Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud Console.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

May 07, 2021

Speech-to-Text

The Speech-to-Text model adaptation feature is now a GA feature. See the model adaptation concepts page for more information about using this feature.

May 06, 2021

Anthos clusters on VMware

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682, and CVE-2021-29258) that could allow an attacker to crash Envoy.

For more information, see the GCP-2021-004 security bulletin.

Anthos clusters on bare metal

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682, and CVE-2021-29258) that could allow an attacker to crash Envoy.

For more information, see the GCP-2021-004 security bulletin.

Cloud Logging

The Logs Explorer Histogram offers new time controls, including zooming and scrolling, to give you more in-depth analysis of your logs data. For details, see Analyzing logs using time controls.

Google Kubernetes Engine

You can now enable and configure OS Login for private GKE clusters and nodes. This feature is enabled for private GKE clusters running node pool versions 1.20.5 or later.

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682, and CVE-2021-29258) that could allow an attacker to crash Envoy.

For more information, see the GCP-2021-004 security bulletin.

May 05, 2021

AI Platform Deep Learning Containers

M68 Release

  • Upgraded R containers from 3.6 to 4.0.
  • Added xai-tabular-widget onto all TensorFlow containers.
  • Miscellaneous bug fixes and updates.

AI Platform Deep Learning VM Image

M68 Release

  • Upgraded R Images from 3.6 to 4.0.
  • Added xai-tabular-widget onto all TensorFlow images.
  • Miscellaneous bug fixes and updates.

Anthos clusters on VMware

Anthos clusters on VMware 1.7.1-gke.4 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.1-gke.4 runs on Kubernetes 1.19.7-gke.2400.

The supported versions that offer the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.7, 1.6, and 1.5.

If you upgrade the admin cluster before you upgrade the associated user clusters within the same minor version, such as from 1.7.0 to 1.7.1, the user control-planes will be upgraded together with the admin cluster. This applies even if you use the flag --force-upgrade-admin. This behavior, in versions 1.7.0 and later, is different from versions 1.6 and earlier, and is expected behavior.

Fixes:

  • Fixed a bug, so that the hardware version of a virtual machine is determined based on the ESXi host apiVersion instead of the host version. When host ESXi apiVersion is at least 6.7U2, VMs with version vmx-15 are created. Also, the CSI preflight checks validate the ESXi host API version instead of the host version.

  • Fixed a bug, so that if vSphereCSIDisabled is set to true, Container Storage Interface (CSI) preflight checks do not run when you execute commands such as gkectl check-config or create loadbalancer or create cluster.

  • Fixed CVE-2021-3444, CVE-2021-3449, CVE-2021-3450, CVE-2021-3492, CVE-2021-3493, and CVE-2021-29154 on the Ubuntu operating system used by the admin workstation, cluster nodes, and Seesaw.

  • Fixed a bug where attempting to install or upgrade GKE on-prem 1.7.0 failed with an "/STSService/ 400 Bad Request" when the vCenter is installed with the external platform services controller. Installations where the vCenter server is a single appliance are not affected. Note that VMware deprecated the external platform services controller in 2018.

  • Fixed a bug where auto repair failed to trigger for unhealthy nodes if the cluster-health-controller was restarted while a previously issued repair was in progress.

  • Fixed a bug so that the command gkectl diagnose snapshot output includes the list of containers and the containerd daemon log on Container-Optimized OS (COS) nodes.

  • Fixed a bug that caused gkectl update admin to generate an InternalFields diff unexpectedly.

  • Fixed an issue where the stackdriver-log-forwarder pod was sometimes in a crash loop because of a fluent-bit segfault.

Cloud Data Fusion

There is an issue in the BigQuery sink plugin version 0.17.0, which causes data pipelines to fail or give incorrect results. This issue is resolved in BigQuery sink plugin version 0.17.1. For more information, see the Cloud Data Fusion Troubleshooting page.

Cloud Monitoring

Cloud Monitoring has added new ways to interact with charts. You can now select a range of lines displayed on a chart, shift the time axis by using your pointer, and use new controls to expand the chart around a specific point in time. Charts displaying distribution data include 50th, 95th, and 99th percentile lines as an optional overlay. For more information, see Exploring charted data.

SAP on Google Cloud

Updated SAP HANA certification of the 6 TB m2-megamem-416 machine type

For OLAP workloads, the SAP certification of the Compute Engine 6 TB m2-megamem-416 machine type now includes:

  • Scale-out configurations up to 16 nodes.
  • Compute Engine persistent disks for storage in scale-up or scale-out configurations.

For more information, see Certified Compute Engine VMs for SAP HANA.

Security Command Center

Security Command Center Premium has launched Continuous Exports for Pub/Sub in general availability. The feature simplifies the process of creating a NotificationConfig and automates the export of new findings to Pub/Sub.

You must be a Security Command Center Premium customer to use the feature. Security Command Center Standard continues to support one-time exports. To subscribe to Security Command Center Premium, contact your sales representative or fill out our inquiry form.

Security Health Analytics, a built-in service of Security Command Center, has launched a new detector, PUBSUB_CMEK_DISABLED, in general availability. The detector, available to Security Command Center Premium customers, identifies Pub/Sub topics that are not encrypted with customer-managed encryption keys (CMEK). For more information, see the PUBSUB_SCANNER table in Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center, has launched a new detector in general availability. Discovery: Service Account Self-Investigation detects when a service account credential is used to investigate the roles associated with that same service account. For more information on detectors, see Event Threat Detection conceptual overview.

Documentation

May 04, 2021

Cloud Healthcare API

The defaultSearchHandlingStrict field in the projects.locations.datasets.fhirStores.FhirStore resource is now available in the v1 version of the Cloud Healthcare API.

Cloud Load Balancing

Zonal NEGs (with GCE_VM_IP network endpoints) can now be used as backends for internal TCP/UDP load balancers. For more information on this type of zonal NEG, see Zonal NEGs overview. For instructions on how to set up an internal TCP/UDP load balancer with a zonal NEG backend, see Setting up Internal TCP/UDP Load Balancing with zonal NEGs.

This feature is in General Availability.

Cloud Monitoring

The Query Editor for Monitoring Query Language (MQL) has been reimplemented. In addition to autocompletion and error detection, it now supports code folding and a find-and-replace capability. For more information, see Using the Query Editor.

Cloud Run for Anthos

Starting in Cloud Run for Anthos versions 0.21 and later, the new default progress deadline for deployments is up to 10 minutes. For example, it can take 10 minutes before a bad revision reaches a failed state. To specify a different deadline, see Configuring progress deadlines.

Config Connector

Config Connector version 1.49.1 is now available.

Miscellaneous bug fixes.

Google Kubernetes Engine

(2021-R15) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

  • Version 1.18.17-gke.100 is now the default version.
  • Version 1.17.17-gke.7200 is now available.
  • The following versions are no longer available:
    • 1.16.15-gke.12500
    • 1.16.15-gke.14800
    • 1.17.17-gke.1101
    • 1.17.17-gke.1500
    • 1.17.17-gke.2800
    • 1.17.17-gke.3000
  • The following control planes and nodes with auto-upgrade enabled will be upgraded with this release:

Stable channel

  • Version 1.18.17-gke.100 is now the default version in the Stable channel.
  • Version 1.17.17-gke.5400 is now available in the Stable channel.
  • The following versions are no longer available in the Stable channel:
    • 1.17.17-gke.3700
    • 1.18.16-gke.2100
  • The following control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded with this release:

Regular channel

  • Version 1.18.17-gke.100 is now the default version in the Regular channel.
  • The following versions are now available in the Regular channel:
  • Version 1.18.16-gke.2100 is no longer available in the Regular channel.
  • The following control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded with this release:

Rapid channel

  • Version 1.19.9-gke.1900 is now the default version in the Rapid channel.
  • Version 1.19.9-gke.1400 is no longer available in the Rapid channel.
  • The following control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded with this release:

Video Intelligence API

The following features are available in the Video Intelligence API version v1:

Face detection: Locate faces within a video, and identify attributes such as glasses being worn. Learn more

Person detection: Locate people in a video, and identify attributes and 2D landmarks. Learn more

This GA launch brings significant quality improvement to both features.

May 03, 2021

AI Platform (Unified) Artifact Registry

Artifact Registry now supports audit logging for container images in Cloud Audit Logs.

Cloud Bigtable

The ability to restore from a Cloud Bigtable backup to a different instance is now generally available. This feature enhancement lets you use backups for a wider variety of use cases.

Cloud Logging

You can now add custom fields in the Logs Explorer to better analyze logs and refine your queries. For more information, see Adding fields to Log fields pane.

Cloud Monitoring

The Inventory tab on the Cloud Monitoring VM Instances dashboard now offers the ability to filter and sort the instance table by any combination of columns. In addition, new health scorecards report a variety of metrics and statistics related to the health and status of your VMs and agents.

Cloud Run

By default, the memory allocated to each container instance of a new service is 512MiB. The new default applies to new services. Existing services retain their allocated memory.

You can now use Identity-Aware Proxy with Cloud Run to use identity and context to guard access to your applications. (Available in public preview.)

Compute Engine

Generally available: Create virtual machines for high performance computing (HPC) workloads using the HPC VM image.

Google Kubernetes Engine

The kubelet graceful node shutdown feature is now enabled on preemptible and GPU accelerator nodes running versions 1.20.5-gke.500 or later.

April 30, 2021

Anthos GKE on AWS

Anthos clusters on AWS 1.7.1-gke.1 is now available.

Anthos clusters on AWS 1.7.1-gke.1 clusters run the following Kubernetes versions:

  • 1.16.15-gke.17300
  • 1.17.17-gke.7000
  • 1.18.18-gke.300
  • 1.19.9-gke.900

The Anthos clusters on AWS 1.7.1-gke.1 patch release addresses the following security vulnerabilities:

Anthos clusters on bare metal

Anthos clusters on bare metal release 1.7.1 is now available. To upgrade, see Upgrading Anthos clusters on bare metal. Anthos clusters on bare metal 1.7.1 runs on Kubernetes 1.19.

Functionality changes:

  • Customers can now take cluster snapshots regardless of whether the admin cluster control plane is running. This is helpful for diagnosing installation issues.
  • Deploying Anthos clusters on bare metal with SELinux is now fully supported on supported versions of Red Hat Enterprise Linux. This applies to new installations of Anthos clusters on bare metal only.
  • User cluster creation with bmctl supports credential inheritance from the admin cluster by default. Credential overrides for the user cluster can be specified in the config file during cluster creation.

Fixes:

  • Fixed potential stuck upgrade from 1.6.x to 1.7.0. The bug was caused by a rare race condition when the coredns configmap failed to be backed up and restored during the upgrade.
  • Fixed potential missing GKE connect agent during installation due to a rare race condition.
  • Fixed issue that prevented automatic updates to the control plane load balancer config when adding/removing node(s) from the control plane node pool.
  • Addressed problem with syncing NodePool taints and labels that resulted in deletion of pre-existing items. Syncs will now append, update, or delete items that are added by taints and labels themselves only.
  • (Updated May 06, 2021) Fixed CVE-2021-25735 that could allow node updates to bypass a Validating Admission Webhook. For more details, see the GCP-2021-003 security bulletin.

Known issues:

  • Upgrading the container runtime from containerd to Docker will fail in Anthos clusters on bare metal release 1.7.1. This operation is not supported while the containerd runtime option is in preview.
  • The bmctl snapshot command fails when the user creates a custom cluster namespace that omits the cluster- prefix from the cluster config file. To avoid this issue, the cluster namespace should follow the cluster-$CLUSTER_NAME naming convention.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Assured Workloads for Government

Assured Workloads now provides support for CJIS and FedRAMP High, and a more streamlined provisioning experience for some compliance regimes. For more information, see the Assured Workloads documentation.

BigQuery

BigQuery now supports the following data definition language (DDL) statements:

This feature is in GA.

Cloud SQL for SQL Server

The following version upgrade applies to Cloud SQL for SQL Server:

  • SQL Server 2017 is upgraded from 14.0.3257.3 to 14.0.3370.1

If you use maintenance windows, the new version will be available after your maintenance update. For information about maintenance windows, and to manage maintenance updates, see Finding and setting maintenance windows.

Config Connector

Config Connector version 1.49.0 is now available.

Hierarchical reference field is optional for BigQueryDataset, ComputeDisk, Folder, and Project (Fixes a follow-up issue in #349).

April 29, 2021

Binary Authorization

Binary Authorization now supports Continuous Validation. See Continuous Validation documentation.

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.16.3-airflow-1.10.15
  • composer-1.16.3-airflow-1.10.14 (default)
  • composer-1.16.3-airflow-1.10.12

When Airflow configuration is updated, an erroneous log message about a web server update failure no longer appears in logs.

Fixed problems with execution date in environment health monitoring when Airflow uses a custom time zone.

Cloud Composer versions 1.8.3 to 1.10.2 have reached their end of full support period.

Compute Engine

Preview: With the introduction of OS inventory management v2.0, you can now query the OS Config API to get inventory and vulnerability report data for your VMs in a specific zone. For more information, see OS inventory management.

You can now create extreme persistent disks in certain regions. With consistently high performance for both random access workloads and bulk throughput, extreme persistent disks are designed for high-end database workloads.

For more information, see Extreme persistent disks.

Google Kubernetes Engine

For GKE clusters with Windows Server nodes, node names are now limited to 15 characters to allow for Active Directory joining.

Fixes for the following GKE Autopilot clusters issues are rolling out to the Rapid release channel:

  • Pods with a priority lower than -10 would not trigger scale up.
  • Pod anti-affinity might cause overscaling.

April 28, 2021

Cloud Load Balancing

Internal TCP/UDP Load Balancing now supports session affinity for the UDP protocol. This feature is available in General Availability.

Compute Engine

C2 machines are available in the following regions and zones:

  • Osaka asia-northeast2-a

See VM instance pricing for details.

April 27, 2021

AI Platform (Unified)

Vizier is now available in preview. Vizier is a feature of AI Platform (Unified) that you can use to perform black-box optimization. You can use Vizier to tune hyperparameters or optimize any evaluable system.

Access Approval

Google Kubernetes Engine is supported by Access Approval in Preview stage.

Cloud Spanner is supported by Access Approval in GA stage.

App Engine standard environment Go

Automatic scaling elements min_instances and min_idle_instances will now only apply to versions of a service that have been configured to receive traffic. This change is to reduce unexpected billing due to instances running old versions that are not intended to receive traffic.

App Engine standard environment Java

Automatic scaling elements min_instances and min_idle_instances will now only apply to versions of a service that have been configured to receive traffic. This change is to reduce unexpected billing due to instances running old versions that are not intended to receive traffic.

App Engine standard environment Node.js

Automatic scaling elements min_instances and min_idle_instances will now only apply to versions of a service that have been configured to receive traffic. This change is to reduce unexpected billing due to instances running old versions that are not intended to receive traffic.

App Engine standard environment PHP

Automatic scaling elements min_instances and min_idle_instances will now only apply to versions of a service that have been configured to receive traffic. This change is to reduce unexpected billing due to instances running old versions that are not intended to receive traffic.

App Engine standard environment Python

Automatic scaling elements min_instances and min_idle_instances will now only apply to versions of a service that have been configured to receive traffic. This change is to reduce unexpected billing due to instances running old versions that are not intended to receive traffic.

App Engine standard environment Ruby

Automatic scaling elements min_instances and min_idle_instances will now only apply to versions of a service that have been configured to receive traffic. This change is to reduce unexpected billing due to instances running old versions that are not intended to receive traffic.

Channel Services

The create, delete, get, list, and patch Customer APIs can now use an alternate parent binding to specify the customer's Channel Partner. The returned resource name follows the format accounts/*/customers/* regardless of the parent binding.

Added LICENSE_CAP_CHANGED to the list of EntitlementEvent.Type.ENUM_VALUES to deliver notifications for a new Pub/Sub event type.

Cloud Build

Webhook triggers are now generally available. Learn more about using webhook triggers to build repos hosted on GitLab, Bitbucket Cloud, and Bitbucket Server.

Users can now run manual triggers on a schedule. For more information, see Scheduling builds.

Cloud Logging

You can now install the Cloud Logging agent, Cloud Monitoring agent, and Ops Agent on VMs running OpenSUSE Leap versions 15, 15.1, and 15.2.

Cloud Monitoring

You can now install the Cloud Logging agent, Cloud Monitoring agent, and Ops Agent on VMs running OpenSUSE Leap versions 15, 15.1, and 15.2.

Cloud Storage

You can now compose objects using source objects that were encrypted with Cloud KMS keys.

Compute Engine

N2D machines are available in the following regions and zones:

  • Osaka asia-northeast2-c
  • Montréal northamerica-northeast1-a,c
  • Finland europe-north1-a,b,c

See VM instance pricing for details.

Config Connector

Config Connector version 1.48.0 is now available.

ComputeDisk added support for projectRef

Added go-clients for GKEHubMembership and CloudIdentityGroup

Google Kubernetes Engine

(2021-R14) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

  • Version 1.17.17-gke.4900 is now available in the Stable channel.
  • Version 1.18.17-gke.100 is now available in the Stable channel.
  • Version 1.18.16-gke.302 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.16-gke.2100 with this release.

Regular channel

  • Version 1.18.16-gke.2100 is now the default version in the Regular channel.
  • Version 1.18.17-gke.100 is now available in the Regular channel.
  • Version 1.18.16-gke.502 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.17 to version 1.18.16-gke.2100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.2100 with this release.

Rapid channel

  • Version 1.19.9-gke.1400 is now the default version in the Rapid channel.
  • Version 1.19.9-gke.1900 is now available in the Rapid channel.
  • Version 1.20.5-gke.2000 is now available in the Rapid channel.
  • Version 1.19.9-gke.700 is no longer available in the Rapid channel.
  • Version 1.20.5-gke.1300 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.9-gke.1400 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.9-gke.1400 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.2000 with this release.

Multi-Instance GPU on GKE is available in Preview.

April 26, 2021

Cloud Run for Anthos

Cloud Run for Anthos on Google Cloud version 0.21.0-gke.0 is now available for the following GKE minor versions:

  • 1.19
  • 1.20
  • 1.21

Events for Cloud Run for Anthos version 0.20.0-gke.108 is now available for the following GKE minor versions:

  • 1.19
  • 1.20
  • 1.21

Cloud Translation

Document Translation for Cloud Translation - Advanced (v3) is now available in Preview. Document Translation supports the DOCX, PPTX, XLSX, and PDF file formats. For more information, see Translate documents.

Dialogflow

Preview launch of the following languages in Dialogflow ES:

  • Bengali
  • Filipino
  • Finnish
  • Malay
  • Marathi
  • Romanian
  • Sinhala
  • Tamil
  • Telugu
  • Vietnamese

April 23, 2021

Cloud Healthcare API

The reference patterns document provides sample code and technical reference guides for common Cloud Healthcare API use cases.

Cloud SQL for PostgreSQL

The following PostgreSQL minor versions are now available. If you use maintenance windows, you might not yet have the minor version. In this case, you will see the new minor version once your maintenance update occurs. To find your maintenance window or manage maintenance updates, see Finding and setting maintenance windows.

  • 9.6.20 is upgraded to 9.6.21.
  • 10.15 is upgraded to 10.16.
  • 11.10 is upgraded to 11.11.
  • 12.5 is upgraded to 12.6.
  • 13.1 is upgraded to 13.2.

For more information about the content of these minor versions, please see the PostgreSQL release notes.

Config Connector

Config Connector version 1.47.0 is now available.

Added support for CloudIdentityGroup and GKEHubMembership

Added resourceID support for Project resource

Fixed the issue of acquiring ComputeBackendService with iap configuration (GitHub #304)

Dataproc

Announcing Dataproc Confidential Compute: Dataproc clusters now support Compute Engine Confidential VMs.

New sub-minor versions of Dataproc images: 1.3.89-debian10, 1.3.89-ubuntu18, 1.4.60-debian10, 1.4.60-ubuntu18, 1.5.35-centos8, 1.5.35-debian10, 1.5.35-ubuntu18, 2.0.9-centos8, 2.0.9-debian10, and 2.0.9-ubuntu18.

Image 1.4

Image 1.5

  • CentOS only: adoptopenjdk is set as the default Java environment.

Image 1.5 and 2.0

  • Updated Oozie version to 5.2.1
  • The Jupyter optional component now uses the "GCS" subdirectory as the initial working directory when you open the JupyterLab UI.

April 22, 2021

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.16.2-airflow-1.10.15
  • composer-1.16.2-airflow-1.10.14 (default)
  • composer-1.16.2-airflow-1.10.12

Airflow 1.10.10 is no longer included in Cloud Composer images.

When a GKE authorization error occurs during an environment operation, the GKE error message is reported and the operation fails immediately.

When an environment operation fails during the installation of PyPI packages, error messages generated by pip are now correctly reported.

When Airflow uses a non-UTC time zone, manually triggered DAGs are now executed at the correct times. The monitoring panel displays the correct environment health status.

A deprecation message is now displayed for the xcom_push argument of KubernetesPodOperator.

Cloud Scheduler

The Cloud Scheduler Console UI now has support for three additional options:

  • Headers for HTTP and App Engine targets
  • Message attributes for Pub/Sub targets
  • Retry config for all targets

Kf

Allow long-running source uploads.

Traffic Director

Fixed an issue that caused unexpected behavior when handling malformed HTTP requests.

VPC Service Controls

General Availability release of Ingress and egress rules for VPC Service Controls.

April 21, 2021

BigQuery

BigQuery supports changing an existing non-clustered table to a clustered table and vice versa. You can also update the set of clustered columns of a clustered table. This feature was first documented in October 2020 but was not included in a release note. For more information, see Modifying clustering specification.

Cloud Logging

You can now provision and manage the Cloud Logging agent on Windows using Ansible. For more information, refer to the Ansible Role for Cloud Ops documentation.

Google Kubernetes Engine

See GKE release schedule for information on the current versions rollout and support schedule. See Versioning for details on the GKE version support and life cycle.

April 20, 2021

Anthos GKE on AWS

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. For more details, see the GCP-2021-003 security bulletin.

Anthos Service Mesh

1.9.3-asm.2, 1.8.5-asm.2, 1.7.8-asm.1, and 1.6.14-asm.2 are now available.

Fixes the security issue, ISTIO-SECURITY-2021-003, with the same fixes as Istio 1.9.3. These fixes were also backported to the specified Anthos Service Mesh versions.

This release updates the envoy versions for the following Anthos Service Mesh versions:

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a generally available (GA) feature.

Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a public preview feature.

Anthos clusters on VMware

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. For more details, see the GCP-2021-003 security bulletin.

Anthos clusters on bare metal

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. For more details, see the GCP-2021-003 security bulletin.

App Engine standard environment Go

Build environment variables support is now available in preview.

App Engine standard environment Java

Build environment variables support is now available in preview.

App Engine standard environment Node.js

Build environment variables support is now available in preview.

App Engine standard environment PHP

Build environment variables support is now available in preview.

App Engine standard environment Python

Build environment variables support is now available in preview.

App Engine standard environment Ruby

Build environment variables support is now available in preview.

Cloud Healthcare API

Resource indexing will now complete before the service sends asynchronous notifications such as Pub/Sub notifications. This ensures that services receiving notifications through Pub/Sub can assume that the resource is searchable when the notification is received.

Dialogflow

Preview launch of Change history and Auto sync in Dialogflow CX.

Google Kubernetes Engine

(2021-R13) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

  • Version 1.17.17-gke.3700 is now the default version in the Stable channel.
  • Version 1.18.16-gke.2100 is now available in the Stable channel.
  • Version 1.17.17-gke.3000 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.16 to version 1.17.17-gke.3700 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.17.17-gke.3700 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Regular channel

  • Version 1.18.16-gke.2100 is now available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to version 1.19.8-gke.1600 with this release.

Rapid channel

  • Version 1.19.9-gke.700 is now the default version in the Rapid channel.
  • Version 1.19.9-gke.1400 is now available in the Rapid channel.
  • Version 1.20.5-gke.1300 is now available in the Rapid channel.
  • Version 1.19.9-gke.100 is no longer available in the Rapid channel.
  • Version 1.20.5-gke.800 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.9-gke.700 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.9-gke.700 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.1300 with this release.

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. For more details, see the GCP-2021-003 security bulletin.

Istio on Google Kubernetes Engine

1.6.14-gke.1 is now available.

Fixes the security issue, ISTIO-SECURITY-2021-003, with the same fixes as Istio 1.9.3. These fixes were also backported to the specified Istio on Google Kubernetes Engine versions.

April 19, 2021

AI Platform Deep Learning Containers

M67 Release

  • Added Horovod to TensorFlow GPU containers.
  • Regular package refreshment and bug fixes.

AI Platform Deep Learning VM Image

M67 Release

  • GPU support added for Beam Notebooks.
  • Added Horovod to TensorFlow GPU Deep Learning VMs.
  • Regular package refreshment and bug fixes.

API Keys API

API Keys API in Preview.

BigQuery ML

BigQuery ML is introducing new ARIMA_PLUS models and deprecating the ARIMA model type. While the underlying modeling technique has not changed, the following improvements are now available in ARIMA_PLUS:

Cloud Billing

Budget API now supports configurable budget time periods, beyond monthly budgets

Using the Cloud Billing Budget API to manage your budgets, you can now specify the time period of the budget. Prior to this update, you could only configure a budget to monitor costs incurred during a calendar month. Using the usage_period filter that is available in the Cloud Billing Budget API, you can configure the budget time period to a CalendarPeriod or a CustomPeriod, allowing you to create budgets to monitor time frames beyond the default calendar month, such as a quarter, a year, or a custom date range that you specify.

At this time, budgets configured with a non-monthly time period can only be viewed and managed using the Cloud Billing Budget API. Non-monthly budgets are not yet visible in the Budgets page in the Cloud Console.

For more information on using the Cloud Billing Budget API, see Get started with the Cloud Billing Budget API.

Cloud Functions

Cloud Functions has added support for a new runtime, PHP 7.4, in Preview.

Cloud Functions now supports the following runtimes at the General Availability release level:

Cloud Monitoring

Cloud Monitoring Workspaces are changing. Over the next few weeks, new capabilities are being deployed:

  • A Cloud Monitoring Workspace will be created automatically for a Google Cloud project. This change replaces the manual creation process.
  • The restriction that you can view the metrics for a project from only one Workspace is being eliminated. You'll be able to view the metrics for a project from multiple Workspaces.
  • Navigation to a Workspace that manages metrics from multiple projects is changing. For information on this change, see Navigating to a Workspace.

Cloud Trace

Cloud Trace announces that the OpenTelemetry library for Python is now generally available. For information about configuring your Python application to use OpenTelemetry, see Python and OpenTelemetry.

Compute Engine

N2 VMs are now available in the following regions and zones:

  • Mumbai asia-south1-a,b
  • Jakarta asia-southeast2-a,b,c

See VM instance pricing for details.

Dialogflow

Dialogflow CX now supports the us-west1 (US, Oregon) region.

Google Kubernetes Engine

Due to GKE Autopilot restrictions on the kubelet API surface, the Datadog Agent is not operating correctly on Autopilot mode clusters.

Network Intelligence Center

Network Topology is Generally Available.

Resource Manager

The Resource Manager v3 API has been released into general availability. For more information, see the API reference documentation.

SAP on Google Cloud

File sharing options for SAP on Google Cloud: New guidance has been published to help you determine the best file sharing option for your SAP deployments on Google Cloud.

For more information, see File sharing solutions for SAP on Google Cloud.

April 16, 2021

AI Platform Prediction

Runtime version 2.4 is now available. You can use runtime version 2.4 to serve online predictions with TensorFlow 2.4.1, scikit-learn 0.24.0, or XGBoost 1.3.1. Runtime version 2.4 does not support batch prediction.

See the full list of updated dependencies in runtime version 2.4.

Cloud Monitoring

The Cloud Operations for GKE monitoring dashboard now allows you to manage and display service-level objectives (SLOs) that you define for your applications. For more information, see the Managing SLOs section of the Observing your GKE clusters guide.

Compute Engine

N2D machines are available in the following regions and zones:

  • Montréal northamerica-northeast1-b
  • Osaka asia-northeast2-a,b

See VM instance pricing for pricing details.

Config Connector

Config Connector version 1.46.0 is now available.

cnrm-resource-stats-recorder container now binds to hostPort 48797 rather than 8888 (fixes GitHub issue #449)

Go Client now uses a pointer type or allows for a built-in nil value for spec fields that are optional. (fixes GitHub issue #426)

BigQueryDataset adds support for projectRef.

ContainerCluster supports enableAutopilot, enableL4IlbSubsetting, and privateIpv6GoogleAccess.

ContainerNodePool supports disabling autoscaling by setting min and max node counts to 0 (fixes GitHub issue #437)

SecretManagerSecretVersion now requires the secretData field.

Added observedGeneration field to status for resources, enabling compatibility with kstatus (fixes GitHub issue #410)

Dataproc

Added the ability to stop and start high-availability clusters.

Fixed a bug where scale-down update cluster requests failed due to quota validation if the user project was over a quota limit.

Dialogflow

Preview launch of the Dialogflow CX Phone Gateway integration.

April 15, 2021

AI Platform (Unified)

The Python client library for AI Platform (Unified) is now called the AI Platform (Unified) SDK. With the release of version 0.7 (Preview), the AI Platform (Unified) SDK provides two levels of support. The high-level aiplatform library is designed to simplify common data science workflows by using wrapper classes and opinionated defaults. The lower-level aiplatform.gapic library remains available for those times when you need more flexibility or control. Learn more.

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.16.1-airflow-1.10.15
  • composer-1.16.1-airflow-1.10.14 (default)
  • composer-1.16.1-airflow-1.10.12
  • composer-1.16.1-airflow-1.10.10

If an environment's service account does not have required permissions for a requested operation, Cloud Composer generates an actionable error message. The operation fails faster in this case.

Fixed a bug that caused environment update and upgrade operations to fail with errors related to GKE cluster endpoints, instead of the actual root cause. This problem affected environments with installed custom PyPI packages.

Cloud Monitoring

Compute Engine's Instance Groups Monitoring tab now includes charts for your managed instance groups. Charted metrics include group size, CPU utilization, disk I/O, and more. You can select the time window for the charts and view the corresponding logs from the integrated logs viewer panel. You can also use the links on each chart to create alerting policies or to analyze the data in Metrics Explorer.

The Cloud Operations for GKE monitoring dashboard now includes a column called Error logs that displays the number of error logs associated with an entity based on the selected time range. You can also select which columns to display in the tables. For more information, see the Configuring the dashboard tables section of the Observing your GKE clusters guide.

Compute Engine

You can now see additional metrics for your managed instance groups from the Instance Groups Monitoring tab. Metrics include: group size, CPU utilization, disk I/O, and more. Use the time range picker to select the time window for the charts and view the corresponding logs from the integrated logs viewer panel. Follow the links on each chart to create alerts or to analyze the details in the Cloud Operations Metrics Explorer.

Dataproc Metastore

The asynchronous workflow logs now have labels that appear in Cloud Logging.

You no longer need to manually override metastore.expression.proxy to use PartitionProxyForMetastore in Hive 3.1.2.

Memorystore for Redis

Added new Memorystore for Redis region: Warsaw (europe-central2).

SAP on Google Cloud

SAP HANA high-availability configurations on Red Hat: If you configured a RHEL HA cluster for SAP HANA before April 15, 2021 by following the Google Cloud documentation, you need to modify the location constraints of your cluster fencing devices to avoid possible race conditions during failovers.

To see the updated documentation to correct the issue, see Set up fencing, step 1.b.

April 14, 2021

App Engine standard environment Go

Serverless VPC Access support for Shared VPC is now generally available.

App Engine standard environment Java

Serverless VPC Access support for Shared VPC is now generally available.

App Engine standard environment Node.js

Serverless VPC Access support for Shared VPC is now generally available.

App Engine standard environment PHP

Serverless VPC Access support for Shared VPC is now generally available.

App Engine standard environment Python

Serverless VPC Access support for Shared VPC is now generally available.

App Engine standard environment Ruby

Serverless VPC Access support for Shared VPC is now generally available.

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud AI Platform (Unified)
    • aiplatform.googleapis.com/BatchPredictionJob
    • aiplatform.googleapis.com/CustomJob
    • aiplatform.googleapis.com/DataLabelingJob
    • aiplatform.googleapis.com/Dataset
    • aiplatform.googleapis.com/Endpoint
    • aiplatform.googleapis.com/HyperparameterTuningJob
    • aiplatform.googleapis.com/Model
    • aiplatform.googleapis.com/SpecialistPool
    • aiplatform.googleapis.com/TrainingPipeline

Cloud Run

Cloud Run is now available in europe-central2 (Warsaw)

Dialogflow

The "Auto-preview changes" option was removed from the Dialogflow ES Google Assistant integration.

Google Cloud Armor

Managed Protection Plus subscribers are also eligible to receive reactive or proactive DDoS response support from Google's DDoS mitigation experts to help triage and mitigate ongoing attacks, as well as DDoS bill protection, which provides credits for some bill spikes caused by increased GCP usage as a result of being targeted by a DDoS attack.

For more information, see the public docs.

Google Kubernetes Engine

(2021-R12) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

  • Version 1.17.17-gke.3000 is now the default version in the Stable channel.
  • Version 1.17.17-gke.3700 is now available in the Stable channel.
  • Version 1.17.17-gke.2800 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.16 to version 1.17.17-gke.3000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.17.17-gke.3000 with this release.

Regular channel

  • Version 1.19.8-gke.1600 is now available in the Regular channel.
  • Version 1.18.16-gke.302 is no longer available in the Regular channel.

Rapid channel

  • Version 1.19.9-gke.100 is now the default version in the Rapid channel.
  • Version 1.19.9-gke.700 is now available in the Rapid channel.
  • Version 1.20.5-gke.800 is now available in the Rapid channel.
  • Version 1.19.8-gke.2000 is no longer available in the Rapid channel.
  • Version 1.20.5-gke.101 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.9-gke.100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.9-gke.100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.800 with this release.

1.19 GA

GKE version 1.19 is now generally available (GA).

Before upgrading to 1.19, read the Kubernetes 1.19 Release Notes, especially the Urgent upgrade notes.

See below for notable changes and features in version 1.19.

The basic authentication method is no longer available starting with Kubernetes version 1.19. GKE clusters also no longer support basic authentication as they gradually upgrade to Kubernetes version 1.19. Basic authentication has been disabled by default for new GKE clusters since GKE version 1.12 and its usage has been discouraged in the Hardening your cluster's security guide. Migrate away from basic authentication before your cluster control planes are upgraded to Kubernetes version 1.19 to ensure your API clients can continue accessing the API server. To learn more about recommended authentication methods in GKE, see Authenticating to the Kubernetes API Server.

Admission webhooks and custom resource conversion webhooks must use serving certificates that contain the server name in a subjectAltName extension. Server names in the certificate CommonName will not be honored in future versions.

kube-proxy now uses EndpointSlices by default.

With the release of GKE node version 1.19, the Container-Optimized OS with Docker (cos) variant is deprecated. Please migrate to the Container-Optimized OS with Containerd (cos_containerd) variant, which is now the default GKE node image. For instructions, see Containerd images.

Seccomp General Availability (GA)

Seccomp (secure computing mode) support for Kubernetes has graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or individual containers.

A new seccompProfile field is added to Pod and Container securityContext objects, starting in Kubernetes version 1.19.

securityContext:
  seccompProfile:
    # "Unconfined", "RuntimeDefault", or "Localhost"
    type: Localhost
    # only necessary if type == Localhost
    localhostProfile: my-profiles/profile-allow.json

The alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io/... are deprecated in favor of the GA API field. The alpha annotations will not be honored in Kubernetes versions 1.22 and later.

Prepare for transition

If you are currently using Seccomp annotations on Pods or Containers, you should identify and transition workloads using the annotations to set the API fields before version 1.21 is released on GKE (approximately in June 2021). No change on PodSecurityPolicy is required, as it supports both annotation and field seccomp profiles. You can perform the following recommended steps:

Locate Seccomp annotation usages

In your Kubernetes manifest files, search for "seccomp.security.alpha.kubernetes.io/pod" and "container.seccomp.security.alpha.kubernetes.io/".

Add or update securityContext fields

Based on your annotation usage, add or update (if securityContext already exists) the securityContext field in the Pod or Container spec. The annotations can be left in place, but must match the securityContext API field.

Current annotation usage and the securityContext to add or update:

  • seccomp.security.alpha.kubernetes.io/pod: In the Pod's securityContext, add the seccompProfile field.
  • container.seccomp.security.alpha.kubernetes.io/container-name: In the container-name container's securityContext, add the seccompProfile field.

Set values for seccompProfile

The type field of seccompProfile corresponds to the annotation value, and the localhostProfile field corresponds to the path that follows localhost/ in the annotation value.

Current annotation value and the corresponding seccompProfile value:

  • unconfined

    seccompProfile:
      type: Unconfined

  • runtime/default or docker/default

    seccompProfile:
      type: RuntimeDefault

  • localhost/path/to/profile.json

    seccompProfile:
      type: Localhost
      localhostProfile: path/to/profile.json
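The annotation-to-field mapping above can be applied mechanically to a Pod manifest that has been loaded as a dictionary (for example from JSON output). The following is an added example, not Google's or the Kubernetes project's code; the function names and the sample Pod are assumptions made for illustration. It also reports the case the notes warn about, where an existing securityContext field does not match the annotation.

```python
"""Added example: derive seccompProfile fields from the alpha seccomp annotations."""
import copy
import json

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def profile_from_annotation(value):
    """Map an alpha annotation value to the equivalent seccompProfile dict."""
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value.startswith("localhost/") and len(value) > len("localhost/"):
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unrecognized seccomp annotation value: {value!r}")


def apply_profile(security_context, wanted, where, conflicts):
    """Set seccompProfile if absent; record a conflict if a different one exists."""
    existing = security_context.get("seccompProfile")
    if existing is None:
        security_context["seccompProfile"] = wanted
    elif existing != wanted:
        conflicts.append(f"{where}: field {existing} does not match annotation {wanted}")


def migrate_pod(pod):
    """Return (copy of pod with seccompProfile fields set, list of conflicts).

    Annotations are left in place, since they may remain as long as they match.
    """
    pod = copy.deepcopy(pod)
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    spec = pod.setdefault("spec", {})
    conflicts = []

    if POD_ANNOTATION in annotations:
        wanted = profile_from_annotation(annotations[POD_ANNOTATION])
        apply_profile(spec.setdefault("securityContext", {}), wanted, "pod", conflicts)

    containers = {
        c["name"]: c
        for group in ("initContainers", "containers")
        for c in spec.get(group) or []
    }
    for key, value in annotations.items():
        if not key.startswith(CONTAINER_PREFIX):
            continue
        name = key[len(CONTAINER_PREFIX):]
        if name not in containers:
            conflicts.append(f"annotation names unknown container {name!r}")
            continue
        wanted = profile_from_annotation(value)
        apply_profile(containers[name].setdefault("securityContext", {}),
                      wanted, f"container {name}", conflicts)
    return pod, conflicts


# Constructed sample Pod (not from the release notes). The "sidecar" container
# already has a field that disagrees with its annotation.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "demo",
        "annotations": {
            POD_ANNOTATION: "runtime/default",
            CONTAINER_PREFIX + "app": "localhost/my-profiles/profile-allow.json",
            CONTAINER_PREFIX + "sidecar": "unconfined",
        },
    },
    "spec": {
        "containers": [
            {"name": "app", "image": "example/app:1"},
            {"name": "sidecar", "image": "example/sidecar:1",
             "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
        ]
    },
}

if __name__ == "__main__":
    migrated, conflicts = migrate_pod(SAMPLE_POD)
    print(json.dumps(migrated["spec"], indent=2))
    for line in conflicts:
        print("CONFLICT:", line)
```

The example handles bare Pod objects only; for workload controllers the same logic would apply to the Pod template.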

The widely used Ingress API has graduated to general availability in Kubernetes 1.19. The v1beta1 Ingress API is deprecated, and will no longer be served in versions 1.22 and later. Before version 1.21, identify and transition clients and manifests using the v1beta1 Ingress API to use networking.k8s.io/v1.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the Ingress v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion=("extensions/v1beta1" OR "networking.k8s.io/v1beta1")
protoPayload.request.kind="Ingress"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 Ingress APIs to use networking.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 APIs need to be upgraded before your cluster is upgraded to GKE 1.22.

To migrate manifests to networking.k8s.io/v1, perform the following:

  1. Rename the spec.backend field (if specified) to spec.defaultBackend.
  2. Rename each backend.serviceName field to backend.service.name.
  3. Rename each numeric backend.servicePort field to backend.service.port.number.
  4. Rename each string backend.servicePort field to backend.service.port.name.
  5. Specify a pathType field for each defined path. Options are Prefix, Exact, and ImplementationSpecific. To match the undefined v1beta1 behavior, use ImplementationSpecific.

As an example, to migrate this v1beta1 manifest to v1:

Original v1beta1 manifest:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
spec:
  backend:
    serviceName: default-backend
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80

Equivalent networking.k8s.io/v1 manifest:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
spec:
  defaultBackend:
    service:
      name: default-backend
      port:
        number: 80
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 80

CertificateSigningRequest v1 API

The CertificateSigningRequest API has graduated to certificates.k8s.io/v1 in Kubernetes 1.19. The v1beta1 CertificateSigningRequest API is deprecated and will no longer be served in version 1.22 and later.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the CertificateSigningRequest v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion="certificates.k8s.io/v1beta1"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 CertificateSigningRequest API to use certificates.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 API need to be upgraded before your cluster is upgraded to GKE version 1.22.

Differences between the v1beta1 and v1 API are as follows:

  • For API clients requesting certificates:
    • spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created via the certificates.k8s.io/v1 API.
    • spec.usages is now required, may not contain duplicate values, and must only contain known usages.
  • For API clients approving or signing certificates:
    • status.conditions may not contain duplicate types.
    • status.conditions[*].status is now required.
    • status.certificate must be PEM-encoded, and must contain only CERTIFICATE blocks.

Admission webhooks and custom resource conversion webhooks using invalid serving certificates that do not contain the server name in a subjectAltName extension cannot be contacted by the Kubernetes API server in 1.19 prior to version 1.19.9-gke.400. This will be resolved in version 1.19.9-gke.400, and automatic upgrades from 1.18 to 1.19 will not begin until this issue is resolved. However, affected webhooks should work to correct their serving certificates in order to work correctly with Kubernetes version 1.22 and later.

Service API objects with more than 100 ports do not work correctly with EndpointSlices (https://issue.k8s.io/99382). This will be resolved in version 1.19.9-gke.600, and automatic upgrades from 1.18 to 1.19 will not begin until this issue is resolved.

Migrate for Compute Engine

Google Cloud Console UI

End-to-end migration experience in Google Cloud Console including: Dashboard, Source inventory, Migrations managements, VM groups, and Targets.

To access the UI:

  1. Open the Migrate for Compute Engine page in the Google Cloud Console.

  2. In the upper-right corner, select Try the new version to open the Google Cloud Console to the 5.0 UI.

Migration primitives

Migration primitives that control the VM migration journey, including:

  • Replication - Initiate replication-based migration and control the periodic replication cycle schedule.

  • Test-Clone - Test a clone of the migrating VM in Google Cloud with no disruption to the source VM, to reduce migration risk.

  • Cut-Over - Cut over to Google Cloud with minimized downtime for the migrating VM.

See VM Migration lifecycle for more.

VM groups

Group migration operations to enable you to manage and execute mass migration sprints.

See Mass migration with groups for more.

Seamless OS adaptation

Seamless OS adaptation of migrating VMs to prepare OS to run in Compute Engine (such as network settings) and deploy Compute Engine agents for seamless day 2 integrations with Compute Engine services.

See Adapting VMs to run on Google Cloud for more.

Compute Engine Targets

Migration to n Google Cloud target projects and flexible configuration of migrating VM target details (such as instance type, disk type, and network settings).

See Configuring the target for a migrated VM for more.

vSphere Source

Agentless migration of vSphere source environment utilizing Migrate Connector appliance deployed in source.

See On-premises VMware to Compute Engine migrations for more.

VM utilization reports

To help you determine the optimal settings for the Compute Engine target, Migrate for Compute Engine lets you create a source VM utilization report. This report displays information about resource allocation and utilization for the source VMs deployed on vCenter.

See Creating a source VM utilization report for more.

Virtual Private Cloud

Access to Google APIs and services using Private Service Connect is now available in General Availability.

Using non-RFC 1918 addresses for Private Service Connect endpoints results in unexpected costs due to a billing issue. To prevent this issue, avoid using non-RFC 1918 IP addresses and instead use RFC 1918 IP addresses for Private Service Connect endpoints. If you are affected by this issue, contact your account team for remediation.

April 13, 2021

Anthos Config Management

Anthos Config Management v1.7.0 included several Kubernetes library updates, one of which made checks for Resource types more strict. As a consequence, Config Sync users upgrading from an older version of Anthos Config Management may see errors in the form KNV9998: failed to encode declared fields: internal error: ....resources.limits.cpu: expected string, got &value.valueUnstructured{Value:2}. As a workaround, specify all resource declarations as strings.

App Engine flexible environment .NET

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment Go

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment Java

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment Node.js

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment PHP

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment Python

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment Ruby

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment custom runtimes

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Go

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Java

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Node.js

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment PHP

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Python

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Ruby

App Engine is now available in the europe-central2 region (Warsaw).

Cloud Monitoring

The Cloud Operations for GKE monitoring dashboard now provides a Metrics tab in the resource details panel. This tab also includes a menu option to create a new alert policy. For more information, see Observing your GKE clusters.

Cloud Spanner

Transaction statistics now include information about commit retries to help users debug performance issues caused by transaction aborts.

Compute Engine

Generally available: VM Manager integration with VPC Service Control.

Generally available: You can now configure schedule-based autoscaling for your managed instance groups. Schedule-based autoscaling lets you improve the availability of your application by scheduling capacity ahead of anticipated load.

Datastore

Support for the europe-central2 (Warsaw) region.

Dialogflow

Preview launch of the Voximplant integration for Dialogflow CX.

Preview launch of the Facebook Messenger integration for Dialogflow CX.

Preview launch of the LINE integration for Dialogflow CX.

Firestore

Support for the europe-central2 (Warsaw) region.

Traffic Director

Traffic Director now supports the Client Status Discovery Service (CSDS) API, enabling you to see which clients are connected to Traffic Director and to inspect the configuration that Traffic Director generates for its clients. For more information, see Understanding Traffic Director client status.

VPC Service Controls

General availability for the following integration:

April 12, 2021

BigQuery

The BigQuery Admin Resource Charts Preview is now available for Reservation users, enabling administrators to more easily monitor and troubleshoot their BigQuery environment. It provides visibility into key metrics such as slot consumption, job concurrency, and job execution time across the entire organization.

Cloud Functions

Cloud Functions is now available in the following region:

  • europe-central2 (Warsaw)

See Cloud Functions Locations for details.

Cloud Logging

Shared queries are now generally available (GA). To learn more, see Shared queries.

Cloud Monitoring

The dashboard save feature now displays the date and time of the last save operation. You can also disable and enable autosave. For more information, see Configuring dashboards.

The Cloud Operations for GKE monitoring dashboard now provides an Alerts tab in the resource details panel. This tab also includes a link to create a new alert policy. For more information, see Observing your GKE clusters.

Traffic Director

Traffic Director now supports TCP-based services in GA. This brings service discovery, global load balancing, failover and many other Traffic Director capabilities to your non-HTTP services. See the setup guide to get started and the target proxies documentation for helpful background information.

April 09, 2021

BigQuery

BigQuery now has better support for loading ENUM and LIST types in Parquet files.

  • ENUM logical types can be converted to STRING or BYTES.
  • Schema inference is supported for LIST logical types.

For more information, see Loading Parquet data from Cloud Storage.

Cloud Monitoring

For new alerts created through the Cloud Console, the default behavior is to send a notification only when the incident is created. For alerts created by using the API, the default behavior is to send notifications when incidents are opened and closed. For all alerts, the alert's Policy detail page displays when notifications are sent. To change this behavior, you must use the Cloud Console to edit the policy. For more information, see Managing Policies.

Document AI

Procurement DocAI General availability (GA) release

Procurement DocAI (PDAI) solution is now available in private General Availability (GA).

This includes the following processors:

Human in the Loop (HITL) support for Procurement DocAI processors

Procurement DocAI processors now support Human in the Loop (HITL) AI platform functionality supporting human revisions of predictions.

Invoice parser behavior update

The invoice parser behavior has been updated to include the following features:

  • Offers extended support for the following languages (in addition to English):
    • French
    • Dutch
    • German
    • Spanish
  • Improves supplier parsing accuracy with Knowledge Graph support.
  • Improves prediction quality (accuracy).
  • Extends the header and line item fields extracted by the parser.
  • Increased the number of pages for online processing (10 pages) and offline processing (200 pages).
  • Increased the number of documents per batch in offline processing (50 documents).

Expense parser (Receipt parser) behavior update

The expense parser behavior has been updated to include the following features:

  • Renamed Receipt parser to Expense parser.
  • Improved prediction quality.
  • Improved prediction quality for English, French, and Dutch for more expense types (for example hotel statements).

Human in the Loop (HITL) AI General Availability (GA) released

HITL AI is now available in Private General Availability (GA) for human review of Invoice, Expense, and Utility parser predictions.

Features:

  • HITL configuration enhanced to designate which fields need review and whether a field is mandatory, saving review time.
  • Labeler UI highlights the fields below a confidence score and supports single-click confirmation to improve review efficiency.
  • Labeling Manager shows analytics and metrics by task and by labeler to streamline HITL operations.

Eventarc

The Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) is now granted to the Pub/Sub service account by default.

Google Cloud VMware Engine

Added global quota limits for VMware Engine nodes so users have more flexibility in distributing resources across regions.

For details, see Quotas and limits.

Updated the display name of VMware Engine quota entries to reflect the resource type and assignment level. Quotas available to assign for VMware Engine are as follows:

  • VMware Engine standard 72 vCPUs nodes across regions
  • VMware Engine standard 72 vCPUs nodes per region

Identity and Access Management

Workload identity federation is now generally available. You can use workload identity federation to grant access to Google Cloud resources from on-premises and multi-cloud workloads.

Storage Transfer Service

Obtaining the status of the latest transfer operation is now generally available.

Text-to-Speech

Text-to-Speech now offers voices in the following new languages. See the supported voices page for a complete list of voices and audio samples.

  • es-US (Spanish, US)
  • af-ZA (Afrikaans, South Africa)
  • bg-BG (Bulgarian, Bulgaria)
  • ca-ES (Catalan, Spain)
  • is-IS (Icelandic, Iceland)
  • lv-LV (Latvian, Latvia)
  • sr-RS (Serbian, Cyrillic)

April 08, 2021

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Service Usage
    • serviceusage.googleapis.com/Service
  • Cloud Data Fusion
    • datafusion.googleapis.com/Instance

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud Document AI
    • documentai.googleapis.com/HumanReviewConfig
    • documentai.googleapis.com/LabelerPool
    • documentai.googleapis.com/Processor

Cloud Bigtable

Cloud Bigtable support for customer-managed encryption keys (CMEK) is now generally available.

Cloud Composer

Airflow 1.10.15 is available in Cloud Composer images.

New versions of Cloud Composer images:

  • composer-1.16.0-airflow-1.10.15
  • composer-1.16.0-airflow-1.10.14 (default)
  • composer-1.16.0-airflow-1.10.12
  • composer-1.16.0-airflow-1.10.10

In Airflow 1.10.14, PythonVirtualenvOperator now uses the Python version of the environment when a Python version is not specified.

Environments with already deleted GKE clusters can now be deleted as usual. Deleting such environments no longer requires a workaround.

Cloud Logging

The Google Cloud Ops Agent is now available in Preview. This agent combines logging and metrics into a single agent that is targeted toward specialized logging workloads that require higher throughput and improved resource efficiency. It supports both Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to install the Google Cloud Ops Agent via Ansible on Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to provision the Google Cloud Ops Agent via Terraform on Linux and Windows Compute Engine VMs.

Cloud Monitoring

The Google Cloud Ops Agent is now available in Preview. This agent combines logging and metrics into a single agent that is targeted toward specialized logging workloads that require higher throughput and improved resource efficiency. It supports both Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to install the Google Cloud Ops Agent via Ansible on Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to provision the Google Cloud Ops Agent via Terraform on Linux and Windows Compute Engine VMs.

Compute Engine

Generally available: Predictive autoscaling for managed instance groups lets you improve the availability of your workloads by using Machine Learning to predict future demand and create virtual machines ahead of forecasted load.

Config Connector

Config Connector version 1.45.0 is now available.

Added support for OSConfigGuestPolicy, IdentityPlatformTenant, IdentityPlatformOAuthIDPConfig and IdentityPlatformTenantOauthIDPConfig.

Added proxyBind field to ComputeTargetHTTPProxy, ComputeTargetHTTPSProxy, and ComputeTargetTCPProxy.

Added enableStreamingEngine field to DataflowJob.

Fixed issue where folderRef/organizationRef could not be defaulted from folder-id/organization-id annotations when creating Project/Folder resources with server-side apply. (More details can be found here).

Added support for a viewer cluster role so that resources can be referenced across namespaces in namespaced mode. (Issue #407)

Updated the structs' name of any field FooBar to be KindFooBar in Go Client resources. This ensures that the struct names are unique within a Go package.

Fixed the ListMeta type in Go Client (Issue #422).

April 07, 2021

BigQuery

Beginning in early Q3 2021, BigQuery Storage Read API will start charging for network egress. In addition, BigQuery Storage Read API will become available in all locations, with appropriate pricing. Another release note will be issued when these changes take effect.

Cloud CDN

Serve stale, bypassing cache, and negative caching are now Generally Available.

These features are available when configuring Cloud CDN enabled backend services and backend buckets in the Cloud Console, in addition to the gcloud SDK and REST API.

Cloud CDN now supports configuring negative caching for HTTP 302 (Found) and HTTP 307 (Temporary Redirect) status codes.

To learn how to enable negative caching for these status codes, visit the documentation.

Dialogflow

The following languages are now supported by Dialogflow CX:

  • Arabic
  • Bengali
  • Filipino
  • Finnish
  • Malay
  • Marathi
  • Romanian
  • Sinhala
  • Tamil
  • Telugu
  • Vietnamese

Identity and Access Management

You can now get recommendations for folder- and organization-level role bindings using the gcloud command-line tool and REST API. This feature is available in Preview.

Security Command Center

Security Command Center Legacy, previously known as Cloud Security Command Center, and Event Threat Detection Legacy are being permanently disabled for all customers on June 7, 2021.

If you onboarded to Security Command Center before May 2020, or Event Threat Detection before June 2020, and never upgraded to Security Command Center's Standard tier or Premium tier, you are using a legacy product.

To continue benefiting from Security Command Center and Event Threat Detection without an interruption in service, customers using legacy products must migrate their organizations to Security Command Center Standard or Premium. Event Threat Detection, a built-in service of Security Command Center, is available only in the Premium tier.

For details on upgrading legacy products, see Migrate from legacy Security Command Center products.

Text-to-Speech

Text-to-Speech now supports MULAW and ALAW audio encodings. See the AudioEncoding reference documentation for details.

April 06, 2021

Anthos GKE on AWS

Anthos clusters on AWS 1.7.0-gke.12 is now available.

Anthos clusters on AWS 1.7.0-gke.12 clusters run the following Kubernetes versions:

  • 1.16.15-gke.8100
  • 1.17.13-gke.2800
  • 1.18.12-gke.1800
  • 1.19.8-gke.1000

To upgrade your clusters, perform the following steps:

This release fixes an issue mentioned in the entry on April 2, 2021. We recommend all customers running 1.7.0-gke.11 upgrade to 1.7.0-gke.12.

BigQuery

The BigQuery Storage Write API is now in Preview. The Storage Write API is a stream-based API for ingesting data into BigQuery at low cost and high throughput. It provides exactly-once delivery semantics with real-time latency. For more information, see Using the BigQuery Storage Write API.

Cloud Bigtable

Data Access audit logging for Cloud Bigtable is now generally available.

If you previously enabled Data Access audit logs for all Google Cloud services in the Cloud Audit Logs default configuration, you might need to take additional steps to enable Data Access audit logging for Cloud Bigtable. Affected customers will see a notification at the top of the Cloud Bigtable page of the Cloud Console.

Cloud Life Sciences

Cloud Life Sciences has preview support for integrating with VPC Service Controls.

Cloud Logging

Cloud Logging now supports 22 regions in which you can create a log bucket so that you can meet compliance and audit requirements when storing your logs.

Cloud SQL for PostgreSQL

Cloud SQL for PostgreSQL now lets you use IAM database authentication with the Cloud SQL Auth proxy. The Cloud SQL Auth proxy is able to request and refresh OAuth 2.0 access tokens, ensuring that long-lived processes or applications that rely on connection pooling can have stable connections. To learn more, see Using IAM database authentication with the Cloud SQL Auth proxy.

Cloud SQL for SQL Server

Cloud SQL for SQL Server enables you to perform change data capture (CDC) operations for your Cloud SQL instances. General information about CDC in SQL Server is here.

CDC is available for the following Cloud SQL for SQL Server database versions:

  • SQL Server 2017 Standard
  • SQL Server 2017 Enterprise

After connecting to an instance, the sqlserver user can do many CDC operations. The functions include (and are not limited to) the following:

To turn on this feature for a database, run this command:

exec msdb.[dbo].[gcloudsql_cdc_enable_db] 'demo'

To turn off this feature for a database, run this command:

exec msdb.[dbo].[gcloudsql_cdc_disable_db] 'demo'

Cloud SQL for SQL Server enables you to perform common operations on a tempdb database.

After you connect to an instance, the sqlserver user can manage the tempdb files. Specifically, the user has the CONTROL permission on the tempdb database, and can do many operations, including (and not limited to) the following:

  • ALTER DATABASE [tempdb] ADD FILE
  • ALTER DATABASE [tempdb] REMOVE

Cloud Spanner

You can now track the progress of long-running index backfill operations through the gcloud command line tool, REST API, and RPC API. For more information, see Checking the progress of a secondary index backfill.

Compute Engine

N2D machines are now available in the following regions and zones:

  • us-central1-b - Iowa
  • asia-northeast1-a,b - Tokyo

See VM instance pricing for details.

Generally available: You can now use instance schedules from the Google Cloud Console.

Google Kubernetes Engine

(2021-R11) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

Regular channel

  • Version 1.18.16-gke.502 is now the default version.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.17 to version 1.18.16-gke.502 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.502 with this release.

Rapid channel

  • Version 1.19.8-gke.2000 is now the default version.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.19.8-gke.1600
    • 1.20.4-gke.2200
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.8-gke.2000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.2000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.100 with this release.

Versions no longer available

The following versions are no longer available for new clusters or upgrades:

  • Versions 1.15 and earlier.

Network Intelligence Center

Connectivity Tests now evaluates hierarchical firewall policy rules as part of its configuration analysis. For more information, see Connectivity Tests overview.

VPC Service Controls

Preview support for the following integration:

April 05, 2021

Anthos Config Management

Anthos Config Management images are no longer included in Anthos on VMware clusters. To learn more, see Changes to Anthos Config Management updates.

The ability to sync from multiple Git repositories is now a generally-available feature. To learn more, see Syncing from multiple repositories.

A memory leak in the Anthos Config Management Operator Pod that led to high memory utilization or Pod restarts due to out-of-memory errors has been corrected.

Preview versions of multi-repo occasionally used excessive CPU and sent unnecessary queries to the apiserver master node, resulting in an unhealthy cluster. This issue has been corrected.

Config Sync configured with sourceFormat: unstructured will have errors during syncing if the Git repository includes a "Repo" resource.

Config Sync configured with sourceFormat: unstructured will have errors during syncing if the Git repository specifies a ClusterSelector with an invalid metadata.name field.

Customers using Anthos Policy Controller who have upgraded since Anthos Config Management 1.5.1 need to update the timeoutSeconds in their ValidatingWebhookConfigurations from "5" to "3" to avoid issues with Kubernetes leader elections.

Dataproc

Image 2.0:

April 02, 2021

Anthos GKE on AWS

An issue has been discovered with Anthos clusters on AWS 1.7.0.

If you use an HTTP proxy, do not upgrade to 1.7.0.

If you do not use an HTTP proxy, you can upgrade to 1.7.0.

A fix for this issue is being developed.

Anthos Service Mesh

1.9.2-asm.1 is now available.

This patch release contains the same bug fixes that are in Istio 1.9.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Anthos Service Mesh user authentication is now available as a public preview feature on installations of 1.9. This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, see Configuring Anthos Service Mesh user authentication.

BigQuery

BigQuery standard SQL now supports the ALTER TABLE DROP COLUMN statement. This feature is in Preview.

The maximum length has been increased from 128 characters to 300 characters for the following BigQuery fields: table column names, column alias names, and user-defined function names.

Cloud CDN

Cloud CDN now treats HTTP responses with a valid, future date in the Expires header as cacheable, even if those responses do not have a Cache-Control: public directive.

This will allow Cloud CDN to cache additional responses and better align with HTTP standards.

Review the caching documentation for details on what content Cloud CDN considers cacheable vs. uncacheable.

Document AI

Lending DocAI General Availability (GA) released

Lending DocAI is now in General Availability. See the documentation for more information.

Lending DocAI processors added

The following Lending DocAI processors are now available:

Memorystore for Memcached

Added new Memorystore for Memcached region: Warsaw (europe-central2).

Secret Manager

Secret Manager now has a Best Practices guide.

Learn more about Secret Manager best practices.

April 01, 2021

App Engine standard environment Java

  • Updated Java SDK to version 1.9.88.
  • Upgraded to Jetty 9.4.39 to fix CVE-2021-28163, CVE-2021-28164, CVE-2021-28165.

Cloud Run

Restricting ingress on Cloud Run is now at general availability (GA).

Compute Engine

Memory-optimized machines are now available in the following regions and zones:

  • M1 ultramem (Jakarta) asia-southeast2-a,c
  • M1 ultramem (Osaka) asia-northeast2-a
  • M1 ultramem, M2 ultramem and M2 megamem (Osaka) asia-northeast2-b
  • M2 ultramem and M2 megamem (Osaka) asia-northeast2-c

See VM instance pricing for details.

Dialogflow

The legacy analytics page has been removed from the Dialogflow ES console. Only the generally available new analytics page remains.

Google Cloud VMware Engine

The Google Cloud Business Associate Agreement (BAA) now also covers Google Cloud VMware Engine. Businesses in the healthcare vertical who need HIPAA compliance can run their workloads on Google Cloud VMware Engine.

For details, see HIPAA Compliance on Google Cloud Platform.

Restructured documentation to better group content and improve workflow discoverability.

Identity and Access Management

Policy Simulator is now generally available. You can use Policy Simulator to simulate policy changes before you apply them.

March 31, 2021

AI Platform (Unified)

AI Platform (Unified) is now available in General Availability (GA).

AI Platform (Unified) has added support for the following regions for custom model training, as well as batch and online prediction for custom-trained models:

  • us-west1 (Oregon)
  • us-east1 (South Carolina)
  • us-east4 (N. Virginia)
  • northamerica-northeast1 (Montreal)
  • europe-west2 (London)
  • europe-west1 (Belgium)
  • asia-southeast1 (Singapore)
  • asia-northeast1 (Tokyo)
  • australia-southeast1 (Sydney)
  • asia-northeast3 (Seoul)

AI Platform Deep Learning Containers

M66 Release

AI Platform Deep Learning VM Image

M66 Release

  • PyTorch 1.8 support in deep learning environments (Deep Learning VM Image and Deep Learning Containers) is available.
  • Fixed scope allocator optimization issue with the TensorFlow Enterprise 2.3/2.1 MKL build.
  • Regular package refreshment and bug fixes.

Anthos GKE on AWS

Anthos clusters on AWS 1.7.0-gke.11 is now available.

This note is updated. For more information, see entry on April 2, 2021.

Anthos clusters on AWS 1.7.0-gke.11 clusters run the following Kubernetes versions:

  • 1.16.15-gke.8100
  • 1.17.13-gke.2800
  • 1.18.12-gke.1800
  • 1.19.8-gke.1000

To upgrade your clusters, perform the following steps:

Anthos clusters on AWS now supports Kubernetes 1.19.

Anthos clusters on AWS now supports exporting logs and metrics from an Anthos clusters on AWS user cluster to Cloud Logging and Cloud Monitoring.

For more information, see Configuring logging and monitoring for Anthos clusters on AWS.

Anthos clusters on AWS now supports CMK encryption for component volumes. For more information, see Using CMK to encrypt volumes.

Workload identity in user clusters is now generally available.

Anthos clusters on AWS now supports gp3 EBS volume types. You can configure gp3 volumes on your management service, AWSCluster, and AWSNodePools.

BigQuery

BigQuery standard SQL now supports the following statements for creating, configuring, and deleting datasets:

These statements are generally available (GA).

BigQuery standard SQL now supports the TABLESAMPLE operator, which lets you query random subsets of data from large BigQuery tables. For more information, see Table sampling. This feature is in Preview.

BigQuery standard SQL now supports the following JSON functions:

These statements are generally available (GA).

INFORMATION_SCHEMA views for table partitions are now available. This feature is in Preview.

The INFORMATION_SCHEMA.TABLES view now includes a DDL column that can be used to recreate the table. This feature is in Preview.

Support for the BigNumeric type in BigQuery standard SQL is now generally available (GA).

Cloud Billing

Effective April 1, 2021, for customers in India: Due to new Reserve Bank of India (RBI) regulations, your bank might begin declining automatic card charges for recurring payments for your Google Cloud usage.

To avoid interruptions in service, if your automatic payments are being declined, we recommend that you make a manual payment for your usage.

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.15.2-airflow-1.10.14 (default)
  • composer-1.15.2-airflow-1.10.12
  • composer-1.15.2-airflow-1.10.10

Irrelevant warnings about asynchronous DAG loading parameters no longer show up in the Airflow logs.

Corrected the validation of custom Cloud SQL and Airflow web server IP ranges that are specified during the environment creation. Changed the error code and the message that are returned when a specified CIDR range is not valid.

Fixed an Airflow web UI bug that caused the DAG Tree View page to crash in rare cases.

Cloud Data Fusion

Cloud Data Fusion version 6.4.0 is now available. To upgrade, see Upgrading instances and pipelines. This release is in parallel with the CDAP 6.4.0 release.

Features in 6.4.0:

  • GA: You can now ingest data from SAP tables with the SAP Table Batch Source plugin.

  • Cloud Data Fusion now supports the Datetime data type in the following plugins. You can now read and write to tables that contain Datetime fields:

    • BigQuery batch source
    • BigQuery sink
    • BigQuery multi table sink
    • Bigtable batch source
    • Bigtable sink
    • Datastore batch source
    • Datastore sink
    • GCS file batch source
    • GCS file sink
    • GCS multi file sink
    • Spanner batch source
    • Spanner sink
    • File source
    • File sink
    • Wrangler
    • Amazon S3 batch source
    • Amazon S3 sink
    • Database source
  • You can configure machine type, cluster properties, and idle TTL for the Dataproc provisioner. For the available settings, see the CDAP documentation.

  • Adding, editing, and deleting comments on draft data pipelines is now supported. For more information, see Adding comments to a data pipeline.

  • Advanced join conditions are now available in the Joiner plugin. You can specify an arbitrary SQL condition to join on. For more information, see Join Condition Type.

  • A new post-action plugin is now available: GCS Done File Marker. To help you orchestrate downstream/dependent processes, this post-action plugin marks the end of a pipeline run by creating and storing an empty SUCCESS file in the given GCS bucket upon a pipeline completion, success, or failure.

Changed in version 6.4.0:

  • Behavior change: When you validate a plugin, macros get resolved with preferences. In previous releases, to validate a plugin's configuration, you had to change the pipeline to remove the macros.
  • Behavior change: Cloud Data Fusion now determines the schema dynamically at runtime instead of requiring arguments to be set. Multi-sink runtime argument requirements have been removed, which lets you add simple transformations in multi-source/multi-sink pipelines. In previous releases, multi-sink plugins required the pipeline to set a runtime argument for each table, with the schema for each table.

  • You can now filter tables in the Multiple Database Tables Batch Source.

  • Multiple Database Batch Source and BigQuery multi-table sink have better error handling and let pipelines continue if one or more tables fail.

  • Cloud Data Fusion Replication changes:

    • Renamed Replication pipelines to Replication jobs.
    • The Customer-managed encryption key (CMEK) configuration property is now available for BigQuery targets in your Replication jobs.
    • On the BigQuery Target properties page, renamed the Staging Bucket Location property to Location.
    • Improved reliability by restarting Replication from the last known checkpoint.
  • You can now use files with ISO-8859, Windows and EBCDIC encoding types with Amazon S3, File and GCS File Reader batch source plugins.

  • Cloud Data Fusion now supports running pipelines on a Hadoop cluster with Kerberos enabled.

Fixed in 6.4.0 (for more information, see the CDAP release note):

  • Fixed Bigtable batch source plugin. In previous versions, pipelines that included the Bigtable source would fail.
  • FTP batch source now works with empty File System Properties.
  • Strings are now supported in Min/Max aggregate functions (used in both Group By and Pivot plugins).
  • Fixed Salesforce plugin to correctly parse the schema as Avro schema to be sure all the field names are accepted by Avro.
  • Fixed data pipeline with BigQuery sink that failed with INVALID_ARGUMENT exception if the range specified was a macro.
  • Fixed a class conflict in the Kinesis Spark Streaming source plugin. You can now run pipelines with this source.
  • Fixed an issue in field validation logic in pipelines with BigQuery sink that caused a NullPointerException.
  • Fixed the Wrangler Generate UUID directive to correctly generate a universally unique identifier (UUID) of the record.
  • Fixed advanced joins to recognize auto broadcast setting.
  • Fixed Pipeline Studio to use current namespace when it fetches data pipeline drafts.
  • Fixed Replication statistics to display on the dashboard for SQL Server.
  • Fixed an issue where clicking the Delete button on Replication Assessment page resulted in an error for the replication job.
  • Schema name is now shown when selecting tables to replicate.
  • Fixed Replication to correctly insert rows that were previously deleted by a replication job.
  • Data pipelines running in Spark 3 enabled Dataproc cluster no longer fail with class not found exception.
  • Fixed Replication with a SQL Server source to generate rows correctly in BigQuery target table if snapshot failed and restarted.
  • Fixed an issue where SQL Server replication job stopped processing data when the connection was reset by the SQL Server.
  • Fixed an error in Replication wizard step to select tables, columns and events to replicate, where selecting no columns for a table caused the wizard to fetch all columns in a table.
  • Using a macro for a password in a replication job no longer results in an error.
  • Fixed logical type display for data pipeline preview runs.
  • Fixed Dashboard API to return programs running but started before the startTime.
  • Fixed deployed Replication jobs to show advanced configurations in the UI.
  • Fixed data pipeline with Python Evaluator transformation to run without stack trace errors.
  • Added loading indicator while fetching logs in Log Viewer.
  • Fixed Pipeline preview so logical start time function doesn't display as a macro.
  • Fixed fields with a list drop down menu in the Replication wizard to default to Select one.
  • Added message in Replication Assessment when there are tables that CDF cannot access.
  • Used error message when an invalid expression is added in Wrangler.
  • Fixed RENAME directive in Wrangler so it is case sensitive.
  • Fixed Pipeline Operations UI to stop showing the loading icon forever when it gets an error from the backend.
  • Fixed Wrangler to no longer generate invalid reference names.
  • Fixed Wrangler to display logical types instead of java types.
  • Fixed pipelines from Wrangler to no longer generate incorrect for xml files.
  • Added connection in Wrangler hard codes the name of the JDBC driver.
  • Batch data pipelines with Spark 2.2 engine and HDFS sinks no longer fail with delegation token issue error.

FTP Batch Source (system plugin for data pipelines)

FTP Batch Source version 3.0.0 is backward compatible, except that it uses a different artifact. This was done to ensure that updates to the plugin can be delivered out-of-band from Cloud Data Fusion releases, through the Hub.

It is recommended that you use version 3.0.0 or later in your data pipelines.

Cloud Database Migration Service

Database Migration Service makes it easier for you to "lift and shift" your MySQL and PostgreSQL workloads into Cloud SQL. This service streamlines your networking workflows, manages one-time and continuous migrations between your source and destination databases, and provides you with statuses of the migration operations.

The documentation now contains information for using Database Migration Service with PostgreSQL. This information includes:

  • A quickstart
  • Conceptual content
  • How to use this service through the user interface, gcloud, and REST API calls
  • Reference, support, and resource-related information

In addition, for this release, updates include:

  • Use the Cloud SDK: A guide to get started with the Cloud SDK so you can use it to manage Database Migration Service connection profiles and migration jobs.
  • Use the Database Migration Service API: This guide provides information about how to enable and use the REST API to administer connection profiles and migration jobs programmatically.
  • Providing gcloud information for managing connection profiles and migration jobs for MySQL and PostgreSQL.

Click here to access the documentation.

Cloud Key Management Service

Cloud EKM now supports Dataflow Appliance and Pub/Sub. For more information, see Cloud External Key Manager.

Cloud Load Balancing

External TCP/UDP Network Load Balancing is now supported with backend services. Compared to the target pool backend, a backend service gives you more fine-grained control over your load balancer, including access to features such as connection draining, failover policies, and support for managed instance groups as backends.

Network load balancers with a backend service can also use health checks that match the traffic (TCP, SSL, HTTP, HTTPS, or HTTP/2) they are distributing.

To get started, see:

This feature is available in General Availability.

Cloud Run for Anthos

The free trial for Cloud Run for Anthos on Google Cloud has been extended and is now available until September 30, 2021.

Known issue:

Clusters that are upgraded to version 0.20.0-gke.6 might receive the following error when you update the cluster's configmap:

Error from server (InternalError): error when replacing "/tmp/file.yaml":
Internal error occurred: failed calling webhook "config.webhook.istio.networking.internal.knative.dev":
the server rejected our request for an unknown reason

To resolve the error, you must run the following command to remove the validatingwebhookconfiguration configuration that is no longer supported in 0.20.0:

kubectl delete validatingwebhookconfiguration config.webhook.istio.networking.internal.knative.dev

After removing the unsupported configuration, you can proceed with updating your cluster's configmap.

Cloud SQL for PostgreSQL

Cloud SQL for PostgreSQL flags are now generally available. See supported PostgreSQL flags for more information.

Cloud Spanner

You can now use Customer-Managed Encryption Keys (CMEK) to protect databases in Cloud Spanner. CMEK in Cloud Spanner is now generally available. For more information, see CMEK.

You can now optionally specify the priority of data requests. For more information, see CPU utilization and task priority.

Compute Engine

Preview: You can now configure your VM to shut down automatically when you revoke the Cloud KMS key protecting a persistent disk attached to the VM. For more information, see Configuring VM shutdown on Cloud KMS key revocation.

Dataproc

Dataproc support of Dataproc Metastore services is now available in GA.

Dataproc Metastore

The GA release of Dataproc Metastore is now available.

Dataproc Metastore imports and exports now support Avro storage format. This feature is in Preview.

Dataproc Metastore supports backing up and restoring service metadata and configuration. This feature is in Preview.

Dataproc Metastore supports asynchronous background tasks through the Canary release channel.

Document AI

Document AI General availability (GA) released

Document AI is now in General Availability (GA).

Error Reporting

Service Errors is now Generally Available (GA). Service Errors automatically captures and groups Google Cloud service errors and notifies you when these errors occur. For more information, refer to the Managing Service Errors documentation.

Kf

Kf supports Role-based access control in Spaces.

Kf supports source code upload without workstation write access to Artifact Registry.

Kf doctor supports running per-object commands.

Ensure log tailing prints the correct number of lines.

Ensure a Space cannot be deleted if a ServiceInstance was not deleted.

Ensure a ServiceBroker cannot be deleted if there is still an active ServiceInstance depending on it.

Run binding before push so VCAP_SERVICES is correct on the first deploy.

Resolved issue with health-check-type=process.

Updated the ASM version to 1.9.1.

SAP on Google Cloud

The Cloud Data Fusion plugin for SAP is now available. With the SAP Table Batch Source plugin and Cloud Data Fusion, you can create a data pipeline to integrate your SAP data with your data repositories on Google Cloud.

For more information, see Using the SAP Table Batch Source plugin.

The Deployment Manager template that Google Cloud provides to automate the deployment of Linux high-availability clusters for SAP HANA now supports Red Hat Enterprise Linux (RHEL) images.

For more information, see Automated SAP HANA HA deployment with load-balancer VIP implementation.

Secret Manager

Secret Manager Event Notifications is generally available.

Secret Manager Event Notifications lets you configure secrets to send messages to Pub/Sub topics whenever a change is made to the secret or one of its versions.

Learn more at enabling event notifications.

Storage Transfer Service

Storage Transfer Service support for hourly schedules and modifying a job's schedule is now generally available. For more information, see Schedule.

Storage Transfer Service support for specifying source and destination paths when creating a transfer is now generally available. For more information, see Specifying source and destination paths.

The following features are now generally available:

Transcoder API

Beta stage support for VPC Service Controls.

March 30, 2021

Secret Manager

Secret Manager Expiration is generally available.

Learn more at creating and managing expiring secrets.

Secret Manager Rotation is generally available.

Secret Manager Rotation sends messages to Pub/Sub topics based on the provided rotation frequency and rotation time.

Learn more at creating and managing rotation policies.

Transfer Appliance

Transfer Appliance version 2.2 is deprecated and replaced by Transfer Appliance version 4.0.

Transfer Appliance version 4.0 is now available to order in Singapore.

March 29, 2021

Anthos Service Mesh

The Anthos Service Mesh Topology (beta) page in Cloud Console won't display properly if unsupported versions, including versions earlier than Anthos Service Mesh 1.6.8, are installed on your clusters or if you have disabled the Canonical Service controller in clusters in your project.

Note that the Canonical Service controller is enabled by default on version 1.6.8 and higher. If you did not disable the Canonical Service controller on a supported version, no action is required.

What should I do?

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the export API (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud Memcache
    • memcache.googleapis.com/Instance
  • Memorystore for Redis
    • redis.googleapis.com/Instance

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Cloud Composer
    • composer.googleapis.com/Environment
  • Cloud Run
    • run.googleapis.com/DomainMapping
    • run.googleapis.com/Revision
    • run.googleapis.com/Service
  • Cloud KMS
    • cloudkms.googleapis.com/KeyRing
    • cloudkms.googleapis.com/CryptoKey
    • cloudkms.googleapis.com/CryptoKeyVersion
    • cloudkms.googleapis.com/ImportJob

The following resource types are now publicly available through the analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Cloud Composer
    • composer.googleapis.com/Environment
  • Cloud Run
    • run.googleapis.com/Service
    • run.googleapis.com/Revision
  • Cloud TPU
    • tpu.googleapis.com/Node
  • Cloud Storage
    • storage.googleapis.com/Bucket

Cloud CDN

Cloud CDN now treats the no-cache Cache-Control directive in a response as per RFC 7234 and allows these responses to be cached, provided that they are validated every time before being reused.

Visit the caching documentation to review how Cloud CDN handles the full set of HTTP caching directives.

Cloud Logging

Logs Views are now Generally Available (GA). Using Logs Views, you can control who has access to the logs within your Logs Buckets. For more information on this feature, refer to the Managing Logs Views guide.

Cloud SQL for SQL Server

You can integrate Cloud SQL for SQL Server with Managed Service for Microsoft Active Directory.

Authentication, authorization, and more are available. For example, joining an instance to a managed Active Directory domain enables you to log in using Windows Authentication. Additionally, you can integrate with your on-premises AD domains by establishing a trust.

Cloud Storage

Cloud CDN, external HTTP(S) Load Balancing, and Cloud Storage services use BoringSSL, and are not affected by the recent OpenSSL security advisory that relates to CA certificate checks (CVE-2021-3450) and TLS renegotiation (CVE-2021-3449).

Google Kubernetes Engine

(2021-R10) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

  • Version 1.17.17-gke.2800 is now the default version.
  • The following versions are now available:
  • The following versions are no longer available:
    • 1.15.12-gke.6002
    • 1.16.15-gke.10600
    • 1.16.15-gke.11800
    • 1.16.15-gke.7801
    • 1.17.15-gke.800
    • 1.17.17-gke.1100
    • 1.18.12-gke.1210
    • 1.18.14-gke.1200
    • 1.18.14-gke.1600
    • 1.18.15-gke.1100
    • 1.18.15-gke.1102
    • 1.18.15-gke.1500
    • 1.18.16-gke.1200
    • 1.18.16-gke.500
  • Control planes and nodes with auto-upgrade enabled will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.2800 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Stable channel

  • Version 1.17.17-gke.2800 is now the default version in the Stable channel.
  • The following versions are no longer available in the Stable channel:
    • 1.16.15-gke.7801
    • 1.17.17-gke.1101
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.2800 with this release.

Regular channel

  • Version 1.18.16-gke.302 is now the default version in the Regular channel.
  • Version 1.18.16-gke.502 is now available in the Regular channel.
  • The following versions are no longer available in the Regular channel:
    • 1.18.15-gke.1501
    • 1.18.15-gke.1502
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Rapid channel

  • Version 1.19.8-gke.1600 is now the default version in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.19.8-gke.1000
    • 1.20.4-gke.1800
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.1600 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.4-gke.2200 with this release.

March 28, 2021

Cloud CDN

Cloud CDN, external HTTP(S) Load Balancing and Cloud Storage customers are not affected by the recent OpenSSL security advisory that relates to CA certificate checks (CVE-2021-3450) and TLS renegotiation (CVE-2021-3449).

These services use BoringSSL and are not affected by these OpenSSL-specific bugs.

Cloud Load Balancing

Cloud CDN, external HTTP(S) Load Balancing and Cloud Storage customers are not affected by the recent OpenSSL security advisory that relates to CA certificate checks (CVE-2021-3450) and TLS renegotiation (CVE-2021-3449).

These services use BoringSSL and are not affected by these OpenSSL-specific bugs.

March 26, 2021

AI Platform Notebooks

Cross Project Service Account support

App Engine standard environment Go

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment Java

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment Node.js

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment PHP

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment Python

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment Ruby

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

Dataproc

Image 2.0:

  • Changed default private IPv6 Google APIs access for 2.0 clusters from OUTBOUND to INHERIT_FROM_SUBNETWORK.

March 25, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.7.0-gke.16 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.0-gke.16 runs on Kubernetes 1.19.7-gke.2400.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting GKE On-Prem are 1.6, 1.5, and 1.4.

Cluster lifecycle improvements

  • The cluster upgrade process has changed. Instead of upgrading the admin cluster first, you can upgrade user clusters to the newer version without upgrading the admin cluster. The new flow, which requires upgrading gkeadm, allows you to preview new features before performing a full upgrade with the admin cluster. In addition, the 1.7.0 version of gkectl can perform operations on both 1.6.X and 1.7.0 clusters.

  • Starting with version 1.7.0, you can deploy Anthos clusters on vSphere 7.0 environments in addition to vSphere 6.5 and 6.7. Note that Anthos clusters on VMware will phase out vSphere 6.5 support following VMware end of general support timelines.

  • Published the minimum hardware resource requirements for a proof-of-concept cluster.

Platform enhancements

  • GA: Node auto repair is now generally available and enabled by default for newly created clusters. When the feature is enabled, cluster-health-controller performs periodic health checks, surfaces problems as events on cluster objects, and automatically repairs unhealthy nodes.

  • GA: vSphere resource metrics is now generally available and enabled by default for newly created clusters. When the feature is enabled, VM level resource contention metrics are collected and displayed in the VM health dashboards automatically created through out-of-the-box monitoring. You can use these dashboards to track VM resource contention issues.

  • GA: Dataplane V2 is now generally available and can be enabled in newly created clusters.

  • GA: Network Policy Logging is now generally available. Network policy logging is available only for clusters running Dataplane V2.

  • You can attach vSphere tags to user cluster node pools during cluster creation and update. You can use tags to organize and select VMs in vCenter.

Security enhancements:

  • Preview: You can run Container-Optimized OS on your user cluster worker nodes.

Simplify Day-2 operations:

  • GA: Support for vSphere folders is now generally available. This allows you to install Anthos clusters on VMware in a vSphere folder, reducing the scope of the permission required for the vSphere user.

  • A new gkectl update admin command supports updating certain admin cluster configurations including adding static IP addresses.

  • The central log aggregator component has been removed from the logging pipeline to improve reliability, scalability and resource usage.

  • Cluster scalability has been improved:

    • 50 user clusters per admin cluster

    • With Seesaw, 500 nodes, 15,000 Pods, and 500 LoadBalancer Services per user cluster

    • With F5 BIG-IP, 250 nodes, 7,500 Pods, and 250 LoadBalancer Services per user cluster

Anthos Config Management:

Anthos Config Management (ACM) is now decoupled from Anthos clusters on VMware. This provides multiple benefits including decoupling the ACM release cadence from Anthos clusters on VMware, simplifying the testing and qualification process, and providing a consistent installation and upgrade flow.

Storage enhancements:

GA: The vSphere CSI driver is now generally available. Your vCenter server and ESXi hosts must both be running 6.7 update 3 or newer. The preflight checks and gkectl diagnose cluster have been enhanced to cover the CSI prerequisites.

Functionality changes:

  • gkectl diagnose cluster now includes validation of load balancing, including F5, Seesaw, and manual mode.

  • gkectl diagnose snapshot now provides an HTML index file in the snapshot, and collects extra container information from the admin cluster control-plane node when the Kubernetes API server is inaccessible.

  • gkectl update admin has been updated to:

    • Enable or disable auto repair in the admin cluster
    • Add static IP addresses to the admin cluster
    • Enable/disable vSphere resource metrics in the admin cluster
  • gkectl update cluster has been enhanced to enable or disable vSphere resource metrics in a user cluster.

  • Given that we no longer need an allowlisted service account in the admin workstation configuration file, we deprecated the gcp.whitelistedServiceAccountKeyPath field and added a new gcp.componentAccessServiceAccountKeyPath field. For consistency, we also renamed the corresponding gcrKeyPath field in the admin cluster configuration file.

Breaking changes:

  • The following Google Cloud API endpoints must be allowlisted in network proxies and firewalls. These are now required for Connect Agent to authenticate to Google when the cluster is registered in Hub:

    • securetoken.googleapis.com
    • sts.googleapis.com
    • iamcredentials.googleapis.com
  • gkectl now accepts only v1 cluster configuration files. For instructions on converting your v0 configuration files, see Converting configuration files.

Fixes:

  • Fixed a bug where Grafana dashboards based on the container_cpu_usage_seconds_total metric show no data.

  • Fixed an issue where scheduling Stackdriver components on user cluster control-plane nodes caused resource contention issues.

  • Fixed Stackdriver Daemonsets to tolerate NoSchedule and NoExecute taints.

  • Fixed an HTTP/2 connection issue that sometimes caused problems with connections from the kubelet to the Kubernetes API server. This issue also could lead to nodes becoming not ready.

Known issues:

  • Calico-node Pods sometimes use an excessive amount of CPU in large-scale clusters. You can mitigate the issue by killing such Pods.

  • When running gkectl update admin against a cluster upgraded from 1.6, you might get the following diff:

    - InternalFields: nil,
    - InternalFields: map[string]string{"features.onprem.cluster.gke.io/bundle- 
    vsphere-credentials": "enabled"},
    

    You can safely ignore this and proceed with the update.

Anthos clusters on bare metal

Anthos on bare metal 1.7.0 is now available. To upgrade, see Upgrading Anthos on bare metal. Anthos on bare metal 1.7.0 runs on Kubernetes 1.19.

Extended installation support:

  • Added requirement for Anthos clusters on bare metal connectivity with Google Cloud for install and upgrade operations. As of 1.7.0 preflight checks will check for connectivity to Google Cloud, enabled APIs, and permissions for service accounts. Existing clusters need to be registered in Google Cloud before upgrading. The connectivity checks are not overridable by the --force flag. For details, see the cluster creation and cluster upgrade documentation.

  • Added support for installing Anthos clusters on bare metal on OpenStack. For configuration instructions, see Configure your clusters to use OpenStack.

  • Added support for installing Anthos clusters on bare metal, using a private package repository instead of the default Docker APT repository. For instructions and additional information, see Use a private package repository server.

  • Removed installation prerequisite for setting Security-Enhanced Linux (SELinux) operational mode to be permissive. The related preflight check has been removed, as well.

  • Removed installation prerequisite for disabling firewalld. The related preflight check has also been removed. For information on configuring ports to use firewalld with Anthos clusters on bare metal, see Configuring firewalld ports on the Network requirements page.

  • Updated requirements for installing behind a proxy server and removed restriction on system-wide proxy configurations. For a detailed list of prerequisites, see Installing behind a proxy.

Improved upgrade:

  • Updated cluster upgrade routines to ensure worker node failures do not block cluster upgrades, providing a more consistent user experience. Control plane node failures will still block cluster upgrades.

  • Added bmctl support for running upgrade preflight checks. bmctl check preflight will run upgrade preflight checks if users specify the --kubeconfig flag. For example:
    bmctl check preflight --kubeconfig bmctl-workspace/cluster1/cluster1-kubeconfig

Updated user cluster lifecycle management:

  • Added support in bmctl for user cluster creation and upgrade functions.

  • Improved resource handling. Anthos clusters on bare metal now reconciles node pool taints and labels to nodes unless the node has a baremetal.cluster.gke.io/label-taint-no-sync annotation.

Enhanced monitoring and logging:

  • Preview: Added out-of-the-box alerts for critical cluster metrics and events. For information on working with alerting policies and getting notified, see Creating alerting policies.

  • Added support for collecting ansible job logs in admin and hybrid clusters by default.

Expanded support for newer versions of operating systems:

  • Added support for installing Anthos clusters on bare metal on Red Hat Enterprise Linux (RHEL) 8.3 and CentOS 8.3.

Functionality changes:

  • Added support for configuring the number of pods per node. New clusters can be configured to run up to 250 pods per node. For more information about configuring nodes, see Pod networking. You can find additional information for configuring pods in the cluster creation documentation.
  • Preview: Added support to use containerd as the container runtime. Anthos clusters on bare metal 1.6.x supports only Docker for container runtime (dockershim). In 1.7.0, Kubelet can be configured to use either Docker or containerd, using the new containerRuntime cluster config field. You must upgrade existing clusters to 1.7.0 to add or update the containerRuntime field.
  • Added support for more load balancer addressPool entries under cluster.spec.loadBalancer.addressPools. For existing addressPools, users can use cluster.spec.loadBalancer.AddressPools[].manualAssign to specify additional addressPool entries.

Known issues:

  • Under rare circumstances, bmctl upgrade may become stuck at the Moving resources to upgraded cluster stage after finishing upgrading all nodes in the cluster. The issue does not affect cluster operation, but the final step needs to be finished.

    If bmctl does not move forward after 30 minutes in this state, re-run the bmctl upgrade command to complete the upgrade.

    The issue is captured in the upgrade-cluster.log file located in .../bmctl-workspace/<cluster name>/log/upgrade-cluster-<timestamp>. The following log entry shows how the failure is reported:

    Operation failed, retrying with backoff. Cause: error creating "baremetal.cluster.gke.io/v1, Kind=Cluster" <cluster name>: Internal error occurred: failed calling webhook "vcluster.kb.io": Post "https://webhook-service.kube-system.svc:443/validate-baremetal-cluster-gke-io-v1-cluster? timeout=30s": net/http: TLS handshake timeout

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Compute Engine

Generally available: Start and stop virtual machine (VM) instances automatically using instance schedules. By automating the deployment of your VMs, instance schedules can help you optimize costs and manage VMs more efficiently.

Config Connector

Config Connector version 1.44.0 is now available.

Added support for the ContainerAnalysisNote resource (no config-connector CLI support)

Added mtu field to ComputeInterconnectAttachment.

Added nodeConfig.ephemeralStorageConfig field to ContainerCluster and ContainerNodePool.

Added settings.backupConfiguration.backupRetentionSettings and settings.backupConfiguration.transactionLogRetentionDays fields to SQLInstance.

Made materializedView.query field in BigQueryTable immutable.

Deprecated nicType field in ComputeInstanceTemplate.

Added support for acquisitions of Folder using displayName and folderRef/organizationRef.

Fixed incorrect file extension for Terraform files output by the config-connector CLI.

Google Cloud VMware Engine

Added support for using NetApp Cloud Volumes Service for Google Cloud. You can use cloud volumes as NFS mount points or SMB shares in your workload virtual machines.

For details, see Connecting workload VMs to NetApp Cloud Volumes Service.

Recommender

Recommender pricing is now generally available and determines how you can process and view recommendations using the API and BigQuery export. The pricing controls how much read and write quota is provided to individual resources.

March 24, 2021

Access Approval

Access Transparency logs contain a new field called accessApprovals. This field lists the approvals that granted access to a resource that is enrolled in Access Approval. Access Transparency logs published before March 24, 2021 will not have this field populated. This feature is subject to Access Approval exclusions and only available for the services supported by Access Approval.

BigQuery

BigQuery is now available in the Warsaw (europe-central2) region.

BigQuery BI Engine

BigQuery BI Engine is now available in the Warsaw (europe-central2) region.

BigQuery Data Transfer Service

BigQuery Data Transfer Service is now available in the Warsaw (europe-central2) region.

BigQuery ML

BigQuery ML is now available in the Warsaw (europe-central2) region.

Cloud Bigtable

Cloud Bigtable is now available in the europe-central2 (Warsaw) region.

Cloud DNS

Cloud Data Fusion

Cloud Data Fusion version 6.3.1 is now available. This version fixes a race condition that results in intermittent failures in concurrent pipeline executions. This release is in parallel with the CDAP 6.3.1 release.

Cloud Key Management Service

The europe-central2 region in Warsaw is now available. See Cloud KMS locations for more details.

Cloud Load Balancing

Subsetting for internal TCP/UDP load balancers lets you scale your internal TCP/UDP load balancer to support a larger number of backend VM instances per internal backend service.

This feature is in Preview.

Cloud SQL for MySQL

Cloud SQL for PostgreSQL

Cloud SQL for SQL Server

Cloud Spanner

Cloud Spanner regional instances can now be created in Warsaw (europe-central2).

Cloud Storage

Warsaw region (europe-central2) launched.

Cloud VPN

Cloud VPN is now available in region europe-central2 (Warsaw, Poland).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

General-purpose E2 and N1 machines are available in Warsaw, Poland europe-central2 in all three zones. See VM instance pricing for details.

Disks, snapshots, and images are available in Warsaw, Poland europe-central2 in all three zones. See Disks and image pricing for details.

Support for OS Login in VPC Service Controls is now Generally Available.

Dataflow

Dataflow is now able to use workers, Dataflow Shuffle, Streaming Engine, FlexRS, and regional endpoints in zones in europe-central2 (Warsaw).

Dataproc

Dataproc is now available in the europe-central2 region (Warsaw).

Google Kubernetes Engine

The europe-central2 region in Warsaw is now available.

Pub/Sub

Pub/Sub is now available in the europe-central2 region (Warsaw).

Resource Manager

The Resource Manager v3 API has been released into public preview. For more information, see the API reference documentation.

Secret Manager

The europe-central2 region is now available. See Secret Manager locations for more information.

VPC Service Controls

General availability for the following integration:

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.186.0.0/20 for the Warsaw europe-central2 region. For more information, see Auto mode IP ranges.

The ability to connect VM interfaces other than nic0 to a Shared VPC is now available in General Availability for instance templates and managed instance groups. This feature is available in the gcloud command-line tool and the API.

March 23, 2021

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.15.1-airflow-1.10.14 (default)
  • composer-1.15.1-airflow-1.10.12
  • composer-1.15.1-airflow-1.10.10

During the environment creation, Cloud Composer checks that there are enough CPUs, according to the Cloud Compute CPU quota for a region. If there are not enough CPUs, the operation does not start.

Removed the "@-@" workload info prefixes from Airflow task logs in the Airflow UI and Cloud Logging. This change is available for Airflow 1.10.14.

For Cloud Composer versions 1.13.2 and later, regional base images are used for Airflow web server and worker-scheduler builds. This improves customized image build times.

Invalid resource names in API requests now cause a 4xx response. The invalid resource name is reported in the error message.

Improved the validation procedure for custom IP ranges that are specified during the environment creation. Changed the error code and the message that are returned when a specified CIDR range is not valid.

Fixed the documentation link in the Airflow UI.

Improved the file synchronization error handling for environments that run under the Domain Restricted Sharing organizational policy.

Improved error handling when creating node pools during upgrade operations. In some cases, the error was not reported when an upgrade operation failed on a timeout.

Cloud Run for Anthos

Events for Cloud Run for Anthos version 0.19.0-gke.107 is now available for the following GKE minor versions:

  • 1.19
  • 1.20

Config Connector

Config Connector version 1.43.0 is now available.

config-connector CLI now supports a flag to filter out deleted IAM members

Added support for IAPBrand (no config-connector CLI support)

Added support for IAPIdentityAwareProxyClient (no config-connector CLI support)

Conflict Prevention is now turned off by default. The current implementation results in the Ready condition destabilizing despite the resource reflecting user-desired state.

Work is enqueued to improve this behavior, but the functionality is turned off for new resources in the interim.

Webhook certificates that do not contain a SAN are now re-created on upgrade of the Config Connector operator.

Added support for folderRef and organizationRef in Project and Folder.

Dataproc

The default Dataproc image is now image version 2.0.

New sub-minor versions of Dataproc images: 1.3.88-debian10, 1.3.88-ubuntu18, 1.4.59-debian10, 1.4.59-ubuntu18, 1.5.34-centos8, 1.5.34-debian10, 1.5.34-ubuntu18, 2.0.7-centos8, 2.0.7-debian10, and 2.0.7-ubuntu18.

Image 2.0:

  • Updated Iceberg to version 0.11.0.
  • Updated Flink to version 1.12.2.

Image 2.0:

  • HIVE-22373: File Merge tasks fail when containers are reused.

Fixed a bug that caused Hive jobs to fail on Ranger-enabled clusters.

Fixed a bug where Spark event logs directory and history server directory could not be set to Cloud Storage correctly.

Fixed a bug where Presto property value with ';' could not be set correctly in the config file.

CVE-2020-13957: SOLR-14663: ConfigSets CREATE does not set trusted flag.

CVE-2020-1926: HIVE-22708: Test fix for http transport.

Google Kubernetes Engine

Starting tomorrow, March 24, 2021, the mechanism we use to create GKE release notes will change. Although this change does not affect the content of the notes, it does affect the presentation and underlying syntax. If you subscribe to the XML feed for this page, entries for March 24 and earlier will be updated as a result of changes to formatting and syntax; the content itself did not change.

The feed URL will also change from https://cloud.google.com/feeds/kubernetes-engine-release-notes.xml to https://cloud.google.com/feeds/gke-main-release-notes.xml. We will automatically redirect from the old URL to the new one.

Workload Identity for Windows Server nodes is now available in GKE versions 1.18.16-gke.1200, 1.19.8-gke.1300, 1.20.4-gke.1500, and later.

Windows Server, version 1909 is reaching end of support on May 11, 2021. Newer Windows Server image versions are available in GKE versions 1.19.8-gke.1600+ and 1.20.4-gke.500+.

Speech-to-Text

Speech-to-Text now allows you to upload your long-running transcription results directly into a Cloud Storage bucket. See the asynchronous speech recognition documentation for more details.

March 22, 2021

Cloud Asset Inventory

Exporting asset relationships is now available in public preview through the Export API (ExportAssets). The following relationship types are available now:

  • INSTANCE_TO_INSTANCEGROUP

Cloud Bigtable

Cloud Bigtable's Cloud Console navigation has been improved. On the Instances page, the Create Instance button is more prominent. After you navigate to an instance, the following updates are visible:

  • Left-pane navigation is now organized in sections.
  • New breadcrumb navigation on each page shows the ID of the selected instance.
  • Page headings are more prominent.
  • You can now edit or delete an instance from every page.

Cloud CDN

Cloud CDN now defaults to the Cache All Static cache mode for newly created backend buckets and backend services, which allows Cloud CDN to cache static content more readily.

The Cache All Static cache mode caches positive responses with valid caching directives, and will default to caching static content (videos, images, and web assets) for 1 hour. Responses that set a no-store, private, or no-cache cache directive will not be cached.

Existing backends remain unchanged and default to the Use Origin Headers cache mode.

Request coalescing (or collapsing) is now enabled by default on all backend services and backend buckets.

Customers with a high number of requests to cached resources that are updated often, or live streaming workloads, should see a notable reduction in bandwidth from, and requests to, their origin(s).

Cloud Vision

EXIF rotation feature fixed

EXIF rotation is now disabled.

For more information, see the March 8, 2021 release note.

Dataflow

Dataflow SQL now supports user-defined functions (UDFs) written using SQL. For more information, see Dataflow SQL user-defined functions. This feature is in Preview.

Pub/Sub Lite Traffic Director

Traffic Director support for xDS clients that connect and request configuration using the xDS v3 API is now Generally Available. The following setup guides have been updated to use xDS v3:

March 19, 2021

Cloud SQL for PostgreSQL

The following extensions in Cloud SQL for PostgreSQL are generally available:

  • pg_partman. Enables you to create and manage time-based and serial-based table partition sets.
  • pgTAP. Provides a unit testing framework for PostgreSQL, written in PL/pgSQL and PL/SQL.

Compute Engine

N2D machine types are available in the following regions and zones:

  • Frankfurt, europe-west3-a,b
  • Hong Kong, asia-east2-b,c

See VM instance pricing for pricing details.

Dataflow

Execution details are now available in Preview.

Google Kubernetes Engine

Google canonical error codes are now available in GA. GKE operations now use the canonical error model to report errors.

Added support for multiple Pod CIDRs (available in Preview), which allows users to specify a different Pod CIDR for a new node pool than the one specified during cluster creation. This alleviates the problem of running out of Pod IP addresses for under-provisioned clusters.

You can dynamically update the network tags, node labels and node taints of an existing GKE node pool. This feature is available in Preview. For more information, see Applying updates to node pool metadata.

March 18, 2021

Cloud Functions

Shared VPC on Cloud Functions is now at general availability (GA).

Cloud Logging

Cloud Logging now shows the breakdown of log severity levels in the Histogram pane. To learn more, see the Histogram section on the Logs Explorer page.

Cloud Run

Shared VPC on Cloud Run is now at general availability (GA).

Virtual Private Cloud

Serverless VPC Access support for Shared VPC is now generally available (GA).

March 17, 2021

Cloud Data Fusion

Preview: Cloud Data Fusion now supports Access Transparency. Access Transparency is a part of Google's long-term commitment to transparency and user trust. Access Transparency logs record the actions that Google personnel take when accessing customer content. For more information, see the Access Transparency overview.

Cloud Spanner

The Cloud Console query page has been updated with a revamped query editor, which now offers improved autocomplete, prevalidation of your query, formatting options, and the ability to run a selection from your query. This update also includes a new query plan visualizer. For a tour of these features and to learn more, see Tuning a query using the query plan visualizer.

Compute Engine

Preview: You can now configure N2 and C2 VMs with up to 100 Gbps of network bandwidth.

This feature is ideal for network-intensive, distributed workloads such as high-performance computing (HPC), machine learning (ML), and deep learning (DL).

Learn more about higher bandwidth configurations, the regions and zones where these machines are available, and the post-preview pricing for this new feature.

M2 machine types are now available in the following regions and zones:

  • Sydney — australia-southeast1-b,c
  • London — europe-west2-b,c
  • Montréal — northamerica-northeast1-b,c

See VM instance pricing for details.

Generally Available: Use the bulk instance API to create multiple, homogeneous VMs that are independent from each other. For more information, see Using the bulk instance API.

Google Cloud VMware Engine

VMware Engine nodes are now available in the following additional region:

  • Council Bluffs, Iowa, North America (us-central1)

Istio on Google Kubernetes Engine

1.4.10-gke.8 is available.

Fixes known security issue of OpenSSL in base images.

March 16, 2021

Cloud Interconnect

Cloud Interconnect support for GRE traffic is available in Preview. For more information, see the Cloud Interconnect overview.

Cloud VPN

Cloud VPN support for GRE traffic is available in Preview. For more information, see the Cloud VPN overview.

Compute Engine

Generally Available: NVIDIA® A100 GPUs are now available in the following three regions:

  • Iowa, North America: us-central1-a,b,c
  • Netherlands, Europe: europe-west4-a,b
  • Singapore, APAC: asia-southeast1-c

For more information, see GPUs on Compute Engine.

Generally Available: Accelerator-optimized (A2) machine types are now available in the following three regions:

  • Iowa, North America: us-central1-a,b,c
  • Netherlands, Europe: europe-west4-a,b
  • Singapore, APAC: asia-southeast1-c

N2D machine types are now available in Frankfurt, europe-west3-c and Hong Kong, asia-east2-a. See VM instance pricing for pricing details.

N2 machine types are now available in Zurich, europe-west6 in all three zones. See VM instance pricing for details.

C2 machine types are now available in Salt Lake City, us-west3 in all three zones. See VM instance pricing for details.

Memory-optimized machine types are now available in Tokyo, asia-northeast1 in all zones. See VM instance pricing for details.

C2 machine types are now available in Zürich, europe-west6 in all three zones. See VM instance pricing for details.

Dataproc

New sub-minor versions of Dataproc images: 1.3.87-debian10, 1.3.87-ubuntu18, 1.4.58-debian10, 1.4.58-ubuntu18, 1.5.33-centos8, 1.5.33-debian10, 1.5.33-ubuntu18, 2.0.6-centos8, 2.0.6-debian10, and 2.0.6-ubuntu18.

Image 2.0: Upgraded Spark to version 3.1.1

Google Kubernetes Engine

(2021-R9) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

  • Version 1.17.17-gke.2800 is now available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.1101 with this release.
  • Version 1.17.17-gke.1100 is no longer available in the Stable channel.

Regular channel

  • Version 1.18.15-gke.1501 is now the default version in the Regular channel.
  • Version 1.18.15-gke.1502 is now available in the Regular channel.
  • Version 1.18.16-gke.302 is now available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.15-gke.1501 with this release.
  • Version 1.18.12-gke.1210 is no longer available in the Regular channel.

Rapid channel

  • Version 1.19.8-gke.1000 is now the default version in the Rapid channel.
  • Version 1.19.8-gke.1600 is now available in the Rapid channel.
  • Version 1.20.4-gke.1800 is now available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.1000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.4-gke.1800 with this release.
  • Version 1.19.7-gke.2503 is no longer available in the Rapid channel.
  • Version 1.20.4-gke.400 is no longer available in the Rapid channel.

Internal TCP/UDP load balancer subsetting (Preview) is available on GKE. With subsetting, GKE clusters using internal load balancer Services can scale beyond 250 nodes. This feature is in Preview for new GKE clusters on version 1.18 and existing clusters on version 1.19. Subsetting removes the current node scale limitations associated with GKE internal TCP/UDP load balancers.

All ports (Preview) is available for internal load balancer Services on GKE. All ports lets you open more than 5 ports on a TCP/UDP load balancer that is being used with GKE. This feature is in Preview for new GKE clusters on version 1.18 and is automatically enabled when subsetting is enabled on the GKE cluster.

Identity and Access Management

Tags are now generally available. You can attach tags to resources, then use the tags to manage access to your resources.

Resource Manager

The Organization Policy Service v2 API has launched into general availability.

Tags have been launched into general availability. For more information, see the Tags overview.

March 15, 2021

AI Platform (Unified) Access Approval

Cloud Logging and Cloud Spanner are supported by Access Approval in Preview stage.

Filestore

Filestore is available in the europe-central2 (Warsaw) region. See Regions and zones.

Speech-to-Text

Speech-to-Text has launched the Model Adaptation feature. You can now create custom classes and build phrase sets to improve your transcription results.

March 12, 2021

Channel Services

Added customer-level Pub/Sub events definition to provide notifications when there is a primary domain change or verification for your customers.

You can now use boolean as a parameter value.

Cloud Logging

Suggested queries is now generally available (GA). To learn more, go to Suggested queries.

Cloud SQL for MySQL

Cloud SQL for MySQL now supports the innodb_buffer_pool_size flag. To learn more about how to set this flag, see buffer pool size.

Config Connector

Config Connector version 1.42.0 is now available.

Increase resource limits of webhook, recorder and deletiondefender workloads

On upgrade, ensure that your cluster has sufficient CPU/Memory to allocate if you have seen Pod Unschedulable errors

Added operation field into ContainerNodePool

Ensure that CLI will not terminate on particular problematic resources when on-error is set with ignore or continue

Miscellaneous bug fixes

SAP on Google Cloud

The Google Storage Backint agent for SAP HANA has been updated to version 1.0.8. You can now upload backups to Cloud Storage faster using the Backint agent parallel upload function.

For more information, see Parallel uploads.