Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud Console or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

November 24, 2021

Certificate Authority Service

You can now browse all the code samples for Certificate Authority Service on the documentation site. To check all the available code samples, see All CA Service code samples.

Cloud Monitoring

The date on which pricing for Monitoring data ingested by using GKE workload metrics goes into effect has changed. Pricing is now effective on February 1, 2022.

November 22, 2021

Cloud Functions

Cloud Functions is now available in the following region:

us-west1 (Oregon)

See Cloud Functions Locations for details.

Cloud Load Balancing

When you make an internal TCP/UDP load balancer the next hop of a static route, the route can have instance tags (also called network tags).

In addition, there are two different ways to specify the next hop:

  • Forwarding rule's name and the load balancer's region
  • Internal IP address of the forwarding rule

This feature is now available in General availability.

For more information, see the following pages:

Note that this feature isn't supported in the Console. To configure the route with network tags, use gcloud or the API.

Cloud Logging

On or after March 3, 2022, the Legacy Logs Viewer will be shut down and all users will be redirected to use the Logs Explorer.

Google Cloud VMware Engine

Added an update to the September 22, 2021 service announcement. Continuing in December 2021, VMware Engine will upgrade the VMware stack from version 7.0 Update 1 to 7.0 Update 2 and the NSX-T stack from version 3.0 to 3.1.2. Users affected by this upgrade will receive an email with planned maintenance dates and times.

For details about the upgrade and steps to prepare, see Service announcements.

November 19, 2021

Anthos Service Mesh

1.11.4-asm.5 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel. See Select a managed Anthos Service Mesh release channel for more information.

Managed Anthos Service Mesh now supports Certificate Authority (CA) Service. To install managed Anthos Service Mesh with CA Service, see Configure managed Anthos Service Mesh.

Managed Anthos Service Mesh now supports GKE Autopilot as a preview feature in the Rapid Channel. For more information, see Configure managed Anthos Service Mesh with asmcli x.

BigQuery

Updated versions of ODBC and JDBC drivers for BigQuery are now available that include enhancements.

Chronicle

This document describes Chronicle's recommendations for writing rules in YARA-L.

Cloud SQL for PostgreSQL

The following extensions in Cloud SQL for PostgreSQL are generally available:

  • auto_explain. Enables you to automatically log execution plans of slow statements, for troubleshooting and more. Provides an automated way to perform the functionality of the EXPLAIN command.
  • pg_cron. A cron-based job scheduler, this extension enables cron syntax to schedule commands from a database.
  • pg_hint_plan. Enables you to improve PostgreSQL execution plans using hints, which are simple descriptions in SQL comments.
  • pg_proctab. Enables you to use pg_top with Cloud SQL for PostgreSQL, and generate reports from the operating system process table.

Cloud Storage

Public access prevention (Preview) now uses inherited in place of unspecified.

  • Name change more clearly expresses how the state of public access prevention is determined for affected buckets.

Security Command Center

Security Command Center has launched Mute Findings in general availability.

Mute Findings is a powerful volume management feature that lets you create filters to automatically hide or suppress current and future findings based on criteria you specify. The feature can save you time from reviewing or responding to security findings for assets that are isolated, fall within acceptable business parameters, or aren't relevant to your organization based on your company's policies.

To learn more, see Mute findings in Security Command Center.

Vertex AI

The autopackaging feature of the gcloud ai custom-jobs create command is generally available (GA). Autopackaging lets you use a single command to run code on your local computer as a custom training job in Vertex AI.

The gcloud ai custom-jobs local-run command is generally available (GA). You can use this command to containerize and run training code locally.

Workflows

Workflows can be scheduled through the Workflows page in the Cloud Console.

November 18, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.9.2-gke.4 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.2-gke.4 runs on Kubernetes v1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

With version 1.9.2, cert-manager is installed in the cert-manager namespace. Previously, for versions 1.8.2 to 1.9.1, cert-manager was installed in the kube-system namespace.

The cert-manager version is upgraded from 1.0.3 to 1.5.4.

If you already use any ClusterIssuer with a different cluster resource namespace from the default cert-manager namespace, follow these steps if you upgrade to version 1.9.2.

  • Manually copy the related certificates, secrets, or issuers to the cert-manager namespace to use the installed cert-manager after upgrading to 1.9.2.

  • If you need to use a different version of cert-manager, or if you need to install it in a different namespace, follow these instructions each time that you upgrade your cluster.

Fixes:

  • Fixed issue with cilium-operator not reconciling CiliumNode for Windows nodes when updating the cluster to add Windows node pools.
  • Fixed issue which could temporarily result in no healthy CoreDNS pods present during cluster operations.
  • Fixed issue where you cannot run gkectl upgrade loadbalancer on a user cluster seesaw load balancer.
  • Fixed issue where node_filesystem metrics report gives wrong size for /run.
  • Fixed CVE-2021-37159. Because of Ubuntu PPA version pinning, this vulnerability may still be reported as false positive by certain vulnerability scanning tools, even though the underlying vulnerability has been patched in the 1.9.2 release.
  • Fixed issue where user cluster node is not synching time.
  • Alleviated the high CPU and memory usage by /etc/cron.daily/aide discussed in this issue.

Cloud Monitoring

Cloud Monitoring now supports dashboard-wide grouping and filtering. For more information, see Dashboard-wide filters.

Deep Learning Containers

M86 release

  • Upgraded all Ubuntu 18.04 LTS Deep Learning Container images to Ubuntu 20.04 LTS (see What is an Ubuntu LTS release?).
  • Released PyTorch/XLA 1.10.
  • Upgraded TensorFlow Enterprise image to the latest patch version: 2.6.2
  • Deprecated CUDA 10.x environments.
  • Locked JupyterLab version to 3.2.

Deep Learning VM Images

M86 release

  • Upgraded all Ubuntu 18.04 LTS Deep Learning VM images to Ubuntu 20.04 LTS (see What is an Ubuntu LTS release?).
  • Released PyTorch/XLA 1.10.
  • Upgraded TensorFlow Enterprise image to the latest patch version: 2.6.2
  • Deprecated CUDA 10.x environments.
  • Locked JupyterLab version to 3.2.

November 17, 2021

AI Platform Prediction

Runtime version 2.7 is now available. You can use runtime version 2.7 to serve online predictions with TensorFlow 2.7.0, scikit-learn 1.0, or XGBoost 1.4.2. Runtime version 2.7 does not support batch prediction.

See the full list of updated dependencies in runtime version 2.7.

Cloud Asset Inventory

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Assured Workloads
    • assuredworkloads.googleapis.com/Workload
  • DocumentAI
    • documentai.googleapis.com/ProcessorVersion

Cloud Data Fusion

Cloud Data Fusion is now available in the Santiago (southamerica-west1) region.

Cloud Functions

Cloud Functions now supports the following runtimes at the General Availability release level:

Dataproc

Dataproc is now available in the southamerica-west1 region (Santiago, Chile).

Dialogflow

Dialogflow CX Phone Gateway now supports call transfer.

Dialogflow CX webhooks now support custom CA certificates.

Dialogflow CX now supports agent backup.

Memorystore for Redis

Added new Memorystore for Redis region: Santiago (southamerica-west1).

Workflows

The following functions have been added:

  • sys.sleep_until — Suspends execution until the given time
  • time.format — Formats timestamp as a human-readable string
  • time.parse — Parses ISO 8601-compatible string into a timestamp

November 16, 2021

BigQuery

BigQuery is now available in the Santiago (southamerica-west1) region.

BigQuery BI Engine

BigQuery BI Engine is now available in the Santiago (southamerica-west1) region.

BigQuery Data Transfer Service

BigQuery Data Transfer Service is now available in the Santiago (southamerica-west1) region.

BigQuery ML

BigQuery ML is now available in the Santiago (southamerica-west1) region.

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Vertex AI
    • aiplatform.googleapis.com/PipelineJob

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • BigQuery
    • bigquery.googleapis.com/Model
  • Google Kubernetes Engine
    • apps.k8s.io/Deployment
    • apps.k8s.io/ReplicaSet
    • batch.k8s.io/Job

Cloud Bigtable

Cloud Bigtable is available in the southamerica-west1 (Santiago) region. For more information, see Bigtable locations.

Cloud Composer

(Cloud Composer 1) GCSfuse version updated to 37.0. Cloud Composer uses GCSfuse to sync files between the environment bucket and worker pods.

(New environments only) Default values for maintenance windows are from 00:00:00 to 04:00:00 (GMT) on Sunday, Friday, and Saturday every week.

New versions of Cloud Composer images:

  • composer-1.17.5-airflow-2.1.4
  • composer-1.17.5-airflow-2.1.2
  • composer-1.17.5-airflow-2.0.2
  • composer-1.17.5-airflow-1.10.15 (default)
  • composer-1.17.5-airflow-1.10.12
  • composer-1.17.5-airflow-1.10.14

Cloud Composer 1.13.0 has reached its end of full support period.

Cloud Run

The following new region is now available: southamerica-west1.

Cloud SQL for MySQL

Support for southamerica-west1 (Santiago) region.

Cloud SQL for PostgreSQL

Support for southamerica-west1 (Santiago) region.

Cloud SQL for SQL Server

Support for southamerica-west1 (Santiago) region.

Cloud Spanner

Cloud Spanner regional instances can now be created in Santiago (southamerica-west1).

Cloud Storage

Santiago region (southamerica-west1) launched.

New location for storing your data.

Cloud VPN

Cloud VPN is now available in region southamerica-west1 (Santiago, Chile).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

Generally available: You can now configure N2, N2D, and C2 VMs with up to 100 Gbps of network bandwidth.

This feature is ideal for network-intensive, distributed workloads such as high-performance computing (HPC), machine learning (ML), and deep learning (DL).

Learn more about high-bandwidth network configurations, and the regions and zones where these VMs are available.

Generally available: The Santiago, Chile, South America region (southamerica-west1-a,b,c) has launched with E2, N2, and C2 VMs in all three zones. See VM instance pricing for details.

Dataflow

Dataflow is now available in Santiago (southamerica-west1).

Google Kubernetes Engine

The southamerica-west1 region in Santiago, Chile is now available.

Pub/Sub

Pub/Sub is now available in southamerica-west1 (Santiago).

Secret Manager

Secret Manager is now available in the Santiago (southamerica-west1) region.

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.194.0.0/20 for the Santiago southamerica-west1 region. For more information, see Auto mode IP ranges.

November 15, 2021

Anthos on bare metal

Release 1.7.6

Anthos clusters on bare metal 1.7.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.6 runs on Kubernetes 1.19.

Fixes:

The following container image security vulnerabilities have been fixed:

Known issues:

When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Release 1.9.2

Anthos clusters on bare metal 1.9.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.2 runs on Kubernetes 1.21.

Fixes:

  • Updated preflight checks to use strict mode for decoding YAML to catch issues with indentation and misplaced fields in the cluster configuration file.

  • Fixed an issue that caused containerRuntime to default to docker, instead of containerd in certain uncommon situations.

  • Fixed an issue where node_filesystem metrics report incorrect size in Cloud Monitoring for mount-points other than root.

  • Fixed an issue that caused communication failures between Cloud Logging metadata agent and the Cloud Monitoring API when the root certificate authority (CA) on the host node isn't set up properly.

  • The following container image security vulnerabilities have been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Artifact Registry

Artifact Registry repositories with gcr.io domain support are now available in Preview. These gcr.io repositories provide some features that are backwards-compatible with Container Registry.

Cloud Load Balancing

Cloud Load Balancing introduces a new version of the external HTTP(S) load balancer. The new global external HTTP(S) load balancer with advanced traffic management capabilities contains many of the features of our existing classic HTTP(S) load balancer, but with an ever-growing list of traffic management capabilities such as weighted traffic splitting, request mirroring, outlier detection, fault injection, and so on.

For details on the new load balancer, see:

This load balancer is available in Public Preview.

Cloud Monitoring

Preview: Google Cloud Managed Service for Prometheus, Google Cloud's fully managed, Prometheus-compatible monitoring solution, is now available in Preview. You can use the managed service anywhere that you use standard Prometheus today. The collector retains all expected Prometheus functionality, such as local storage and rule evaluation.

Managed Service for Prometheus also offers managed data collection in Kubernetes environments, reducing the complexity of deploying, scaling, sharding, configuring, and maintaining the collectors. For more information, see Google Cloud Managed Service for Prometheus.

Compute Engine

Generally available: You can now monitor health state change logs for VM instances in a managed instance group when you use application-based health checking.

Generally available: N2D machine types running on third generation AMD EPYC Milan processors. These machine types are only available in specific regions and zones. See VM instance pricing for details.

Generally available: T2D Tau machine types are available in select regions and zones. Tau T2D VMs offer excellent price-performance for a wide range of scale-out workloads. See VM instance pricing for details.

Dataproc Metastore

Google Kubernetes Engine

(2021-R33) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • The following control plane and node versions are now available:
  • Version 1.19.14-gke.1900 is no longer available in the Stable channel.
  • The following control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded with this release:

Regular channel

  • Version 1.21.5-gke.1302 is now the default version in the Regular channel.
  • Version 1.20.11-gke.1801 is now available in the Regular channel.
  • Version 1.20.10-gke.1600 is no longer available in the Regular channel.
  • The following control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded with this release:

Rapid channel

  • Version 1.21.5-gke.1802 is now the default version in the Rapid channel.
  • Version 1.22.3-gke.700 is now available in the Rapid channel.
  • The following control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded with this release:

Traffic Director

Traffic Director service security for GKE is now in General Availability. This provides the following:

  • Authentication and encryption using transport layer security (TLS) and mutual TLS (mTLS) for both Traffic Director with Envoy and proxyless gRPC applications. Server TLS policies and client TLS policies control whether services need to prove their identities to each other and use encrypted communication channels.

  • Authorization, based on characteristics of the client and the request. Authorization policies control whether a service is permitted to access another service, and which actions are allowed. Authorization is currently available only for Traffic Director with Envoy.

For more information, see the service security documentation and setup guides.

VPC Service Controls

General availability for the following integration:

November 12, 2021

BigQuery

BigQuery now supports authorized datasets (General Availability).

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud Resource Manager Tags
    • cloudresourcemanager.googleapis.com/TagKey
    • cloudresourcemanager.googleapis.com/TagValue
  • Cloud OS Config
    • osconfig.googleapis.com/VulnerabilityReport

Cloud DNS

The type of the vmInstanceId field in Cloud DNS's Stackdriver Logs has been changed from a number to a string.

Compute Engine

You can now access vulnerability report data, available through the OS Config API service, from Cloud Asset Inventory. For more information, see View vulnerability reports data from Cloud Asset Inventory.

Firestore

The Firestore Unity and C++ SDKs are now supported at the General Availability release level.

Dartpad, Flutter's online editor, now supports Firestore. For an example, see this sample app.

Google Kubernetes Engine

The release on September 17, 2021 (2021-R29) fixed CVEs in the Compute Engine PD CSI driver for the cluster minor version 1.18. The fixes are available in GKE version 1.18.20-gke.5900 and later.

The following CVEs were fixed: CVE-2021-3712, CVE-2021-3580, CVE-2021-33910, CVE-2020-29361, CVE-2020-29362, CVE-2021-24031, CVE-2021-3711, CVE-2021-20305, CVE-2020-24659, CVE-2021-24032, CVE-2021-20231, CVE-2021-20232, CVE-2021-33560, CVE-2020-29363, CVE-2021-3520, and CVE-2020-27350.

Legacy networks that contain GKE clusters can be converted to VPC networks, if the required control plane and node pool upgrades are performed. This feature is available in Preview. For more information, see Single-region conversion tool.

SAP on Google Cloud

Backint agent for SAP HANA StorageException issue fixed

Google Cloud released version 1.0.13 of the Backint agent for SAP HANA, which fixes an issue that could cause a backup that is stored in Cloud Storage to be unusable if a StorageException error occurred during the backup process.

Apply the fix as soon as possible by downloading and installing version 1.0.13 of the Backint agent for SAP HANA.

For more information about the issue and the fix, see StorageException for Cloud Storage can cause corrupted Backint agent backup.

Backint agent for SAP HANA version 1.0.13

Version 1.0.13 of the Google Cloud Backint agent for SAP HANA is now available. Version 1.0.13 improves the handling of StorageException errors that might occur when writing backups to Cloud Storage. This version fixes an issue that, under certain circumstances, could make stored backups unusable.

For more information about the agent, see Cloud Storage Backint agent for SAP HANA overview.

Virtual Private Cloud

Private Service Connect endpoints used to access a managed service are now automatically registered with Service Directory. This feature is available in General Availability.

Converting a single-region legacy network to a custom mode VPC network is now available in Preview.

November 11, 2021

Access Approval

Access Approval supports Organization Policy Service in Preview stage.

Access Transparency

Access Transparency supports Organization Policy Service in GA stage.

Cloud Billing

Starting in November 2021, if you have committed use discounts (CUDs), Google Cloud Billing calculates the attribution for your fees and credits every hour, to help you track costs faster and more accurately.

As a result of this change, you also see fewer line items for attribution in your BigQuery usage cost exports.

Learn about how your CUD fees and credits are attributed across your resources.

Cloud Monitoring

You can now view the project-scoped log entries for all projects in a metrics scope on a custom dashboard. For more information, see View logs on a dashboard.

Compute Engine

Generally available: You can now use the gcloud command-line and the OS Config API to get inventory and vulnerability report data for your VMs in a specific zone. For more information, see Viewing operating system details.

Config Connector

Config Connector 1.67.0 is now available.

Added support for PrivateCACertificateTemplate resource.

Added support for ConfigControllerInstance (Alpha) resource.

Added fields spec.nodeConfig.guestAccelerator[].gpuPartitionSize and spec.workloadIdentityConfig.workloadPool to ContainerCluster resource.

Added field spec.nodeConfig.guestAccelerator[].gpuPartitionSize to ContainerNodePool resource.

Deprecated spec.workloadIdentityConfig.identityNamespace (field is also no longer required), spec.masterAuth and status.instanceGroupUrls in ContainerCluster resource.

Fixed an issue where DataflowJob was repeatedly updated if spec.enableStreamingEngine was set to true.

Fixed issues in config-connector bulk-export; the exported IAMCustomRole resources can now be imported into Config Connector.

Memorystore for Redis

Released the Read Replicas (Preview) feature for Memorystore for Redis. For more details, see Read replicas.

November 10, 2021

Cloud Asset Inventory

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Metastore
    • metastore.googleapis.com/Service
    • metastore.googleapis.com/MetadataImport
    • metastore.googleapis.com/Backup

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Metastore
    • metastore.googleapis.com/Service
    • metastore.googleapis.com/MetadataImport
    • metastore.googleapis.com/Backup

Cloud IDS

Cloud IDS is now in General Availability.

Document AI

We have lowered the price for many processors. For more information, see the Pricing page.

Google Cloud VMware Engine

VMware Engine nodes are now available in the following additional zone:

  • Frankfurt, Germany: europe-west3-2

November 09, 2021

BigQuery

The following scripting statements have been added to Google Standard SQL for BigQuery.

  • CASE: Executes the first list of SQL statements where a boolean expression is TRUE.
  • CASE search_expression: Executes the first list of SQL statements where the search expression matches a WHEN expression.
  • LABELS: Provides an unconditional jump to the end of the block or loop associated with a label.
  • REPEAT: Repeatedly executes a list of SQL statements until the boolean condition at the end of the list is TRUE.
  • FOR...IN: Loops over every row in a table expression.

These features are generally available (GA).

Cloud Asset Inventory

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Monitoring
    • monitoring.googleapis.com/AlertPolicy

Cloud Run

Cloud Run support for referencing Secret Manager Secrets is now at general availability (GA).

Compute Engine

If you use local SSDs with sync-heavy workloads, you will now more consistently reach write IOPS limits and experience lower latency, without having to disable cache flushing. This is due to a recent SSD firmware update.

Google Kubernetes Engine

For GKE Autopilot clusters, Spot Pods are now available in Preview. Spot Pods let you run fault-tolerant workloads at lower costs.

Vertex AI

Vertex AI Pipelines is generally available (GA).

November 08, 2021

BigQuery

The following INFORMATION_SCHEMA views now support a DDL column. The value of the column is the DDL statement that can be used to create the resource.

This feature is generally available (GA).

Cloud Asset Inventory

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Service Management
    • servicemanagement.googleapis.com/ManagedService
  • Certificate Authority Service
    • privateca.googleapis.com/CaPool
    • privateca.googleapis.com/CertificateAuthority
    • privateca.googleapis.com/CertificateRevocationList
    • privateca.googleapis.com/CertificateTemplate

Cloud Monitoring

The API to manage the metrics scope of a Google Cloud project is now Generally Available. For more information, see Manage metrics scopes with the API.

Terraform now supports use of the metrics scope API. For sample code, see google_monitoring_monitored_project.

You can now save a copy of a chart from the Observability tab on Compute Engine's VM instance details page to one of your custom dashboards. To save a copy of the chart, select Add to Custom Dashboard from the More Options menu on the chart. You then select a new or existing custom dashboard, and have the option of renaming the new copy of the chart.

Compute Engine

You can now save a copy of a chart from the Observability tab on Compute Engine's VM instance details page to one of your custom dashboards. To save a copy of the chart, select Add to Custom Dashboard from chart option. You then select a new or existing custom dashboard, and have the option of renaming the new copy of the chart.

Deep Learning Containers

M85 Release

  • Regular package refreshment and bug fixes.

Deep Learning VM Images

M85 Release

  • CUDA 11.3 Debian-10 image is available.
  • Regular package refreshment and bug fixes.

Speech-to-Text

Speech-to-Text has launched two new medical speech models, which are tailored for recognition of words that are common in medical settings. See the medical models documentation for more details.

November 05, 2021

Cloud Data Fusion

Cloud Data Fusion version 6.5.1 is now available. This release is in parallel with the CDAP 6.5.1 release.

GA: Cloud Data Fusion now supports Customer-Managed Encryption Keys (CMEK), which provides user encryption control over the data written to Google internal resources in tenant projects, and data written by Cloud Data Fusion pipelines. The list of supported plugins has also expanded.

Fixed in 6.5.1 (for more information, see the CDAP release note):

  • Fixed an issue where messages could not be retrieved for Kafka topics.
  • Fixed an issue where you could not create a profile for an existing Dataproc cluster.
  • Fixed an issue that caused pipelines to fail when Transformation Pushdown was enabled and used macros as properties.
  • Fixed an issue that caused long running programs, like Replication, to fail within the default Hadoop delegation token timeout. Now, these tokens get renewed so that the job keeps running.
  • Fixed an issue in Replication that caused an error when you clicked Configure.
  • Fixed an issue that caused a pipeline to fail with an ACCESS DENIED error when running BigQuery jobs. For more information, see Troubleshooting.
  • Fixed an issue in the Cloud Storage connection that prevented browsing and parsing files stored in folders under buckets.
  • Fixed an issue that caused custom formats to be unusable in the Cloud Storage source and sink.

Cloud Monitoring

You can now collect Apache Web Server metrics from the Ops Agent, starting with version 2.7.0. For more information, see Monitoring third-party applications: Apache Web Server.

You can now collect Redis metrics from the Ops Agent, starting with version 2.7.0. For more information, see Monitoring third-party applications: Redis.

Cloud TPU

Cloud TPU now supports Tensorflow 2.7.0. For more information, see Tensorflow 2.7.0 Release Notes.

Deep Learning Containers

M84 Release

  • TensorFlow Enterprise 2.7 is now available with CUDA 11.3 support. Note that this TensorFlow Enterprise version does not include Long Term Version Support.

Deep Learning VM Images

M84 Release

  • TensorFlow Enterprise 2.7 is now available with CUDA 11.3 support. Note that this TensorFlow Enterprise version does not include Long Term Version Support.

Document AI

The following procurement processors are now publicly accessible:

We have released a new version of the Document OCR Processor called Google default next. This version changes the distribution of confidence scores in the response. You have 90 days from today to test the new model before the changes are applied to the Google default version. After that event, the original version will still be available for another 90 days as legacy. For more information about using different versions of the processor, see Managing processor versions.

Secret Manager

Secret Manager filtering support to customize the output of ListSecrets and ListSecretVersions is now generally available. For more information, see Filtering.

TensorFlow Enterprise

TensorFlow Enterprise 2.7 is now available with CUDA 11.3 support. Note that this TensorFlow Enterprise version does not include Long Term Version Support.

November 04, 2021

Anthos Service Mesh

Version 1.11 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel. See Select a managed Anthos Service Mesh release channel for more information.

Managed Anthos Service Mesh now supports Multi-project with shared VPC in the Rapid Release Channel. For more information, see Configure managed Anthos Service Mesh.

Managed Anthos Service Mesh now supports private GKE clusters with private control plane. This means that all types of private GKE clusters are supported. For more information, see Environments on the Supported features page.

Cloud Composer

Airflow 2.1.4 is available in Cloud Composer images.

The scheduler heartbeat probe no longer checks for the availability of logs in Cloud Logging. This change reduces the chance of false positives.

(Cloud Composer 2 only) The termination grace period for workers is extended from 30 seconds to 30 minutes. This change does not apply to operations that re-create pods (for example, when changing environment variables), so that these operations do not require a long time to complete.

(New Cloud Composer 2 environments only) Access to the Airflow web server in Cloud Composer 2 is now additionally protected by Service Control API checks, for extended access control.

New versions of Cloud Composer images:

  • composer-2.0.0-preview.5-airflow-2.1.4
  • composer-2.0.0-preview.5-airflow-2.1.2
  • composer-2.0.0-preview.5-airflow-2.0.2
  • composer-1.17.4-airflow-2.1.4
  • composer-1.17.4-airflow-2.1.2
  • composer-1.17.4-airflow-2.0.2
  • composer-1.17.4-airflow-1.10.15 (default)
  • composer-1.17.4-airflow-1.10.14
  • composer-1.17.4-airflow-1.10.12

Cloud Composer versions 1.12.4 and 1.12.5 have reached their end of full support period.

Cloud Healthcare API

It is now possible to determine the base resource validation level using the projects.locations.datasets.fhirStores.patch method.

Cloud Monitoring

Data from closed incidents is now retained for 13 months instead of 90 days, so you can see patterns over longer periods of time and investigate them. For information about investigating incidents, see Incidents.

You can now create an alerting policy from the alert chart dialog on a custom dashboard, and you can create an alerting policy by converting a chart on a custom dashboard to an alert chart. For more information, see Alert charts.

Cloud Spanner

Time to live (TTL) reduces storage costs, improves query performance, and simplifies data retention by automatically removing unneeded data based on user-defined policies.

Config Connector

Config Connector 1.66.0 is now available.

Added support for memberFrom in IAMPartialPolicy.

Miscellaneous bug fixes and improvements.

Datastore

DATA_READ and DATA_WRITE Data Access audit logs are now supported at the General Availability release level. See Datastore audit logging information.

Dialogflow

Preview launch of the following languages in Dialogflow CX:

Afrikaans, Amharic, Azerbaijani, Belarusian, Bulgarian, Bosnian, Catalan, Cebuano, Corsican, Czech, Welsh, Greek, Esperanto, Estonian, Basque, Persian, Frisian, Irish, Scots Gaelic, Galician, Gujarati, Hausa, Hebrew, Hmong, Croatian, Haitian Creole, Hungarian, Armenian, Igbo, Icelandic, Javanese, Georgian, Kazakh, Khmer, Kannada, Kurdish, Kyrgyz, Latin, Luxembourgish, Lithuanian, Latvian, Malagasy, Maori, Macedonian, Malayalam, Mongolian, Maltese, Nepali, Chichewa, Odia, Punjabi, Pashto, Kinyarwanda, Sindhi, Slovak, Slovenian, Samoan, Shona, Somali, Albanian, Serbian, Sesotho, Sundanese, Swahili, Tajik, Turkmen, Tatar, Uyghur, Urdu, Uzbek, Xhosa, Yiddish, Yoruba, Zulu

Firestore

DATA_READ and DATA_WRITE Data Access audit logs are now supported at the General Availability release level. See Firestore audit logging information.

Google Kubernetes Engine

You can now use image streaming in GKE to reduce image pull time and improve overall application startup and autoscaling performance. For more information, see Use image streaming to pull container images.

Storage Transfer Service

Storage Transfer Service now offers Preview support for agent pools. You can use agent pools to create isolated groups of agents as a source or sink entity in a transfer job. This enables you to transfer data from multiple data centers and filesystems concurrently, without creating multiple projects for a large transfer spanning multiple filesystems and data centers.

Vertex AI

Vertex Explainable AI Preview support available for AutoML image classification models

Vertex Explainable AI offers Preview support for the following model type:

November 03, 2021

App Engine standard environment Go

Egress settings for Serverless VPC Access are now generally available. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Java

Egress settings for Serverless VPC Access are now generally available. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Node.js

Egress settings for Serverless VPC Access are now generally available. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment PHP

Egress settings for Serverless VPC Access are now generally available. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Python

Egress settings for Serverless VPC Access are now generally available. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Ruby

Egress settings for Serverless VPC Access are now generally available. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

Cloud Key Management Service

You can now attest HSM keys using certificate chains via the gcloud command-line tool, Cloud Console, or Cloud KMS API. See Verifying attestations to learn more.

SAP on Google Cloud

FIXED: SAP HANA backup issue with Backint agent

A critical issue that can result in corrupted backups has been identified that might affect users of the Backint agent for SAP HANA. We are actively working on a fix.

For the fix and for more information, see StorageException for Cloud Storage can cause corrupted Backint agent backup.

November 02, 2021

AI Platform Training

Using interactive shells to inspect training jobs is generally available (GA).

You can use these interactive shells with VPC Service Controls.

App Engine standard environment Java

  • Upgrade to Jetty version 9.4.44.v20210927

BigQuery

BigQuery now supports parameterized types. The following parameterized types are supported:

This feature is generally available (GA).

Cloud Asset Inventory

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Google Kubernetes Engine
    • networking.k8s.io/NetworkPolicy

Cloud Composer

Cloud Composer is now available in Singapore (asia-southeast1).

Cloud Run for Anthos

General availability: Installing Cloud Run for Anthos as an Anthos fleet component with Anthos Service Mesh is now publicly available. Learn about what's new and changed in the latest release.

Vertex AI

Using interactive shells to inspect custom training jobs is generally available (GA).

You can use these interactive shells with VPC Service Controls.

November 01, 2021

Cloud Asset Inventory

Cloud Asset Inventory Console is now generally available.

This release enables you to view the following information for your Cloud deployment, using powerful search capabilities and easy filtering.

  • Details and history of resources and IAM policies
  • Machine type statistics
  • Policy statistics
  • Insights of your Cloud footprint
  • IAM policies as a whole, or scoped to individual IAM policies' details

Learn more about searching resources and searching policies in the console.

Cloud Billing

Prioritized attribution for your resource-based committed use discounts (CUDs) is now Generally Available.

You can now specify how your credits and, where appropriate, the subscription fees from your resource-based committed use discounts are distributed among your Google Cloud projects.

Learn about how you can allocate your commitments.

Cloud Load Balancing

Cloud Load Balancing announces a significant increase in the URL map limits for External and Internal HTTP(S) Load Balancing. The new limits let you scale to a much higher number of services behind a single load balancer.

For example, URL maps for external HTTP(S) load balancers can now support up to 1000 host rules. The total size of the URL map is constrained to 64KB for External HTTP(S) Load Balancing and 128KB for Internal HTTP(S) Load Balancing.

For the updated list of limits, see URL map limits.

Cloud Monitoring

You can now collect Cassandra metrics from the Ops Agent, starting with version 2.6.0. For more information, see Monitoring third-party applications: Cassandra.

Cloud Run

You can now allocate up to 16GiB of memory to your Cloud Run services.

Committed use discount recommender now automatically generates recommendations to purchase Cloud Run committed use discounts based on historical usage.

Cloud Storage

Cloud Translation

Document Translation for Cloud Translation - Advanced (v3) is now Generally Available (GA) and includes the following enhancements:

  • Right to left language support for PDFs
  • Preserves font size, font color, font style, and hyperlinks for native PDFs only
  • Batch document translation requests support PDF to DOCX conversions for native PDFs only

Config Connector

Config Connector 1.65.0 is now available.

Added support for the ComputeServiceAttachment resource.

The config-connector CLI command print-resources now includes a column listing support of related IAM resources.

All config-connector containers now emit logging to stdout rather than stderr.

The config-connector CLI now correctly labels supported bulk-export resources.

Dataproc

Added the following new Apache Spark properties to control Cloud Storage flush behavior for event logs for 1.4 and later images:

  • spark.history.fs.gs.outputstream.type (default: BASIC)
  • spark.history.fs.gs.outputstream.sync.min.interval.ms (default: 5000ms).

Note: The default configuration of these properties enables the display of running jobs in the Spark History Server UI for clusters using Cloud Storage to store Spark event logs.

Added support in 1.5 and 2.0 images to filter Spark Applications on the Spark History Server Web UI based on Cloud Storage path. Filtering is accomplished using the eventLogDirFilter parameter, which accepts any Cloud Storage path substring and will return applications that match the Cloud Storage path.

New sub-minor versions of Dataproc images:

1.4.75-debian10, 1.4.75-ubuntu18,

1.5.50-centos8, 1.5.50-debian10, 1.5.50-ubuntu18,

2.0.24-centos8, 2.0.24-debian10, 2.0.24-ubuntu18

Removed Apache Iceberg and Delta Lake libraries in 2.0 images because they are not compatible with Spark 3.1.

Upgraded Cloud Storage connector to version 2.2.3 on 2.0 Images.

The previous Dataproc on GKE beta documentation has been replaced with a Dataproc on GKE private preview sign up form. Existing beta customers can continue using the beta release, but note that the beta release is planned to be deprecated and removed.

Patched Hive in 2.0 images with HIVE-20187, which fixes a bug where Hive returned incorrect query results when hive.convert.join.bucket.mapjoin.tez is set to true.

Backported SPARK-31946 in 2.0 images.

Backported SPARK-23182 in 1.4 and 1.5 images. This prevents long-running Spark shuffle servers from leaking connections when they are not cleanly terminated.

Fixed stdout and stderr links in the Spark History Server Web UI in 2.0 images.

Storage Transfer Service

Storage Transfer Service now offers Preview support for exporting data from Cloud Storage to a POSIX file system. You can use this bidirectional data movement capability to move data in and out of Cloud Storage, on-premises clusters, and edge locations including Google Distributed Cloud. For more information, see Download data from Cloud Storage.

Transcoder API

Video Intelligence API

AutoML Action Recognition: The Streaming API is a Beta feature of Video Intelligence API for real-time versions of several capabilities such as object tracking and label detection. This current launch adds streaming support for AutoML Action Recognition models. Customers can now specify their own custom AutoML model when performing action recognition on a stream.

October 29, 2021

Anthos GKE on AWS

Anthos Clusters on AWS aws-1.9.1-gke.0 is now available.

Anthos clusters on AWS aws-1.9.1-gke.0 clusters run the following Kubernetes versions:

  • 1.18.20-gke.8300
  • 1.19.15-gke.1600
  • 1.20.11-gke.1600
  • 1.21.5-gke.1600

Release aws-1.9.1-gke.0 fixes an issue in release 1.9.0 in which authorization with AWS IAM assumed roles failed.

Release aws-1.9.1-gke.0 of Anthos Clusters on AWS fixes the following security issues:

For more information, click on the CVE or search for details at https://nvd.nist.gov.

Anthos clusters on VMware

The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

Anthos on bare metal

Security bulletin (all minor versions)

The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

Cloud Asset Inventory

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • BigQuery
    • bigquery.googleapis.com/Model
  • Cloud SQL
    • sqladmin.googleapis.com/BackupRun

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Cloud SQL
    • sqladmin.googleapis.com/BackupRun
  • Artifact Registry
    • artifactregistry.googleapis.com/Repository
  • Cloud Bigtable
    • bigtableadmin.googleapis.com/AppProfile
    • bigtableadmin.googleapis.com/Backup

Cloud SQL for PostgreSQL

  • The following PostgreSQL minor versions and extension versions are now available. If you use maintenance windows, you might not yet have these versions. In this case, you will see the new versions after your maintenance update occurs. To find your maintenance window or manage maintenance updates, see Finding and setting maintenance windows.
    • 9.6.22 is upgraded to 9.6.23.
    • 10.17 is upgraded to 10.18.
    • 11.12 is upgraded to 11.13.
    • 12.7 is upgraded to 12.8.
    • 13.3 is upgraded to 13.4.
  • The hll extension is upgraded to 2.16.
  • The pglogical extension is upgraded to 2.4.0.
  • The pg_partman extension is upgraded to 4.5.1.
  • The pg_repack extension is upgraded to 1.4.7.

Cloud Spanner

The django-spanner plugin is now available, enabling you to use Cloud Spanner as a backend database for the Django Web framework. For more information, see Django ORM with Cloud Spanner.

Google Cloud VMware Engine

Generally available: VMware Engine integration with Google Cloud's operations suite using a standalone metrics and logs agent. The agent brings syslog messages and metrics from vCenter and vSAN to Google Cloud's operations suite, where you can set up your own dynamic alerts on over 50 metrics and leverage pre-built dashboards.

For details about this feature, see Setting up Cloud Monitoring with a standalone agent.

Google Kubernetes Engine

(2021-R32) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.20.10-gke.1600 is now the default version in the Stable channel.
  • Version 1.19.15-gke.500 is now available in the Stable channel.
  • The following versions are no longer available in the Stable channel:
    • 1.19.13-gke.1900
    • 1.20.10-gke.301
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.14-gke.1900 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.

Regular channel

  • Version 1.20.10-gke.1600 is now the default version in the Regular channel.
  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.20.9-gke.1001
    • 1.20.10-gke.301
    • 1.21.3-gke.2001
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.3-gke.2003 with this release.

Rapid channel

  • Version 1.21.5-gke.1302 is now the default version in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.21.4-gke.2300
    • 1.21.5-gke.1300
    • 1.22.2-gke.1300
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.5-gke.1302 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.2-gke.1901 with this release.

October 28, 2021

Anthos Config Management

Config Sync will not block deletion requests if the object has non-nil metadata.deletionTimestamp.

Increased git-importer memory limit to 500Mi.

Fixed the issue causing nomos hydrate not to generate the configurations for clusters selected by the configsync.gke.io/cluster-name-selector annotation.

Fixed the issue causing nomos hydrate to incorrectly require cluster objects to exist in the clusterregistry directory for unstructured repositories.

Fixed the issue causing the namespace to be only synced to one of the clusters when the config for a namespace is defined multiple times with different configmanagement.gke.io/cluster-selector or configsync.gke.io/cluster-name-selector annotations.

BigQuery

The table snapshots feature is now generally available (GA). It includes a Cloud Console interface and support for creating a table snapshot in a different project from its base table.

Cloud Billing

Recommendations for spend-based committed use discounts (CUDs) are now Generally Available.

You can use these recommendations to optimize your project costs by analyzing your spending trends and signing up for committed use discounts. Recommendations are supported for Cloud Billing accounts billed in US Dollars (USD).

Learn about commitment recommendations.

Compute Engine

Generally available: Schedule-based autoscaling for managed instance groups now lets you configure schedules without having another autoscaling signal.

Deep Learning Containers

M83 release

  • PyTorch 1.10 is now available.

Deep Learning VM Images

M83 release

  • PyTorch 1.10 is now available.

Eventarc

Support for VPC Service Controls is now generally available (GA).

Google Kubernetes Engine

GKE public clusters versions 1.22 and later created on or after October 28, 2021, will move to using Private Service Connect (PSC) for private control plane communication. There is no price increase for using GKE public clusters running on PSC; however, there will be a SKU change. This change does not apply to public clusters using legacy networks.

In clusters running GKE version 1.21.0-gke.1000 and later, the destination IP address and port of the GKE metadata server has changed. If you have a cluster network policy and you use Workload Identity, you should update your network policy to allow access to the following destination IP addresses and ports. To avoid disruptions during auto-upgrades, allow access to all these destination address and destination port combinations in your network policy. For more information, see Understanding the GKE metadata server.

| GKE version | GKE metadata server address |
| --- | --- |
| Prior to 1.21.0-gke.1000 | 127.0.0.1:987 and 127.0.0.1:988 |
| 1.21.0-gke.1000 and later | 169.254.169.252:987 and 169.254.169.252:988 |
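
A Kubernetes NetworkPolicy egress rule set that allows all four address and port combinations listed above, so Workload Identity keeps working across an auto-upgrade. This is an added example, not part of the original release note; the policy name, namespace, and empty pod selector are assumptions.

```yaml
# Added example (not from the release note): allow egress to the GKE metadata
# server at both its old and new addresses.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gke-metadata-server   # hypothetical name
  namespace: default                # hypothetical namespace
spec:
  podSelector: {}                   # assumption: every pod in the namespace; narrow as needed
  policyTypes:
  - Egress
  egress:
  # Clusters prior to 1.21.0-gke.1000
  - to:
    - ipBlock:
        cidr: 127.0.0.1/32
    ports:
    - protocol: TCP
      port: 987
    - protocol: TCP
      port: 988
  # Clusters running 1.21.0-gke.1000 and later
  - to:
    - ipBlock:
        cidr: 169.254.169.252/32
    ports:
    - protocol: TCP
      port: 987
    - protocol: TCP
      port: 988
```

Network policies are additive, so this policy can be applied alongside existing egress policies for the same pods without replacing them.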

Kf

The VCAP_APPLICATION route string no longer includes a trailing slash.

Resolved a scenario that could result in extra reconciliation loops and logs.

Addressed a v2 buildpack condition that could prevent SIGTERM signals from propagating.

Network Intelligence Center

Connectivity Tests now supports private IP addresses outside of the RFC 1918 address space. For more information, see Connectivity Tests overview.

Workflows

A built-in environment variable, GOOGLE_CLOUD_SERVICE_ACCOUNT_NAME, is now supported to access the service account name for a workflow execution.

October 27, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.8.4-gke.1 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.4-gke.1 runs on Kubernetes v1.20.9-gke.701.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

Fixes for version 1.8.4:

  • Fixed high-severity CVE-2021-3711.
  • Fixed gkectl check-config failure when Anthos clusters are configured with a proxy whose URL contains special characters.
  • Fixed "cert-manager" cainjector leader-election failure.

Known issue in version 1.8.4:

If you have already installed your own cert-manager in your cluster, read the suggested mitigation before upgrading to a version >=1.8.2 in order to avoid an installation conflict with the cert-manager deployed by Anthos clusters on VMware.

  • Installing your cert-manager with Apigee may also result in a conflict with the cert-manager deployed by Anthos clusters on VMware. To avoid this, read the suggested mitigation before upgrading to this version.

Anthos clusters on VMware 1.7.5-gke.0 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.5-gke.0 runs on Kubernetes v1.19.12-gke.2101.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

Fixes for version 1.7.5:

Fixed gkectl check-config failure when Anthos clusters are configured with a proxy whose URL contains special characters.

BigQuery

SQL column-level encryption using Cloud Key Management Service (KMS) is now generally available (GA), letting you encrypt keysets within AEAD encryption functions.

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Vertex AI
    • aiplatform.googleapis.com/MetadataStore
  • Dialogflow
    • dialogflow.googleapis.com/Agent
    • dialogflow.googleapis.com/LocationSettings

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Dialogflow
    • dialogflow.googleapis.com/Agent
    • dialogflow.googleapis.com/LocationSettings

Cloud Bigtable

The guidance on migrating data from HBase to Cloud Bigtable has been updated. You can now use new tooling designed to create Bigtable tables from existing HBase tables, import snapshots of your HBase tables, and validate the integrity of migrated data.

Cloud Run

Cloud Run now supports network file systems such as NFS, NDB, 9P, CIFS/Samba, and Ceph, as well as Cloud Filestore and Cloud Storage FUSE. (Available in public preview.)

Cloud Run now supports a new second generation execution environment that provides full Linux compatibility rather than system call emulation. This execution environment provides better performance and the ability to use network file systems. (Available in public preview.)

Google Kubernetes Engine

In GKE version 1.22 and later, GKE cluster autoscaler and node auto-provisioning will support working on empty (zero node) clusters, and will support scaling down nodes with pods requesting local storage.

Memorystore for Memcached

Newly created Memorystore for Memcached instances now have a default Reserved Memory percentage of 10%. For more information, see Reserved Memory.

October 26, 2021

Actifio

Actifio GO product documentation is available at https://docs.actifio.com/Actifio-GO. New titles and titles with expanded content include:

  • Actifio GO Deployment Guide
  • Actifio GO Support Matrix
  • Enabling Consumption Billing
  • Protecting & Recovering Google Compute Engine Instances
  • Protecting & Recovering Microsoft SQL Server Databases
  • SAP-HANA DBA's Guide to Actifio GO
  • Getting Started with Actifio GO
  • Actifio Administrator's Survival Guide
  • Network Administrator's Guide to Actifio GO
  • Configuring Actifio OnVault
  • VMware Administrator's Guide to Actifio GO

The documentation for the Actifio VDP product continues to be available at https://docs.actifio.com/10.0.

Actifio GO is now Generally Available. Pre-approval is no longer needed to activate the solution.

Actifio GO migration for heritage customers is available now. Migrate to Actifio GO without drastically changing your existing Actifio heritage deployment.

New on-premises Actifio GO deployments require pre-approval. Please reach out to your Google Cloud account team to request on-premises deployment of Actifio GO.

Actifio GO no longer requires a $500 usage minimum.

Support matrix for Actifio GO will be published as two documents.

  • Actifio GO Support Matrix covers the support matrix information for workloads running in Google Cloud.
  • Actifio GO Support Matrix - Hybrid covers support matrix information for workloads running on-premises.

Actifio GO installer executable for VMware is deprecated from the date of this announcement.

Consolidated single support matrix document. Support matrix for GO will now be published as two separate documents covering support for workloads running in Google Cloud and a second document covering workloads running on premises.

Anthos on bare metal

Release 1.9.1

Anthos clusters on bare metal 1.9.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.1 runs on Kubernetes 1.21.

Fixes:

Functionality changes:

  • Updated the bmctl reset cluster command to prevent you from resetting an admin cluster if the admin cluster is managing user clusters.
  • Updated the bmctl create cluster command to block you from enabling the Anthos VM Runtime for admin clusters.

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Cloud SQL for PostgreSQL

Cloud SQL now supports the max_pred_locks_per_page and max_pred_locks_per_relation flags. For information about the Cloud SQL implementation of these flags, see Supported flags.

Config Controller

Config Controller is a managed service to provision and orchestrate Anthos and Google Cloud resources. For information on Config Controller, see Config Controller overview.

Config Controller will now begin billing for Anthos Config Management at a rate of $0.10/hour for each instance.

Versions of included products:

  • Anthos Config Management v1.8.1, release notes
  • Config Connector v1.63.0, release notes

Data Catalog

Data Catalog is now available in two new North Virginia regions (aws-us-east-1 and azure-eastus2).

Deep Learning Containers

M82 release

  • Released CUDA 11.3 container images.
  • The Vertex SDK for Python is available across all deep learning environment products; it was previously available only in TensorFlow images.
  • Theia IDE (experimental) images were refreshed. PyTorch has been removed from Theia IDE images.

Deep Learning VM Images

M82 Release

  • The Vertex SDK for Python is available across all deep learning environment products; it was previously available only in TensorFlow images.
  • Theia IDE (experimental) images were refreshed. PyTorch has been removed from Theia IDE images.

Identity and Access Management

For Credential Access Boundaries, you can now use updated authentication libraries for Go, Java, Node.js, and Python to automatically exchange OAuth 2.0 access tokens for downscoped tokens.

For details, see Exchange and refresh the access token automatically.

Migrate for Compute Engine

Migrate VMs using UEFI firmware. Using UEFI firmware, you can enable Secure Boot. See migration details.

Network Connectivity Center

The issue reported on Sept. 30, 2021, has been resolved. Cloud DNS forwarding services and Private Google Access can now be accessed through Router appliance spokes.

Security Command Center

An issue that resulted in Security Command Center incorrectly reporting findings for some monitoring vulnerability detectors has been fixed.

Due to changes made on September 20, 2020 in the logging source upon which FIREWALL_NOT_MONITORED, NETWORK_NOT_MONITORED, ROUTE_NOT_MONITORED, and SQL_INSTANCE_NOT_MONITORED findings in Security Health Analytics are predicated, the remediation instructions for those findings were inaccurate.

The issue is resolved. Findings are being generated accurately and you are being properly alerted of misconfigurations in your organization.

If you want to enable monitoring in order to remediate these findings, you will need to update the logs-based metrics for these findings. Updated filters are available in the findings themselves and product documentation:

If you have questions or need assistance, contact Google Cloud Support or Google Cloud Billing Support.

October 25, 2021

Anthos GKE on AWS

The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

BigQuery

BigQuery Omni, a multi-cloud analytics solution, is now generally available.

Cloud Router

Bidirectional Forwarding Detection (BFD) for Cloud Router is available in Preview.

Config Connector

Config Connector 1.64.0 is now available.

Added support for ComputeFirewallPolicyRule resource.

Added support for FilestoreBackup and FilestoreInstance resources.

Added connectionTrackingPolicy field to ComputeBackendService.

Added ipv6AccessConfig, ipv6AccessType and stackType fields to ComputeInstance.

Added ipv6AccessConfig, ipv6AccessType and stackType fields to ComputeInstanceTemplate.

Added ipv6AccessType, stackType, externalIpv6Prefix, ipv6CidrRange fields to ComputeSubnetwork.

Added nodeConfig.workloadMetadataConfig.mode; deprecated nodeConfig.workloadMetadataConfig.nodeMetadata in ContainerCluster.

Added serviceAccountRef field to CloudBuildTrigger.

Added monitoringConfig, dnsConfig and loggingConfig fields to ContainerCluster.

Added importOnly field to KMSCryptoKey.

Added disabled field to IAMServiceAccount.

Added gcsDataSink.path and gcsDataSource.path fields to StorageTransferJob.

Moved version field to status in DataprocWorkflowTemplate.

In DNSRecordSet, ttl field is no longer required.

Handle the lifecycle of ConfigConnectorContext objects in a separate controller for better isolation and scalability.

Fixed the issue of changing BigTableInstance node size.

Migrate for Compute Engine

#199379063 Windows migrated VMs have GooGet installed with a wrong root directory

Windows VMs migrated before October 7th 2021 may have GooGet (Google package manager) installed with the wrong root directory (C:\Windows\System32\%ProgramData%\GooGet instead of C:\ProgramData\GooGet).

Workaround: Reinstall GooGet and guest environment by following the instructions to Install a guest environment in-place. A copy of googet.exe can also be found under C:\Google\Migrate\GooGet, which allows you to skip the download command in step 1. C:\Windows\System32\%ProgramData%\GooGet can be safely deleted if needed.

Following the steps to install a guest environment in place will also update guest environment packages to their latest released versions.

SAP on Google Cloud

New SAP certifications: SAP has certified the following operating systems for SAP HANA on Google Cloud:

  • Red Hat Enterprise Linux 8.2
  • Red Hat Enterprise Linux 8.4
  • SUSE Linux Enterprise Server 15 SP3

See Certified operating systems for SAP HANA.

Security Command Center

The following detectors for unsafe Google Groups changes are generally available (GA):

  • Credential Access: Privileged Group Opened To Public
  • Credential Access: Sensitive Role Granted To Hybrid Group
  • Credential Access: External Member Added To Privileged Group

For more information, see Unsafe Google Groups changes.

Vertex AI

Vertex ML Metadata is generally available (GA).

October 22, 2021

Dataproc

The dataproc:dataproc.cluster-ttl.consider-yarn-activity cluster property is now set to true by default for image versions 1.4.64+, 1.5.39+, and 2.0.13+. With this change, for clusters created with these image versions, Dataproc Cluster Scheduled Deletion will by default consider YARN activity, in addition to Dataproc Jobs API activity, when determining cluster idle time. This change does not affect clusters with images with lower version numbers: cluster idle time for those clusters will continue to be computed based on Dataproc Jobs API activity only. When using image versions 1.4.64+, 1.5.39+, and 2.0.13+, you can opt out of this changed behavior by setting this property to false when you create the cluster.

October 21, 2021

Anthos clusters on VMware

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

Anthos on bare metal

Release 1.8.5

Anthos clusters on bare metal 1.8.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.5 runs on Kubernetes 1.20.

Fixes:

The following container image security vulnerabilities have been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Security bulletin (all minor versions)

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

Cloud Bigtable

Cloud Bigtable app profile cluster groups let you route an app profile's traffic to a subset of an instance's clusters. This feature is generally available (GA).

Compute Engine

Preview: You can now configure up to 48 vCPUs and 312 GB memory on virtual machine (VM) instances that have a single T4 GPU attached.

For more information, see Network bandwidths and GPUs.

Google Kubernetes Engine

For GKE Autopilot clusters, CMEK for boot disks and CMEK for application-layer encryption are now generally available.

For GKE Autopilot clusters, Google Groups for RBAC is now generally available.

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.

SAP on Google Cloud

SAP HANA scale-out deployment fails due to a Python error

If you have an existing SAP HANA scale-out system with host auto-failover on Google Cloud and you are upgrading SAP HANA to SAP HANA 2.0 SPS 5 Revision 56 or later, SAP HANA fails to start due to a Python error that prevents the storage manager for SAP HANA from attaching storage. The storage manager for SAP HANA version 2.1 or earlier does not support SAP HANA 2.0 SPS 5 Revision 56 or later.

To resolve the issue, upgrade the storage manager for SAP HANA to version 2.2 or later. For more information, see Known issues.

High-availability cluster failover issue due to a Corosync communication delay

For RHEL and SLES operating systems, if there is a temporary delay in the transmission of Corosync messages between the cluster nodes, the delay can incorrectly trigger a failover for your high-availability (HA) cluster for SAP solutions on Google Cloud.

Follow the resolution steps depending on your operating system. For more information, see Known issues.

High-availability configuration guidance changed

The Google Cloud guidance for configuring Pacemaker clusters for SAP has changed for better integration with Google Cloud infrastructure and to more closely align with the defaults and recommendations that are provided by the operating system vendors. These are non-breaking changes that are recommended for optimal reliability. The changes apply to the fence agent, some cluster resource definitions, and some default settings of the Corosync and Pacemaker cluster properties. The Deployment Manager scripts and manual deployment guides have been updated to reflect these changes.

If you have an existing Linux high-availability cluster for SAP on Google Cloud, compare your current settings to the new recommendations and update your cluster as necessary.

For instructions on displaying your current cluster settings and for an example of the recommended cluster settings, see Checking your cluster configuration.

Traffic Director

Traffic Director with internet NEGs of the type INTERNET_FQDN_PORT is now in General Availability. For full details, see Traffic Director with internet network endpoint groups.

Virtual Private Cloud

This issue is now fixed: Connectivity from on-premises hosts to a Private Service Connect endpoint that is used to access published services might not establish for some existing Cloud VPN connections. As a workaround, recreate the VPN gateway and the VPN tunnels.

October 20, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.9.1-gke.6 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.1-gke.6 runs on Kubernetes v1.21.5-gke.400.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

  • In version 1.9.0, there was a known issue with restoring an admin cluster using a backup when using a private registry. That has been fixed in version 1.9.1.
  • Fixed gkectl check-config failure that occurs when Anthos clusters are configured with a proxy whose URL contains special characters.
  • Fixed "cert-manager" cainjector leader-election failure.

If you have already installed your own cert-manager in your cluster, read the suggested mitigation before upgrading to a version >=1.8.2 in order to avoid an installation conflict with the cert-manager deployed by Anthos clusters on VMware.

  • Installing your cert-manager with Apigee may also result in a conflict with the cert-manager deployed by Anthos clusters on VMware. To avoid this, read the suggested mitigation before upgrading to this version.

Cloud Asset Inventory

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Cloud OS Config
    • osconfig.googleapis.com/PatchDeployment
  • Container
    • k8s.io/Service
  • Vertex AI
    • aiplatform.googleapis.com/BatchPredictionJob
    • aiplatform.googleapis.com/CustomJob
    • aiplatform.googleapis.com/DataLabelingJob
    • aiplatform.googleapis.com/Dataset
    • aiplatform.googleapis.com/Endpoint
    • aiplatform.googleapis.com/HyperparameterTuningJob
    • aiplatform.googleapis.com/Model
    • aiplatform.googleapis.com/SpecialistPool
    • aiplatform.googleapis.com/TrainingPipeline

Cloud Logging

You can now collect MySQL logs from the Ops Agent, starting with version 2.5.0. For more information, see Collecting logs from third-party applications: MySQL.

You can now collect Redis logs from the Ops Agent, starting with version 2.5.0. For more information, see Collecting logs from third-party applications: Redis.

You can now collect Cassandra logs from the Ops Agent, starting with version 2.5.0. For more information, see Collecting logs from third-party applications: Cassandra.

Cloud Shell

Cloud Shell Editor is now built with Theia 1.18.0

Review the Theia release notes for a complete list of features/updates/bug fixes.

Cloud Code Extension updated to v1.14.1

Update includes a Kubernetes Development Sessions explorer which provides more insight into task execution and streamlines examining session logs. See the Cloud Code release notes for a full listing of features/updates/bug fixes.

Dialogflow

Dialogflow ES V2 API now supports regionalization.

Kf

Anthos clusters on VMware (GKE on-prem) support promoted to GA.

Anthos clusters on bare metal support promoted to GA.

New wrap-v2-buildpack experimental command available.

Known issue: some buildpacks (ex: https://github.com/cloudfoundry/java-buildpack) produce directories that do not work with the pack CLI.

Added support for kubectl explain to inspect Kf CRDs.

Fixed condition where CLI may not always show build logs.

Fixed issue where kf doctor expects the ASM ingress gateway deployment to be in the kf namespace.

Addressed scenario where the Kf operator could overwrite ASM Gateway customization.

Config Connector dependency updated to v1.60.

Tekton dependency updated to v0.26.0.

Traffic Director

Traffic Director security service with GKE is now in General Availability for gRPC proxyless services. The changes in this release include:

  • Support for the Certificate Authority Service GA API, using CA pools instead of individual CAs.
  • Promoting the network-services and network-security CLI/APIs to general availability.
  • Security is enabled by default in gRPC libraries and the gRPC PSM bootstrap generator.
  • Cloud Logging enhancements to aid in debugging run-time errors and conflicts.
  • Support for proxyless gRPC and Envoy interoperability with security enabled.
  • Config Connector support for proxyless gRPC security.
  • Use of the new --enable-mesh-certificates GKE flag.
  • Support for the GA version (security.cloud.google.com/v1) of WorkloadCertificateConfig and TrustConfig in GKE.
  • Wallet example upgraded to use PSM security.

VPC Service Controls

General availability for the following integration:

October 19, 2021

Anthos clusters on Azure

The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

Anthos on bare metal

Release 1.7.5

Anthos clusters on bare metal 1.7.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.5 runs on Kubernetes 1.19.

Fixes:

The following container image security vulnerabilities have been fixed:

Known issues:

When you upgrade Anthos clusters on bare metal from a version with a security patch to the next minor release, we recommend you upgrade to the highest patch version to ensure you have the latest security fixes. Always review the release notes before upgrading so you're aware of what has changed, including security fixes and known issues. Upgrading to a lower release version isn't supported.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Cloud Domains

Cloud Domains is available in GA. Cloud Domains enables you to search, register, and manage domain names with Google Cloud. Cloud Domains also lets you transfer a domain to or from a third-party provider.

As announced in the MSA sent on September 16, 2021, Cloud Domains has a new billing model.

Dialogflow

Dialogflow CX change history is now available from the API.

Dialogflow CX now provides a continuous testing and deployment preview feature.

Identity and Access Management

The IAM page of the Cloud Console now lists lateral movement insights in addition to policy insights. Lateral movement insights are in Preview.

October 18, 2021

Cloud Composer

Cloud Composer 2 supports Airflow web server plugins.

Cloud Composer is now available in Oregon (us-west1).

Added the google-cloud-aiplatform package to Cloud Composer images with Airflow versions 2.1.2, 2.0.2, and 1.10.15.

(New environments only) Cloud Composer 2 environments create Autopilot clusters using the Regular release channel. Before this change, the Rapid channel was used.

Fixed an issue with the Airflow web server availability in Cloud Composer 2.

(New environments only) Shielded Nodes and Secure Boot features are enabled for Cloud Composer 1 environment clusters.

(New environments only) Cloud Composer 1 environment creation no longer fails when the constraints/compute.requireShieldedVm policy is turned on.

(Available without upgrading) Fixed a problem with Airflow 2 configuration changes not propagating to Airflow workers.

Fixed a bug that caused the __pycache__ folder to sometimes appear in an environment's bucket.

New versions of Cloud Composer images:

  • composer-1.17.3-airflow-2.1.2
  • composer-1.17.3-airflow-2.0.2
  • composer-1.17.3-airflow-1.10.15 (default)
  • composer-1.17.3-airflow-1.10.14
  • composer-1.17.3-airflow-1.10.12
  • composer-2.0.0-preview.4-airflow-2.1.2
  • composer-2.0.0-preview.4-airflow-2.0.2

Cloud Composer versions 1.12.2 and 1.12.3 have reached their end of full support period.

Cloud Data Loss Prevention

The IMSI_ID infoType detector is available in all regions.

Cloud Load Balancing

Cloud Load Balancing now supports load-balancing traffic to endpoints that extend beyond Google Cloud, such as on-premises data centers and other public clouds that you can reach using hybrid connectivity.

Hybrid load balancing is supported by the following load balancers:

  • External HTTP(S) Load Balancing
  • Internal HTTP(S) Load Balancing
  • TCP Proxy and SSL Proxy Load Balancing

For details, see Hybrid load balancing overview.

This feature is available in General Availability.

Network Connectivity Center

Network Connectivity Center is now generally available. For more information, see the Network Connectivity Center overview.

It is now possible to add or remove router appliance instances from an existing spoke, as long as you don't try to add instances that belong to a different VPC network. For details, see Working with hubs and spokes.

VPC Service Controls

General availability for the following integration:

October 15, 2021

Chronicle

Detection Engine API

The ListDetections method has been updated to allow customers to list detections efficiently across rule versions and rules by either detection timestamp or commit timestamp. Parameters originally used to list detections by detection timestamp will eventually be deprecated.

Dialogflow

Dialogflow CX has a new feature for side-by-side flow version comparison.

Document AI

Contract DocAI (Preview) released

The Contract parser is now available.

Google Kubernetes Engine

(2021-R31) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.20.10-gke.1600 is now the default version.
  • The following control plane and node versions are now available:

  • Control plane version 1.19.13-gke.701 is no longer available.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.1600 with this release.

Stable channel

  • Version 1.19.13-gke.1900 is now the default version in the Stable channel.
  • The following versions are now available in the Stable channel:

  • Version 1.19.13-gke.1200 is no longer available in the Stable channel.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1900 with this release.

Regular channel

Rapid channel

  • Version 1.21.4-gke.2300 is now the default version in the Rapid channel.
  • The following versions are now available in the Rapid channel:

  • The following versions are no longer available in the Rapid channel:

    • 1.21.4-gke.1801
    • 1.22.1-gke.1602
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.2300 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.2-gke.1300 with this release.

GKE Windows clusters using the persistent disk CSI driver might experience volume mount issues with existing PersistentVolumeClaim or PersistentVolume resources if upgraded to one of the following versions. Please do not upgrade your Windows node pools to the following versions in the Rapid channel:

  • 1.22.1-gke.1602 or later

The fix will be available in a future GKE 1.22 release.

Migrate for Compute Engine

v.4.11.7 Security updates available. See Migrate for Compute Engine Downloads for downloads and upgrade instructions.

October 14, 2021

Dialogflow

GA (general availability) launch of the following languages in Dialogflow CX:

  • Arabic
  • Bengali
  • Filipino
  • Finnish
  • Malay
  • Marathi
  • Romanian
  • Sinhala
  • Tamil
  • Telugu
  • Vietnamese

GA (general availability) launch of the following languages in Dialogflow ES:

  • Bengali
  • Filipino
  • Finnish
  • Malay
  • Marathi
  • Romanian
  • Sinhala
  • Tamil
  • Telugu
  • Vietnamese

Google Kubernetes Engine

StatefulSet Pods in Calico Network Policy enabled GKE clusters might experience connectivity issues in a Terminating state in the following GKE versions:

  • 1.18
  • 1.19
  • 1.20 to 1.20.11-gke.1299
  • 1.21 to 1.21.4-gke.1499

To mitigate this issue, upgrade your GKE control plane to GKE version 1.21.4-gke.1500 or later.
For more information, see the known issue and Calico issue #4710.

October 13, 2021

Cloud Asset Inventory

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • App Engine Memcache
    • memcache.googleapis.com/Instance
  • Filestore
    • file.googleapis.com/Instance
    • file.googleapis.com/Backup

Cloud Spanner

You can now assign request tags and transaction tags in your application code to easily troubleshoot query performance, transaction latency, and lock contentions by correlating introspection statistics to application code.

Cloud Storage

Cloud EKM keys can now be used to encrypt Cloud Storage data.

Compute Engine

Preview: Spot VMs are now available! Spot VMs are the latest version of preemptible VM instances. Use Spot VMs for fault-tolerant workloads to get a 60-91% discount over the price of standard VMs. Spot prices can change up to once a month to reflect the underlying supply and demand. Like preemptible VMs, Spot VMs are available for all machine types, regions, and zones.

Preemptible VMs continue to be supported for new and existing VMs, and preemptible VMs now use the same pricing model as Spot VMs. However, Spot VMs provide new features that are not supported for preemptible VMs. For example, preemptible VMs can only run for up to 24 hours at a time, but Spot VMs do not have a maximum runtime.

Learn more about Spot VMs and preemptible VMs.

Google Cloud VMware Engine

All new VMware Engine private clouds now deploy with VMware vSphere version 7.0 Update 2 and NSX-T version 3.1.2. Existing private clouds will be upgraded to vSphere version 7.0 Update 2 and NSX-T version 3.1.2 over a period of time in October 2021.

See Service announcements for more details on the contents of this upgrade.

Generally available: vSAN data encryption for data at rest now uses keys generated by Cloud Key Management Service for all new private clouds.

For details about this feature, see About vSAN encryption.

Google Kubernetes Engine

The following GKE versions fix containerd issue #5438. This issue caused pod IP address leaks, which exhaust the IP addresses of containerd-based nodes.

  • 1.19.14-gke.1500 or later
  • 1.20.10-gke.1500 or later
  • 1.21.4-gke.1600 or later

For more information, see the Containerd node images known issues.

Identity and Access Management

You can now use workload identity federation with any SAML 2.0-compatible identity provider. This feature is in Preview.

Security Command Center

Event Threat Detection, a built-in service of Security Command Center Premium, launched an integration with Chronicle that lets you perform advanced analysis of threat findings.

The integration lets you seamlessly send findings to Chronicle, a Google Cloud service that you can use to investigate threats and pivot through related actions and events in a unified timeline. Chronicle enriches Event Threat Detection findings, helping you identify indicators of interest and simplify investigations.

To learn more about Chronicle, see Chronicle overview. For instructions on sending Event Threat Detection findings to Chronicle, see Investigate findings in Chronicle.

October 12, 2021

BigQuery

The BigQuery Storage Write API is now generally available (GA). The Storage Write API combines the functionality of high-throughput streaming ingestion and batch loading into a single API.

Carbon Footprint

Google Cloud Carbon Footprint is in Public Preview

Cloud Data Loss Prevention

The data profiler for BigQuery is available in Preview. For more information, see Data profiles for BigQuery data.

Cloud Spanner

The PostgreSQL interface is available in Preview, making the capabilities of Spanner accessible from the PostgreSQL ecosystem. The release supports a subset of the PostgreSQL SQL dialect, including core data types, functions, and operators. Applications can connect using updated Spanner drivers for JDBC, Java, Go, and Python. Starting initially with psql, community tools can connect using PGAdapter, a sidecar proxy that implements the PostgreSQL wire protocol. Sign up for the preview today.

Cloud Storage

Objects uploaded using XML API multipart uploads cannot be rewritten or copied within Cloud Storage.

Compute Engine

Preview: Third generation Intel Xeon Scalable Processor (Ice Lake) N2 VMs are now available in select regions and zones. These new N2 VMs are offered at the same price as existing N2 VMs on second generation Intel Xeon Scalable Processors.

Deep Learning Containers

M81 release

  • Upgraded R to 4.1.
  • Fixed bug that prevented R kernels from working properly.

Deep Learning VM Images

M81 release

  • Upgraded R to 4.1.
  • Improved Cloud Storage sync logic so that only newer files sync.
  • Fixed bug that prevented R kernels from working properly.

Google Kubernetes Engine

Spot VMs on GKE is now available in Preview.

With GKE version 1.19 and later, the CPU and memory usage of gke-metrics-agent have been optimized. With this change, Out Of Memory (OOM) crashes are reduced significantly.

If you are on GKE version 1.18 and earlier, you will need to upgrade your clusters to version 1.19 or later.

Virtual Private Cloud

Using Private Service Connect to publish services that are hosted on the backends of an internal HTTP(S) load balancer is now Generally Available.

Accessing published services using a Private Service Connect endpoint is now available from on-premises hosts that are connected to a VPC network using Cloud VPN. This feature is available in Preview.

Connectivity from on-premises hosts to a Private Service Connect endpoint that is used to access published services might not establish for some existing Cloud VPN connections. As a workaround, recreate the VPN gateway and the VPN tunnels.

Connectivity from on-premises hosts to a Private Service Connect endpoint that is used to access managed services does not establish if both of the following conditions are met:

  • The service is published with explicit project approval.
  • Your project is not already approved before you create the endpoint.

See known issues for a workaround while this feature is in Preview.

October 11, 2021

Cloud Logging

Cloud Logging now supports the asia-south2, asia-southeast2, australia-southeast2, northamerica-northeast2, and us-west4 regions. For a full list of regions, see Regionalization.

Compute Engine

Preview: Tau T2D VMs are now available in select regions and zones. T2D VMs are ideal for a wide variety of workloads in a cloud-native environment. See VM instance pricing for details.

SAP on Google Cloud

Storage Manager for SAP HANA Standby Nodes version 2.2

Version 2.2 of the Google Cloud storage manager for SAP HANA standby nodes is now available. Version 2.2 adds support for SAP HANA 2.0 rev 56 and above, and includes minor bug fixes and performance enhancements. Version 2.2 does not include any other changes to the features or functionality of the storage manager for SAP HANA.

For more information about the storage manager for SAP HANA, see SAP HANA host auto-failover on Google Cloud.

Backint agent for SAP HANA version 1.0.12

Version 1.0.12 of the Google Cloud Backint agent for SAP HANA is now available. Version 1.0.12 provides compatibility for Backint protocol 1.5, as well as other minor fixes and enhancements. Version 1.0.12 does not include any changes to the features or functionality of the Backint agent for SAP HANA.

For more information about the agent, see Cloud Storage Backint agent for SAP HANA overview.

October 08, 2021

Cloud SQL for MySQL

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes. To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Cloud SQL for PostgreSQL

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes. To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Cloud SQL for SQL Server

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes. To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Dataproc

In a future announcement (on approximately October 22, 2021), Dataproc will announce that Cluster Scheduled Deletion by default will consider YARN activity, in addition to Dataproc Jobs API activity, when determining cluster idle time. This change will affect image versions 1.4.64+, 1.5.39+, and 2.0.13+. To test this feature now, create a cluster with a recent image, setting the dataproc:dataproc.cluster-ttl.consider-yarn-activity cluster property to true. Note: After this behavior becomes the default, you can opt out when you create a cluster by setting the property to false.

Video Intelligence API

The SHOT_CHANGE_DETECTION model will undergo an upgrade over the next 90 days to a newer version. The API interface and client library will remain the same as the previous version.

Note that you have 30 days from today to test the new model by specifying "builtin/latest" in the model field of the config object for shot change detection. At the end of 30 days, the new model will be promoted to the default model accessible as "builtin/stable". After that event, the original model, currently accessible by default or using "builtin/stable", will still be available for another 60 days using "builtin/legacy".

Until this 30 day period ends, the model formerly accessible as "builtin/latest" will be available as "builtin/legacy". Thank you for your feedback on that model, now labeled "builtin/legacy" version. The new model launched today as "builtin/latest" has been improved over this model as well as the current default "builtin/stable" model.

If you encounter problems with this upgrade, contact the Video Intelligence API engineering team by submitting a ticket in the private issue tracker.

October 07, 2021

Access Approval

Access Approval supports the following services in GA stage:

  • Cloud SQL
  • Google Kubernetes Engine
  • Speaker ID

Dataproc Metastore

Fixed the issue causing Dataproc Metastore service creations with CMEK enabled to fail if a service without CMEK enabled has never been created before in the project.

October 06, 2021

AI Platform Training

Runtime version 2.6 is available. You can use runtime version 2.6 to train with TensorFlow 2.6, scikit-learn 0.24.2, or XGBoost 1.4.2. Runtime version 2.6 supports training with CPUs, GPUs, or TPUs.

See the full list of updated dependencies in runtime version 2.6.

Anthos Service Mesh

1.11.2-asm.17 is now available.

Anthos Service Mesh 1.11 includes the features of Istio 1.11 subject to the list of Anthos Service Mesh supported features.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a Managed Anthos Service Mesh release channel for more information.

asmcli is generally available for new installations and upgrades of Anthos Service Mesh. You can use asmcli to:

The in-cluster control plane is supported on the following platforms using asmcli:

  • GKE clusters in a single project
  • GKE clusters in multiple projects
  • Anthos clusters on VMware
  • Anthos on bare metal
  • Anthos clusters on AWS
  • Amazon EKS

Note: Upgrades from Anthos Service Mesh 1.7 on EKS to Anthos Service Mesh 1.11 aren't supported. You will need to set up a new EKS cluster to install Anthos Service Mesh 1.11.

asmcli requires clusters to be registered with a fleet. asmcli can automatically register a cluster as long as it meets the requirements specified in fleet requirements. asmcli does not support automatic fleet registration for GKE 1.22 clusters, which must be registered manually before installation.

Using install_asm and istioctl install is deprecated and support for these tools for installations and upgrades of Anthos Service Mesh will be removed when Anthos Service Mesh 1.12 is released. Please update your scripts and tools to use asmcli. For more information see Transitioning to asmcli.

The Anthos Service Mesh integration with Certificate Authority Service (CA Service) is generally available. You can use CA Service as the certificate authority for signing mutual TLS certificates. See Configure Anthos Service Mesh to use CA Service for details.

Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Anthos Service Mesh 1.11 proxy is based on Envoy v1.19.1.

Cloud Logging

You can now collect Apache httpd logs from the Ops Agent, starting with version 2.4.0. For more information, see Collecting logs from third-party applications: Apache httpd.

The Ops Agent now supports collecting logs from the systemd-journald service, starting with Ops Agent version 2.4.0. For information on configuring the systemd_journald receiver, see Configuring the Ops Agent: Logging receivers.

Cloud Spanner

You can now specify the statistics package for the query optimizer to use, to ensure predictability in your query plans.

Document AI

Document AI is now generally available (GA) in the following new locations:

  • europe-west2
  • northamerica-northeast1

You must request access to use the new locations. For more information, see Regional and multi-regional support.

October 05, 2021

Cloud Asset Inventory

The following resource types are now publicly available through the resource search API (SearchAllResources), policy search API (SearchAllIamPolicies), and Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Eventarc
    • eventarc.googleapis.com/Trigger

Cloud Composer

Python Client for Cloud Composer version 1.0.0 is released. You can use this library to interact with Cloud Composer API from Python.

Cloud Storage

Turbo replication is a premium feature designed to provide inter-region replication for newly written objects within 15 minutes.

This feature is now available in Preview.

Cloud VPN

Classic VPN partial deprecation update

Starting on March 31, 2022, you will no longer be able to create new Classic VPN tunnels that use dynamic routing (BGP) unless you are creating a specifically supported configuration.

On or after March 31, 2022, you can still create the following Classic VPN configurations:

  • Classic VPN tunnels that use dynamic routing and connect to VPN gateway software running inside a Compute Engine VM.
  • Classic VPN tunnels that use static (route-based or policy-based) routing.

This notice replaces any previous notice about the deprecation of static routing configurations in Classic VPN.

Although Google will not proactively disable existing connections on the deprecation date, deprecated Classic VPN configurations will only receive maintenance updates going forward.

For more information, see Classic VPN partial deprecation for a video tutorial and documentation to help you migrate to the more reliable High Availability Cloud VPN solution.

Filestore

You can now get support for preview features for Filestore. For details see the Support page.

Migrate for Anthos and GKE

Fit assessment tool now in GA

The migration fit assessment tool has moved from Public Preview to General Availability. The migration fit assessment tool helps users assess their workloads' fit for containerization. It provides users with detailed technical insights and a fit score per workload. The HTML fit assessment report enables users to easily share assessment data offline. The JSON file report allows them to view their assessment directly on the cloud console.

194605214 Use controller storage by default for pod log collection for logging migration tasks. Setup max log file size and file rotation.

187922406 Fixed LVM mount failure caused from broken device mapper devices.

198092293 [MFIT] vSphere level <-> guest level data correlation failure with certain NIC configurations.

197432816 [MFIT] More granular assessment of supported Windows versions.

197206783 [MFIT] Fixed failure to run guest collect script via SSH with a non-root remote user.

196712456, 201610944 [MFIT] Minor html report UI improvements.

Security Command Center

Security Health Analytics, a built-in service of Security Command Center, released new detectors in general availability.

The following detectors, available only in Security Command Center's Premium tier, detect vulnerabilities in your Google Kubernetes Engine clusters and expand the number of detectors that support the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0:

For more information, see Container vulnerability findings. To learn how to remediate vulnerabilities, see Remediating Security Health Analytics findings.

Vertex AI

Vertex Feature Store is generally available (GA).

October 04, 2021

Anthos clusters on VMware

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For more information, see the GCP-2021-021 security bulletin.

Anthos on bare metal

Security bulletin (all minor versions)

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server.

For more information, see the GCP-2021-021 security bulletin.

Artifact Registry

You can now specify a release or snapshot version policy for Maven repositories when you create them. You cannot change the version policy of an existing repository. Repositories created before availability of this feature accept both snapshot and release packages.

Cloud Bigtable

Cloud Bigtable provides a CPU utilization by app profile, method, and table metric that gives you more granular observability into the cluster's CPU usage. This metric is generally available (GA).

Cloud Monitoring

GKE version 1.20.8-gke.2100 or later offers a Preview of a fully managed metric collection pipeline to scrape Prometheus-style metrics exposed by any GKE workload and send those metrics to Cloud Monitoring for dashboards, alerts, and SLOs. Compared to the Prometheus Stackdriver sidecar, this new pipeline is easy to set up, allows filtering to control cost, supports larger clusters, is fully managed, supports Autopilot and horizontal Pod autoscaling, and offers better pricing. Get started with GKE workload metrics.

Cloud Run for Anthos

Preview: Newly deployed services are now automatically configured to use nip.io as the default domain, providing immediate access to each of your services without configuration. The nip.io default domain is only available through Cloud Run for Anthos fleet installations. Existing services in your fleet that use the previous example.com default domain are automatically upgraded to use the new nip.io domain. Learn more about test domains.

Cloud SQL for MySQL

Cloud SQL now supports the ability for you to specify IP CIDR ranges from your VPC network for your Cloud SQL instances allowing you to manage your IP address space better. For more information, see Allocated IP address ranges. To start using this feature now, see Configuring private IP for a new instance.

Google Kubernetes Engine

GKE version 1.20.8-gke.2100 or later offers a Preview of a fully managed metric collection pipeline to scrape Prometheus-style metrics exposed by any GKE workload and send those metrics to Cloud Monitoring for dashboards, alerts, and SLOs. Compared to the Prometheus Stackdriver sidecar, this new pipeline is easy to set up, allows filtering to control cost, supports larger clusters, is fully managed, supports Autopilot and horizontal Pod autoscaling, and offers better pricing. Get started with GKE workload metrics.

Virtual Private Cloud

The number of Private Service Connect endpoints that are connected to a service attachment is now correctly adjusted when an endpoint is deleted.

If you are using Private Service Connect endpoints to access services in another VPC network, and you create more endpoints than are allowed by the limit set by the service producer, any endpoints created after the limit is reached have a status of Pending, as expected. Now, if you remove endpoints to get below the limit, the status of those endpoints correctly changes to Accepted.

October 03, 2021

Migrate for Compute Engine

Migrate for Compute Engine now supports the configuration of multiple network interfaces for migrated VMs.

October 01, 2021

BeyondCorp Enterprise

The BeyondCorp Enterprise and Tanium integration is now generally available.

With this integration, you can collect the real-time information about the devices in your organization using Tanium, and use this information to manage your devices and control access to your organizational resources using BeyondCorp Enterprise.

For more information, see BeyondCorp Enterprise and Tanium integration overview.

The BeyondCorp Enterprise and CrowdStrike Falcon Zero Trust Assessment (Falcon ZTA) integration is now generally available.

With this integration, you can collect the real-time information about the devices in your organization using Falcon ZTA, and use this information to manage your devices and control access to your organizational resources using BeyondCorp Enterprise.

For more information, see BeyondCorp Enterprise and Falcon ZTA integration overview.

BigQuery

BigQuery pricing has changed as follows:

  1. BigQuery Storage Read API has moved from a single regional SKU to a set of regional SKUs for bytes scanned. All BigQuery Storage Read API users can now read up to 300 TB of data per month at no charge. For more information, see BigQuery data extraction pricing.

  2. BigQuery now charges BigQuery Storage Read API users for network egress. For more information, see BigQuery Storage Read API Network Egress Within Google Cloud.

BigQuery now supports the following geospatial data functions:

  • ST_BUFFER: Returns a GEOGRAPHY that represents the buffer around the input GEOGRAPHY. You specify the number of segments to determine how much the resulting geography can deviate from the ideal buffer radius.

  • ST_BUFFERWITHTOLERANCE: Returns a GEOGRAPHY that represents the buffer around the input GEOGRAPHY. You specify the tolerance to determine how much the resulting geography can deviate from the ideal buffer radius.

These functions are available as a preview.

Cloud Vision

OCR Model Update

An improved model is now available for Text Detection (OCR). The new model can be used with TEXT_DETECTION and DOCUMENT_TEXT_DETECTION features. The same model is used for requests sent to both features. With the new model, the distribution of confidence scores of responses will change. For more information, see Service announcements.

Please note that you have 90 days from today to test the new model by specifying "builtin/latest" in the model field of the Feature object. At the end of that period, it will be promoted to the default model accessible as "builtin/stable". After that event, the original models will still be available for another 90 days using "builtin/legacy". If you encounter problems with this upgrade, please contact Vision API engineering team by submitting a ticket in the private issue tracker.

Deprecate region forwarding

In 90 days, specifying the location "us" or "eu" in the request to the global endpoint vision.googleapis.com will no longer be supported. Instead you should directly call the "us" or "eu" region endpoints (us-vision.googleapis.com or eu-vision.googleapis.com). You can find more information in the Multi-regional support section of the feature pages.

New multi-regional support for features

The Vision API now offers multi-regional support (us and eu) for the LABEL_DETECTION and SAFE_SEARCH features.

Config Connector

Config Connector 1.63.0 is now available.

Added spec.configSync.git.gcpServiceAccountRef to GKEHubFeatureMembership.

Added spec.destroyScheduledDuration to KMSCryptoKey.

ComputeDisk: spec.interface has been deprecated. The value of spec.interface is no longer used by the API, so all validation has been removed and values will not be populated. You should remove this field from your configuration.

ComputeRouterPeer: ipAddress is no longer a read-only field, and can be set with the spec.ipAddress field.

Dataproc

New sub-minor versions of Dataproc images:

1.4.73-debian10, 1.4.73-ubuntu18,

1.5.48-centos8, 1.5.48-debian10, 1.5.48-ubuntu18,

2.0.22-centos8, 2.0.22-debian10, 2.0.22-ubuntu18

Fixed an issue where complete YARN container logs were not visible in 1.5 and 2.0 Images.

HADOOP-15129: Fixed in 2.0 Images: Datanode cached namenode DNS lookup failure and could not startup on.

Google Kubernetes Engine

(2021-R30) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.20.10-gke.301 is now the default version.
  • The following control plane and node versions are now available:
  • The following control plane versions are no longer available:
    • 1.18.20-gke.3001
    • 1.18.20-gke.3300
    • 1.18.20-gke.4100
    • 1.18.20-gke.4501
    • 1.18.20-gke.6000
    • 1.19.12-gke.2101
    • 1.20.8-gke.2101
    • 1.20.9-gke.701
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Stable channel

  • Version 1.19.13-gke.1200 is now the default version.
  • The following control plane and node versions are now available in the Stable channel:
  • The following versions are no longer available in the Stable channel:
    • 1.19.13-gke.701
    • 1.20.9-gke.1000
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.13-gke.1200 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.20.9-gke.1001 with this release.

Regular channel

  • Version 1.20.10-gke.301 is now the default version in the Regular channel.
  • Version 1.21.3-gke.2001 is now available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.10-gke.301 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.3-gke.2001 with this release.

Rapid channel

  • Version 1.21.4-gke.1801 is now the default version in the Rapid channel.
  • The following control plane and node versions are now available in the Rapid channel:
  • Version 1.21.4-gke.301 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.4-gke.1801 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.1-gke.1602 with this release.

1.20 clusters with legacy ABAC authorization enabled should not upgrade to 1.21 until 1.21.4-gke.2500+ is available.

1.21 is now generally available

Kubernetes version 1.21 is now generally available. Before upgrading, read the Kubernetes 1.21 Release Notes, especially the action required and deprecation sections.

The following features are introduced in version 1.21:

CronJob (GA)

The CronJob API has graduated to General Availability (GA), bringing performance improvements and allowing scheduled jobs to be run using a stable API.

  • This resource is now available in the batch/v1 group/version.
  • The batch/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

PodDisruptionBudget (GA)

The PodDisruptionBudget has graduated to GA, allowing Pod evictions to be controlled using a stable API.

  • This resource is now available in the policy/v1 group/version.
  • The policy/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

EndpointSlice (GA)

The EndpointSlice API has graduated to GA, bringing performance improvements over the v1 Endpoints API.

  • This more scalable API for service discovery is now enabled on all clusters and is promoted to discovery.k8s.io/v1.
  • The discovery.k8s.io/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

Default namespace label (Beta)

Namespace API objects now have a kubernetes.io/metadata.name label matching their metadata.name field to allow selecting any namespace by its name using a label selector. This can be used for objects which select namespaces by label, such as admission webhooks and network policies.

Bound service account token volumes (Beta)

  • The API credentials injected into containers at /var/run/secrets/kubernetes.io/serviceaccount/token are now time-limited, auto-refreshed, and invalidated when the containing pod is deleted.
  • By default, injected tokens are given an extended lifetime so they remain valid even after a new refreshed token is provided. The metric serviceaccount_stale_tokens_total and the audit annotation authentication.k8s.io/stale-token can be used to monitor for workloads that depend on the extended lifetime and are continuing to use tokens even after a refreshed token is provided to the container.
  • Clients should reload the token from disk periodically (once per minute is recommended) to ensure they use the refreshed token. k8s.io/client-go version 11.0.0+ and 0.15.0+ reload tokens automatically.
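For clients that do not use a library with built-in reloading, the once-per-minute reload recommended above can be implemented as follows. This is an added example, not code from Kubernetes or GKE: `ReloadingToken`, `token_expiry` and `demo` are hypothetical names, and the tokens in `demo` are constructed, unsigned stand-ins for real projected tokens.

```python
import base64
import json
import os
import tempfile
import time

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
RELOAD_SECONDS = 60  # "once per minute is recommended"


class ReloadingToken:
    """Hypothetical helper: caches the injected token and re-reads it from disk."""

    def __init__(self, path=TOKEN_PATH, reload_seconds=RELOAD_SECONDS,
                 clock=time.monotonic):
        self._path = path
        self._reload_seconds = reload_seconds
        self._clock = clock
        self._token = None
        self._loaded_at = None

    def get(self):
        now = self._clock()
        stale = (self._token is None
                 or now - self._loaded_at >= self._reload_seconds)
        if stale:
            try:
                with open(self._path, encoding="ascii") as fh:
                    fresh = fh.read().strip()
            except OSError:
                fresh = ""
            if fresh:
                self._token, self._loaded_at = fresh, now
            elif self._token is None:
                raise RuntimeError("no service account token at " + self._path)
            # A failed re-read keeps the cached token; the next call retries.
        return self._token


def token_expiry(token):
    """Return the 'exp' claim (Unix seconds) WITHOUT verifying the signature.

    For logging remaining lifetime only; never use it as an authorization check.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]


def _constructed_jwt(exp):
    # Constructed sample token: empty header, one claim, dummy signature.
    body = base64.urlsafe_b64encode(json.dumps({"exp": exp}).encode())
    return "e30." + body.decode().rstrip("=") + ".sig"


def demo():
    """Simulate a rotation with a fake clock; returns the 'exp' seen per call."""
    now = [0.0]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "token")

        def write(token):
            with open(path, "w", encoding="ascii") as fh:
                fh.write(token)

        write(_constructed_jwt(1000))
        source = ReloadingToken(path, clock=lambda: now[0])
        seen = [token_expiry(source.get())]   # initial read
        write(_constructed_jwt(4600))         # token is refreshed on disk
        now[0] = 30.0
        seen.append(token_expiry(source.get()))  # inside the interval: cached
        now[0] = 61.0
        seen.append(token_expiry(source.get()))  # interval elapsed: reloaded
        os.remove(path)
        now[0] = 130.0
        seen.append(token_expiry(source.get()))  # read fails: keep last token
    return seen


if __name__ == "__main__":
    print(demo())
```
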

In Kubernetes 1.21, newly provisioned PersistentVolumes by gce-pd will use the topology.kubernetes.io/zone GA label instead of the failure-domain.beta.kubernetes.io/zone beta label.

New Beta and Stable APIs

The following Stable APIs are new in 1.21:

  • batch/v1 CronJob
  • policy/v1 PodDisruptionBudget
  • discovery.k8s.io/v1 EndpointSlice

The following Beta APIs are new in 1.21:

  • storage.k8s.io/v1beta1 CSIStorageCapacity

Deprecated APIs

The following APIs are deprecated in the 1.21 release:

  • PodSecurityPolicy
    • policy/v1beta1 PodSecurityPolicy
    • Deprecated in 1.21 with removal targeted for version 1.25.
  • The following Beta versions of newly graduated APIs will be removed in 1.25 in favor of GA versions:
    • discovery.k8s.io/v1beta1 EndpointSlice
    • policy/v1beta1 PodDisruptionBudget
    • batch/v1beta1 CronJob
  • The following Beta versions of previously graduated APIs will be removed in 1.22 in favor of GA versions:
    • admissionregistration.k8s.io/v1beta1, MutatingWebhookConfiguration
    • admissionregistration.k8s.io/v1beta1, ValidatingWebhookConfiguration
    • apiextensions.k8s.io/v1beta1, CustomResourceDefinition
    • apiregistration.k8s.io/v1beta1, APIService
    • authentication.k8s.io/v1beta1, TokenReview
    • authorization.k8s.io/v1beta1, LocalSubjectAccessReview
    • authorization.k8s.io/v1beta1, SelfSubjectAccessReview
    • authorization.k8s.io/v1beta1, SubjectAccessReview
    • certificates.k8s.io/v1beta1, CertificateSigningRequest
    • coordination.k8s.io/v1beta1, Lease
    • extensions/v1beta1, Ingress
    • networking.k8s.io/v1beta1, Ingress
    • networking.k8s.io/v1beta1, IngressClass
    • rbac.authorization.k8s.io/v1beta1, ClusterRole
    • rbac.authorization.k8s.io/v1beta1, ClusterRoleBinding
    • rbac.authorization.k8s.io/v1beta1, Role
    • rbac.authorization.k8s.io/v1beta1, RoleBinding
    • scheduling.k8s.io/v1beta1, PriorityClass
    • storage.k8s.io/v1beta1, CSIDriver
    • storage.k8s.io/v1beta1, CSINode
    • storage.k8s.io/v1beta1, StorageClass
    • storage.k8s.io/v1beta1, VolumeAttachment

1.22 is now available in the Rapid channel

Kubernetes 1.22 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.22 Release Notes, especially the action required and deprecation sections.

Removed API versions in 1.22

The following Beta versions of previously graduated APIs are removed in 1.22 in favor of the GA versions. All existing objects can be interacted with via the stable APIs. Update API clients and manifests to use the GA APIs before upgrading. For more information, see the Kubernetes 1.22 deprecated APIs guide.

  • admissionregistration.k8s.io/v1beta1, MutatingWebhookConfiguration
  • admissionregistration.k8s.io/v1beta1, ValidatingWebhookConfiguration
  • apiextensions.k8s.io/v1beta1, CustomResourceDefinition
  • apiregistration.k8s.io/v1beta1, APIService
  • authentication.k8s.io/v1beta1, TokenReview
  • authorization.k8s.io/v1beta1, LocalSubjectAccessReview
  • authorization.k8s.io/v1beta1, SelfSubjectAccessReview
  • authorization.k8s.io/v1beta1, SubjectAccessReview
  • certificates.k8s.io/v1beta1, CertificateSigningRequest
  • coordination.k8s.io/v1beta1, Lease
  • extensions/v1beta1, Ingress
  • networking.k8s.io/v1beta1, Ingress
  • networking.k8s.io/v1beta1, IngressClass
  • rbac.authorization.k8s.io/v1beta1, ClusterRole
  • rbac.authorization.k8s.io/v1beta1, ClusterRoleBinding
  • rbac.authorization.k8s.io/v1beta1, Role
  • rbac.authorization.k8s.io/v1beta1, RoleBinding
  • scheduling.k8s.io/v1beta1, PriorityClass
  • storage.k8s.io/v1beta1, CSIDriver
  • storage.k8s.io/v1beta1, CSINode
  • storage.k8s.io/v1beta1, StorageClass
  • storage.k8s.io/v1beta1, VolumeAttachment

Deprecated API versions

These APIs are still served in version 1.22 but are in a deprecation period, and will be removed in 1.25:

  • PodSecurityPolicy
    • policy/v1beta1 PodSecurityPolicy
    • Deprecated in 1.21 with removal targeted for version 1.25.
  • The following Beta versions of graduated APIs will be removed in 1.25 in favor of their GA versions:
    • discovery.k8s.io/v1beta1 EndpointSlice, deprecated since 1.21
    • policy/v1beta1 PodDisruptionBudget, deprecated since 1.21
    • batch/v1beta1 CronJob, deprecated since 1.21
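To find manifests that still need updating before an upgrade, the two lists above can be turned into a scanner. This is an added example, not a GKE or Kubernetes tool: the function names are hypothetical and the sample manifests are constructed. It assumes plain multi-document YAML, reads only top-level `apiVersion`, `kind` and `metadata.name`, and does not expand `kind: List` wrappers.

```python
import re

# apiVersion -> kinds, copied from the release-note lists above.
REMOVED_IN_1_22 = {
    "admissionregistration.k8s.io/v1beta1": {
        "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"},
    "apiextensions.k8s.io/v1beta1": {"CustomResourceDefinition"},
    "apiregistration.k8s.io/v1beta1": {"APIService"},
    "authentication.k8s.io/v1beta1": {"TokenReview"},
    "authorization.k8s.io/v1beta1": {
        "LocalSubjectAccessReview", "SelfSubjectAccessReview",
        "SubjectAccessReview"},
    "certificates.k8s.io/v1beta1": {"CertificateSigningRequest"},
    "coordination.k8s.io/v1beta1": {"Lease"},
    "extensions/v1beta1": {"Ingress"},
    "networking.k8s.io/v1beta1": {"Ingress", "IngressClass"},
    "rbac.authorization.k8s.io/v1beta1": {
        "ClusterRole", "ClusterRoleBinding", "Role", "RoleBinding"},
    "scheduling.k8s.io/v1beta1": {"PriorityClass"},
    "storage.k8s.io/v1beta1": {
        "CSIDriver", "CSINode", "StorageClass", "VolumeAttachment"},
}
REMOVAL_IN_1_25 = {
    "policy/v1beta1": {"PodSecurityPolicy", "PodDisruptionBudget"},
    "discovery.k8s.io/v1beta1": {"EndpointSlice"},
    "batch/v1beta1": {"CronJob"},
}


def _scan_document(text):
    """Return (apiVersion, kind, metadata.name) read from top-level keys only."""
    api = kind = name = None
    in_meta, meta_indent = False, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if indent == 0:
            in_meta, meta_indent = (key == "metadata"), None
            if key == "apiVersion":
                api = value
            elif key == "kind":
                kind = value
        elif in_meta:
            if meta_indent is None:
                meta_indent = indent
            # Only direct children of metadata, so labels.name is ignored.
            if indent == meta_indent and key == "name":
                name = value
    return api, kind, name


def find_obsolete_apis(manifest_text):
    """List (status, apiVersion, kind, name) for every affected object."""
    findings = []
    for doc in re.split(r"(?m)^---[ \t]*$", manifest_text):
        api, kind, name = _scan_document(doc)
        if kind in REMOVED_IN_1_22.get(api, ()):
            findings.append(("removed-in-1.22", api, kind, name or "?"))
        elif kind in REMOVAL_IN_1_25.get(api, ()):
            findings.append(("removal-in-1.25", api, kind, name or "?"))
    return findings


# Constructed sample input. The nested roleRef kind and the 1.21 Beta
# CSIStorageCapacity API must not be reported.
SAMPLE = """\
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: nightly
  labels:
    name: not-the-object-name
---
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: cap-1
"""

if __name__ == "__main__":
    for finding in find_obsolete_apis(SAMPLE):
        print(*finding)
```

Matching on the (apiVersion, kind) pair rather than on the group/version alone matters here: storage.k8s.io/v1beta1 is removed for four kinds in 1.22 while CSIStorageCapacity is newly Beta in the same group/version.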

New API versions in 1.22

The pods/eviction subresource now accepts policy/v1 eviction requests in addition to policy/v1beta1 eviction requests (#100724)

Notable features in 1.22

GA: Server-side Apply

Server-side Apply is a new object merge algorithm, as well as tracking of field ownership, running on the Kubernetes API server. Server-side Apply helps users and controllers create and modify their resources via declarative configurations by sending their fully specified intent. Refer to server-side apply documentation for more information. Improvements in 1.22 include:

  • scale subresource ownership is tracked correctly (#98377)
  • label selector fields are applied atomically (#97989)

Beta: DaemonSet maxSurge

DaemonSet objects now support a maxSurge rollout parameter, which allows running updated pods for the DaemonSet on nodes before removing old pods. Refer to the DaemonSet API documentation for more information.

Beta: Suspended jobs

Job objects can now be created or placed in a suspended state, to allow higher-level control over ordering and scheduling of batch workloads. Refer to the Job documentation for more information.

Beta: podAffinity namespace selection

Pod affinity rules can now specify namespaces using a label selector, in addition to a fixed list of namespace names. Refer to the pod affinity documentation for more information.

Notable changes and bug fixes in 1.22

  • The terminationGracePeriodSeconds field on pod specs and container probes should not be negative. Negative values of terminationGracePeriodSeconds will be treated as the value 1 on the delete path. Immutable field validation will be relaxed in order to update negative values. In a future release, negative values will not be permitted. (#98866)

  • As a mitigation for CVE-2021-25740, newly created Kubernetes 1.22 clusters no longer include write access to the Endpoints API in the edit and admin roles by default. Existing clusters upgraded to Kubernetes 1.22 retain previous permissions in those roles. For instructions to re-add Endpoints write access to the edit and admin roles in newly created 1.22 clusters, refer to the RBAC documentation.

September 30, 2021

Anthos GKE on AWS

Anthos Clusters on AWS aws-1.9.0-gke.2 is now available.

Anthos clusters on AWS aws-1.9.0-gke.2 clusters run the following Kubernetes versions:

  • 1.18.20-gke.6300
  • 1.19.14-gke.2200
  • 1.20.10-gke.2000
  • 1.21.4-gke.2100

You can now launch Kubernetes 1.21 clusters.

Anthos Identity Service is available on Kubernetes clusters version 1.21 and above.

Kubernetes 1.21 clusters now support the Kubernetes Konnectivity tool for communication between nodes and the control plane. When you launch a 1.21 cluster, you must allow connections between control plane nodes and node pool nodes on port 8132.

You can now update the OIDC configuration on a running cluster.

You can now specify a Cloud Storage Bucket name where Anthos clusters on AWS stores configuration data.

You can now launch node pools with AWS R5 instances.

The VolumeSnapshot resource API version v1beta1 is deprecated in Kubernetes 1.21 clusters. Use API version v1 for 1.21 clusters and above. All previously persisted VolumeSnapshot objects remain functional.

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For more information, see the GCP-2021-021 security bulletin.

You cannot create new 1.16 clusters. Existing 1.16 clusters continue to function.

Error messages when upgrading or downgrading your clusters have been clarified.

Anthos clusters on Azure

A new release of Anthos clusters on Azure is now available.

Anthos clusters on Azure now supports Kubernetes 1.20 clusters.

You must now manage your clusters with the gcloud command-line tool version 358.0.0 or higher.

Kubernetes 1.20 includes a fix for CVE-2021-25741. We recommend you replace all 1.19 clusters with 1.20 clusters.

Cluster updates are not supported. To use Kubernetes 1.20, you must create new clusters.

You can now use an HTTP proxy with Kubernetes 1.20 clusters.

You can now launch clusters in the Singapore and Australia regions.

You can now specify zone placement of control plane replicas when you create a cluster. For more information, see Control plane zonal placement.

When you get credentials for a Kubernetes 1.20 cluster, use the gcloud alpha container azure clusters get-credentials command.

Cloud Bigtable

Storage limits for Cloud Bigtable nodes have been doubled. Each node now supports twice as much storage, with no increase in per-node costs. This feature is generally available (GA).

Cloud Monitoring

Cloud Monitoring dashboards now support displays of data in tabular form. For information about this feature, see Configure tables with the Cloud Console and Configure tables by using the API.

Dataproc Metastore

CMEK integration with Dataproc Metastore is generally available (GA).

Filestore

You can now use Customer-Managed Encryption Keys (CMEK) to protect all data at rest in Filestore's Enterprise tier instances. CMEK in Filestore is a preview feature. For more information, see Encrypt data with customer-managed encryption keys.

Filestore's Enterprise tier now supports snapshots. A snapshot is a preserved state of your file share data that can be used to restore data. For more information, see the snapshots documentation page.

Google Cloud Armor

Google Cloud Armor Adaptive Protection is now in General Availability.

Google Kubernetes Engine

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. For more information, see the GCP-2021-018 security bulletin.

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For more information, see the GCP-2021-021 security bulletin.

There is a known issue where updating a BackendConfig resource using the v1beta1 API removes an active Google Cloud Armor security policy from its service. For more information, see the GCP-2021-019 security bulletin.

Now you can see how effectively your GKE clusters and workloads are utilizing your available compute resources. The new Cost Optimization tab lets you view, filter, and learn more about the CPU and memory usage, requests, allocation, and limit amounts of each of your clusters and workloads. This information can help you identify opportunities to optimize your clusters or workloads for more cost effective resource utilization. This feature is now available in Preview. For more information, see View cost-related optimization metrics.

Identity and Access Management

IAM role recommendations for folder- and organization-level roles are now generally available.

Network Connectivity Center

Cloud DNS forwarding services and Private Google Access cannot be accessed through Router appliance spokes. This issue is being worked on.

Transcoder API

Transcoder API is GA: The Transcoder API has graduated out of beta and has reached v1. All API endpoints are updated to use https://transcoder.googleapis.com/v1/.

Added Troubleshooting guide.

VPC Service Controls

Preview stage support for the following integration:

September 29, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.9.0-gke.8 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.0-gke.8 runs on Kubernetes v1.21.4-gke.200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

Features:

Cluster lifecycle improvements:

  • GA: You can register an admin cluster during its creation by filling in the gkeConnect section in the admin cluster configuration file, similar to user cluster registration.

Platform enhancements:

  • Preview: User clusters can now be in a different vSphere datacenter from the admin cluster, resulting in datacenter isolation between the admin cluster and user clusters. This provides greater resiliency in the case of vSphere environment failures.

  • GA: Support for Windows node pools is generally available. This release adds:

    • Preview: Windows DataplaneV2 support, which allows for using Windows Network Policy
    • Node Problem Detector (NPD) support on Windows
    • Streamlined process for preparing Windows images in a private registry
    • Enhanced Flannel CNI support on Windows

    The upstream fixes for the "Windows Pod stuck at terminating status" error are also applied to this release, which improves the stability of running Windows workloads.

  • GA: Support for Container-Optimized OS (COS) node pools is generally available.

  • GA: CoreDNS is now the cluster DNS provider.

    • Clusters that are upgraded to 1.9 will have their KubeDNS provider replaced with CoreDNS. During the upgrade, CoreDNS is first deployed and then KubeDNS is removed, so applications should not observe DNS unavailability. However, before upgrading, ensure that your cluster has enough additional resources to deploy CoreDNS. CoreDNS requires 100 millicpu and 170 MiB of memory per instance, all clusters require a minimum of 2 instances, and there is an additional instance deployed for every 16 nodes in the cluster.
    • You can configure cluster DNS options such as upstream name servers by using the new ClusterDNS custom resource.

Security enhancements:

  • GA: Always-on secrets encryption: You can enable secrets encryption with internally generated keys instead of a hardware security module (HSM). Use the gkectl update command to rotate these keys or to enable or disable secrets encryption after cluster creation.
  • Preview: Windows network policy support. This release introduces a new network plugin, Antrea, for Windows nodes. In addition to network connectivity and services support, it provides network policy support. When creating a user cluster, you can set enableWindowsDataplaneV2 to true to enable this feature. Enabling this feature replaces Flannel with Antrea on Windows nodes.
  • Preview: Azure AD group support for Authentication: This feature allows cluster admins to configure RBAC policies based on Azure AD groups for authorization in clusters. This supports retrieval of groups information for users belonging to more than 200 groups, thus overcoming a limitation of regular OIDC configured with Azure AD as the identity provider.

Simplify day-2 operations:

  • Preview: When creating a user cluster, you can set enableVMTracking in the configuration file to true to enable vSphere tag creation and attachment to the VMs in the user cluster. This allows easy mapping of VMs to clusters and node pools. See Enable VM tracking.
  • GA: New metrics agents based on OpenTelemetry are introduced to improve reliability, scalability, and resource usage.
  • Preview: You can enable or disable Stackdriver with gkectl update on existing user clusters. You can enable or disable cloud audit logging and monitoring with gkectl update on both admin and user clusters.

Breaking changes:

  • User cluster registration is now required and enforced. You must fill in the gkeConnect section of the user cluster configuration file before creating a new user cluster. You cannot upgrade a user cluster unless that cluster is registered. To unblock the cluster upgrade, add the gkeConnect section to the configuration file and run gkectl update cluster to register an existing 1.8 user cluster.

  • User clusters must be upgraded before the admin cluster. The flag --force-upgrade-admin to allow the old upgrade flow (admin cluster upgrade first) is no longer supported.

  • The following requirements are now enforced when you create a cluster that has logging and monitoring enabled.

    • The Config Monitoring for Ops API is enabled in your logging-monitoring project.
    • The Ops Config Monitoring Resource Metadata Writer role is granted to your logging-monitoring service account.
    • The URL opsconfigmonitoring.googleapis.com is added to your proxy allowlist (if applicable).

Changes:

  • There is now a checkpoint file for the admin cluster, located in the same datastore folder as the admin cluster data disk, with the name DATA_DISK_NAME-checkpoint.yaml, or DATA_DISK_NAME.yaml if the length of DATA_DISK_NAME is greater than the filename length limit. This file is required for future upgrades and should be considered as important as the admin cluster data disk.

    Note: If you have enabled VM encryption in vCenter, you must grant Cryptographer.Access permission to the vCenter credentials specified in your admin cluster configuration file, before trying to create or upgrade your admin cluster.

  • The admin cluster backup with gkectl preview feature introduced in 1.8 now allows updates to clusterBackup.datastore. This datastore may be different from vCenter.datastore so long as it is in the same datacenter as the cluster.

  • The k8s 1.21 release includes the following metrics changes:

    • A new status field is added to storage_operation_duration_seconds, so that you can see storage operation latency for every status.
    • The storage metrics storage_operation_errors_total and storage_operation_status_count are marked deprecated. In both cases, the storage_operation_duration_seconds metric can be used to recover equivalent counts (using status=fail-unknown in the case of storage_operation_errors_total).

    • Rename the metric etcd_object_counts to apiserver_storage_object_counts and mark it as stable. The original etcd_object_counts metrics name is marked as "Deprecated" and will be removed in the future.

  • A new GKE on-prem control plane uptime dashboard is introduced with a new metric, kubernetes.io/anthos/container/uptime, for component availability. The old GKE on-prem control plane status dashboard and old kubernetes.io/anthos/up metric are deprecated. New alerts for admin cluster control plane components availability and user cluster control plane components availability are introduced with a new kubernetes.io/anthos/container/uptime metric to replace deprecated alerts and the old kubernetes.io/anthos/up metric.

  • You can now skip certain health checks performed by gkectl diagnose cluster with the --skip-validation-xxx flag.
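
The metric deprecations listed above can leave alerts silently empty after the upgrade. The following added example (not part of the release notes or of any Google tooling) audits alert expressions and dashboard filters for the deprecated names and rewrites the Kubernetes ones; it assumes the histogram's count is read from the conventional `_count` series, and the sample rules are constructed.

```python
import re

NAME = r"[A-Za-z0-9_:]"          # characters allowed in a Prometheus metric name
HIST_COUNT = "storage_operation_duration_seconds_count"  # assumed _count series
# Straight renames from the note; existing label selectors carry over unchanged.
RENAMED = {
    "etcd_object_counts": "apiserver_storage_object_counts",
    "storage_operation_status_count": HIST_COUNT,
}
# Errors counter plus its optional {label selector}.
ERRORS_RE = re.compile(
    rf"(?<!{NAME})storage_operation_errors_total(?!{NAME})(?:\{{([^}}]*)\}})?")
# Old Cloud Monitoring metric type; must not match the new .../container/uptime.
ANTHOS_UP_RE = re.compile(r"kubernetes\.io/anthos/up(?![A-Za-z0-9_/])")

def rewrite_expr(expr):
    """Rewrite deprecated Kubernetes 1.21 metric names inside one PromQL line."""
    for old, new in RENAMED.items():
        expr = re.sub(rf"(?<!{NAME}){re.escape(old)}(?!{NAME})", new, expr)

    def to_histogram(match):
        # Errors become the histogram count restricted to status=fail-unknown,
        # merged with whatever labels the old selector already had.
        labels = (match.group(1) or "").strip()
        merged = 'status="fail-unknown"' + (f",{labels}" if labels else "")
        return f"{HIST_COUNT}{{{merged}}}"

    return ERRORS_RE.sub(to_histogram, expr)

def audit(lines):
    """Return (line_no, kind, text) for every line that needs attention."""
    findings = []
    for no, line in enumerate(lines, 1):
        fixed = rewrite_expr(line)
        if fixed != line:
            findings.append((no, "rewrite", fixed.strip()))
        if ANTHOS_UP_RE.search(line):
            # The replacement metric has different semantics, so flag it only.
            findings.append(
                (no, "manual", "move to kubernetes.io/anthos/container/uptime"))
    return findings

# Constructed sample: alert expressions and dashboard filters, not real data.
SAMPLE = '''\
expr: rate(storage_operation_errors_total{volume_plugin="example"}[5m]) > 0
expr: sum(etcd_object_counts) by (resource) > 50000
expr: increase(storage_operation_errors_total[10m]) > 3
filter: metric.type="kubernetes.io/anthos/up"
filter: metric.type="kubernetes.io/anthos/container/uptime"
'''.splitlines()

if __name__ == "__main__":
    for no, kind, text in audit(SAMPLE):
        print(f"line {no}: {kind}: {text}")
```

Lines marked `manual` are reported rather than rewritten because an uptime metric is not a drop-in replacement for an up/down gauge; thresholds in those alerts need review.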

Fixes:

  • Fixed the issue of gkeadm trying to set permissions for the component access service account when --auto-create-service-accounts=false.
  • Fixed the timeout issue for admin cluster creation or upgrade that was caused by high network latency to reach the container registry.
  • Fixed the gkectl create-config admin and gkectl create-config cluster panic issue in the 1.8.0-1.8.3 releases.
  • Fixed the /run/aide disk usage issue that was caused by the accumulated cron log for aide.

Restoring an admin cluster from a backup using gkectl repair admin-master --restore-from-backup fails when using a private registry. The issue will be resolved in a future release.

Cloud Composer

Cloud Composer supports the IP Masquerade agent in Preview. This feature is available in new Cloud Composer 1 environments.

Changes in the preinstalled apache-airflow-backport-providers-google package for Airflow 1.10.15:

  • Dataflow job operators can be run in async mode.
  • Dataflow Hook handles no Job Type.

New versions of Cloud Composer images:

  • composer-1.17.2-airflow-2.1.2
  • composer-1.17.2-airflow-2.0.2
  • composer-1.17.2-airflow-1.10.15 (default)
  • composer-1.17.2-airflow-1.10.14
  • composer-1.17.2-airflow-1.10.12
  • composer-2.0.0-preview.3-airflow-2.1.2 (default)
  • composer-2.0.0-preview.3-airflow-2.0.2

Cloud Composer 1.12.1 has reached its end of full support period.

Cloud Data Fusion

Preview: You can now use SAP as a source for batch-based and delta-based data extraction in Cloud Data Fusion through Operational Data Provisioning (ODP). For more information, see the SAP ODP plugin overview. This plugin is available in Cloud Data Fusion version 6.4.0 and later.

Cloud Load Balancing

External HTTP(S) Load Balancing is now available in a regional mode. The new regional external HTTP(S) load balancer contains many of the features of our existing global load balancer, but with an ever-growing list of advanced traffic management capabilities. You can use this load balancer for workloads with jurisdictional compliance requirements or to access the Standard Network Tier.

For details, see:

This load balancer is available in Public Preview.

Data Catalog

The catalog.search API method now returns the displayName and description of an entry in SearchCatalogResult.

Network Connectivity Center

Previously, if you used a Router appliance spoke to connect more than 1,000 VMs, you might have experienced problems establishing BGP sessions between the router appliance instance and the Cloud Router. This issue has been resolved.

Network Connectivity Center includes new limits on the number of underlying resources that can be associated with a spoke. For information about the new limits, see Network Connectivity Center quotas and limits.

SAP on Google Cloud

SAP HANA certification: 12 TB m2-ultramem-416 VMs certified for OLAP scale out

SAP has certified the Compute Engine 12 TB m2-ultramem-416 machine type for SAP HANA OLAP workloads in scale-out configurations with up to 16 nodes. SAP workload-based sizing is required.

For more information, see Certified Compute Engine VMs for SAP HANA.

VPC Service Controls

General availability for the following integration: