Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud Console or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

October 25, 2021

BigQuery

BigQuery Omni, a multi-cloud analytics solution, is now generally available.

Cloud Router

Bidirectional Forwarding Detection (BFD) for Cloud Router is available in Preview.

SAP on Google Cloud

New SAP certifications: SAP has certified the following operating systems for SAP HANA on Google Cloud:

  • Red Hat Enterprise Linux 8.2
  • Red Hat Enterprise Linux 8.4
  • SUSE Linux Enterprise Server 15 SP3

See Certified operating systems for SAP HANA.

Vertex AI

Vertex ML Metadata is generally available (GA).

October 22, 2021

Dataproc

The dataproc:dataproc.cluster-ttl.consider-yarn-activity cluster property is now set to true by default for image versions 1.4.64+, 1.5.39+, and 2.0.13+. With this change, with clusters created with these image versions, Dataproc Cluster Scheduled Deletion by default will consider YARN activity, in addition to Dataproc Jobs API activity, when determining cluster idle time . This change does not affect clusters with images with lower version numbers: cluster idle time for those clusters will continue to be computed based on Dataproc Jobs API activity only. When using image versions 1.4.64+, 1.5.39+, and 2.0.13+, you can opt out of this changed behavior by setting this property to false when you create the cluster.

October 21, 2021

Anthos clusters on VMware

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

Anthos on bare metal

Release 1.8.5

Anthos clusters on bare metal 1.8.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.5 runs on Kubernetes 1.20.

Fixes:

The following container image security vulnerabilities have been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Security bulletin (all minor versions)

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allows retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

Cloud Bigtable

Cloud Bigtable app profile cluster groups let you route an app profile's traffic to a subset of an instance's clusters. This feature is generally available (GA).

Compute Engine

Preview: You can now configure up to 48 vCPUs and 312 GB memory on virtual machine (VM) instances that have a single T4 GPU attached.

For more information, see Network bandwidths and GPUs.

Google Kubernetes Engine

For GKE Autopilot clusters, CMEK for boot disks and CMEK for application-layer encryption is now generally available.

For GKE Autopilot clusters, Google Groups for RBAC is now generally available.

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allows retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

Traffic Director

Traffic Director with internet NEGs of the type INTERNET_FQDN_PORT is now in General Availability. For full details, see Traffic Director with internet network endpoint groups.

Virtual Private Cloud

This issue is now fixed: Connectivity from on-premises hosts to a Private Service Connect endpoint that is used to access published services might not establish for some existing Cloud VPN connections. As a workaround, recreate the VPN gateway and the VPN tunnels.

October 20, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.9.1-gke.6 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.1-gke.6 runs on Kubernetes v1.21.5-gke.400.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

  • In version 1.9.0, there was a known issue with restoring an admin cluster using a backup when using a private registry. That has been fixed in version 1.9.1.
  • Fixed gkectl check-config failure that occurs when Anthos clusters are configured with a proxy whose url contains special characters.
  • Fixed "cert-manager" cainjector leader-election failure.
Cloud Logging

You can now collect MySQL logs from the Ops Agent, starting with version 2.5.0. For more information, see Collecting logs from third-party applications: MySQL.

You can now collect Redis logs from the Ops Agent, starting with version 2.5.0. For more information, see Collecting logs from third-party applications: Redis.

You can now collect Cassandra logs from the Ops Agent, starting with version 2.5.0. For more information, see Collecting logs from third-party applications: Cassandra.

Cloud Shell

Cloud Shell Editor is now built with Theia 1.18.0

Review the Theia release notes for a complete list of features/updates/bug fixes.

Cloud Code Extension updated to v1.14.1

Update includes a Kubernetes Development Sessions explorer which provides more insight into task execution and streamlines examining session logs. See the Cloud Code release notes for a full listing of features/updates/bug fixes.

Dialogflow

Dialogflow ES V2 API now supports regionalization.

Kf

Anthos clusters on VMware (GKE on-prem) support promoted to GA.

Anthos clusters on bare metal support promoted to GA.

New wrap-v2-buildpack experimental command available.

Known issue: some buildpacks (ex: https://github.com/cloudfoundry/java-buildpack) produce directories that do not work with the pack CLI.

Added support for kubectl explain to inspect Kf CRDs.

Fixed condition where CLI may not always show build logs.

Fixed issue where kf doctor expects the ASM ingress gateway deployment to be in the kf namespace.

Addressed scenario where the Kf operator could overwrite ASM Gateway customization.

Config Connector dependency updated to v1.60.

Tekton dependency updated to v0.26.0.

Traffic Director

Traffic Director security service with GKE is now in General Availability for gRPC proxyless services. The changes in this release include:

  • Support for the Certificate Authority Service GA API, using CA pools instead of individual CAs.
  • Promoting the network-services and network-security CLI/APIs to general availability.
  • Security is enabled by default in gRPC libraries and the gRPC PSM bootstrap generator.
  • Cloud Logging enhancements to aid in debugging run-time errors and conflicts.
  • Support for proxyless gRPC and Envoy interoperability with security enabled.
  • Config Connector support for proxyless gRPC security.
  • Use of the new --enable-mesh-certificates GKE flag.
  • Support for the GA version (security.cloud.google.com/v1) of WorkloadCertificateConfig and TrustConfig in GKE.
  • Wallet example upgraded to use PSM security .
VPC Service Controls

General availability for the following integration:

October 19, 2021

Anthos clusters on Azure

The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

Anthos on bare metal

Release 1.7.5

Anthos clusters on bare metal 1.7.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.5 runs on Kubernetes 1.19.

Fixes:

The following container image security vulnerabilities have been fixed:

Known issues:

When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Cloud Domains

Cloud Domains is available in GA. Cloud Domains enables you to search, register, and manage domain names with Google Cloud. Cloud Domains also lets you transfer a domain to or from a third-party provider.

As announced in the MSA sent on September 16, 2021, Cloud Domains has a new billing model.

Dialogflow

Dialogflow CX change history is now available from the API.

Dialogflow CX now provides a continuous testing and deployment preview feature.

Identity and Access Management

The IAM page of the Cloud Console now lists lateral movement insights in addition to policy insights. Lateral movement insights are in Preview.

October 18, 2021

Cloud Composer

Cloud Composer 2 supports Airflow web server plugins.

Cloud Composer is now available in Oregon (us-west1).

Added the google-cloud-aiplatform package to Cloud Composer images with Airflow versions 2.1.2, 2.0.2, and 1.10.15.

(New environments only) Cloud Composer 2 environments create Autopilot clusters using the Regular release channel. Before this change, the Rapid channel was used.

Fixed an issue with the Airflow web server availability in Cloud Composer 2.

(New environments only) Shielded Nodes and Secure Boot features are enabled for Cloud Composer 1 environment clusters.

(New environments only) Cloud Composer 1 environment creation no longer fails when the constraints/compute.requireShieldedVm policy is turned on.

(Available without upgrading) Fixed a problem with Airflow 2 configuration changes not propagating to Airflow workers.

Fixed a bug that caused the __pycache__ folder to sometimes appear in an environment's bucket.

New versions of Cloud Composer images:

  • composer-1.17.3-airflow-2.1.2
  • composer-1.17.3-airflow-2.0.2
  • composer-1.17.3-airflow-1.10.15 (default)
  • composer-1.17.3-airflow-1.10.14
  • composer-1.17.3-airflow-1.10.12
  • composer-2.0.0-preview.4-airflow-2.1.2
  • composer-2.0.0-preview.4-airflow-2.0.2

Cloud Composer versions 1.12.2 and 1.12.3 have reached their end of full support period.

Cloud Data Loss Prevention

The IMSI_ID infoType detector is available in all regions.

Network Connectivity Center

Network Connectivity Center is now generally available. For more information, see the Network Connectivity Center overview.

It is now possible to add or remove router appliance instances from an existing spoke, as long as you don't try to add instances that belong to a different VPC network. For details, see Working with hubs and spokes.

VPC Service Controls

General availability for the following integration:

October 15, 2021

Chronicle

Detection Engine API

The ListDetections method has been updated to allow customers to list detections efficiently across rule versions and rules by either detection timestamp or commit timestamp. Parameters originally used to list detections by detection timestamp will eventually be deprecated.

Dialogflow

Dialogflow CX has a new feature for side-by-side flow version comparison.

Document AI

Contract DocAI (Preview) released

The Contract parser is now available.

Google Kubernetes Engine

(2021-R31) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.20.10-gke.1600 is now the default version.
  • The following control plane and node versions are now available:

  • Control plane version 1.19.13-gke.701 is no longer available.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.

Stable channel

  • Version 1.19.13-gke.1900 is now the default version in the Stable channel.
  • The following versions are now available in the Stable channel:

  • Version 1.19.13-gke.1200 is no longer available in the Stable channel.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.

Regular channel

Rapid channel

  • Version 1.21.4-gke.2300 is now the default version in the Rapid channel.
  • The following versions are now available in the Rapid channel:

  • The following versions are no longer available in the Rapid channel:

    • 1.21.4-gke.1801
    • 1.22.1-gke.1602
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.2300 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.2-gke.1300 with this release.

(2021-R31) Version updates

  • Version 1.20.10-gke.1600 is now the default version.
  • The following control plane and node versions are now available:

  • Control plane version 1.19.13-gke.701 is no longer available.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.

(2021-R31) Version updates

  • Version 1.19.13-gke.1900 is now the default version in the Stable channel.
  • The following versions are now available in the Stable channel:

  • Version 1.19.13-gke.1200 is no longer available in the Stable channel.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.

(2021-R31) Version updates

(2021-R31) Version updates

  • Version 1.21.4-gke.2300 is now the default version in the Rapid channel.
  • The following versions are now available in the Rapid channel:

  • The following versions are no longer available in the Rapid channel:

    • 1.21.4-gke.1801
    • 1.22.1-gke.1602
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.2300 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.2-gke.1300 with this release.

GKE Windows clusters using the persistent disk CSI driver ​might experience volume mount issues with existing PersistentVolumeClaim or PersistentVolume resources if upgraded to one the following versions. Please do not upgrade your Windows node pools to the following versions in the Rapid channel:

  • 1.22.1-gke.1602 or later

The fix will be available in a future GKE 1.22 release.

Migrate for Compute Engine

v.4.11.7 Security updates available. See Migrate for Compute Engine Downloads for downloads and upgrade instructions.

October 14, 2021

Dialogflow

GA (general availability) launch of the following languages in Dialogflow CX:

  • Arabic
  • Bengali
  • Filipino
  • Finnish
  • Malay
  • Marathi
  • Romanian
  • Sinhala
  • Tamil
  • Telugu
  • Vietnamese

GA (general availability) launch of the following languages in Dialogflow ES:

  • Bengali
  • Filipino
  • Finnish
  • Malay
  • Marathi
  • Romanian
  • Sinhala
  • Tamil
  • Telugu
  • Vietnamese
Google Kubernetes Engine

StatefulSet Pods in Calico Network Policy enabled GKE clusters might experience connectivity issues in a Terminating state in the following GKE versions:

  • 1.18
  • 1.19
  • 1.20 to 1.20.11-gke.1299
  • 1.21 to 1.21.4-gke.1499

To mitigate this issue, upgrade your GKE control plane to GKE version 1.21.4-gke.1500 or later.
For more information, see the known issue and Calico issue #4710.

October 13, 2021

Cloud Asset Inventory

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • App Engine Memcache
    • memcache.googleapis.com/Instance
  • Filestore
    • file.googleapis.com/Instance
    • file.googleapis.com/Backup
Cloud Spanner

You can now assign request tags and transaction tags in your application code to easily troubleshoot query performance, transaction latency, and lock contentions by correlating introspection statistics to application code.

Cloud Storage

Cloud EKM keys can now be used to encrypt Cloud Storage data.

Compute Engine

Preview: Spot VMs are now available! Spot VMs are the latest version of preemptible VM instances. Use Spot VMs for fault-tolerant workloads to get a 60-91% discount over the price of standard VMs. Spot prices can change up to once a month to reflect the underlying supply and demand. Like preemptible VMs, Spot VMs are available for all machine types, regions, and zones.

Preemptible VMs continue to be supported for new and existing VMs, and preemptible VMs now use the same pricing model as Spot VMs. However, Spot VMs provide new features that are not supported for preemptible VMs. For example, preemptible VMs can only run for up to 24 hours at a time, but Spot VMs do not have a maximum runtime.

Learn more about Spot VMs and preemptible VMs.

Google Cloud VMware Engine

All new VMware Engine private clouds now deploy with VMware vSphere version 7.0 Update 2 and NSX-T version 3.1.2. Existing private clouds will be upgraded to vSphere version 7.0 Update 2 and NSX-T version 3.1.2 over a period of time in October 2021.

See Service announcements for more details on the contents of this upgrade.

Generally available: vSAN data encryption for data at rest now uses keys generated by Cloud Key Management Service for all new private clouds.

For details about this feature, see About vSAN encryption.

Google Kubernetes Engine

The following GKE versions fix containerd issue #5438. This issue caused pod IP address leaks which exhaust the IP addresses of containerd based nodes.

  • 1.19.14-gke.1500 or later
  • 1.20.10-gke.1500 or later
  • 1.21.4-gke.1600 or later

For more information, see the Containerd node images known issues.

Identity and Access Management

You can now use workload identity federation with any SAML 2.0-compatible identity provider. This feature is in Preview.

Security Command Center

Event Threat Detection, a built-in service of Security Command Center Premium, launched an integration with Chronicle that lets you perform advanced analysis of threat findings.

The integration lets you seamlessly send findings to Chronicle, a Google Cloud service that you can use to investigate threats and pivot through related actions and events in a unified timeline. Chronicle enriches Event Threat Detection findings, helping you identify indicators of interest and simplify investigations.

To learn more about Chronicle, see Chronicle overview. For instructions on sending Event Threat Detection findings to Chronicle, see Investigate findings in Chronicle.

October 12, 2021

BigQuery

The BigQuery Storage Write API is now generally available (GA). The Storage Write API combines the functionality of high-throughput streaming ingestion and batch loading into a single API.

Carbon Footprint

Google Cloud Carbon Footprint is in Public Preview

Cloud Data Loss Prevention

The data profiler for BigQuery is available in Preview. For more information, see Data profiles for BigQuery data.

Cloud Spanner

The PostgreSQL interface is available in Preview, making the capabilities of Spanner accessible from the PostgreSQL ecosystem. The release supports a subset of the PostgreSQL SQL dialect, including core data types, functions, and operators. Applications can connect using updated Spanner drivers for JDBC, Java, Go, and Python. Starting initially with psql, community tools can connect using PGAdapter, a sidecar proxy that implements the PostgreSQL wire protocol. Sign up for the preview today.

Cloud Storage

Objects uploaded using XML API multipart uploads cannot be rewritten or copied within Cloud Storage.

Compute Engine

Preview: Third generation Intel Xeon Scalable Processor (Ice Lake) N2 VMs are now available in select regions and zones. These new N2 VMs are offered at the same price as existing N2 VMs on second generation Intel Xeon Scalable Processors.

Deep Learning Containers

M81 release

  • Upgraded R to 4.1.
  • Fixed bug that prevented R kernels from working properly.
Deep Learning VM Images

M81 release

  • Upgraded R to 4.1.
  • Improved Cloud Storage sync logic so that only newer files sync.
  • Fixed bug that prevented R kernels from working properly.
Google Kubernetes Engine

Spot VMs on GKE is now available in Preview.

With GKE version 1.19 and later, the CPU and memory usage of gke-metrics-agent have been optimized. With this change, Out Of Memory (OOM) crashes are reduced significantly.

If you are on GKE version 1.18 and earlier, you will need to upgrade your clusters to version 1.19 or later.

Virtual Private Cloud

Using Private Service Connect to publish services that are hosted on the backends of an internal HTTP(S) load balancer is now Generally Available.

Accessing published services using a Private Service Connect endpoint is now available from on-premises hosts that are connected to a VPC network using Cloud VPN. This feature is available in Preview.

Connectivity from on-premises hosts to a Private Service Connect endpoint that is used to access published services might not establish for some existing Cloud VPN connections. As a workaround, recreate the VPN gateway and the VPN tunnels.

Connectivity from on-premises hosts to a Private Service Connect endpoint that is used to access managed services does not establish if both of the following conditions are met:

  • The service is published with explicit project approval

  • Your project is not already approved before you create the endpoint.

See known issues for a workaround while this feature is in Preview.

October 11, 2021

Cloud Logging

Cloud Logging now supports the asia-south2, asia-southeast2, australia-southeast2, northamerica-northeast2, and us-west4 regions. For a full list or regions, see Regionalization.

Compute Engine

Preview: Tau T2D VMs are now available in select regions and zones. T2D VMs are ideal for a wide variety of workloads in a cloud-native environment. See VM instance pricing for details.

SAP on Google Cloud

Storage Manager for SAP HANA Standby Nodes version 2.2

Version 2.2 of the Google Cloud storage manager for SAP HANA standby nodes is now available. Version 2.2 adds support for SAP HANA 2.0 rev 56 and above, and includes minor bug fixes and performance enhancements. Version 2.2 does not include any other changes to the features or functionality of the storage manager for SAP HANA.

For more information about the storage manager for SAP HANA, see SAP HANA host auto-failover on Google Cloud.

Backint agent for SAP HANA version 1.0.12

Version 1.0.12 of the Google Cloud Backint agent for SAP HANA is now available. Version 1.0.12 provides compatibility for Backint protocol 1.5, as well as other minor fixes and enhancements. Version 1.0.12 does not include any changes to the features or functionality of the Backint agent for SAP HANA.

For more information about the agent, see Cloud Storage Backint agent for SAP HANA overview.

October 08, 2021

Cloud SQL for MySQL

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes.To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Cloud SQL for PostgreSQL

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes.To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Cloud SQL for SQL Server

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes.To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Dataproc

In a future announcement (on approximately October 22, 2021), Dataproc will announce that Cluster Scheduled Deletion by default will consider YARN activity, in addition to Dataproc Jobs API activity, when determining cluster idle time. This change will affect image versions 1.4.64+, 1.5.39+, and 2.0.13+. To test this feature now, create a cluster with a recent image, setting the dataproc:dataproc.cluster-ttl.consider-yarn-activity cluster property to true. Note: After this behavior becomes the default, you can opt out when you create a cluster by setting the property to false.

Video Intelligence API

The SHOT_CHANGE_DETECTION model will undergo an upgrade over the next 90 days to a newer version. The API interface and client library will remain the same as the previous version.

Note that you have 30 days from today to test the new model by specifying "builtin/latest" in the model field of the config object for shot change detection. At the end of 30 days, the new model will be promoted to the default model accessible as "builtin/stable". After that event, the original model, currently accessible by default or using "builtin/stable" will still be available for another 60 days using "builtin/legacy".

Until this 30 day period ends, the model formerly accessible as "builtin/latest" will be available as "builtin/legacy". Thank you for your feedback on that model, now labeled "builtin/legacy" version. The new model launched today as "builtin/latest" has been improved over this model as well as the current default "builtin/stable" model.

If you encounter problems with this upgrade, contact the Video Intelligence API engineering team by submitting a ticket in the private issue tracker.

October 07, 2021

Access Approval

Access Approval supports the following services in GA stage:

  • Cloud SQL
  • Google Kubernetes Engine
  • Speaker ID
Dataproc Metastore

Fixed the issue causing Dataproc Metastore service creations with CMEK enabled to fail if a service without CMEK enabled has never been created before in the project.

Storage Transfer Service

Storage Transfer Service now enforces the Resource Location Restriction, which is part of the Org Policy Service on transfer resources. For existing projects aren't compliant with this policy, active transfer jobs will continue to run as-is, but new transfer jobs created after November 20, 2021 will result in a "violates constraint constraints" error.

October 06, 2021

AI Platform Training

Runtime version 2.6 is available. You can use runtime version 2.6 to train with TensorFlow 2.6, scikit-learn 0.24.2, or XGBoost 1.4.2. Runtime version 2.6 supports training with CPUs, GPUs, or TPUs.

See the full list of updated dependencies in runtime version 2.6.

Anthos Service Mesh

1.11.2-asm.17 is now available.

Anthos Service Mesh 1.11 includes the features of Istio 1.11 subject to the list of Anthos Service Mesh supported features.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a Managed Anthos Service Mesh release channel for more information.

asmcliis generally available for new installations and upgrades of Anthos Service Mesh. You can use asmcli to:

The in-cluster control plane is supported on the on the following platforms using asmcli:

  • GKE clusters in a single project
  • GKE clusters in multiple projects
  • Anthos clusters on VMware
  • Anthos on bare metal
  • Anthos clusters on AWS
  • Amazon EKS

Note: Upgrades from Anthos Service Mesh 1.7 on EKS to Anthos Service Mesh 1.11 aren't supported. You will need to set up a new EKS cluster to install Anthos Service Mesh 1.11.

asmcli requires clusters to be registered with a fleet. asmcli can automatically register a cluster as long as it meets the requirements specified in fleet requirements. asmcli does not support automatic fleet registration for GKE 1.22 clusters, which must be registered manually before installation.

Using install_asm and istioctl install is deprecated and support for these tools for installations and upgrades of Anthos Service Mesh will be removed when Anthos Service Mesh 1.12 is released. Please update your scripts and tools to use asmcli. For more information see Transitioning to asmcli.

The Anthos Service Mesh integration with Certificate Authority Service (CA Service) is generally available. You can use CA Service as the certificate authority for signing mutual TLS certificates. See Configure Anthos Service Mesh to use CA Service for details.

Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Anthos Service Mesh 1.11 proxy is based on Envoy v1.19.1.

Cloud Logging

You can now collect Apache httpd logs from the Ops Agent, starting with version 2.4.0. For more information, see Collecting logs from third-party applications: Apache httpd.

The Ops Agent now supports collecting logs from the systemd-journald service, starting with Ops Agent version 2.4.0. For information on configuring the systemd_journald receiver, see Configuring the Ops Agent: Logging receivers.

Cloud Spanner

You can now specify the statistics package for the query optimizer to use, to ensure predictability in your query plans.

Document AI

Document AI is now generally available (GA) in the following new locations:

  • europe-west2
  • northamerica-northeast1

You must request access to use the new locations. For more information, see Regional and multi-regional support.

October 05, 2021

Cloud Asset Inventory

The following resource types are now publicly available through the resource search API (SearchAllResources), policy search API (SearchAllIamPolicies), and Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning) : + Eventarc + eventarc.googleapis.com/Trigger

Cloud Composer

Python Client for Cloud Composer version 1.0.0 is released. You can use this library to interact with Cloud Composer API from Python.

Cloud Storage

Turbo replication is a premium feature designed to provide inter-region replication for newly written objects within 15 minutes.

This feature is now available in Preview.

Cloud VPN

Classic VPN partial deprecation update

Starting on March 31, 2022, you will no longer be able to create new Classic VPN tunnels that use dynamic routing (BGP) unless you are creating a specifically supported configuration.

On or after March 31, 2022, you can still create the following Classic VPN configurations:

  • Classic VPN tunnels that use dynamic routing and connect to VPN gateway software running inside a Compute Engine VM.
  • Classic VPN tunnels that use static (route-based or policy-based) routing.

This notice replaces any previous notice about the deprecation of static routing configurations in Classic VPN.

Although Google will not proactively disable existing connections on the deprecation date, deprecated Classic VPN configurations will only receive maintenance updates going forward.

For more information, see Classic VPN partial deprecation for a video tutorial and documentation to help you migrate to the more reliable High Availability Cloud VPN solution.

Filestore

You can now get support for preview features for Filestore. For details see the Support page.

Migrate for Anthos and GKE

Fit assessment tool now in GA

The migration fit assessment tool has moved from the Public Preview to General Availability. The migrate fit assessment tool helps users assess their workloads' fit for containerization. The provides users with detailed technical insights and a fit score per workload. The HTML fit assessment report enables users to easily share assessment data offline. The JSON file report allows them to view their assessment directly on the cloud console.

194605214 Use controller storage by default for pod log collection for logging migration tasks. Setup max log file size and file rotation.

187922406 Fixed LVM mount failure caused from broken device mapper devices.

198092293 [MFIT] vSphere level <-> guest level data correlation failure with certain NIC configurations.

197432816 [MFIT] More granular assessment of supported Windows versions.

197206783 [MFIT] Fixed failure to run guest collect script via SSH with a non-root remote user.

196712456, 201610944 [MFIT] Minor html report UI improvements.

Security Command Center

Security Health Analytics, a built-in service of Security Command Center, released new detectors in general availability.

The following detectors, available only in Security Command Center's Premium tier, detect vulnerabilities in your Google Kubernetes Engine clusters and expand the number of detectors that support the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0:

For more information, see Container vulnerability findings. To learn how to remediate vulnerabilities, see Remediating Security Health Analytics findings

Vertex AI

Vertex Feature Store is generally available (GA).

October 04, 2021

Anthos clusters on VMware

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For more information, see the GCP-2021-021 security bulletin.

Anthos on bare metal

Security bulletin (all minor versions)

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server.

For more information, see the GCP-2021-021 security bulletin.

Artifact Registry

You can now specify a release or snapshot version policy for Maven repositories when you create them. You cannot change the version policy of an existing repository. Repositories created before availability of this feature accept both snapshot and release packages.

BigQuery Cloud Bigtable

Cloud Bigtable provides a CPU utilization by app profile, method, and table metric that gives you more granular observability into the cluster's CPU usage. This metric is generally available (GA).

Cloud Monitoring

GKE version 1.20.8-gke.2100 or later offers a Preview of a fully managed metric collection pipeline to scrape Prometheus-style metrics exposed by any GKE workload and send those metrics to Cloud Monitoring for dashboards, alerts, and SLOs. Compared to the Prometheus Stackdriver sidecar, this new pipeline is easy to set up, allows filtering to control cost, supports larger clusters, is fully managed, supports Autopilot and horizontal Pod autoscaling, and offers better pricing. Get started with GKE workload metrics.

Cloud Run for Anthos

Preview: Newly deployed services are now automatically configured to use nip.io as the default domain, providing immediate access to each of your services without configuration. The nip.io default domain is only available through Cloud Run for Anthos fleet installations. Existing services in your fleet that use the previous example.com default domain are automatically upgraded to use the new nip.io domain. Learn more about test domains.

Cloud SQL for MySQL

Cloud SQL now supports the ability for you to specify IP CIDR ranges from your VPC network for your Cloud SQL instances allowing you to manage your IP address space better. For more information, see Allocated IP address ranges. To start using this feature now, see Configuring private IP for a new instance.

Google Kubernetes Engine

GKE version 1.20.8-gke.2100 or later offers a Preview of a fully managed metric collection pipeline to scrape Prometheus-style metrics exposed by any GKE workload and send those metrics to Cloud Monitoring for dashboards, alerts, and SLOs. Compared to the Prometheus Stackdriver sidecar, this new pipeline is easy to set up, allows filtering to control cost, supports larger clusters, is fully managed, supports Autopilot and horizontal Pod autoscaling, and offers better pricing. Get started with GKE workload metrics.

Virtual Private Cloud

The number of Private Service Connect endpoints that are connected to a service attachment is now correctly adjusted when an endpoint is deleted.

If you are using Private Service Connect endpoints to access services in another VPC network, and you create more endpoints than are allowed by the limit set by the service producer, any endpoints created after the limit is reached have a status of Pending, as expected. Now, if you remove endpoints to get below the limit, the status of those endpoints correctly changes to Accepted.

October 03, 2021

Migrate for Compute Engine

Migrate for Computer Engine now supports the configuration of multiple network interfaces to migrated VMs.

October 01, 2021

BigQuery

BigQuery pricing has changed as follows:

  1. BigQuery Storage Read API has moved from a single regional SKU to a set of regional SKUs for bytes scanned. All BigQuery Storage Read API users can now read up to 300 TB of data per month at no charge. For more information, see BigQuery data extraction pricing.

  2. BigQuery now charges BigQuery Storage Read API users for network egress. For more information, see BigQuery Storage Read API Network Egress Within Google Cloud.

BigQuery now supports the following geospatial data functions:

  • ST_BUFFER: Returns a GEOGRAPHY that represents the buffer around the input GEOGRAPHY. You specify the number of segments to determine how much the resulting geography can deviate from the ideal buffer radius.

  • ST_BUFFERWITHTOLERANCE: Returns a GEOGRAPHY that represents the buffer around the input GEOGRAPHY. You specify the tolerance to determine how much the resulting geography can deviate from the ideal buffer radius.

These functions are available as a preview.

Cloud Vision

OCR Model Update

An improved model is now available for Text Detection (OCR). The new model can be used with TEXT_DETECTION and DOCUMENT_TEXT_DETECTION features. The same model is used for requests sent to both features. With the new model, the distribution of confidence scores of responses will change. For more information, see Service announcements.

Please note that you have 90 days from today to test the new model by specifying "builtin/latest" in the model field of the Feature object. At the end of that period, it will be promoted to the default model accessible as "builtin/stable". After that event, the original models will still be available for another 90 days using "builtin/legacy". If you encounter problems with this upgrade, please contact Vision API engineering team by submitting a ticket in the private issue tracker.

Deprecate region forwarding In 90 days, specifying the location "us" or "eu" in the request to the global endpoint vision.googleapis.com will no longer be supported. Instead you should directly call the "us" or "eu" region endpoints (us-vision.googleapis.com or eu-vision.googleapis.com). You can find more information in the Multi-regional support section of the feature pages.

New multi-regional support for features

The Vision API now offers multi-regional support (us and eu) for the LABEL_DETECTION and SAFE_SEARCH features.

Config Connector

Config Connector 1.63.0 is now available.

Added spec.configSync.git.gcpServiceAccountRef to GKEHubFeatureMembership.

Added spec.destroyScheduledDuration to KMSCryptoKey.

ComputeDisk: spec.interface has been deprecated. The value of spec.interface is no longer used by the API, so all validation has been removed and values will not be populated. You should remove this field from your configuration.

ComputeRouterPeer: ipAddress is no longer a read-only field, and can be set with the spec.ipAddress field.

Dataproc

New sub-minor versions of Dataproc images:

1.4.73-debian10, 1.4.73-ubuntu18,

1.5.48-centos8, 1.5.48-debian10, 1.5.48-ubuntu18,

2.0.22-centos8, 2.0.22-debian10, 2.0.22-ubuntu18

Fixed an issue where complete YARN container logs were not visible in 1.5 and 2.0 Images.

HADOOP-15129: Fixed in 2.0 Images: Datanode cached namenode DNS lookup failure and could not startup on.

Google Kubernetes Engine

(2021-R30) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.20.10-gke.301 is now the default version.
  • The following control plane and node versions are now available:
  • The following control plane versions are no longer available:
    • 1.18.20-gke.3001
    • 1.18.20-gke.3300
    • 1.18.20-gke.4100
    • 1.18.20-gke.4501
    • 1.18.20-gke.6000
    • 1.19.12-gke.2101
    • 1.20.8-gke.2101
    • 1.20.9-gke.701
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Stable channel

  • Version 1.19.13-gke.1200 is now the default version.
  • The following control plane and node versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.19.13-gke.701
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.9-gke.1001 with this release.

Regular channel

  • Version 1.20.10-gke.301 is now the default version in the Regular channel.
  • Version 1.21.3-gke.2001 is now available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Rapid channel

  • Version 1.21.4-gke.1801 is now the default version in the Rapid channel.
  • The following control plane and node versions are now available in the Rapid channel:
  • Version 1.21.4-gke.301 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.1801 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.1-gke.1602 with this release.

1.20 clusters with legacy ABAC authorization enabled should not upgrade to 1.21 until 1.21.4-gke.2500+ is available.

1.21 is now generally available

Kubernetes version 1.21 is now generally available. Before upgrading, read the Kubernetes 1.21 Release Notes, especially the action required and deprecation sections.

The following features are introduced in version 1.21:

CronJob (GA)

The CronJob API has graduated to General Availability (GA), bringing performance improvements and allowing scheduled jobs to be run using a stable API.

  • This resource is now available in the batch/v1 group/version.
  • The batch/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

PodDisruptionBudget (GA)

The PodDisruptionBudget has graduated to GA, allowing Pod evictions to be controlled using a stable API.

  • This resource is now available in the policy/v1 group/version.
  • The policy/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

EndpointSlice (GA)

The EndpointSlice API has graduated to GA, bringing performance improvements over the v1 Endpoints API.

  • This more scalable API for service discovery is now enabled on all clusters and is promoted to discovery.k8s.io/v1.
  • The discovery.k8s.io/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

Default namespace label (Beta)

Namespace API objects now have a kubernetes.io/metadata.name label matching their metadata.name field to allow selecting any namespace by its name using a label selector. This can be used for objects which select namespaces by label, such as admission webhooks and network policies.

Bound service account token volumes (Beta)

  • The API credentials injected into containers at /var/run/secrets/kubernetes.io/serviceaccount/token are now time-limited, auto-refreshed, and invalidated when the containing pod is deleted.
  • By default, injected tokens are given an extended lifetime so they remain valid even after a new refreshed token is provided. The metric serviceaccount_stale_tokens_total and the audit annotation authentication.k8s.io/stale-token can be used to monitor for workloads that depend on the extended lifetime and are continuing to use tokens even after a refreshed token is provided to the container.
  • Clients should reload the token from disk periodically (once per minute is recommended) to ensure they use the refreshed token. k8s.io/client-go version 11.0.0+ and 0.15.0+ reload tokens automatically.

In Kubernetes 1.21, newly provisioned PersistentVolumes by gce-pd will use the topology.kubernetes.io/zone GA label instead of the failure-domain.beta.kubernetes.io/zone beta label.

New Beta and Stable APIs

The following Stable APIs are new in 1.21:

  • batch/v1 CronJob
  • policy/v1 PodDisruptionBudget
  • discovery.k8s.io/v1 EndpointSlice

The following Beta APIs are new in 1.21:

  • storage.k8s.io/v1beta1 CSIStorageCapacity

Deprecated APIs

The following APIs are deprecated in the 1.21 release:

  • PodSecurityPolicy
    • policy/v1beta1 PodSecurityPolicy
    • Deprecated in 1.21 with removal targeted for version 1.25.
  • The following Beta versions of newly graduated APIs will be removed in 1.25 in favor of GA versions:
    • discovery.k8s.io/v1beta1 EndpointSlice
    • policy/v1beta1 PodDisruptionBudget
    • batch/v1beta1 CronJob
  • The following Beta versions of previously graduated APIs will be removed in 1.22 in favor of GA versions:
    • admissionregistration.k8s.io/v1beta1, MutatingWebhookConfiguration
    • admissionregistration.k8s.io/v1beta1, ValidatingWebhookConfiguration
    • apiextensions.k8s.io/v1beta1, CustomResourceDefinition
    • apiregistration.k8s.io/v1beta1, APIService
    • authentication.k8s.io/v1beta1, TokenReview
    • authorization.k8s.io/v1beta1, LocalSubjectAccessReview
    • authorization.k8s.io/v1beta1, SelfSubjectAccessReview
    • authorization.k8s.io/v1beta1, SubjectAccessReview
    • certificates.k8s.io/v1beta1, CertificateSigningRequest
    • coordination.k8s.io/v1beta1, Lease
    • extensions/v1beta1, Ingress
    • networking.k8s.io/v1beta1, Ingress
    • networking.k8s.io/v1beta1, IngressClass
    • rbac.authorization.k8s.io/v1beta1, ClusterRole
    • rbac.authorization.k8s.io/v1beta1, ClusterRoleBinding
    • rbac.authorization.k8s.io/v1beta1, Role
    • rbac.authorization.k8s.io/v1beta1, RoleBinding
    • scheduling.k8s.io/v1beta1, PriorityClass
    • storage.k8s.io/v1beta1, CSIDriver
    • storage.k8s.io/v1beta1, CSINode
    • storage.k8s.io/v1beta1, StorageClass
    • storage.k8s.io/v1beta1, VolumeAttachment

1.22 is now available in the Rapid channel

Kubernetes 1.22 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.22 Release Notes, especially the action required and deprecation sections.

Removed API versions in 1.22

The following Beta versions of previously graduated APIs are removed in 1.22 in favor of the GA versions. All existing objects can be interacted with via the stable APIs. Update API clients and manifests to use the GA APIs before upgrading. For more information, see the Kubernetes 1.22 deprecated APIs guide.

  • admissionregistration.k8s.io/v1beta1, MutatingWebhookConfiguration
  • admissionregistration.k8s.io/v1beta1, ValidatingWebhookConfiguration
  • apiextensions.k8s.io/v1beta1, CustomResourceDefinition
  • apiregistration.k8s.io/v1beta1, APIService
  • authentication.k8s.io/v1beta1, TokenReview
  • authorization.k8s.io/v1beta1, LocalSubjectAccessReview
  • authorization.k8s.io/v1beta1, SelfSubjectAccessReview
  • authorization.k8s.io/v1beta1, SubjectAccessReview
  • certificates.k8s.io/v1beta1, CertificateSigningRequest
  • coordination.k8s.io/v1beta1, Lease
  • extensions/v1beta1, Ingress
  • networking.k8s.io/v1beta1, Ingress
  • networking.k8s.io/v1beta1, IngressClass
  • rbac.authorization.k8s.io/v1beta1, ClusterRole
  • rbac.authorization.k8s.io/v1beta1, ClusterRoleBinding
  • rbac.authorization.k8s.io/v1beta1, Role
  • rbac.authorization.k8s.io/v1beta1, RoleBinding
  • scheduling.k8s.io/v1beta1, PriorityClass
  • storage.k8s.io/v1beta1, CSIDriver
  • storage.k8s.io/v1beta1, CSINode
  • storage.k8s.io/v1beta1, StorageClass
  • storage.k8s.io/v1beta1, VolumeAttachment

Deprecated API versions

These APIs are still served in version 1.22 but are in a deprecation period, and will be removed in 1.25:

  • PodSecurityPolicy
    • policy/v1beta1 PodSecurityPolicy
    • Deprecated in 1.21 with removal targeted for version 1.25.
  • The following Beta versions of graduated APIs will be removed in 1.25 in favor of their GA versions:
    • discovery.k8s.io/v1beta1 EndpointSlice, deprecated since 1.21
    • policy/v1beta1 PodDisruptionBudget, deprecated since 1.21
    • batch/v1beta1 CronJob, deprecated since 1.21

New API versions in 1.22

The pods/eviction subresource now accepts policy/v1 eviction requests in addition to policy/v1beta1 eviction requests (#100724)

Notable features in 1.22

GA: Server-side Apply

Server-side Apply is a new object merge algorithm, as well as tracking of field ownership, running on the Kubernetes API server. Server-side Apply helps users and controllers create and modify their resources via declarative configurations by sending their fully specified intent. Refer to server-side apply documentation for more information. Improvements in 1.22 include:

  • scale subresource ownership is tracked correctly (#98377)
  • label selector fields are applied atomically (#97989)
Beta: DaemonSet maxSurge

DaemonSet objects now support a maxSurge rollout parameter, which allows running updated pods for the DaemonSet on nodes before removing old pods. Refer to the DaemonSet API documentation for more information.

Beta: Suspended jobs

Job objects can now be created or placed in a suspended state, to allow higher-level control over ordering and scheduling of batch workloads. Refer to the Job documentation for more information.

Beta: podAffinity namespace selection

Pod affinity rules can now specify namespaced using a label selector, in addition to a fixed list of namespace names. Refer to the pod affinity documentation for more information.

Notable changes and bug fixes in 1.22

  • The terminationGracePeriodSeconds field on pod specs and container probes should not be negative. Negative values of terminationGracePeriodSeconds will be treated as the value 1 on the delete path. Immutable field validation will be relaxed in order to update negative values. In a future release, negative values will not be permitted. (#98866)

  • As a mitigation for CVE-2021-25740, newly created Kubernetes 1.22 clusters no longer include write access to the Endpoints API in the edit and admin roles by default. Existing clusters upgraded to Kubernetes 1.22 retain previous permissions in those roles. For instructions to re-add Endpoints write access to the edit and admin roles in newly created 1.22 clusters, refer to the RBAC documentation.

(2021-R30) Version updates

  • Version 1.20.10-gke.301 is now the default version.
  • The following control plane and node versions are now available:
  • The following control plane versions are no longer available:
    • 1.18.20-gke.3001
    • 1.18.20-gke.3300
    • 1.18.20-gke.4100
    • 1.18.20-gke.4501
    • 1.18.20-gke.6000
    • 1.19.12-gke.2101
    • 1.20.8-gke.2101
    • 1.20.9-gke.701
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

(2021-R30) Version updates

  • Version 1.19.13-gke.1200 is now the default version.
  • The following control plane and node versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.19.13-gke.701
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.9-gke.1001 with this release.

(2021-R30) Version updates

  • Version 1.20.10-gke.301 is now the default version in the Regular channel.
  • Version 1.21.3-gke.2001 is now available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

(2021-R30) Version updates

  • Version 1.21.4-gke.1801 is now the default version in the Rapid channel.
  • The following control plane and node versions are now available in the Rapid channel:
  • Version 1.21.4-gke.301 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.1801 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.1-gke.1602 with this release.

September 30, 2021

Anthos GKE on AWS

Anthos Clusters on AWS aws-1.9.0-gke.2 is now available.

Anthos clusters on AWS aws-1.9.0-gke.2 clusters run the following Kubernetes versions:

  • 1.18.20-gke.6300
  • 1.19.14-gke.2200
  • 1.20.10-gke.2000
  • 1.21.4-gke.2100

You can now launch Kubernetes 1.21 clusters.

Anthos Identity Service is available on Kubernetes clusters version 1.21 and above.

Kubernetes 1.21 clusters now support the Kubernetes Konnectivity tool for communication between nodes and the control plane. When you launch a 1.21 cluster, you must allow connections between control plane nodes and node pool nodes on port 8132.

You can now update the OIDC configuration on a running cluster.

You can now specify a Cloud Storage Bucket name where Anthos clusters on AWS stores configuration data.

You can now launch node pools with AWS R5 instances.

The VolumeSnapshot resource API version v1beta1 is deprecated in Kubernetes 1.21 clusters. Use API version v1 for 1.21 clusters and above. All previously persisted VolumeSnapshot objects remain functional.

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For more information, see the GCP-2021-021 security bulletin.

You cannot create new 1.16 clusters. Existing 1.16 clusters continue to function.

Error messages when upgrading or downgrading your clusters have been clarified.

Anthos clusters on Azure

A new release of Anthos clusters on Azure is now available.

Anthos clusters on Azure now supports Kubernetes 1.20 clusters

You must now manage your clusters with the gcloud command-line tool version 358.0.0 or higher.

Kubernetes 1.20 includes a fix for CVE2021-25741. We recommend you replace all 1.19 clusters with 1.20 clusters.

Cluster updates are not supported. To use Kubernetes 1.20, you must create new clusters.

You can now use an HTTP proxy with Kubernetes 1.20 clusters

You can now launch clusters in the Singapore and Australia regions

You can now specify zone placement of control plane replicas when you create a cluster. For more information, see Control plane zonal placement

When you get credentials for a Kubernetes 1.20 cluster, use the gcloud alpha container azure clusters get-credentials command.

Cloud Bigtable

Storage limits for Cloud Bigtable nodes have been doubled. Each node now supports twice as much storage, with no increase in per-node costs. This feature is generally available (GA).

Cloud Monitoring

Cloud Monitoring dashboards now support displays of data in tabular form. For information about this feature, see Configure tables with the Cloud Console and Configure tables by using the API.

Dataproc Metastore

CMEK integration with Dataproc Metastore is generally available (GA).

Filestore

You can now use Customer-Managed Encryption Keys (CMEK) to protect all data at rest in Filestore's Enterprise tier instances. CMEK in Filestore is a preview feature. For more information, see Encrypt data with customer-managed encryption keys.

Filestore's Enterprise tier now supports snapshots. A snapshot is a preserved state of your file share data that can be used to restore data. For more information, see the snapshots documentation page.

Google Cloud Armor

Google Cloud Armor Adaptive Protection is now in General Availability.

Google Kubernetes Engine

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. For more information, see the GCP-2021-018 security bulletin.

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For more information, see the GCP-2021-021 security bulletin.

There is a known issue where updating a BackendConfig resource using the v1beta1 API that removes an active Google Cloud Armor security policy from its service. For more information, see the GCP-2021-019 security bulletin.

Now you can see how effectively your GKE clusters and workloads are utilizing your available compute resources. The new Cost Optimization tab lets you view, filter, and learn more about the CPU and memory usage, requests, allocation, and limit amounts of each of your clusters and workloads. This information can help you identify opportunities to optimize your clusters or workloads for more cost effective resource utilization. This feature is now available in Preview. For more information, see View cost-related optimization metrics.

Identity and Access Management

IAM role recommendations for folder- and organization-level roles are now generally available.

Network Connectivity Center

Cloud DNS forwarding services and Private Google Access cannot be accessed through Router appliance spokes. This issue is being worked on.

Transcoder API

Transcoder API is GA: The Transcoder API has graduated out of beta and has reached v1. All API endpoints are updated to use https://transcoder.googleapis.com/v1/.

Added Troubleshooting guide.

VPC Service Controls

Preview stage support for the following integration:

September 29, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.9.0-gke.8 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.0-gke.8 runs on Kubernetes v1.21.4-gke.200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

Features:

Cluster lifecycle Improvements:

  • GA: You can register an admin cluster during its creation by filling in the gkeConnect section in the admin cluster configuration file, similar to user cluster registration.

Platform enhancements:

  • Preview: User clusters can now be in a different vSphere datacenter from the admin cluster, resulting in datacenter isolation between the admin cluster and user clusters. This provides greater resiliency in the case of vSphere environment failures.

  • GA: Support for Windows node pools is generally available.This release adds:

    • Preview: Windows DataplaneV2 support, which allows for using Windows Network Policy
    • Node Problem Detector (NPD) support on Windows
    • Streamlined process for preparing Windows images in a private registry
    • Enhanced Flannel CNI support on Windows

    The upstream fixes for the "Windows Pod stuck at terminating status" error are also applied to this release, which improves the stability of running Windows workloads.

  • GA: Support for Container-Optimized OS (COS) node pools is generally available.

  • GA: CoreDNS is now the cluster DNS provider.

    • Clusters that are upgraded to 1.9 will have their KubeDNS provider replaced with CoreDNS. During the upgrade, CoreDNS is first deployed and then KubeDNS is removed, so applications should not observe DNS unavailability. However before upgrading, ensure that your cluster has enough additional resources to deploy CoreDNS. CoreDNS requires 100 millicpu and 170 MiB of memory per instance, all clusters require a minimum of 2 instances, and there is an additional instance deployed for every 16 nodes in the cluster.
    • You can configure cluster DNS options such as upstream name servers by using the new ClusterDNS custom resource.

Security enhancements:

  • GA: Always-on secrets encryption: You can enable secrets encryption with internally generated keys instead of a hardware security module (HSM). Use the gkectl update command to rotate these keys or to enable or disable secrets encryption after cluster creation.
  • Preview: Windows network policy support. This release introduces a new network plugin, Antrea, for Windows nodes. In addition to network connectivity and services support, it provides network policy support. When creating a user cluster, you can set enableWindowsDataplaneV2 to true to enable this feature. Enabling this feature replaces Flannel with Antrea on Windows nodes.
  • Preview: Azure AD group support for Authentication: This feature allows cluster admins to configure RBAC policies based on Azure AD groups for authorization in clusters. This supports retrieval of groups information for users belonging to more than 200 groups, thus overcoming a limitation of regular OIDC configured with Azure AD as the identity provider.

Simplify day-2 operations:

  • Preview: When creating a user cluster, you can set enableVMTracking in the configuration file to true to enable vSphere tag creation and attachment to the VMs in the user cluster. This allows easy mapping of VMs to clusters and node pools. See Enable VM tracking.
  • GA: New metrics agents based on open telemetry are introduced to improve reliability, scalability and resource usage.
  • Preview: You can enable or disable Stackdriver with gkectl update on existing user clusters. You can enable or disable cloud audit logging and monitoring with gkectl update on both admin and user clusters.

Breaking changes:

  • User cluster registration is now required and enforced. You must fill in the gkeConnect section of the user cluster configuration file before creating a new user cluster. You cannot upgrade a user cluster unless that cluster is registered. To unblock the cluster upgrade, add the gkeConnect section to the configuration file and run gkectl update cluster to register an existing 1.8 user cluster.

  • User clusters must be upgraded before the admin cluster. The flag --force-upgrade-admin to allow the old upgrade flow (admin cluster upgrade first) is no longer supported.

  • The following requirements are now enforced when you create a cluster that has logging and monitoring enabled.

    • The Config Monitoring for Ops API is enabled in your logging-monitoring project.
    • The Ops Config Monitoring Resource Metadata Writer role is granted to your logging-monitoring service account.
    • The URL opsconfigmonitoring.googleapis.com is added to your proxy allowlist (if applicable).

Changes:

  • There is now a checkpoint file for the admin cluster, located in the same datastore folder as the admin cluster data disk, with the name DATA_DISK_NAME-checkpoint.yaml, or DATA_DISK_NAME.yaml if the length of DATA_DISK_NAME is greater than the filename length limit. This file is required for future upgrades and should be considered as important as the admin cluster data disk.

    Note: If you have enabled VM encryption in vCenter, you must grant Cryptographer.Access permission to the vCenter credentials specified in your admin cluster configuration file, before trying to create or upgrade your admin cluster.

  • The admin cluster backup with gkectl preview feature introduced in 1.8 now allows updates to clusterBackup.datastore. This datastore may be different from vCenter.datastore so long as it is in the same datacenter as the cluster.

  • The k8s 1.21 release includes the following metrics changes:

    • Add new field status for storage_operation_duration_seconds, so that you can know about all status storage operation latency.
    • The storage metrics storage_operation_errors_total and storage_operation_status_count are marked deprecated. In both cases, the storage_operation_duration_seconds metric can be used to recover equivalent counts (using status=fail-unknown in the case of storage_operations_errors_total).

    • Rename the metric etcd_object_counts to apiserver_storage_object_counts and mark it as stable. The original etcd_object_counts metrics name is marked as "Deprecated" and will be removed in the future.

  • A new GKE on-prem control plane uptime dashboard is introduced with a new metric, kubernetes.io/anthos/container/uptime, for component availability. The old GKE on-prem control plane status dashboard and old kubernetes.io/anthos/up metric are deprecated. New alerts for admin cluster control plane components availability and user cluster control plane components availability are introduced with a new kubernetes.io/anthos/container/uptime metric to replace deprecated alerts and the old kubernetes.io/anthos/up metric.

  • You can now skip certain health checks performed by gkectl diagnose cluster with the –skip-validation-xxx flag.

Fixes:

  • Fixed the issue of gkeadm trying to set permissions for the component access service account when --auto-create-service-accounts=false.
  • Fixed the timeout issue for admin cluster creation or upgrade that was caused by high network latency to reach the container registry.
  • Fixed the gkectl create-config admin and gkectl create-config cluster panic issue in the 1.8.0-1.8.3 releases.
  • Fixed the /run/aide disk usage issue that was caused by the accumulated cron log for aide.

Restoring an admin cluster from a backup using gkectl repair admin-master –restore-from-backup fails when using a private registry. The issue will be resolved in a future release.

Cloud Composer

Cloud Composer supports the IP Masquerade agent in Preview. This feature is available in new Cloud Composer 1 environments.

Changes in the preinstalled apache-airflow-backport-providers-google package for Airflow 1.10.15:

  • Dataflow job operators can be run in async mode.
  • Dataflow Hook handles no Job Type.

New versions of Cloud Composer images:

  • composer-1.17.2-airflow-2.1.2
  • composer-1.17.2-airflow-2.0.2
  • composer-1.17.2-airflow-1.10.15 (default)
  • composer-1.17.2-airflow-1.10.14
  • composer-1.17.2-airflow-1.10.12
  • composer-2.0.0-preview.3-airflow-2.1.2 (default)
  • composer-2.0.0-preview.3-airflow-2.0.2

Cloud Composer 1.12.1 has reached its end of full support period.

Cloud Data Fusion

Preview: You can now use SAP as a source for batch-based and delta-based data extraction in Cloud Data Fusion through Operational Data Provisioning (ODP). For more information, see the SAP ODP plugin overview. This plugin is available in Cloud Data Fusion version 6.4.0 and later.

Cloud Load Balancing

External HTTP(S) Load Balancing is now available in a regional mode. The new regional external HTTP(S) load balancer contains many of the features of our existing global load balancer, but with an ever-growing list of advanced traffic management capabilities. You can use this load balancer for workloads with jurisdictional compliance requirements or to access the Standard Network Tier.

For details, see:

This load balancer is available in Public Preview.

Network Connectivity Center

Previously, if you used a Router appliance spoke to connect more than 1,000 VMs, you might have experienced problems establishing BGP sessions between the router appliance instance and the Cloud Router. This issue has been resolved.

Network Connectivity Center includes new limits on the number of underlying resources that can be associated with a spoke. For information about the new limits, see Network Connectivity Center quotas and limits.

SAP on Google Cloud

SAP HANA certification: 12 TB m2-ultramem-416 VMs certified for OLAP scale out

SAP has certified the Compute Engine 12 TB m2-ultramem-416 machine type for SAP HANA OLAP workloads in scale-out configurations with up to 16 nodes. SAP workload-based sizing is required.

For more information, see Certified Compute Engine VMs for SAP HANA.

VPC Service Controls

General availability for the following integration:

September 28, 2021

Anthos on bare metal

Release 1.9.0

Anthos clusters on bare metal 1.9.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.0 runs on Kubernetes 1.21.

Improved cluster lifecycle functionalities:

  • Preview: Added ability to reset individual nodes with the bmctl reset node command. To give access to the needed cluster configuration file, use the command with the -c flag.

  • Preview: Added ability to recover from HA control plane quorum loss withbmctl restore --control-plane-node command.

  • Added bmctl create ksa command to create a Kubernetes Service Account (KSA) and generate a bearer token. To log in to the registered cluster, you can use the token in Cloud Console Kubernetes Engine > Clusters.

  • Preview: Added bmctl backup cluster and bmctl restore cluster commands to facilitate disaster recovery for clusters.

Introduced new troubleshooting capabilities:

  • Updated the bmctl check cluster --snapshot command to support uploading cluster diagnostic snapshots to a Cloud Storage bucket for review by Cloud Customer Care.

  • Provided access to bootstrap cluster logs to help troubleshoot cluster creation or upgrade problems.

  • Preview: Added support for Node Problem Detector service on nodes for quick detection of common node problems.

Enhanced monitoring and logging:

  • GA: Cloud Audit Logs capability is now generally available and enabled by default. Audit logs are useful for investigating suspicious API requests and for collecting statistics. For more information, see Use Audit Logging.

  • Switched to new open telemetry-based metrics agents to improve reliability, ability to scale, and resource usage.

Improved networking capabilities:

  • GA: The multi-NIC capability to provide additional interfaces to your pods is now generally available.

  • Preview: Added the single root I/O virtualization (SR-IOV) container network interface (CNI) plugin for multi-NIC.

  • Added support to configure cluster Domain Name System (DNS) provider options, such as upstream nameservers, with the new ClusterDNS custom resource definition.

Enhanced security:

  • SELinux is now always enabled in the container runtime for CentOS and RHEL.

  • Preview: Enhanced the capability to rotate cluster certificate authorities (CAs). Updates include support for all cluster types, rotation of front-proxy and etcd CAs, and changes to the bmctl command syntax.

  • Preview: Added Okta group support for authentication in Anthos Identity Service.

Functionality changes:

  • Changed default container runtime to containerd, containerRuntime: containerd for new clusters. Customers can still choose Docker as the container runtime.
  • Preview: Updated bmctl command, bmctl reset nodes --force, to support force removal of control plane nodes with etcd membership cleanup.

  • Added checks for cluster updates to verify access to cluster machines if changes to loginUser or sshKeyPrivatePath are detected. If the checks pass, Anthos clusters on bare metal saves the secret in the cluster.

  • Added new Anthos cluster control plane uptime dashboard in Cloud Monitoring with new metric kubernetes.io/anthos/container/uptime for component availability.

  • Added new alerts for control plane components availability with new metric kubernetes.io/anthos/container/uptime to replace deprecated alerts with metric kubernetes.io/anthos/up.

Fixes:

  • Added missing registry mirror package required for Cloud Audit Logs to the Registry Mirror.

  • Fixed issue with containerd not finding crictl due to /usr/local/bin not being in the SSH user's PATH.

  • Fixed flapping node readiness issues caused by an unhealthy Pod Lifecycle Event Generator (PLEG).

  • Fixed kernel support issue for Ubuntu 18.04 and 18.04.1 that prevented the anetd networking controller from working properly. Anthos clusters on bare metal release 1.9.0 works with all kernels supplied with supported distributions.

Known issues:

  • Control group v2 (cgroup v2) is not officially supported in Anthos clusters on bare metal release 1.9.0 and later. The presence of /sys/fs/cgroup/cgroup.controllers indicates that your system uses cgroup v2.

  • Anthos Service Mesh v1.10 is incompatible with Anthos clusters on bare metal release 1.9.0 running on Red Hat Enterprise Linux (RHEL) when SELinux is enabled. If you want to use Anthos Service Mesh, you must disable SELinux or set it to permissive mode on the host.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

BigQuery

Table functions are now generally available (GA). With the GA release, authorized table functions are now supported.

Binary Authorization

Binary Authorization for Cloud Run is now generally available (GA).

View the quickstart or set up Binary Authorization for Cloud Run on your service.

Chronicle

Uppercase has been rebranded as Google Cloud Threat Intelligence (GCTI).

Cloud Run

Customer managed encryption keys are now at general availability (GA).

Binary Authorization for Cloud Run is now at generally availability (GA).

Cloud SQL for MySQL

Cloud SQL supports the preview version of two recommenders that help you optimize your database costs:

When a database instance is nearly out of storage capacity, it's automatically stopped to prevent the loss of information. For more information, see Stopping an instance.

Cloud SQL for PostgreSQL

Cloud SQL supports the preview version of two recommenders that help you optimize your database costs:

When a database instance is nearly out of storage capacity, it's automatically stopped to prevent the loss of information. For more information, see Stopping an instance.

Cloud SQL for SQL Server

Cloud SQL supports the preview version of two recommenders that help you optimize your database costs:

When a database instance is nearly out of storage capacity, it's automatically stopped to prevent the loss of information. For more information, see Stopping an instance.

Google Cloud Marketplace Partners

You can now use Producer Portal's new guided configuration option to create deployment packages for your VM products directly in the Cloud Console.

Kf

Removed downstream lifecycle dependency for v2 buildpacks that could result in kf push failing.

September 27, 2021

App Engine standard environment Go

Many legacy App Engine APIs are now available to select second-generation runtimes. These APIs are available for Go 1.12+ in preview, through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

App Engine standard environment Java

Many legacy App Engine APIs are now available to select second-generation runtimes. These APIs are available for Java 11 in preview, through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

App Engine standard environment Python

Many legacy App Engine APIs are now available to select second-generation runtimes. These APIs are available for Python 3 in preview, through language-idiomatic libraries. Calls to these API are billed according to the standard rates.

BigQuery

BigQuery now supports the following geospatial data functions:

  • ST_BOUNDINGBOX: Returns a STRUCT that represents the bounding box for a geography.

  • ST_EXTENT: Returns a STRUCT that represents the bounding box for a set of geographies.

  • S2_COVERINGCELLIDS: Returns an array of S2 cell IDs that cover a geography.

  • S2_CELLIDFROMPOINT: Returns the S2 cell ID covering a point geography.

These functions are generally available (GA).

Cloud Monitoring

You can now install the Ops Agent on one or more Compute Engine VMs from the Inventory tab of the Monitoring VM Instances dashboard. The dashboard generates Cloud Shell commands you can use to install the Ops Agent (recommended) or the legacy agents (if needed) on the selected VMs.

Cloud Storage

Cloud Storage now more effectively batches Cloud KMS requests.

  • No changes to how you use Cloud Storage.
  • When working with objects encrypted with Cloud KMS keys, you may see improved performance in your high intensity workloads, a decrease in the number of Cloud KMS audit logs, and a reduction in Cloud KMS charges.
  • These improvements apply to objects written to and rewritten within Cloud Storage using Cloud KMS keys after September 2021.

September 24, 2021

Deep Learning Containers

Starting with the M80 image release, all environments will include JupyterLab 3.x by default. To continue using an existing environment's JupyterLab 1.x version, disable auto-upgrade (if enabled) and do not manually upgrade the environment to a new environment version. To create new instances using older images that have JupyterLab 1.x installed, see creating specific versions of instances.

M80 release

  • Updated JupyterLab from 1.x to 3.x.
  • Added Jupytext.
Deep Learning VM Images

Starting with the M80 image release, all environments will include JupyterLab 3.x by default. To continue using an existing environment's JupyterLab 1.x version, disable auto-upgrade (if enabled) and do not manually upgrade the environment to a new environment version. To create new instances using older images that have JupyterLab 1.x installed, see creating specific versions of instances.

M80 release

  • Updated JupyterLab from 1.x to 3.x.
  • Added Jupytext.
  • Deep Learning VM Images in Cloud Marketplace have been updated. They were not updated in the last release.
Google Kubernetes Engine

GKE versions 1.18.20-gke.5100 and later fix the issue with v1beta1 of the Backendconfig API, where a Cloud Armor security policy was inadvertently deleted from the backend Service of an Ingress resource.

For more information, see Kubernetes issue #1508 and the Ingress Known issues page.

GKE clusters running node pools that use Docker might experience containers restarting every time Docker restarts.

The following versions are affected:

  • GKE 1.20 versions lower than 1.20.9-gke.2100
  • GKE 1.21 versions lower than 1.21.3-gke.1600

To fix this issue, either use Containerd or upgrade your nodes to version:

  • For GKE 1.20: 1.20.9-gke.2100 or higher
  • For GKE 1.21: 1.21.3-gke.1600 or higher
Pub/Sub Lite

Pub/Sub Lite reservations allow you to reserve and share throughput capacity among multiple topics in a region. - For more information, see Creating and managing Lite reservations.

Vertex AI

Vertex Matching Engine is generally available (GA).

September 23, 2021

AI Platform Training

Pre-built PyTorch containers for PyTorch 1.9 are available for training. You can use these containers to train with CPUs, GPUs, or TPUs.

Anthos Config Management

Config Sync supports rendering Kustomize configurations and Helm charts in multi-repo mode. The Git repository must have a kustomization.yaml file in the root of the sync directory to trigger the rendering process. To learn more, see Use a repo with Kustomize configurations and Helm charts.

The nomos hydrate command supports rendering unstructured source format and it supports rendering Kustomize configurations or Helm charts.

The nomos vet command supports rendering and it supports rendering Kustomize configurations or Helm charts. It provides a --keep-output flag to preserve the rendered output.

Config Sync ignores validating and applying any resource configuration in the Git repo with the annotation config.kubernetes.io/local-config: "true".

When encountering KNV1021: UnknownObjectError, Config Sync applies other resources that aren't affected by this error.

Updated Config Sync CPU requests to fit inside a default GKE cluster and for better resource utilization.

We strongly recommend that all Config Sync users enable multi-repo mode. It provides you with additional features and gives you the flexibility to sync to a single repository, or multiple repositories. If you are using kubectl to install and manage Config Sync, you can enable multi-repo mode by setting spec.enableMultiRepo: true in your ConfigManagement object. For more details, see Syncing from multiple repositories.

The Anthos Config Management operator is now installed into the config-management-system namespace rather than the kube-system namespace. If you are running custom monitoring or installation processes you need to update those processes. For specific instructions, see Manually installing Config Sync and Policy Controller with kubectl.

In nomos versions earlier than 1.9.0, the nomos status command reports an incorrect status for clusters using an Anthos Config Management version of 1.9.0 or later. Before upgrading to Anthos Config Management 1.9.0 or later, download the latest nomos CLI tool.

Fixed the issue causing the reconciler image version not getting updated, when upgrading from Anthos Config Management version 1.6.2. This was caused by an immutable label added in Anthos Config Management 1.6.2 and removed in 1.7.0.

Anthos clusters on VMware

Anthos clusters on VMware 1.7.4-gke.2 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.4-gke.2 runs on Kubernetes v1.19.12-gke.2101.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Fixes:

  • Fixed high-severity CVE-2021-3711.
  • Fixed CVE-2021-25741 mentioned in the GCP-2021-018 security bulletin.
  • Fixed the Istio security vulnerabilities listed in the GCP-2021-016 security bulletin.
  • Fixed the issue that gkeadm tries to set permissions for the component access service account when --auto-create-service-accounts=false.
Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Vertex AI
    • aiplatform.googleapis.com/ModelDeploymentMonitoringJob
Cloud Composer

Cloud Composer supports Privately used public IP addresses in Preview. This feature is available in new environments.

Cloud Composer images with Airflow 2 now use Python 3.8.12.

Changes in the preinstalled apache-airflow-backport-providers-google package for Airflow 1.10.15:

  • CloudDataFusionStartPipelineOperator can be run in async mode.
  • Added a new sensor, DatafusionPipelineStateSensor.
  • Fixes for the success_states and pipeline_timeout parameters in CloudDataFusionStartPipelineOperator.

The GRPC_POLLING_STRATEGY environment variable is set to epoll1 by default. This fix is a workaround for a bug introduced in grpcio 1.31.

(New environments only) The FluentD environment component (composer-fluentd) no longer breaks if it was manually turned off for more than 30 days.

(New environments only) The airflow-monitoring pod is restarted instead of being marked as unhealthy when the GKE control plane IP changes.

New versions of Cloud Composer images:

  • composer-1.17.1-airflow-2.1.2
  • composer-1.17.1-airflow-2.0.2
  • composer-1.17.1-airflow-1.10.15 (default)
  • composer-1.17.1-airflow-1.10.14
  • composer-1.17.1-airflow-1.10.12
  • composer-2.0.0-preview.2-airflow-2.1.2
  • composer-2.0.0-preview.2-airflow-2.0.2

Cloud Composer 1.12.0 has reached its end of full support period.

Cloud Load Balancing

Internal TCP/UDP Load Balancing now allows you to configure a connection tracking policy for the load balancer's backend service. A connection tracking policy introduces the following new properties to let you customize your load balancer's connection tracking behavior:

  • Tracking mode
  • Connection persistence on unhealthy backends
  • Idle timeout

To learn about how connection tracking works, see Traffic distribution.

This feature is available in Preview.

Compute Engine

Generally Available: Use patch alerting to monitor the patch jobs running in your environment. For more information, see Monitoring patch jobs.

September 22, 2021

Chronicle

The Linux Forwarder has been enhanced to support load balancing and high-availability. This enables you to deploy the forwarder in an environment where a Layer 4 load balancer is installed between syslog data sources and forwarder instances.

Cloud CDN

Cloud CDN now supports custom named cookies and headers in the cache key, to enable A/B (multivariate) testing, canarying, and similar scenarios. Allowlisting of query parameters is now also enabled for backend buckets, to allow for cache busting. These features are available in Preview.

For details, see the caching documentation.

Cloud Storage

Object listing is no longer impacted when performing large-scale object deletion.

  • Previously, object listing performance could be degraded for up to several days when deleting millions of objects at once in a bucket.
Compute Engine

Preview: You can now access installer properties for your Windows applications by using OS inventory management. For more information, see OS inventory management.

For information on setting up and using OS inventory management, see Viewing operating system details.

Google Cloud VMware Engine

Beginning in the middle of October 2021, VMware Engine will upgrade the VMware stack from version 7.0 Update 1 to 7.0 Update 2 and the NSX-T stack from version 3.0 to 3.1.2. Users affected by this upgrade will receive an email with planned maintenance dates and times.

For details about the upgrade and steps to prepare, see Service announcements.

September 21, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.8.3-gke.0 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.3-gke.0 runs on Kubernetes v1.20.9-gke.701.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Fixes:

  • Fixed high-severity CVE-2021-3711.
  • Fixed CVE-2021-25741 mentioned in the GCP-2021-018 security bulletin.
  • Fixed the Istio security vulnerabilities listed in the GCP-2021-016 security bulletin.
  • Fixed the issue that gkeadm tries to set permissions for the component access service account when --auto-create-service-accounts=false.

In versions 1..8.0-1.8.3, the gkectl create-config admin/cluster command panics with the message panic: invalid version: "latest". As a workaround, use gkectl create-config admin/cluster --gke-on-prem-version=$DESIRED_CLUSTER_VERSION. Replace DESIRED_CLUSTER_VERSION with the desired version.

Anthos on bare metal

Release 1.8.4

Anthos clusters on bare metal 1.8.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.4 runs on Kubernetes 1.20.

Fixes:

The following container image security vulnerabilities have been fixed: - CVE-2021-3711 - CVE-2021-3712 - CVE-2021-20305 - CVE-2021-33560

Known issues:

When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.

For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.

BigQuery

When saving query results from the Cloud Console to a CSV file, the available download size is now 10 MB. Previously the limit was 16,000 rows. Also, you can now download tables with nested and repeated data to CSV files.

Config Connector

Config Connector 1.62.0 is now available.

Added Age and Healthy columns for the kubectl get tabular outputs of ConfigConnector and ConfigConnectorContext resources.

Miscelleanous bug fixes.

Dataflow

Dataflow now uses Zonal DNS for worker resources. This enables Dataflow to offer higher reliability guarantees around Internal DNS registration.

Google Cloud VMware Engine

Added security bulletin for the VMware Engine response to VMware security advisory VMSA-2021-0020.

Vertex AI

Vertex Vizier is generally available (GA).

September 20, 2021

Anthos Service Mesh

1.9.8-asm.6 and 1.10.4-asm.14 are now available.

These patch releases fix a potential memory leak in the control plane.

Anthos on bare metal

Release 1.7.4

Anthos clusters on bare metal release 1.7.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.4 runs on Kubernetes 1.19.

Fixes:

  • Fixed vulnerability CVE-2021-25741 that might allow users to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem. This vulnerability affects all clusters created or upgraded with Anthos clusters on bare metal release 1.7.0. For more information, see the GCP-2021-018 security bulletin.

  • Updated the Kubernetes patch version to address the following container image security vulnerabilities:

Known issues:

When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Security bulletin (1.7 and 1.8)

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem. This vulnerability affects all clusters created or upgraded with Anthos clusters on bare metal 1.7.x and 1.8.x releases, specifically 1.7.3 and earlier and 1.8.2 and earlier.

To fix this vulnerability, upgrade your Anthos clusters to version 1.7.4 or 1.8.3. For more information, see the GCP-2021-018 security bulletin.

App Engine standard environment Go

Previously, Legacy API calls made from the App Engine standard environment after the request had finished would immediately return with an error. API calls after the request has finished are now allowed. These API calls are billed according to the standard rates.

App Engine standard environment Java

Previously, Legacy API calls made from the App Engine standard environment after the request had finished would immediately return with an error. API calls after the request has finished are now allowed. These API calls are billed according to the standard rates.

App Engine standard environment PHP

Previously, Legacy API calls made from the App Engine standard environment after the request had finished would immediately return with an error. API calls after the request has finished are now allowed. These API calls are billed according to the standard rates.

App Engine standard environment Python

Previously, Legacy API calls made from the App Engine standard environment after the request had finished would immediately return with an error. API calls after the request has finished are now allowed. These API calls are billed according to the standard rates.

Cloud Storage

Object Versioning can now be managed in the Cloud Console.

Google Cloud Deploy

Google Cloud Deploy is available in Preview.

Identity and Access Management

The IAM documentation now refers to the identities that can be granted access to a resource as principals. Previously, these identities were known as members.

This change does not affect the REST API, the client libraries, or the flags for the gcloud command-line tool.

The reference documentation for predefined roles now uses a new format that is easier to browse.

Migrate for Compute Engine

Migrate for Compute Engine now supports the deployment of migrated workloads to sole-tenant nodes. A sole-tenant node is a Compute Engine server that is dedicated to hosting only your project's VMs.

See Migrating individual VMs for more information on sole tenancy.

Network Intelligence Center

Connectivity to Cloud VPN and Cloud Interconnect is now generally available in Network Topology. Google Cloud users can use Network Topology to audit their networking configuration and troubleshoot issues related to the hybrid connectivity to and from their on-premises networks.

Resource Manager

The Organization Policy Service v2 API reference documentation is now available. For more information, see the API reference documentation.

Video Intelligence API

The CELEBRITY_RECOGNITION model will undergo an upgrade to a newer version over the next 90 days. The API interface and client library will remain same as the previous version. The API follows the same Service Level Agreement (SLA). You have 30 days from this release date to test the new model. To do so, specify "builtin/latest" in the model field of the Feature object while requesting image annotation. After the end of this 30-day period, the new version will be promoted to the default model and accessible as "builtin/stable". Going forward, the original model will still be available for another 60 days using "builtin/legacy". If you encounter problems with this upgrade, contact the Video Intelligence API engineering team by submitting a ticket in the private issue tracker.

September 17, 2021

Anthos clusters on VMware

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem. For more information, see the GCP-2021-018 security bulletin.

BigQuery

BigQuery now supports the following geospatial data functions:

  • ST_EXTERIORRING: Returns a linestring geography that corresponds to the outermost ring of a polygon geography.

  • ST_INTERIORRINGS: Returns an array of linestring geographies that corresponds to the interior rings of a polygon geography.

  • ST_ANGLE: Returns the angle between two intersecting lines.

  • ST_AZIMUTH: Returns the azimuth of a line segment formed by two points.

  • ST_NUMGEOMETRIES: Returns the number of geometries in a geography.

  • ST_GEOMETRYTYPE: Returns the Open Geospatial Consortium (OGC) geometry type that describes a geography as a string.

These functions are generally available (GA).

Cloud Billing

Cost breakdown report now supports new filters and report sharing

In the Cloud Billing Console Cost breakdown report, you can now select the costs you want to analyze using the Time range and other report filters, such as projects, services, and SKUs.

For detailed insights behind the results of your cost breakdown report, view the Reports page. The cost breakdown report is linked to the Cloud Billing Reports page; the link uses the same time range and report filters you configure on your cost breakdown report. When you open the Reports page from your cost breakdown report, the report opens displaying the same totals as the cost breakdown report.

Along with the new report filters, the cost breakdown report now supports URL bookmarking and sharing. As you configure your cost breakdown report by setting the time range and other filters, the cost breakdown URL updates to include your selections. You can save your report settings by bookmarking the URL. You can share the cost breakdown report by copying the URL.

For more details about the cost breakdown report and using the new report filters and sharing feature, see the documentation.

Dataproc

Updated August 19, 2021 release notes with cluster creation Failure Action feature.

Google Cloud Deploy

Resource names, such as release name, are now validated for conformance with AIP-122. If you created any Google Cloud Deploy resources with names that don't conform, those resources might not work.

Google Kubernetes Engine

(2021-R29) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.19.13-gke.701 is now the default version in the Stable channel.
  • Version 1.19.13-gke.1200 is now available in the Stable channel.
  • Version 1.20.9-gke.1000 is now available in the Stable channel.
  • The following versions are no longer available in the Stable channel:
    • 1.18.20-gke.901
    • 1.18.20-gke.3001
    • 1.19.12-gke.2101
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.701 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.9-gke.1000 with this release.

Regular channel

  • Version 1.20.9-gke.1001 is now the default version in the Regular channel.
  • Version 1.20.10-gke.301 is now available in the Regular channel.
  • Version 1.20.9-gke.701 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.9-gke.1001 with this release.

Rapid channel

  • Version 1.21.4-gke.301 is now the default version in the Rapid channel.
  • Version 1.21.4-gke.1801 is now available in the Rapid channel.
  • Version 1.21.3-gke.2001 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.301 with this release.

(2021-R29) Version updates

  • Version 1.20.9-gke.1001 is now the default version in the Regular channel.
  • Version 1.20.10-gke.301 is now available in the Regular channel.
  • Version 1.20.9-gke.701 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.9-gke.1001 with this release.

(2021-R29) Version updates

  • Version 1.21.4-gke.301 is now the default version in the Rapid channel.
  • Version 1.21.4-gke.1801 is now available in the Rapid channel.
  • Version 1.21.3-gke.2001 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.301 with this release.

(2021-R29) Version updates

  • Version 1.19.13-gke.701 is now the default version in the Stable channel.
  • Version 1.19.13-gke.1200 is now available in the Stable channel.
  • Version 1.20.9-gke.1000 is now available in the Stable channel.
  • The following versions are no longer available in the Stable channel:
    • 1.18.20-gke.901
    • 1.18.20-gke.3001
    • 1.19.12-gke.2101
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.701 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.9-gke.1000 with this release.

(2021-R29) Version updates

September 16, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.6.5-gke.0 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.6.5-gke.0 runs on Kubernetes 1.18.20-gke.4501.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Fixes:

BigQuery ML

BigQuery ML documentation has been updated with the following improvements:

Dataproc Metastore

For new projects, Dataproc Metastore service creations with CMEK enabled fail if a service without CMEK enabled has never been created before.

To work around this issue, create a service without CMEK enabled first.

Google Kubernetes Engine

In GKE versions 1.21.0-gke.1500 and later, VPC-native is the default network mode during cluster creation. To create a routes-based cluster, you can use the --no-enable-ip-alias flag:

gcloud container clusters create CLUSTER_NAME --no-enable-ip-alias

For Autopilot clusters, starting with GKE version 1.21.3-gke.900:

  • Users can also create mutating webhooks. However, Autopilot modifies the mutating webhooks objects to add a namespace selector which excludes the resources in managed namespaces (currently, kube-system) from being intercepted. Additionally, webhooks which specify one or more of following resources (and any of their sub-resources) in the rules, will be rejected:

    - group: ""
      resource: nodes
    - group: ""
      resource: persistentvolumes
    - group: certificates.k8s.io
      resource: certificatesigningrequests
    - group: authentication.k8s.io
      resource: tokenreviews
    
  • The SYS_PTRACE capability is allowed in user workloads.

  • Gatekeeper is no longer used in Autopilot policy enforcement, letting users install their own Gatekeeper instances.

When downgrading Autopilot clusters versions 1.21 to the older minor versions, the cluster might intermittently become unavailable. Once the downgrade is complete, the cluster will be available.

Identity and Access Management Identity-Aware Proxy

Security bulletin c2agxr12ne

Certain Google Cloud load balancers routing to an Identity-Aware Proxy enabled Backend Service could have been vulnerable to an untrusted party under limited conditions.

For details, see GCP-2021-020

Kf

Improved kf doctor reliability for Anthos on-prem clusters.

Fixed an error that can occur during the initialization of the subresource API.

Virtual Private Cloud

Enabling or disabling PROXY protocol after a Private Service Connect service attachment is created now correctly changes the configuration.

September 15, 2021

Anthos GKE on AWS

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. For more information, see the GCP-2021-018 security bulletin.

Cloud Composer

Airflow 2 in Cloud Composer is now generally available (GA).

HA Scheduler in Cloud Composer is now generally available (GA).

We plan to stop offering Airflow 1.10.14 and 1.10.12 in new versions of Cloud Composer. Starting from December 2021, new releases of Cloud Composer will support only Airflow 1.10.15 and Airflow 2.x versions.

We plan to switch new versions of Cloud Composer with Airflow 1.10.15 to Python 3.8. Starting from November 2021, new Cloud Composer images with Airflow 1.10.15 will use Python 3.8 instead of Python 3.6. Please check for PyPI package compatibility before upgrading your environment to a version with Python 3.8.

Java Runtime in Airflow workers and schedulers is updated from version 8 to version 11.

The default value for the visibility-timeout Airflow configuration option, which determines the amount of time after which the task is re-picked by another worker, is increased from 6 hours to 7 days. This change fixes a problem with long-running tasks, when two Airflow workers attempt to write to one log file at the same time, causing tasks to fail with a logging exception.

Airflow has its own system for controlling task health, which is not dependent on visibility-timeout. If required, you can override the value of this configuration option for your environment.

If an Airflow configuration option is blocked in the image version specified for an upgrade operation, and this option has an override in your environment, the upgrade operation is rejected.

In Airflow UI, menu items for Configuration and DAG dependencies pages are now correctly displayed for users with the Op role.

New versions of Cloud Composer images:

  • composer-1.17.0-airflow-2.1.2
  • composer-1.17.0-airflow-2.0.2
  • composer-1.17.0-airflow-1.10.15 (default)
  • composer-1.17.0-airflow-1.10.14
  • composer-1.17.0-airflow-1.10.12
  • composer-2.0.0-preview.1-airflow-2.1.2
  • composer-2.0.0-preview.1-airflow-2.0.2

Airflow 2.1.1 is no longer included in Cloud Composer images.

Cloud Functions

Cloud Functions now supports PHP 7.4 at the General Availability release level.

Google Cloud Deploy

The 3-part cluster specification is no longer supported in target configuration. The only accepted format is now as follows:

gke:
  cluster: projects/[project_name]/locations/[location]/clusters/[cluster_name]

The promoteRelease API is removed. Users can call releases.rollouts.create to promote a release through the API.

In the release resource, the archive_uri output field is replaced with artifact_uri. This reflects the fact that the Skaffold configuration and rendered manifest are no longer stored together as a tar file in a Google Cloud Storage bucket. They are now stored as files in GCS, in a folder corresponding to each render operation.

SAP on Google Cloud

Google Cloud monitoring agent for SAP NetWeaver, version 2.0 is generally available

Version 2.0 of the monitoring agent for SAP NetWeaver is now generally available (GA). For Linux, version 2.0 of the monitoring agent provides a simpler installation and upgrade path that conforms to the standard OS-based package management. For Windows, only the service name is changed to google-sapnetweavermonitoring-agent.

The information collected by version 2.0 of the monitoring agent for SAP NetWeaver is the same as version 1.0.

For more information, see SAP NetWeaver Planning Guide.

Vertex AI

Vertex Explainable AI is generally available (GA).

September 14, 2021

Anthos Service Mesh

1.9.8-asm.3 and 1.10.4-asm.9 are now available.

These patch releases:

  • Introduced a rate limit to improve control plane availability under load spikes.
  • Fixed a memory leak and proxy count issue in the control plane.
Cloud SQL for MySQL

Cloud SQL for MySQL now supports custom formatting controls for CSVs. For more information on how to select custom characters for field delimiters, quotes, escapes, and other characters in admin exports and imports, see our documentation.

Cloud SQL for PostgreSQL

Cloud SQL for PostgreSQL has enhanced the support for multiline log entries in postgres.log. Before, when a log entry spanned multiple lines, each line was recorded as a separate entry in Cloud Logging. The lines are now recorded as a single entry in Cloud Logging for ease of query and processing.

Cloud SQL for PostgreSQL now supports custom formatting controls for CSVs. For more information on how to select custom characters for field delimiters, quotes, escapes, and other characters in admin exports and imports, see our documentation.

Cloud Shell

Cloud Shell is available directly in the Google Cloud documentation.

You can use this feature to activate Cloud Shell in the documentation and run sample code in the terminal on the page. For more information, see Launching within documentation.

The following list summarizes known issues that you might encounter:

  • You can only activate Cloud Shell in the documentation when you're using Chrome desktop browsers (version 74 or higher).
  • If Cloud Shell is activated and you open a site search result, the browser asks if you want to leave the site and then closes Cloud Shell.
  • If Cloud Shell is activated and you open a URL that redirects you to a different URL, your Cloud Shell session restarts.
Google Kubernetes Engine

With GKE versions 1.21.4-gke.30 and later, users can create ServiceAttachment resources to provision Private Service Connect (PSC) for internal LoadBalancer Services. This feature is available in Preview.

Multi-cluster Ingress now supports SSL policies and HTTPS redirects using the FrontendConfig resource. This feature is generally available in GKE versions 1.17.13-gke.2600 and later.

Security Command Center

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors in public preview.

The following detectors monitor your Google Workspace and Cloud Audit logs and alert you when external members are added to privileged Google Groups—groups that are granted sensitive IAM roles and permissions:

  • Credential Access: Privileged Group Joinability Risk: Detects when Google Groups are changed to be accessible to the general public
  • Persistence: IAM Anomalous Group Grant: Detects when sensitive roles are granted to privileged Google Groups with external members
  • Credential Access: External Member In Privileged Group: Detects when an external member is added to a privileged Google Group

The following detectors monitor your Admin Activity logs and alert you to suspicious changes in Compute Engine instances:

  • Persistence: Compute Engine Admin Added SSH Key: Detects modification of the Compute Engine instance metadata ssh key value on established instances
  • Persistence: Compute Engine Admin Added Startup Script: Detects modification of the Compute Engine instance metadata startup script value on established instances

The Persistence: IAM Anomalous Grant detector is enhanced and detects when sensitive roles are granted to users and service accounts.

For more information on Event Threat Detection findings, see Rules. To learn how Event Threat Detection monitors changes in Google Groups and defines sensitive roles, see Unsafe Google Group changes.

Virtual Private Cloud

Full control over which protocols are mirrored by Packet Mirroring is now available in General Availability.

Workflows

Call logging is available in Preview.

September 13, 2021

Cloud Run

You can now configure Cloud Run services to have CPU allocated for the entire lifetime of container instances. Pricing depends on the CPU allocation configuration. (Available in public preview.)

Cloud Run for Anthos

Preview: Installing Cloud Run for Anthos as an Anthos feature is now available as a Preview. Currently available for new clusters only.

This preview of Cloud Run for Anthos installs as an Anthos fleet component and requires Anthos Service Mesh. Learn more.

Compute Engine

Generally Available: NVIDIA® T4 GPUs are now available in the following additional regions and zones:

  • Las Vegas, Nevada,: us-west4-a,b
  • Los Angeles, California: us-west2-b,c

For more information about using GPUs on Compute Engine, see GPUs on Compute Engine.

Dataproc

New sub-minor versions of Dataproc images: 1.4.71-debian10, 1.4.71-ubuntu18, 1.5.46-centos8, 1.5.46-debian10, 1.5.46-ubuntu18, 2.0.20-centos8, 2.0.20-debian10, 2.0.20-ubuntu18

Added support for enabling/disabling Ubuntu Snap daemon with cluster property dataproc:dataproc.snap.enabled. The default value is "true". If set to "false", pre-installed Snap packages in the image won't be affected, but auto refresh will be disabled. Applies to all Ubuntu images.

HIVE-21018: Grouping/distinct on more than 64 columns should be possible. Applies to 2.0 images.

Eventarc

Eventarc can be configured for data location and is supported as a resource location.

Google Kubernetes Engine

GKE versions 1.19.14-gke.301 and later fix the issue with v1beta1 of the Backendconfig API, where a Cloud Armor security policy was inadvertently deleted from the backend Service of an Ingress resource.

For more information, see Kubernetes issue #1508 and the Ingress Known issues page.

Vertex AI Workflows

Connectors are now generally available (GA).

September 10, 2021

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Container
    • k8s.io/Node
    • k8s.io/Pod
    • k8s.io/Namespace
    • rbac.authorization.k8s.io/Role
    • rbac.authorization.k8s.io/RoleBinding
    • rbac.authorization.k8s.io/ClusterRole
    • rbac.authorization.k8s.io/ClusterRoleBinding
Cloud SQL for MySQL

The Cloud SQL out-of-disk recommender is now generally available. This feature proactively generates recommendations that help you reduce the risk of downtime that might be caused by your instances running out of disk space.

Cloud SQL for PostgreSQL

The Cloud SQL out-of-disk recommender is now generally available. This feature proactively generates recommendations that help you reduce the risk of downtime that might be caused by your instances running out of disk space.

Cloud SQL for PostgreSQL now supports the min_wal_size flag. For more information about this flag, see the Cloud SQL for PostgreSQL flags documentation.

Cloud SQL for SQL Server

The Cloud SQL out-of-disk recommender is now generally available. This feature proactively generates recommendations that help you reduce the risk of downtime that might be caused by your instances running out of disk space.

Config Connector

Config Connector 1.61.0 is now available

Added the securitySettings field to ComputeBackendService

Added jitter to resource reconciliation reenqueue period to smooth out the traffic pattern

Fixed a bug in BigqueryJob that generates unexpected diff for 'kms_key_name'

Notebooks

Due to a recent change, the iam.serviceAccounts.actAs permission on the specified service account for the notebook instance is required for users to continue to have access to their notebook instances. The Google internal Inverting Proxy server that provides access to notebook instances now verifies that this permission is present before allowing users access to the JupyterLab URL. The JupyterLab URL this update covers is: *.notebooks.googleusercontent.com This update only applies to notebook instances in Single User mode and verifies that the assigned single user is authorized to execute code inside the notebook instance. Notebook instances running in Service Account or Project Editor mode already perform this verification via the Inverting Proxy server.

Vertex AI

Vertex Model Monitoring is generally available (GA).

When you perform custom training, you can access Cloud Storage buckets by reading and writing to the local filesystem. This feature, based on Cloud Storage Fuse, is available in Preview.

September 09, 2021

Cloud Billing

Cloud Billing Budgets & alerts now support configurable budget time periods, beyond monthly budgets

In the Cloud Billing Console Budgets & alerts settings, you can now specify the time period of your budgets. Using the Time range settings now available to budgets in the Cloud Console, you can configure the budget's time range to a calendar period or a custom date range, allowing you to create budgets to monitor spend for time frames beyond the default calendar month, such as a quarter, a year, or a custom date range that you specify.

With this update, you can create, view, and manage all budgets (monthly and non-monthly) in the Budgets & alerts page in the Cloud Console or by using the Cloud Billing Budget API.

For more information on budgets and alerts, see Create, edit, or delete budgets and budget alerts.

Cloud Composer

Cloud Composer 2 is available in Preview.

Cloud Composer 2 brings environments that scale automatically based on the demands of your workflows. For more information about Cloud Composer 2, see Major versions of Cloud Composer, Environment scaling, and Pricing pages in the documentation.

Cloud Composer 2 uses the following Cloud Composer images:

  • composer-2.0.0-preview.0-airflow-2.1.2
  • composer-2.0.0-preview.0-airflow-2.1.1
  • composer-2.0.0-preview.0-airflow-2.0.2
Cloud Functions Cloud Key Management Service

Cloud KMS now provides a library that conforms to the PKCS #11 standard, which enables working with existing applications that use the PKCS #11 API. See Library for PKCS #11 to learn more.

Cloud Monitoring

You can now collect JVM metrics from the Ops Agent, starting with version 2.2.0. For more information, see Monitoring third-party applications: JVM.

Deep Learning Containers

M79 release

  • Updated Pytorch 1.9 containers (they were not refreshed in the last release).
  • Updated Theia IDE (experimental) containers.
  • Node.js is pinned to >=12.14.1,<13.
  • M79 is the last release version that has JupyterLab 1.x installed. For the next release (M80), JupyterLab will be upgraded to 3.x for all Deep Learning VM Images, Deep Learning Containers, and Notebooks.
  • Fixed a bug in which the home folder in custom container VMs was owned by the root instead of Jupyter.
Deep Learning VM Images

M79 release

  • Updated Pytorch 1.9 images (they were not refreshed in the last release).
  • Updated Theia IDE (experimental) images.
  • Node.js is pinned to >=12.14.1,<13.
  • M79 is the last release version that has JupyterLab 1.x installed. For the next release (M80), JupyterLab will be upgraded to 3.x for all Deep Learning VM Images, Deep Learning Containers, and Notebooks.
  • Deep Learning VM Images in Cloud Marketplace have not been updated. They are planned to be refreshed during the next release.
  • Fixed a bug in which the home folder in custom container VMs was owned by the root instead of Jupyter.
Firestore Google Kubernetes Engine

The managed Filestore CSI driver for GKE is now available in GKE versions 1.21 and later to provision and manage Filestore instances for GKE workloads.

Network Intelligence Center

Firewall Insights now provides comprehensive analysis of whether your firewall rules are overly permissive. Through overly permissive rule insights, which are now in public preview, Firewall Insights identifies rules and attributes that could be made more strict and secure.

Overly permissive rule insights include the following:

  • Allow rules with no hits
  • Allow rules with unused attributes
  • Allow rules with overly permissive IP address or port ranges

Firewall Insights uses Firewall Rules Logging to identify these rules. It uses machine learning to predict future usage of overly permissive rules.

By default, the product analyzes the past six weeks when it identifies overly permissive rules. However, you can choose a different observation period.

For more information about overly permissive rule insights, see the Firewall Insights overview. For details about how to enable overly permissive rules, see Using Firewall Insights.

September 08, 2021

Artifact Registry

Maven, npm, and Python repositories are now generally available.

Storage and network egress charges apply to all formats that are in Preview or are generally available.

BigQuery

Deleting the metadata for a specific job using the bq command-line tool is now generally available (GA).

Session support for BigQuery is now in Preview. With sessions:

  • You can associate your SQL activities in a session across scripts and multi-statement transactions in BigQuery with a unique session identifier.
  • You can use session variables (for example, default timezone or dataset) and temporary tables throughout the life of the session and also across scripts and transactions
  • When you enable sessions, all actions performed across multiple sessions can be viewed using the SESSION_ID column now available in jobs INFORMATION_SCHEMA views.
Cloud Healthcare API

The Healthcare Natural Language API is generally available (GA).

Cloud SQL for MySQL

Cloud SQL for MySQL now allows you to specify mysqldump options during migration from external servers. For more information, see Configuring Cloud SQL to replicate from an external server and Using a managed import to set up replication from external databases.

Compute Engine

Preview: You can now review OS vulnerability report data, which is collected by VM Manager, from the Security Command Center. This feature is available for Security Command Center premium tier users. For more information, see View vulnerability report data.

Dataproc

The following previously released sub-minor versions of Dataproc images included a bug where the dataproc user account was broken. This prevented some Dataproc services from functioning properly, which resulted in features being unavailable. In particular, this prevented Jupyter from running in clusters with Personal Cluster Authentication enabled.

These sub-minor versions have been rolled back, and can only be used when updating existing clusters that already use them:

  • 1.4.66-debian10, 1.4.66-ubuntu18
  • 1.4.67-debian10, 1.4.67-ubuntu18
  • 1.5.41-centos8, 1.5.41-debian10, 1.5.41-ubuntu18
  • 1.5.42-centos8, 1.5.42-debian10, 1.5.42-ubuntu18
  • 2.0.15-centos8, 2.0.15-debian10, 2.0.15-ubuntu18
  • 2.0.16-centos8, 2.0.16-debian10, 2.0.16-ubuntu18
Google Kubernetes Engine

Several gcloud flags used to configure which logs and metrics are collected are deprecated and replaced with new flags. See Deprecated Configuration Parameters for a list of the deprecated logging and monitoring flags as well as the equivalent values for the new --logging and --monitoring flags.

Kf

Kf for Anthos on-prem (Vsphere) is now available on the Public Previews page.

Addressed a potential panic in the kf build-logs command.

Changed flag and manifest validation for route and task fields so manifest routes are ignored when creating tasks.

September 07, 2021

Cloud Build

Build triggers support for buildpacks is now generally available. To learn more, see Creating and managing build triggers.

Cloud Load Balancing

Cloud Load Balancing now supports load-balancing traffic to endpoints that extend beyond Google Cloud, such as on-premises data centers and other public clouds that you can reach using hybrid connectivity.

Hybrid load balancing is supported by the following load balancers:

  • External HTTP(S) Load Balancing
  • Internal HTTP(S) Load Balancing
  • TCP Proxy and SSL Proxy Load Balancing

For details, see Hybrid load balancing overview.

This feature is available in Preview.

Dataflow

Dataflow now supports Shielded VM workers.

Dataproc

Added additional messages to the error messages for networking and IAM errors when creating a new cluster.

Google Kubernetes Engine

The R28 release notes were updated on September 24, 2021 with the following additions:

No channel

Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.

Stable channel

Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.

(2021-R28) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.19.12-gke.2101 is now the default version in the Stable channel.
  • The following control plane and node versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.18.20-gke.3000
    • 1.19.12-gke.2100
    • 1.19.13-gke.700
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.12-gke.2101 with this release.

Regular channel

  • Version 1.20.9-gke.701 is now the default version in the Regular channel.
  • The following control plane and node versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.20.9-gke.700
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.9-gke.701 with this release.

Rapid channel

  • Version 1.21.3-gke.2001 is now the default version in the Rapid channel.
  • The following control plane and node versions are now available in the Rapid channel:
  • Version 1.21.3-gke.2000 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Two security vulnerabilities, CVE-2021-33909 and CVE-2021-33910, have been discovered in the Linux kernel that can lead to an OS crash or an escalation to root by an unprivileged user. This vulnerability affects all GKE node operating systems (COS and Ubuntu).

For more information, see the GCP-2021-017 security bulletin.

This note was updated on September 24, 2021. Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.

(2021-R28) Version updates

This note was updated on September 24, 2021. Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.

(2021-R28) Version updates

  • Version 1.19.12-gke.2101 is now the default version in the Stable channel.
  • The following control plane and node versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.18.20-gke.3000
    • 1.19.12-gke.2100
    • 1.19.13-gke.700
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.12-gke.2101 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.12-gke.2101 with this release.

(2021-R28) Version updates

  • Version 1.20.9-gke.701 is now the default version in the Regular channel.
  • The following control plane and node versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.20.9-gke.700
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.9-gke.701 with this release.

(2021-R28) Version updates

  • Version 1.21.3-gke.2001 is now the default version in the Rapid channel.
  • The following control plane and node versions are now available in the Rapid channel:
  • Version 1.21.3-gke.2000 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.
Memorystore for Redis

Redis version 6.x is now Generally Available on Memorystore for Redis.

Network Connectivity Center

Previously, if you used a Router appliance spoke to connect more than 1,000 VMs, you might have experienced problems establishing BGP sessions between the router appliance instance and the Cloud Router. This issue has been resolved.

Security Command Center

VM Manager vulnerability reports, which are in preview, are now available in Security Command Center Premium. The reports identify vulnerabilities in operating systems installed on Compute Engine virtual machines, including Common Vulnerabilities and Exposures (CVEs).

For more information on integrating VM Manager with Security Command Center, see VM Manager.

Workflows

Support for callback endpoints is available in Preview.

September 06, 2021

Dataproc Metastore

The default Dataproc Metastore service creation version is changed to Hive 3.1.2.

September 05, 2021

Migrate for Compute Engine

Added support for overriding the default license type to explicitly specify a license type of PAYG or BYOL.

See Configuring the target for a migrated VM for more information.

September 03, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.7.3-gke.6 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.3-gke.X runs on Kubernetes v1.19.12-gke.1100

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Fixes:

  • Fixed the Ubuntu user password expiration issue. This is a required fix for customers running 1.7.2 or 1.7.3-gke.2. Either use the suggested workaround to fix this issue, or upgrade to get this fix.

  • Fixed the issue that the stackdriver-log-forwarder pod was sometimes in crashloop because of fluent-bit segfault.

Cloud Functions

Cloud Functions has added support for a new runtime, Go 1.16, at the Preview release level.

Cloud Key Management Service

Re-importing previously destroyed keys is now supported in Cloud KMS.

Cloud Monitoring

Cloud Monitoring now lets you configure how long Monitoring waits to close an incident when observations stop arriving. For more information, see Closing incidents.

Cloud Talent Solution Job Search

Added a new KeywordMatchMode field to support more keyword matching options.

Added more DiversificationLevel configuration options.

Cloud VPN

Added Terraform examples to automate HA VPN gateway creation:

Config Connector

Config Connector 1.60.0 is now available.

Added support for ComputeFirewallPolicy resource.

Fixed the error when deleting the ConfigConnectorContext object. (Issue #523)

September 02, 2021

Cloud Data Fusion

Preview: Cloud Data Fusion version 6.5.0 is now available. This version is a Preview. This release is in parallel with the CDAP 6.5.0 release.

Features in 6.5.0:

  • Preview: Cloud Data Fusion now supports role-based access control (RBAC). This gives administrators fine-grained access control over what users can do at the namespace level.

  • Preview: Cloud Data Fusion now supports customer-managed encryption keys (CMEK), which provide user encryption control over the data written to Google internal resources in tenant projects, and data written by Cloud Data Fusion pipelines.

  • Preview: Cloud Data Fusion Instance Admins can now create, view, duplicate, delete, import, and export connections from the Pipeline Studio, Wrangler, or the Namespace Admin page. A connection stores sensitive data, such as user credentials and host information, needed to connect to data sources. For more information, see Managing connections.

  • Preview: Transformation pushdown is now available. It helps you efficiently design and execute ELT workloads by pushing join transformations down to BigQuery. It gives users that prefer ELT in BigQuery access to the same visual experience that ETL users get in Cloud Data Fusion, without needing to maintain complex SQL scripts. When you enable Transformation pushdown, Cloud Data Fusion executes Join operations in BigQuery (instead of Apache Spark). All other stages in a pipeline are executed using Spark. For pipelines that perform multiple complex joins, BigQuery can execute these joins operations faster than Spark.

  • Preview: Dataproc cluster reuse is now available. It can be used to speed up pipeline run startup by reusing clusters from previous runs.

Changes in 6.5.0:

  • In version 6.5.0, Spark 3 is the new default engine used when using Cloud Data Fusion Preview and when running pipelines on Dataproc clusters. After an instance is upgraded to version 6.5.0, any new or upgraded pipeline that uses a Dataproc profile without an explicit image version will use the latest Dataproc image 2.0 that has Spark 3.1 bundled. For more information, see Upgrade notes for Spark 3.

  • Added support for labels in the Dataproc provisioner.

  • Added Shielded VMs to the configuration settings for the Dataproc provisioner. For more information, see the CDAP documentation.

  • Added authorization checks for preferences, logging, compute profiles, and metadata endpoints.

  • Added support to search for tables based on schema name when you select tables for a Replication job.

  • Added additional trace logging in the authorization flow for debugging.

  • Added support for BIGNUMERIC data type for BigQuery target in replication.

  • Behavior change: MySQL, Oracle, Postgres, and SQL Server batch sources, sinks, actions, and pipeline alerts are now installed by default as system plugins. Previously, these plugins were available in the Hub as user plugins.

Fixed in 6.5.0 preview version (for more information, see the CDAP release note):

  • Fixed an issue in Replication that caused jobs to fail if more than 1000 tables were selected for replication.

  • Fixed an issue that caused replication jobs to hang when there were too many Delete or DDL events.

  • Fixed an issue that caused Wrangler to ignore all the other columns other than the given column when parsing Excel files.

  • Fixed Wrangler to fail pipelines upon error. In Wrangler 6.2 and above, there was a backwards-incompatible change where pipelines did not fail if there was an error and instead were marked as completed.

  • Improved resilience of TMS.

  • Fixed an issue that caused File Source Plugin validation to fail when there was a macro in the Format field.

You can create connections for Database, MySQL, Oracle, PostgreSQL, and SQL Server sources, but the plugin properties do not include Use Connection. This means that you cannot reference a connection in a database source plugin. For more information, see Known issues: Database connections.

Cloud SQL for MySQL

Cloud SQL for MySQL now supports using a custom import to set up replication from large external databases. To use this replication option, see Configuring Cloud SQL to replicate from an external server and Using a custom import to set up replication from large external databases.

Datastore

Added DATA_READ and DATA_WRITE Data Access audit logs. See Firestore in Datastore mode audit logging information. This feature is available in Preview.

Firestore

Added DATA_READ and DATA_WRITE Data Access audit logs. See Firestore audit logging information. This feature is available in Preview.

Google Kubernetes Engine

Multi-Instance GPU on GKE is is now generally available.

Network Connectivity Center

You can now create Router appliance spokes by using the Google Cloud Console. For more information, see Working with hubs and spokes.

Workflows

Support for iterating over a sequence of numbers or through a collection of data is generally available (GA).

September 01, 2021

AI Platform Prediction

Runtime version 2.6 is now available. You can use runtime version 2.6 to serve online predictions with TensorFlow 2.6.0, scikit-learn 0.24.2, or XGBoost 1.4.2. Runtime version 2.6 does not support batch prediction.

See the full list of updated dependencies in runtime version 2.6.

Anthos GKE on AWS

Anthos clusters on AWS aws-1.8.2-gke.2 is now available.

Anthos clusters on AWS aws-1.8.2-gke.2 clusters run the following Kubernetes versions:

  • 1.17.17-gke.15800
  • 1.18.20-gke.4800
  • 1.19.14-gke.600
  • 1.20.10-gke.600

The supported versions also offer the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on AWS 1.8.

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Logging
    • logging.googleapis.com/LogBucket
    • logging.googleapis.com/LogSink
    • logging.googleapis.com/LogMetric
Cloud Build

VPC Service Controls support for build triggers is now available in the preview release stage. This feature enables users to use build triggers in projects in the VPC Service Controls perimeter. For instructions, see Using VPC Service Controls.

Compute Engine

Generally available: When deleting VMs from a managed instance group, you can flag the operation to continue even if some instances were already deleted or if other instance validation errors occur.

Dialogflow

New Dialogflow CX agent roles are introduced for granular control of agent resources.

Eventarc

Support for Cloud Storage triggers is now available in Preview.

August 31, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.8.2-gke.11 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.2-gke.11 runs on Kubernetes 1.20.9-gke.701.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Starting from version 1.8.2, Anthos clusters on VMware uses cert-manager instead of Istio Citadel for issuing TLS certificates used by metrics endpoints.

Fixes:

  • Fixed the Ubuntu user password expiration issue. You must get this fix. Either use the suggested workaround to fix this issue, or upgrade to get this fix.
  • Enhanced the admin cluster upgrade logic to prevent the admin cluster state (that is, the admin master data disk) from being lost in those cases when the disk is renamed or migrated accidentally.
  • Fixed the issue that the GKE connect-register service account key is printed in the klog in 1.8.0 and 1.8.1 when users run gkectl update cluster to update the GKE connect spec, such as to register an existing user cluster.
  • Fixed issue that when ESXi hosts were unavailable in the vCenter cluster (such as when disconnected from vCenter or in maintenance mode), the Cluster API controller and cluster health controllers would crash loop, and the gkectl diagnose cluster command would crash.
  • Fixed the issue that an admin cluster upgrade might be blocked indefinitely if admin node machines are upgraded before the new Cluster API controller is ready.
  • Fixed the issue that the onprem-user-cluster-controller might leak vCenter sessions over time.

  • Fixed the issue that the gateway IP was assigned to a Windows Pod, which made it unable to have network connectivity.

  • Fixed CVE-2021-33909 and CVE-2021-33910 on Ubuntu and COS.

HPA with custom metrics doesn't work in version 1.8.2 due to the migration from Istio to cert-manager for the monitoring pipeline. Customers using the HPA custom metrics with the monitoring pipeline should wait for a future release that will include this fix.

BigQuery

An updated version of ODBC driver for BigQuery is now available that includes enhancements.

Cloud Logging

You can now collect nginx metrics and logs from the Ops Agent, starting with version 2.1.0. For more information, see Monitoring third-party applications: nginx.

Cloud Monitoring

You can now collect nginx metrics and logs from the Ops Agent, starting with version 2.1.0. For more information, see Monitoring third-party applications: nginx.

Cloud Spanner

The R2DBC driver for Cloud Spanner is available in Preview. This driver lets you connect to Cloud Spanner from fully reactive applications.

Compute Engine

Generally available: You can now reference the latest available image in a public image family for a specific zone. This feature improves zonal fault tolerance for your workflows during Google image updates.

Dataflow

Dataflow Prime is now available in Preview.

SAP on Google Cloud

SAP HANA Fast Restart and Compute Engine M2 machines speed memory-error recovery

Compute Engine recently updated M2 VM types so that they can keep running when uncorrectable memory errors occur by using memory-poisoning recovery. Except for the block affected by the error, SAP HANA Fast Restart can then maintain all data in memory, which significantly reduces restart time because only the affected block is reloaded.

For more information, see Memory-error recovery with Fast Restart on Compute Engine VMs.

Transcoder API

All client library code samples updated to v1 of the API.

Delete operations for jobs and job templates now return a 404 resource not found error if the specified resource name does not exist. Previously, these delete operations failed silently in this case. To enable the previous behavior, set the allowMissing query parameter to true when sending a request to delete a job or job template.

Encryption support (and its associated documentation) is temporarily unavailable.

August 30, 2021

Access Approval

Access Approval supports Speaker ID in Preview stage.

BigQuery

Exporting table data in Parquet format is now generally available (GA).

Cloud Composer

Airflow 2.1.2 is available in Cloud Composer images.

(Airflow 2) Cloud Composer now supports the stable Airflow REST API. The stable Airflow REST API is enabled by default.

(Airflow 2) Cloud Composer now uses a custom authentication backend for authentication in the stable Airflow REST API. The default value of the [api]auth_backend Airflow configuration option is changed to airflow.composer.api.backend.composer_auth. The default role for new users that authenticate through the stable Airflow REST API is defined by the [api]composer_auth_user_registration_role Airflow configuration option, which is set to Op by default.

New versions of Cloud Composer images:

  • composer-1.16.16-airflow-1.10.12
  • composer-1.16.16-airflow-1.10.14
  • composer-1.16.16-airflow-1.10.15 (default)
  • composer-1.17.0-preview.12-airflow-2.0.2
  • composer-1.17.0-preview.12-airflow-2.1.1
  • composer-1.17.0-preview.12-airflow-2.1.2
Cloud Functions

Cloud Functions adds support for setting a minimum number of instances, available at the Preview release level. For more information, see the blog post.

Cloud Monitoring

The VM Instances page features enhanced scorecards for VM health. The new scorecards now include both "maintenance" and "system" events that might affect your VMs and agents, along with other metrics and statistics about the health of your VMs. The filtering and sorting of the Inventory table have also been enhanced.

Cloud SQL for PostgreSQL

Cloud SQL for PostgreSQL support for pglogical, native logical replication, wal2json and test_decoding is now generally available.

Cloud SQL for PostgreSQL support for Automatic IAM database authentication is now generally available. See Automatic IAM database authentication.

Cloud Spanner

In the Cloud Console, a database's Query page now supports multiple query tabs so you no longer have to clear one query to create and run another. Additionally, you can enter multiple query and DML statements in a single query tab. When you do so, the Results and Explanation subtabs let you choose which statement's results or query plan you want to view. See A tour of the query editor for details.

Added support for changing the leader region location of a Cloud Spanner database.

Added support for the JSON data type. For more information, see Working with JSON data.

Dataproc

New sub-minor versions of Dataproc images: 1.4.70-debian10, 1.4.70-ubuntu18, 1.5.45-centos8, 1.5.45-debian10, 1.5.45-ubuntu18, 2.0.19-centos8, 2.0.19-debian10, 2.0.19-ubuntu18

Backported SPARK-34295: Added a new spark.yarn.kerberos.renewal.excludeHadoopFileSystemsconfiguration option.

Image 2.0:

OOZIE-3599: Upgraded Jetty version to 9.4.

Dataproc Metastore

Hive version 3.1.2 will become the default Dataproc Metastore service creation version in 1 week on September 6, 2021.

Google Kubernetes Engine

GKE Autoscaling profiles are now generally available.

Traffic Director

Traffic Director deployed with proxyless gRPC can now use the advanced traffic management features retry and session affinity.

Vertex AI

You can now use a pre-built container to perform custom training with TensorFlow 2.6 and PyTorch 1.9.