Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list, see the individual product release note pages.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

April 14, 2021

Cloud Run

Cloud Run is now available in europe-central2 (Warsaw)

Google Kubernetes Engine

(2021-R12) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

  • Version 1.17.17-gke.3000 is now the default version in the Stable channel.
  • Version 1.17.17-gke.3700 is now available in the Stable channel.
  • Version 1.17.17-gke.2800 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.16 to version 1.17.17-gke.3000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.17.17-gke.3000 with this release.

Regular channel

  • Version 1.19.8-gke.1600 is now available in the Regular channel.
  • Version 1.18.16-gke.302 is no longer available in the Regular channel.

Rapid channel

  • Version 1.19.9-gke.100 is now the default version in the Rapid channel.
  • Version 1.19.9-gke.700 is now available in the Rapid channel.
  • Version 1.20.5-gke.800 is now available in the Rapid channel.
  • Version 1.19.8-gke.2000 is no longer available in the Rapid channel.
  • Version 1.20.5-gke.101 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.9-gke.100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.9-gke.100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.800 with this release.

1.19 GA

GKE version 1.19 is now generally available (GA).

Before upgrading to 1.19, read the Kubernetes 1.19 Release Notes, especially the Urgent upgrade notes.

See below for notable changes and features in version 1.19.

The basic authentication method is no longer available starting with Kubernetes version 1.19. GKE clusters also no longer support basic authentication as they gradually upgrade to Kubernetes version 1.19. Basic authentication has been disabled by default for new GKE clusters since GKE version 1.12 and its usage has been discouraged in the Hardening your cluster's security guide. Migrate away from basic authentication before your cluster control planes are upgraded to Kubernetes version 1.19 to ensure your API clients can continue accessing the API server. To learn more about recommended authentication methods in GKE, see Authenticating to the Kubernetes API Server.

Admission webhooks and custom resource conversion webhooks must use serving certificates that contain the server name in a subjectAltName extension. Server names in the certificate CommonName will not be honored in future versions.

kube-proxy now uses EndpointSlices by default.

With the release of GKE node version 1.19, the Container-Optimized OS with Docker (cos) variant is deprecated. Please migrate to the Container-Optimized OS with Containerd (cos_containerd) variant, which is now the default GKE node image. For instructions, see Containerd images.

Seccomp General Availability (GA)

Seccomp (secure computing mode) support for Kubernetes has graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or individual containers.

A new seccompProfile field is added to Pod and Container securityContext objects, starting in Kubernetes version 1.19.

securityContext:
  seccompProfile:
    # "Unconfined", "RuntimeDefault", or "Localhost"
    type: Localhost
    # only necessary if type == Localhost
    localhostProfile: my-profiles/profile-allow.json

The alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io/... are deprecated in favor of the GA API field. The alpha annotations will not be honored in Kubernetes versions 1.22 and later.

Prepare for transition

If you are currently using Seccomp annotations on Pods or Containers, you should identify and transition workloads using the annotations to set the API fields before version 1.21 is released on GKE (approximately in June 2021). No change to PodSecurityPolicy is required, as it supports both annotation and field seccomp profiles. You can perform the following recommended steps:

Locate Seccomp annotation usages

In your Kubernetes manifest files, search for "seccomp.security.alpha.kubernetes.io/pod" and "container.seccomp.security.alpha.kubernetes.io/".

Add or update securityContext fields

Based on your annotation usage, add or update (if securityContext already exists) the securityContext field in the Pod or Container spec. The annotations can be left in place, but must match the securityContext API field.

Current annotation usage and the securityContext to add or update:

  • seccomp.security.alpha.kubernetes.io/pod: In the Pod's securityContext, add the seccompProfile field.
  • container.seccomp.security.alpha.kubernetes.io/container-name: In the container-name container's securityContext, add the seccompProfile field.

Set values for seccompProfile

The type field of seccompProfile corresponds to the annotation value, and the localhostProfile field corresponds to the path that follows localhost/ in the annotation value.

Current annotation value and the equivalent seccompProfile value:

  • unconfined

    seccompProfile:
      type: Unconfined

  • runtime/default or docker/default

    seccompProfile:
      type: RuntimeDefault

  • localhost/path/to/profile.json

    seccompProfile:
      type: Localhost
      localhostProfile: path/to/profile.json
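
The transition steps above can be applied mechanically to objects exported as JSON (for instance with kubectl get -o json). The following is an added example, not code from Google or the Kubernetes project; the function names and the sample Deployment are constructed for illustration, and it assumes Pods or workloads whose Pod template sits at spec.template.

```python
import copy

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def annotation_to_profile(value):
    """Translate an alpha annotation value into a seccompProfile dict."""
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value.startswith("localhost/") and len(value) > len("localhost/"):
        return {"type": "Localhost",
                "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unrecognised seccomp annotation value: {value!r}")


def _pod_parts(obj):
    """Return (metadata, spec) of a Pod, or of the Pod template in a workload."""
    template = obj.get("spec", {}).get("template")
    if obj.get("kind") != "Pod" and isinstance(template, dict):
        return template.setdefault("metadata", {}), template.setdefault("spec", {})
    return obj.setdefault("metadata", {}), obj.setdefault("spec", {})


def _apply(holder, profile, where, problems):
    """Set securityContext.seccompProfile unless a different value is present."""
    ctx = holder.setdefault("securityContext", {})
    existing = ctx.get("seccompProfile")
    if existing is not None and existing != profile:
        # The annotation may stay, but it must match the API field.
        problems.append(f"{where}: field {existing} does not match annotation {profile}")
        return
    ctx["seccompProfile"] = profile


def migrate_seccomp(obj):
    """Return (migrated copy, problems); the input object is not modified."""
    out = copy.deepcopy(obj)
    metadata, spec = _pod_parts(out)
    problems = []
    containers = {c["name"]: c
                  for key in ("initContainers", "containers")
                  for c in spec.get(key, [])}
    for key, value in sorted((metadata.get("annotations") or {}).items()):
        if key != POD_ANNOTATION and not key.startswith(CONTAINER_PREFIX):
            continue
        try:
            profile = annotation_to_profile(value)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if key == POD_ANNOTATION:
            _apply(spec, profile, "pod", problems)
            continue
        name = key[len(CONTAINER_PREFIX):]
        if name not in containers:
            problems.append(f"{key}: no container named {name!r}")
            continue
        _apply(containers[name], profile, f"container {name}", problems)
    return out, problems


# Constructed sample: a trimmed Deployment; image and container names are made up.
SAMPLE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {
        "metadata": {"annotations": {
            POD_ANNOTATION: "docker/default",
            CONTAINER_PREFIX + "sidecar": "localhost/my-profiles/profile-allow.json",
            CONTAINER_PREFIX + "gone": "unconfined",  # stale: no such container
        }},
        "spec": {"containers": [
            {"name": "app", "image": "example/app:1"},
            {"name": "sidecar", "image": "example/sidecar:1",
             "securityContext": {"runAsNonRoot": True}},
        ]},
    }},
}

if __name__ == "__main__":
    import json
    migrated, problems = migrate_seccomp(SAMPLE)
    print(json.dumps(migrated["spec"]["template"]["spec"], indent=2))
    print("needs manual review:", problems)
```

Entries returned in the problems list (stale container names, unknown values, or a field that disagrees with its annotation) are left unchanged for manual review.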

The widely used Ingress API has graduated to general availability in Kubernetes 1.19. The v1beta1 Ingress API is deprecated, and will no longer be served in versions 1.22 and later. Before version 1.21, identify and transition clients and manifests using the v1beta1 Ingress API to use networking.k8s.io/v1.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the Ingress v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion=("extensions/v1beta1" OR "networking.k8s.io/v1beta1")
protoPayload.request.kind="Ingress"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 Ingress APIs to use networking.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 APIs need to be upgraded before your cluster is upgraded to GKE 1.22.

To migrate manifests to networking.k8s.io/v1, perform the following:

  1. Rename the spec.backend field (if specified) to spec.defaultBackend.
  2. Rename each backend.serviceName field to backend.service.name.
  3. Rename each numeric backend.servicePort field to backend.service.port.number.
  4. Rename each string backend.servicePort field to backend.service.port.name.
  5. Specify a pathType field for each defined path. Options are Prefix, Exact, and ImplementationSpecific. To match the undefined v1beta1 behavior, use ImplementationSpecific.

As an example, to migrate this v1beta1 manifest to v1:

Original v1beta1 manifest:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
spec:
  backend:
    serviceName: default-backend
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80

Equivalent networking.k8s.io/v1 manifest:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
spec:
  defaultBackend:
    service:
      name: default-backend
      port:
        number: 80
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 80

CertificateSigningRequest v1 API

The CertificateSigningRequest API has graduated to certificates.k8s.io/v1 in Kubernetes 1.19. The v1beta1 CertificateSigningRequest API is deprecated and will no longer be served in version 1.22 and later.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the CertificateSigningRequest v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion="certificates.k8s.io/v1beta1"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 CertificateSigningRequest API to use certificates.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 API need to be upgraded before your cluster is upgraded to GKE version 1.22.

Differences between the v1beta1 and v1 API are as follows:

  • For API clients requesting certificates:
    • spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created via the certificates.k8s.io/v1 API.
    • spec.usages is now required, may not contain duplicate values, and must only contain known usages.
  • For API clients approving or signing certificates:
    • status.conditions may not contain duplicate types.
    • status.conditions[*].status is now required.
    • status.certificate must be PEM-encoded, and must contain only CERTIFICATE blocks.

Admission webhooks and custom resource conversion webhooks using invalid serving certificates that do not contain the server name in a subjectAltName extension cannot be contacted by the Kubernetes API server in 1.19 prior to version 1.19.9-gke.400. This will be resolved in version 1.19.9-gke.400, and automatic upgrades from 1.18 to 1.19 will not begin until this issue is resolved. However, affected webhooks should work to correct their serving certificates in order to work correctly with Kubernetes version 1.22 and later.

Service API objects with more than 100 ports do not work correctly with EndpointSlices (https://issue.k8s.io/99382). This will be resolved in version 1.19.9-gke.600, and automatic upgrades from 1.18 to 1.19 will not begin until this issue is resolved.

Virtual Private Cloud

Access to Google APIs and services using Private Service Connect is now available in General Availability.

Using non-RFC 1918 addresses for Private Service Connect endpoints results in unexpected costs due to a billing issue. To prevent this issue, avoid using non-RFC 1918 IP addresses and instead use RFC 1918 IP addresses for Private Service Connect endpoints. If you are affected by this issue, contact your account team for remediation.

April 13, 2021

App Engine flexible environment .NET

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment Go

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment PHP

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment Python

App Engine is now available in the europe-central2 region (Warsaw).

App Engine flexible environment custom runtimes

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Go

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Java

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment PHP

App Engine is now available in the europe-central2 region (Warsaw).

App Engine standard environment Python

App Engine is now available in the europe-central2 region (Warsaw).

Compute Engine

Generally available: VM Manager integration with VPC Service Control.

Generally available: You can now configure schedule-based autoscaling for your managed instance groups. Schedule-based autoscaling lets you improve the availability of your application by scheduling capacity ahead of anticipated load.

Datastore

Support for the europe-central2 (Warsaw) region.

April 12, 2021

Cloud Functions

Cloud Functions is now available in the following region:

  • europe-central2 (Warsaw)

See Cloud Functions Locations for details.

Cloud Logging

Shared queries are now generally available (GA). To learn more, see Shared queries.

Cloud Monitoring

The dashboard save feature now displays the date and time of the last save operation. You can also disable and enable autosave. For more information, see Configuring dashboards.

April 09, 2021

Cloud Monitoring

Cloud Monitoring has changed the default behavior for when notifications are sent. For new alerts, the default behavior is to send a notification only when the incident is created. For all alerts, the alert's Policy detail page displays when notifications are sent. To change this behavior, edit the policy. For more information, see Managing Policies.

Document AI

Procurement DocAI General availability (GA) release

Procurement DocAI (PDAI) solution is now available in private General Availability (GA).

This includes the following processors:

Human in the Loop (HITL) support for Procurement DocAI processors

Procurement DocAI processors now support Human in the Loop (HITL) AI platform functionality supporting human revisions of predictions.

Invoice parser behavior update

The invoice parser behavior has been updated to include the following features:

  • Offers extended support for the following languages (in addition to English):
    • French
    • Dutch
    • German
    • Spanish
  • Improves supplier parsing accuracy with Knowledge Graph support.
  • Improves prediction quality (accuracy).
  • Extends the header and line item fields extracted by the parser.
  • Increased the number of pages for online processing (10 pages) and offline processing (200 pages).
  • Increased the number of documents per batch in offline processing (50 documents).

Expense parser (Receipt parser) behavior update

The expense parser behavior has been updated to include the following features:

  • Renamed Receipt parser to Expense parser.
  • Improved prediction quality.
  • Improved prediction quality for English, French, and Dutch for more expense types (for example hotel statements).

Human in the Loop (HITL) AI General Availability (GA) released

HITL AI is now available in Private General Availability (GA) for human review of Invoice, Expense, and Utility parser predictions.

Features:

  • HITL configuration enhanced to designate which fields need review and whether a field is mandatory, saving review time.
  • Labeler UI highlights the fields below a confidence score and supports single-click confirmation to improve review efficiency.
  • Labeling Manager shows analytics and metrics by task and by labeler to streamline HITL operations.

Google Cloud VMware Engine

Added global quota limits for VMware Engine nodes so users have more flexibility in distributing resources across regions.

For details, see Quotas and limits.

Updated the display name of VMware Engine quota entries to reflect the resource type and assignment level. Quotas available to assign for VMware Engine are as follows:

  • VMware Engine standard 72 vCPUs nodes across regions
  • VMware Engine standard 72 vCPUs nodes per region

Identity and Access Management

Workload identity federation is now generally available. You can use workload identity federation to grant access to Google Cloud resources from on-premises and multi-cloud workloads.

April 08, 2021

Cloud Bigtable

Cloud Bigtable support for customer-managed encryption keys (CMEK) is now generally available.

Cloud Operations Suite

The Google Cloud Ops Agent is now available in Preview. This agent combines logging and metrics into a single agent that is targeted toward specialized logging workloads that require higher throughput and improved resource efficiency. It supports both Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to install the Google Cloud Ops Agent via Ansible on Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to provision the Google Cloud Ops Agent via Terraform on Linux and Windows Compute Engine VMs.

Compute Engine

Generally available: Predictive autoscaling for managed instance groups lets you improve the availability of your workloads by using Machine Learning to predict future demand and create virtual machines ahead of forecasted load.

April 07, 2021

Cloud CDN

Serve stale, bypassing cache, and negative caching are now Generally Available.

These features are available when configuring Cloud CDN enabled backend services and backend buckets in the Cloud Console, in addition to the gcloud SDK and REST API.

Cloud CDN now supports configuring negative caching for HTTP 302 (Found) and HTTP 307 (Temporary Redirect) status codes.

To learn how to enable negative caching for these status codes, visit the documentation.

Identity and Access Management

You can now get recommendations for folder- and organization-level role bindings using the gcloud command-line tool and REST API. This feature is available in Preview.

Security Command Center

Security Command Center Legacy, previously known as Cloud Security Command Center, and Event Threat Detection Legacy are being permanently disabled for all customers on June 7, 2021.

If you onboarded to Security Command Center before May 2020, or Event Threat Detection before June 2020, and never upgraded to Security Command Center's Standard tier or Premium tier, you are using a legacy product.

To continue benefiting from Security Command Center and Event Threat Detection without an interruption in service, customers using legacy products must migrate their organizations to Security Command Center Standard or Premium. Event Threat Detection, a built-in service of Security Command Center, is available only in the Premium tier.

For details on upgrading legacy products, see Migrate from legacy Security Command Center products.

April 06, 2021

Cloud Bigtable

Data Access audit logging for Cloud Bigtable is now generally available.

If you previously enabled Data Access audit logs for all Google Cloud services in the Cloud Audit Logs default configuration, you might need to take additional steps to enable Data Access audit logging for Cloud Bigtable. Affected customers will see a notification at the top of the Cloud Bigtable page of the Cloud Console.

Cloud Logging

Cloud Logging now supports 22 regions in which you can create a log bucket so that you can meet compliance and audit requirements when storing your logs.

Compute Engine

N2D machines are now available in the following regions and zones:

  • us-central1-b - Iowa
  • asia-northeast1-a,b - Tokyo

See VM instance pricing for details.

Generally available: You can now use instance schedules from the Google Cloud Console.

Google Kubernetes Engine

(2021-R11) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

Regular channel

  • Version 1.18.16-gke.502 is now the default version.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.17 to version 1.18.16-gke.502 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.502 with this release.

Rapid channel

  • Version 1.19.8-gke.2000 is now the default version.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.19.8-gke.1600
    • 1.20.4-gke.2200
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.8-gke.2000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.2000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.5-gke.100 with this release.

Versions no longer available

The following versions are no longer available for new clusters or upgrades:

  • Versions 1.15 and earlier.

April 05, 2021

Dataproc

Image 2.0:

April 02, 2021

Cloud CDN

Cloud CDN now treats HTTP responses with a valid, future date in the Expires header as cacheable, even if those responses do not have a Cache-Control: public directive.

This will allow Cloud CDN to cache additional responses and better align with HTTP standards.

Review the caching documentation for details on what content Cloud CDN considers cacheable vs. uncacheable.

Document AI

Lending DocAI General Availability (GA) released

Lending DocAI is now generally available (GA). See the documentation for more information.

Lending DocAI processors added

The following Lending DocAI processors are now available:

April 01, 2021

App Engine standard environment Java

  • Updated Java SDK to version 1.9.88.
  • Upgraded to Jetty 9.4.39 to fix CVE-2021-28163, CVE-2021-28164, CVE-2021-28165.

Cloud Run

Restricting ingress on Cloud Run is now at general availability (GA).

Compute Engine

Memory-optimized machines are now available in the following regions and zones:

  • M1 ultramem (Jakarta) asia-southeast2-a,c
  • M1 ultramem (Osaka) asia-northeast2-a
  • M1 ultramem, M2 ultramem and M2 megamem (Osaka) asia-northeast2-b
  • M2 ultramem and M2 megamem (Osaka) asia-northeast2-c

See VM instance pricing for details.

Google Cloud VMware Engine

The Google Cloud Business Associate Agreement (BAA) now also covers Google Cloud VMware Engine. Businesses in the healthcare vertical who need HIPAA compliance can run their workloads on Google Cloud VMware Engine.

For details, see HIPAA Compliance on Google Cloud Platform.

Restructured documentation to better group content and improve workflow discoverability.

Identity and Access Management

Policy Simulator is now generally available. You can use Policy Simulator to simulate policy changes before you apply them.

March 31, 2021

AI Platform (Unified)

AI Platform (Unified) is now available in General Availability (GA).

AI Platform (Unified) has added support for the following regions for custom model training, as well as batch and online prediction for custom-trained models:

  • us-west1 (Oregon)
  • us-east1 (South Carolina)
  • us-east4 (N. Virginia)
  • northamerica-northeast1 (Montreal)
  • europe-west2 (London)
  • europe-west1 (Belgium)
  • asia-southeast1 (Singapore)
  • asia-northeast1 (Tokyo)
  • australia-southeast1 (Sydney)
  • asia-northeast3 (Seoul)

AI Platform Deep Learning Containers

M66 Release

AI Platform Deep Learning VM Image

M66 Release

  • PyTorch 1.8 support in deep learning environments (Deep Learning VM Image and Deep Learning Containers) is available.
  • Fixed scope allocator optimization issue with the TensorFlow Enterprise 2.3/2.1 MKL build.
  • Regular package refreshment and bug fixes.

Cloud Billing

Effective April 1, 2021, for customers in India: Due to new Reserve Bank of India (RBI) regulations, your bank might begin declining automatic card charges for recurring payments for your Google Cloud usage.

To avoid interruptions in service, if your automatic payments are being declined, we recommend that you make a manual payment for your usage.

Cloud Database Migration Service

Database Migration Service makes it easier for you to "lift and shift" your MySQL and PostgreSQL workloads into Cloud SQL. This service streamlines your networking workflows, manages one-time and continuous migrations between your source and destination databases, and provides you with statuses of the migration operations.

The documentation now contains information for using Database Migration Service with PostgreSQL. This information includes:

  • A quickstart
  • Conceptual content
  • How to use this service through the user interface, gcloud, and REST API calls
  • Reference, support, and resource-related information

In addition, for this release, updates include:

  • Use the Cloud SDK: A guide to get started with the Cloud SDK so you can use it to manage Database Migration Service connection profiles and migration jobs.
  • Use the Database Migration Service API: This guide provides information about how to enable and use the REST API to administer connection profiles and migration jobs programmatically.
  • Providing gcloud information for managing connection profiles and migration jobs for MySQL and PostgreSQL.

Click here to access the documentation.

Compute Engine

Preview: You can now configure your VM to shut down automatically when you revoke the Cloud KMS key protecting a persistent disk attached to the VM. For more information, see Configuring VM shutdown on Cloud KMS key revocation.

Dataproc

Dataproc support of Dataproc Metastore services is now available in GA.

Document AI

Document AI General availability (GA) released

Document AI is now generally available (GA).

Transcoder API

Beta stage support for VPC Service Controls.

March 30, 2021

Transfer Appliance

Transfer Appliance version 2.2 is deprecated and replaced by Transfer Appliance version 4.0.

Transfer Appliance version 4.0 is now available to order in Singapore.

March 29, 2021

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the export API (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud Memcache
    • memcache.googleapis.com/Instance
  • Memorystore for Redis
    • redis.googleapis.com/Instance

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Cloud Composer
    • composer.googleapis.com/Environment
  • Cloud Run
    • run.googleapis.com/DomainMapping
    • run.googleapis.com/Revision
    • run.googleapis.com/Service
  • Cloud KMS
    • cloudkms.googleapis.com/KeyRing
    • cloudkms.googleapis.com/CryptoKey
    • cloudkms.googleapis.com/CryptoKeyVersion
    • cloudkms.googleapis.com/ImportJob

The following resource types are now publicly available through the analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Cloud Composer
    • composer.googleapis.com/Environment
  • Cloud Run
    • run.googleapis.com/Service
    • run.googleapis.com/Revision
  • Cloud TPU
    • tpu.googleapis.com/Node
  • Cloud Storage
    • storage.googleapis.com/Bucket

Cloud CDN

Cloud CDN now treats the no-cache Cache-Control directive in a response as per RFC 7234 and allows these responses to be cached, provided that they are validated every time before being reused.

Visit the caching documentation to review how Cloud CDN handles the full set of HTTP caching directives.

Cloud Logging

Logs Views are now Generally Available (GA). Using Logs Views, you can control who has access to the logs within your Logs Buckets. For more information on this feature, refer to the Managing Logs Views guide.

Cloud Storage

Cloud CDN, external HTTP(S) Load Balancing, and Cloud Storage services use BoringSSL, and are not affected by the recent OpenSSL security advisory that relates to CA certificate checks (CVE-2021-3450) and TLS renegotiation (CVE-2021-3449).

Google Kubernetes Engine

(2021-R10) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

  • Version 1.17.17-gke.2800 is now the default version.
  • The following versions are now available:
  • The following versions are no longer available:
    • 1.15.12-gke.6002
    • 1.16.15-gke.10600
    • 1.16.15-gke.11800
    • 1.16.15-gke.7801
    • 1.17.15-gke.800
    • 1.17.17-gke.1100
    • 1.18.12-gke.1210
    • 1.18.14-gke.1200
    • 1.18.14-gke.1600
    • 1.18.15-gke.1100
    • 1.18.15-gke.1102
    • 1.18.15-gke.1500
    • 1.18.16-gke.1200
    • 1.18.16-gke.500
  • Control planes and nodes with auto-upgrade enabled will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.2800 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Stable channel

  • Version 1.17.17-gke.2800 is now the default version in the Stable channel.
  • The following versions are no longer available in the Stable channel:
    • 1.16.15-gke.7801
    • 1.17.17-gke.1101
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.2800 with this release.

Regular channel

  • Version 1.18.16-gke.302 is now the default version in the Regular channel.
  • Version 1.18.16-gke.502 is now available in the Regular channel.
  • The following versions are no longer available in the Regular channel:
    • 1.18.15-gke.1501
    • 1.18.15-gke.1502
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.16-gke.302 with this release.

Rapid channel

  • Version 1.19.8-gke.1600 is now the default version in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.19.8-gke.1000
    • 1.20.4-gke.1800
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.1600 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.4-gke.2200 with this release.

March 28, 2021

Cloud CDN

Cloud CDN, external HTTP(S) Load Balancing and Cloud Storage customers are not affected by the recent OpenSSL security advisory that relates to CA certificate checks (CVE-2021-3450) and TLS renegotiation (CVE-2021-3449).

These services use BoringSSL and are not affected by these OpenSSL-specific bugs.

March 26, 2021

AI Platform Notebooks

Cross Project Service Account support

App Engine standard environment Go

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment Java

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment PHP

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment Python

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

Dataproc

Image 2.0:

  • Changed default private IPv6 Google APIs access for 2.0 clusters from OUTBOUND to INHERIT_FROM_SUBNETWORK.

March 25, 2021

Compute Engine

Generally available: Start and stop virtual machine (VM) instances automatically using instance schedules. By automating the deployment of your VMs, instance schedules can help you optimize costs and manage VMs more efficiently.

Google Cloud VMware Engine

Added support for using NetApp Cloud Volumes Service for Google Cloud. You can use cloud volumes as NFS mount points or SMB shares in your workload virtual machines.

For details, see Connecting workload VMs to NetApp Cloud Volumes Service.

March 24, 2021

Cloud Bigtable

Cloud Bigtable is now available in the europe-central2 (Warsaw) region.

Cloud Storage

Warsaw region (europe-central2) launched.

Cloud VPN

Cloud VPN is now available in region europe-central2 (Warsaw, Poland).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

General-purpose E2 and N1 machines are available in Warsaw, Poland europe-central2 in all three zones. See VM instance pricing for details.

Disks, snapshots, and images are available in Warsaw, Poland europe-central2 in all three zones. See Disks and image pricing for details.

Support for OS Login in VPC Service Controls is now Generally Available.

Dataproc

Dataproc is now available in the europe-central2 region (Warsaw).

Google Kubernetes Engine

The europe-central2 region in Warsaw is now available.

Pub/Sub

Pub/Sub is now available in the europe-central2 region (Warsaw).

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.186.0.0/20 for the Warsaw europe-central2 region. For more information, see Auto mode IP ranges.

The ability to connect VM interfaces other than nic0 to a Shared VPC is now available in General Availability for instance templates and managed instance groups. This feature is available in the gcloud command-line tool and the API.

March 23, 2021

Dataproc

The default Dataproc image is now image version 2.0.

New sub-minor versions of Dataproc images: 1.3.88-debian10, 1.3.88-ubuntu18, 1.4.59-debian10, 1.4.59-ubuntu18, 1.5.34-centos8, 1.5.34-debian10, 1.5.34-ubuntu18, 2.0.7-centos8, 2.0.7-debian10, and 2.0.7-ubuntu18.

Image 2.0:

  • Updated Iceberg to version 0.11.0.
  • Updated Flink to version 1.12.2.

Image 2.0:

  • HIVE-22373: File Merge tasks fail when containers are reused.

Fixed a bug that caused Hive jobs to fail on Ranger-enabled clusters.

Fixed a bug where Spark event logs directory and history server directory could not be set to Cloud Storage correctly.

Fixed a bug where Presto property value with ';' could not be set correctly in the config file.

CVE-2020-13957: SOLR-14663: ConfigSets CREATE does not set trusted flag.

CVE-2020-1926: HIVE-22708: Test fix for http transport.

Google Kubernetes Engine

Starting tomorrow, March 24, 2021, the mechanism we use to create GKE release notes will change. Although this change does not affect the content of the notes, it does affect the presentation and underlying syntax. If you subscribe to the XML feed for this page, entries for March 24 and earlier will be updated as a result of changes to formatting and syntax; the content itself did not change.

The feed URL will also change from https://cloud.google.com/feeds/kubernetes-engine-release-notes.xml to https://cloud.google.com/feeds/gke-main-release-notes.xml. We will automatically redirect from the old URL to the new one.

Workload Identity for Windows Server nodes is now available in GKE versions 1.18.16-gke.1200, 1.19.8-gke.1300, 1.20.4-gke.1500, and later.

Windows Server, version 1909 is reaching end of support on May 11, 2021. Newer Windows Server image versions are available in GKE versions 1.19.8-gke.1600+ and 1.20.4-gke.500+.

Speech-to-Text

Speech-to-Text now allows you to upload your long-running transcription results directly into a Cloud Storage bucket. See the asynchronous speech recognition documentation for more details.

March 22, 2021

Cloud Asset Inventory

Exporting asset relationships is now available in public preview through the Export API (ExportAssets). The following relationship types are available now:

  • INSTANCE_TO_INSTANCEGROUP

Cloud Bigtable

Cloud Bigtable's Cloud Console navigation has been improved. On the Instances page, the Create Instance button is more prominent. After you navigate to an instance, the following updates are visible:

  • Left-pane navigation is now organized in sections.
  • New breadcrumb navigation on each page shows the ID of the selected instance.
  • Page headings are more prominent.
  • You can now edit or delete an instance from every page.

Cloud CDN

Cloud CDN now defaults to the Cache All Static cache mode for newly created backend buckets and backend services, which allows Cloud CDN to cache static content more readily.

The Cache All Static cache mode caches positive responses with valid caching directives, and will default to caching static content (videos, images, and web assets) for 1 hour. Responses that set a no-store, private, or no-cache cache directive will not be cached.

Existing backends remain unchanged and default to the Use Origin Headers cache mode.

Request coalescing (or collapsing) is now enabled by default on all backend services and backend buckets.

Customers with a high number of requests to cached resources that are updated often, or live streaming workloads, should see a notable reduction in bandwidth from, and requests to, their origin(s).

March 19, 2021

Compute Engine

N2D machine types are available in the following regions and zones:

  • Frankfurt, europe-west3-a,b
  • Hong Kong, asia-east2-b,c

See VM instance pricing for pricing details.

Google Kubernetes Engine

Google canonical error codes are now available in GA. GKE operations now use the canonical error model to report errors.

Added support for multiple Pod CIDRs (available in Preview), which allows users to specify a different Pod CIDR for a new node pool than the one specified during cluster creation. This alleviates the problem of running out of Pod IP addresses in under-provisioned clusters.

You can dynamically update the network tags, node labels and node taints of an existing GKE node pool. This feature is available in Preview. For more information, see Applying updates to node pool metadata.

March 18, 2021

Cloud Functions

Shared VPC on Cloud Functions is now at general availability (GA).

Cloud Logging

Cloud Logging now shows the breakdown of log severity levels in the Histogram pane. To learn more, see the Histogram section on the Logs Explorer page.

Cloud Run

Shared VPC on Cloud Run is now at general availability (GA).

March 17, 2021

Compute Engine

Preview: You can now configure N2 and C2 VMs with up to 100 Gbps of network bandwidth.

This feature is ideal for network-intensive, distributed workloads such as high-performance computing (HPC), machine learning (ML), and deep learning (DL).

Learn more about higher bandwidth configurations, the regions and zones where these machines are available, and the post-preview pricing for this new feature.

M2 machine types are now available in the following regions and zones:

  • Sydney — australia-southeast1-b,c
  • London — europe-west2-b,c
  • Montréal — northamerica-northeast1-b,c

See VM instance pricing for details.

Generally Available: Use the bulk instance API to create multiple, homogeneous VMs that are independent from each other. For more information, see Using the bulk instance API.

Google Cloud VMware Engine

VMware Engine nodes are now available in the following additional region:

  • Council Bluffs, Iowa, North America (us-central1)

Istio on Google Kubernetes Engine

1.4.10-gke.8 is available.

Fixes known security issue of OpenSSL in base images.

March 16, 2021

Cloud VPN

Cloud VPN support for GRE traffic is available in Preview. For more information, see the Cloud VPN overview.

Compute Engine

Generally Available: NVIDIA® A100 GPUs are now available in the following three regions:

  • Iowa, North America: us-central1-a,b,c
  • Netherlands, Europe: europe-west4-a,b
  • Singapore, APAC: asia-southeast1-c

For more information, see GPUs on Compute Engine.

Generally Available: Accelerator-optimized (A2) machine types are now available in the following three regions:

  • Iowa, North America: us-central1-a,b,c
  • Netherlands, Europe: europe-west4-a,b
  • Singapore, APAC: asia-southeast1-c

N2D machine types are now available in Frankfurt, europe-west3-c and Hong Kong, asia-east2-a. See VM instance pricing for pricing details.

N2 machine types are now available in Zurich, europe-west6 in all three zones. See VM instance pricing for details.

C2 machine types are now available in Salt Lake City, us-west3 in all three zones. See VM instance pricing for details.

Memory-optimized machine types are now available in Tokyo, asia-northeast1 in all zones. See VM instance pricing for details.

C2 machine types are now available in Zürich, europe-west6 in all three zones. See VM instance pricing for details.

Dataproc

New sub-minor versions of Dataproc images: 1.3.87-debian10, 1.3.87-ubuntu18, 1.4.58-debian10, 1.4.58-ubuntu18, 1.5.33-centos8, 1.5.33-debian10, 1.5.33-ubuntu18, 2.0.6-centos8, 2.0.6-debian10, and 2.0.6-ubuntu18.

Image 2.0: Upgraded Spark to version 3.1.1

Google Kubernetes Engine

(2021-R9) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

  • Version 1.17.17-gke.2800 is now available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from versions 1.17 and earlier to version 1.17.17-gke.1101 with this release.
  • Version 1.17.17-gke.1100 is no longer available in the Stable channel.

Regular channel

  • Version 1.18.15-gke.1501 is now the default version in the Regular channel.
  • Version 1.18.15-gke.1502 is now available in the Regular channel.
  • Version 1.18.16-gke.302 is now available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.18.15-gke.1501 with this release.
  • Version 1.18.12-gke.1210 is no longer available in the Regular channel.

Rapid channel

  • Version 1.19.8-gke.1000 is now the default version in the Rapid channel.
  • Version 1.19.8-gke.1600 is now available in the Rapid channel.
  • Version 1.20.4-gke.1800 is now available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.19.8-gke.1000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.20.4-gke.1800 with this release.
  • Version 1.19.7-gke.2503 is no longer available in the Rapid channel.
  • Version 1.20.4-gke.400 is no longer available in the Rapid channel.

Internal TCP/UDP load balancer subsetting (Preview) is available on GKE. With subsetting, GKE clusters using internal load balancer Services can scale beyond 250 nodes. This feature is in Preview for new GKE clusters on version 1.18 and existing clusters on version 1.19. Subsetting removes the current node scale limitations associated with GKE internal TCP/UDP load balancers.

All ports (Preview) is available for internal load balancer Services on GKE. All ports lets you open more than 5 ports on a TCP/UDP load balancer that is being used with GKE. This feature is in Preview for new GKE clusters on version 1.18 and is automatically enabled when subsetting is enabled on the GKE cluster.

Identity and Access Management

Tags are now generally available. You can attach tags to resources, then use the tags to manage access to your resources.

March 15, 2021

AI Platform (Unified) Speech-to-Text

Speech-to-Text has launched the Model Adaptation feature. You can now create custom classes and build phrase sets to improve your transcription results.

March 12, 2021

Cloud Logging

Suggested queries is now generally available (GA). To learn more, go to Suggested queries.

March 11, 2021

App Engine standard environment Java

  • Updated Java SDK to version 1.9.87.
  • Upgraded to Jetty 9.4.38 to fix CVE-2020-27223.

App Engine standard environment Python

The Python 3.9 runtime for the App Engine standard environment is now generally available.

Cloud Billing

List cost and Unrounded cost columns now available in the Cost Table report

We've added two columns of data to the Cost table report: List cost and Unrounded cost.

  • List cost: The List cost column is available for Cloud Billing accounts associated with a negotiated pricing contract, and represents the monthly cost of your cloud usage calculated using list prices. If your account has negotiated, custom pricing, you can compare List cost amounts to Cost amounts to determine how much you are saving with your negotiated prices.
  • Unrounded cost: The Unrounded cost column contains the calculated cost of the usage to a precision of up to six decimal places. Unrounded costs can be helpful when analyzing your cost details and understanding the source of any discrepancies due to rounding.

For more information on the Cost table report, see View and download the cost details of your invoice or statement.

March 10, 2021

Google Kubernetes Engine

40 Kubernetes metrics as part of Cloud Operations for GKE are now generally available.

Starting in version 1.19.8-gke.1000, in the Rapid release channel, the --can-ip-forward flag is disabled for all new clusters. Existing VPC-native clusters will have the --can-ip-forward flag set to disabled when they are upgraded to 1.19.8-gke.1000.

Pub/Sub

Pub/Sub push subscriptions can now be created with Cloud Run service endpoints protected by VPC Service Controls. This feature is available in the Preview launch stage.

March 08, 2021

Cloud Run

The ability to specify a minimum number of container instances to be kept warm and ready to serve requests is now at general availability (GA).

Dataproc

The Dataproc 2.0 image version will become the default Dataproc image version in 1 week, on March 15, 2021.

Security Command Center

Security Health Analytics, a built-in service of Security Command Center, launched new detectors in general availability:

Detects resources that are not using customer-managed encryption keys (CMEK)

  • BUCKET_CMEK_DISABLED
  • DISK_CMEK_DISABLED
  • NODEPOOL_BOOT_CMEK_DISABLED
  • SQL_CMEK_DISABLED

Detects vulnerabilities in Compute Engine instances

  • DEFAULT_SERVICE_ACCOUNT_USED
  • SHIELDED_VM_DISABLED

Detects publicly accessible Cloud KMS keys

  • KMS_PUBLIC_KEY

Detects out-of-region Compute Engine resources

  • ORG_POLICY_LOCATION_RESTRICTION

Detects misconfiguration of SQL instances

  • SQL_CROSS_DB_OWNERSHIP_CHAINING
  • SQL_CONTAINED_DATABASE_AUTHENTICATION
  • SQL_LOCAL_INFILE
  • SQL_LOG_CHECKPOINTS_DISABLED
  • SQL_LOG_CONNECTIONS_DISABLED
  • SQL_LOG_DISCONNECTIONS_DISABLED
  • SQL_LOG_LOCK_WAITS_DISABLED
  • SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
  • SQL_LOG_MIN_ERROR_STATEMENT
  • SQL_LOG_TEMP_FILES

For more information on these and other Security Health Analytics detectors, see Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center, launched a preview for a new detector.

Service account self-investigation detects when a service account is used to investigate roles associated with that same service account. For more information on Event Threat Detection detectors, see Event Threat Detection conceptual overview.

Documentation

  • Security Health Analytics documentation now includes more detailed information about detectors, including supported assets and scan configurations. For more information, see Vulnerabilities findings.

  • The Security Health Analytics remediation page now includes suggested instructions to resolve all Security Health Analytics findings. For more information, see Remediating Security Health Analytics findings.

  • Event Threat Detection documentation now includes additional details on cloud logs used by the service. For more information, see Event Threat Detection conceptual overview.

March 05, 2021

AI Platform Deep Learning Containers

M65 release

  • Upgraded tensorflow-cloud to 0.1.13.

  • Regular package refreshment and bug fixes.

AI Platform Deep Learning VM Image

M65 release

  • Added support for DooD (Docker outside of Docker) in Dataflow notebooks container images.

  • Upgraded tensorflow-cloud to 0.1.13.

  • Regular package refreshment and bug fixes.

AI Platform Training

AI Platform Training now provides pre-built PyTorch containers for PyTorch 1.7.

In addition to training with CPUs or GPUs, you can use one of the PyTorch 1.7 containers to perform PyTorch training with a TPU.

Cloud CDN

Support for item request coalescing is now Generally Available.

Item request coalescing allows multiple requests for a small object with the same cache key to be coalesced (collapsed) into a single origin request per edge node.

This enhances Cloud CDN's existing request coalescing behaviour for large objects, such as video and file downloads.

To enable request coalescing for your Cloud CDN enabled backends, visit the documentation.

Cloud Run

You can now use VPC Service Controls with Cloud Run to set up a secure perimeter to guard against data exfiltration. (Available in public preview.)

Dataproc

New sub-minor versions of Dataproc images: 1.3.86-debian10, 1.3.86-ubuntu18, 1.4.57-debian10, 1.4.57-ubuntu18, 1.5.32-centos8, 1.5.32-debian10, 1.5.32-ubuntu18, 2.0.5-debian10, and 2.0.5-ubuntu18.

Image 2.0:

Fixed a bug where YARN applications launched by Hive jobs were not correctly tagged, leading to missing YARN application status from job state.

Fixed the permission for mounted SSD Hadoop directories.

Google Cloud VMware Engine

Added security bulletin for the VMware Engine response to VMware security advisory VMSA-2021-0002.

Google Kubernetes Engine

(2021-R8) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

  • Version 1.17.17-gke.1101 is now available in the Stable channel. This version is now the default.
  • Auto-upgrading nodes and control planes in the Stable channel upgrade from versions 1.17 and earlier to version 1.17.17-gke.1100 with this release.
  • Version 1.15.12-gke.6002 is no longer available in the Stable channel.
  • Version 1.16.15-gke.7800 is no longer available in the Stable channel.
  • Version 1.17.15-gke.800 is no longer available in the Stable channel.

Regular channel

  • Version 1.18.15-gke.1501 is now available in the Regular channel.
  • Version 1.18.15-gke.1102 is no longer available in the Regular channel.

Rapid channel

  • Version 1.19.7-gke.2503 is now available in the Rapid channel. This version is now the default.
  • Version 1.19.8-gke.1000 is now available in the Rapid channel.
  • Version 1.20.4-gke.400 is now available in the Rapid channel.
  • Auto-upgrading nodes and control planes in the Rapid channel upgrade from version 1.19 to version 1.19.7-gke.2503 with this release.
  • Auto-upgrading nodes and control planes in the Rapid channel upgrade from version 1.20 to version 1.20.4-gke.400 with this release.
  • Version 1.19.7-gke.1500 is no longer available in the Rapid channel.
  • Version 1.20.2-gke.2500 is no longer available in the Rapid channel.

Memorystore for Redis

Support for In-transit encryption on Memorystore for Redis is now Generally Available.

March 04, 2021

AI Platform Notebooks

New Notebooks instances add labels for VM image (goog-caip-notebook) and volume (goog-caip-notebook-volume).

Compute Engine

The VM instance details page for Compute Engine now offers a guided installation path for Monitoring agents when they are not detected.

Identity and Access Management

For workload identity federation, available in beta, you can now use updated client libraries for C++, Go, Java, Node.js, and Python to automatically obtain Google credentials.

For details, see the documentation for your identity provider:

March 03, 2021

Cloud Run

Cloud Run reports a new Cloud Monitoring metric: Instance count, which counts the number of container instances that exist, broken down by state (active or idle).

March 02, 2021

AI Platform (Unified)

CMEK compliance using the client libraries

You can now use the client libraries to create resources with a customer-managed encryption key (CMEK).

For more information on creating a resource with an encryption key using the client libraries, see Using customer-managed encryption keys (CMEK).

Dataproc

Added the --cluster-labels flag to gcloud dataproc jobs submit to allow submitting jobs to a cluster that matches specified cluster labels. Also see Submitting a Dataproc job.

Google Kubernetes Engine

Starting with GKE version 1.19.7-gke.2000 (minimum GKE node version: 1.18.12-gke.1203, 1.19.6-gke.800), the Compute Engine persistent disk Container Storage Interface (CSI) Driver for Windows (Preview) is available in GKE. This feature allows you to take advantage of the latest persistent disk features without having to manually manage the CSI driver lifecycle. The CSI driver provides access to features such as volume snapshot and volume expansion. For more information, see Using the Compute Engine persistent disk CSI Driver.

The GKE Service Level Agreement now covers the Regular channel for both Standard and Autopilot modes of operation.

March 01, 2021

AI Platform (Unified)

The client library for Java now includes enhancements to improve usage of training and prediction features. The client library includes additional types and utility functions for sending training requests, sending prediction requests, and reading prediction results.

To use these enhancements, you must install the latest version of the client library.

Cloud Run

Cloud Run is now available in the following regions:

  • us-west2 (Los Angeles)
  • us-west3 (Salt Lake City)
  • us-west4 (Las Vegas)

Dataproc

The Dataproc 2.0 image version will become the default Dataproc image version in 2 weeks, on March 15, 2021.

Pub/Sub

Pub/Sub message schemas are now available in the Preview launch stage.

February 26, 2021

Cloud Asset Inventory

New resource types now available.

The following resource types are now publicly available through the resource search API (SearchAllResources), policy search API (SearchAllIamPolicies), and analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Cloud Functions
    • cloudfunctions.googleapis.com/CloudFunction
  • Cloud SQL
    • sqladmin.googleapis.com/Instance
  • Cloud TPU
    • tpu.googleapis.com/Node

The following resource types are now publicly available through the export API (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Artifact Registry
    • artifactregistry.googleapis.com/DockerImage
  • API Gateway
    • apigateway.googleapis.com/Api
    • apigateway.googleapis.com/ApiConfig
    • apigateway.googleapis.com/Gateway
  • Assured Workloads for Government
    • assuredworkloads.googleapis.com/Workload

The following searchable fields are now publicly available through the resource search API (SearchAllResources):

  • parentAssetType
  • project
  • folders
  • organization

Dataproc

New sub-minor versions of Dataproc images: 1.3.85-debian10, 1.3.85-ubuntu18, 1.4.56-debian10, 1.4.56-ubuntu18, 1.5.31-centos8, 1.5.31-debian10, 1.5.31-ubuntu18, 2.0.4-debian10, and 2.0.4-ubuntu18.

Image 2.0: Upgraded Spark to 3.1.1 RC2 version

Allow stopping clusters that have autoscaling enabled, and allow enabling autoscaling on clusters that are STOPPED, STOPPING, or STARTING. If you stop a cluster that has autoscaling enabled, the Dataproc autoscaler will stop scaling the cluster. It will resume scaling the cluster once it has been started again. If you enable autoscaling on a stopped cluster, the autoscaling policy will only take effect once the cluster has been started (see Starting and stopping clusters).

Deactivated mysql and hive-metastore components for clusters created with a Dataproc Metastore service on an image that has the DISABLE_COMPONENT_HIVE_METASTORE and DISABLE_COMPONENT_MYSQL capabilities.

Image 1.3 - 1.5: HIVE-18871: hive on Tez execution error due to set hive.aux.jars.path to hdfs://

Transcoder API

Sprite sheets now support different image compression levels with the new quality setting.

Sprite sheets now preserve the source aspect ratio. Set the sprite width or height field, but not both (the API will automatically calculate the missing field).

The API now supports video padding with black.

Virtual Private Cloud

Hierarchical firewall policies are now available in General Availability.

February 25, 2021

AI Platform (Unified)

AI Platform (Unified) now supports Access Transparency in beta. Google Cloud organizations with certain support packages can use this feature. Learn more about using Access Transparency with AI Platform (Unified).

The client libraries for Node.js and Python now include enhancements to improve usage of training and prediction features. These client libraries include additional types and utility functions for sending training requests, sending prediction requests, and reading prediction results.

To use these enhancements, you must install the latest version of the client libraries.

The predict and explain method calls no longer require the use of a different service endpoint (for example, https://us-central1-prediction-aiplatform.googleapis.com). These methods are now available on the same endpoint as all other methods.

In addition to Docker images hosted on Container Registry, you can now use Docker images hosted on Artifact Registry and Docker Hub for custom container training on AI Platform.

The Docker images for pre-built training containers and pre-built prediction containers are now available on Artifact Registry.

Compute Engine

Preview: You can now use the gcloud command-line tool to import images from AWS into Google Cloud. For more information, see Importing images from AWS.

Google Kubernetes Engine

(2021-R7) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

Stable channel

Regular channel

  • Version 1.18.15-gke.1102 is now available in the Regular channel.
  • Version 1.18.12-gke.1206 is no longer available in the Regular channel.
  • Auto-upgrading control planes in the Regular channel automatically upgrade from version 1.18 to version 1.18.12-gke.1210 with this release.
  • Auto-upgrading nodes in the Regular channel automatically upgrade from version 1.18.12-gke.1210 with this release.

Rapid channel

  • Version 1.19.7-gke.1500 is the new default version in the Rapid channel.
  • Version 1.19.7-gke.2503 is now available in the Rapid channel.
  • Version 1.20.2-gke.2500 is now available in the Rapid channel. Before upgrading to 1.20.2-gke.2500, read the 1.20 available in the Rapid channel section in the release notes.
  • Version 1.19.7-gke.1302 is no longer available in the Rapid channel.
  • Auto-upgrading control planes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.7-gke.1500 with this release.
  • Auto-upgrading control planes in the Rapid channel automatically upgrade from version 1.20 to version 1.20.2-gke.2500 with this release.
  • Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.19 to version 1.19.7-gke.1500 with this release.
  • Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.20 to version 1.20.2-gke.2500 with this release.

1.20 available in the Rapid channel

Kubernetes 1.20 is now available in the Rapid channel. Before upgrading to 1.20.2-gke.2500, read the Kubernetes 1.20 release notes, especially the Urgent upgrade notes and Deprecations sections.

RuntimeClass graduated to GA in version 1.20: The node.k8s.io/v1beta1 RuntimeClass API has graduated to node.k8s.io/v1 with no changes. API clients and manifests should switch to using the node.k8s.io/v1 API after version 1.20. The node.k8s.io/v1beta1 API is deprecated and will no longer be served starting in version 1.25.

As of version 1.20, the kubelet no longer creates the target_path for NodePublishVolume in accordance with the CSI spec. If you have self-managed CSI drivers deployed in your cluster, ensure that they are idempotent and do any necessary mount creation or verification. For more information, see Kubernetes issue #88759.

Starting in version 1.20, timeouts on exec probes are honored, and default to 1 second if unspecified. If you have Pods using exec probes, ensure that they can easily complete in 1 second or explicitly set an appropriate timeout. For more information, see Configure Probes.

Non-deterministic treatment of objects with invalid ownerReferences was fixed in version 1.20. Run the kubectl-check-ownerreferences tool prior to upgrade to locate existing objects with invalid ownerReferences.

  • A namespaced object with an ownerReference to another namespaced object which does not exist in the same namespace is now consistently treated as having a missing owner and is deleted.

  • A cluster-scoped object with an ownerReference to a namespaced object is now consistently treated as having an unresolvable owner, and is ignored by the garbage collector.

  • Starting in version 1.20, when a namespace mismatch between a child and owner object is detected, an event with a reason code of OwnerRefInvalidNamespace is recorded.
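The three ownerReference rules above, applied as a pre-upgrade check to a constructed object list. This is an added example, not part of the release notes and not the kubectl-check-ownerreferences tool; `classify_owner_references`, the `obj` helper, the finding labels other than OwnerRefInvalidNamespace, and the sample objects are assumptions, and owners are matched by UID across the exported objects as a simplification.

```python
# Added example: pre-upgrade check for the Kubernetes 1.20 ownerReference rules.
# classify_owner_references, obj and the finding labels (other than the
# OwnerRefInvalidNamespace event reason) are hypothetical names.

def obj(kind, name, uid, namespace=None, owners=()):
    """Build a minimal object shaped like an entry in `kubectl get -o json` items."""
    meta = {"name": name, "uid": uid}
    if namespace is not None:  # cluster-scoped objects carry no namespace
        meta["namespace"] = namespace
    if owners:
        meta["ownerReferences"] = [
            {"kind": k, "name": n, "uid": u} for (k, n, u) in owners
        ]
    return {"kind": kind, "metadata": meta}


# Constructed sample inventory (not real cluster data).
SAMPLE_ITEMS = [
    obj("Node", "node-1", "n-1"),
    obj("Deployment", "web", "d-1", "prod"),
    obj("ReplicaSet", "web-abc", "r-1", "prod", [("Deployment", "web", "d-1")]),
    obj("Pod", "mirror", "p-1", "prod", [("Node", "node-1", "n-1")]),
    obj("ConfigMap", "cfg", "c-1", "staging", [("Deployment", "web", "d-1")]),
    obj("Secret", "orphan", "s-1", "prod", [("ReplicaSet", "old", "gone-9")]),
    obj("ClusterRole", "reader", "cr-1", None, [("Deployment", "web", "d-1")]),
]

CONSEQUENCE = {
    # Namespaced child, owner lives in a different namespace.
    "OwnerRefInvalidNamespace":
        "treated as a missing owner; the child is deleted by the garbage collector",
    # Cluster-scoped child pointing at a namespaced owner.
    "CLUSTER_SCOPED_CHILD_NAMESPACED_OWNER":
        "owner is unresolvable; the child is ignored by the garbage collector",
    # Owner UID absent from the export: may be gone, or its kind was not exported.
    "OWNER_NOT_IN_INPUT":
        "owner not found in the exported objects; confirm it exists before upgrading",
}


def describe(o):
    """Return 'Kind/namespace/name', using '-' for cluster-scoped objects."""
    meta = o["metadata"]
    return "{}/{}/{}".format(o["kind"], meta.get("namespace", "-"), meta["name"])


def classify_owner_references(items):
    """Return one finding per ownerReference that 1.20 handles as invalid."""
    by_uid = {o["metadata"]["uid"]: o for o in items}
    findings = []
    for child in items:
        meta = child["metadata"]
        child_ns = meta.get("namespace")
        for ref in meta.get("ownerReferences", []):
            owner = by_uid.get(ref["uid"])
            if owner is None:
                verdict = "OWNER_NOT_IN_INPUT"
            else:
                owner_ns = owner["metadata"].get("namespace")
                if owner_ns is None:
                    continue  # a cluster-scoped owner may own any object
                if child_ns is None:
                    verdict = "CLUSTER_SCOPED_CHILD_NAMESPACED_OWNER"
                elif child_ns != owner_ns:
                    verdict = "OwnerRefInvalidNamespace"
                else:
                    continue  # same namespace: valid reference
            findings.append({
                "child": describe(child),
                "owner": "{}/{}".format(ref["kind"], ref["name"]),
                "verdict": verdict,
                "consequence": CONSEQUENCE[verdict],
            })
    return findings


if __name__ == "__main__":
    for f in classify_owner_references(SAMPLE_ITEMS):
        print("{child} -> {owner}: {verdict} ({consequence})".format(**f))
```
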

The metadata.selfLink field, deprecated since version 1.16, is no longer populated in version 1.20. See Kubernetes issue #1164 for details. A related bug in the GetReference function of the k8s.io/client-go library was fixed in versions 0.15.9 or later, 0.16.4 or later, and 0.17.0 or later. Clients using the GetReference function should upgrade to one of those versions of client-go or newer in order to work correctly against an API Server running version 1.20 or later.

You can now create clusters using the Autopilot mode. Autopilot is a new mode of operation in GKE that is designed to reduce the operational cost of managing clusters, optimize your clusters for production, and yield higher workload availability. For more information, see the Autopilot overview and blog post.

February 24, 2021

Cloud Tasks

Maximum push task size is now increased to 1 MB.

Identity and Access Management

You can now use Policy Simulator to simulate policy changes before you apply them. This feature is available in Preview.

Pub/Sub

An Apache Spark connector is now available for Pub/Sub Lite, allowing you to read messages from Pub/Sub Lite in your Spark clusters.

February 23, 2021

Virtual Private Cloud

The ability to connect VM interfaces other than nic0 to a Shared VPC is now available in General Availability. This feature is presently only GA for individual VM instances. Support for instance templates and managed instance groups is still in Preview.

February 22, 2021

Cloud Billing

Optimal Recommendations for Compute Engine committed use discounts are now Generally Available. Recommendations provide you opportunities to optimize your compute costs by analyzing your VM spending trends and recommending committed use discount contracts.

Recommendations are presented in two forms:

  • Optimal recommendations are based on overall usage and might cover resources that are not on all the time.
  • Stable usage recommendations cover minimum stable usage over time.

For understanding and purchasing committed use discount recommendations, see the documentation.

Dataproc

Dataproc 2.0 image version will become a default Dataproc image version in 3 weeks on March 15, 2021.

Google Kubernetes Engine

This note was updated on March 2, 2021. The issue with the Config Connector add-on with private clusters is a known issue, not a fixed issue.

GKE version 1.19.7-gke.1500 contains a fix for a performance issue in NodeLocal DNSCache. For more information, see NodeLocalDNS timeout errors.

Customers using the Config Connector add-on with private clusters might see an issue with all resource requests timing out. Affected customers must manually create a firewall rule that allows the cluster control plane to initiate TCP connections to the cluster's nodes on port 9443. For more information, see Adding firewall rules for specific use cases. This issue will be fixed in a future release.

February 19, 2021

AI Platform Deep Learning Containers

M64 release

  • Upgraded TensorFlow 2.4 to 2.4.1.

  • Upgraded TFX and Fairness Indicators from 0.26.0 to 0.27.0.

  • Miscellaneous bug fixes and updates.

Swift For TensorFlow

  • The Swift For TensorFlow project is entering archive mode. Containers will be deprecated and will no longer receive updates after this release.

AI Platform Deep Learning VM Image

M64 release

  • Upgraded TensorFlow 2.4 to 2.4.1.

  • Upgraded TFX and Fairness Indicators from 0.26.0 to 0.27.0.

  • Added the Fast.ai book tutorials to Pytorch images.

  • Enabled gVNIC for all DLVM images.

  • Miscellaneous bug fixes and updates.

Swift For TensorFlow

  • The Swift For TensorFlow project is entering archive mode. Swift images will be deprecated and will no longer receive updates after this release.

Google Cloud VMware Engine

Added upfront prepay option for 3-year and 1-year commitment contracts. VMware Engine provides an option to unlock up to 50% off the hourly rate savings on resources through the prepay upfront option. Contact Sales for more information.

February 18, 2021

Cloud Logging

Cloud Logging agent for Windows version 1-14 is now available. This version changes the default Windows configuration from using gRPC to REST for sending logs to the Cloud Logging API. For more information, refer to the release information on GitHub.

February 17, 2021

Compute Engine

Preview: Predictive autoscaling for managed instance groups lets you improve the availability of your workloads by using Machine Learning to predict future demand and create virtual machines ahead of forecasted load.

Google Cloud VMware Engine

Added password management of the CloudOwner@gve.local user for vCenter and the admin user for NSX-T Manager. VMware Engine generates a password for these users when you deploy a private cloud. You can view and reset credentials from the private cloud details page.

Added the ability to peer multiple VPCs with private clouds in a region. This improvement enables you to establish a many-to-many relationship between your VPCs and regions.

Added support for global DNS name resolution for management components of your private cloud using Cloud DNS. You can set up Cloud DNS to resolve domain names of management components of multiple private clouds (in the same or different regions) in your project.

For more information, see Configuring DNS for vCenter access.

Updated private cloud nodes so that the ESXi advanced parameter fakescsireservation and MAC learning are now enabled by default. This allows creation of a nested ESXi environment on your private cloud.

Added missing release notes for previous region launches of VMware Engine resources:

  • Montréal, Québec (northamerica-northeast1)
  • São Paulo, Brazil (southamerica-east1)
  • Jurong West, Singapore (asia-southeast1)
  • Eemshaven, Netherlands (europe-west4)
  • Sydney, Australia (australia-southeast1)
  • London, England (europe-west2)
  • Tokyo, Japan (asia-northeast1)
  • Frankfurt, Germany (europe-west3)

Google Kubernetes Engine

This note was updated on March 3, 2021. Version 1.15.12-gke.6002 is still available in the Stable channel for R6.

(2021-R6) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on the Kubernetes versioning scheme, see Versioning.

No channel

  • Version 1.16.15-gke.11800 is now available.
  • Version 1.17.17-gke.1500 is now available.
  • Version 1.18.15-gke.1500 is now available.
  • Version 1.15.12-gke.6002 is no longer available.
  • Version 1.16.15-gke.6000 is no longer available.
  • Version 1.16.15-gke.6900 is no longer available.
  • Version 1.16.15-gke.7300 is no longer available.
  • Version 1.17.14-gke.1600 is no longer available.
  • Version 1.17.15-gke.300 is no longer available.
  • Version 1.18.12-gke.1205 is no longer available.
  • Version 1.18.15-gke.800 is no longer available.
  • Auto-upgrading control planes automatically upgrade from version 1.15 to version 1.16.15-gke.7800 with this release.

Stable channel

  • Version 1.16.15-gke.6000 is no longer available in the Stable channel.
  • Auto-upgrading control planes in the Stable channel automatically upgrade from version 1.0.0 to version 1.16.15-gke.7800 with this release.

Regular channel

  • Version 1.18.12-gke.1206 is now available in the Regular channel. This version is now the default.
  • Version 1.17.14-gke.1600 is no longer available in the Regular channel.
  • Version 1.17.15-gke.800 is no longer available in the Regular channel.
  • Auto-upgrading control planes in the Regular channel automatically upgrade from version 1.17 to version 1.18.12-gke.1206 with this release.
  • Auto-upgrading nodes in the Regular channel automatically upgrade from version 1.17 to version 1.18.12-gke.1206 with this release.

Rapid channel

  • Version 1.19.7-gke.1302 is now available in the Rapid channel. This version is now the default.
  • Version 1.19.7-gke.1500 is now available in the Rapid channel.
  • Version 1.18.12-gke.1206 is no longer available in the Rapid channel.
  • Version 1.19.7-gke.800 is no longer available in the Rapid channel.
  • Auto-upgrading control planes in the Rapid channel automatically upgrade from version 1.18 to version 1.19.7-gke.1302 with this release.
  • Auto-upgrading nodes in the Rapid channel automatically upgrade from version 1.18 to version 1.19.7-gke.1302 with this release.

Multi-cluster Services (MCS) is now Generally Available (GA) for GKE versions 1.17 and later. MCS provides a Kubernetes-native interface to build Kubernetes applications that span multiple clusters.

MCS enables existing Services to be discoverable and accessible across clusters with a virtual IP, matching the behavior of a ClusterIP Service accessible in a cluster.

The COS image for GKE 1.16 clusters is now cos-77-12371-1109-0.

GKE version 1.16.15-gke.11800 contains a fix for the certificate update issue in Internal Ingress.

February 16, 2021

AI Platform Training

The default boot disk type for virtual machine instances used for training jobs has changed from pd-standard to pd-ssd. Learn more about disk types for custom training and read about pricing for different disk types.

Note that for training jobs where you don't specify a DiskConfig, pricing does not change. This is because the first 100 GB of disk for each VM do not incur any charge, regardless of disk type.

Dataproc

New sub-minor versions of Dataproc images: 1.3.84-debian10, 1.3.84-ubuntu18, 1.4.55-debian10, 1.4.55-ubuntu18, 1.5.30-centos8, 1.5.30-debian10, 1.5.30-ubuntu18, 2.0.3-debian10, and 2.0.3-ubuntu18

Fixed a bug that prevented Dataproc on GKE cluster creation.

Google Kubernetes Engine

For clusters using a 1.19 version, with the Container-Optimized OS with Containerd (cos_containerd) node image, the issue where dockerd (the Docker Daemon) is not running at boot is now fixed.

Identity and Access Management

You can now use IAM conditions to set limits on the roles that a member can grant and revoke. This feature is generally available.

February 15, 2021

Dataproc

Dataproc 2.0 image version will become a default Dataproc image version in 4 weeks on March 15, 2021.