Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud Console or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

January 24, 2022

Anthos clusters on VMware

Anthos clusters on VMware 1.9.3-gke.4 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.3-gke.4 runs on Kubernetes v1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.10, 1.9, and 1.8.

Fixes for version 1.9.3:

  • Fixed issue where special characters in the vSphere username are not properly escaped.

Changes in version 1.9.3:

  • Upgraded the Connect Agent version to 20211210-01-00.

    • This upgrade also fixed the issue where the Connect Agent restarts unexpectedly on a newly-created cluster that uses Anthos Identity Service to manage the Anthos Identity Service ClientConfig.

Known issue in version 1.9.3:

  • The Connect Agent restarts unexpectedly on an existing cluster that uses Anthos Identity Service to manage the Anthos Identity Service ClientConfig. If you have experienced this issue, follow these instructions to upgrade the Connect Agent version.

Anthos clusters on VMware 1.8.6-gke.4 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.6-gke.4 runs on Kubernetes 1.20.12-gke.1500.

Fixes for version 1.8.6:

  • Fixed issue where special characters in the vSphere username are not properly escaped.

Dialogflow

Dialogflow CX has a new agent design best practices guide.

Memorystore for Redis

Released the RDB Snapshots (Preview) feature for Memorystore for Redis. For more details, see RDB Snapshots.

Virtual Private Cloud

January 21, 2022

Cloud DNS

Managing routing policies in Cloud DNS is available in GA.

Cloud Monitoring

Private uptime checks are now available in Preview. Private uptime checks enable HTTP requests into a customer Virtual Private Cloud (VPC) network while enforcing Identity and Access Management (IAM) restrictions and VPC Service Controls perimeters. Private uptime checks can send requests over the private network to resources like a virtual machine (VM) or an L4 internal load balancer (ILB).

For more information, see Create private uptime checks.

Document AI

The Intelligent Document Quality Processor is now publicly accessible and supports 3 more defect types:

  • quality/defect_document_cutoff
  • quality/defect_text_cutoff
  • quality/defect_glare

Google Kubernetes Engine

1.23 is now available in the Rapid channel

Kubernetes 1.23 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.23 Release Notes, especially the action required and deprecation sections.

Notable features

Beta: PodSecurity admission

PodSecurity replaces the deprecated PodSecurityPolicy admission controller (which will be removed in 1.25). PodSecurity is an admission controller that enforces Pod Security Standards on Pods in a Namespace based on specific namespace labels that set the enforcement level. In 1.23, the PodSecurity feature is enabled by default, and applies to namespaces that opt into enforcement. Refer to the PodSecurity documentation and PodSecurityPolicy migration guide for more information.

Notable changes and bug fixes

Kubernetes 1.23 is built with go1.17, which requires aggregated API servers, admission webhooks, and custom resource conversion webhooks to use TLS certificates that include the service DNS name as a subjectAltName.

  • Before upgrading to 1.23, ensure any non-local aggregated API servers, admission webhooks, and custom resource conversion webhooks in your cluster are served using valid TLS certificates.
  • At cluster version 1.22.3-gke.700 or higher, GKE provides a Cloud Audit log to check if your cluster contains an affected service. You can use the following filter to search for the logs:

    logName: "projects/$PROJECT/logs/cloudaudit.googleapis.com%2Factivity"
    resource.type = "k8s_cluster"
    operation.producer = "k8s.io"
    "invalid-cert.webhook.gke.io"
    
  • If you are not affected, you won't see any logs. If you do see such an audit log, it will include the name of the service (whether webhook or aggregated API).
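One way to check a webhook's serving certificate against this requirement before upgrading is to test it the way Go's crypto/x509 does, since go1.17 matches only subjectAltName entries and no longer falls back to the CommonName. This is an added example, not GKE's or Kubernetes' own code; the service name my-webhook.webhooks.svc is a constructed placeholder and both certificates are generated inline so it runs offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed serving certificate with the given
// CommonName and DNS subjectAltNames (nil means "CN only", the shape
// that breaks under go1.17-based API servers).
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ServesName reports whether the certificate is valid for the service DNS
// name the API server dials (<service>.<namespace>.svc), using the same
// hostname matching as crypto/x509: SANs only, no CommonName fallback.
func ServesName(cert *x509.Certificate, serviceDNS string) bool {
	return cert.VerifyHostname(serviceDNS) == nil
}

func main() {
	// Constructed placeholder service name; substitute your webhook's
	// <service>.<namespace>.svc when checking a real certificate.
	svc := "my-webhook.webhooks.svc"
	cnOnly, err := makeCert(svc, nil)
	if err != nil {
		panic(err)
	}
	withSAN, err := makeCert(svc, []string{svc, svc + ".cluster.local"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN-only certificate accepted for %s: %v\n", svc, ServesName(cnOnly, svc))
	fmt.Printf("SAN certificate accepted for %s:     %v\n", svc, ServesName(withSAN, svc))
}
```

For a live cluster, parse the PEM from the webhook's serving Secret with x509.ParseCertificate and pass it to ServesName; a false result means the webhook will start failing once the control plane runs 1.23.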

New API versions

  • flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema, PriorityLevelConfiguration
  • autoscaling/v2 HorizontalPodAutoscaler

Deprecated API versions

These APIs are still served in version 1.23 but are in a deprecation period:

  • PodSecurityPolicy
    • policy/v1beta1 PodSecurityPolicy
    • Deprecated in 1.21 with removal targeted for version 1.25.
  • The following Beta versions of graduated APIs will be removed in 1.25 in favor of their GA versions:
    • discovery.k8s.io/v1beta1 EndpointSlice, deprecated since 1.21
    • policy/v1beta1 PodDisruptionBudget, deprecated since 1.21
    • batch/v1beta1 CronJob, deprecated since 1.21
    • node.k8s.io/v1beta1 RuntimeClass
    • autoscaling/v2beta1 HorizontalPodAutoscaler
  • The following Beta versions of graduated APIs will be removed in 1.26 in favor of newer versions:
    • flowcontrol.apiserver.k8s.io/v1beta1 FlowSchema, PriorityLevelConfiguration
      • deprecated since 1.23
      • use flowcontrol.apiserver.k8s.io/v1beta2 instead, available since 1.23
    • autoscaling/v2beta2 HorizontalPodAutoscaler
      • deprecated since 1.23
      • use autoscaling/v2 instead, available since 1.23 (or autoscaling/v1)

(2022-R01) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.21.6-gke.1500 is now the default version.
  • Control plane and node version 1.19.16-gke.3600 is now available.
  • The following control plane versions are no longer available:
    • 1.19.15-gke.1300
    • 1.20.10-gke.1600
    • 1.20.10-gke.2100
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.15-gke.1801 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.20.12-gke.1500 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.12-gke.1500 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.5-gke.1802 with this release.

Stable channel

  • Version 1.20.12-gke.1500 is now the default version in the Stable channel.
  • Version 1.21.5-gke.1802 is now available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.12-gke.1500 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.12-gke.1500 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to 1.21.5-gke.1802 with this release.

Regular channel

  • Version 1.21.6-gke.1500 is now the default version in the Regular channel.
  • Version 1.21.6-gke.1500 is now available in the Regular channel.
  • Version 1.21.5-gke.1302 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.6-gke.1500 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.6-gke.1500 with this release.

Rapid channel

  • Version 1.22.3-gke.1500 is now the default version in the Rapid channel.
  • Version 1.22.4-gke.1501 is now available in the Rapid channel.
  • Version 1.23.1-gke.500 is now available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.5-gke.1802 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.5-gke.1802 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.3-gke.1500 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.1-gke.500 with this release.

Clusters running GKE node versions 1.19.16-gke.1500 and 1.19.16-gke.3600 will be unstable if Container Threat Detection (KTD) is enabled. To use KTD, create the cluster with the most recent 1.19.15 version or any GKE version 1.20 or later. If you require GKE version 1.19.16-gke.1500 or 1.19.16-gke.3600, you should disable KTD on the cluster using the Cloud Security Command Center Advanced Settings before creating or upgrading nodes to these versions.


Retail API

The Retail console is now available to all Recommendations AI users. The Retail Console is a new way to manage both Recommendations AI and Retail Search seamlessly in one project through a unified onboarding and admin console experience.

We recommend switching to the Retail console and using the Retail documentation, which documents Recommendations AI, the Retail console, and Retail Search.

To switch, go to the new console and click Enable the Retail API. You can then view and manage your project from the new console.

reCAPTCHA Enterprise

You can now use reCAPTCHA Enterprise account defender to detect and prevent account-related fraudulent activities. This feature is in Public Preview.

January 20, 2022

Anthos Service Mesh

1.10.6-asm.0 is now available.

This patch release contains the same bug fixes that are in Istio 1.10.6. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

1.12.2-asm.0 is now available.

This patch release contains the same bug fixes that are in Istio 1.12.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Compute Engine

Learn about the differences between multi-tenancy and sole-tenancy by reading the new About VM tenancy document.

Google Cloud Deploy

Google Cloud Deploy support for Skaffold version 1.35.1 has been updated to version 1.35.2, which is now the default Skaffold version.

Google Kubernetes Engine

VPC-scoped DNS for GKE using Cloud DNS is now generally available for GKE versions 1.21 and later. This allows for seamless VPC-wide DNS resolution of GKE Services. Note that cluster-scoped DNS using Cloud DNS is still in public preview.

A new Kubernetes metric, Network policy event count (kubernetes.io/pod/network/policy_event_count), is available (beta) for GKE Dataplane V2 clusters in GKE versions 1.22.3-gke.700 and later.

This metric can be viewed in the Metrics Explorer in Cloud Monitoring for resource type, Kubernetes Pod.

This metric provides visibility into network policy events and shows the change in the number of network policy events seen in the dataplane. Each event has the following metric labels:

  • verdict: Policy verdict; possible values: [allow, deny].
  • workload_kind: Kind of the workload the policy-enforced pod belongs to, for example "Deployment", "Replicaset", "StatefulSet", "DaemonSet", "Job", or "CronJob".
  • workload_name: Name of the workload the policy-enforced pod belongs to.
  • direction: Direction of the traffic from the point of view of the policy-enforced pod; possible values: [ingress, egress].

In addition to these metric labels, customers can also see the usual resource labels for the resource type Kubernetes Pod: project_id, location, cluster_name, namespace_name, and pod_name.

This metric can be used for setting up automated alerts for specific behaviors (for example, denials above a threshold), identifying security issues, gaining a better understanding of traffic flow, and troubleshooting.

Network Intelligence Center

Overly permissive rule insights are now generally available. For information about these insights, see the Firewall Insights overview.

January 19, 2022

Anthos Service Mesh

Version 1.12 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel.

Version 1.11 has been promoted to the Regular Release Channel, and version 1.10 has been promoted to the Stable Release Channel.

See Select a managed Anthos Service Mesh release channel for more information.

Managed Anthos Service Mesh now supports GKE Autopilot in the Regular and Rapid channels. For more information, see Configure managed Anthos Service Mesh.

Managed Anthos Service Mesh control plane now displays its provisioning status in the ControlPlaneRevision API. For more information, see Verify the control plane has been provisioned.

Managed Anthos Service Mesh now supports deploying a proxy built on the distroless base image. Note that distroless proxy images do not work with managed data plane.

The distroless base image ensures that the proxy image contains the minimal number of packages required to run the proxy. This improves security posture by reducing the overall attack surface of the image and gets cleaner results with CVE scanners. See Distroless proxy image for more information.

App Engine standard environment Java

Updated Java SDK to version 1.9.94.

App Engine standard environment Python

Users of the App Engine Bundled Services for Python 3 can now access Blobstore, Deferred, and Mail handlers in preview, through language-idiomatic libraries.

Cloud Load Balancing

The default behavior for HTTP/3 and Google QUIC is changing for global external HTTP(S) load balancers. The default setting of quicOverride=NONE will now advertise support for HTTP/3 to your clients. This change is currently rolling out globally.

If you don't want this behavior to change, you can disable HTTP/3 by setting quicOverride to DISABLE. For instructions, see Configuring HTTP/3.

Compute Engine

Generally available: You can now use the SSH troubleshooting tool to help you determine the cause of failed SSH connections.

Generally Available: Configure commitments to renew automatically. For more information, see Renew commitments automatically.

Config Connector

Config Connector version 1.71.0 is now available.

Added support for LoggingLogMetric resource.

Added support for NetworkConnectivitySpoke resource.

Added regional support for ComputeTargetHTTP(S)Proxy resource(s).

Added spec.build.availableSecrets to CloudBuildTrigger resource.

Added spec.nodeConfig.nodeGroupRef and spec.nodeConfig.spot to ContainerCluster and ContainerNodePool resources.

Added spec.readReplicaMode, spec.replicaCount and status.nodes to RedisInstance resources.

Added spec.settings.ipConfiguration.allocatedIpRange to SQLInstance resource.

Added spec.publicAccessPrevention to StorageBucket resource.

Added spec.identityServiceConfig to ContainerCluster resource.

Dataproc

Announcing the General Availability (GA) release of Dataproc Serverless for Spark, which allows you to run your Spark jobs on Dataproc without having to spin up and manage your own cluster.

Dialogflow

Dialogflow CX now provides an IDENTITY system function, which is useful to copy a composite parameter object in a parameter preset field.

The Dialogflow CX QueryResult.match.event field previously only populated custom events. It is now also populated with no-match and no-input built-in events.

Google Cloud Deploy

Google Cloud Deploy is generally available (GA).

Google Cloud Deploy now has beta stage support for VPC Service Controls.

You can now roll back targets from the delivery pipeline visualization in Google Cloud Console.

SAP on Google Cloud

Google Cloud Connector for SAP Landscape Management version 2.3.0

Version 2.3.0 of the Google Cloud Connector for SAP Landscape Management is now available. Version 2.3.0 adds support for duplicate IP addresses in managed SAP landscapes.

For more information, see Configuring support for duplicate IP addresses.

VPC Service Controls

Preview support for the following integration:

January 18, 2022

Cloud Monitoring

When you click on an entry in the Instances table on the Monitoring VM Instances dashboard, a sliding panel now appears with the instance details, replacing the VM Instance Details page.

Dataproc

Added support for Dataproc Metastore's beta NetworkConfig field. Beta services using this field can now be used in conjunction with v1 Dataproc clusters.

Dataproc extracts the warehouse directory from the Dataproc Metastore service for the cluster-local warehouse directory.

Workflows

Workflows is now certified as SOC 1 compliant.

January 17, 2022

Dataproc

New sub-minor versions of Dataproc images:

1.4.79-debian10 and 1.4.79-ubuntu18

1.5.55-debian10, 1.5.55-ubuntu18, and 1.5.55-centos8

2.0.29-debian10, 2.0.29-ubuntu18, and 2.0.29-centos8

Migrated to Eclipse Temurin JDK in image versions 1.4, 1.5, and 2.0.

Upgraded Log4j version to 2.17.1 in image versions 1.4, 1.5, and 2.0.

The Cloud Storage connector jar is installed on the Solr server (even if dataproc:solr.gcs.path property is not set). Applies to image versions 1.4, 1.5, and 2.0.

Fixed a bug where cluster restart disabled Solr and Ranger services even if the components are selected. Applies to image versions 1.4, 1.5, and 2.0.

YARN-8865: RMStateStore contains large number of expired RMDelegationToken. Applies to 1.5 images.

RANGER-3324: Make optimized db schema script idempotent for MySQL DB. Applies to 2.0 images.

Google Cloud Deploy

Google Cloud Deploy now automatically applies provenance labels to deployed resources.

Google Kubernetes Engine

Now available in Preview: Use a compact placement policy to specify that nodes within the node pool should be placed in closer physical proximity to each other within a zone. Having nodes closer to each other can reduce network latency between nodes, which can be useful for tightly-coupled batch workloads.

January 14, 2022

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud SQL
    • sqladmin.googleapis.com/BackupRun

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Cloud OS Config
    • osconfig.googleapis.com/VulnerabilityReport
  • Cloud Dataplex
    • dataplex.googleapis.com/Asset
    • dataplex.googleapis.com/Zone
    • dataplex.googleapis.com/Task
    • dataplex.googleapis.com/Lake

Compute Engine

Generally available: Access the Compute Engine API using Cloud Client Libraries built on our latest client library model. Updated client libraries are now available in the following languages:

  • Go
  • Java
  • .NET
  • Node.js
  • PHP
  • Python
  • Ruby

For more information, see Compute Engine client libraries.

Document AI

Document OCR processor

We have updated the Google default next version with quality improvements. Consequently, you have 90 days from today to test the new model before the changes are applied to the Google default version. After that, the original Google default version will be available for another 90 days as legacy. For more information about the processor and its versions, see the Document OCR processor.

For more information about using different versions of the processor, see Managing processor versions.

For the original announcement of this change, see the November 5, 2021 release note.

January 12, 2022

Access Transparency

For the Access Transparency logs for Cloud SQL, the prefix of the value for the accesses:resourceName field is changed from //googleapis.com/sql/ to //sqladmin.googleapis.com/. For information about the various fields in Access Transparency logs, see Understanding and using Access Transparency logs.

Datastore

Firestore

Google Cloud Deploy

You can now view deployment metrics on the Google Cloud Deploy page in Google Cloud Console.

You can now view a list of documentation relevant to your current screen, including tutorials, by clicking the Learn button on the Google Cloud Deploy page in Google Cloud Console.

VPC Service Controls

Preview stage support for the following integrations:

January 11, 2022

Cloud Monitoring

Cloud Monitoring now supports configuring HTTP POST uptime checks in the UI. For more information, see Managing uptime checks.

Compute Engine

Generally available: Compute Engine now supports machine images. You can use machine images to store the configuration, metadata, permissions, and data required to create a VM instance.

VPC Service Controls

Beta stage support for the following integration:

January 10, 2022

Cloud Composer

(Available without upgrading) Programmatic calls to Airflow API and Airflow UI in Cloud Composer 2 must now contain OAuth tokens with the https://www.googleapis.com/auth/cloud-platform scope. You can find an example of setting this scope in Make calls to Airflow REST API.

Fixed a problem with rollback of Cloud Composer system workloads after a failed environment upgrade attempt.

Fixed the "First DAG run for an uploaded DAG file has several failed tasks" known issue for Airflow 2 environments.

Fixed levels of Airflow log messages in Cloud Composer 2 environments.

Logs from SQL proxy are now correctly passed to the customer project in environments with enabled Private Service Connect support.

Improved error handling when configuring workload identity in Cloud Composer 2 environments.

Cloud Composer 1.17.8 and 2.0.1 images are available:

  • composer-2.0.1-airflow-2.1.4
  • composer-2.0.1-airflow-2.0.2
  • composer-1.17.8-airflow-2.1.4
  • composer-1.17.8-airflow-2.0.2
  • composer-1.17.8-airflow-1.10.15 (default)

Cloud Composer 1.13.3 has reached its end of full support period.

Google Cloud Deploy

Google Cloud Deploy now supports Skaffold version 1.35.1 as the default.

Memorystore for Redis

Memorystore for Redis now supports networks that use non-RFC 1918 IP addresses, with the exception of privately used public IP addresses (PUPI). These additional network addresses can be used for both Memorystore for Redis instances and incoming client connections. For more details, see Supported networks and client IP ranges.

Security Command Center

Web Security Scanner, a built-in service of Security Command Center, released the INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION, INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION, and XXE_REFLECTED_FILE_LEAKAGE finding types to General Availability.

For more information, see Web Security Scanner findings.

January 09, 2022

Dataproc

New sub-minor versions of Dataproc images:

1.4.78-debian10 and 1.4.78-ubuntu18

1.5.54-centos8, 1.5.54-debian10, and 1.5.54-ubuntu18

2.0.28-centos8, 2.0.28-debian10, and 2.0.28-ubuntu18

Upgraded log4j version to 2.17.0 in image versions 1.4, 1.5, and 2.0.

Upgraded Cloud Storage connector version to 2.2.4 in image version 2.0.

Fixed the problem that jars added with the --jars flag in gcloud dataproc jobs submit spark-sql are missing at runtime.

January 08, 2022

Migrate for Anthos and GKE

Windows connection strings

Migrate for Anthos and GKE supports connection strings at the site and global scopes. See Setting connection strings for a data provider for more information.

Reducing system container image size

New alerts have been added to the migration plan to alert you when files may be too large for a successful image. See Specifying content to exclude from the migration for more information.

211625398: GKE 1.22 support

January 07, 2022

Cloud Logging

You can now collect MariaDB metrics and logs from the Ops Agent, starting with version 2.8.0. For more information, see Monitoring third-party applications: MariaDB.

Cloud Monitoring

You can now collect MySQL metrics from the Ops Agent, starting with version 2.8.0. For more information, see Monitoring third-party applications: MySQL.

You can now collect Memcached metrics from the Ops Agent, starting with version 2.8.0. For more information, see Monitoring third-party applications: Memcached.

Starting with version 2.8.0, the Ops Agent supports Ubuntu 21.10. For more information, see Linux operating systems.

You can now collect MariaDB metrics and logs from the Ops Agent, starting with version 2.8.0. For more information, see Monitoring third-party applications: MariaDB.

Config Connector

Config Connector 1.70.0 is now available.

Added support for MonitoringUptimeCheckConfig resource.

Added support for RunService (alpha) resource.

Added support for NetworkServicesGateway (alpha), NetworkServicesMesh (alpha), NetworkServicesGRPCRoute (alpha), NetworkServicesHTTPRoute (alpha), and NetworkServicesTCPRoute (alpha) resources.

Added field spec.networkInterface.queueCount to ComputeInstance and ComputeInstanceTemplate resources.

Added fields spec.bfd.minReceiveInterval, spec.bfd.minTransmitInterval, spec.bfd.multiplier, and spec.bfd.sessionInitializationMode to ComputeRouterPeer resource.

Added fields spec.nodeConfig.gcfsConfig and spec.managedInstanceGroupUrls to ContainerNodePool resource.

Added field spec.nodeConfig.gcfsConfig (deprecated) to ContainerCluster resource. spec.nodeConfig is a deprecated field that we recommend not using in your configuration.

Added field spec.messageRetentionDuration to PubSubTopic resource.

Supported referencing Workload Identity principals in IAMPolicyMember. (Issue #583)

ComputeInstance and ComputeInstanceTemplate: Configuring field spec.serviceAccount.scopes with value trace-append or trace-ro is no longer available. Use trace instead.

ContainerCluster: The default value for spec.enableShieldedNodes is changed to true.

ContainerCluster: Output-only field status.instanceGroupUrls is removed.

ContainerCluster: It now errors out if spec.workloadIdentityConfig.identityNamespace (deprecated) and spec.workloadIdentityConfig.workloadPool are both present but with different values. We recommend using spec.workloadIdentityConfig.workloadPool field only.

ComputeSnapshot: Output-only field status.sourceDiskLink is removed.

PubSubSubscription: Output-only field status.path is removed.

SQLInstance: spec.settings.authorizedGaeApplications, spec.settings.crashSafeReplication, spec.settings.replicationType become no-ops fields. We recommend removing these fields in your configuration.

StorageBucket: It now errors out if spec.bucketPolicyOnly (deprecated) and spec.uniformBucketLevelAccess are both present but with different values. We recommend using spec.uniformBucketLevelAccess field only.

The config-connector CLI removes the ability to export default ComputeNetwork, ComputeSubnetwork, and ComputeRoute resources via the bulk-export command. Those default network assets contain invalid values in other contexts, so they are removed from bulk export to avoid additional manual handling of the exported configuration.

Dataproc Metastore

Dataproc Metastore is available in the following regions:

  • asia-northeast3 (Seoul)
  • southamerica-east1 (São Paulo)

For more information, see Locations.

January 06, 2022

BigQuery

BigQuery standard SQL now supports the JSON data type for storing JSON data. The JSON data type is in Preview. For more information, see Working with JSON data in Standard SQL.

Google Cloud Marketplace

You can allow your Organization's members to request Cloud Marketplace SaaS products for procurement.

Learn more about enabling procurement requests.

Virtual Private Cloud

By default, Google Cloud blocks egress packets sent to TCP destination port 25 of an external IP address (including an external IP address of another Google Cloud resource). This restriction has been removed from projects owned by select Google Cloud customers.

For more information, see Blocked and limited traffic.

January 05, 2022

Cloud Key Management Service

Cloud HSM is now available in the Melbourne (australia-southeast2) region.

Compute Engine

Preview: You can now disable VM instance creation retries during resizing of both regional and zonal managed instance groups.

Workflows

Workflows can invoke Cloud Functions or Cloud Run services that have ingress restricted to internal traffic.

January 04, 2022

Dataflow

Dataflow now fully supports using Identity and Access Management (IAM) custom roles. You can create a custom IAM role and assign it to a user-managed service account used in Dataflow instead of assigning the Dataflow Worker role.

SAP on Google Cloud

Storage Manager for SAP HANA Standby Nodes version 2.3

Version 2.3 of the Storage Manager for SAP HANA Standby Nodes is now available. Version 2.3 improves the handling of persistent disks that are in use when a failover occurs.

Google Cloud recommends that you update to version 2.3 at your earliest convenience.

Vertex AI

You can now use a pre-built container to perform custom training with PyTorch 1.10.

December 31, 2021

Anthos

December 30, 2021

Security Command Center

Security Health Analytics, a built-in service of Security Command Center, launched the DATAPROC_IMAGE_OUTDATED detector to General Availability. This detector finds clusters created with Dataproc image versions that are affected by security vulnerabilities in the Apache Log4j 2 utility (CVE-2021-44228 and CVE-2021-45046). For more information, see Dataproc vulnerability findings.

December 28, 2021

Google Cloud VMware Engine

VMware Engine nodes are now available in the following additional region:

  • Toronto, Ontario, North America (northamerica-northeast2)

VMware Engine nodes are now available in the following additional zone:

  • Sydney, Australia, APAC (australia-southeast1-b)

December 23, 2021

Anthos clusters on VMware
  • When you deploy Anthos clusters on VMware releases with version 1.9.0 or higher that use the Seesaw bundled load balancer in an environment with NSX-T stateful distributed firewall rules, stackdriver-operator might fail to create the gke-metrics-agent-conf ConfigMap, causing gke-connect-agent Pods to crash loop. The underlying issue is that stateful NSX-T distributed firewall rules terminate the connection from a client to the user cluster API server through the Seesaw load balancer because Seesaw uses asymmetric connection flows. This integration issue with NSX-T distributed firewall rules affects all Anthos clusters on VMware releases that use Seesaw. You might see similar connection problems in your own applications when they create large Kubernetes objects (larger than 32K). Follow these instructions to disable NSX-T distributed firewall rules, or to use stateless distributed firewall rules for Seesaw VMs.

  • If your clusters use a manual load balancer, follow these instructions to configure your load balancer to reset client connections when it detects a backend node failure. Without this configuration, clients of the Kubernetes API server might stop responding for several minutes when a server instance goes down.

BigQuery

Documentation now includes a series of introductory topics to orient you to BigQuery including:

  • What is BigQuery? - Product overview, available tools, and learning resources
  • Storage - Infrastructure, ingestion, and optimization
  • Analytics - Strategies, SQL queries, and BI tools
  • Administration - Resources, workload management, security, and monitoring

In addition, the table of contents is updated to guide you through your staged BigQuery deployment with stages including: Discovery, Get started, Design, Ingest, Analyze, Administer, Secure, and Develop.

Vertex AI

There are now three Vertex AI release note feeds. Add any of the following to your feed reader:

  • For both Vertex AI and Vertex AI Workbench: https://cloud.google.com/feeds/vertex-ai-product-group-release-notes.xml
  • For Vertex AI only: https://cloud.google.com/feeds/vertex-ai-release-notes.xml
  • For Vertex AI Workbench only: https://cloud.google.com/feeds/aiplatformnotebooks-release-notes.xml

December 22, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.10.0-gke.194 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.10.0-gke.194 runs on Kubernetes v1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.10, 1.9, and 1.8.

  • vCenter/ESXi host 6.7u2 and below is no longer supported. Upgrade your vCenter environment to a supported version (6.7U3 and above) before upgrading your clusters.

  • The diskformat parameter is removed from the standard vSphere driver StorageClass as the parameter has been deprecated in Kubernetes 1.21.

  • Preview: Egress NAT gateway:

    • To enable an egress NAT gateway, the advancedNetworking section in the user cluster configuration file replaces the now-deprecated enableAnthosNetworkGateway section.

    • You must create a NetworkGatewayGroup object (previously AnthosNetworkGateway) to configure the egress NAT gateway.

    • Any admin or user clusters that are version 1.9 or earlier, and that are enabled with Anthos Network Gateway, cannot be upgraded. You must delete and recreate those clusters following these instructions.

Cluster lifecycle Improvements:

  • An admin cluster upgrade is resumable after a previous failed admin cluster upgrade attempt.

  • GA: Admin cluster registration during new cluster creation is generally available.

  • Preview: Admin cluster registration when updating existing clusters is available as a preview feature.

Platform enhancements:

  • Preview: A new load balancer option, MetalLB, is available as another bundled software load balancer in addition to Seesaw. MetalLB will become the default load balancer choice instead of Seesaw when it reaches GA.

  • GA: Support for user cluster node pool autoscaling is generally available.

  • Preview: You can create admin cluster nodes and user cluster control-plane nodes with Container-Optimized OS by specifying the osImageType as cos in the admin cluster configuration file.

  • Windows Node Pool:

    • Preview: The containerd runtime is now available for Windows node pools when Dataplane V2 for Windows is enabled.
    • Node Problem Detector checks containerd service health on the nodes and surfaces problems to the API Server. For version 1.10.0, NPD does not attempt to repair the containerd service.
    • Containerd logs are exported to the Cloud Console.

    • CSI proxy is deployed automatically onto Windows nodes. You can install and use a Windows CSI driver of your choice, such as the SMB CSI driver.

  • GA: The multi-NIC capability to provide additional network interfaces to your Pods is generally available.

  • GA: You can upgrade to Ubuntu 20.04 and containerd 1.5.

Security enhancements:

  • User cluster control plane certificates are automatically rotated at each cluster upgrade. 

Simplify day-2 operations:

  • Preview: gkectl update admin supports the enabling and disabling of Cloud Monitoring and Cloud Logging in the admin cluster. 

  • Changed the collection of application metrics to use a more scalable monitoring pipeline based on OpenTelemetry. This change significantly reduces the amount of resources required to collect metrics.

  • Updated the parser of containerd and kubelet node logs to extract severity level.

  • Introduced the --share-with optional flag in the gkectl diagnose snapshot command to share the read permission after uploading the snapshot to a Google Cloud Storage bucket.

Functionality changes:

  • Replaced the SSH tunnel with Konnectivity service for communication between the user cluster control plane and the user cluster nodes. The Kubernetes SSH tunnel has been deprecated. 

    • You must create two additional firewall rules so that user worker nodes can reach port 8132 on the user control-plane VIP address and receive return packets. This is required for the Konnectivity service.

    • Introduced a new konnectivityServerNodePort field in the user cluster manual load balancer configuration. This field is required when creating or upgrading a user cluster, with manual load balancer mode, to version 1.10. 

  • The Ubuntu OS image is upgraded from 18.04 to 20.04 LTS.

    • The python command is no longer available. Any python command should be updated to python3 instead, and the syntax should be updated to Python 3.

    • /etc/resolv.conf now points to /run/systemd/resolve/stub-resolv.conf, instead of /run/systemd/resolve/resolv.conf.

    • The Ubuntu CIS benchmark version changed from v2.0.1 for Ubuntu 18.04 LTS to v1.0.0 for Ubuntu 20.04 LTS.

  • Upgraded COS from m89 to m93.

  • Upgraded containerd from 1.4 to 1.5 on Ubuntu and COS.

  • Changed gkectl diagnose snapshot to use the --all-with-logs scenario by default.

  • The gkeadm command copies the admin workstation configuration file to the admin workstation during creation so it can be used as a backup to re-create the admin workstation later.

  • Increased the Pod priority of kube-state-metrics to improve its reliability when the cluster is under resource contention.

  • Fixed an issue that the Windows nodes were assigned with duplicated IP addresses.

  • Fixed CVE-2021-32760. Because of Ubuntu PPA version pinning, this vulnerability might still be reported by certain vulnerability scanning tools, and thus appear as a false positive even though the underlying vulnerability has been patched.

  • Because of the change to use an OpenTelemetry-based scalable monitoring pipeline for application metrics, Horizontal Pod Autoscaling with user-defined metrics does not work in 1.10.0 unless you explicitly set scalableMonitoring to false, while also ensuring that both enableStackdriverForApplications and enableCustomMetricsAdapter are set to true, in the Stackdriver object.

    As a workaround, you can install a custom Prometheus adapter if you want to use Horizontal Pod Autoscaling with user-defined metrics while still keeping the scalable monitoring default setting for application metrics.

  • Because of a COS 93 configuration issue, IPv6 dualstack does not work correctly for COS node pool nodes in version 1.10.0. If you are using IPv6 dualstack with a COS node pool, wait for an upcoming patch release that addresses this issue.

  • If an admin cluster is created with osImageType of cos, and you have rotated the audit logging service account key with gkectl update admin, the changes are overridden after the admin cluster control-plane node reboots. In that case, re-run the update command after the admin cluster control-plane node reboot to apply those changes.

  • On COS nodes, the NTP server is configured to time.google.com by default. In DHCP mode, this setting cannot be overridden to use the NTP server provided by your DHCP server. The issue will be fixed in an upcoming patch release. Before then, you can deploy a DaemonSet to override the NTP setting if you want to use a different NTP server in your COS node pool.

Anthos on bare metal

Release 1.9.3

Anthos clusters on bare metal 1.9.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.3 runs on Kubernetes 1.21.

Fixes:

  • Fixed an issue in which cluster creation fails if a cluster has more than one control plane node, and the HTTPS_PROXY environment variable has been defined on one or more of the control plane nodes.

  • Upgraded Kubernetes version from 1.21.4 to 1.21.5 to address an error in which pods become stuck in the ContainerCreating state because libcontainer mistakenly throws a "unit already exists" error.

  • The following container image security vulnerability has been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Eventarc

Support for Cloud Storage triggers is now generally available (GA).

Migrate for Anthos and GKE

Security updates

1.10.1 Security updates available. See Upgrading Migrate for Anthos and GKE for upgrade instructions.

December 21, 2021

Dataproc

Dataproc has released 1.3.95-debian10/-ubuntu18 images with a one-time patch that addresses the Apache Log4j 2 CVE-2021-44228 and CVE-2021-45046 vulnerabilities. Note that all 1.3 images remain unsupported, and Dataproc will not provide further upgrades to 1.3 images.

Security Command Center

Event Threat Detection, a built-in service of Security Command Center, launched the Active Scan: Log4j Vulnerable to RCE rule to General Availability. This rule detects active Log4j vulnerabilities by identifying DNS queries for unobfuscated domains that were initiated by supported Log4j vulnerability scanners. For more information, see Event Threat Detection rules.

December 20, 2021

Cloud Bigtable

System Event audit logs for Cloud Bigtable autoscaling are now generally available (GA).

Cloud Load Balancing

Internal TCP/UDP Load Balancing now allows you to configure a connection tracking policy for the load balancer's backend service. A connection tracking policy introduces the following new properties to let you customize your load balancer's connection tracking behavior:

  • Tracking mode
  • Connection persistence on unhealthy backends
  • Idle timeout

To learn about how connection tracking works, see Traffic distribution.

This feature is available in General Availability.

Deep Learning Containers

M88 Release

Deep Learning VM Images

M88 Release

  • As previously announced in the M87 release and M71 release, the previous format of TensorFlow 2.x image names, tf2-xxx-2-y-zzz, is unavailable starting with this release. Please use the current format of tf-xxx-2-y-zzz for image names.
  • Images from the M88 release mistakenly have M87 metadata stored in the images. For example, the welcome message upon terminal login for the base CPU image shows "Version: common-cpu.m87". This mistaken metadata is also shown in the version field in notebook Custom metadata. Users can verify they are actually using the M88 images by looking for v20211219 in the image name of the boot disk. After clicking the image, users can also verify if the image has the label release : m88. Other than the mistaken metadata, users can use the M88 images as normal.

Google Kubernetes Engine

For GKE versions 1.21 and later, newly created clusters will have the DenyServiceExternalIPs admission controller enabled by default, disabling the use of ExternalIPs Services.

For existing clusters, when you upgrade the cluster to GKE version 1.21 or later, the DenyServiceExternalIPs admission controller will not be enabled. Since ExternalIPs Services are not widely used, we recommend manually auditing any external IP usage. You can choose to block ExternalIPs by using the following command:

gcloud container clusters update CLUSTER_NAME --no-enable-service-externalips

Replace CLUSTER_NAME with the name of your cluster.

For more information, refer to Hardening your cluster's security.
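Before blocking ExternalIPs on an upgraded cluster, the note recommends auditing which Services still use them. The following added example (not Google's or GKE's own tooling) parses the JSON that `kubectl get services --all-namespaces -o json` produces and lists every Service with a non-empty spec.externalIPs, i.e. the objects the DenyServiceExternalIPs admission controller would start rejecting; the embedded sample document, its namespaces, names and addresses are constructed.

```python
"""Audit Kubernetes Services for externalIPs before enabling DenyServiceExternalIPs.

Added example, not part of the release note or of GKE. It reads the JSON
produced by `kubectl get services --all-namespaces -o json` and reports each
Service that sets spec.externalIPs, which is what the admission controller
rejects once enabled. The sample document below is constructed.
"""
import json
import subprocess
from typing import List, Tuple

# Constructed sample in the shape of `kubectl get svc -A -o json`.
# Two Services use externalIPs; one sets an empty list, which is harmless.
SAMPLE_SERVICE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "kubernetes"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.0.0.1"}},
        {"metadata": {"namespace": "web", "name": "frontend"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
        {"metadata": {"namespace": "legacy", "name": "ingress"},
         "spec": {"type": "NodePort", "externalIPs": ["203.0.113.11", "203.0.113.12"]}},
        {"metadata": {"namespace": "web", "name": "api"},
         "spec": {"type": "LoadBalancer", "externalIPs": []}},
    ],
})


def find_external_ip_services(service_list_json: str) -> List[Tuple[str, str, List[str]]]:
    """Return (namespace, name, externalIPs) for every Service with a non-empty externalIPs list.

    Services without the field, or with an empty list, are not affected by the
    admission controller and are skipped.
    """
    doc = json.loads(service_list_json)
    findings: List[Tuple[str, str, List[str]]] = []
    for item in doc.get("items", []):
        ips = item.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = item["metadata"]
            findings.append((meta["namespace"], meta["name"], list(ips)))
    return findings


def audit_live_cluster() -> List[Tuple[str, str, List[str]]]:
    """Run the same audit against the current kubectl context (needs kubectl and cluster access)."""
    out = subprocess.run(
        ["kubectl", "get", "services", "--all-namespaces", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_external_ip_services(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in audit_live_cluster() for a real cluster.
    for ns, name, ips in find_external_ip_services(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{name} uses externalIPs {ips}; migrate it before enabling DenyServiceExternalIPs")
```

An empty result means the admission controller can be enabled without breaking any existing Service.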

A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs.

This issue is fixed in the following GKE versions:

  • 1.22.3-gke.1100 or above
  • 1.21.6-gke.700 or above
  • 1.20.12-gke.700 or above
  • 1.19.16-gke.700 or above

For more information about the CVE, refer to CVE-2021-41103.

SAP on Google Cloud

Backint agent for SAP HANA version 1.0.16

Version 1.0.16 of the Google Cloud Backint agent for SAP HANA is now available. Version 1.0.16 includes bug fixes and performance enhancements.

For more information about the agent, see Cloud Storage Backint agent for SAP HANA overview.

December 18, 2021

Dataproc

Dataproc has released the following sub-minor image versions to address an Apache Log4j 2 vulnerability (also see Create a cluster and Recreate and update a cluster for more information). Note: These images supersede the 1.5 and 2.0 images listed in the December 16, 2021 release note:

1.5.53-centos8, 1.5.53-debian10, 1.5.53-ubuntu18,

2.0.27-centos8, 2.0.27-debian10, 2.0.27-ubuntu18

Note: The Geode interpreter for Zeppelin notebooks is not operational in the 1.4.77, 1.5.53, 2.0.27, and later images.

December 16, 2021

Anthos Service Mesh

1.12.0-asm.4 is now available.

Anthos Service Mesh includes the features of Istio 1.12 subject to the list of Anthos Service Mesh supported features.

Fixed a compatibility issue in the previous release between GKE 1.22, the Anthos Service Mesh Certificate Authority (Mesh CA), and Certificate Authority Service (CA Service).

Managed Anthos Service Mesh now supports Locality Load Balancing and Consistent Hash Load Balancing in the regular and rapid channels.

Anthos Service Mesh now supports Locality Load Balancing and Consistent Hash Load Balancing.

BigQuery

The row-level security feature now supports administrator access to historical data for tables with row-level access policies.

Cloud Composer

Cloud Composer 2 is now generally available (GA).

Private Service Connect support is available in Preview for Cloud Composer 2.

Authorized networks support is available in Preview.

For the latest updates of the potential impact of the open-source Apache Log4j 2 vulnerability on Google Cloud products, see the Apache Log4j 2 Vulnerability page.

Cloud Composer 2.0.0 images are available:

  • composer-2.0.0-airflow-2.1.4
  • composer-2.0.0-airflow-2.0.2

Cloud Database Migration Service

Database Migration Service now supports creating Cloud SQL for MySQL, Cloud SQL for PostgreSQL, and Cloud SQL for SQL Server instances with customer-managed encryption keys (CMEK) enabled. Click here to access the documentation.

Cloud Run

For consistency with latency reported in request logs, the request_latencies monitoring metric now excludes container startup latency.

Cloud SQL for MySQL

You can now see the database minor version when viewing information about an instance. See Database versions and version policies for a list of the latest supported versions.

You can now set or upgrade your minor version for Cloud SQL for MySQL 8.0.

Cloud SQL now supports MySQL 8.0.26. To upgrade your existing instance to the new version, see how to upgrade your minor version.

MySQL 5.7.35 has been upgraded to 5.7.36.

Cloud SQL for MySQL now supports point-in-time recovery using a timestamp. See Point-in-time recovery.

Cloud SQL for MySQL now supports database auditing. Database auditing lets you track specific user actions in the database, such as table updates, read queries, user privilege grants, and others. To learn more, see MySQL database auditing.

Cloud SQL for PostgreSQL

You can now see the database minor version when viewing information about an instance. See Database versions and version policies for a list of the latest supported versions.

Cloud SQL for SQL Server

You can now see the database minor version when viewing information about an instance. See Database versions and version policies for a list of the latest supported versions.

Compute Engine

Preview: Compute-optimized C2D machine types are now available in preview. C2D machine types are built on top of third generation AMD EPYC Milan processors and are a great fit for high-performance computing (HPC) workloads. For more information, see Compute-optimized machine family.

Accelerator-optimized (A2) machine types with gVNIC are currently experiencing a known issue.

Data Catalog

Starring is now generally available (GA). You can now mark your favorite entries as starred and see them on the Data Catalog's main page in the corresponding list. The list of starred entries is private to you.

Dataproc

Dataproc has released the following sub-minor image versions to address an Apache Log4j 2 vulnerability (also see Create a cluster and Recreate and update a cluster for more information):

1.4.77-debian10, 1.4.77-ubuntu18,

1.5.52-centos8, 1.5.52-debian10, 1.5.52-ubuntu18,

2.0.26-centos8, 2.0.26-debian10, 2.0.26-ubuntu18

Upgraded log4j version to 2.16.0. Applies to 1.4, 1.5, and 2.0 image versions.

Eventarc

Filestore

The following Filestore features are now generally available (GA):

  • Enterprise tier
  • Customer-managed encryption key support
  • Snapshots
  • Private services access support

Filestore snapshots now support reverting to a snapshot.

SAP on Google Cloud

Filestore Enterprise for SAP systems

The Enterprise tier of Filestore (Filestore Enterprise) is now generally available (GA) as a file sharing solution for SAP systems on Google Cloud. The GA release of Filestore Enterprise includes support for multi-zone, high-availability configurations of SAP systems.

For more information, see File sharing solutions for SAP on Google Cloud.

Security Command Center

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Log4j Compromise Attempt rule to General Availability. This rule detects Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters. These lookups may indicate attempts at Log4Shell exploitation. For more information, see Event Threat Detection rules.

Traffic Director

December 15, 2021

Cloud Monitoring

The Slack notification channel for alerting is now generally available (GA). You can now test your connection from Google Cloud when adding new Slack channels. The notification has been updated with the latest template and now includes your resource, system, and user labels. For more information, see Creating channels.

Cloud SQL for PostgreSQL

PostgreSQL version 14 is now generally available. To start using PostgreSQL 14, see Create instances.

Cloud Storage

Public Access Prevention is now in GA.

orgpolicy.policy.get permission is now included in certain Cloud Storage IAM roles.

  • This permission is now included in the following roles when they're set at the project-level: Storage Object Creator, Storage Object Admin, Storage HMAC Key Admin, and Storage Admin.
  • This permission allows principals to know the organizational policy constraints that a project is subject to.

Compute Engine

Generally available: When rolling out configuration or application updates to a stateful or stateless managed instance group, use the minimum and most disruptive allowed actions to control disruption to your workload.

Public preview: You can use the gcloud tool or API to configure stateful IP addresses in a managed instance group. Stateful IP addresses are preserved when VM instances in the group are autohealed, updated, and recreated.

Datastore

Key Visualizer for Datastore is now generally available (GA).

Dialogflow

Dialogflow CX auto sync for agent collaboration is now GA (generally available).

Dialogflow CX change history is now GA (generally available).

The Dialogflow CX simulator now allows you to specify flow versions when interacting with the simulator.

Document AI

New Lending Processors (Preview)

The following new processors are now available in limited preview:

New Versions of Lending Processors

We have launched new versions of the following lending processors.

These new versions use a new lending document splitting and classification model with improved quality and support for more document types. For more information, see the Document types identified by the Lending Splitter & Classifier.

Firestore

Key Visualizer for Firestore is now generally available (GA).

Google Cloud VMware Engine

Added ability to forward syslog messages of a desired severity (like Error or Warning) to Cloud Logging from NSX-T. You can set up alerts and dashboards based on those messages in Google Cloud's operations suite.

For details about this feature, see Configure a private cloud for syslog forwarding.

SAP on Google Cloud

Monitoring agent for SAP HANA, version 2.2

Version 2.2 of the monitoring agent for SAP HANA is now available. This version updates the JRE that is used by the agent.

For more information, see Monitoring agent for SAP HANA.

Google Cloud monitoring agent for SAP NetWeaver, version 2.1

Version 2.1 of the monitoring agent for SAP NetWeaver is now available. This version updates the JRE that is used by the agent and fixes an issue when upgrading.

For more information, see SAP NetWeaver Planning Guide.

Backint agent for SAP HANA version 1.0.15

Version 1.0.15 of the Google Cloud Backint agent for SAP HANA is now available. Version 1.0.15 updates an internal library (maven-artifact) used by the agent.

For more information about the agent, see Cloud Storage Backint agent for SAP HANA overview.

Virtual Private Cloud

When you create a custom mode VPC network, you can select predefined firewall rules which address common use cases for connectivity to instances. This feature is available in General Availability.

December 14, 2021

Access Transparency

Access Transparency supports Secret Manager in Preview stage. For the complete list of services that Access Transparency supports, see Supported services.

Anthos Service Mesh

This release note was updated on December 16, 2021. Managed Anthos Service Mesh still supports 1.9 in the Stable Release Channel.

Anthos Service Mesh 1.7-1.9 are no longer supported. For more information, see Supported versions.

Anthos clusters on AWS (previous generation)

Anthos Clusters on AWS aws-1.10.0-gke.5 (previous generation) is now available.

Anthos clusters on AWS aws-1.10.0-gke.5 (previous generation) clusters run the following Kubernetes versions:

  • 1.19.16-gke.1000
  • 1.20.12-gke.1000
  • 1.21.6-gke.1000

This release supports creating instances in the c5a, c5ad, i3en, m5a, m5ad, r5a, r5ad, and t3a families.

Kubernetes 1.18 is no longer supported. You can no longer launch Kubernetes 1.17 clusters. Your existing 1.17 clusters will continue to run.

This release fixes the following security issues:

This release fixes an earlier issue with 1.21 clusters that use both OIDC and an HTTP proxy.

To install Anthos Service Mesh, follow the steps in Connecting to your cluster before starting your Anthos Service Mesh installation.

You no longer need the ServiceUsageViewer role to install Anthos clusters on AWS.

Anthos on bare metal

Release 1.8.7

Anthos clusters on bare metal 1.8.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.7 runs on Kubernetes 1.20.

Fixes:

The following container image security vulnerability has been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

BigQuery

Chronicle

Role-based access control (RBAC)

Role-based access control (RBAC) enables you to tailor access to Chronicle features based on an employee's role in the organization. Assigning a role to a user grants that user the permissions associated with the role, which enables the user to access role-appropriate Chronicle features.

Cloud Monitoring

The Pub/Sub notification channel for alerting is now generally available (GA). You can now test your connection from Google Cloud when adding new Pub/Sub channels. For more information, see Creating channels.

Cloud Run

The ability to configure Cloud Run services to have CPU allocated for the entire lifetime of container instances is now at general availability (GA).

Compute Engine

Generally available: You can now share reservations of Compute Engine zonal resources between multiple projects. Learn about shared reservations and creating a shared reservation.

Config Connector

Config Connector 1.69.0 is now available

Added support for VPCAccessConnector resource

Added support for ComputePacketMirroring resource

Added support for PrivateCACAPool resource

Added support for IAMWorkloadIdentityPool resource

Added support for IAMWorkloadIdentityPoolProvider resource

Added support for CloudIdentityMembership resource

Rollout support for state-into-spec: absent to ContainerCluster resource (Issue #576)

Added the billingProject field in ConfigConnectorContext to specify a quota project that is sent along with the user_project_override header for all requests made by Config Connector. If set on a resource that supports sending the resource project, this value supersedes the resource project. This field can only be set if requestProjectPolicy is set to BILLING_PROJECT.

Fixed an issue in config-connector export so that the exported YAML now includes zero-valued primitives, matching the live state of the Google Cloud resource.

Fixed issues with creating Autopilot clusters through the ContainerCluster resource.

Dataproc Metastore

An Apache Log4j 2 vulnerability that impacted Dataproc clusters has been addressed (see Recreate and update a cluster, which provides guidance to Dataproc users). Dataproc Metastore users do not need to take any action; the fix applied by Dataproc Metastore is sufficient to address the issue.

Datastream

Datastream now supports customer-managed encryption keys (CMEK). Click here to access the documentation.

Google Kubernetes Engine

The CAP_NET_BIND_SERVICE file capability that metrics-server requires to bind privileged port 443 is dropped in clusters that enable PodSecurityPolicy and use the Ubuntu with Docker container runtime in node pools. As a result, metrics-server fails to bootstrap and autoscaling does not work. All 1.21 and 1.22 node versions are impacted. This issue will be fixed in a future release. Automatic node upgrades from GKE version 1.20 to 1.21 are halted until this issue is fixed.

Kf

Added buildDisableIstioSidecar configuration feature.

Added buildPodResources configuration feature.

Added controllerCACerts configuration feature.

Added buildRetentionCount configuration feature.

Added V3 Google stack as build option.

Added V3 kf-v2-to-v3-shim stack as build option.

Fixed an issue that could prevent SIGTERM from reaching an app.

Fixed an issue that caused extra reconciliation loops and logs.

Improved CLI performance.

Improved subresource API server resilience.

Updated Config Connector to v1.66.0.

Updated Tekton to v0.29.0.

Support for Anthos Service Mesh (ASM) v1.11+, which recommends ingress gateways be outside of the istio-system namespace.

Changed build ImagePullPolicy default from always download to prefer cached.

Improved Workload Identity reliability.

Secret Manager

Access Transparency supports Secret Manager in Preview stage.

Service Directory

December 13, 2021

Access Approval

Access Approval provides a preview feature that uses a cryptographic key to sign an access request. Access Approval uses this signature to verify the integrity of the approval.

You can either use the default Google-managed signing key or bring your own signing key. To bring your own signing key, you must meet certain requirements. Using the default Google-managed signing key doesn't require any additional configuration.

For more information about how signing of an access request works, see Overview of Access Approval.

Anthos Service Mesh

Managed Anthos Service Mesh now supports VPC Service Controls (VPC-SC) as a preview feature in the rapid channel. For more information, see Configure VPC Service Control for Managed Anthos Service Mesh.

1.11.5-asm.3 is now available.

Anthos Service Mesh 1.11 includes the features of Istio 1.11 subject to the list of Anthos Service Mesh supported features.

Cloud Bigtable

A Cloud Bigtable instance can now have clusters in up to 8 regions. This lets you create an instance with as many clusters as there are zones in your chosen Bigtable regions. Previously, an instance was limited to 4 clusters.

Cloud Data Loss Prevention

The ICCID_NUMBER infoType detector is available in all regions.

Cloud SQL for SQL Server

A new feature enables more flexibility for integrating Cloud SQL for SQL Server with Managed Service for Microsoft Active Directory. You can integrate your SQL Server instance with a managed AD domain located in a different project.

Cloud Tasks

You can now create Cloud Tasks queues in multiple GCP Regions around the world. If you are using HTTP Targets, you no longer need to deploy an App Engine application.

Compute Engine

You can now save copies of all charts from the Observability tab on Compute Engine's VM instance details page to one of your custom dashboards. To save copies of the charts, click Add Charts to Dashboard. You then select a new or existing custom dashboard as the destination.

Dataproc

Dataproc has added new images, listed in this release note, to address an Apache Log4j 2 vulnerability. Note: These images have been superseded by the images released on December 16, 2021 (see the December 16, 2021 release note). Also see Create a cluster and Recreate and update a cluster for more information.

New sub-minor versions of Dataproc images:

  • 1.4.76-debian10, 1.4.76-ubuntu18
  • 1.5.51-centos8, 1.5.51-debian10, 1.5.51-ubuntu18
  • 2.0.25-centos8, 2.0.25-debian10, 2.0.25-ubuntu18

HIVE-21040: msck does unnecessary file listing at last level of directory tree. Applies to 1.5 and 2.0 images.

Fixed executor log links on Spark History Server Web UI for running and completed applications. Applies to 1.4 and 1.5 images.

Fixed a bug where driver log links on PHS Web UI stop working once the job cluster is deleted. Applies to 1.4 and 1.5 images.

YARN-8990: Fixed a Fairscheduler race condition. Applies to 2.0 images.

SPARK-7768: Make user-defined type (UDT) API public. Applies to 2.0 images.

SPARK-35817: Queries against wide Avro tables can be slow. Applies to 2.0 images.

Dialogflow

Dialogflow CX now supports the asia-southeast1 (Jurong West, Singapore) and europe-west3 (Frankfurt, Germany) regions.

Eventarc

A dedicated user interface is now available in Preview.

Security Command Center

Event Threat Detection, a built-in service of Security Command Center, launched the Persistence: New API Method rule to Preview. This rule detects anomalous API behavior by examining Cloud Audit Logs for requests to Google Cloud services that a principal has not seen before. For more information, see Event Threat Detection rules.

Storage Transfer Service

Integration with AWS Security Token Service is now generally available (GA) for Storage Transfer Service.

Security-conscious customers can use Storage Transfer Service to transfer from AWS S3 without handing over long-term AWS credentials, which would otherwise have to be rotated or explicitly revoked when they are no longer needed. Refer to the Amazon S3 > Federated Identity tab when setting up access to your data source.

Creating and managing data transfers with the gcloud command-line tool is now available in Preview. You can use gcloud commands to install agents, manage agent pool lifecycles, and orchestrate transfer jobs. This launch simplifies writing scripts to automate transfer workflows.

Traffic Director

Control plane observability is now in Preview. This lets you view logs and metrics for the Traffic Director control plane. For more information, see Control plane observability.

Virtual Private Cloud

Accessing published services using a Private Service Connect endpoint from on-premises hosts that are connected to a VPC network using Cloud VPN is now available in General Availability.

Connectivity from on-premises hosts to a Private Service Connect endpoint that is used to access managed services now correctly establishes for all service attachment configurations.

December 10, 2021

Anthos on bare metal

Release 1.10.0

Anthos clusters on bare metal 1.10.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.0 runs on Kubernetes 1.21.

Improved cluster lifecycle functionalities:

  • GA: Enabled Node Problem Detector to run by default on all nodes. You can check whether a problem was detected on a node by running the kubectl describe command for the node, then looking for NodeConditions or Events reported by Node Problem Detector.

  • GA: Added bmctl backup cluster and bmctl restore cluster commands to facilitate disaster recovery for clusters.

  • Preview: Added the ability to reset individual nodes using the SSH key.

  • Updated the bmctl check cluster command so that the snapshot of a cluster includes the cluster's YAML file and logs that are in the bmctl-workspace directory.

  • Added a new status field cluster.gkeHubRegistrationStatus. The command kubectl get cluster now shows information about the cluster's membership in GKE Hub.

Networking:

  • Preview: Enabled Anthos multi-cluster connectivity to provide Anthos clusters a way to connect to another Anthos cluster in the same data center (intra-site, cluster-to-cluster). Pods in connected clusters can reach each other over pod IP addresses without network address translation (NAT) in between.

  • Preview: Enabled IPv4/IPv6 dual stack support. Customers can deploy clusters in a dual-stack network, where IPv4 and IPv6 addresses can be assigned to both nodes and pods.

  • Preview: Enabled "flat mode" (a simplified network topology) for IPv4, where the pod's IPv4 address is visible and routable within the same Layer 2 domain without being masqueraded as the node IP.

  • Preview: Enabled SR-IOV. This feature lets you configure Virtual Functions (VFs) on supported devices on the nodes of your cluster. It also lets you define the kernel module you want to bind to the VF.

Observability:

  • GA: Added ability to show severity level of an issue in Cloud Logging. Severity level is extracted from containerd and kubelet node logs.

  • GA: Changed collection of application metrics to use a more scalable monitoring pipeline based on OpenTelemetry. This change significantly reduces the amount of resources required to collect metrics.

Security:

  • GA: Enhanced the capability to rotate cluster certificate authorities (CAs). Updates include support for all cluster types, rotation of front-proxy and etcd CAs, and changes to the bmctl command syntax.

  • Preview: Enabled installation of Anthos clusters on bare metal using a short-lived Google Service Account token instead of using Google Service Account keys.

  • Enabled Kubernetes control plane and most Anthos system containers to run as non-root users. For details, see Don't run containers as root user.

VM Runtime:

  • Preview: Supported enabling or disabling Anthos VM Runtime on user clusters.

  • Preview: Enabled Anthos VM Runtime to support QEMU Copy On Write (QCOW2) format, which is a storage format for virtual disks on virtual machines. Some benefits of virtual disk capabilities are independent thin provisioning, better compression, and encryption at rest.

  • Preview: Enabled VMRuntime custom resource and the Network custom resource, which let you create VMs on either the node network with a static IP address or the default pod network.

  • Preview: Enabled VM pods audit logs for VM runtime resources.

  • Preview: Expanded the guest OS versions that can run on a virtual machine. Windows Server 2019, Windows Server 2016, Windows 10, Red Hat Enterprise Linux (RHEL) 8, CentOS 8, and Ubuntu 20.04 are supported as guest operating systems.

  • Preview: Enabled virtual machine high availability to provide greater uptime for virtual machine instances (VMIs) by automatically detecting and recovering from a range of host machine failures.

Breaking changes:

The gateway capability used by the egress NAT gateway and bundled load balancing with BGP Preview features has changed in this release. The NetworkGatewayGroup custom resource replaces AnthosNetworkGateway, and the capability is enabled with a new advancedNetworking field in the cluster configuration file instead of an annotation. These changes affect the ability to upgrade clusters that use earlier versions of the features.

Anthos clusters on bare metal blocks cluster upgrades from version 1.9 to version 1.10 for clusters that use either of these two advanced networking features. You can upgrade a version 1.9 admin cluster that is managing 1.9 user clusters that use these features to version 1.10, but object reconciliation breaks for the AnthosNetworkGateway custom resource. Object reconciliation is the mechanism whereby admin clusters automatically copy/restore objects on managed user clusters when the objects have been defined alongside the cluster configuration. Any AnthosNetworkGateway custom resources are still functional and can be modified with kubectl.

To bring a version 1.9 cluster that uses either advanced networking Preview feature up to version 1.10, reset or delete the cluster and create a new 1.10 cluster.

Preview features and products are subject to change and are provided for testing and evaluation purposes only. Do not use Preview features on your production clusters.

Functionality changes:

  • Enabled use of ADMIN_KUBECONFIG environment variable to reduce the number of bmctl command flags.

  • The cluster reconciliation process now checks for differences in the GKEHub membership before attempting to update it. If the GKEHub membership needs to be changed, the cluster is unregistered and then re-registered.

  • The advancedNetworking field in the cluster configuration file replaces the deprecated baremetal.cluster.gke.io/enable-anthos-network-gateway annotation for enabling advanced networking capabilities.

  • The NetworkGatewayGroup custom resource replaces the AnthosNetworkGateway custom resource.

Fixed cluster lifecycle functionalities:

  • Outputs from all bmctl commands except bmctl version are now written to log files.

  • Fixed strict mode for decoding the cluster YAML file. Extraneous information in the cluster YAML file now results in an error.

  • Fixed preflight check so that it no longer ignores the no_proxy setting.

  • Binaries in cluster provision no longer run from /tmp, which is often mounted with noexec options. This change fixes a preflight check "permission denied" error.

  • Switched the default server-side containerRuntime value from docker to containerd.

Observability:

  • Increased the priority of the kube-state-metrics service to keep it from being stuck in a pending state. This service generates metrics about Kubernetes API objects such as deployments, nodes, and pods.

  • Upgraded metrics-server to version 0.3.6 to fix a missing metrics issue that occurs when a duplicated pod name is present.

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Cloud Asset Inventory

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Dialogflow
    • dialogflow.googleapis.com/Agent
    • dialogflow.googleapis.com/LocationSettings
  • Artifact Registry
    • artifactregistry.googleapis.com/DockerImage
  • GKE
    • networking.k8s.io/NetworkPolicy
  • DLP
    • dlp.googleapis.com/DlpJob
    • dlp.googleapis.com/DeidentifyTemplate
    • dlp.googleapis.com/InspectTemplate
    • dlp.googleapis.com/JobTrigger
    • dlp.googleapis.com/StoredInfoType
  • Service Management
    • servicemanagement.googleapis.com/ManagedService

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Game Service
    • gameservices.googleapis.com/GameServerCluster
    • gameservices.googleapis.com/GameServerConfig
    • gameservices.googleapis.com/GameServerDeployment
    • gameservices.googleapis.com/Realm

Compute Engine

The n2-node-128-864 sole-tenant node type is now available in Preview.

Security Command Center

Event Threat Detection, a built-in service of Security Command Center, launched the Evasion: Access from Anonymizing Proxy rule to General Availability. This rule detects Google Cloud service modifications that originated from anonymous proxy IP addresses, like Tor IP addresses. For more information, see Event Threat Detection rules.

Workflows

Dynamic keys are now supported.

December 09, 2021

Anthos Config Management

This note was updated on December 14, 2021:
The Config Sync admission webhook is now disabled by default, and you can enable or disable it explicitly. Config Sync blocks drift in the cluster only while the admission webhook is enabled. To learn more, see Prevent config drift.

  • If you install Config Sync using Google Cloud Console or gcloud, you can enable the webhook by adding the following setting to your apply-spec.yaml configuration file: spec.configSync.preventDrift: true (requires Cloud SDK 367.0.0 or later)
  • If you install Config Sync manually with kubectl, you can enable the webhook by adding the following setting to your config-management-operator.yaml configuration file: spec.preventDrift: true

Policy Controller has deprecated the K8sPSPSELinux (v1) ConstraintTemplate. The K8sPSPSELinuxV2 template has been available since Anthos Config Management 1.5.2. Constraints created against K8sPSPSELinux (v1) are not compatible with the K8sPSPSELinuxV2 template. Customers using constraints based on the K8sPSPSELinux (v1) template will need to recreate those constraints against K8sPSPSELinuxV2.

The Config Sync feature to render Kustomize configurations and Helm charts is generally available (GA). To learn more, see Use a repo with Kustomize configurations and Helm charts.

The Policy Controller feature to support mutation is generally available (GA). To learn more, see Mutate Resources.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: c36e3d8).

Use nomos migrate to easily enable the RootSync and RepoSync APIs in the cluster. These APIs provide additional features and give you the flexibility to sync from a single repository or from multiple repositories.

Added a new metric, pipeline_error_observed, that captures whether an error occurred in any of the rendering, sync, source, or readiness stages.

nomos status surfaces messages from resource conditions when the managed resources are not ready or healthy.

Increased memory request for git-sync container to 200Mi.

Fixed the issue causing nomos hydrate not to render Kustomize configs if it references files in parent directories.

Fixed the issue causing nomos vet --namespace to fail because it incorrectly defaults --source-format to hierarchy.

This note was updated on December 14, 2021:
Reduced the latency to sync a root repository in RootSync and RepoSync APIs by reducing GET calls to the API server.

Fixed the issue causing some resources not to be applied when the status updates of all the resources in a Git repository take longer than 1 minute.

Fixed the issue in RootSync and RepoSync APIs causing proxy to incorrectly fail validation when auth is set to cookiefile or none.

Anthos Service Mesh

1.12.0-asm.3 is now available.

Anthos Service Mesh 1.12 includes the features of Istio 1.12 subject to the list of Anthos Service Mesh supported features.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a managed Anthos Service Mesh release channel for more information.

Anthos Service Mesh now supports installations and upgrades on Microsoft Azure Kubernetes Service (AKS) clusters.

Anthos Service Mesh now supports the Certificate Authority Service integration on on-premises platforms (both Anthos on VMware and bare metal). See install and upgrade with default features and CA Service.

Anthos Service Mesh now supports deploying a proxy built on the distroless base image. The distroless base image ensures that the proxy image contains the minimal number of packages required to run the proxy. This improves security posture by reducing the overall attack surface of the image and gets cleaner results with CVE scanners. See Distroless proxy image for more information.

For unmanaged Anthos Service Mesh installations, the installer will automatically set up the default tag (the istio-revision-tag-default and istio-default-validator webhooks). When the default tag exists, it is possible to use the istio-injection=enabled namespace label and the sidecar.istio.io/inject workload label to enable sidecar injection for that revision.

Anthos on bare metal

Release 1.7.7

Anthos clusters on bare metal 1.7.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.7 runs on Kubernetes 1.19.

Fixes:

  • The 1.7.6 release has a known issue that blocks upgrades of 1.7.5 clusters. The 1.7.7 release allows you to upgrade from all earlier versions to get the latest security fixes.

  • The following container image security vulnerabilities have been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Cloud Bigtable

Autoscaling for Cloud Bigtable is now generally available (GA). Autoscaling helps prevent over-provisioning or under-provisioning by letting Cloud Bigtable automatically add or remove nodes to a cluster when usage changes. In addition, new metrics are available to help you understand how autoscaling is working.

You can now use customer managed encryption keys (CMEK) in Cloud Bigtable instances that are replicated across multiple regions. Previously, CMEK was limited to instances that had clusters in a single region. This feature is generally available (GA).

Cloud Composer

The switch from Python 3.6 to Python 3.8 in Cloud Composer images with Airflow 1.10.15 has been delayed and will now happen in February 2022. For existing environments, the migration from Python 3.6 to 3.8 will happen during the upgrade process. New environments will use Python 3.8.

Fixed the issue with continuous web server reloading when syncing plugins.

(Cloud Composer 2) Messages in web server logs now have correctly assigned severity.

(Airflow 2.1.4) The apache-airflow-providers-hashicorp package is added to images with Airflow 2.1.4.

(Airflow 2.1.4) Backported the fix for the SerializedDagNotFound: DAG not found in serialized_dag table Airflow bug.

(Airflow 2.1.4) Users with the Admin role can now create users in the Airflow UI.

Cloud Composer 1.17.7 and 2.0.0-preview.7 images are available:

  • composer-1.17.7-airflow-1.10.15 (default)
  • composer-1.17.7-airflow-2.0.2
  • composer-1.17.7-airflow-2.1.4
  • composer-2.0.0-preview.7-airflow-2.0.2
  • composer-2.0.0-preview.7-airflow-2.1.4

Cloud Composer 1.13.2 has reached its end of full support period.

Cloud SQL for MySQL

Cloud SQL now limits the rate for backup and restore operations on the data disk. For more information, see Backup rate limitations and Restore rate limitations.

Cloud SQL for PostgreSQL

Cloud SQL now limits the rate for backup and restore operations on the data disk. For more information, see Backup rate limitations and Restore rate limitations.

Google Kubernetes Engine

GKE version 1.22.3-gke.1500 and later support user impersonation for all user-defined users and groups. System users and groups such as the kube-apiserver user and the system:masters group cannot be impersonated.

December 08, 2021

AI Platform Training

Runtime version 2.7 is available. You can use runtime version 2.7 to train with TensorFlow 2.7, scikit-learn 1.0.1, or XGBoost 1.5.0. Runtime version 2.7 supports training with CPUs, GPUs, or TPUs.

See the full list of updated dependencies in runtime version 2.7.

Access Transparency

You can view Access Transparency logs for Google Workspace services in the Google Cloud Console. For more information, see Viewing Access Transparency logs for Google Workspace.

App Engine standard environment Go
  • Updated Go SDK to version 1.9.72.
  • Added ARM version support for app-engine-go component.

Chronicle

Dashboards

Chronicle provides a set of default dashboards to monitor data ingestion status, health, rule detection context, IOC matches and alert prioritization, and user sign-ins. Reporting is available by converting a dashboard to a shareable file (PDF, Excel, CSV, etc.). You can also create custom personal and shared dashboards.

Cloud Functions

Cloud Functions has added support for customer-managed encryption keys, available at the Preview release level.

Dialogflow

The Dialogflow CX simulator now provides page lifecycle navigation to help you understand the execution steps taken for each conversational turn.

Migrate for Anthos and GKE

Replatform Tomcat applications to containers

Version 1.10 introduces a new public offering for replatforming VMs that run Tomcat applications into containers using Apache Tomcat OSS community images. Migrate for Anthos and GKE now enables you to:

  • Detect VMs that host Tomcat web servers and indicate their fit level for containerization.
  • Discover Tomcat applications as part of migration processing and break them down into individual containers based on the Tomcat community images.

See Migrating Tomcat Workloads.

Fit assessment for Tomcat application servers workloads

The fit assessment tool now supports assessments of Linux workloads running Tomcat application servers. The new assessment capability allows users to inspect their Tomcat applications for automated containerization to GKE, GKE Autopilot, or Cloud Run.

Migrate to GKE Autopilot clusters and Cloud Run now in GA

Simplified Linux service manager, which lets you deploy containers to GKE Autopilot clusters and to Cloud Run, is now the default service manager for any migrations performed with Migrate for Anthos and GKE.

See Migrating to Autopilot clusters and Cloud Run for more on these new features.

Assessment of workloads for Shift to Google Compute Engine

Added support for assessing Lift & Shift migrations to Google Compute Engine. The fit assessment tool is enhanced with additional assessment capabilities that indicate a VM's fit score for a Lift & Shift migration using Migrate for Compute Engine. The fit assessment report gives users recommended actions based on conditions that can impact automated migration. With these details, users can choose the best workloads for migration and fix issues before they impact the automated migration process.

Fit assessment of AWS EC2 workloads

The fit assessment tool now supports assessments of AWS EC2 workloads by running the collection scripts directly on the assessed AWS EC2 VM, or over a remote SSH session from the CLI. The new assessment feature enables users to inspect their workload for automated containerization to GKE, GKE Autopilot, and Cloud Run using Migrate for Anthos and GKE.

Fit assessment of Google Compute Engine VM workloads

The fit assessment tool now supports assessment of Google Compute Engine VM workloads by running the collection scripts directly on the assessed Compute Engine VM, or over a remote SSH session from the CLI. The new assessment feature enables users to inspect their workload for automated containerization to GKE, GKE Autopilot, and Cloud Run using Migrate for Anthos and GKE.

Source platform indication and VM path on Fit Assessment reports

The fit assessment reports in HTML and Cloud Console include information on the source platform of the assessed VM, and a unique ID per platform. This allows users to compare and view information on their assessed workloads from various platforms.

Assessment for containerization on Cloud Run

The fit assessment tool now supports assessments of workloads for containerization to Cloud Run, Google Cloud's fully managed serverless platform. The new assessment allows users to inspect their workloads for automated containerization using Migrate for Anthos and GKE.

Assessment for containerization on GKE Autopilot

The fit assessment tool now supports assessments of workloads for containerization to GKE Autopilot, a mode of operation in Google Kubernetes Engine (GKE) that is designed to reduce the operational cost of GKE clusters. The new assessment capability allows users to inspect their workloads for automated containerization to GKE Autopilot using Migrate for Anthos and GKE.

Using RVTools output as a data source for fit assessment

The fit assessment tool now supports analyzing the RVTools .xlsx report file from a single VMware vCenter by running ./mfit discover rvtools name.xlsx. RVTools utilities are used to retrieve VMware vSphere management data. With the RVTools data source, users can easily generate detailed fit assessment reports from their existing RVTools export.

Fit assessment automatic version checks

The fit assessment tool now checks for the availability of a new version by probing a version check Google Cloud Storage resource.

190704603: Change to mFIT CLI Help text - 'Import collector script artifacts'.

190575888: Design updates to mFIT HTML report, fonts changes, layout bugs and graphs position on report.

206772515: Fixed a bug where ** in a v2kServiceManager log path was not supported.

205159324: Fixed a bug where services-config.yaml was not created even when the migration completed successfully in the new Linux system container runtime.

199382909: Data migration plans will not have comments when using the UI.

205159086: On newer Ubuntu versions migrated workloads will fail.

208040681: Operating system field 'disappears' after running guest level discovery.

194186514: Migration done in Anthos on AWS might succeed even though the files were not uploaded.

Uninstall might get stuck when a sourcesnapshot CRD cannot be deleted. To work around this, run kubectl edit sourcesnapshot -n v2k-system and remove all finalizers.

204879458: If your image repository permissions are invalid, migration will get stuck in ExtractImage instead of the UploadImage step.

Pub/Sub

Extended topic retention allows you to retain published messages for a maximum of 31 days.

For more information, see Topic message retention.

December 07, 2021

Cloud Key Management Service

The Cloud EKM cryptographic requests quota has been increased from 10 QPS to 100 QPS. If you use quotas to determine how much you are billed, this change could increase the amount you spend on Cloud KMS. See Cloud EKM quotas for more details.

Cloud Run for Anthos

Preview: Cloud Run for Anthos is now available as a Preview for the following Anthos cluster types: Attached, AWS, Azure, and Bare metal on-premises. Learn more

Security Command Center

To facilitate the flow of information between Security Command Center and third-party systems, a resource called ExternalSystems was added under the Finding object. A finding can contain multiple ExternalSystems fields.

The ExternalSystems resource can contain any of the following:

  • Third-party SIEM/SOAR fields within Security Command Center
  • External system information
  • External system finding fields

A caller with the Security Center External Systems Editor (roles/securitycenter.externalSystemsEditor) IAM role can update an ExternalSystems object using the organizations.sources.findings.externalSystems.patch API.

Event Threat Detection, a built-in service of Security Command Center, released the Exfiltration: BigQuery Data Extraction rule. This rule is available in Preview. It detects events where an organization's BigQuery data is exported to an externally visible Cloud Storage bucket. For more information, see Event Threat Detection rules.
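The three Event Threat Detection rules noted in these release notes (Persistence: New API Method, Evasion: Access from Anonymizing Proxy, and Exfiltration: BigQuery Data Extraction) all reduce to pattern matching over Cloud Audit Log entries. The following is an added example, not Google's detection code or any part of Event Threat Detection: a simplified re-implementation of each rule run over constructed log lines. It assumes the real protoPayload field layout (authenticationInfo.principalEmail, serviceName, methodName, requestMetadata.callerIp, and BigQueryAuditMetadata's jobChange.job.jobConfig.extractConfig.destinationUris), uses a hard-coded Tor exit list and bucket inventory as stand-ins for the threat intelligence and resource data the real rules draw on, and treats "externally visible bucket" as "bucket not in the organization's inventory". Every principal, IP address and bucket name is made up.

```python
import json
from urllib.parse import urlparse

# Real logNames end with this URL-encoded suffix for Admin Activity (modification) logs.
ACTIVITY_LOG_SUFFIX = "cloudaudit.googleapis.com%2Factivity"
BQ_INSERT_JOB = "google.cloud.bigquery.v2.JobService.InsertJob"
# Constructed stand-ins for data the real rules get elsewhere: a Tor exit list
# and an inventory of Cloud Storage buckets the organization owns.
TOR_EXIT_IPS = {"198.51.100.7"}
ORG_BUCKETS = {"corp-exports"}

def _entry(ts, log_type, principal, service, method, ip, metadata=None):
    """Build one constructed JSON log line in the Cloud Audit Log protoPayload layout."""
    payload = {"serviceName": service, "methodName": method,
               "authenticationInfo": {"principalEmail": principal},
               "requestMetadata": {"callerIp": ip}}
    if metadata:
        payload["metadata"] = metadata
    return json.dumps({"logName": f"projects/demo/logs/cloudaudit.googleapis.com%2F{log_type}",
                       "timestamp": ts, "protoPayload": payload})

def _extract_job(dest_uri):
    """BigQueryAuditMetadata layout for an extract (export) job, simplified."""
    return {"jobChange": {"job": {"jobConfig": {"extractConfig": {"destinationUris": [dest_uri]}}}}}

# Every principal, IP and bucket below is made up for this example.
SAMPLE_LOG_LINES = [
    _entry("2021-12-01T09:00:00Z", "activity", "alice@example.com", "compute.googleapis.com",
           "v1.compute.instances.insert", "203.0.113.10"),
    _entry("2021-12-01T09:05:00Z", "data_access", "bob@example.com", "storage.googleapis.com",
           "storage.objects.get", "203.0.113.11"),
    _entry("2021-12-08T10:00:00Z", "activity", "alice@example.com", "compute.googleapis.com",
           "v1.compute.instances.insert", "203.0.113.10"),
    _entry("2021-12-08T10:02:00Z", "activity", "alice@example.com", "iam.googleapis.com",
           "google.iam.admin.v1.CreateServiceAccountKey", "198.51.100.7"),
    _entry("2021-12-08T10:03:00Z", "data_access", "bob@example.com", "storage.googleapis.com",
           "storage.objects.get", "198.51.100.7"),
    _entry("2021-12-08T10:10:00Z", "data_access", "alice@example.com", "bigquery.googleapis.com",
           BQ_INSERT_JOB, "203.0.113.10", _extract_job("gs://attacker-drop/customers-*.csv")),
    _entry("2021-12-08T10:12:00Z", "data_access", "alice@example.com", "bigquery.googleapis.com",
           BQ_INSERT_JOB, "203.0.113.10", _extract_job("gs://corp-exports/customers-*.csv")),
]
BASELINE_CUTOFF = "2021-12-05T00:00:00Z"  # entries before this count as "seen before"

def parse_entries(lines):
    """Pull out the fields the rules need and order entries by timestamp."""
    out = []
    for line in lines:
        raw = json.loads(line)
        pp = raw["protoPayload"]
        out.append({"ts": raw["timestamp"],
                    "is_modification": raw["logName"].endswith(ACTIVITY_LOG_SUFFIX),
                    "principal": pp["authenticationInfo"]["principalEmail"],
                    "service": pp["serviceName"], "method": pp["methodName"],
                    "caller_ip": pp["requestMetadata"]["callerIp"],
                    "metadata": pp.get("metadata", {})})
    return sorted(out, key=lambda e: e["ts"])

def learn_baseline(entries):
    """History of (principal, service, method) triples for Persistence: New API Method."""
    return {(e["principal"], e["service"], e["method"]) for e in entries}

def new_api_method_alerts(entries, baseline):
    """Flag the first call a principal makes to a (service, method) pair it has never used."""
    seen, alerts = set(baseline), []
    for e in entries:
        key = (e["principal"], e["service"], e["method"])
        if key not in seen:
            seen.add(key)  # alert once per new pair, not on every later call
            alerts.append((e["ts"], e["principal"], e["method"]))
    return alerts

def anonymizing_proxy_alerts(entries, anonymizer_ips):
    """Flag modifications (Admin Activity log only) made from a known Tor exit or proxy IP."""
    return [(e["ts"], e["principal"], e["caller_ip"], e["method"])
            for e in entries if e["is_modification"] and e["caller_ip"] in anonymizer_ips]

def bigquery_extraction_alerts(entries, org_buckets):
    """Flag BigQuery extract jobs whose destination bucket the organization does not own."""
    alerts = []
    for e in entries:
        if e["method"] != BQ_INSERT_JOB:
            continue
        cfg = e["metadata"].get("jobChange", {}).get("job", {}).get("jobConfig", {})
        for uri in cfg.get("extractConfig", {}).get("destinationUris", []):
            bucket = urlparse(uri).netloc  # gs://bucket/path -> bucket
            if bucket not in org_buckets:
                alerts.append((e["ts"], e["principal"], bucket))
    return alerts

def run_rules(lines=SAMPLE_LOG_LINES, cutoff=BASELINE_CUTOFF):
    """Learn the baseline from history, then run all three rules on the recent entries."""
    entries = parse_entries(lines)
    history = [e for e in entries if e["ts"] < cutoff]
    recent = [e for e in entries if e["ts"] >= cutoff]
    return {"new_api_method": new_api_method_alerts(recent, learn_baseline(history)),
            "anonymizing_proxy": anonymizing_proxy_alerts(recent, TOR_EXIT_IPS),
            "bigquery_extraction": bigquery_extraction_alerts(recent, ORG_BUCKETS)}
```

Calling run_rules() on the sample data yields one New API Method alert for the service account key creation and one for the first BigQuery extract job (the second extract job reuses a method already seen, so it does not alert again), one Anonymizing Proxy alert for the key creation from the Tor exit (bob's read from the same IP lands in the Data Access log and is not a modification, so the evasion rule ignores it), and one BigQuery Data Extraction alert for the export to the attacker-drop bucket. The baseline cutoff stands in for the history the real rule needs before "not seen before" means anything; in production you would persist the seen set rather than rebuild it from a log window.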

Workflows

Resource limits for variable memory and argument size have been increased to 256 KB.

December 06, 2021

BigQuery ML

Anomaly detection in BigQuery ML is now generally available (GA). You can use the ML.DETECT_ANOMALIES function with the ARIMA_PLUS model to detect anomalies in time-series data. You can also use this function with the K-means, Autoencoder, or PCA models to detect anomalies in independent and identically distributed (IID) data.

Deep Learning Containers

M87 Release

  • TensorFlow 2.x container image names are available in two formats: the current standard, which includes a tf- prefix, and the previous standard, which includes a tf2- prefix. For example, both gcr.io/deeplearning-platform-release/tf-gpu.2-7 and gcr.io/deeplearning-platform-release/tf2-gpu.2-7 are available although they are the same container images. Starting within approximately six months, releases of TensorFlow 2 container images will only be named with the current standard.

Deep Learning VM Images

M87 Release

  • The M87 release is the last release in which TensorFlow 2.x image names are available in two formats: the current standard, tf-xxx-2-y-zzz and the previous standard, tf2-xxx-2-y-zzz. For example, both tf-ent-2-7-cpu and tf2-ent-2-7-cpu are available although they are the same images. The next release will only contain TensorFlow 2 images named with the current standard, as originally announced in the M71 release notes from June 2021.

Google Kubernetes Engine

(2021-R34) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • The following control plane versions are no longer available:
    • 1.19.13-gke.1900, 1.19.14-gke.301, 1.19.14-gke.1900, 1.19.14-gke.2300, 1.19.15-gke.500
    • 1.21.3-gke.2003, 1.21.4-gke.2300, 1.21.4-gke.2302, 1.21.5-gke.1300
  • The following control planes and nodes with auto-upgrade enabled will be upgraded with this release:

Stable channel

Regular channel

  • The following control plane and node versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.20.10-gke.2100, 1.21.3-gke.2003
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.11-gke.1801 with this release.

Rapid channel

  • Version 1.22.3-gke.700 is now the default version in the Rapid channel.
  • The following control plane and node versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.21.5-gke.1302, 1.22.2-gke.1901

PodSecurityPolicy (beta) was deprecated in Kubernetes 1.21 and is scheduled for removal in 1.25. For alternatives, refer to PodSecurityPolicy deprecation.

The following GKE versions fix Calico issue #4710 and Calico issue #4518, related to Pod graceful termination, in GKE clusters with Calico Network Policy enabled:

  • 1.19.16-gke.100 and later
  • 1.20.11-gke.1300 and later
  • 1.21.4-gke.1500 and later

For more information about the resolved issue, see the known issues page.

Network Intelligence Center

It is now possible to export Firewall Insights data in CSV format. For details, see Exporting insights.

Storage Transfer Service

Storage Transfer Service now offers Preview support for detailed logging for objects copied between AWS S3, Azure Blob, ADLS Gen 2, and Cloud Storage. With detailed logs of individual objects available in Cloud Logging, you can verify what was transferred and perform additional data integrity checks. This launch simplifies monitoring, reporting, and troubleshooting. Read Configure transfer logs for details.

VPC Service Controls

Beta stage support for the following integration:

Workflows

A Workflows Service Level Agreement (SLA) is now available and applicable.

December 03, 2021

BigQuery ML

The principal component analysis (PCA) model and the autoencoder model are now generally available (GA). You can use these models for common machine learning tasks such as dimensionality reduction, feature embedding, and unsupervised anomaly detection.

For more information, see the PCA and autoencoder sections in the end-to-end user journey page.

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Data Loss Prevention
    • dlp.googleapis.com/DlpJob
    • dlp.googleapis.com/DeidentifyTemplate
    • dlp.googleapis.com/InspectTemplate
    • dlp.googleapis.com/JobTrigger
    • dlp.googleapis.com/StoredInfoType

Cloud Bigtable

A new tutorial is available that uses open-source benchmarking tools to evaluate Cloud Bigtable performance. For more information, see Benchmarking Bigtable with PerfKit Benchmarker – Batch Testing on GitHub.

Compute Engine

Generally available: Use OS configuration management to deploy and automate software configurations on your virtual machine (VM) instances using the Google Cloud console, the gcloud command-line tool, and the OS Config API.

With the OS configuration management GA, you can now edit assignments from the Cloud console and view OS policy assignment reports. For more information, see OS configuration management.

Generally available: NVIDIA® A100 GPUs are now available in the following additional regions and zones:

  • Moncks Corner, South Carolina: us-east1-b
  • The Dalles, Oregon: us-west1-b
  • Council Bluffs, Iowa: us-central1-f
  • Jurong West, Singapore: asia-southeast1-b

For more information about using GPUs on Compute Engine, see GPUs on Compute Engine.

Google Kubernetes Engine

The 2021-R32 release notes from October 29, 2021 were updated on December 03, 2021 with revisions to the upgrade versions for control plane and nodes in Rapid, Regular, Stable, and No Channel.

See the revision note for further details.

Identity and Access Management

The IAM documentation now explains how to choose the most appropriate predefined roles.

Storage Transfer Service

Support for transferring data from Azure ADLS Gen 2 to Cloud Storage with Storage Transfer Service is now generally available (GA).

December 02, 2021

Anthos clusters on AWS

Anthos on AWS is now generally available through the Multi-Cloud API.

With the latest release, we've simplified installation and streamlined our cluster management technology. You can now use a single API for full lifecycle management of Anthos clusters running in AWS or Azure. This release introduces gcloud command groups for deploying Anthos clusters in AWS, Azure, and Google Cloud. Clusters you create in other clouds appear in the Google Cloud Console, creating a centralized management view complete with cluster telemetry and logging.

The Multi-Cloud API authenticates with each cloud using a service account or application registration, and allows clusters to be deployed on existing or newly created VPCs. It supports multiple instance types in each cloud across multiple regions. As a reminder, Anthos clusters on Azure or AWS integrate with each respective cloud's KMS, storage facilities, and load balancing.

Anthos on AWS is available today, with either subscription or pay-as-you-go pricing.

You can now create, update, and delete clusters on AWS with the gcloud tool. Read more about our Multi-Cloud API.

Container monitoring and system logging are now automatic with Cloud Logging and Cloud Monitoring.

You can now authenticate for cluster management functions with Google Cloud identities.

Clusters now use Dataplane V2 by default.

Clusters now use Workload Identity by default.

Anthos clusters on AWS (previous generation)

If your cluster uses both a proxy and OIDC authentication, do not upgrade to version 1.21.4 or 1.21.5. If you encounter an issue during an upgrade, contact support for assistance.

Anthos clusters on Azure

Anthos on Azure is now generally available through the Multi-Cloud API.

With the latest release, we've simplified installation and streamlined our cluster management technology. You can now use a single API for full lifecycle management of Anthos clusters running in AWS or Azure. This release introduces gcloud command groups for deploying Anthos clusters in AWS, Azure, and Google Cloud. Clusters you create in other clouds appear in the Google Cloud Console, creating a centralized management view complete with cluster telemetry and logging.

The Multi-Cloud API authenticates with each cloud using a service account or application registration, and allows clusters to be deployed on existing or newly created VNets. It supports multiple machine types in each cloud across multiple regions. As a reminder, Anthos clusters on Azure or AWS integrate with each respective cloud's KMS, storage facilities, and load balancing.

Anthos on Azure is available today, with either subscription or pay-as-you-go pricing.

You can now create, update, and delete clusters on Azure with the gcloud tool. Read more about our Multi-Cloud API.

Container monitoring and system logging are now automatic with Cloud Logging and Cloud Monitoring.

You can now use an Azure Key Vault hardware security module (HSM) to bring your own key.

Cloud Functions and Cloud Run

Internal ingress from Workflows to Cloud Run is now at general availability (GA).

Cloud TPU

The Cloud TPU team has released TF-2.4.4, TF-2.5.2, and TF-2.6.2 on Cloud TPUs. The TensorFlow release notes for these releases are shown below.

Google Kubernetes Engine

The following GKE versions contain an issue that might affect workloads that use GKE Sandbox:

  • 1.19.14-gke.301, 1.19.14-gke.1900, 1.19.14-gke.2300, 1.19.15-gke.500, 1.19.15-gke.1300, 1.19.15-gke.1801
  • 1.20.10-gke.301, 1.20.10-gke.1600, 1.20.10-gke.2100, 1.20.11-gke.1300, 1.20.11-gke.1801
  • 1.21.4-gke.2300, 1.21.4-gke.2302, 1.21.5-gke.1300, 1.21.5-gke.1302, 1.21.5-gke.1802
  • 1.22.2-gke.1901

What do I need to know?

Applications that use the xmm15 register and receive a signal or hit a page fault while the register is in use might have the register corrupted, leading to unpredictable application behavior. The security of the sandbox is not compromised.

What do I need to do?

Upgrade to one of the following GKE versions that fix the issue:

  • 1.19.16-gke.1500 or later
  • 1.20.12-gke.1500 or later
  • 1.21.6-gke.1500 or later
  • 1.22.3-gke.700 or later

Storage Transfer Service

The Storage Transfer Service API for managing on-premises transfers is now generally available (GA). Customers can use the RESTful APIs to automate their on-premises to Cloud Storage transfer workflows.

For more information, see Managing Transfer for on-premises jobs.

Storage Transfer Service now offers preview support for Manifest. You can use Manifest to transfer a specific list of objects, object versions, and files from cloud and on-premises sources. Programmatic users can feed the list of files and objects produced by an upstream operation to Storage Transfer Service as the input it acts upon.

Vertex AI

You can now use a pre-built container to perform custom training with TensorFlow 2.7.

December 01, 2021

App Engine standard environment Java

Updated Java SDK to version 1.9.93.

BigQuery Data Transfer Service

BigQuery Data Transfer Service now supports Audit Logging, Cloud Logging, and Cloud Monitoring. These features are in preview status.

Cloud Composer

(Available without upgrading) Web server network access control settings can now be configured in Cloud Composer 2 environments.

(Cloud Composer 2) The /dags directory from the environment's bucket is no longer synced to the web server. With this change, the web server startup times are improved.

(Cloud Composer 2) The performance of syncing files to schedulers and workers was improved.

(Cloud Composer 2) Clusters that remain after failed environment creation operations are now deleted.

(Airflow 1.10.15) The apache-airflow-backport-providers-google package is updated:

  • A wait mechanism for DataprocJobSensor was implemented to handle transient issues when a Job status is not available after creation.
  • Support for impersonation_chain in the GKEStartPodOperator.
  • New Operators for Dataproc Metastore and Dataproc Serverless.
  • Fixed a bug in Dataflow hook when no jobs are returned.
  • Google Secret Manager clients are no longer cached.
  • Use correct project and location in the on_kill method for Dataflow operators.

New versions of Cloud Composer images:

  • composer-1.17.6-airflow-1.10.15 (default)
  • composer-1.17.6-airflow-2.0.2
  • composer-1.17.6-airflow-2.1.4
  • composer-2.0.0-preview.6-airflow-2.0.2
  • composer-2.0.0-preview.6-airflow-2.1.4

Airflow versions 2.1.2, 1.10.14, and 1.10.12 are no longer included in Cloud Composer images.

Cloud Composer 1.13.1 has reached its end of full support period.

Cloud Interconnect

Partner Interconnect users receive notifications about scheduled infrastructure maintenance events. For more information, see the Cloud Interconnect FAQ.

Config Connector

Config Connector 1.68.0 is now available.

Added support for MonitoringService resource.

Added support for MonitoringServiceLevelObjective resource.

Added support for NetworkConnectivityHub resource.

Added support for OSConfigOSPolicyAssignment resource.

Added support for RecaptchaEnterpriseKey resource.

Added support for regional ComputeSSLCertificate resource.

Added support for resourceID field for SecretManagerSecretVersion resource.

Traffic Director

Traffic Director support for Client Status Discovery Service (CSDS) API is now in General Availability. The CSDS API enables you to see which clients are connected to Traffic Director and to inspect the configuration that Traffic Director generates for its clients. For more information, see Understanding Traffic Director client status.

Vertex AI

Vertex AI TensorBoard is generally available (GA).

November 30, 2021

Anthos

Anthos component releases for November 2021

Anthos clusters on VMware:

Anthos clusters on bare metal:

Anthos clusters on AWS:

  • N/A

Anthos clusters on Azure:

  • N/A

Anthos Config Management:

  • N/A

Anthos Service Mesh:

Connect:

  • N/A

Cloud Run for Anthos:

Migrate for Anthos and GKE:

  • N/A

Cloud Logging:

Cloud Monitoring:

Anthos clusters on VMware

Anthos clusters on VMware 1.7.6-gke.6 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.6-gke.6 runs on Kubernetes v1.19.15-gke.1900.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

  • Fixed issue where special characters in the vSphere username are not properly escaped.
  • Alleviated the high CPU and memory usage by /etc/cron.daily/aide discussed in this issue.
  • Fixed issue where user cluster node is not syncing time.
  • Fixed CVE-2021-41103. Because of Ubuntu PPA version pinning, this vulnerability might still be reported by certain vulnerability scanning tools, and appear as a false positive even though the underlying vulnerability has been patched.

Datastream

Datastream is now generally available (GA) in all Google Cloud regions.

As part of this launch, the Stream details page now has an OBJECTS tab with detailed information about each object included in the stream (backfill status, object-level errors, and so on).

Click here to access the documentation.

Google Cloud VMware Engine

The process of allocating an external IP address for an internal workload VM now includes the private cloud field. This field is visible when viewing IP address details and logically associates the external IP address to the private cloud that contains the workload VM.

Added ability to create private clouds that contain a single node for testing and proofs of concept with VMware Engine.

Note that VMware Engine deletes private clouds that contain only 1 node after 60 days, and a private cloud must contain at least 3 nodes to be eligible for coverage based on the SLA.

SAP on Google Cloud

Google Cloud Connector for SAP Landscape Management version 2.2.16

Version 2.2.16 of the Google Cloud Connector for SAP Landscape Management is now available. Version 2.2.16 adds support for managing SAP systems that are running on the Windows Server, Datacenter edition, operating system.

For more information about the software requirements for the systems that are managed by SAP Landscape Management with the Google Cloud Connector for LaMa, see Managed SAP landscape requirements.

November 29, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.8.5-gke.3 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.5-gke.3 runs on Kubernetes v1.20.9-gke.701.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

  • Fixed issue where special characters in the vSphere username are not properly escaped.
  • Alleviated the high CPU and memory usage by /etc/cron.daily/aide discussed in this issue.
  • Fixed issue where user cluster node is not syncing time.
  • Fixed CVE-2021-41103. Because of Ubuntu PPA version pinning, this vulnerability might still be reported by certain vulnerability scanning tools, and appear as a false positive even though the underlying vulnerability has been patched.

Anthos on bare metal

Release 1.8.6

Anthos clusters on bare metal 1.8.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.6 runs on Kubernetes 1.20.

Fixes:

The following container image security vulnerabilities have been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

App Engine standard environment Go

The Go 1.16 runtime for App Engine standard environment is now generally available.

App Engine standard environment Node.js

The Node.js 16 runtime for App Engine standard environment is now generally available.

Dataproc Metastore

Fixed the issue that caused Dataproc Metastore service creation in a VPC-SC perimeter to fail; the failure was due to a known issue that requires Google-managed service accounts to have access to the Dataproc Metastore and Cloud Storage APIs.