custom organization policies are now generally available for Access Context Manager and VPC Service Controls. For more information, see Manage Access Context Manager resources with custom constraints and Create custom constraints for VPC Service Controls.
Model Armor filter update
The prompt injection and jailbreak detection filter in Model Armor is upgraded with increased efficacy and higher model quality scores.
VPC Service Controls now supports custom organization policies. This feature is generally available (GA). For more information, see Create custom constraints for VPC Service Controls.
March 20, 2025
BigQueryBigQuery workflows have been renamed to BigQuery pipelines in the Google Cloud console. For more information, see Introduction to BigQuery pipelines.
You can now use repositories and workspaces in BigQuery to perform version control.
Repositories perform version control on files by using Git to record changes and manage file versions. You can use workspaces within repositories to edit the code stored in the repository.
You can have a repository use Git directly on BigQuery, or you can connect a repository to a third-party Git provider.
This feature is in preview.
You can now create remote models in BigQuery ML based on the Anthropic Claude model in Vertex AI.
Use the ML.GENERATE_TEXT function with these remote models to perform generative natural language tasks for text stored in BigQuery tables. Try this feature with the Generate text by using the ML.GENERATE_TEXT function tutorial.
You can also evaluate Claude models by using the ML.EVALUATE function.
This feature is generally available (GA).
The following resource types are now publicly available through the analyze policy (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning) APIs.
- Developer Connect
developerconnect.googleapis.com/Connectiondeveloperconnect.googleapis.com/GitRepositoryLink
You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some networksecurity and networkservices resources.
Cloud Service Mesh now supports dual-stack, extending IPv6 capability to both proxy-based Envoy and proxyless gRPC. For more information, see Configure IPv6 dual-stack for Cloud Service Mesh.
If you use the managed Cloud Service Mesh with the ISTIOD control plane implementation, important changes have been made to how and when you'll receive notifications of upcoming modernization. For details, see Managed control plane modernization.
You can now use Secret Manager to securely store authentication resources with Datastream. For more information, see Use Secret Manager to store sensitive data.
Anthropic's Claude Sonnet 3.7 is GA on Vertex AI and supports Provision Throughput. To learn more, view the Claude Sonnet 3.7 model card in Model Garden.
Quotas for scheduled emails
Looker Studio now limits the number of recipients to whom a user can send scheduled emails per day and per month. See the Quotas for scheduled email delivery section for more information. If you have Looker Studio Pro, no such quotas apply. However, any reports in the Owned by me folder are considered to be personal reports and will be subject to quotas. To resolve this, you can upgrade a report to Looker Studio Pro.
Scheduled email updates
The following features are now available only for Looker Studio Pro reports:
- Send Now: The ability to immediately send a report with email using the "Send Now" option is available only for Pro reports.
- Custom Subject and Messages: The option to customize the email subject and message is available only for Pro reports. Any custom messages in existing schedules will be preserved, but you will no longer be able to edit them.
- Image in Preview: A preview of the report will be added to emails only for Pro reports.
These features are also unavailable for reports in the Owned by me folder, even if you have Looker Studio Pro. To resolve this, you can upgrade a report to Looker Studio Pro.
Preview your data
The data source editor displays a preview of the data in your fields. This feature is now generally available.
Partner connection launch update
The following partner connectors have been added to the Looker Studio Connector Gallery:
- Reddit Ads by Dataslayer
- Odoo Accounting AppiWorks by Jivrus Technologies
- Spotify Advertising by Power My Analytics
- Instagram Insights by Data Bloo
- Niteco Performance Insights by Niteco Group
- Yahoo! Japan Display by Catchr
- Line Ads by Catchr Sources
- Yahoo! Japan Search Ads by Catchr
- Oracle AppiWorks by Jivrus Technologies
- Trackingplan by Trackingplan
- Facebook Ads by Master Metrics
- YouTube Analytics by everythingData
- YouTube Analytics by Two Minute Reports
- X Ads by Two Minute Reports
- Google Ads by everythingData
- Hubspot by everythingData
- IOT Dashzoom by Dashzoom
- ad:personam Analytics by ad:personam GmbH
- 快客-Thread 社群洞察 by 黑客數位
- Datastore AppiWorks by Jivrus Technologies
- Google PageSpeed by Catchr
- Yelp Review by Catchr
- Xero by Windsor.ai
- Google Trends by Catchr
- Appstore Review by Catchr
- Branch by Catchr
- Airbnb Review by Catchr
- Booking Review by Catchr
- Facebook Review by Catchr
- Glassdoor Review by Catchr
- Capterra Review by Catchr
- g2 Review by Catchr
- Indeed Review by Catchr
- Tripadvisor Review by Catchr
- Google Play Review by Catchr
- Trustpilot Review by Catchr
- DynamoDB AppiWorks by Jivrus Technologies
- 快客-Instagram 社群洞察 by 黑客數位
- Capterra PPC by everythingData
- ProfitWell by Catchr
- Zoho CRM by Catchr
- ChartMogul by Catchr
- HubSpot by Dataslayer
For Autonomous Databases, you can now set up cross-region disaster recovery with Autonomous Data Guard in Google Cloud. You can create and manage peer databases, and perform switchover operations. This feature is generally available (GA).
The Risk section of the SecOps console has been updated for Security Command Center Enterprise, introducing the following features in Preview:
- Issues are the most important security risks Security Command Center Enterprise has found in your cloud environments. Sourced from Security Command Center's virtual red teaming and security graph, issues give you all the details you need to understand, triage, and remediate a risk. Explore attack path diagrams, attack exposure scores, exposed resources, related findings, and whether multiple issues exist on a primary resource, all from the one place.
- Security graph is a graph database that has cloud resources like assets, identities, apps, and data assigned to its nodes, while the edges of the graph determine the risk relationship between those resources following detection rules. When a relationship risk is discovered, the security graph generates an issue.
- Chokepoints are critical severity issues that focus on common resources or resource groups where multiple attack paths converge. Because of this focus on a common point, resolving a chokepoint can resolve other issues too, like toxic combinations.
The Risk Overview dashboard has also been updated, and a new Issues page added to the Risk section. You can navigate through different security domains in the Risk section using the tabs near the top of the page, such as All risk, Vulnerabilities, and Code.
Encrypt your data-in-use by using Confidential Computing. This feature is now available in Preview. You can enable the Confidential VM service when you create a Vertex AI Workbench instance. To get started, see Create an instance with Confidential Computing.
March 19, 2025
AI ApplicationsVertex AI Search: Generate and return charts in answers and with follow-ups (Public preview)
The answer method can include a chart in an answer, as well as text. The chart is generated from the data in the data store. A chart is generated if there is sufficient data, and the query either asks for a chart or the answer is sufficiently complex that the method itself determines that a chart is helpful.
This feature is in public preview and is only available through the API. For more information, see Generate charts for answers.
Vertex AI Search: Return corpus images in answers and with follow-ups (Public preview)
The answer method can return images in answers, along with text.
If appropriate, one image from the data store can be returned with the answer. Citations can also include images from the data store.
This feature is restricted to queries made to unstructured data stores where the layout parser is in effect and is only available through the API. For more information, see Retrieve existing images from the data store.
Build your own Gen AI Assist is available in preview. BYOA is available in all customer engagement suite regions and offers the following:
- Foundation models
- Gemini access
- New trigger events based on agent and customer messages
Agent Assist offers Vertex extensions for Build your own assist (BYOA) in preview. Enable BYOA to access remote APIs with Vertex LLM extensions.
Performing an in-place major version upgrade of your AlloyDB cluster is generally available (GA). You can upgrade your AlloyDB cluster to any higher supported PostgreSQL version. For information about supported PostgreSQL versions, see Database version policies.
Preview: You can create regionally scoped snapshots. Setting a regional scope ensures that all snapshot data and the metadata necessary to use the snapshot are co-located within the scoped region. Regionally scoped snapshots also support additional location control by letting you restrict allowed snapshot creation and restore locations.
For more information, see Snapshot scopes.
Custom Extractor model pretrained-foundation-model-v1.4-2025-02-05 is in General Availability (GA), and has fine-tuning available in Preview for the US and EU.
From version v1.4 and later, we will use a new quota for online processing called Number of online process document pages per minute per processor_type_and_model_version. This quota will be enforced at a per-page and per-foundation model level. There will be no change to the batch processing quota.
(2025-R11) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- Version 1.32.2-gke.1182001 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.32.2-gke.1182000
- 1.32.2-gke.1400001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182001 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182001 with this release.
Regular channel
- Version 1.32.2-gke.1182001 is now available in the Regular channel.
- Version 1.32.2-gke.1182000 is no longer available in the Regular channel.
Stable channel
- The following versions are now available in the Stable channel:
Extended channel
- The following versions are now available in the Extended channel:
- Version 1.32.2-gke.1182000 is no longer available in the Extended channel.
No channel
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.32.2-gke.1182000
- 1.32.2-gke.1400001
(2025-R11) Version updates
- Version 1.32.2-gke.1182001 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.32.2-gke.1182000
- 1.32.2-gke.1400001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182001 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182001 with this release.
(2025-R11) Version updates
- Version 1.32.2-gke.1182001 is now available in the Regular channel.
- Version 1.32.2-gke.1182000 is no longer available in the Regular channel.
(2025-R11) Version updates
- The following versions are now available in the Stable channel:
(2025-R11) Version updates
- The following versions are now available in the Extended channel:
- Version 1.32.2-gke.1182000 is no longer available in the Extended channel.
(2025-R11) Version updates
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.32.2-gke.1182000
- 1.32.2-gke.1400001
The following parser documentation is now available:
Collect AWS Elastic Load Balancing logs
Collect AWS S3 server access logs
Collect Azure Application Gateway logs
Collect Carbon Black App Control logs
Collect Delinea Secret Server logs
Collect AWS Control Tower logs
Collect AWS Elastic MapReduce logs
Collect AWS Key Management Service logs
Collect AWS Network Firewall logs
Collect AWS Session Manager logs
Collect Zscaler ZPA Audit logs
Collect Azure API Management logs
Collect Azure APP Service logs
Collect Azure Storage Audit logs
Collect CrowdStrike Falcon Stream logs
Collect SentinelOne Deep Visibility logs
Collect Cloud Compute context logs
Collect Cloud Intrusion Detection System (Cloud IDS) logs
Collect Cloud Next Generation Firewall Enterprise logs
Collect Cloud Storage context logs
Collect Cloud Identity and Access Management (IAM) Analysis logs
Collect Cloud Identity Devices logs
Collect Cloud Identity Device Users logs
Collect Cloud Security Command Center Error logs
Collect Cloud Security Command Center Observation logs
Collect Cloud Security Command Center Posture Violation logs
Collect Cloud Security Command Center Toxic Combination logs
Generally available: Migrate to Virtual Machines support for the Arm64 migration journey is now generally available. This feature lets you migrate Arm virtual machine (VM) instances from AWS and Azure cloud services to Arm VM instances on Compute Engine, and it is supported for the following operating systems:
- Debian 11 and 12
- RHEL 9
- Rocky Linux 8 and 9
- SLES 15 SP5
- Ubuntu 20.04 and 22.04
The CZECHIA_PASSPORT infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.
March 18, 2025
AI HypercomputerGenerally available: The A4 accelerator-optimized machine type is now generally available. A4 VMs are powered by NVIDIA B200 GPUs and provide up to 3x performance of previous GPU machine types for most GPU accelerated workloads. A4 is especially recommended for ML training workloads at large scales. A4 is available in the following region and zone:
- Council Bluffs, Iowa:
us-central1-b
When provisioning A4 machine types, you can use Hypercompute Cluster to request capacity and create VMs or clusters. To get started see Overview of creating VMs and clusters.
Software stack updates
The following new Docker images are also released to support workloads running on your A4 GKE clusters that are deployed using Hypercompute Cluster.
- NeMo docker image:
nemo25.02-gib1.0.5-A4 - MaxText docker image:
jax-maxtext-gpu:jax0.5.1-cuda_dl25.02-rev1-maxtext-20150317
For more information, see AI Hypercomputer images.
You can use a query recall evaluator (Preview) to find the recall for a vector query for a given configuration, and to tune your parameters to achieve the desired vector query recall results. For more information, see Measure vector query recall.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
Container Registry is now shut down. We recommend that you use Artifact Registry for storing and managing container images. By default, new deployments created after March 5, 2025, use Artifact Registry instead of Container Registry for storing application build images. For more information, see Migrate App Engine container images to Artifact Registry.
After April 15, 2025 the database retention policy feature will be enabled by default in newly created Cloud Composer 3 environments.
This feature helps to maintain the Airflow database size. You can enable or disable the database retention policy or adjust the retention period for new and existing environments.
The issue with Cloud Composer 2 upgrade operations is now resolved. The upgrade operations are unblocked in all regions.
Container Registry is shut down and writing images to Container Registry is unavailable. For more information about the Container Registry shut down and how to migrate to Artifact Registry, see Container Registry deprecation.
Streamed chat responses are now available in public preview for IntelliJ and VS Code Gemini Code Assist. You can disable this feature in settings.
You can now configure and use custom commands in the inline chat menu and lightbulb menu for VS Code Gemini Code Assist. To view custom commands settings, go to Settings > Gemini Code Assist > Custom Commands.
Fixed an issue with an infinite progress bar while trying to log in to IntelliJ Gemini Code Assist.
VMware Engine is integrated with Google Cloud Essential Contacts for email notifications. Automatic emails are sent to the appropriate Essential Contacts notification categories for service-impacting events. For more information, see Overview of VMware Engine monitoring.
Google Distributed Cloud (software only) for VMware 1.31.300-gke.81 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.31.300-gke.81 runs on Kubernetes v1.30.9-gke.500.
If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The 1.31.300-gke.81 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
Release 1.31.300-gke.81
Google Distributed Cloud for bare metal 1.31.300-gke.81 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.31.300-gke.81 runs on Kubernetes v1.31.5-gke.700.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The 1.31.300-gke.81 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
On GKE clusters running versions 1.32.2-gke.1182000 to 1.32.2-gke.1297000, Pods using Cloud Storage FUSE CSI driver volumes (persistent or CSI ephemeral) fail to schedule when both of the following are true:
- The Pods run on the host network (
hostNetwork: true) - You use a custom sidecar image built with a Cloud Storage FUSE CSI driver version earlier than v1.12.2.
The fix is available on GKE cluster version 1.32.2-gke.1297001 or later.
Statistics and aggregations in UDM search using YARA-L 2.0
You can now run statistical queries on UDM events and group the results for analysis using YARA-L 2.0. You can use the statistical queries to track critical metrics, detect anomalous behavior, and analyze trends over time. For more information on how to run statistical queries on UDM events, see Statistics and aggregations in UDM search using YARA-L 2.0.
Statistics and aggregations in UDM search using YARA-L 2.0
You can now run statistical queries on UDM events and group the results for analysis using YARA-L 2.0. You can use the statistical queries to track critical metrics, detect anomalous behavior, and analyze trends over time. For more information on how to run statistical queries on UDM events, see Statistics and aggregations in UDM search using YARA-L 2.0.
Custom organization policies are now generally available for Cloud Service Mesh. For more information, see Set up custom constraints.
Cloud Infrastructure Entitlement Management (CIEM) has launched support for the following:
- Log ingestion from Amazon SQS queues.
- An alternate
CIEM onlyfeed to reduce costs.
For more information, see Configure AWS log ingestion for CIEM.
This feature is available in General Availability to the Security Command Center Enterprise tier.
The default time zone of your Spanner databases can now be set. For more information, see Set the default time zone of a database. This feature is generally available (GA).
March 17, 2025
AlloyDB for PostgreSQLOutbound connectivity for Private Service Connect-enabled AlloyDB clusters is generally available (GA). Enabling outbound connectivity allows secure connection between your project and an AlloyDB instance during outbound operations such as migrations or foreign data wrappers (FDW).
On March 17, 2025, Apigee announced the GA support for DNS peering for Apigee organizations that have VPC peering disabled.
For Apigee organizations set up without VPC peering, you can now configure Apigee to resolve your private domains by peering your DNS zones with Apigee. See Connecting with private DNS peering zones.
You can now use EXPORT DATA statements to reverse ETL BigQuery data to Spanner. This feature is generally available (GA).
You can now create an external dataset in BigQuery that links to an existing database in Spanner. This feature is generally available (GA).
You can now use the TYPEOF function to determine the data type of an expression. This feature is generally available (GA).
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-bigtable
2.55.0 (2025-03-11)
Features
- Add MaterializedViewName to ReadRows and SampleRowKeys (1763c6e)
- Add MaterializedViews and LogicalViews APIs (1763c6e)
- Add MaterializedViews and LogicalViews APIs (7340527)
- Add PrepareQuery api and update ExecuteQuery to support it (1763c6e)
- bigtable: Add support for data APIs for materialized views (#2508) (6310a63)
- large-row-skip: Added large-row-skip-callable with configurable rowadapter (#2509) (ba193ef)
- Next release from main branch is 2.55.0 (#2506) (4e45837)
- Publish row_key_schema fields in table proto and relevant admin APIs to setup a table with a row_key_schema (7340527)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (91e4369)
Documentation
- Fixed formatting of resource path strings (7340527)
Cloud Data Fusion version 6.11.0 is available in Preview.
You can view instance metrics and pipeline metrics in Cloud Monitoring and in the dashboard provided by Cloud Data Fusion. For more information, see Metrics overview and Monitor Cloud Data Fusion system, instance, and pipeline health.
You can view instance logs and pipeline logs in Cloud Logging, and in the dashboard provided by Cloud Data Fusion. For more information, see View Cloud Data Fusion logs.
When a pipeline run fails, you can retrieve detailed error information on the pipeline details page of the Cloud Data Fusion web interface.
Cloud Data Fusion classifies pipeline errors by category, reason, and message. This classification speeds up resolution and reduces the need to examine complex logs. For more information, see Retrieve error information for a failed pipeline run.
Cloud Data Fusion 6.11.0 offers high availability with reduced upgrade downtime.
Changes in Cloud Data Fusion 6.11.0:
To create ephemeral clusters, Cloud Data Fusion uses the Dataproc 2.2 image by default. For more information about its limitations in Cloud Data Fusion, see Change the Dataproc image to version 2.1.
The maximum concurrent runs limit for triggers is displayed in the console (CDAP-21072).
Added support for destination table write preference in the BigQuery Execute plugin (PLUGIN-1438).
Fixed in Cloud Data Fusion 6.11.0:
Fixed a null pointer exception in the BigQuery multi-sink plugin when used without a reference name (PLUGIN-1843).
Fixed Joiner plugin failures observed on Dataproc 2.2-debian12 instances (CDAP-21075).
Fixed an issue that prevented pipelines from accepting empty input in Amazon S3 and Google Cloud Storage source plugins (PLUGIN-1742).
Fixed an issue in RBAC-enabled instances where the pipeline details page displayed an incorrect author name (CDAP-21069).
A soft limit of 2 MB for pipeline JSON size is introduced in 6.11.0. Pipelines exceeding this size might encounter deployment failures.
The following APIs for searching and querying metrics are deprecated in 6.11.0:
POST v3/metrics/queryPOST v3/metrics/search
The following APIs for downloading system service and pipeline run logs are deprecated in 6.11.0:
GET /v3/namespaces/<NAMESPACE_ID>/apps/<APP_ID>/<PROGRAM_TYPE>/<PROGRAM_ID>/logsGET /v3/system/services/<SERVICE_ID>/logs
The ability to retrieve all applications without pagination using the GET /v3/namespaces/<NAMESPACE_ID>/apps endpoint is deprecated in 6.11.0.
Google Cloud periodically renews Google-managed certificates by requesting them from certificate authorities (CAs). Certificate authorities verify domain control by checking DNS settings of the domain and in case of load balancer authorization attempting to contact the server behind the domain's IP address. The CAs that Google Cloud works with have introduced a verification method called Multi-Perspective Issuance Corroboration, that is becoming mandatory for all public CAs and that consists in performing the verification from multiple locations in the world. As a result, if DNS settings do not correctly and consistently resolve from all locations, the validation fails and Google-managed certificates will fail to renew.
To learn more about preventing multi-perspective domain validation failures for misconfigured DNS records, see Multi-perspective domain validation.
You can now enable and disable uptime-checks by using the disabled field in the Cloud Monitoring API.
Cloud SQL for SQL Server supports transparent data encryption (TDE) to encrypt data stored in your Cloud SQL for SQL Server instances.
TDE automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.
TDE provides another layer of encryption in addition to Google's default offering of encryption for data at rest and Google's optional offering of customer-managed encryption keys (CMEK). TDE helps you meet regulatory compliance requirements and supports import or export operations of TDE encrypted backups. For more information, see About transparent data encryption.
A weekly digest of client library updates from across the Cloud SDK.
Go
Changes for storage/internal/apiv2
1.51.0 (2025-03-12)
Features
- storage/append: Support appends in w1r3. (#11483) (48bb391)
- storage: Benchmark with experimental MRD. (#11501) (7b49152)
- storage: Implement RetryChunkDeadline for grpc writes (#11476) (03575d7)
- storage: Specify benchmark integrity check. (#11465) (da18845)
- storage: Use ReadHandle for faster re-connect (#11510) (cac52f7)
- storage: Wrap NotFound errors for buckets and objects (#11519) (0dd7d3d)
Bug Fixes
- storage/append: Report progress for appends. (#11503) (96dbb6c)
- storage: Add a safety check for readhandle (#11549) (c9edb37)
- storage: Add universe domain to defaultSignBytesFunc (#11521) (511608b)
- storage: Clone the defaultRetry to avoid modifying it directly (#11533) (7f8d69d)
- storage: Fix adding multiple range on stream with same read id (#11584) (0bb3434)
- storage: Modify the callback of mrd to return length of data read instead of limit. (#11687) (9e359f0)
- storage: Propagate ctx from invoke to grpc upload reqs (#11475) (9ad9d76)
- storage: Remove duplicate routing header (#11534) (8eeb59c)
- storage: Return sentinel ErrObjectNotExist for copy and compose (#11369) (74d0c10), refs #10760
- storage: Wait for XML read req to finish to avoid data races (#11527) (782e12a)
Java
Changes for google-cloud-storage
2.50.0 (2025-03-14)
Features
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (22e7e3d)
- deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (81c8c61)
- Improve 503 handling for json resumable uploads (#2987) (9bc2b14)
- Update usages of String.format to explicitly pass Locale.US (#2974) (8bcb2de), closes #2972
Dependencies
Cloud Storage now offers the DE configurable dual-region code, which can be used when creating a dual-region bucket in europe-west3 (Frankfurt) and europe-west10 (Berlin). To learn more about Cloud Storage configurable dual-regions, see Configurable dual-regions
Generally available: The A4 accelerator-optimized machine type is now generally available. A4 instances are powered by NVIDIA B200 GPUs and provide up to 3x performance of previous GPU instance types for most GPU accelerated workloads. A4 is especially recommended for ML training workloads at large scales. A4 is available in the a4-highgpu-8g machine type in the us-central1-b zone.
To create A4 instances, you must either use AI Hypercomputer to request capacity and create VMs or clusters, or use Spot VMs. For detailed instructions, see Create an A3 Ultra or A4 VM.
cos-dev-121-18867-0-53
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v27.5.1 | v2.0.2 | See List |
Upgraded app-containers/docker to v27.5.1, Upgraded app-containers/docker-test to v27.5.1, Upgraded app-containers/docker-cli to v27.5.1.
Added support for iRDMA devices.
Applied Intel patches to add iRDMA support in the Linux kernel.
Updated cos-gpu-installer to v2.4.8: Add the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during gpu driver installation.
Disabled martian logging for ConnectX-7 network cards. These cards only communicate locally, but martian logging during communications with the host can lead to a race condition which causes GID table construction to sometimes fail.
Upgraded net-misc/socat to v1.8.0.3.
Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.
Upgraded dev-go/oauth2 to v0.27.0. This fixes CVE-2025-22868.
Upgraded net-misc/openssh to version 9.9_p2. This fixed CVE-2025-26465 and CVE-2025-26466.
Upgrade sys-libs/binutils-libs to 2.44-r1. This fixes CVE-2024-53589.
Upgraded net-misc/wget to version 1.25.0. This fixes CVE-2024-10524.
Upgraded dev-libs/libxml2 to version 1.12.10. This fixes CVE-2025-27113.
Fixed CVE-2024-58017 in the Linux kernel.
Fixed CVE-2025-21745 in the Linux kernel.
Fixed CVE-2025-21814 in the Linux kernel.
Fixed CVE-2024-50017 in the Linux kernel.
Fixed CVE-2024-50146 in the Linux kernel.
Fixed CVE-2024-50304 in the Linux kernel.
Fixed KCTF-8802766 in the Linux kernel.
Fixed KCTF-fcdd224 in the Linux kernel.
Fixed CVE-2024-56549 in the Linux kernel.
Fixed KCTF-638ba50 in the Linux kernel.
Fixed CVE-2024-50014 in the Linux kernel.
Fixed CVE-2024-49994 in the Linux kernel.
Fixed CVE-2025-21690 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811788 -> 811701
- Deleted: net.bridge.bridge-nf-call-arptables: 1
- Deleted: net.bridge.bridge-nf-call-ip6tables: 1
- Deleted: net.bridge.bridge-nf-call-iptables: 1
- Deleted: net.bridge.bridge-nf-filter-pppoe-tagged: 0
- Deleted: net.bridge.bridge-nf-filter-vlan-tagged: 0
- Deleted: net.bridge.bridge-nf-pass-vlan-input-dev: 0
cos-beta-121-18867-0-53
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v27.5.1 | v2.0.2 | See List |
Upgraded app-containers/docker to v27.5.1, Upgraded app-containers/docker-test to v27.5.1, Upgraded app-containers/docker-cli to v27.5.1.
Added support for iRDMA devices.
Applied Intel patches to add iRDMA support in the Linux kernel.
Updated cos-gpu-installer to v2.4.8: Add the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during gpu driver installation.
Disabled martian logging for ConnectX-7 network cards. These cards only communicate locally, but martian logging during communications with the host can lead to a race condition which causes GID table construction to sometimes fail.
Upgraded net-misc/socat to v1.8.0.3.
Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.
Upgraded dev-go/oauth2 to v0.27.0. This fixes CVE-2025-22868.
Upgraded net-misc/openssh to version 9.9_p2. This fixed CVE-2025-26465 and CVE-2025-26466.
Upgraded sys-libs/binutils-libs to 2.44-r1. This fixes CVE-2024-53589.
Upgraded net-misc/wget to version 1.25.0. This fixes CVE-2024-10524.
Upgraded dev-libs/libxml2 to version 1.12.10. This fixes CVE-2025-27113.
Fixed CVE-2024-58017 in the Linux kernel.
Fixed CVE-2025-21745 in the Linux kernel.
Fixed CVE-2025-21814 in the Linux kernel.
Fixed CVE-2024-50017 in the Linux kernel.
Fixed CVE-2024-50146 in the Linux kernel.
Fixed CVE-2024-50304 in the Linux kernel.
Fixed KCTF-8802766 in the Linux kernel.
Fixed KCTF-fcdd224 in the Linux kernel.
Fixed CVE-2024-56549 in the Linux kernel.
Fixed KCTF-638ba50 in the Linux kernel.
Fixed CVE-2024-50014 in the Linux kernel.
Fixed CVE-2024-49994 in the Linux kernel.
Fixed CVE-2025-21690 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811788 -> 811701
- Deleted: net.bridge.bridge-nf-call-arptables: 1
- Deleted: net.bridge.bridge-nf-call-ip6tables: 1
- Deleted: net.bridge.bridge-nf-call-iptables: 1
- Deleted: net.bridge.bridge-nf-filter-pppoe-tagged: 0
- Deleted: net.bridge.bridge-nf-filter-vlan-tagged: 0
- Deleted: net.bridge.bridge-nf-pass-vlan-input-dev: 0
cos-117-18613-164-81
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |
Added support for NVIDIA 570.124.06 GPU driver. Updated the R570, LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.
Added support for iRDMA devices.
Upgraded net-misc/socat to v1.8.0.3.
Fixed CVE-2023-45288 in app-containers/docker.
Fixed CVE-2025-21857 in the Linux kernel.
Fixed CVE-2024-58088 in the Linux kernel.
Fixed CVE-2025-21844 in the Linux kernel.
Fixed CVE-2025-21779 in the Linux kernel.
Fixed CVE-2025-21854 in the Linux kernel.
Fixed CVE-2025-21846 in the Linux kernel.
Fixed CVE-2025-21864 in the Linux kernel.
Fixed CVE-2025-21858 in the Linux kernel.
Fixed CVE-2025-21791 in the Linux kernel.
Fixed CVE-2025-21863 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2025-21745 in the Linux kernel.
Fixed CVE-2024-58017 in the Linux kernel.
Fixed CVE-2025-21814 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811757 -> 811752
cos-113-18244-291-73
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |
Added support for NVIDIA 570.124.06 GPU driver. Updated the R570, LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_B200 and NVIDIA_H200 GPU devices.
Fixed CVE-2023-45288 in app-containers/docker.
Fixed CVE-2025-21785 in the Linux kernel.
Fixed CVE-2025-21844 in the Linux kernel.
Fixed CVE-2025-21779 in the Linux kernel.
Fixed CVE-2025-21846 in the Linux kernel.
Fixed CVE-2025-21864 in the Linux kernel.
Fixed CVE-2025-21858 in the Linux kernel.
Fixed CVE-2025-21791 in the Linux kernel.
Fixed CVE-2024-26982 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-57996 in the Linux kernel.
Fixed CVE-2024-58017 in the Linux kernel.
Fixed CVE-2025-21745 in the Linux kernel.
Fixed CVE-2025-21814 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812049 -> 812031
cos-105-17412-535-78
| Kernel | Docker | Containerd | GPU Drivers |
| COS-5.15.173 | v23.0.3 | v1.7.23 | See List |
Updated the default tag of the GPU driver supporting the NVIDIA H200 GPU device to 570.86.15.
Upgraded gzip to v1.13.
Added support for NVIDIA 570.124.06 GPU driver. Updated the R570, LATEST GPU driver label to version 570.124.06 for all GPU devices. Updated the DEFAULT GPU driver label to version 570.124.06 for NVIDIA_H200 GPU devices.
Updated cos-gpu-installer to v2.4.8: Add the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during gpu driver installation.
Fixed console TTY leak in runc shim in containerd.
Fixed CVE-2023-45288 in app-containers/docker.
Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.
Fixed CVE-2025-26465 and CVE-2025-26466 in net-misc/openssh.
Fixed CVE-2024-53589 in sys-libs/libutils-libs.
Upgraded net-misc/wget to version 1.25.0. This fixes CVE-2024-10524.
Upgraded dev-libs/libxml2 to version 1.12.10. This fixes CVE-2024-56171, CVE-2025-27113 and CVE-2025-24928.
Fixed CVE-2024-26982 in the Linux kernel.
Fixed CVE-2024-57946 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812677 -> 812699
cos-109-17800-436-64
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |
Fixed CVE-2025-21814 in the Linux kernel.
Fixed CVE-2024-58017 in the Linux kernel.
Fixed CVE-2025-21745 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812157 -> 812258
Data Catalog is available in the europe-north2 (Stockholm) region.
A weekly digest of client library updates from across the Cloud SDK.
Go
Changes for dataflow/apiv1beta3
0.10.5 (2025-03-13)
Bug Fixes
- dataflow: Update golang.org/x/net to 0.37.0 (1144978)
Dataplex and data lineage are available in the europe-north2 (Stockholm) region.
New Dataproc on Compute Engine subminor image versions:
- 2.0.136-debian10, 2.0.136-rocky8, 2.0.136-ubuntu18
- 2.1.84-debian11, 2.1.84-rocky8, 2.1.84-ubuntu20, 2.1.84-ubuntu20-arm
- 2.2.50-debian12, 2.2.50-rocky9, 2.2.50-ubuntu22
Dataproc on Compute Engine: Spark upgraded to version 3.5.3 in the latest Dataproc image version 2.2.
Dataproc on Compute Engine: The latest Dataproc 2.2 image version now supports Spark data lineage.
Dataproc on Compute Engine: Added support for Enhanced Flexibility Mode (EFM) with primary worker shuffle mode on Spark for image version 2.2.50 and above.
Eventarc Standard is available in the europe-north2 (Stockholm, Sweden) region.
Mistral Small 3.1 (25.03) feature multimodal capabilities and a context of up to 128,000 tokens. For more information, see the Mistral Small 3.1 (25.03) model card in Model Garden.
The following features have been added to Studio in Looker, which is available in preview:
- If Studio in Looker is disabled and then re-enabled, reports that had been saved within the previous 30 days will still be available. Recovered reports may appear in the Recovered reports folder after an admin re-enables Studio in Looker.
- The Looker Search function will include reports.
- The Looker Trash folder will now contain deleted reports, and Looker admins can restore previously deleted reports.
- The ability to set an instance or a group locale for Studio in Looker.
- Looker admins can manage the data source connectors that are available in Studio in Looker.
Note: This item was updated on March 19, 2025.
Looker connector enhancements
More Looker permissions have been propagated to Looker Studio and can now be granted to Looker Studio Pro users to perform the following the tasks on Looker Studio reports that are built with the Looker connector:
- Scheduling report deliveries
- Create alerts
- Download and export chart and report data
A weekly digest of client library updates from across the Cloud SDK.
Go
Changes for pubsub/apiv1
1.48.0 (2025-03-12)
Features
- pubsub/pstest: Support listening on custom address (#11606) (63865a2)
- pubsub: Add support for message transforms to Topic and Subscription (59fe58a)
- pubsub: Deprecate
enabledfield for message transforms and adddisabledfield (dd0d1d7)
Documentation
Java
Changes for google-cloud-pubsub
1.138.0 (2025-03-14)
Features
- Deprecate
enabledfield for message transforms and adddisabledfield (76b2a3d) - Next release from main branch is 1.138.0 (#2361) (b6ba56c)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.55.1 (76b2a3d)
- Prevent excessive string parsing when publishing and receiving messages to improve performance (#2317) (07b1350)
Dependencies
- Update dependency com.google.cloud:google-cloud-bigquery to v2.48.1 (#2356) (7d3d2e4)
- Update dependency com.google.cloud:google-cloud-storage to v2.49.0 (#2358) (81d3435)
- Update dependency com.google.cloud:sdk-platform-java-config to v3.45.1 (#2366) (15899d1)
- Update googleapis/sdk-platform-java action to v2.55.1 (#2367) (de6f84a)
You can enforce mandatory tags on resources using custom organization policies. When a user attempts to create a resource, the system checks for the presence of the mandatory tags. If any mandatory tag is missing or does not have a value, the resource creation is blocked. By defining mandatory tags within an organization policy, you can ensure that all newly created resources adhere to your organization's tagging standards. This feature is available in Preview.
For more information, see Enforcing mandatory tags on resources.
A weekly digest of client library updates from across the Cloud SDK.
Go
Changes for secretmanager/apiv1
1.14.6 (2025-03-13)
Bug Fixes
- secretmanager: Update golang.org/x/net to 0.37.0 (1144978)
You can now create an external dataset in BigQuery that links to an existing database in Spanner. This feature is generally available (GA).
You can now use EXPORT DATA statements to reverse ETL BigQuery data to Spanner. This feature is generally available (GA).
Chirp 3: HD voices are only available in the global, us, eu, and asia-southeast1 regions. To use these voices, switch your endpoint to a supported region.
Generally available: Workload Manager supports deploying Microsoft SQL Server workloads on Google Cloud. You can configure and deploy a SQL Server system using the Guided Deployment Automation tool in Workload Manager. For more information, see Overview of SQL Server deployment.
Workload Manager supports the following features when you deploy SAP S/4HANA workloads on Google Cloud:
- Deploy SAP S/4HANA workloads on X4 instances.
- Customize the names of application server VMs.
- Specify network tags for the deployed instances.
- Skip the creation of automatic firewall rules.
- Skip the DNS configuration.
- Choose an existing NFS shared storage.
- Specify a service account to be attached to instances for each layer of the deployment.
For more information, see Deploy an SAP S/4HANA application
March 16, 2025
Google SecOpsRemote agent high availability
This feature is currently in preview.
Remote agents can now leverage high availability deployment, ensuring increased reliability for remote connectors, actions, and jobs.
This feature also introduces a new cloud-based remote connector scheduler for improved performance and scalability.
For more information, see Deploy high availability in remote agents.
Remote agent downtime notifications
Customers using remote agents can now opt in to receive in-app or email notifications when the agent is down.
Pause or resume Case SLA
Users can now pause and resume service level agreement (SLA) timers on cases.
For more information, see Pause and resume a case SLA.
Release 6.3.38 is now in General Availability.
Theme enhancement for SOAR platform
The header and left hand navigation menu now fully reflect the selected theme. If you select the light theme, both the header and side menu will also appear in light mode. This might impact customers who are using the rebranding feature. We recommend taking a look at your logo in the light mode before we roll out and making any necessary changes.
This change will be rolled out to the first regional wave on March 23, 2025.
March 15, 2025
Cloud ComposerThe Custom constraints with Organization Policy feature is now generally available (GA).
This feature provides more granular control over Cloud Composer environment configuration fields. You can use custom organization policies to allow or deny specific configuration values for Cloud Composer environments.
Release 6.3.39 is being rolled out to the first wave of regions as listed here. This release includes the following features.
Remote agent high availability
This feature is currently in preview.
Remote agents can now leverage high availability deployment, ensuring increased reliability for remote connectors, actions, and jobs.
This feature also introduces a new cloud-based remote connector scheduler for improved performance and scalability.
For more information, see Deploy high availability in remote agents.
Remote agent downtime notifications
Customers using remote agents can now opt in to receive in-app or email notifications when the agent is down.
Pause or resume Case SLA
Users can now pause and resume service level agreement (SLA) timers on cases.
For more information, see Pause and resume a case SLA.
March 14, 2025
Access ApprovalAccess Approval supports Access Transparency in the GA stage.
Access Transparency supports Access Transparency in the GA stage.
Agent Assist offers a new version of summarization with custom sections in preview. Summarization with custom sections V4.0 uses gemini-2.0-flash and supports concise summary for situation and action.
On March 14, 2025, we released an updated version of the Apigee UI.
| Bug ID | Description |
|---|---|
| 401574741 | Fixed issue with loading API resource and path configurations when opening the Product detail pages of legacy API products. API resources and paths are now properly populated and applied when viewing the Product detail pages for legacy API products in the Apigee UI. |
App Hub supports resources from the following sources in Preview:
- AlloyDB for PostgreSQL
- Cloud Data Fusion
- Cloud Deploy
- Cloud Logging
- Cloud Run jobs
- Firestore
- Google Kubernetes Engine (GKE) workloads
- GKE single cluster Gateway
- Managed Service for Microsoft Active Directory
- Secret Manager
- Vertex AI
Artifact Registry remote repositories and virtual repositories for Go are now Generally Available. To learn more about Go format repositories, read Work with Go modules.
Security Command Center ingests Artifact Analysis scanning findings from images scanned in Artifact Registry and deployed to supported runtimes.
In Security Command Center, you can view container image vulnerabilities within your running workloads across all projects alongside your other security risks in. You can also export these findings to BigQuery for in-depth analysis and long-term storage. This feature is in Preview. For more information, see vulnerability assessment.
Generally available: The Create an instance page in the Google Cloud console has a Data protection pane where you can specify how to back up and replicate your data. For more information, see Configuration options during instance creation and Data protection options.
An issue resulting in unusually high emissions data for the service Identity Platform has been resolved. This affected some customers in their January 2025 data and was caused by an incorrect internal resource mapping for Identity Platform.
To correct your January emissions data, schedule a manual data backfill for the month. Note that there is a half-month lag of our data release. For example, to backfill January 2025 data, run the backfill for February 15, 2025, which will update the data for January 2025 in your BigQuery table.
Updated carbon model to version 13 to reflect the above-mentioned fixes.
March 18, 2025 update: The issue is resolved.
Some upgrade operations for Cloud Composer 2 might lead to unhealthy environments. That is why upgrades for Cloud Composer 2 versions will be blocked until the issue is fully resolved.
Database Migration Service now supports MySQL minor version 8.0.41 for homogeneous MySQL migrations. For more information, see Supported source and destination databases in Cloud SQL for MySQL migrations.
Generally available: The Create an instance page in the Google Cloud console has a Data protection pane where you can specify how to back up and replicate your data. For more information, see Configuration options during instance creation and Data protection options.
Generally available: Memory-optimized M4 VMs are now generally available. M4 3T VMs run on Intel's 5th generation Emerald Rapids CPU. They offer up to 224 vCPUs with up to 3 TB of memory.
M4 is available in five predefined machine types. The megamem VMs have a GB/vCPU ratio of 13.29:1 and the ultramem VMs have a GB/vCPU ratio of 25.57:1.
New Dataproc Serverless for Spark runtime versions:
- 1.1.95
- 1.2.39
- 2.2.39
Dialogflow CX (Conversational Agents): Customer-managed encryption keys (CMEK) is now a GA feature.
Judge model evaluation and customization tools are now available in Preview for the Gen AI evaluation service in Vertex AI.
JobSet metrics are automatically available on new GKE Standard and Autopilot clusters starting from version 1.32.1-gke.1357001 or later. For existing clusters, you can upgrade your clusters and manually enable the JobSet metrics package. For more details on the list of JobSet metrics, see JobSet metrics.
Custom organization policies are now generally available for Cloud Composer. For more information, see Create custom organization policy constraints.
New SAP certifications: M4 series of memory-optimized machine types
For use with SAP HANA scale-up (OLAP and OLTP) and SAP NetWeaver workloads, SAP has certified the Compute Engine memory-optimized M4 series machine types with the Intel Emerald Rapids CPU platform.
For more information, see:
- For SAP HANA, M4 memory-optimized VM types
- For SAP NetWeaver, M4 memory-optimized VM types
The Execution: Malicious Python Executed detector in Container Threat Detection released to General Availability.
The following Event Threat Detection rules for Google Kubernetes Engine have been released to General Availability:
GKE_NODEPORT_SERVICE_CREATEDGKE_SENSITIVE_NAMESPACE_WORKLOAD_TRIGGEREDGKE_STATIC_POD_CREATEDGKE_TOR_PROXY_IP_REQUESTGKE_WEBHOOK_CONFIG_CREATEDYL2_GKE_ANONYMOUS_USERS_GRANTED_ACCESSYL2_GKE_APPROVE_CSR_FORBIDDENYL2_GKE_CRB_CLUSTERROLE_AGGREGATION_CONTROLLERYL2_GKE_MANUALLY_DELETED_CSRYL2_GKE_POD_MASQUERADINGYL2_GKE_REVERSE_SHELL_PODYL2_GKE_SERVICE_ACCOUNT_CREATION_SENSITIVE_NAMESPACEYL2_GKE_SUSPICIOUS_CRYPTOMINING_POD
March 13, 2025
BigQueryDataform now supports the CMEK organization policy.
You can now use Gemini Cloud Assist chat to generate SQL queries and Python code. This feature is in preview.
The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.
- Storage Transfer Service
storagetransfer.googleapis.com/TransferJob
Improved consistency in resource-based committed use discount (CUD) string names across experiences.
We have improved consistency by standardizing CUD string names across the various experiences. This update helps provide a seamless experience in resource-based CUD purchase flows, recommendations, analysis, and the FinOps hub.
App Hub application labels are now attached to your log entries. The Log Fields pane of the Logs Explorer now includes facets for application, service, and workload labels. For more information, see Log Fields pane.
Documentation for Slack notification channels now supports Markdown. For more information, see Annotate notifications with user-defined documentation.
You can now see changes made to a dashboard by viewing the version history. For more information, see View dashboard version history.
Anywhere Cache for Cloud Storage is now generally available (GA). Anywhere Cache enables you to create SSD-backed caches in the same zones as your workloads, helping you get access to your data faster and avoid multi-region data transfer fees. To learn more about Anywhere Cache, see Overview of Anywhere Cache.
Dataflow now supports data lineage. Data lineage lets you track how data moves through your systems. This feature is generally available (GA). For more information, see Use data lineage in Dataflow.
Data lineage for Dataflow is generally available (GA). For more information, see Use data lineage in Dataflow.
Context caching for Gemini on Vertex AI is generally available (GA).
To improve data quality, we've updated the data source for the domain field in the detailed disbursement and insights reports.
Google Distributed Cloud (software only) for VMware 1.30.700-gke.56 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.30.700-gke.56 runs on Kubernetes v1.30.9-gke.500.
If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The 1.30.700-gke.56 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
Release 1.30.700-gke.56
Google Distributed Cloud for bare metal 1.30.700-gke.56 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.700-gke.56 runs on Kubernetes v1.30.9-gke.100.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issue is fixed in 1.30.700-gke.56:
- Fixed an issue where node upgrades failed due to missing
super-admin.conffile.
The 1.30.700-gke.56 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
Looker Gemini permission now enforced
The gemini_in_looker Looker permission, available only in the Looker Gemini role, is now being enforced in Looker. This permission is required to use Conversational Analytics.
Improved event logging for Looker-based reports
When data is downloaded or exported from a Looker Studio report that uses at least one Looker data source, the connector type for all charts in the report will be included in the Looker Studio audit log.
Learn more about Looker Studio log events (opens in the Google Workspace Help Center).
Security Command Center has released the Artifact Registry vulnerability assessment detection service, which includes the CONTAINER_IMAGE_VULNERABILITY detector. This detector generates vulnerability findings for container images that are stored and scanned in Artifact Registry. The detector generates findings for vulnerable container images deployed to the following assets:
- Google Kubernetes Engine cluster
- Cloud Run revision
- Cloud Run job
- App Engine
This feature is available in Preview to all Security Command Center tiers.
March 12, 2025
AlloyDB for PostgreSQLYou can automatically create CMEKs using Cloud KMS Autokey to protect your AlloyDB resources. This feature is generally available (GA).
On March 12, 2025, we released an updated version of the Apigee UI.
With this release, the Filter display name for the proxy field in the Custom reports page of the Apigee UI in Cloud console is changed to Proxy Endpoint.
This change should help users differentiate between Proxy and Proxy Endpoint values when configuring filters for custom reports using Apigee API Analytics.
For more information, see Creating and managing custom reports.
On March 12, 2025, we released an updated version of Apigee (1-15-0-apigee-1).
| Bug ID | Description |
|---|---|
| 396944778 | Security fix for Apigee infrastructure. This addresses the following vulnerabilities: |
The Nimbus JOSE + JWT library may cause a java.lang.ClassCircularityError when using a JavaCallout policy.
For more information, see Apigee known issues.
| Bug ID | Description |
|---|---|
| N/A | Updates to security infrastructure and libraries. |
v1.13.3 , v1.14.1, v1.12.4
The Nimbus JOSE + JWT library may cause a java.lang.ClassCircularityError when using a JavaCallout policy.
For more information, see Apigee known issues.
You can configure reusable, default Cloud resource connections in a project. Default connections are available in Preview.
An updated version of ODBC driver for BigQuery is now available.
The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.
- GKE On-Prem API
gkeonprem.googleapis.com/BareMetalClustergkeonprem.googleapis.com/BareMetalNodePoolgkeonprem.googleapis.com/VmwareClustergkeonprem.googleapis.com/VmwareNodePool
You can now use the Observability API to set the default log scope. This feature is in Public Preview. For more information, see the following documents:
The rollout of managed Cloud Service Mesh version 1.20 to the rapid channel has completed.
cos-117-18613-164-68
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |
Applied Intel patches to add iRDMA support in the Linux kernel.
Updated cos-gpu-installer to v2.4.8: Add the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during gpu driver installation.
Disabled martian logging for ConnectX-7 network cards. These cards only communicate locally, but martian logging during communications with the host can lead to a race condition which causes GID table construction to sometimes fail.
Fixed console TTY leak in runc shim in containerd.
Upgraded sys-apps/which to v2.23.
Upgraded sys-apps/diffutils to v3.11-r1.
Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.
Updated dev-go/oauth2 to v0.27.0. This fixes CVE-2025-22868.
Fixed CVE-2025-26465 and CVE-2025-26466 in net-misc/openssh.
Fixed CVE-2024-53589 in sys-libs/libutils-libs.
Upgraded net-misc/wget to v1.25.0. This fixes CVE-2024-10524.
Upgraded dev-libs/libxml2 to v1.12.10. This fixes CVE-2025-27113.
Fixed KCTF-8802766 in the Linux kernel.
Fixed CVE-2024-50017 in the Linux kernel.
Fixed KCTF-fcdd224 in the Linux kernel.
Fixed CVE-2024-50146 in the Linux kernel.
Fixed KCTF-638ba50 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811762 -> 811757
cos-109-17800-436-60
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |
Updated gzip to v1.13.
Updated google.golang.org/grpc to v1.56.3 and upgrade golang.org/x/net to v0.23.0 in docker and cri-tools. This fixes CVE-2023-44487 and CVE-2023-45288.
Fixed console TTY leak in runc shim in containerd.
Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.
Fixed CVE-2025-26465 and CVE-2025-26466 in net-misc/openssh.
Fixed CVE-2024-53589 in sys-libs/libutils-libs.
Upgraded net-misc/wget to v1.25.0. This fixes CVE-2024-10524.
Upgraded dev-libs/libxml2 to v1.12.10. This fixes CVE-2024-56171, CVE-2025-27113 and CVE-2025-24928.
Fixed KCTF-638ba50 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812266 -> 812157
cos-113-18244-291-63
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |
Fixed console TTY leak in runc shim in containerd.
Upgraded dev-go/crypto to v0.35.0. This fixes CVE-2025-22869.
Fixed CVE-2025-26465 and CVE-2025-26466 in net-misc/openssh.
Fixed CVE-2024-53589 in sys-libs/libutils-libs.
Upgraded net-misc/wget to v1.25.0. This fixes CVE-2024-10524.
Upgraded dev-libs/libxml2 to v1.12.10. This fixes CVE-2025-27113.
Runtime sysctl changes:
- Changed: fs.file-max: 812054 -> 812049
M128 release
- Except for TensorFlow container images, new container images don't include conda. This change was made to improve size, performance, and vulnerability management. The existing container image names now point to container images that don't include conda (for example:
gcr.io/deeplearning-platform-release/base-cpu.py310). - Container images that include conda will be available until at least September 30, 2025. These container images now have
-condaappended to the name (for example:gcr.io/deeplearning-platform-release/base-cpu-conda.py310). - All TensorFlow container images still include conda, but M128 container image names have
-condaappended. Specifying container images without-condaappended references older container images, which also include conda.
M128 release
- Except for TensorFlow images, new images don't include conda. This change was made to improve size, performance, and vulnerability management. The existing image names and image family names now point to images and image families that don't include conda (for example: the image name
common-cpu-v20250310-debian-11-py310and corresponding image family namecommon-cpu-debian-11-py310). - Images that include conda will be available until at least September 30, 2025. These images now have
-condaappended to the name (for example: the image namecommon-cpu-v20250310-debian-11-py310-condaand corresponding image family namecommon-cpu-debian-11-py310-conda). - All TensorFlow images and image families still include conda, but M128 image names and image family names have
-condaappended. Specifying images or image families without-condaappended references older images, which also include conda.
Gemini Code Assist now supports data residency at rest. Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Gemini Code Assist data is stored.
You can now use code customization for Gemini Code Assist Enterprise with VPC Service Controls. This allows secure access to on-premises source control systems. For more information, see Configure VPC Service Controls for Gemini.
- Gemma 3 and ShieldGemma 2 are now available in Model Garden.
- CogVideoX-2b is now available in Model Garden.
Model Garden fine tuning updates:
- Added a workbench-based notebook for Llama 3.1 finetuning.
- Updated Llama 3.1 and Gemma 2 UI fine-tuning with the updated PEFT docker.
(2025-R10) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- Version 1.32.2-gke.1182000 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.14-gke.1018000
- 1.30.10-gke.1022000
- 1.31.6-gke.1020000
- 1.32.1-gke.1357001
- 1.32.1-gke.1729000
- 1.32.2-gke.1297000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.28 to version 1.29.14-gke.1067000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.6-gke.1064000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.14-gke.1067000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.6-gke.1064000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182000 with this release.
Regular channel
- Version 1.31.6-gke.1020000 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.29.13-gke.1169000
- 1.30.9-gke.1201000
- 1.31.5-gke.1233000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.28 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.31.6-gke.1020000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
Stable channel
- Version 1.30.9-gke.1127000 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.30.9-gke.1046000
- 1.31.5-gke.1068000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.9-gke.1127000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
Extended channel
- Version 1.31.6-gke.1020000 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2270000
- 1.27.16-gke.2489000
- 1.28.15-gke.1781000
- 1.28.15-gke.1897000
- 1.29.13-gke.1169000
- 1.30.9-gke.1201000
- 1.31.5-gke.1233000
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.27.16-gke.2451000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.1844000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
No channel
- Version 1.31.6-gke.1020000 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.30.9-gke.1009000
- 1.31.5-gke.1068000
- 1.32.1-gke.1489001
- 1.32.2-gke.1297000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.28 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.9-gke.1127000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
(2025-R10) Version updates
- Version 1.32.2-gke.1182000 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.14-gke.1018000
- 1.30.10-gke.1022000
- 1.31.6-gke.1020000
- 1.32.1-gke.1357001
- 1.32.1-gke.1729000
- 1.32.2-gke.1297000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.28 to version 1.29.14-gke.1067000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.6-gke.1064000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.32.2-gke.1182000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.14-gke.1067000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.10-gke.1070000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.6-gke.1064000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.32 to version 1.32.2-gke.1182000 with this release.
(2025-R10) Version updates
- Version 1.31.6-gke.1020000 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.29.13-gke.1169000
- 1.30.9-gke.1201000
- 1.31.5-gke.1233000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.28 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.31.6-gke.1020000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
(2025-R10) Version updates
- Version 1.30.9-gke.1127000 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.30.9-gke.1046000
- 1.31.5-gke.1068000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.9-gke.1127000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
(2025-R10) Version updates
- Version 1.31.6-gke.1020000 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2270000
- 1.27.16-gke.2489000
- 1.28.15-gke.1781000
- 1.28.15-gke.1897000
- 1.29.13-gke.1169000
- 1.30.9-gke.1201000
- 1.31.5-gke.1233000
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.27 to version 1.27.16-gke.2451000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.1844000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
(2025-R10) Version updates
- Version 1.31.6-gke.1020000 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.30.9-gke.1009000
- 1.31.5-gke.1068000
- 1.32.1-gke.1489001
- 1.32.2-gke.1297000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.28 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.9-gke.1127000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
Looker 25.4 is expected to include the following changes, features, and fixes:
Expected Looker (original) deployment start: Monday, March 17, 2025
Expected Looker (original) final deployment and download available: Thursday, March 27, 2025
Expected Looker (Google Cloud core) deployment start: Monday, March 17, 2025
Expected Looker (Google Cloud core) final deployment: Monday, March 31, 2025
The gemini_in_looker permission, available only in the Looker Gemini role, is now being enforced at the Looker instance level. This permission is required for any Looker user who will be using Gemini assistance to perform the following tasks:
Query data with Conversational Analytics
Use of Conversational Analytics in Looker no longer requires Studio in Looker to be enabled for the Looker instance. Gemini in Looker enablement is still required. Admins must disable and then re-enable Gemini in Looker to access Conversational Analytics. Note: This item was added on March 18, 2025.
By default, Looker connects to your database using the latest version of the JDBC driver for your database dialect. If your selected database dialect has more than one JDBC driver version that is supported by Looker, you can now select an earlier version of the JDBC driver for your dialect. See the Connecting Looker to your database documentation page for more information. Update April 8, 2025: This feature is not available in Looker 25.4, and will instead be available in Looker 25.6.
The Open SQL Interface feature now supports Explores that use the conditionally_filters parameter. Previously disabled Explores are now enabled.
The Chart Config Editor now supports dynamic annotations. Use the annotationsSource and annotationsTarget parameters to use data from a field as an annotation on a visualization.
Looker now supports key-pair authentication for Snowflake connections. Note: This feature is not currently available but will be available later in the release cycle (early April 2025).
An issue has been fixed where deployed LookML could still appear on the Uncommitted Changes pages. This feature now performs as expected.
An issue has been fixed where the PDT Activity Dashboard would only include one model that the PDT is included in. This feature now performs as expected.
An issue has been fixed where the text for the Query Tracker was misaligned in German. This feature now performs as expected.
An issue has been fixed where circular references in Liquid could cause the LookML validator to crash. This feature now performs as expected.
An issue has been fixed where an unspecified 'hidden' attribute could cause the LookML validator to crash if localization was enabled. This feature now performs as expected.
An issue has been fixed where some schedules did not appear in the User Schedules page. This feature now performs as expected.
An issue has been fixed where Liquid references to parameters required view scoping even if the parameter was defined in the same view file. This feature now performs as expected.
An issue has been fixed where downloading a dashboard with a radial chart with no data as a PDF in the French locale could cause a rendering failure. This feature now performs as expected.
An issue has been fixed where using the legacy dashboards-next URL path for an embedded dashboard could cause a blank screen. This feature now performs as expected.
An issue has been fixed where the Explore page could crash while using Google Chrome. This feature now performs as expected.
An issue has been fixed where dashboard filters could not be saved if two or more filters shared a name. This feature now performs as expected.
An issue has been fixed where Snowflake connection certificates in the .p12 file format were not accepted. This feature now performs as expected.
When you change the sorting type or direction for folder contents, Looker now brings you to the first page of results. This feature now performs as expected.
An issue has been fixed where selecting "Sort by Favorited Date" in a folder would sort incorrectly. This feature now performs as expected.
An issue has been fixed where users with different "bqserviceaccount" user attribute values could access the same cached results. This feature now performs as expected.
The Content Validator scoping feature is now out of Labs and generally available for Looker-hosted instances. This feature allows developers to scope the validation to specific LookML projects and a specific content folder (including its subfolders, if any). This can improve the performance of the Content Validator. Update April 8, 2025: This feature is not supported for customer-hosted Looker deployments in Looker 25.4, and will instead be available for customer-hosted Looker deployments in Looker 25.6.
The New Database Connection Setup feature is now out of Labs and generally available. This feature updates the Add/Edit Connection page with a modernized UI, enhanced validation, connection testing capabilities, and a comprehensive configuration summary. If you want to revert to the legacy connections workflow, you can enable the Use Legacy Connections Page legacy toggle. Note: This item was updated on March 17, 2025. Update April 4, 2025: This feature is still in Labs in Looker 25.4, and will be generally available in Looker 25.6.
A new Labs feature, Fast Dev Mode Transition, improves the performance of Development Mode on your instance by loading LookML projects in read-only mode until a developer clicks the Create Developer Copy button for the project. Update April 4, 2025: This Labs feature is not available in Looker 25.4, and will instead be available in Looker 25.6.
Looker (Google Cloud core) instances now support the Admin via IAM Looker role. This role has full administrative privileges within a Looker (Google Cloud core) instance, but it's managed exclusively through Identity and Access Management (IAM), providing a direct sync between a principal's Looker Admin IAM role and admin privileges within the instance.
The Content Validator scoping feature is now generally available. This feature allows developers to scope the validation to specific LookML projects and a specific content folder (including its subfolders, if any). This can improve the performance of the Content Validator.
The Add/Edit Connection page is updated with a modernized UI, enhanced validation, connection testing capabilities, and a comprehensive configuration summary. Update April 8, 2025: This feature is not available in Looker 25.4, and will instead be available in Looker 25.6.
Experimental: Migrate to Virtual Machines now supports the migration of VM instances running Amazon Linux 2 to Rocky Linux 8 as part of an open access experimental program. In order to migrate a VM running Amazon Linux 2, Migrate to Virtual Machines first converts Amazon Linux 2 to Rocky Linux 8, and then completes the migration.
M128 release
The M128 release of Vertex AI Workbench user-managed notebooks includes the following:
- Miscellaneous package updates.
The M128 release of Vertex AI Workbench managed notebooks includes the following:
- Miscellaneous package updates.
M128 release
The M128 release of Vertex AI Workbench instances includes the following:
- Miscellaneous package updates.
March 11, 2025
Apigee Integrated PortalOn March 11, 2025 we released a new version of the Apigee integrated portal.
| Bug ID | Description |
|---|---|
| 380076166 | For an app in a portal, the status for each key will now show approved, revoked, partially approved or inactive based on the approval status of all the API products on that key (or if the key has been revoked). Additionally, the status of an API Product for an app will show approved, partially approved, or pending approval based on the approval status for all keys associated to that API product. If a key is revoked, it will not effect the approval status of the API product. |
You can use Cloud KMS Autokey to automate the creation and use of customer-managed encryption keys (CMEK) in Bigtable clusters. This feature is generally available (GA).
Data lineage for Dataflow jobs is generally available (GA) in the Bigtable Beam connector (BigtableIO) and the Bigtable HBase Beam connector (CloudBigtableIO). For more information, see Tracking lineage.
(Cloud Composer 3) Validation error messages now use the correct format for image versions.
New Airflow builds are available in Cloud Composer 3:
- composer-3-airflow-2.10.2-build.11 (default)
- composer-3-airflow-2.9.3-build.18
New images are available in Cloud Composer 2:
- composer-2.11.5-airflow-2.10.2 (default)
- composer-2.11.5-airflow-2.9.3
The API to create and manage Log Scopes is now Generally Available (GA). You can create and manage log scopes by using the Cloud Console, the Google Cloud CLI, and Terraform. For more information, see Create and manage log scopes.
A new region is now available for Cloud Run GPUs: europe-west1.
Dialogflow CX (Conversational Agents) generators: Model gemini-2.0-flash-001 is now a GA feature available in the following regions: global, us, us-central1, us-east1, us-west1, europe-west1, europe-west4.
Dialogflow CX (Conversational Agents) data store handlers: Model gemini-2.0-flash-lite-001 is now a Preview feature available in the following regions: global, us, us-central1, us-east1, us-west1, europe-west1, europe-west4.
Gemini 2.0 Flash Tuning
Gemini 2.0 Flash fine-tuning is now generally available (GA).
Added support for tuning function calling.
Within Curated Detections, the following rules have been added to the Cloud Hacktool rule pack for Google Cloud data in the "Broad" category. These rules are intended to detect the behavior of common open source hacktools.
- Collection: Set GCP Cloud Storage Bucket to Public
- Discovery: Cloud Run Enumeration
- Discovery: CloudFunctions Enumeration of GCP Cloud Functions
- Discovery: CloudKMS Enumeration of GCP Cloud KMS
- Discovery: CloudResourceManager Resource Manager Enumeration
- Discovery: Compute Enumeration
- Discovery: GCP Cloud IAM Enumeration
- Discovery: Secret Manager Cloud Secrets Enumeration
- Discovery: Storage Cloud Storage Enumeration
- Exfiltration: Download Cloud Function Code
- Exfiltration: Export a Compute Image Instance
- Persistence: Generate Signed URL for Modifying Cloud Function Code
- Privilege Escalation: Compute Set Instance or Project Metadata to Enable OS Login
URL indicators are now available for matching as part of Applied Threat Intelligence. For more information about Applied Threat Intelligence, see Applied Threat Intelligence overview.
Within Curated Detections, the following rules have been added to the Cloud Hacktool rule pack for Google Cloud data in the "Broad" category. These rules are intended to detect the behavior of common open source hacktools.
- Collection: Set GCP Cloud Storage Bucket to Public
- Discovery: Cloud Run Enumeration
- Discovery: CloudFunctions Enumeration of GCP Cloud Functions
- Discovery: CloudKMS Enumeration of GCP Cloud KMS
- Discovery: CloudResourceManager Resource Manager Enumeration
- Discovery: Compute Enumeration
- Discovery: GCP Cloud IAM Enumeration
- Discovery: Secret Manager Cloud Secrets Enumeration
- Discovery: Storage Cloud Storage Enumeration
- Exfiltration: Download Cloud Function Code
- Exfiltration: Export a Compute Image Instance
- Persistence: Generate Signed URL for Modifying Cloud Function Code
- Privilege Escalation: Compute Set Instance or Project Metadata to Enable OS Login
URL indicators are now available for matching as part of Applied Threat Intelligence. For more information about Applied Threat Intelligence, see Applied Threat Intelligence overview.
VPC spoke updates for IPv6 subnet exchange is available in public preview.
You can update, or propose updates to, an existing VPC spoke to enable or disable the exchange of IPv6 subnet ranges. For information about updating spokes, see Update whether a VPC spoke exports IPv6 subnet ranges. For information about accepting proposed updates to spokes, see Review proposed spokes.
Network Security Integration, including the Out-of-band integration, is available in General Availability.
Use out-of-band integration service to analyze your workloads' network traffic at scale. For more information, see Out-of-band integration overview.
Vertex AI Search for commerce: Conversational commerce
Conversational commerce uses LLM and conversational product filtering to provide users with a real-time, ongoing conversational experience. The conversational product filtering feature functions as part of the Guided Search package, helping narrow down search queries sooner by presenting users with either relevant products, follow-up questions, or both.
Conversational commerce is in private preview. For more information, see Conversational commerce and Conversational product filtering.
March 10, 2025
BatchCancelling jobs is generally available (GA).
Analytics Hub egress controls and data clean room subscriptions are now available in all BigQuery editions and on-demand pricing.
A weekly digest of client library updates from across the Cloud SDK.
Cloud SQL for MySQL introduces a set of improvements that adjust MySQL configurations dynamically based on workload demands and underlying infrastructure to optimize write performance and reduce latency. By default these improvements are enabled for all new Cloud SQL Enterprise Plus edition instances that you create or that you upgrade to from Cloud SQL Enterprise edition. Existing Cloud SQL Enterprise Plus instances that are updated with maintenance version [MySQL_version].R20250304.00_01 will also enable these improvements automatically.
For more information about these improvements, see Configure database flags.
Generally available: Compute flexible committed use discounts (CUDs) are available for Local SSD disks that you attach to instances of eligible machine types. Flexible CUDs add flexibility to your Compute Engine spending capabilities by eliminating the need to restrict your commitments to a single project, region, or machine series.
For more information, see Compute flexible CUDs.
Generally available: Configure the host error detection time, which is the the maximum amount of time Compute Engine waits to restart or terminate an instance after detecting that the instance is unresponsive. For more information, see Set VM host maintenance policy.
A weekly digest of client library updates from across the Cloud SDK.
Go
Changes for dataflow/apiv1beta3
0.10.4 (2025-03-06)
Bug Fixes
- dataflow: Fix out-of-sync version.go (28f0030)
New Dataproc on Compute Engine subminor image versions:
- 2.0.135-debian10, 2.0.135-rocky8, 2.0.135-ubuntu18
- 2.1.83-debian11, 2.1.83-rocky8, 2.1.83-ubuntu20, 2.1.83-ubuntu20-arm
- 2.2.49-debian12, 2.2.49-rocky9, 2.2.49-ubuntu22
Dialogflow CX (Conversational Agents): The Conversational Agents console has moved to a new location.
Dialogflow CX (Conversational Agents): You can now use the console search feature to search for all resources, including playbooks, examples, and tools.
Dialogflow CX (Conversational Agents): Playbooks now support the following new features:
- Two different playbook types: Task playbooks and routine playbooks.
- Connector tools.
- Conditional actions.
- DTMF.
Dialogflow CX (Conversational Agents): You can now use the Conversational Agents console to manage languages.
Dialogflow CX (Conversational Agents) data store handlers: New model gemini-2.0-flash-001 is now available to data store handlers as a Preview feature. This launch is limited to the following regions: global, us, us-central1, us-east1, us-west1, europe-west1, europe-west4.
Dialogflow CX (Conversational Agents): Text-to-speech used by Dialogflow now supports new Chirp 3 HD voices.
Dialogflow CX (Conversational Agents): Git export/restore now supports additional Git providers and Google Secrets for token storage.
The following rule has been removed from its associated rule pack in Curated Detections due to high alert volume across the Google SecOps customer base:
- Serverless Threats
- Potential Cryptomining Payload running in Cloud Run Service or Cloud Run Job
The following rule has been removed from its associated rule pack in Curated Detections due to high alert volume across the Google SecOps customer base:
- Serverless Threats
- Potential Cryptomining Payload running in Cloud Run Service or Cloud Run Job
The following detectors have been added to Container Threat Detection.
- Execution: Program Run with Disallowed HTTP Proxy Env
- Exfiltration: Launch Remote File Copy Tools in Container
For more information, see Container Threat Detection detectors.
Tiered storage is Generally Available in Spanner. Tiered storage is a fully-managed feature that lets you store your data across solid-state drives (SSD) or hard disk drives (HDD). Using tiered storage lets you take advantage of both SSD storage, which supports the high performance of active data, and HDD storage, which supports infrequent data access at a lower cost. For more information, see Tiered storage.
The following LangChain solutions can be used with Spanner Graph:
- Graph store for Spanner: Use to retrieve and store nodes and edges from a graph database. For more information, see Graph store for Spanner.
- Graph QA chain for Spanner: Uses a Spanner graph to answer questions. For more information, see Graph QA chain for Spanner.
March 09, 2025
Google SecOpsThe session timeout duration is being extended from 3 hours to 8 hours. After 8 hours of activity, you are automatically logged out and required to sign in again. To prevent data loss, we recommend that you manually log out in advance if you anticipate being away from the platform for an extended period of time. This feature will be gradually rolled out starting March 17, 2025.
The session timeout duration is being extended from 3 hours to 8 hours. After 8 hours of activity, you are automatically logged out and required to sign in again. To prevent data loss, we recommend that you manually log out in advance if you anticipate being away from the platform for an extended period of time. This feature will be gradually rolled out starting March 17, 2025.
Release 6.3.37 is now in General Availability.
March 08, 2025
Google SecOpsMap users in the platform for Google Cloud Identity customers
Administrators can now provision and map new users into the platform by adding them to groups in bulk using their email addresses. This streamlines user management and access control for organizations using Google Cloud Identity.
For more information, see Map users with email groups to the platform.
Release 6.3.38 is currently in Preview. This release contains internal and customer bug fixes.
March 07, 2025
Apigee Advanced API SecurityOn March 7, 2025 we released an updated version of Apigee Advanced API Security.
Availability of data obfuscation support with Advanced API Security
With this release, data obfuscation can be used with Advanced API Security.
For usage information, see Obfuscate user data for Apigee API Analytics and Data obfuscation with Advanced API Security.
You can integrate Agent Assist summarization generators with Conversational Insights. Summarization uses existing LLM generators to automatically summarize conversations. You can then export those summaries along with your other Insights data.
Infrastructure for a RAG-capable generative AI application using Vertex AI and Vector Search: Added information about the Terraform configuration sample to deploy the architecture.
GKE now allows you to enable logging of Horizontal Pod Autoscaler decisions starting from GKE version 1.31.5-gke.1090000 or later, or version 1.32.1-gke.1260000 or later. These logs include atomic recommendations (based on individual metrics) and final recommendations (consolidated HPA decisions). The logs are stored in Cloud Logging and offer insights into the decision-making process of the Horizontal Pod Autoscaler.
You can now monitor startup latency of Kubernetes workloads and nodes using the new Startup Latency dashboard available in the Observability tab on the Deployment details and Cluster details pages in the GKE Console. The dashboard is useful for tracking, troubleshooting and optimizing startup latency of your GKE workloads.
The following features of internal ranges are available in Preview:
- Reserving internal ranges with IPv6 addresses
- Creating immutable internal ranges (ranges that can't be updated, except for the description)
- Editable descriptions
For more information, see Internal ranges overview.
You can exclude IP address ranges from internal range automatic IP address allocation. This feature is available in Preview. For more information, see Reserve internal ranges.
You can create internal ranges that overlap with routes and subnets. This feature is available in General Availability. For more information, see Internal ranges overview.
March 06, 2025
Anthos Config ManagementFixed an issue where ConfigManagement uninstall could get stuck when Policy Controller was enabled via ConfigManagement. This was caused by Policy Controller finalizers not being properly removed during the uninstallation process.
BigQuery Data Transfer Service now supports custom reports for Google Ads. You can use Google Ads Query Language (GAQL) queries in your transfer configuration to ingest custom Google Ads reports and fields beyond those available in the standard reports and fields. This feature is now generally available (GA).
Cloud Router support for BGP route policies is now generally available. For more information, see BGP route policies overview.
The following new region is now available: europe-north2.
Conversational Insights offers Rule-based analysis as a GA feature to customize your conversation analyses. Rule-based analysis provides the following customizations:
- Filter conversations.
- Select a percentage of your dataset.
- Designate different types of analysis.
The schedule for the Container Registry shutdown has changed. After March 18, 2025, writing images to Container Registry is unavailable. After May 20, 2025, reading images from Container Registry is unavailable. For more information about the shutdown, see Container Registry deprecation.
Partner connection launch update
The following partner connectors have been added to the Looker Studio Connector Gallery:
- Google AdSense by Kentaro Shiomi SOURCES: GOOGLE_ADSENSE
- PostgreSQL by Windsor.ai SOURCES: POSTGRESQL
- Redshift by Windsor.ai SOURCES: AMAZON_REDSHIFT
- MongoDB by Windsor.ai SOURCES: MONGODB
- Snowflake by Windsor.ai SOURCES: SNOWFLAKE
- 快客-META串接 by 黑客數位 SOURCES: FACEBOOK_ADS
- Drip by Jivrus Technologies SOURCES: DRIP
- Really Simple Systems by Jivrus Technologies SOURCES: REALLY_SIMPLE_SYSTEMS
- Survey Sparrow by Windsor.ai SOURCES: SURVEYSPARROW
- TikTok Insights by Porter Metrics SOURCES: TIKTOK
- Walmart US by Windsor.ai SOURCES: WALMART
- Threads Insights by Supermetrics SOURCES: THREADS
- Active Campaign by Power My Analytics SOURCES: ACTIVECAMPAIGN
- Odoo CRM AppiWorks by Jivrus Technologies SOURCES: ODOO-CRM
The AWS connector has changed to enable additional use cases and requires the collection of AWS organization and organizational unit (OU) data. This change may require you to take additional action. For details about the change, see the AWS connector changelog.
Chirp 3: HD voices now supports 8 new speakers in 31 new locales: ar-XA, bn-IN, cmn-CN, de-DE, en-AU, en-GB, en-IN, en-US, es-ES, es-US, fr-CA, fr-FR, gu-IN, hi-IN, id-ID, it-IT, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, nl-NL, pl-PL, pt-BR, ru-RU, sw-KE, ta-IN, te-IN, th-TH, tr-TR, and vi-VN.
March 05, 2025
Apigee UIOn March 5, 2025, we released an updated version of the Apigee UI.
| Bug ID | Description |
|---|---|
| 368686537 | Resolved issue causing delay when loading API product pages in the Apigee UI in Cloud console. Members of Apigee organizations with large number of API proxies experienced long load times when accessing the API product create or API product edit pages in the Apigee UI in Cloud console. |
You can now specify an order in which Airflow searches for secrets by overriding the
[secrets]backends_order Airflow configuration option.
Fixed an issue in Cloud Composer REST API that allowed some environment.patch operations to succeed when multiple update masks that aren't related to each other were passed in a request. Now operations with such masks fail with an error.
New Airflow builds are available in Cloud Composer 3:
- composer-3-airflow-2.10.2-build.10 (default)
- composer-3-airflow-2.9.3-build.17
New images are available in Cloud Composer 2:
- composer-2.11.4-airflow-2.10.2 (default)
- composer-2.11.4-airflow-2.9.3
Cloud Composer versions 2.6.2 and 2.6.3 have reached their end of support period.
Configurable dual-regions now include the Turin, Italy (europe-west12) region. For more information, see Cloud Storage configurable dual-regions.
cos-beta-121-18867-0-24
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v25.0.7 | v2.0.2 | See List |
Updates to Major Packages:
Upgraded app-admin/google-osconfig-agent to v20250121.00-r1.
Upgraded app-containers/cri-tools to v1.31.1-r1.
Upgraded app-containers/docker to v25.0.7.
Upgraded app-containers/runc to v1.2.4-r1.
Upgraded net-misc/openssh to v9.9_p1.
Upgraded app-admin/fluent-bit to v3.2.5-r1.
Upgraded app-containers/containerd to v2.0.2-r1.
Upgraded app-emulation/cloud-init to v24.4.1-r1.
Upgraded app-admin/google-guest-agent to v20250204.02-r1.
Upgraded app-admin/oslogin to 20241216.00-r1.
Upgraded app-containers/cni-plugins to v1.6.2-r1.
New Features and Changes in the Linux Kernel:
Removed the capability to change the kernel's preemption model on the kernel command line.
Added support for nftables flow offload and the flowtable infrastructure.
New Features and Changes in the Image:
Removed support for R550, R560, and R565 Nvidia drivers.
Updates to Minor Packages:
Removed dev-libs/confuse.
Removed sys-libs/libsepol.
Removed dev-go/protobuf.
Removed chromeos-base/chromeos-ec-headers.
Removed sys-libs/libselinux.
Removed dev-go/protobuf-legacy-api.
Removed sys-libs/gdbm.
Removed dev-go/appengine.
Removed dev-python/more-itertools.
Removed dev-python/typing-extensions.
Removed dev-python/webcolors.
Removed dev-python/ordered-set.
Removed dev-python/platformdirs.
Removed dev-python/trove-classifiers.
Removed dev-python/tomli.
Removed dev-python/jaraco-context.
Removed dev-python/autocommand.
Removed dev-python/zipp.
Removed dev-python/zope-interface.
Removed dev-python/wheel.
Removed dev-python/jaraco-functools.
Removed dev-python/importlib_resources.
Removed dev-python/pydantic.
Removed dev-python/inflect.
Removed dev-python/jaraco-text.
Removed dev-libs/libusb.
Removed virtual/libusb.
Removed dev-embedded/libftdi.
Removed chromeos-base/dlcservice-client.
Removed chromeos-base/libec.
Removed dev-python/setuptools.
Removed dev-python/setuptools_scm.
Updated dev-libs/expat to v2.6.4.
Updated net-libs/libtirpc to v1.3.6.
Updated sys-libs/libcap to v2.71.
Updated chromeos-base/power_manager-client to v0.0.1-r2960.
Updated chromeos-base/chromeos-common-script to v0.0.1-r656.
Updated chromeos-base/debugd-client to v0.0.1-r2725.
Updated chromeos-base/session_manager-client to v0.0.1-r2816.
Updated sys-apps/diffutils to v3.11.
Updated net-dns/c-ares to v1.34.4.
Updated app-admin/extensions-manager to v0.0.1-r58.
Updated sys-apps/gentoo-functions to v1.7.3.
Updated sys-libs/libseccomp to v2.5.5-r2.
Updated chromeos-base/minijail to v18-r158.
Updated net-libs/libnetfilter_conntrack to v1.1.0.
Updated sys-apps/pv to v1.9.27.
Updated net-firewall/iptables to v1.8.10-r3.
Updated dev-db/sqlite to v3.47.2.
Updated dev-libs/nss to v3.107.
Updated dev-go/oauth2 to v0.23.0-r1.
Updated sys-fs/xfsprogs to v6.9.0.
Updated dev-python/chardet to v3.0.4-r2.
Updated net-misc/curl to v8.11.1-r2.
Updated app-admin/sudo to v1.9.16_p2-r1.
Updated sys-apps/flashrom to v0.9.9-r1626.
Updated chromeos-base/shill-client to v0.0.1-r4812.
Updated chromeos-base/update_engine-client to v0.0.1-r2469.
Updated chromeos-base/update_engine to v0.0.3-r4806.
Updated chromeos-base/crash-reporter to v0.0.1-r4257.
Various bug fixes and minor product enhancements for IntelliJ Gemini Code Assist extension.
Infrastructure for a RAG-capable generative AI application using Vertex AI and Vector Search: Updated the data processing component in the reference architecture to use a Cloud Run function in place of a Cloud Run job.
The Envoy project recently announced several new security vulnerabilities (CVE-2024-53269, CVE-2024-53270, and CVE-2024-53271) that could allow an attacker to crash Envoy.
For more details, see the GCP-2025-009 security bulletin.
Security bulletin
The Envoy project recently announced several new security vulnerabilities (CVE-2024-53269, CVE-2024-53270, and CVE-2024-53271) that could allow an attacker to crash Envoy.
For more details, see the GCP-2025-009 security bulletin.
(2025-R09) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.14-gke.1020000
- 1.30.10-gke.1042000
- 1.31.6-gke.1027000
Regular channel
- Version 1.31.5-gke.1233000 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.29.13-gke.1109000
- 1.30.9-gke.1127000
- 1.31.5-gke.1169000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.28 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.9-gke.1201000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.9-gke.1201000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.5-gke.1233000 with this release.
Stable channel
- Version 1.30.9-gke.1046000 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.29.13-gke.1006000
- 1.30.9-gke.1009000
- 1.31.5-gke.1023000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.28 to version 1.29.13-gke.1038000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.9-gke.1046000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.29.13-gke.1038000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.9-gke.1046000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.5-gke.1068000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
Extended channel
- Version 1.31.5-gke.1233000 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2477000
- 1.28.15-gke.1641000
- 1.28.15-gke.1881000
- 1.29.13-gke.1109000
- 1.30.9-gke.1127000
- 1.31.5-gke.1169000
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.1781000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.9-gke.1201000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.5-gke.1233000 with this release.
No channel
- Version 1.31.5-gke.1233000 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.29.13-gke.1006000
- 1.29.13-gke.1109000
- 1.29.14-gke.1020000
- 1.30.8-gke.1261000
- 1.30.10-gke.1042000
- 1.31.5-gke.1023000
- 1.31.6-gke.1027000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.28 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.9-gke.1046000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.9-gke.1046000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.5-gke.1233000 with this release.
The Envoy project recently announced several new security vulnerabilities (CVE-2024-53269, CVE-2024-53270, and CVE-2024-53271) that could allow an attacker to crash Envoy.
For more details, see the GCP-2025-009 security bulletin.
(2025-R09) Version updates
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.14-gke.1020000
- 1.30.10-gke.1042000
- 1.31.6-gke.1027000
(2025-R09) Version updates
- Version 1.31.5-gke.1233000 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.29.13-gke.1109000
- 1.30.9-gke.1127000
- 1.31.5-gke.1169000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.28 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.9-gke.1201000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.9-gke.1201000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.5-gke.1233000 with this release.
(2025-R09) Version updates
- Version 1.30.9-gke.1046000 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.29.13-gke.1006000
- 1.30.9-gke.1009000
- 1.31.5-gke.1023000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.28 to version 1.29.13-gke.1038000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.9-gke.1046000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.29.13-gke.1038000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.9-gke.1046000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.5-gke.1068000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
(2025-R09) Version updates
- Version 1.31.5-gke.1233000 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2477000
- 1.28.15-gke.1641000
- 1.28.15-gke.1881000
- 1.29.13-gke.1109000
- 1.30.9-gke.1127000
- 1.31.5-gke.1169000
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.1781000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.9-gke.1201000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.5-gke.1233000 with this release.
(2025-R09) Version updates
- Version 1.31.5-gke.1233000 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.29.13-gke.1006000
- 1.29.13-gke.1109000
- 1.29.14-gke.1020000
- 1.30.8-gke.1261000
- 1.30.10-gke.1042000
- 1.31.5-gke.1023000
- 1.31.6-gke.1027000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.28 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.9-gke.1046000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.29.13-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.9-gke.1046000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.5-gke.1233000 with this release.
Gemini documentation summaries
You can use Gemini to answer questions about Google SecOps based on the documentation. Enter a prompt in the Gemini pane to request information about any aspect of how to use Google SecOps. Gemini generates a summary based on relevant documentation. This feature is in public preview.
For more information, see Gemini documentation summaries.
Gemini documentation summaries
You can use Gemini to answer questions about Google SecOps based on the documentation. Enter a prompt in the Gemini pane to request information about any aspect of how to use Google SecOps. Gemini generates a summary based on relevant documentation. This feature is in public preview.
For more information, see Gemini documentation summaries.
The phased rollout to regions as described here is postponed to Sunday, March 16th, 2025.
Memorystore for Redis Cluster supports storing and querying vector data. This feature is now Generally Available (GA). For more information, see About Vector Search.
Google Cloud's Agent for SAP version 3.7
Version 3.7 of Google Cloud's Agent for SAP is generally available (GA). This version introduces the following:
- Support for the disk snapshot based backup and recovery of SAP HANA scale-out systems, except those with the host auto-failover solution.
- Enhancements for Backint based backup and recovery of SAP HANA.
- Enhancements for evaluating Pacemaker configurations by using Workload Manager.
- Support for showing annotations for SAP events in Cloud Monitoring and predefined observability dashboards.
- Support to validate the Google Cloud setup for using the agent features.
- Automatic polling of agent configuration, negating the need to restart the agent after you change its configuration.
For more information, see What's new with Google Cloud's Agent for SAP.
March 04, 2025
AlloyDB for PostgreSQLAlloyDB for PostgreSQL is available in the following region: europe-north2 (Stockholm). For more information, see AlloyDB Locations.
Artifact Registry is available in the europe-north2 region (Stockholm). For more information, see Global locations.
BigQuery is now available in the Stockholm (europe-north2) region.
Bigtable is available in the europe-north2 (Stockholm) region. For more information, see Bigtable locations.
Cloud Build is now available in the northamerica-south1 region.
For more information, see Cloud Build locations.
Cloud Composer 3 supports Customer Managed Encryption Keys (CMEK).
Dedicated Cloud Interconnect support is available in the following colocation facilities:
- Stockholm, Sweden
For more information, see the Locations table and Global Locations.
Cloud KMS is available in the following region:
europe-north2
For more information, see Cloud KMS locations.
Application Load Balancers now support the use of custom metrics that let you configure your load balancer's traffic distribution behavior to be based on metrics specific to your application or infrastructure requirements, rather than Google Cloud's standard utilization or rate-based metrics. Defining custom metrics for your load balancer gives you the flexibility to route application requests to the backend instances and endpoints that are most optimal for your workload.
For more information, see Custom metrics for Application Load Balancers.
This capability is in Preview.
The following new region is now available: northamerica-south1.
Cloud SQL Enterprise edition now supports the europe-north2 (Stockholm) region.
Cloud SQL for MySQL now supports minor version 8.0.41. To upgrade your existing instance to the new version, see Upgrade the database minor version.
Cloud SQL Enterprise edition now supports the europe-north2 (Stockholm) region.
Cloud SQL Enterprise edition now supports the europe-north2 (Stockholm) region.
Cloud Storage now offers support in the Stockholm, Sweden (europe-north2) region. To learn more about supported locations, see Cloud Storage bucket locations.
Cloud VPN is now available in region europe-north2 (Stockholm, Sweden). For more information, see Global locations.
Pricing is available on the Cloud VPN pricing page.
Generally available: Stockholm, Sweden, Europe (europe-north2-a,b,c) has launched with N4, C3D highmem, C4 highmem, and E2 machine types available in all three zones. For more information, see Cloud locations and VM instance pricing.
Release 6.2
New Data Sources
- Marketing: Cross Media & Product Connected Insights. Understand the effectiveness of marketing campaigns running across media platforms such as Google Ads, YouTube (with DV360), Meta, and TikTok for product and product category sales performance with the power of Gemini Flash 2.0. Access the Looker Block for Cross Media with sample dashboards for further analytics.
- Cortex Common Dimensions: Newly added utility views and tables created within the Data Foundation to enable advanced use cases across different data sources, such as Cross Media & Product Connected Insights. Currently Country, Product Hierarchy and Currency Conversion are available.
- Minor refactoring for Data Mesh configuration specs code, which are now moved to the
/src/common/py_libsdirectory.
- SAP CDC Deployer now provides detailed error messages on failure.
- SAP Reporting - Fixing abundant join condition in
PurchaseDocuments_Flowview. - For all DAGs, BigQuery execution now happens in the same location as the dataset.
- 1-click deployer usability fixes for CM360 and SFMC bucket names.
The following standalone accelerators and samples are removed from Cortex Framework:
- Demand Sensing
- AppLayer
- CATGAP
- SAP ML Model samples
Dataflow is now available in Stockholm (europe-north2).
Dataproc is now available in the europe-north2 region (Stockholm, Sweden).
Firestore now supports the europe-north2 Stockholm region.
For a full list of supported locations, see Locations.
Firestore in Datastore mode now supports the europe-north2 Stockholm region.
For a full list of supported locations, see Locations.
Vertex AI Agent Engine
Vertex AI Agent Engine is now generally available (GA).
Billing for Vertex AI Agent Engine starts on March 4, 2025. We recommend that you delete unused resources to avoid incurring unwanted costs. For more information, see Pricing.
LangChain on Vertex AI has been renamed to Vertex AI Agent Engine.
The europe-north2 region in Stockholm, Sweden is now available. For more information, see the Global Locations.
The europe-north2 region in Stockholm, Sweden is now available. For more information, see the Global Locations.
Memorystore is available in the europe-north2 (Stockholm) region. For more information, see Regions and zones.
Memorystore is available in the europe-north2 (Stockholm) region. For more information, see Regions and zones.
Memorystore is available in the europe-north2 (Stockholm) region. For more information, see Memorystore for Redis Cluster locations.
You can now start, stop, and restart your Autonomous Databases through the Google Cloud console. This feature is generally available (GA).
Pub/Sub is now available in the europe-north2 region (Stockholm, Sweden, Europe). For more information, see Cloud locations.
Sensitive Data Protection is available in the europe-north2 region. For more information, see Sensitive Data Protection locations.
You can create Spanner regional instance configurations in Stockholm, Sweden (europe-north2). For more information, see Google Cloud locations and Spanner pricing.
A new multi-region instance configuration is now available in Europe - eur7 (Milan/Frankfurt/Turin).
For auto mode VPC networks, added a new subnet 10.226.0.0/20 for the Stockholm europe-north2 region. For more information, see Global Locations and Auto mode IP ranges.
March 03, 2025
AI ApplicationsVertex AI Search: Ranking visibility and custom ranking (Private preview)
You can access the signals that contribute to your ranking and then tune these signals to customize the ranking. To tune the ranking signals, you can modify predefined ranking expressions or specify custom ranking expressions.
Ranking visibility and custom ranking is a Private preview feature. For more information, see the rankingExpression field.
Go 1.23 is now generally available.
Go 1.23 is now generally available.
App Engine now sets the automatic scaling maximum instances default for standard environment deployments to 20. This change doesn't impact existing apps. To override the default, specify a new max_instances value in your app.yaml file, and deploy a new version or redeploy over an existing version.
App Engine now sets the automatic scaling maximum instances default for standard environment deployments to 20. This change doesn't impact existing apps. To override the default, specify a new max_instances value in your app.yaml file, and deploy a new version or redeploy over an existing version.
App Engine now sets the automatic scaling maximum instances default for standard environment deployments to 20. This change doesn't impact existing apps. To override the default, specify a new max_instances value in your app.yaml file, and deploy a new version or redeploy over an existing version.
App Engine now sets the automatic scaling maximum instances default for standard environment deployments to 20. This change doesn't impact existing apps. To override the default, specify a new max_instances value in your app.yaml file, and deploy a new version or redeploy over an existing version.
App Engine now sets the automatic scaling maximum instances default for standard environment deployments to 20. This change doesn't impact existing apps. To override the default, specify a new max_instances value in your app.yaml file, and deploy a new version or redeploy over an existing version.
App Engine now sets the automatic scaling maximum instances default for standard environment deployments to 20. This change doesn't impact existing apps. To override the default, specify a new max_instances value in your app.yaml file, and deploy a new version or redeploy over an existing version.
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-bigquery
2.48.1 (2025-02-26)
Dependencies
- Update actions/upload-artifact action to v4.6.1 (#3691) (9c0edea)
- Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.60.0 (#3680) (6d9a40d)
- Update dependency com.google.apis:google-api-services-bigquery to v2-rev20250216-2.0.0 (#3688) (e3beb6f)
- Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.64.0 (#3681) (9e4e261)
- Update dependency com.google.cloud:sdk-platform-java-config to v3.44.0 (#3694) (f69fbd3)
- Update dependency com.google.oauth-client:google-oauth-client-java6 to v1.38.0 (#3685) (53bd7af)
- Update dependency com.google.oauth-client:google-oauth-client-jetty to v1.38.0 (#3686) (d71b2a3)
- Update ossf/scorecard-action action to v2.4.1 (#3690) (cdb61fe)
Python
Changes for google-cloud-bigquery
3.30.0 (2025-02-26)
Features
- Add roundingmode enum, wiring, and tests (#2121) (3a48948)
- Adds foreign_type_info attribute to table class and adds unit tests. (#2126) (2c19681)
- Support resource_tags for table (#2093) (d4070ca)
Bug Fixes
- Avoid blocking in download thread when using BQ Storage API (#2034) (54c8d07)
- Retry 404 errors in
Client.query(...)(#2135) (c6d5f8a)
Dependencies
- Updates required checks list in github (#2136) (fea49ff)
- Use pandas-gbq to determine schema in
load_table_from_dataframe(#2095) (7603bd7)
Documentation
You can create a SQL user-defined aggregate function by using the CREATE AGGREGATE FUNCTION statement. This feature is generally available (GA).
Gemini in BigQuery can help you complete Python code with contextually appropriate recommendations that are based on content in the query editor. This feature is now generally available (GA).
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-bigtable
2.53.0 (2025-02-21)
Features
Python
Changes for google-cloud-bigtable
2.29.0 (2025-02-26)
Features
Bug Fixes
Certificate Authority Service is now available in the following region:
- europe-north2 (Stockholm)
For more information, see Certificate Authority Service locations.
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-logging
3.21.4 (2025-02-26)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (67fa9fb)
Dependencies
Support for the Go 1.23 runtime is now in general availability (GA).
Cloud Run functions now supports the Go 1.23 runtime at the General Availability release level.
The rollout of the following minor versions, extension versions, and plugin versions is complete:
Minor versions
- 12.21 is upgraded to 12.22.
- 13.18 is upgraded to 13.20.
- 14.15 is upgraded to 14.17.
- 15.10 is upgraded to 15.12
- 16.6 is upgraded to 16.8.
- 17.2 is upgraded to 17.4.
Extensions and plugins
- PostGIS is upgraded from 3.4.3 to 3.4.4.
To use these versions of the extensions, update your instance to [PostgreSQL version].R20250112.01_14.
If you use a maintenance window, then the updates to the minor, extension, and plugin versions happen according to the timeframe that you set in the window. Otherwise, the updates occur within the next few weeks.
For more information on checking your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-storage
2.49.0 (2025-02-26)
Features
- Add new Options to allow per method header values (#2941) (297802d)
- transfer-manager: Add ParallelUploadConfig.Builder#setUploadBlobInfoFactory (#2936) (86e9ae8), closes #2638
Bug Fixes
- Categorize a WatchdogTimeoutException as retriable for grpc ReadObject (#2954) (b53bd53)
- deps: Update the Java code generator (gapic-generator-java) to 2.53.0 (9946d6b)
- Update grpc based Storage to defer project id validation (#2930) (cc03784)
- Update kms key handling when opening a resumable upload to clear the value in the json to be null rather than empty string (#2939) (43553de)
Dependencies
Documentation
Python
Changes for google-cloud-storage
3.1.0 (2025-02-27)
Features
cos-113-18244-291-53
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |
Updated cos-gpu-installer to v2.4.8: Add the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during gpu driver installation.
Upgraded moby/buildkit to v0.12.5. This fixes CVE-2024-23653 in app-containers/docker v24.0.9.
Upgraded sys-apps/which to v2.23.
Upgraded sys-apps/diffutils to v3.11-r1.
Upgraded net-misc/socat to v1.8.0.3.
Fixed KCTF-638ba50 in the Linux kernel.
Fixed CVE-2025-21690 in the Linux kernel.
cos-109-17800-436-48
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |
Updated cos-gpu-installer to v2.4.8: Add the -skip-nvidia-smi flag to disable the execution of nvidia-smi verification during gpu driver installation.
Upgraded sys-apps/diffutils to v3.11-r1.
Upgraded moby/buildkit to v0.12.5. This fixes CVE-2024-23653 in app-containers/docker v24.0.9.
Fixed CVE-2025-21690 in the Linux kernel.
cos-105-17412-535-63
| Kernel | Docker | Containerd | GPU Drivers |
| COS-5.15.173 | v23.0.3 | v1.7.23 | See List |
Upgraded sys-apps/diffutils to v3.11-r1.
Upgraded sys-apps/which to v2.23.
Fixed CVE-2025-21690 in the Linux kernel.
cos-117-18613-164-49
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |
Upgraded moby/buildkit to v0.12.5. This fixes CVE-2024-23653 in app-containers/docker v24.0.9.
Fixed CVE-2025-21690 in the Linux kernel.
New Dataproc Serverless for Spark runtime versions:
- 1.1.94
- 1.2.38
- 2.2.38
The Custom Fields feature is now in General Availability.
Beginning on Sunday, March 9, 2025, we will initiate a phased rollout of releases.
The first stage will be rolled out in the following regions on Sunday, March 9, 2025:
- Japan
- India
- Australia
- Canada
- Germany
- Switzerland
The second stage will be rolled out in the remaining regions on Sunday, March 16, 2025:
- Singapore
- Qatar
- Saudi Arabia
- Israel
- UK (London)
- Italy
- EU (multi-region)
- US (multi-region)
If you're unsure of your assigned region, contact your Google SecOps representative.
You can now choose an Exadata Infrastructure instance from a project other than your default current project while creating a VM cluster. This feature is in Public Preview.
Policy Controller version 1.20.1 is now available.
You can now ingest streaming data into Pub/Sub by using an import topic, from the following external sources:
A weekly digest of client library updates from across the Cloud SDK.
Java
Changes for google-cloud-pubsub
1.137.1 (2025-02-26)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.54.0 (ccf670f)
Dependencies
- Update dependency com.google.cloud:google-cloud-bigquery to v2.48.0 (#2343) (3bbd7e1)
- Update dependency com.google.cloud:google-cloud-core to v2.52.0 (#2348) (f0977b4)
- Update dependency com.google.cloud:sdk-platform-java-config to v3.44.0 (#2349) (90ed10b)
- Update googleapis/sdk-platform-java action to v2.54.0 (#2347) (ac8db2d)
Secret Manager is now available in the following region:
- europe-north2 (Stockholm)
For more information, see Secret Manager locations.
You can use Virtual Machine Threat Detection to scan your Amazon Elastic Compute Cloud (EC2) VM disks for malware. To enable this feature, see Enable VM Threat Detection for AWS. This feature is in Preview.
March 02, 2025
Google SecOps SOARRelease 6.3.37 is currently in Preview. This release contains internal and customer bug fixes.
March 01, 2025
Apigee hybridhybrid v1.13.3
On March 1, 2025 we released an updated version of the Apigee hybrid software, 1.13.3.
This release enhances the security posture within the JavaCallout and PythonScript policies. This release does not include any new features or general bug fixes.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.13.
- For information on new installations, see The big picture.
- For recommended actions after upgrading, see Validate policies after upgrade to 1.13.3.
| Bug ID | Description |
|---|---|
| 396886110 | Fixed a bug where the HPA max replicas could be lower than min. |
| 391861216 | Restore for Google Cloud Platform and HYBRID Cloud Providers no longer affects system keyspaces. This fixes Known Issue 391861216. |
| 390258745, 388608440 | Any left over Cassandra snapshots are automatically removed. This fixes known issue 388608440. |
| 390019667 | Fixed bug where the daemonsets had an invalid pod disruption budget which prevented downscaling. |
| 383441226 | Added the following metrics configuration properties:
|
Manage process ID limits
The procedure to manage the process ID limits in your clusters has been added to the documentation.
A Process ID limit is a Kubernetes resource constraint on nodes and pods to prevent excessive process creation, which can impact node stability. Setting process ID limits in Kubernetes can improve system stability, security, and resource management. This is also consistent with Kubernetes best practices. Apigee Hybrid supports the Kubernetes feature to set process ID limits.
See: Manage process ID limits.
Stricter class instantiation checks included in this release.
JavaCallout policy now includes additional security during Java class instantiation. The enhanced security measure prevents the deployment of policies that directly or indirectly attempt actions that require permissions that are not allowed.
In most cases, existing policies will continue to function as expected without any issues. However, there is a possibility that policies relying on third-party libraries, or those with custom code that indirectly triggers operations requiring elevated permissions, could be affected.
To test your installation, follow the procedure in Validate policies after upgrade to 1.13.3 to validate policy behavior.
| Bug ID | Description |
|---|---|
| Bug ID | Description |
| 385394193, 383850393, 383778273 | Security fixes for apigee-cassandra-backup-utility, apigee-cassandra-client, and apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| 382967738 | Fixed a vulnerability in PythonScript policy. |
| N/A | Security fixes for apigee-envoy. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-fluent-bit. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-mint-task-scheduler. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerability: |
| 392174215 | Security fixes for apigee-operator. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-redis. This addresses the following vulnerabilities: |
| 391786033 | Security fixes for apigee-watcher. This addresses the following vulnerability: |
| N/A | Security fixes for livenessprobe. This addresses the following vulnerability: |
hybrid v1.14.1
On March 1, 2025 we released an updated version of the Apigee hybrid software, 1.14.1.
This release enhances the security posture within the JavaCallout and PythonScript policies. This release does not include any new features or general bug fixes.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.14.
- For information on new installations, see The big picture.
- For recommended actions after upgrading, see Validate policies after upgrade to 1.14.1.
| Bug ID | Description |
|---|---|
| 396886110 | Fixed a bug where the HPA max replicas could be lower than min. |
| 392547038 | Add Helm chart template checks for non-existent environments and virtualhosts. |
| 391861216 | Restore for Google Cloud Platform and HYBRID Cloud Providers no longer affects system keyspaces. This fixes Known Issue 391861216. |
| 390019667 | Fixed bug where the daemonsets had an invalid pod disruption budget which prevented downscaling. |
| 383441226 | Added the following metrics configuration properties:
|
Manage process ID limits
The procedure to manage the process ID limits in your clusters has been added to the documentation.
A Process ID limit is a Kubernetes resource constraint on nodes and pods to prevent excessive process creation, which can impact node stability. Setting process ID limits in Kubernetes can improve system stability, security, and resource management. This is also consistent with Kubernetes best practices. Apigee Hybrid supports the Kubernetes feature to set process ID limits.
See: Manage process ID limits.
Stricter class instantiation checks included in this release.
JavaCallout policy now includes additional security during Java class instantiation. The enhanced security measure prevents the deployment of policies that directly or indirectly attempt actions that require permissions that are not allowed.
In most cases, existing policies will continue to function as expected without any issues. However, there is a possibility that policies relying on third-party libraries, or those with custom code that indirectly triggers operations requiring elevated permissions, could be affected.
To test your installation, follow the procedure in Validate policies after upgrade to 1.14.1 to validate policy behavior.
| Bug ID | Description |
|---|---|
| 385394193, 383850393, 383778273 | Security fixes for apigee-cassandra-backup-utility, apigee-cassandra-client, and apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| 383113773, 382967738 | Fixed a vulnerability in PythonScript policy. |
| 365178914 | Security fixes for apigee-cassandra-backup-utility and apigee-hybrid-cassandra. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-asm-istiod. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-hybrid-cassandra. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-mint-task-scheduler. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerability: |
| 392174215 | Security fixes for apigee-operator. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-prometheus-adapter. This addresses the following vulnerabilities: |
| 391786033 | Security fixes for apigee-watcher. This addresses the following vulnerability: |
hybrid v1.12.4
On March 1, 2025 we released an updated version of the Apigee hybrid software, 1.12.4.
This release enhances the security posture within the JavaCallout and PythonScript policies. This release does not include any new features or general bug fixes.
- For information on upgrading, see Upgrading Apigee hybrid to version 1.12.
- For information on new installations, see The big picture.
- For recommended actions after upgrading, see Validate policies after upgrade to 1.12.4.
| Bug ID | Description |
|---|---|
| 390258745, 388608440 | Any left over Cassandra snapshots are automatically removed. This fixes known issue 388608440. |
Stricter class instantiation checks included in this release.
JavaCallout policy now includes additional security during Java class instantiation. The enhanced security measure prevents the deployment of policies that directly or indirectly attempt actions that require permissions that are not allowed.
In most cases, existing policies will continue to function as expected without any issues. However, there is a possibility that policies relying on third-party libraries, or those with custom code that indirectly triggers operations requiring elevated permissions, could be affected.
To test your installation, follow the procedure in Validate policies after upgrade to 1.12.4 to validate policy behavior.
| Bug ID | Description |
|---|---|
| 391923260 | Security fixes for apigee-watcher. This addresses the following vulnerabilities: |
| 385394193, 383850393, 383778273 | Security fixes for apigee-cassandra-backup-utility, apigee-cassandra-client, and apigee-hybrid-cassandra. This addresses the following vulnerabilities: |
| 382967738 | Fixed a vulnerability in PythonScript policy. |
| 365178914 | Security fixes for apigee-cassandra-backup-utility and apigee-hybrid-cassandra. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-fluent-bit. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-fluent-bit. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-kube-rbac-proxy. This addresses the following vulnerabilities: |
| N/A | Security fixes for apigee-mint-task-scheduler. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-open-telemetry-collector. This addresses the following vulnerability: |
| N/A | Security fixes for apigee-udca. This addresses the following vulnerability: |
New Dataproc on Compute Engine subminor image versions:
- 2.0.134-debian10, 2.0.134-rocky8, 2.0.134-ubuntu18
- 2.1.82-debian11, 2.1.82-rocky8, 2.1.82-ubuntu20, 2.1.82-ubuntu20-arm
- 2.2.48-debian12, 2.2.48-rocky9, 2.2.48-ubuntu22
Dataproc on Compute Engine: Explicitly disabled sha1, md5 algorithms for use with kex and kex-gss sshd features.
Release 6.3.36 is now in General Availability.
February 28, 2025
AI ApplicationsVertex AI Search: Document-relevance scores for search results (GA)
You can ask to have a relevance score returned for each search result associated with a query. The returned score can be used to do post-search ranking or filtering of the results. This feature is available for search apps associated with structured and unstructured data stores.
This feature is Generally available (GA). For more information, see Get document-relevance score with search results.
On February 28, 2025, we released an updated version of Apigee (1-14-0-apigee-8).
| Bug ID | Description |
|---|---|
| 382883585 | Fixed a vulnerability in the JavaCallout policy. |
| N/A | Updates to security infrastructure and libraries. |
Artifact Registry is now enabled for use with Cloud KMS Autokey.
Using keys generated by Autokey can help you consistently align with industry standards and recommended practices for data security, including the HSM protection level, separation of duties, key rotation, location, and key specificity. Keys requested using Autokey function identically to other Cloud HSM keys with the same settings.
For more information, see Enabling customer-managed encryption keys. To learn more about Cloud KMS Autokey, see Autokey overview.
The IL4 and IL5 control packages now supports the following products. See Supported products by control package for more information:
- Artifact Registry
- Cloud Composer
- Cloud Run
- Cloud Tasks
- Spanner
Security Command Center adds threat detection support for Backup Vault, Backup Plans, and vaulted backups.
Security Command Center released new rules for Google Cloud Backup and DR Service. Security Command Center can now do the following:
- Detect Backup Vault deletions
- Detect Backup Plan deletions
- Detect deletion of backups stored in a Backup Vault
These detectors are available to all Security Command Center Premium and Enterprise customers. For more information, see Security Command Center for Backup and DR Service.
The Backup and DR service has added support for activating the management console and for storing backup vault data in the following regions: us-west3 (Salt Lake City), europe-west9 (Paris), me-west1 (Israel), europe-north1 (Finland), europe-west6 (Zürich), asia-northeast3 (Seoul), southamerica-west1 (Santiago).
The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.
Config Connector version 1.129.2 is now available.
New Beta resources (direct reconciler)
Reconciliation Improvements
-
- All SQLInstance types are now reconciled using the new direct controller instead of the legacy Terraform-based controller. The previous "opt-in" annotation (document reference) no longer applies. Users no longer need to apply the "opt-in" annotation to SQLInstance resources to enable the direct controller. Regardless of the presence (or absence) of an opt-in annotation on SQLInstance resources, the direct reconciler will be used.
- This change enables all SQLInstance resources to switch from edition ENTERPRISE to ENTERPRISE_PLUS and fixes the bug that prevented SQL Instance upgrade.
New Alpha resources (direct reconciler)
ManagedKafkaTopicApigeeInstanceAttachmentApigeeEnvgroupAttachmentApigeeEndpointAttachment
New recommendations of NODE_SA_MISSING_PERMISSIONS subtype are added to the portfolio of GKE Recommendations. Use the new recommendations to identify clusters with node service accounts missing IAM permissions that are critical for normal cluster operations.
If your organization has a policy to disable automatic role grants to default service accounts, the created default GKE node service account will not get the necessary permissions. Missing critical permissions can degrade your essential cluster operations, such as logging and monitoring.
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- 1Password Audit Events (
ONEPASSWORD_AUDIT_EVENTS) - AIX system (
AIX_SYSTEM) - Akamai DataStream 2 (
AKAMAI_DATASTREAM_2) - Alveo Risk Data Management (
ALVEO_RDM) - Amazon API Gateway (
AWS_API_GATEWAY) - Apache Tomcat (
TOMCAT) - Appian Cloud (
APPIAN_CLOUD) - Arcsight CEF (
ARCSIGHT_CEF) - Asset Panda (
ASSET_PANDA) - Aware Audit (
AWARE_AUDIT) - Aware Signals (
AWARE_SIGNALS) - AWS Cloudtrail (
AWS_CLOUDTRAIL) - AWS CloudWatch (
AWS_CLOUDWATCH) - AWS ECS Metrics (
AWS_ECS_METRICS) - AWS Elastic Load Balancer (
AWS_ELB) - AWS GuardDuty (
GUARDDUTY) - AWS Inspector (
AWS_INSPECTOR) - AWS Lambda Function (
AWS_LAMBDA_FUNCTION) - AWS RDS (
AWS_RDS) - AWS Redshift (
AWS_REDSHIFT) - AWS Route 53 DNS (
AWS_ROUTE_53) - AWS Security Hub (
AWS_SECURITY_HUB) - AWS VPC Flow (
AWS_VPC_FLOW) - AWS WAF (
AWS_WAF) - Azure AD Directory Audit (
AZURE_AD_AUDIT) - Azure AD Organizational Context (
AZURE_AD_CONTEXT) - Azure Application Gateway (
AZURE_GATEWAY) - Azure Firewall (
AZURE_FIREWALL) - Azure Key Vault logging (
AZURE_KEYVAULT_AUDIT) - Barracuda CloudGen Firewall (
BARRACUDA_CLOUDGEN_FIREWALL) - Barracuda WAF (
BARRACUDA_WAF) - BeyondTrust BeyondInsight (
BEYONDTRUST_BEYONDINSIGHT) - Blue Coat Proxy (
BLUECOAT_WEBPROXY) - Broadcom Support Portal Audit Logs (
BROADCOM_SUPPORT_PORTAL) - Cato Networks (
CATO_NETWORKS) - Cequence Bot Defense (
CEQUENCE_BOT_DEFENSE) - Check Point (
CHECKPOINT_FIREWALL) - ChromeOS XDR (
CHROMEOS_XDR) - Cisco Email Security (
CISCO_EMAIL_SECURITY) - Cisco EStreamer (
CISCO_ESTREAMER) - Cisco Firepower NGFW (
CISCO_FIREPOWER_FIREWALL) - Cisco FireSIGHT Management Center (
CISCO_FIRESIGHT) - Cisco Internetwork Operating System (
CISCO_IOS) - Cisco IronPort (
CISCO_IRONPORT) - Cisco ISE (
CISCO_ISE) - Cisco NX-OS (
CISCO_NX_OS) - Cisco Switch (
CISCO_SWITCH) - Cisco Umbrella Cloud Firewall (
UMBRELLA_FIREWALL) - Cisco vManage SD-WAN (
CISCO_SDWAN) - Cisco VPN (
CISCO_VPN) - Citrix Netscaler (
CITRIX_NETSCALER) - Citrix Storefront (
CITRIX_STOREFRONT) - Claroty Xdome (
CLAROTY_XDOME) - Cloud Audit Logs (
N/A) - Cloud Data Loss Prevention (
N/A) - Cloudflare Network Analytics (
CLOUDFLARE_NETWORK_ANALYTICS) - Cloudflare WAF (
CLOUDFLARE_WAF) - Cloudflare Warp (
CLOUDFLARE_WARP) - CommVault (
COMMVAULT) - CrowdStrike Detection Monitoring (
CS_DETECTS) - CrowdStrike Falcon (
CS_EDR) - CrowdStrike Falcon Stream (
CS_STREAM) - Crowdstrike Identity Protection Services (
CS_IDP) - CrushFTP (
CRUSHFTP) - Custom Application Access Logs (
CUSTOM_APPLICATION_ACCESS) - CyberArk Privileged Access Manager (PAM) (
CYBERARK_PAM) - Cybereason EDR (
CYBEREASON_EDR) - Cyolo Secure Remote Access for OT (
CYOLO_OT) - Datadog (
DATADOG) - Delinea Secret Server (
DELINEA_SECRET_SERVER) - Dell CyberSense (
DELL_CYBERSENSE) - Digicert (
DIGICERT) - Edgio WAF (
EDGIO_WAF) - Elastic Packet Beats (
ELASTIC_PACKETBEATS) - F5 ASM (
F5_ASM) - F5 DNS (
F5_DNS) - Forcepoint DLP (
FORCEPOINT_DLP) - Forcepoint NGFW (
FORCEPOINT_FIREWALL) - Forgerock OpenIdM (
FORGEROCK_OPENIDM) - FortiGate (
FORTINET_FIREWALL) - Fortinet FortiAnalyzer (
FORTINET_FORTIANALYZER) - Fortinet Fortimanager (
FORTINET_FORTIMANAGER) - Fortinet Web Application Firewall (
FORTINET_FORTIWEB) - GitHub (
GITHUB) - Gitlab (
GITLAB) - Harness IO (
HARNESS_IO) - Hashicorp Vault (
HASHICORP) - Hillstone Firewall (
HILLSTONE_NGFW) - Huawei Switches (
HUAWEI_SWITCH) - IBM Guardium (
GUARDIUM) - Imperva Database (
IMPERVA_DB) - Intel Endpoint Management Assistant (
INTEL_EMA) - JAMF Security Cloud (
JAMF_SECURITY_CLOUD) - JFrog Artifactory (
JFROG_ARTIFACTORY) - JumpCloud Directory Insights (
JUMPCLOUD_DIRECTORY_INSIGHTS) - Juniper (
JUNIPER_FIREWALL) - Kaspersky AV (
KASPERSKY_AV) - Kaspersky Endpoint (
KASPERSKY_ENDPOINT) - Kolide Endpoint Security (
KOLIDE) - Kubernetes Audit (
KUBERNETES_AUDIT) - Layer7 SiteMinder (
SITEMINDER_SSO) - Linux Auditing System (AuditD) (
AUDITD) - Looker Audit (
LOOKER_AUDIT) - ManageEngine ADAudit Plus (
ADAUDIT_PLUS) - ManageEngine ADManager Plus (
ADMANAGER_PLUS) - McAfee Web Gateway (
MCAFEE_WEBPROXY) - Metabase (
METABASE) - Microsoft AD FS (
ADFS) - Microsoft Azure Activity (
AZURE_ACTIVITY) - Microsoft Azure NSG Flow (
AZURE_NSG_FLOW) - Microsoft CyberX (
CYBERX) - Microsoft Defender for Endpoint (
MICROSOFT_DEFENDER_ENDPOINT) - Microsoft Defender for Identity (
MICROSOFT_DEFENDER_IDENTITY) - Microsoft Defender for Office 365 (
MICROSOFT_DEFENDER_MAIL) - Microsoft IIS (
IIS) - Microsoft PowerShell (
POWERSHELL) - Microsoft Sentinel (
MICROSOFT_SENTINEL) - Microsoft System Center Endpoint Protection (
MICROSOFT_SCEP) - Mikrotik Router (
MIKROTIK_ROUTER) - Mimecast (
MIMECAST_MAIL) - MISP Threat Intelligence (
MISP_IOC) - NetIQ eDirectory (
NETIQ_EDIRECTORY) - Netskope V2 (
NETSKOPE_ALERT_V2) - Nozomi Networks Scada Guardian (
NOZOMI_GUARDIAN) - Office 365 (
OFFICE_365) - Okta (
OKTA) - Okta User Context (
OKTA_USER_CONTEXT) - One Identity Identity Manager (
ONE_IDENTITY_IDENTITY_MANAGER) - Oort Security Tool (
OORT) - Open Cybersecurity Schema Framework (OCSF) (
OCSF) - Open LDAP (
OPENLDAP) - Opnsense (
OPNSENSE) - Ops Genie (
OPS_GENIE) - Oracle (
ORACLE_DB) - Oracle Cloud Guard (
OCI_CLOUDGUARD) - Oracle Cloud Infrastructure Audit Logs (
OCI_AUDIT) - Orca Cloud Security Platform (
ORCA) - Palo Alto Cortex XDR Alerts (
CORTEX_XDR) - Palo Alto Networks Firewall (
PAN_FIREWALL) - Palo Alto Panorama (
PAN_PANORAMA) - Palo Alto Prisma Access (
PAN_CASB) - Palo Alto Prisma Cloud Alert payload (
PAN_PRISMA_CA) - Pharos (
PHAROS) - Privacy-I (
PRIVACY_I) - Proofpoint On Demand (
PROOFPOINT_ON_DEMAND) - Proofpoint Tap Alerts (
PROOFPOINT_MAIL) - Proofpoint Threat Response (
PROOFPOINT_TRAP) - Radware Web Application Firewall (
RADWARE_FIREWALL) - ReviveSec (
REVIVESEC) - Rubrik (
RUBRIK) - Salesforce (
SALESFORCE) - Sangfor Proxy (
SANGFOR_PROXY) - Security Command Center Posture Violation (
GCP_SECURITYCENTER_POSTURE_VIOLATION) - Security Command Center Threat (
N/A) - Security Command Center Toxic Combination (
GCP_SECURITYCENTER_TOXIC_COMBINATION) - ServiceNow CMDB (
SERVICENOW_CMDB) - Snare System Diagnostic Logs (
SNARE_SOLUTIONS) - Snipe-IT (
SNIPE_IT) - Snyk Group level audit/issues logs (
SNYK_ISSUES) - SonicWall (
SONIC_FIREWALL) - Sophos Central (
SOPHOS_CENTRAL) - Swimlane Platform (
SWIMLANE) - Symantec DLP (
SYMANTEC_DLP) - Symantec Event export (
SYMANTEC_EVENT_EXPORT) - Symantec Web Security Service (
SYMANTEC_WSS) - Tanium Question (
TANIUM_QUESTION) - Tanium Threat Response (
TANIUM_THREAT_RESPONSE) - Teleport Access Plane (
TELEPORT_ACCESS_PLANE) - Tenable Active Directory Security (
TENABLE_ADS) - Tenable CSPM (
TENABLE_CSPM) - tenable.io (
TENABLE_IO) - Terraform Enterprise Audit (
TERRAFORM_ENTERPRISE) - Thinkst Canary (
THINKST_CANARY) - ThreatX WAF (
THREATX_WAF) - Trend Micro Email Security Advanced (
TRENDMICRO_EMAIL_SECURITY) - Trend Micro Vision One (
TRENDMICRO_VISION_ONE) - TrendMicro Apex Central (
TRENDMICRO_APEX_CENTRAL) - TXOne Stellar (
TRENDMICRO_STELLAR) - UKG (
UKG) - Unix system (
NIX_SYSTEM) - UPX AntiDDoS (
UPX_ANTIDDOS) - VanDyke SFTP (
VANDYKE_SFTP) - Varonis (
VARONIS) - Vectra Alerts (
VECTRA_ALERTS) - Vectra Stream (
VECTRA_STREAM) - VMware AirWatch (
AIRWATCH) - Vmware Avinetworks iWAF (
VMWARE_AVINETWORKS_IWAF) - VMware ESXi (
VMWARE_ESX) - VMware Horizon (
VMWARE_HORIZON) - Watchguard EDR (
WATCHGUARD_EDR) - Windows Defender AV (
WINDOWS_DEFENDER_AV) - Windows DHCP (
WINDOWS_DHCP) - Windows DNS (
WINDOWS_DNS) - Windows Event (
WINEVTLOG) - Windows Event (XML) (
WINEVTLOG_XML) - Windows Sysmon (
WINDOWS_SYSMON) - Workday Audit Logs (
WORKDAY_AUDIT) - Workday User Activity (
WORKDAY_USER_ACTIVITY) - WPEngine (
WPENGINE) - Zimperium (
ZIMPERIUM) - Zscaler (
ZSCALER_WEBPROXY) - ZScaler DNS (
ZSCALER_DNS) - Zscaler Internet Access Audit Logs (
ZSCALER_INTERNET_ACCESS) - ZScaler NGFW (
ZSCALER_FIREWALL)
The following log types were added without a default parser. Each parser is listed by product name and log_type value, if applicable.
- Autodesk Cad Cam (
AUTODESK_CAD_CAM) - Azure Risk Events (
AZURE_RISK_EVENTS) - Azure Risky Users (
AZURE_RISKY_USERS) - Azure Service Principal Logins (
AZURE_SERVICE_PRINCIPAL_LOGINS) - Belden Switch (
BELDEN_SWITCH) - Blue Voyant (
BLUE_VOYANT) - Cisco NetFlow (
CISCO_NETFLOW) - Citrix Receiver (
CSG_CITRIX_RX) - Clavistier Firewall (
CLAVISTER_FIREWALL) - ClickHouse (
CLICKHOUSE) - Cloudflare Pageshield (
CLOUDFLARE_PAGESHIELD) - CrowdStrike DLP (
CROWDSTRIKE_DLP) - Crowdstrike Recon (TI) (
CROWDSTRIKE_RECON) - Cynerio Healthcare NDR (
CYNERIO_NDR_H) - Exterro FTK Central (
EXTERRO_FTK_CENTRAL) - Fortra Vulnerability Management (
FORTRA_VM) - GCP Cloud Asset Inventory (
GCP_CLOUD_ASSET_INVENTORY) - Health ISAC (
H_ISAC) - HP Router (
HP_ROUTER) - Huawei Wireless (
HUAWEI_WIRELESS) - IBM Sense (
IBM_SENSE) - IIJ_LanScope (
IIJ_LANSCOPE) - Joblogic (
JOBLOGIC) - OneIdentity Safeguard (
ONEIDENTITY_SAFEGUARD) - OpenText Cordy (
OPENTEXT_CORDY) - Pave (
PAVE) - Proofpoint Identity Threat Platform (
PROOFPOINT_IDENTITY_THREAT_PLATFORM) - Rapid Identity (
RAPID_IDENTITY) - Raven DB (
RAVEN_DB) - SolidServer (
SOLIDSERVER) - Spacelift (
SPACELIFT) - Trend Micro Vision One Activity (
TRENDMICRO_VISION_ONE_ACTIVITY) - Trend Micro Vision One Container Vulnerabilities (
TRENDMICRO_VISION_ONE_CONTAINER_VULNERABILITIES) - Trend Micro Vision One Detections (
TRENDMICRO_VISION_ONE_DETECTIONS) - Vectra XDR (
VECTRA_XDR) - Vicarious VRX Events (
VICARIUS_VRX_EVENTS) - WireGuard VPN Logs (
WIREGUARD_VPN) - Zero Networks (
ZERO_NETWORKS) - Zoho Assist (
ZOHO_ASSIST)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- 1Password Audit Events (
ONEPASSWORD_AUDIT_EVENTS) - AIX system (
AIX_SYSTEM) - Akamai DataStream 2 (
AKAMAI_DATASTREAM_2) - Alveo Risk Data Management (
ALVEO_RDM) - Amazon API Gateway (
AWS_API_GATEWAY) - Apache Tomcat (
TOMCAT) - Appian Cloud (
APPIAN_CLOUD) - Arcsight CEF (
ARCSIGHT_CEF) - Asset Panda (
ASSET_PANDA) - Aware Audit (
AWARE_AUDIT) - Aware Signals (
AWARE_SIGNALS) - AWS Cloudtrail (
AWS_CLOUDTRAIL) - AWS CloudWatch (
AWS_CLOUDWATCH) - AWS ECS Metrics (
AWS_ECS_METRICS) - AWS Elastic Load Balancer (
AWS_ELB) - AWS GuardDuty (
GUARDDUTY) - AWS Inspector (
AWS_INSPECTOR) - AWS Lambda Function (
AWS_LAMBDA_FUNCTION) - AWS RDS (
AWS_RDS) - AWS Redshift (
AWS_REDSHIFT) - AWS Route 53 DNS (
AWS_ROUTE_53) - AWS Security Hub (
AWS_SECURITY_HUB) - AWS VPC Flow (
AWS_VPC_FLOW) - AWS WAF (
AWS_WAF) - Azure AD Directory Audit (
AZURE_AD_AUDIT) - Azure AD Organizational Context (
AZURE_AD_CONTEXT) - Azure Application Gateway (
AZURE_GATEWAY) - Azure Firewall (
AZURE_FIREWALL) - Azure Key Vault logging (
AZURE_KEYVAULT_AUDIT) - Barracuda CloudGen Firewall (
BARRACUDA_CLOUDGEN_FIREWALL) - Barracuda WAF (
BARRACUDA_WAF) - BeyondTrust BeyondInsight (
BEYONDTRUST_BEYONDINSIGHT) - Blue Coat Proxy (
BLUECOAT_WEBPROXY) - Broadcom Support Portal Audit Logs (
BROADCOM_SUPPORT_PORTAL) - Cato Networks (
CATO_NETWORKS) - Cequence Bot Defense (
CEQUENCE_BOT_DEFENSE) - Check Point (
CHECKPOINT_FIREWALL) - ChromeOS XDR (
CHROMEOS_XDR) - Cisco Email Security (
CISCO_EMAIL_SECURITY) - Cisco EStreamer (
CISCO_ESTREAMER) - Cisco Firepower NGFW (
CISCO_FIREPOWER_FIREWALL) - Cisco FireSIGHT Management Center (
CISCO_FIRESIGHT) - Cisco Internetwork Operating System (
CISCO_IOS) - Cisco IronPort (
CISCO_IRONPORT) - Cisco ISE (
CISCO_ISE) - Cisco NX-OS (
CISCO_NX_OS) - Cisco Switch (
CISCO_SWITCH) - Cisco Umbrella Cloud Firewall (
UMBRELLA_FIREWALL) - Cisco vManage SD-WAN (
CISCO_SDWAN) - Cisco VPN (
CISCO_VPN) - Citrix Netscaler (
CITRIX_NETSCALER) - Citrix Storefront (
CITRIX_STOREFRONT) - Claroty Xdome (
CLAROTY_XDOME) - Cloud Audit Logs (
N/A) - Cloud Data Loss Prevention (
N/A) - Cloudflare Network Analytics (
CLOUDFLARE_NETWORK_ANALYTICS) - Cloudflare WAF (
CLOUDFLARE_WAF) - Cloudflare Warp (
CLOUDFLARE_WARP) - CommVault (
COMMVAULT) - CrowdStrike Detection Monitoring (
CS_DETECTS) - CrowdStrike Falcon (
CS_EDR) - CrowdStrike Falcon Stream (
CS_STREAM) - Crowdstrike Identity Protection Services (
CS_IDP) - CrushFTP (
CRUSHFTP) - Custom Application Access Logs (
CUSTOM_APPLICATION_ACCESS) - CyberArk Privileged Access Manager (PAM) (
CYBERARK_PAM) - Cybereason EDR (
CYBEREASON_EDR) - Cyolo Secure Remote Access for OT (
CYOLO_OT) - Datadog (
DATADOG) - Delinea Secret Server (
DELINEA_SECRET_SERVER) - Dell CyberSense (
DELL_CYBERSENSE) - Digicert (
DIGICERT) - Edgio WAF (
EDGIO_WAF) - Elastic Packet Beats (
ELASTIC_PACKETBEATS) - F5 ASM (
F5_ASM) - F5 DNS (
F5_DNS) - Forcepoint DLP (
FORCEPOINT_DLP) - Forcepoint NGFW (
FORCEPOINT_FIREWALL) - Forgerock OpenIdM (
FORGEROCK_OPENIDM) - FortiGate (
FORTINET_FIREWALL) - Fortinet FortiAnalyzer (
FORTINET_FORTIANALYZER) - Fortinet Fortimanager (
FORTINET_FORTIMANAGER) - Fortinet Web Application Firewall (
FORTINET_FORTIWEB) - GitHub (
GITHUB) - Gitlab (
GITLAB) - Harness IO (
HARNESS_IO) - Hashicorp Vault (
HASHICORP) - Hillstone Firewall (
HILLSTONE_NGFW) - Huawei Switches (
HUAWEI_SWITCH) - IBM Guardium (
GUARDIUM) - Imperva Database (
IMPERVA_DB) - Intel Endpoint Management Assistant (
INTEL_EMA) - JAMF Security Cloud (
JAMF_SECURITY_CLOUD) - JFrog Artifactory (
JFROG_ARTIFACTORY) - JumpCloud Directory Insights (
JUMPCLOUD_DIRECTORY_INSIGHTS) - Juniper (
JUNIPER_FIREWALL) - Kaspersky AV (
KASPERSKY_AV) - Kaspersky Endpoint (
KASPERSKY_ENDPOINT) - Kolide Endpoint Security (
KOLIDE) - Kubernetes Audit (
KUBERNETES_AUDIT) - Layer7 SiteMinder (
SITEMINDER_SSO) - Linux Auditing System (AuditD) (
AUDITD) - Looker Audit (
LOOKER_AUDIT) - ManageEngine ADAudit Plus (
ADAUDIT_PLUS) - ManageEngine ADManager Plus (
ADMANAGER_PLUS) - McAfee Web Gateway (
MCAFEE_WEBPROXY) - Metabase (
METABASE) - Microsoft AD FS (
ADFS) - Microsoft Azure Activity (
AZURE_ACTIVITY) - Microsoft Azure NSG Flow (
AZURE_NSG_FLOW) - Microsoft CyberX (
CYBERX) - Microsoft Defender for Endpoint (
MICROSOFT_DEFENDER_ENDPOINT) - Microsoft Defender for Identity (
MICROSOFT_DEFENDER_IDENTITY) - Microsoft Defender for Office 365 (
MICROSOFT_DEFENDER_MAIL) - Microsoft IIS (
IIS) - Microsoft PowerShell (
POWERSHELL) - Microsoft Sentinel (
MICROSOFT_SENTINEL) - Microsoft System Center Endpoint Protection (
MICROSOFT_SCEP) - Mikrotik Router (
MIKROTIK_ROUTER) - Mimecast (
MIMECAST_MAIL) - MISP Threat Intelligence (
MISP_IOC) - NetIQ eDirectory (
NETIQ_EDIRECTORY) - Netskope V2 (
NETSKOPE_ALERT_V2) - Nozomi Networks Scada Guardian (
NOZOMI_GUARDIAN) - Office 365 (
OFFICE_365) - Okta (
OKTA) - Okta User Context (
OKTA_USER_CONTEXT) - One Identity Identity Manager (
ONE_IDENTITY_IDENTITY_MANAGER) - Oort Security Tool (
OORT) - Open Cybersecurity Schema Framework (OCSF) (
OCSF) - Open LDAP (
OPENLDAP) - Opnsense (
OPNSENSE) - Ops Genie (
OPS_GENIE) - Oracle (
ORACLE_DB) - Oracle Cloud Guard (
OCI_CLOUDGUARD) - Oracle Cloud Infrastructure Audit Logs (
OCI_AUDIT) - Orca Cloud Security Platform (
ORCA) - Palo Alto Cortex XDR Alerts (
CORTEX_XDR) - Palo Alto Networks Firewall (
PAN_FIREWALL) - Palo Alto Panorama (
PAN_PANORAMA) - Palo Alto Prisma Access (
PAN_CASB) - Palo Alto Prisma Cloud Alert payload (
PAN_PRISMA_CA) - Pharos (
PHAROS) - Privacy-I (
PRIVACY_I) - Proofpoint On Demand (
PROOFPOINT_ON_DEMAND) - Proofpoint Tap Alerts (
PROOFPOINT_MAIL) - Proofpoint Threat Response (
PROOFPOINT_TRAP) - Radware Web Application Firewall (
RADWARE_FIREWALL) - ReviveSec (
REVIVESEC) - Rubrik (
RUBRIK) - Salesforce (
SALESFORCE) - Sangfor Proxy (
SANGFOR_PROXY) - Security Command Center Posture Violation (
GCP_SECURITYCENTER_POSTURE_VIOLATION) - Security Command Center Threat (
N/A) - Security Command Center Toxic Combination (
GCP_SECURITYCENTER_TOXIC_COMBINATION) - ServiceNow CMDB (
SERVICENOW_CMDB) - Snare System Diagnostic Logs (
SNARE_SOLUTIONS) - Snipe-IT (
SNIPE_IT) - Snyk Group level audit/issues logs (
SNYK_ISSUES) - SonicWall (
SONIC_FIREWALL) - Sophos Central (
SOPHOS_CENTRAL) - Swimlane Platform (
SWIMLANE) - Symantec DLP (
SYMANTEC_DLP) - Symantec Event export (
SYMANTEC_EVENT_EXPORT) - Symantec Web Security Service (
SYMANTEC_WSS) - Tanium Question (
TANIUM_QUESTION) - Tanium Threat Response (
TANIUM_THREAT_RESPONSE) - Teleport Access Plane (
TELEPORT_ACCESS_PLANE) - Tenable Active Directory Security (
TENABLE_ADS) - Tenable CSPM (
TENABLE_CSPM) - tenable.io (
TENABLE_IO) - Terraform Enterprise Audit (
TERRAFORM_ENTERPRISE) - Thinkst Canary (
THINKST_CANARY) - ThreatX WAF (
THREATX_WAF) - Trend Micro Email Security Advanced (
TRENDMICRO_EMAIL_SECURITY) - Trend Micro Vision One (
TRENDMICRO_VISION_ONE) - TrendMicro Apex Central (
TRENDMICRO_APEX_CENTRAL) - TXOne Stellar (
TRENDMICRO_STELLAR) - UKG (
UKG) - Unix system (
NIX_SYSTEM) - UPX AntiDDoS (
UPX_ANTIDDOS) - VanDyke SFTP (
VANDYKE_SFTP) - Varonis (
VARONIS) - Vectra Alerts (
VECTRA_ALERTS) - Vectra Stream (
VECTRA_STREAM) - VMware AirWatch (
AIRWATCH) - Vmware Avinetworks iWAF (
VMWARE_AVINETWORKS_IWAF) - VMware ESXi (
VMWARE_ESX) - VMware Horizon (
VMWARE_HORIZON) - Watchguard EDR (
WATCHGUARD_EDR) - Windows Defender AV (
WINDOWS_DEFENDER_AV) - Windows DHCP (
WINDOWS_DHCP) - Windows DNS (
WINDOWS_DNS) - Windows Event (
WINEVTLOG) - Windows Event (XML) (
WINEVTLOG_XML) - Windows Sysmon (
WINDOWS_SYSMON) - Workday Audit Logs (
WORKDAY_AUDIT) - Workday User Activity (
WORKDAY_USER_ACTIVITY) - WPEngine (
WPENGINE) - Zimperium (
ZIMPERIUM) - Zscaler (
ZSCALER_WEBPROXY) - ZScaler DNS (
ZSCALER_DNS) - Zscaler Internet Access Audit Logs (
ZSCALER_INTERNET_ACCESS) - ZScaler NGFW (
ZSCALER_FIREWALL)
The following log types were added without a default parser. Each parser is listed by product name and log_type value, if applicable.
- Autodesk Cad Cam (
AUTODESK_CAD_CAM) - Azure Risk Events (
AZURE_RISK_EVENTS) - Azure Risky Users (
AZURE_RISKY_USERS) - Azure Service Principal Logins (
AZURE_SERVICE_PRINCIPAL_LOGINS) - Belden Switch (
BELDEN_SWITCH) - Blue Voyant (
BLUE_VOYANT) - Cisco NetFlow (
CISCO_NETFLOW) - Citrix Receiver (
CSG_CITRIX_RX) - Clavistier Firewall (
CLAVISTER_FIREWALL) - ClickHouse (
CLICKHOUSE) - Cloudflare Pageshield (
CLOUDFLARE_PAGESHIELD) - CrowdStrike DLP (
CROWDSTRIKE_DLP) - Crowdstrike Recon (TI) (
CROWDSTRIKE_RECON) - Cynerio Healthcare NDR (
CYNERIO_NDR_H) - Exterro FTK Central (
EXTERRO_FTK_CENTRAL) - Fortra Vulnerability Management (
FORTRA_VM) - GCP Cloud Asset Inventory (
GCP_CLOUD_ASSET_INVENTORY) - Health ISAC (
H_ISAC) - HP Router (
HP_ROUTER) - Huawei Wireless (
HUAWEI_WIRELESS) - IBM Sense (
IBM_SENSE) - IIJ_LanScope (
IIJ_LANSCOPE) - Joblogic (
JOBLOGIC) - OneIdentity Safeguard (
ONEIDENTITY_SAFEGUARD) - OpenText Cordy (
OPENTEXT_CORDY) - Pave (
PAVE) - Proofpoint Identity Threat Platform (
PROOFPOINT_IDENTITY_THREAT_PLATFORM) - Rapid Identity (
RAPID_IDENTITY) - Raven DB (
RAVEN_DB) - SolidServer (
SOLIDSERVER) - Spacelift (
SPACELIFT) - Trend Micro Vision One Activity (
TRENDMICRO_VISION_ONE_ACTIVITY) - Trend Micro Vision One Container Vulnerabilities (
TRENDMICRO_VISION_ONE_CONTAINER_VULNERABILITIES) - Trend Micro Vision One Detections (
TRENDMICRO_VISION_ONE_DETECTIONS) - Vectra XDR (
VECTRA_XDR) - Vicarious VRX Events (
VICARIUS_VRX_EVENTS) - WireGuard VPN Logs (
WIREGUARD_VPN) - Zero Networks (
ZERO_NETWORKS) - Zoho Assist (
ZOHO_ASSIST)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
Parameter Manager, currently in Preview, now offers a console for storing, accessing, and managing the lifecycle of your workload parameters. For more information, see the Parameter Manager documentation.
Event Threat Detection, a built-in service of Security Command Center, has released new detectors. The following detectors, which are available in Preview with the Enterprise and Premium tiers of Security Command Center, allow users to manage threats to their Google Cloud Backup and Disaster Recovery assets in Security Command Center:
BACKUP_DELETE_VAULTBACKUP_DELETE_VAULT_BACKUPBACKUP_DELETE_BACKUP_PLAN_ASSOCIATION
In addition, we updated the existing BACKUP_REMOVE_PLAN detector to support findings on Google Cloud Backup and Disaster Recovery assets that are managed in the Google Cloud console. This detector will dynamically generate finding descriptions based on the finding source.
Full-text search is now generally available for PostgreSQL-dialect databases.
A monthly digest of client library updates from across the Cloud SDK.
Go
Changes for spanner/admin/database/apiv1
1.74.0 (2025-01-24)
Features
- spanner/admin/instance: Exposing FreeInstanceAvailability in InstanceConfig (4254053)
- spanner/admin/instance: Exposing FreeInstanceMetadata in Instance configuration (to define the metadata related to FREE instance type) (4254053)
- spanner/admin/instance: Exposing InstanceType in Instance configuration (to define PROVISIONED or FREE spanner instance) (4254053)
- spanner/admin/instance: Exposing QuorumType in InstanceConfig (4254053)
- spanner/admin/instance: Exposing storage_limit_per_processing_unit in InstanceConfig (4254053)
- spanner: Add the last statement option to ExecuteSqlRequest and ExecuteBatchDmlRequest (8dedb87)
- spanner: Add UUID in Spanner TypeCode enum (46fc993)
- spanner: Implement generation and propagation of "x-goog-spanner-request-id" Header (#11048) (10960c1)
Bug Fixes
- spanner/spansql: PROTO BUNDLE and protobuf type parsing fixes (#11279) (b1ca714)
- spanner/test/opentelemetry/test: Update golang.org/x/net to v0.33.0 (e9b0b69)
- spanner: ReadWriteStmtBasedTransaction would not remember options for retries (#11443) (7d8f0c5)
- spanner: Support setting monitoring host via env and override any endpoint override from spanner options with default one (#11141) (3d61545)
- spanner: Update golang.org/x/net to v0.33.0 (e9b0b69)
Documentation
- spanner/admin/database: Fix typo timzeone -> timezone (a694e11)
- spanner/admin/instance: A comment for enum
DefaultBackupScheduleTypeis changed (4254053) - spanner/admin/instance: A comment for enum value
AUTOMATICin enumDefaultBackupScheduleTypeis changed (4254053) - spanner/admin/instance: A comment for enum value
GOOGLE_MANAGEDin enumTypeis changed (4254053) - spanner/admin/instance: A comment for enum value
NONEin enumDefaultBackupScheduleTypeis changed (4254053) - spanner/admin/instance: A comment for enum value
USER_MANAGEDin enumTypeis changed (4254053) - spanner/admin/instance: A comment for field
base_configin message.google.spanner.admin.instance.v1.InstanceConfigis changed (4254053) - spanner/admin/instance: A comment for field
default_backup_schedule_typein message.google.spanner.admin.instance.v1.Instanceis changed (4254053) - spanner/admin/instance: A comment for field
filterin message.google.spanner.admin.instance.v1.ListInstanceConfigOperationsRequestis changed (4254053) - spanner/admin/instance: A comment for field
filterin message.google.spanner.admin.instance.v1.ListInstancePartitionOperationsRequestis changed (4254053) - spanner/admin/instance: A comment for field
instance_configin message.google.spanner.admin.instance.v1.CreateInstanceConfigRequestis changed (4254053) - spanner/admin/instance: A comment for field
instance_partition_deadlinein message.google.spanner.admin.instance.v1.ListInstancePartitionOperationsRequestis changed (4254053) - spanner/admin/instance: A comment for field
locationin message.google.spanner.admin.instance.v1.ReplicaInfois changed (4254053) - spanner/admin/instance: A comment for field
node_countin message.google.spanner.admin.instance.v1.Instanceis changed (4254053) - spanner/admin/instance: A comment for field
node_countin message.google.spanner.admin.instance.v1.InstancePartitionis changed (4254053) - spanner/admin/instance: A comment for field
operationsin message.google.spanner.admin.instance.v1.ListInstanceConfigOperationsResponseis changed (4254053) - spanner/admin/instance: A comment for field
operationsin message.google.spanner.admin.instance.v1.ListInstancePartitionOperationsResponseis changed (4254053) - spanner/admin/instance: A comment for field
optional_replicasin message.google.spanner.admin.instance.v1.InstanceConfigis changed (4254053) - spanner/admin/instance: A comment for field
parentin message.google.spanner.admin.instance.v1.ListInstancePartitionsRequestis changed (4254053) - spanner/admin/instance: A comment for field
processing_unitsin message.google.spanner.admin.instance.v1.Instanceis changed (4254053) - spanner/admin/instance: A comment for field
processing_unitsin message.google.spanner.admin.instance.v1.InstancePartitionis changed (4254053) - spanner/admin/instance: A comment for field
referencing_backupsin message.google.spanner.admin.instance.v1.InstancePartitionis changed (4254053) - spanner/admin/instance: A comment for field
replicasin message.google.spanner.admin.instance.v1.InstanceConfigis changed (4254053) - spanner/admin/instance: A comment for field
storage_utilization_percentin message.google.spanner.admin.instance.v1.AutoscalingConfigis changed (4254053) - spanner/admin/instance: A comment for field
unreachablein message.google.spanner.admin.instance.v1.ListInstancePartitionsResponseis changed (4254053) - spanner/admin/instance: A comment for message
CreateInstanceConfigRequestis changed (4254053) - spanner/admin/instance: A comment for message
DeleteInstanceConfigRequestis changed (4254053) - spanner/admin/instance: A comment for message
UpdateInstanceConfigRequestis changed (4254053) - spanner/admin/instance: A comment for method
CreateInstancein serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
CreateInstanceConfigin serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
CreateInstancePartitionin serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
ListInstanceConfigOperationsin serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
ListInstanceConfigsin serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
ListInstancePartitionOperationsin serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
MoveInstancein serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
UpdateInstancein serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
UpdateInstanceConfigin serviceInstanceAdminis changed (4254053) - spanner/admin/instance: A comment for method
UpdateInstancePartitionin serviceInstanceAdminis changed (4254053)
1.75.0 (2025-02-02)
Features
- spanner/admin/database: Add AddSplitPoints API (59fe58a)
Bug Fixes
- spanner: Inject "x-goog-spanner-request-id" into outgoing client context (#11544) (a8f16ef), refs #11543
1.76.0 (2025-02-20)
DO NOT USE This version is retracted due to https://github.com/googleapis/google-cloud-go/issues/11630, use version >=v1.76.1
Features
- spanner/admin/database: Add instance partitions field in backup proto (c6a6dc7)
- spanner: Support multiplexed session for read-write transactions & partition ops (#11615) (4b40201)
Performance Improvements
1.76.1 (2025-02-21)
Bug Fixes
Java
Changes for google-cloud-spanner
6.86.0 (2025-01-31)
Features
- Add sample for asymmetric autoscaling instances (#3562) (3584b81)
- Support graph and pipe queries in Connection API (#3586) (71c3063)
Bug Fixes
- Always add instance-id for built-in metrics (#3612) (705b627)
- deps: Update the Java code generator (gapic-generator-java) to 2.51.1 (3e27251)
- deps: Update the Java code generator (gapic-generator-java) to 2.52.0 (bf69673)
- spanner: Moved mTLSContext configurator from builder to construtor (#3605) (ac7c30b)
Dependencies
- Update dependency com.google.cloud:sdk-platform-java-config to v3.42.0 (#3616) (2ea59f0)
- Update dependency io.opentelemetry:opentelemetry-bom to v1.46.0 (#3530) (d505850)
Documentation
- Clarify how async updates can overtake each other (#3581) (1be250f)
- Fix typo timzeone -> timezone (bf69673)
- Fixed parameter arguments for AbstractResultSet's Listener's on TransactionMetadata doc (#3602) (1f143a4)
- samples: Add samples and tests for change streams transaction exclusion (#3098) (1f81600)
6.87.0 (2025-02-20)
Features
- Add AddSplitPoints API (a5ebcd3)
- Add option for multiplexed sessions with partitioned operations (#3635) (dc89b4d)
- Add option to indicate that a statement is the last in a transaction (#3647) (b04ea80)
- Adding gfe_latencies metric to built-in metrics (#3490) (314dadc)
- spanner: Support multiplexed session for read-write transactions (#3608) (bda78ed)
Bug Fixes
- deps: Update the Java code generator (gapic-generator-java) to 2.53.0 (20a3d0d)
- spanner: End spans for read-write methods (#3629) (4a1f99c)
- spanner: Release resources in TransactionManager (#3638) (e0a3e5b)
Dependencies
Node.js
Changes for @google-cloud/spanner
7.18.0 (2025-01-29)
Features
7.18.1 (2025-02-05)
Bug Fixes
Python
Changes for google-cloud-spanner
3.52.0 (2025-02-19)
Features
- Add additional opentelemetry span events for session pool (a6811af)
- Add GCP standard otel attributes for python client (#1308) (0839f98)
- Add updated span events + trace more methods (#1259) (ad69c48)
- MetricsTracer implementation (#1291) (8fbde6b)
- Support GRAPH and pipe syntax in dbapi (#1285) (959bb9c)
- Support transaction and request tags in dbapi (#1262) (ee9662f)
- x-goog-spanner-request-id: Introduce AtomicCounter (#1275) (f2483e1)
Bug Fixes
- Retry UNAVAILABLE errors for streaming RPCs (#1278) (ab31078), closes #1150
- tracing: Ensure nesting of Transaction.begin under commit + fix suggestions from feature review (#1287) (d9ee75a)
- tracing: Only set span.status=OK if UNSET (#1248) (1d393fe), closes #1246
- Update retry strategy for mutation calls to handle aborted transactions (#1279) (0887eb4)
Accessing supported global Google APIs through Private Service Connect backends is available in General Availability.
Support to create and manage tags is available. You can use tags to group workflows and other resources for reporting, auditing, and access control.
February 27, 2025
AlloyDB for PostgreSQLAlloyDB's cross-region replication supports up to five secondary regions. You can use additional secondary regions to further harden disaster recovery response, or to serve geographically distributed workloads. For more information, see Cross-region replication overview and Work with cross-region replication.
On February 27, 2025, we released an updated version of the Apigee Proxy Debug tool.
Overview
This release introduces a redesigned debugging experience for API proxies in the Apigee UI, which is available in Google Cloud console.
This new feature, Debug Sequence View (v2), addresses user feedback and aims to streamline the process of identifying and resolving issues in your API proxies.
We believe that Debug Sequence View will significantly improve the API proxy debugging experience. We encourage you to try it out and provide your valuable feedback as we continue to refine and enhance this feature!
Key highlights
- Intuitive horizontal layout:
The new Debug Sequence View (v2) features a horizontal sequence diagram, mirroring the familiar layout of the classic Apigee Console UI, making it easier to understand the flow of your API proxy transactions at a glance. - Enhanced clarity:
The horizontal visualization, coupled with improved grouping of events, provides a clearer picture of policy execution, highlighting errors and their context within the transaction flow. - Streamlined workflow:
Debug Sequence View (v2) is designed to reduce the need for disruptive pop-ups and sifting through events, offering a smoother and more focused debugging experience. Reimagined icons help quickly understand a transaction at a glance. - Feature parity:
Debug Sequence View (v2) is designed for users already familiar with debugging in Apigee Classic UI to quickly be proficient. - Search:
You can now search for a specific string in the sequence diagram and details pane. - Improved API status display:
The API status display in the transaction list has been improved for increased readability. - Consolidated FlowInfo events:
FlowInfo events are now grouped together in the sequence diagram. - Target URL displayed:
Displayed target URL on "Request Sent" node when relevant
Backup and DR now supports the latest RHEL and SLES OS and kernels in backup/recovery appliance 11.0.13 and later:
RHEL 8.8: 4.18.0-477.36.1, 4.18.0-477.43.1, 4.18.0-477.51.1, 4.18.0-477.55.1, 4.18.0-477.58.1, 4.18.0-477.64.1, 4.18.0-477.67.1, 4.18.0-477.70.1, 4.18.0-477.75.1, 4.18.0-477.81.1, 4.18.0-477.83.1
RHEL 8.10: 4.18.0-553.30.1, 4.18.0-553.32.1, 4.18.0-553.33.1
RHEL 9.3: 5.14.0-362.24.1
RHEL 9.4: 5.14.0-427.13.1, 5.14.0-427.16.1, 5.14.0-427.18.1, 5.14.0-427.20.1, 5.14.0-427.22.1, 5.14.0-427.24.1, 5.14.0-427.26.1, 5.14.0-427.28.1, 5.14.0-427.31.1, 5.14.0-427.33.1, 5.14.0-427.35.1, 5.14.0-427.37.1, 5.14.0-427.40.1, 5.14.0-427.42.1
RHEL 9.5: 5.14.0-503.11.1, 5.14.0-503.14.1, 5.14.0-503.15.1, 5.14.0-503.16.1, 5.14.0-503.19.1
SLES 15 SP6: All kernels
Database retention policy is available in Cloud Composer 3. You can use this feature to automatically delete older records from the Airflow database, which helps to maintain the Airflow database's size.
In typical HTTPS communication, neither the load balancer nor the backend verify each other's identity, assuming that they are within a secure perimeter and can be trusted. However, when perimeter security needs reinforcement or communication extends beyond the perimeter, backend mTLS becomes essential. Backend mTLS ensures secure communication by requiring both the load balancer and the backend to mutually verify their identities.
With backend authenticated TLS, the load balancer verifies the backend server's certificate by checking its chain of trust, thereby confirming the backend's identity. Conversely, with backend mTLS, the backend server verifies the client certificate presented by the load balancer. Together, these mechanisms enable backend mTLS, ensuring that both parties validate each other's identity.
Backend mTLS complements frontend mTLS, which is already generally available (GA).
For details, see the following:
This capability is in Preview for global external Application Load Balancers.
On your custom dashboards, you can reduce the load time of the dashboard by using group widgets. The tab-group widget displays one member of a collection, and it provides tabs on the toolbar to let you select which member to display:
Organize dashboard widgets describes grouping widgets and provides configuration information for the different types.
Dashboard with a
SingleViewGroupwidget describes which API fields to use to configure a tab-group widget.
You can use Terraform resources to schedule notebook runs, and to manage runtimes and runtime templates. To learn more, see the following:
Datastream now supports Salesforce as a source. The feature is in Preview.
For more information, see the Datastream documentation.
Patch 3.31.36
This patch does the following:
- Fixes an issue where the chat adapter was not appearing in the agent desktop when an incoming chat was received.
- Fixes an issue where agents in Unavailable or Wrap up status were not receiving incoming contacts and were put into Unresponsive status.
- Fixes a security vulnerability.
Google Distributed Cloud (software only) for VMware 1.29.1100-gke.82 is now available for download. To upgrade, see Upgrade a cluster or a node pool. Google Distributed Cloud 1.29.1100-gke.82 runs on Kubernetes v1.29.13-gke.500.
If you are using a third-party storage vendor, check the GDC Ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The 1.29.1100-gke.82 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
Release 1.30.600-gke.69
Google Distributed Cloud for bare metal 1.30.600-gke.69 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.600-gke.69 runs on Kubernetes v1.30.9-gke.100.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following functional change was made in 1.30.600-gke.69:
- Cluster deletion now deletes worker node pools prior to deleting any control plane node pools.
The following issues are fixed in 1.30.600-gke.69:
The 1.30.600-gke.69 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
Release 1.30.500-gke.127
Google Distributed Cloud for bare metal 1.30.500-gke.127 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.500-gke.127 runs on Kubernetes 1.30.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues are fixed in 1.30.500-gke.127:
Fixed an issue where node upgrades failed due to missing
super-admin.conffile.Fixed an issue where prompting during
bmctl update clusterprevented use of automation. You can now use the--quietflag to skip prompting.Fixed an issue where node machines didn't update when the registry mirror
hostsfield was updated.
The 1.30.500-gke.127 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
Release 1.31.200-gke.59
Google Distributed Cloud for bare metal 1.31.200-gke.59 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.31.200-gke.59 runs on Kubernetes v1.31.5-gke.300.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issue is fixed in 1.31.200-gke.69:
- Fixed an issue where node upgrades failed due to missing
super-admin.conffile.
The 1.31.200-gke.59 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
Release 1.29.1100-gke.84
Google Distributed Cloud for bare metal 1.29.1100-gke.84 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.29.1100-gke.84 runs on Kubernetes v1.29.13-gke.500.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The 1.29.1100-gke.84 release includes many vulnerability fixes. For a list of all vulnerabilities fixed in this release, see Vulnerability fixes.
The initial patch releases for 1.30.500, 1.30.600, and 1.31.200 contained a known issue that blocked cluster upgrades. This issue is fixed in the following updated patches:
- 1.31.200-gke.59
- 1.30.600-gke.69
- 1.30.500-gke.127
The release notes and related documentation have been updated to reflect the updated patch version information.
The GKE Autopilot partner program now lets partners create and manage allowlists that correspond to specific partner workloads. In GKE version 1.32.1-gke.1729000 and later, you can explicitly install allowlists in your clusters to run only the partner solutions that you need.
To learn more, see Run privileged workloads from GKE Autopilot partners.
Producer VPC Spokes is generally available.
If you have a VPC network that consumes a service offered through private services access, you can use a Network Connectivity Center producer VPC spoke to make the service reachable by other spokes on a hub.
Flow Analyzer is available in General availability.
Custom organization policies are now generally available for Service Management. For more information, see Manage Service Management resources with custom constraints.
Custom organization policies are now generally available for the Video Stitcher API. For more information, see Create custom constraints for the Video Stitcher API.
Custom organization policies are now generally available for Service Management. For more information, see Manage Service Management resources with custom constraints.
Custom organization policies are now generally available for the Video Stitcher API. For more information, see Create custom constraints for the Video Stitcher API.
Preview stage support for the following integration:
The following Private Service Connect monitoring metrics are available for both producers and consumers in General Availability:
- Closed connections count
- Received packets dropped count
- Sent packets dropped count
- New connections count
- Open connections
- Received bytes count
- Received packets count
- Sent bytes count
- Sent packets count
Additionally, the NAT IP address capacity metric is available for producers in General Availability.
You can use these metrics to help monitor and troubleshoot published services, endpoints that connect to published services, and backends that connect to published services. For more information, see Monitor Private Service Connect connections.
February 26, 2025
AI ApplicationsVertex AI Search: Personalize responses from the answer method (GA)
When making a query call to the answer method, you can provide information about the user to personalize the generated answer.
This feature is Generally available (GA). For more information, see Personalize answers.
Backup and DR Service 11.0.14.302 is now available to update your backup/recovery appliance. Refer to these instructions to update your appliance.
Backup and DR Service 11.0.14.302 includes the following fixes and improvements:
- The following CVEs have been addressed in this hotfix: CVE-2024-42301, CVE-2024-42284, CVE-2024-41092
- In some cases, a database that has data on multiple volumes can be mounted successfully, but a subsequent unmount operation fails. This has been fixed.
- In rare cases, the management console could lose the connection to the backup appliance for up to an hour, after which it automatically recovered. During the disconnection, the scheduled backups continued to be taken but the jobs monitor could not show progress and new on-demand jobs could not be run. This has been fixed.
- A Db2 log backup to a full disk failed without notification. With this hotfix, upon failure the disk is resized and the backup job is retried successfully.
- A persistent disk backup job for an SAP HANA or an IBM Db2 database fails if the backup/recovery appliance includes another host with the same name in a different project. This has been fixed.
- Imported persistent disk snapshots of SAP HANA and Db2 databases sometimes failed to mount or to restore if the database host had a custom (non-default) PD disk names. This fix ensures that these imported databases can be successfully mounted and restored.
- For SAP IQ databases, the INC_BKP.1 file (a config file) is backed up. It can be a large file that consumes much storage, so starting with this hotfix the config file is compressed for backup.
- Recovery of an IBM Db2 database from a standby image sometimes failed. This has been fixed.
- Backup and DR now supports "Import without ownership" for SAP HANA and IBM Db2 databases and logs.
Database Migration Service for homogeneous Cloud SQL for PostgreSQL migrations now lets you migrate specific databases from your source instance. You can view metrics, statuses, and errors separately for each database.
For more information about migrating specific databases, see:
You can now enable and disable the logging of uptime-check failures by using the log_check_failures field in the Cloud Monitoring API.
You can now include replicas when you perform an in-place major version upgrade using gcloud or the Cloud SQL Admin API. For more information, see Upgrade the database major version in-place.
You can now include replicas when you perform an in-place major version upgrade using gcloud or the Cloud SQL Admin API. For more information, see Upgrade the database major version in-place.
Bucket relocation for Cloud Storage is generally available (GA). You can use bucket relocation to relocate buckets between geographic locations.
(2025-R08) Version updates
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.
Rapid channel
- Version 1.32.1-gke.1729000 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.13-gke.1109000
- 1.29.13-gke.1169000
- 1.30.9-gke.1201000
- 1.30.9-gke.1231000
- 1.31.5-gke.1169000
- 1.31.5-gke.1233000
- 1.32.1-gke.1489001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.28 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.6-gke.1020000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
Regular channel
- Version 1.31.5-gke.1169000 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.29.13-gke.1038000
- 1.30.9-gke.1046000
- 1.31.5-gke.1068000
- 1.32.1-gke.1200003
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.28 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.9-gke.1127000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
Stable channel
- Version 1.30.9-gke.1009000 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.29.12-gke.1270000
- 1.30.8-gke.1261000
- 1.31.4-gke.1372000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.28 to version 1.29.13-gke.1006000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.9-gke.1009000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.29.13-gke.1006000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.9-gke.1009000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.5-gke.1023000 with this release.
Extended channel
- Version 1.31.5-gke.1169000 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2440000
- 1.28.15-gke.1612000
- 1.28.15-gke.1844000
- 1.29.13-gke.1038000
- 1.30.9-gke.1046000
- 1.31.5-gke.1068000
- 1.32.1-gke.1200003
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.1641000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
No channel
- Version 1.31.5-gke.1169000 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.29.12-gke.1270000
- 1.30.8-gke.1162001
- 1.30.9-gke.1231000
- 1.31.4-gke.1372000
- 1.32.1-gke.1200003
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.28 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.9-gke.1009000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.9-gke.1009000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
(2025-R08) Version updates
- Version 1.32.1-gke.1729000 is now the default version for cluster creation in the Rapid channel.
- The following versions are now available in the Rapid channel:
- The following versions are no longer available in the Rapid channel:
- 1.29.13-gke.1109000
- 1.29.13-gke.1169000
- 1.30.9-gke.1201000
- 1.30.9-gke.1231000
- 1.31.5-gke.1169000
- 1.31.5-gke.1233000
- 1.32.1-gke.1489001
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.28 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.31.6-gke.1020000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.14-gke.1018000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.30 to version 1.30.10-gke.1022000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.31 to version 1.31.6-gke.1020000 with this release.
(2025-R08) Version updates
- Version 1.31.5-gke.1169000 is now the default version for cluster creation in the Regular channel.
- The following versions are now available in the Regular channel:
- The following versions are no longer available in the Regular channel:
- 1.29.13-gke.1038000
- 1.30.9-gke.1046000
- 1.31.5-gke.1068000
- 1.32.1-gke.1200003
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.28 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.30.9-gke.1127000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
(2025-R08) Version updates
- Version 1.30.9-gke.1009000 is now the default version for cluster creation in the Stable channel.
- The following versions are now available in the Stable channel:
- The following versions are no longer available in the Stable channel:
- 1.29.12-gke.1270000
- 1.30.8-gke.1261000
- 1.31.4-gke.1372000
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.28 to version 1.29.13-gke.1006000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.30.9-gke.1009000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.29 to version 1.29.13-gke.1006000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.30 to version 1.30.9-gke.1009000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.31 to version 1.31.5-gke.1023000 with this release.
(2025-R08) Version updates
- Version 1.31.5-gke.1169000 is now the default version for cluster creation in the Extended channel.
- The following versions are now available in the Extended channel:
- The following versions are no longer available in the Extended channel:
- 1.27.16-gke.2440000
- 1.28.15-gke.1612000
- 1.28.15-gke.1844000
- 1.29.13-gke.1038000
- 1.30.9-gke.1046000
- 1.31.5-gke.1068000
- 1.32.1-gke.1200003
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.28 to version 1.28.15-gke.1641000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.29 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.30 to version 1.30.9-gke.1127000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled in the Extended channel will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
(2025-R08) Version updates
- Version 1.31.5-gke.1169000 is now the default version for cluster creation.
- The following versions are now available:
- The following node versions are now available:
- The following versions are no longer available:
- 1.29.12-gke.1270000
- 1.30.8-gke.1162001
- 1.30.9-gke.1231000
- 1.31.4-gke.1372000
- 1.32.1-gke.1200003
- Auto-upgrade targets are now available for the following minor versions:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.28 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.30.9-gke.1009000 with this release.
- The following patch-only version auto-upgrade targets are now available for clusters with maintenance exclusions or other factors preventing minor version upgrades:
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.29 to version 1.29.13-gke.1109000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.30 to version 1.30.9-gke.1009000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.31 to version 1.31.5-gke.1169000 with this release.
- Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.32 to version 1.32.1-gke.1357001 with this release.
Private Service Connect connection propagation is asynchronous after spoke creation or deletion. When a VPC spoke is removed from a hub, it can take some time to update propagated Private Service Connect connections. While the Private Service Connect propagation connection update is in progress, traffic from the VM within the VPC network can flow to the backend, even after the VPC spoke is added to a new hub. To avoid this issue, we recommend that before adding the spoke to another hub, make sure that all of the propagation status entries for the VPC network in the previous hub, whether as a source spoke or a target spoke, are deleted.
Private Service Connect connection propagation is generally available.
Connection propagation through the Network Connectivity Center hub provides access to Private Service Connect endpoints from other VPC networks.
Private Service Connect propagated connections are available in General Availability. With propagated connections, services that are accessible in one consumer VPC spoke through Private Service Connect endpoints can be privately accessed by other consumer VPC spokes that are connected to the same Network Connectivity Center hub.
February 25, 2025
AlloyDB for PostgreSQLThe alloydb_scann extension is updated to include the following vector search improvements in Preview:
- AlloyDB for PostgreSQL introduces inline filtering for vector search. With inline filtering, SQL filter evaluation is performed at the same time as vector search. This feature mitigates potential issues from existing pre and post-filter evaluation mechanisms. For more information about
scann.enable_inline_filtering, see ScaNN index reference. - A distribution histogram is available in the
pg_stat_ann_indexesview, which helps you understand the distribution of vectors between partitions andnum_leavesof your ScaNN index. For more information, including recommendations about tuning thedistributionpercentilemetric, see Tuning metrics.
You can now see a list of BigQuery API and service dependencies. You can also review the effects of disabling an API or service.
You can use the best sellers and price competitiveness migration guides to transition to the newer version of the reports. This feature is in preview.
BigQuery resource utilization charts provide metrics views and more chart configuration options in Preview.
Cloud Composer 3 is now available in Stockholm (europe-north2). The change is gradually rolling out.
You can now export or import all user databases in an instance using a directory-formatted, parallel export or import operation.
Managed Cloud Service Mesh with the Traffic Director control plane now supports configuring the network topology to use X-Forwarded-For and X-Forwarded-Client-Cert headers by MeshConfig or annotations of workloads.
Config Controller now uses the following versions of its included products:
- Config Connector v1.128.0, release notes
Gemini 2.0 Flash-Lite is now generally available
Gemini 2.0 Flash-Lite is now generally available. For more information, see Gemini 2.0.
Generally available: VMware Engine Update center on the Google Cloud console is now generally available. Update center lets you view and manage updates to your private clouds, including specifying start dates and times for schedulable VMware version updates, and viewing the status of in-progress schedulable and non-schedulable updates, such as security patches. For more information, see Update a private cloud.
Three new metrics are added for checking node and node pool status:
kubernetes.io/node/status_condition: The condition of a node from the node status condition field. TheReadyfield hasUnknownstatus if the node controller has not heard from the node in the lastnode-monitor-grace-periodperiod. This metric is available for clusters with GKE version 1.32.1-gke.1260000 and later.kubernetes.io/node_pool/multi_host/available: The multi-host NodePool availability. When all the nodes in the node pool are available, the value isTrue. If any of the nodes in the node pool are unavailable, the value isFalse. This metric is available for Multi-host TPU node pools only.kubernetes.io/node_pool/status: The current status of the node pool from theNodePoolinstance. Status updates happen after GKE API operations complete. This metric is available for Multi-host TPU node pools only.
The Custom Fields feature has been rolled back.
You can now use Organization Policy Service custom constraints to provide more granular control over specific fields for some Security Command Center resources. For more information, see Configure custom organization policies. This feature is in General Availability.
February 24, 2025
App HubApp Hub supports resources from the following sources in Preview:
- Bigtable
- Cloud SQL
- Cloud Storage
- Memorystore for Redis
- Pub/Sub
- Spanner
You can now use the @@location system variable to set the location in which to run a query. This feature is in preview.
Bigtable Data Boost, a serverless compute service designed for high-throughput read jobs and queries, is generally available (GA).
Automated backup for Bigtable is generally available (GA). For more information, see the Backups overview.
If you're a user of managed Cloud Service Mesh with the ISTIOD control plane implementation, you can now fine-tune your control plane modernization. See the Managed control plane modernization page for details.
A weekly digest of client library updates from across the Cloud SDK.
Node.js
Changes for @google-cloud/storage
7.15.2 (2025-02-20)
Bug Fixes
You can move an object within a bucket with hierarchical namespace enabled using the Objects: move method.
cos-dev-121-18867-0-24
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.74 | v25.0.7 | v2.0.2 | See List |
Updated app-admin/google-guest-configs to v20250207.00.
Upgraded app-admin/google-guest-agent to v20250204.02.
Updated the default tag of the GPU driver supporting the NVIDIA H200 GPU device to 570.86.15.
Upgraded cloud-init from 23.4.3 to 24.4.1.
Updated Konlet to v0.13.4.
Fixed CVE-2025-0840 in binutils.
Support for NVIDIA B200 GPU – Added support for the R570 driver series, including version 570.86.15. This version has been assigned the latest, default, and R570 tags.
Updated cos-gpu-installer to v2.4.7: 1.Added Support for NVIDIA B200 GPU. 2.Enabled --prepare-build-tools flag to preload GPU driver metadata for ARM64
Upgraded app-admin/fluent-bit to v3.2.5.
Upgraded sys-apps/hwdata to v0.391.
Upgraded sys-apps/diffutils to v3.11.
Upgraded sys-apps/pv to v1.9.27.
Fixed CVE-2024-13176 in dev-libs/openssl.
Fixed CVE-2025-0395 in sys-libs/glibc.
Fixed CVE-2024-9287 in dev-lang/python.
Runtime sysctl changes:
- Changed: fs.file-max: 811771 -> 811788
cos-109-17800-436-42
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.124 | v24.0.9 | v1.7.24 | See List |
Updated app-admin/google-guest-configs to v20250207.00.
Fixed CVE-2024-13176 in dev-libs/openssl.
Fixed CVE-2025-0395 in sys-libs/glibc.
Fixed CVE-2024-9287 in dev-lang/python.
Fixed CVE-2024-56664 in the Linux kernel.
Fixed CVE-2024-57949 in the Linux kernel.
Fixed CVE-2024-57951 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812276 -> 812258
cos-117-18613-164-47
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.72 | v24.0.9 | v1.7.24 | See List |
Fixed CVE-2025-0395 in sys-libs/glibc.
Fixed CVE-2024-9287 in dev-lang/python.
Updated app-admin/google-guest-configs to v20250207.00.
Fixed CVE-2024-13176 in dev-libs/openssl.
Fixed CVE-2024-57949 in the Linux kernel.
Fixed CVE-2024-57951 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 811817 -> 811792
cos-113-18244-291-46
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.1.123 | v24.0.9 | v1.7.24 | See List |
Updated app-admin/google-guest-configs to v20250207.00.
Fixed CVE-2024-13176 in dev-libs/openssl.
Fixed CVE-2025-0395 in sys-libs/glibc.
Fixed CVE-2024-9287 in dev-lang/python.
Fixed CVE-2024-57949 in the Linux kernel.
Fixed CVE-2024-57951 in the Linux kernel.
Runtime sysctl changes:
- Changed: fs.file-max: 812031 -> 812058
cos-105-17412-535-61
| Kernel | Docker | Containerd | GPU Drivers |
| COS-5.15.173 | v23.0.3 | v1.7.23 | See List |
Fixed CVE-2025-0395 in sys-libs/glibc.
Fixed CVE-2024-9287 in dev-lang/python.
Fixed CVE-2023-27043 in dev-lang/python.
Fixed CVE-2024-57951 in the Linux kernel.
Fixed CVE-2024-53215 in the Linux kernel.
Fixed CVE-2024-56569 in the Linux kernel.
New Dataproc on Compute Engine subminor image versions:
- 2.0.133-debian10, 2.0.133-rocky8, 2.0.133-ubuntu18
- 2.1.81-debian11, 2.1.81-rocky8, 2.1.81-ubuntu20, 2.1.81-ubuntu20-arm
- 2.2.47-debian12, 2.2.47-rocky9, 2.2.47-ubuntu22
New Dataproc Serverless for Spark runtime versions:
- 1.1.93
- 1.2.37
- 2.2.37
Dialogflow CX (Conversational Agents): Text-to-speech used by Dialogflow now supports new Chirp HD voices.
Dialogflow CX (Conversational Agents) & ES: Text-to-speech removed support for voices across European markets. Affected users were sent an email announcement.
Anthropic's Claude Sonnet 3.7 is in Preview on Vertex AI. To learn more, view the Claude Sonnet 3.7 model card in Model Garden.
Workforce Identity Federation can map up to 400 groups from Microsoft Entra ID. The feature is generally available. To learn more, see Configure Workforce Identity Federation with Microsoft Entra ID and a large number of groups.
Workforce Identity Federation supports an attribute mapping of up to 400 groups and a maximum size of 16 KB.
The following Gemini in Looker features are available in Preview for instances on Looker 25.2 and later:
- Create custom Looker visualizations: The Visualization Assistant helps you generate custom formatting options for Looker visualizations by using natural language.
- Generate LookML: Use Gemini assistance to generate LookML code suggestions in response to natural language prompts. In the Looker IDE, click the Help me code icon to get Gemini assistance to create dimensions, dimension groups, and measures in your LookML project.
To learn more about how to activate these features, see Admin settings – Gemini in Looker.
Conversational Analytics is now available in Preview for Looker (original) and Looker (Google Cloud core) instances on Looker 25.0 and later that have both Studio in Looker and Gemini in Looker enabled. You can use Conversational Analytics to query your Looker Explore data in natural language.
VPC Service Controls feature (Status: Preview): The VPC Service Controls violation analyzer lets you diagnose access denial events for services in your perimeters using an encrypted troubleshooting token generated by VPC Service Controls. The violation analyzer also provides troubleshooting results that can help you understand and resolve the access denial events. This feature is available in Preview.
For more information, see Diagnose an access denial event using the VPC Service Controls violation analyzer.