Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud Console.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

July 30, 2021

Cloud Logging

Cloud Logging now lets you control access to individual log entry fields using field-level access control. To learn more, see Field-level access control.

Dataproc Metastore

Dataproc Metastore is now available in the asia-southeast1 (Singapore), europe-west1 (Belgium), and northamerica-northeast1 (Montréal) regions.

Kf

New features may now start in preview and GA with the next Kf release.

New Early Access program (currently private preview).

Automated assessment and migration of your existing CF foundation.

[PREVIEW] NFS broker automatically configures NFS mounts on your cluster for Apps to bind to.

[PREVIEW] Schedule Tasks to run at recurring intervals specified using the unix-cron format.

[PREVIEW] Support for Anthos clusters on VMware via the Early Access program.

Minor reliability improvements.

Support for ASM 1.10.

July 29, 2021

Anthos GKE on AWS

Anthos clusters on AWS aws-1.8.1-gke.1 is now available.

Anthos clusters on AWS aws-1.8.1-gke.1 clusters run the following Kubernetes versions:

  • 1.17.17-gke.13600
  • 1.18.20-gke.2600
  • 1.19.13-gke.300
  • 1.20.9-gke.300

This release contains fixes for the following security vulnerabilities:

Anthos clusters on AWS now requires kubectl version 1.17 or higher and terraform version v0.14.3 or higher.

Anthos clusters on bare metal

Release 1.8.2

Anthos clusters on bare metal 1.8.2 is now available. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.2 runs on Kubernetes 1.20.

Features:

  • Preview: Added capability to rotate cluster certificate authorities (CAs) for user clusters. For instructions on using the bmctl cluster credentials command to rotate cluster CAs, see Rotate user cluster certificate authority.

  • Preview: Added support for AppArmor with Anthos clusters on bare metal. You don't need to disable AppArmor on Ubuntu as a prerequisite for installation. When you create new 1.8.2 clusters or upgrade clusters to version 1.8.2, you can enable AppArmor either before or after you upgrade.

Fixes:

  • Fixed the CVE-2021-3520 vulnerability, a flaw in lz4, which provides support for LZ4, a lossless compression algorithm. The flaw impacts availability, but has potential to impact confidentiality and integrity as well.

  • Fixed bmctl operation failures that occur for some Ubuntu 20.04 LTS distributions with a more recent Linux kernel, including GCP Ubuntu 20.04 LTS images on the 5.8 kernel. For more information about this issue and a workaround, see Ubuntu 20.04 LTS and bmctl.

  • Fixed OpenStack support for user clusters. In prior releases, cluster creation fails for user type clusters when the baremetal.cluster.gke.io/external-cloud-provider: "true" annotation is added to the cluster configuration file.

  • Fixed PATH environment issues for executing commands as a non-root user. For more information, see Known Issues.

  • Fixed an issue that caused user cluster resets (bmctl reset cluster) to get stuck while deleting namespaces.

  • Fixed out-of-memory (OOM) conditions related to Connect Agent memory usage that resulted in pod failures.

  • Fixed issue that blocked snapshots for clusters configured for passwordless SUDO capability for machine login (nodeAccess.loginUser: <login user name>).

  • Fixed issue that blocked some 1.7.x version admin, hybrid, or standalone clusters from upgrading to the 1.8 minor release. This issue affected some clusters that were updated by applying changes from an updated cluster configuration file.

  • Fixed Address Resolution Protocol (ARP) table issue for high-availability (HA) deployments that blocked upgrades from completing.

Functionality changes:

  • Expanded snapshots to include resource usage metrics to improve troubleshooting and support. Added metrics include the output of ip neigh, kubectl top nodes, and kubectl top pods commands.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Cloud Load Balancing

Cloud Monitoring now provides a new predefined dashboard called External HTTP(S) Load Balancers. The new dashboard provides powerful visualizations to help you understand and troubleshoot connectivity issues on your external HTTP(S) load balancers.

For details, see HTTP(S) Load Balancing logging and monitoring.

Cloud Logging

Cloud Logging now supports the asia-east2 and europe-central2 regions. For a full list of regions, see Regionalization.

Cloud Monitoring

Monitoring Query Language (MQL) no longer requires you to use strict form when you create MQL-based alerting policies by using the Monitoring API. You can now provide queries in concise form. The query is stored as you provide it; concise queries are not converted to strict form.

Cloud SQL for PostgreSQL

Cloud SQL for PostgreSQL now supports the following flags:

  • tcp_keepalives_count
  • tcp_keepalives_idle
  • tcp_keepalives_interval

For more information about these flags, see the Cloud SQL for PostgreSQL flags documentation.

Dataproc Metastore

There is an issue with Dataproc Metastore to Data Catalog batch sync. Metadata changes introduced through imports and backups will not be reflected in Data Catalog until batch sync is restored.

July 28, 2021

Anthos Service Mesh

1.8.6-asm.7 is now available. This patch release:

  • Fixes a bug that could lead to memory leaks in the proxy.
  • Fixes a bug causing invalid cipherSuites in the Gateway configuration that could cause broken traffic.

BigQuery ML

The Wide-and-Deep model is now available for preview. 'DNN_LINEAR_COMBINED_CLASSIFIER' and 'DNN_LINEAR_COMBINED_REGRESSOR' create Wide-and-Deep Classifier and Regressor models, respectively.

Vertex AI

You can use the Reduction Server algorithm (Preview) to increase throughput and reduce latency during distributed custom training.

Virtual Private Cloud

Publishing services and accessing published services using Private Service Connect is now available in General Availability.

If you are using Private Service Connect to publish or consume services, the following items are not logged in Cloud Logging: changes in endpoint status, and service attachment deletions.

The number of Private Service Connect endpoints that are connected to a service attachment is not adjusted when an endpoint is deleted. See workaround information.

Workflows

A list.concat function has been added to support adding an element to a list.

July 27, 2021

BigQuery

BigQuery now supports the INTERVAL type, which represents a duration or an amount of time. This type is in Preview.

BigQuery ML

Explainable artificial intelligence (XAI) helps you understand the results that your predictive machine-learning model generates for classification and regression tasks by defining how each feature in a row of data contributed to the predicted result. This feature is now available for preview.

Cloud Build

Cloud Build private pools are now generally available. Private pools offer regionalization and greater customization over the build environment, including the ability to access resources in a private network with support for VPC Service Controls. For more information, see Private pools overview.

Cloud Load Balancing

When you make an internal TCP/UDP load balancer the next hop of a static route, the route can now have network tags.

In addition, you now have two different ways to specify the next hop:

  • Forwarding rule's name and the load balancer's region
  • Internal IP address of the forwarding rule

For more information, see the following pages:

Cloud Run

Cloud Run VPC Service Controls are now at General Availability (GA).

Committed use discounts are now at General Availability (GA).

The following organization policies are now at General Availability (GA): Cloud Run Allowed ingress settings and Allowed VPC egress settings.

Dataproc

New sub-minor versions of Dataproc images: 1.3.94-debian10, 1.3.94-ubuntu18, 1.4.65-debian10, 1.4.65-ubuntu18, 1.5.40-centos8, 1.5.40-debian10, 1.5.40-ubuntu18, 2.0.14-centos8, 2.0.14-debian10, and 2.0.14-ubuntu18.

The following component versions were updated in image 2.0:

Fixed a rare bug in which the update operation would sometimes fail with error 'Resource is not a member of' or 'Cannot delete instance that was already deleted' when scaling down the number of secondary workers in a cluster.

Google Kubernetes Engine

(2021-R24) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.20.8-gke.900 is now the default version.
  • The following control plane and node versions are now available:
  • The following control plane versions are no longer available:
    • 1.18.18-gke.1101
    • 1.18.18-gke.1701
    • 1.20.7-gke.1800
    • 1.20.7-gke.2200
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.8-gke.700 with this release.

Stable channel

  • Version 1.18.20-gke.501 is now the default version in the Stable channel.
  • Version 1.18.20-gke.900 is now available in the Stable channel.
  • Version 1.19.12-gke.2100 is now available in the Stable channel.
  • Version 1.18.19-gke.1701 is no longer available in the Stable channel.
  • Version 1.19.10-gke.1000 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.20-gke.501 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to version 1.19.11-gke.2101 with this release.

Regular channel

  • Version 1.20.8-gke.900 is now the default version in the Regular channel.
  • The following versions are no longer available in the Regular channel:
    • 1.19.9-gke.1900
    • 1.19.11-gke.1701
    • 1.19.12-gke.1100
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.8-gke.900 with this release.

Rapid channel

Identity and Access Management

Recommender now generates lateral movement insights, which identify roles that allow a service account in one project to impersonate a service account in another project. You can manage lateral movement insights using the gcloud command-line tool or the Recommender REST API. This feature is available in Preview.

Resource Manager

The Organization Policy constraints Allowed ingress settings and Allowed VPC egress settings for Cloud Run have launched into general availability.

VPC Service Controls

Support for Cloud Run is now at General Availability (GA).

Vertex AI

July 26, 2021

Access Approval

Cloud Data Loss Prevention is supported by Access Approval in GA stage.

Cloud External Key Manager is supported by Access Approval in GA stage.

Cloud HSM is supported by Access Approval in GA stage.

Cloud Logging is supported by Access Approval in GA stage.

BigQuery

DML query jobs now return statistics about the number of rows that were inserted, deleted, or updated. For more information, see DmlStats in the Job resource type. In addition, DML statistics are now available in the INFORMATION_SCHEMA.JOBS_BY_* views. This feature is generally available (GA).

BigQuery ML

Time series models now support holiday effects for weekly time series, in addition to the daily time series that was previously supported. This feature is now generally available (GA).

Cloud Logging

Log entries that are exported to BigQuery that result in a schema mismatch are now being written to an error table. For more information, see Mismatches in schema.

Cloud Monitoring

The new External HTTP(S) Load Balancers dashboard in Monitoring provides powerful visualizations to help you understand and troubleshoot connectivity issues on your external load balancers.

Cloud Run

Cloud Run container instances can now process up to 1,000 concurrent requests; see Setting maximum concurrency. The default is still 80.

Cloud SQL for PostgreSQL

  • The following PostgreSQL minor versions and extension versions are now available. If you use maintenance windows, you might not yet have these versions. In this case, you will see the new versions once your maintenance update occurs. To find your maintenance window or manage maintenance updates, see Finding and setting maintenance windows.
    • 9.6.21 is upgraded to 9.6.22.
    • 10.16 is upgraded to 10.17.
    • 11.11 is upgraded to 11.12.
    • 12.6 is upgraded to 12.7.
    • 13.2 is upgraded to 13.3.
  • pglogical extension is upgraded to 2.3.4.
  • PostGIS extension is upgraded to 3.0.3 for all PostgreSQL major versions.

Notebooks

If using proxy single-user mode, Notebooks API now verifies if the specified user (proxy-user-mail) has Service Account permissions on the Service Account. This check is performed during instance creation and registration.

July 23, 2021

Artifact Registry

Artifact Registry now supports Cloud External Key Manager (Cloud EKM) when using customer-managed encryption keys.

Network Intelligence Center

Connectivity Tests now includes a feature that verifies connectivity to and from Google-managed services, such as Google Kubernetes Engine (GKE) control planes or Cloud SQL instances. The Connectivity Tests configuration analysis can now run a test and provide an overall reachability result for Google-managed services. For more information, see Connectivity Tests overview.

July 22, 2021

Anthos Config Management

An issue introduced in 1.8.0 nomos hydrate that breaks support for --clusters has been fixed.

An issue that caused Config Sync monitoring Pods to fail to start in a cluster with PodSecurityPolicy enabled has been fixed.

Cluster selectors and namespace selectors annotations are removed from the result of nomos hydrate so that it can pass nomos vet and can be synced directly to the cluster by Config Sync.

Anthos Service Mesh

The 1.x version of kpt breaks Anthos Service Mesh installations and upgrades. Anthos Service Mesh requires a pre-1.x version of kpt. The latest version of the gcloud command-line tool includes the 1.x kpt that breaks installs and upgrades.

Make sure that you are running a pre-1.x version of kpt:

kpt version

The output should be similar to the following:

0.39.2

If you have kpt version 1.x or higher, use the curl command in Setting up your environment to download the required version for your operating system.

If you are installing or upgrading Anthos Service Mesh using the install_asm script, make sure to download the most recent version of the script. The updated version of install_asm checks your kpt version. If needed, install_asm downloads and uses the required kpt version. Run install_asm --version to make sure you have a version of install_asm that has the workaround. You need the following install_asm versions or higher:

Anthos clusters on VMware

Anthos clusters on VMware 1.8.1-gke.7 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.1-gke.7 runs on Kubernetes v1.20.8-gke.1500.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Fixes:

  • The issue that the etc/cron.daily/aide script uses up all existing space in /run, causing a crashloop in Pods, has been fixed. The files located under /run/aide/ will be cleaned up periodically.
  • If you use the gkectl upgrade loadbalancer to attempt to update some parameters of the Seesaw load balancer in version 1.8.0, this will not work in either DHCP or IPAM mode. If your setup includes this configuration, do not upgrade to version 1.8.0, but instead to version 1.8.1 or later. If you are already at version 1.8.0, you can upgrade to 1.8.1 first before updating any parameters. See Upgrading Seesaw load balancer with version 1.8.0.
  • For Windows nodes, fixed an issue by adding a step for automatically detecting the network interface name instead of hard-coding it, since this name might be different depending on the network adapter being used in the base VM template.
  • Fixed an issue for building a Windows VM template that avoids retrying the VM shutdown in the gkectl prepare windows command, as this retrying caused the command to be stuck for a long time.
  • Fixed an issue where snapshot.storage.k8s.io/v1 resources were rejected by the snapshot admission webhook.
  • The CVE-2021-3520 security vulnerability has been fixed.

Cloud Composer

Cloud Composer environments with Airflow 2 can run more than one Airflow scheduler. This feature brings Airflow HA scheduler to Cloud Composer environments.

New versions of Cloud Composer images:

  • composer-1.16.11-airflow-1.10.12
  • composer-1.16.11-airflow-1.10.14
  • composer-1.16.11-airflow-1.10.15 (default)
  • composer-1.17.0-preview.7-airflow-2.0.2

Airflow 2.0.1 is no longer included in Cloud Composer images.

Cloud Run for Anthos

Cloud Run for Anthos is now available as a separate experience from the managed Cloud Run product in the Google Cloud Console.

The new Cloud Run for Anthos page provides a product-specific experience for all your Cloud Run for Anthos services.

Compute Engine

Preview: You can use the Help Assistant in the Google Cloud Console to find answers to questions about Compute Engine.

Config Connector

Config Connector 1.57.0 is now available.

Added support for GKEHubFeatureMembership resource.

Added spec.projectRef to ServiceUsageService.

Reverted DNSRecordSet to an older implementation (from v1.50.0) due to an issue that broke users' ability to modify rrdatas. Note that this also means that rrdatas and ttl are required fields again.

Added the following output-only fields:

  • BigQueryJob: query.destinationEncryptionConfiguration.kmsKeyVersion, load.destinationEncryptionConfiguration.kmsKeyVersion, and copy.destinationEncryptionConfiguration.kmsKeyVersion.
  • BigQueryTable: encryptionConfiguration.kmsKeyVersion.

Added advancedMachineFeatures to ComputeInstance.

Dataflow

Dataflow now supports custom containers in GA.

Dataproc Metastore

Avro based imports and exports are now in GA.

Datastore

The DATA_READ and DATA_WRITE Data Access audit logs feature has been moved to a future release. It is not currently available.

Dialogflow

The root CA used for Dialogflow's client certificates for mutual TLS will change to GTS Root R1 in the week of July 26, 2021. Please see the mTLS documentation for Dialogflow ES and Dialogflow CX for details.

On July 26, 2021, two new Dialogflow IAM permissions will become effective: dialogflow.changelogs.get and dialogflow.changelogs.list. If you use custom roles to grant access to the Dialogflow CX console, make sure to add these permissions to your custom roles to grant access to the Change history functionality. If you don't use custom roles, no action is required.

Firestore

The DATA_READ and DATA_WRITE Data Access audit logs feature has been moved to a future release. It is not currently available.

Identity and Access Management

A C++ client library for IAM is now available. The client library supports the IAM API and the Service Account Credentials API.

July 21, 2021

App Engine standard environment Go

Egress settings are now available for Serverless VPC Access. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Java

Egress settings are now available for Serverless VPC Access. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Node.js

Egress settings are now available for Serverless VPC Access. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment PHP

Egress settings are now available for Serverless VPC Access. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Python

Egress settings are now available for Serverless VPC Access. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

App Engine standard environment Ruby

Egress settings are now available for Serverless VPC Access. Egress settings allow you to specify whether or not to send traffic with external destinations through your Serverless VPC Access connector, which is necessary if you want to set up a static outbound IP address for your App Engine service.

Cloud Spanner

Time to live (TTL) is now available in public preview. This feature lets database administrators periodically delete unneeded data from Cloud Spanner tables, and so decrease storage and backup costs and potentially increase query performance. To use this feature, a database owner defines a row deletion policy on a table schema.

Google Kubernetes Engine

Google Groups for RBAC is now generally available.

Identity and Access Management

You can now set limits on the Cloud Storage roles that a member can grant and revoke. This is possible because Cloud Storage now recognizes the modifiedGrantsByRole API attribute in conditions.

Speech-to-Text

Speech-to-Text has launched a GA version of the Spoken Emoji and Spoken Punctuation features. See the documentation for details.

July 20, 2021

Cloud Run

Cloud Run is now covered by FedRAMP Moderate.

Cloud Spanner

Granular instance sizing is now available in public preview. Historically, the most granular unit for provisioning compute capacity on Spanner has been the node. To provide more granular control, we are introducing Processing Units (PUs); one Spanner node is equal to 1,000 PUs. You can now provision in batches of 100 PUs, and get a proportionate amount of compute and storage resources. Learn more.

Cloud Storage

gcloud alpha storage commands are now available.

  • These commands provide faster uploading and downloading performance over the gsutil command line tool.

Dataproc

New sub-minor versions of Dataproc images: 1.3.93-debian10, 1.3.93-ubuntu18, 1.4.64-debian10, 1.4.64-ubuntu18, 1.5.39-centos8, 1.5.39-debian10, 1.5.39-ubuntu18, 2.0.13-centos8, 2.0.13-debian10, and 2.0.13-ubuntu18.

Upgraded Cloud Storage connector to version 2.2.2 on 2.0 images.

Fixed Hue installation on Ubuntu 2.0 images.

Fixed an issue on 1.4 and 1.5 images where temporary shuffle data could be leaked when running Enhanced Flexibility Mode (EFM) with Spark.

Google Kubernetes Engine

(2021-R23) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • The following control plane and node versions are now available:
  • The following control plane versions are no longer available:
    • 1.18.17-gke.1900
    • 1.19.9-gke.1400
    • 1.20.6-gke.1000
    • 1.20.6-gke.1400
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.17-gke.1901 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.19.9-gke.1900 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.7-gke.1800 with this release.

Stable channel

  • Version 1.18.19-gke.1701 is now the default version in the Stable channel.
  • Version 1.18.20-gke.501 is now available in the Stable channel.
  • Version 1.18.17-gke.1901 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.19-gke.1701 with this release.

Regular channel

  • Version 1.19.12-gke.1100 is now available in the Regular channel.
  • Version 1.20.8-gke.900 is now available in the Regular channel.
  • Version 1.20.7-gke.1800 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.8-gke.900 with this release.

Rapid channel

  • Version 1.20.8-gke.700 is now the default version in the Rapid channel.
  • Version 1.20.8-gke.900 is now available in the Rapid channel.
  • Version 1.20.7-gke.2200 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.8-gke.700 with this release.

Legacy Logging and Monitoring was deprecated December 12, 2019 and was decommissioned March 31, 2021. As described in the guide for Migrating to Cloud Operations for GKE, all clusters still using Legacy Logging and Monitoring are being automatically and gradually migrated to Cloud Operations for GKE during the coming weeks.

Memorystore for Redis

Added support for Maintenance Windows for Memorystore for Redis.

Network Connectivity Center

Network Connectivity Center now supports VPC Service Controls. For details, see Protecting resources with VPC Service Controls.

Secret Manager

Secret Manager now supports using a filter to customize the output of ListSecrets and ListSecretVersions. For more information, see Filtering.

VPC Service Controls

Preview stage support for the following integration:

  • Network Connectivity Center

Vertex AI

Private endpoints for online prediction are now available in preview. After you set up VPC Network Peering with Vertex AI, you can create private endpoints for low-latency online prediction within your private network.

Additionally, the documentation for VPC Network Peering with custom training has moved. The general instructions for setting up VPC Network Peering with Vertex AI are available at the original link, https://cloud.google.com/vertex-ai/docs/general/vpc-peering. The documentation for custom training is now available here: Using private IP with custom training.

Virtual Private Cloud

External IPv6 addresses for VM instances are now available in General Availability in supported regions.

July 19, 2021

AI Platform Training

You can now use an interactive shell to inspect your training container while it runs. The interactive shell can be helpful for monitoring and debugging training jobs.

This feature is available in preview.

App Engine flexible environment .NET

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

App Engine flexible environment Go

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

App Engine flexible environment Java

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

App Engine flexible environment Node.js

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

App Engine flexible environment PHP

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

App Engine flexible environment Python

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

App Engine flexible environment Ruby

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

App Engine flexible environment custom runtimes

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

BigQuery

BigQuery now supports workload management data control language (DCL) statements:

This feature is generally available (GA).

BigQuery now supports the following SQL query operators:

This feature is generally available (GA).

BigQuery standard SQL now supports the CONTAINS_SUBSTR function. This feature is generally available (GA).

BigQuery ML

The end-to-end user journey for BigQuery ML documents an overview of the complete machine-learning flow for each available model including feature preprocessing, model creation, hyperparameter tuning, inference, evaluation, model export, etc.

Cloud CDN

Cloud CDN now treats HTTP responses with a max-age or s-maxage directive as cacheable, even if those responses do not have a Cache-Control: public directive.

This allows Cloud CDN to cache additional responses and better align with HTTP standards.

For details, see the caching documentation.

Cloud Spanner

Key Visualizer for Cloud Spanner is now available. Key Visualizer is an interactive monitoring tool to analyze usage patterns in Spanner databases. It reveals trends and outliers in important performance and resource metrics.

Private Catalog

Private Catalog launches improvements for using Terraform, including updating solutions, noting version highlights, and updating deployments.

Security Command Center

Security Health Analytics, a built-in service of Security Command Center, has launched a new detector, DATASET_CMEK_DISABLED, in general availability. The detector, available to Security Command Center Premium customers, detects BigQuery datasets that are not encrypted using customer-managed encryption keys (CMEK). For more information, see the DATASET_SCANNER table in Vulnerabilities findings.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched a public preview of new detectors to protect your Google Workspace domains. The detectors identify suspicious activities in member accounts and your Admin Console, including leaked passwords, attempted account breaches, settings changes, and possible government-backed attacks. For more information, see Event Threat Detection overview.

VPC Service Controls

Beta stage support for the following integration:

Vertex AI

You can now use an interactive shell to inspect your custom training container while it runs. The interactive shell can be helpful for monitoring and debugging training.

This feature is available in preview.

July 16, 2021

App Engine standard environment Java

  • Updated Java SDK to version 1.9.90.

Cloud Bigtable

New Dataflow templates are now available to help you import data into Cloud Bigtable. The importsnapshot template lets you import HBase snapshots into Cloud Bigtable, without the need to export data as SequenceFiles or Avro files. The sync-table template lets you validate the integrity of your imported data.

The Cloud Bigtable documentation has been updated to include information about connection pools and when to consider resizing them.

Datastore

This feature has been moved to a future release. It is not currently available.

Added DATA_READ and DATA_WRITE Data Access audit logs. See Firestore in Datastore mode audit logging information. This feature is available in Preview.

Firestore

This feature has been moved to a future release. It is not currently available.

Added DATA_READ and DATA_WRITE Data Access audit logs. See Firestore audit logging information. This feature is available in Preview.

Network Intelligence Center

In the Google Cloud console, the trace panel for each Connectivity Test now includes links to VMs, firewall rules, and other resources that were analyzed as part of the test. Additionally, when you view the Result details panel, it now shows the source and destination IP address, the port that was used, and other information about the test. To see screenshots of the enhanced UI, visit Common Use Cases.

July 15, 2021

Deep Learning Containers

M75 Release

  • Enhanced environment configurations so it is easier to install additional frameworks in CUDA containers.

Deep Learning VM Images

M75 Release

  • Improved the clarity of error messages for custom container users.

SAP on Google Cloud

SAP HANA: sizing guidelines for persistent disks reduced

For most Compute Engine VM types that are certified for SAP HANA, Google Cloud has reduced the required minimum sizes of SSD and balanced persistent disks that are used for block storage by reducing the amount of storage that is allocated to the /hana/data volume from 1.5x memory to 1.2x memory. Google Cloud also updated the Deployment Manager templates that Google Cloud provides for SAP HANA to use the reduced sizes.

For more information, see Minimum sizes for SSD and balanced persistent disks.

Traffic Director

Traffic Director can now use internet NEGs of the type INTERNET_FQDN_PORT to route traffic to private services that are reachable using hybrid connectivity, including named on-premises, multi-cloud, and internet services. For full details, see Traffic Director with internet network endpoint groups.

July 14, 2021

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.16.10-airflow-1.10.15 (default)
  • composer-1.16.10-airflow-1.10.14
  • composer-1.16.10-airflow-1.10.12
  • composer-1.17.0-preview.6-airflow-2.0.1
  • composer-1.17.0-preview.6-airflow-2.0.2

Airflow 2.0.2 is available in Cloud Composer images.

Fixed memory issues on the FluentD environment component.

Cloud Shell

Terraform plugin v2.12.0

The Cloud Shell Editor now comes preinstalled with the HashiCorp Terraform extension! The extension adds syntax highlighting and other editing features for Terraform files using Terraform Language Server. Review the Terraform release notes for a complete list of features/updates/bug fixes.

Google Cloud VMware Engine

Changed MTU recommendation for private cloud-to-private cloud external communications to 1500 bytes.

Google Kubernetes Engine

A new security vulnerability, CVE-2021-22555, has been discovered where a malicious actor with CAP_NET_ADMIN privileges can potentially cause a container breakout to root on the host. This vulnerability affects all GKE clusters and Anthos clusters on VMware running Linux version 2.6.19 or later.

For more information, see the GCP-2021-015 security bulletin.

Vertex AI

You can now use the gcloud beta ai custom-jobs create command to build a Docker image based on local training code, push the image to Container Registry, and create a CustomJob resource.

Virtual Private Cloud

Private Service Connect service attachment details now correctly show the status for consumer endpoints. Consumer endpoints can have a status other than Accepted.

If you're creating a Private Service Connect endpoint in a Shared VPC network, the endpoint no longer needs to be in the same project that contains the virtual machines (VMs) that send requests to the endpoint.

July 13, 2021

Chronicle

New documentation to support Chronicle data ingestion planning

You can now find information about Chronicle supported default parsers.

Supported default parsers provides information about which ingestion labels (LogTypes) also support a default parser. You can find the supported data format (KV, JSON, CEF, etc.), the parser category, and when the default parser was last updated.

Cloud Logging

The Cloud Console now supports creating Logging sinks at the organization or folder level. For information on creating sinks, see Exporting logs with the Google Cloud Console.

Starting on October 12, 2021, your Dataflow logs that are ingested and stored in Cloud Logging will be charged at the standard Cloud Logging prices. It's recommended that you review the volume of Dataflow logs ingested into Cloud Logging through Metrics Explorer in Cloud Monitoring. For information on optimizing the log volume for your Dataflow jobs, see Controlling log volume.

Cloud Monitoring

Metrics Explorer, a stand-alone charting tool that lets you quickly chart and explore time-series data, has a new interface and supports enhanced aggregation options. For more information, see Metrics Explorer.

The VM instances page has a new Processes tab in Preview. This tab adds charts for process metrics to the charts provided by the existing CPU, Memory, Disk, and Network tabs.

Compute Engine

Preview: Access the Compute Engine API using Cloud Client Libraries built on our latest client library model. An updated client library is now available in the following language:

  • Go

For more information, see Compute Engine client libraries.

Preview: The Observability tab on Compute Engine's VM instance details page includes a new category for process metrics. You can use the new charts and reports to troubleshoot the behavior of processes running on your VMs.

Config Connector

Config Connector 1.56.0 is now available.

Added support for ComputeInstanceGroupManager resource (Issue #314).

Added support for BinaryAuthorizationPolicy resource.

Added cluster.kmsKeyRef field to BigtableInstance.

Added expire, rotation, topics, and ttl fields to SecretManagerSecret (Issue #471).

Fixed bug that was causing CloudIdentityGroup to go through infinite updates.

Added timestamp to log messages.

Aggregated the cnrm-admin ClusterRole to the admin and edit ClusterRoles, and aggregated the cnrm-viewer ClusterRole to view ClusterRole. See Aggregated ClusterRoles for details (Issue #486).

Google Kubernetes Engine

There is a known issue that prevents the gcloud client from interacting with multi-cluster Ingress that was introduced in gcloud version 346.0.0 and was fixed in version 348.0.0. It is recommended that you do not use gcloud versions 346.0.0 and 347.0.0 when using multi-cluster Ingress.

Transcoder API

Transcoder v1 API is now available. See the migration guide for information on how to update your job templates to the new version.

The Transcoder v1beta1 API is deprecated and will be turned down. It is replaced by the Transcoder v1 API.

The API outputs CEA-608 captions instead of CEA-708.

July 12, 2021

Cloud Logging

You can now install the Logging and Monitoring agents on multiple VMs from the Inventory tab on the Cloud Monitoring VM Instances page. You can select multiple VMs in your fleet for agent installation. The page generates the necessary installation command and provides a link to Cloud Shell, where you can run the command.

Cloud Monitoring

You can now install the Logging and Monitoring agents on multiple VMs from the Inventory tab on the Cloud Monitoring VM Instances page. You can select multiple VMs in your fleet for agent installation. The page generates the necessary installation command and provides a link to Cloud Shell, where you can run the command.

A warning annotation is now added to charts when they are missing data due to a data outage. When the annotation is absent, data gaps aren't due to a data outage. For common reasons why a chart might contain a data gap, see Gaps in chart data.

Cloud Storage

List object V2 for the XML API launched in Preview.

  • List object V2 provides improved interoperability with Amazon S3 tools and libraries.

Dataproc

For 2.0+ image clusters, the dataproc:dataproc.master.custom.init.actions.mode cluster property can be set to RUN_AFTER_SERVICES to run initialization actions on the master after HDFS and any services that depend on HDFS are initialized. Examples of HDFS-dependent services include: HBase, Hive Server2, Ranger, Solr, and the Spark and MapReduce history servers. Default: RUN_BEFORE_SERVICES.

July 09, 2021

Cloud Trace

Cloud Trace announces that the OpenTelemetry library for Java is now generally available. For information about configuring your Java application to use OpenTelemetry, see Java and OpenTelemetry.

Dataproc

Custom image limitation: New images announced in the Dataproc release notes are not available for use as the base for custom images until one week from their announcement date.

The Dataproc v1beta2 APIs are deprecated. Please use the Dataproc v1 APIs.

Dataproc Metastore

Backing up and restoring service metadata are now in GA.

Google Kubernetes Engine

(2021-R22) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.18.19-gke.1701 is now available in the Stable channel.
  • Version 1.19.11-gke.2101 is now available in the Stable channel.
  • Version 1.18.18-gke.1700 is no longer available in the Stable channel.

Regular channel

  • Version 1.19.11-gke.1701 is now available in the Regular channel.
  • Version 1.20.7-gke.1800 is now available in the Regular channel.
  • Version 1.19.10-gke.1700 is no longer available in the Regular channel.
  • Version 1.20.6-gke.1000 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.7-gke.1800 with this release.

Rapid channel

  • Version 1.20.7-gke.2200 is now the default version.
  • Version 1.20.8-gke.700 is now available in the Rapid channel.
  • Version 1.21.2-gke.600 is now available in the Rapid channel.
  • Version 1.20.6-gke.1400 is no longer available in the Rapid channel.
  • Version 1.20.7-gke.1800 is no longer available in the Rapid channel.
  • Version 1.21.1-gke.2200 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.7-gke.2200 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.2-gke.600 with this release.

Network Connectivity Center

Network Connectivity Center now includes hard limits on the number of resources that can be linked to an individual spoke. For details, see Quotas and limits.

VPC Service Controls

Beta stage support for the following integration:

July 08, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.8.0-gke.25 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.0-gke.25 runs on Kubernetes v1.20.5-gke.1301.

Fixes:

Fixed CVE-2021-34824, which could expose private keys and certificates from Kubernetes secrets through the credentialName field when using Gateway or DestinationRule. This vulnerability affects all clusters created or upgraded with Anthos clusters on VMware version 1.8.0.21. For more information, see the GCP-2021-012 security bulletin.

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.17.0-preview.5-airflow-2.0.1
  • composer-1.16.9-airflow-1.10.15 (default)
  • composer-1.16.9-airflow-1.10.14
  • composer-1.16.9-airflow-1.10.12

When PyPI modules installation fails with certain error types in VPC SC environments, an additional attempt to perform the environment update operation is made using an in-cluster build.

Cloud Composer 1.10.6 has reached its end of full support period.

Cloud SQL for MySQL

IAM database authentication for Cloud SQL for MySQL is now generally available. To get started using IAM database authentication, see Cloud SQL IAM database authentication.

Cloud Spanner

The NUMERIC data type is now supported as a valid key column type, so you can now use NUMERIC type columns when specifying primary keys, foreign keys, and secondary indexes.

Error Reporting

Error Reporting notifications have been upgraded to use the Alerting infrastructure. For more information, see the Notifications guide.

Google Kubernetes Engine

Microsoft published a security bulletin on a remote code execution (RCE) vulnerability, CVE-2021-34527, that affects the print spooler in Windows servers. The CERT Coordination Center (CERT/CC) published an update note on a related vulnerability, dubbed "PrintNightmare", that also affects Windows print spoolers: PrintNightmare, Critical Windows Print Spooler Vulnerability.

For more information, see the GCP-2021-014 security bulletin.

Vertex AI

You can now containerize and run your training code locally by using the new gcloud beta ai custom-jobs local-run command. This feature is available in preview.

July 07, 2021

Anthos GKE on AWS

Anthos clusters on AWS aws-1.8.0-gke.8 is now available.

Anthos clusters on AWS aws-1.8.0-gke.8 clusters run the following Kubernetes versions:

  • 1.17.17-gke.11000
  • 1.18.19-gke.2300
  • 1.19.11-gke.2300
  • 1.20.7-gke.2400

This release fixes an issue mentioned in the entry on July 2, 2021. We recommend all customers upgrade to 1.8.0-gke.8.

When you upgrade or update a user cluster, the Connect agent is automatically updated to the latest version.

Anthos clusters on VMware

Anthos clusters on VMware 1.8.0-gke.25 is now available to resolve this issue.

The Istio project recently disclosed a new security vulnerability, CVE-2021-34824, affecting Istio. Istio contains a remotely exploitable vulnerability where credentials specified in the credentialName field for Gateway or DestinationRule can be accessed from different namespaces.

For more information, see the GCP-2021-012 security bulletin.

BigQuery Cloud Functions

Cloud Functions now logs pending queue requests abort error messages.

Cloud Load Balancing

External TCP/UDP Network Load Balancing now allows you to configure a connection tracking policy. A connection tracking policy introduces the following new properties to let you customize your load balancer's connection tracking behavior:

To learn about how connection tracking works, see Backend selection and connection tracking.

To learn how to configure a connection tracking policy, see Configure a connection tracking policy.

This feature is available in Preview.

Cloud Logging

The Share link feature for queries in the Logs Explorer now lets you choose whether to include an absolute time range or a relative time range. With an absolute time range, the query includes static time values for the results, so the query always returns the same results. With a relative time range, you can set a value like "last 1 hour", and the results change as time passes.

Preview: Cloud Logging now supports alerts based on matching the content of your logs. When triggered, a log-based alert notifies you that a match has appeared in your logs and opens an incident in Cloud Monitoring. You can create log-based alerts by using the Logs Explorer or the Monitoring API. For more information, see Monitoring your logs and Using log-based alerts.

Cloud Monitoring

Preview: Cloud Logging now supports alerts based on matching the content of your logs. When triggered, a log-based alert notifies you that a match has appeared in your logs and opens an incident in Cloud Monitoring. You can create log-based alerts by using the Logs Explorer or the Monitoring API. For more information, see Monitoring your logs and Using log-based alerts.

Config Connector

Config Connector 1.55.0 is now available.

Added NetworkServicesEndpointPolicy support.

Added new fields:

  • ComputeInstance: networkPerformanceConfig.totalEgressBandwidthTier field added.
  • ComputeInstanceTemplate: advancedMachineFeatures field added.
  • ComputeInstanceTemplate: confidentialInstanceConfig.enableConfidentialCompute field is now immutable.
  • ComputeInstanceTemplate: networkPerformanceConfig.totalEgressBandwidthTier field added.
  • ComputeSecurityPolicy: adaptiveProtectionConfig field added.
  • RedisInstance: redisVersion field no longer immutable.

Reduced max retry interval on failure to 120 seconds for fast reconciliation.

Use IAMResourceRef type in IAMPartialPolicySpec (Issue #495).

ContainerCluster supports User Project Override (Issue #492).

Dataproc

The end date of support for Dataproc image version 1.4 has been extended from August, 2021 to November, 2021.

Deep Learning VM Images

M74 Release

  • In Debian 10 GPU images, updated NVIDIA drivers to 460.73.01 and CUDA to 11.0.3.
  • Added support for controlling the Cloud Storage backup synchronization time and reducing the output of synchronization.
  • Preinstalled the table of contents extension in JupyterLab.
  • Added fastai 2.4 to the PyTorch 1.9 GPU image.

July 06, 2021

Cloud Healthcare API

The Cloud Healthcare API offers single-region support in the europe-west3 (Frankfurt) region.

The Cloud Healthcare API offers single-region support in the asia-northeast3 (Seoul) region.

The Cloud Healthcare API offers single-region support in the asia-south1 (Mumbai) region.

July 05, 2021

Dataproc

New sub-minor versions of Dataproc images: 1.3.92-debian10, 1.3.92-ubuntu18, 1.4.63-debian10, 1.4.63-ubuntu18, 1.5.38-centos8, 1.5.38-debian10, 1.5.38-ubuntu18, 2.0.12-centos8, 2.0.12-debian10, and 2.0.12-ubuntu18.

Upgraded Spark version to 2.4.8 in the following images:

  • Image 1.4
  • Image 1.5

Minimum boot disk sizes for Dataproc images:

  • Image 2.0: 30GB
  • Image 1.5: 20GB
  • Image 1.4: 15GB
  • Image 1.3: 15GB

Fixed stdout/stderr links on Spark History Server Web UI of the Persistent History Server in the following images:

  • Image 1.4
  • Image 1.5

Fixed a bug where personal auth credentials would not propagate to every VM in the cluster if VPC service controls were enabled.

VPC Service Controls

Beta stage support for the following integration:

July 02, 2021

Anthos GKE on AWS

An issue has been discovered with Anthos clusters on AWS 1.8.0. When you complete an upgrade of your management service to 1.8.0, the management service automatically performs a rolling update of all node pools.

A fix for this issue is being developed. A new build will be published when the fix is available.

Anthos clusters on bare metal

Release 1.8.1

Anthos clusters on bare metal release 1.8.1 is now available. To upgrade, see Upgrading Anthos on bare metal. Anthos on bare metal 1.8.1 runs on Kubernetes 1.20.

Fixes:

Fixed CVE-2021-34824, which could expose private keys and certificates from Kubernetes secrets through the credentialName field when using Gateway or DestinationRule. This vulnerability affects all clusters created or upgraded with Anthos clusters on bare metal release 1.8.0. For more information, see the GCP-2021-012 security bulletin.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Certificate Authority Service

Certificate Authority Service is now generally available with the following new features.

  • Certificate authority (CA) pools: A CA pool is a container for multiple CAs with a common certificate issuance policy and IAM policy. More information: Overview of CA pools.
  • Certificate templates: Certificate templates are reusable and parameterized schemas for common certificate issuance scenarios. The reusable configs feature has been retired, and certificate template replaces it. More information: Certificate templates.
  • Identity reflection: Identity reflection is a special certificate issuance mode that limits an unprivileged certificate requester. With the identity reflection mode, the unprivileged certificate requester can only request certificates with a SAN corresponding to the identity in their credential. More information: Using identity reflection.
  • Updates to CA states: A new state called STAGED has been added to the list of CA states. The new set of CA states can be found here: Certificate authority states.
  • New locations: CA Service has expanded the list of locations where you can create your resources. For the complete list of locations, see Locations.

In addition to the above features, Certificate Authority Service has the following updates as part of the GA release.

  • Pricing: CA Service offers a simple pay-as-you-go pricing model. Large-volume customers can also use the subscription-based pricing model. More information: Pricing.
  • Service Level Agreement (SLA): SLA for CA Service is now publicly available and offers 99.9% availability per region for certificate creation. More information: SLA.
  • Compliance: CA Service meets ISO 27001, 27017, 27018, SOC1, SOC2, SOC3, BSI C5, and PCI compliance standards.

Cloud Functions

Cloud Functions now supports .NET at the General Availability release level. This runtime is based on .NET Core 3.1.

Cloud Monitoring

You can now display summaries of single-condition alerting policies on a custom dashboard. A policy summary includes a display of the monitored time series, the threshold, and chips that show the number of open incidents and whether the policy is disabled. For more information about Alert charts, see the following pages:

Dashboard-wide filters now apply to all charts on a dashboard. Prior to this change, these filters didn't apply to MQL-configured charts.

Dialogflow

In Dialogflow CX, you can now use the Search feature (Preview launch) to search, filter, and access the core resources within an agent.

In Dialogflow CX, you can now use the sys.long-utterance built-in event to handle user queries exceeding the maximum length (256 characters).

Document AI

Change in processor documentation

The location of individual processor information has changed. You can now find individual processor documentation for all solutions (General, Procurement, Lending) in the following locations:

Human in the Loop (HITL) now supports priority queues for each processor, based on the urgency of each document. For more information, see HITL.

Google Kubernetes Engine

The Istio project recently disclosed a new security vulnerability, CVE-2021-34824, affecting Istio. Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

For more information, see the GCP-2021-012 security bulletin.

Config Management is now available on GKE. Config Management provides you with the following benefits:

  • You can now use Policy Controller. Policy Controller enables the enforcement of fully programmable policies for your clusters. To learn more, see Policy Controller overview.
  • You can now install Config Sync using the Cloud Console or the gcloud command line tool. To learn more, see Installing Config Sync.

Network Intelligence Center

Connectivity to Google-managed services is now generally available in Network Topology. Google Cloud users can use Network Topology to audit their networking configuration and troubleshoot networking issues related to the different Google services in use.

VPC Service Controls

General availability for the following integration:

July 01, 2021

Anthos Config Management

This release note contains information about 1.8.0 features that are now more widely available.

Config Sync now supports accessing Cloud Source Repositories through a Google service account when Workload Identity is enabled in your cluster. To learn more, see Granting Config Sync read-only access to Git.

Config Management is now available on GKE. Config Management enables you to use Policy Controller. GKE users can also now install Config Sync using the Cloud Console or by using the gcloud command-line tool. To learn more, see Installing Config Sync.

The following commands have been promoted to beta:

  • gcloud container hub config-management apply
  • gcloud container hub config-management disable
  • gcloud container hub config-management enable
  • gcloud container hub config-management status
  • gcloud container hub config-management unmanage
  • gcloud container hub config-management upgrade
  • gcloud container hub config-management version

The config file format for the gcloud apply command has changed. For more information on the new file format, see gcloud apply spec fields.

You can now configure your cluster with the same settings used by another cluster by using gcloud fetch-for-apply. To learn more, see Configuring Config Sync.

Config Sync cluster selectors now support CustomResourceDefinitions.

Anthos GKE on AWS

Anthos clusters on AWS aws-1.8.0-gke.7 is now available.

Anthos clusters on AWS aws-1.8.0-gke.7 clusters run the following Kubernetes versions:

  • 1.17.17-gke.11000
  • 1.18.19-gke.2300
  • 1.19.11-gke.2300
  • 1.20.7-gke.2400

You can now launch Kubernetes 1.20 clusters.

Workload identity to authenticate to Google Cloud services from your user clusters is now available. Using workload identity is supported on user clusters running version 1.20 and higher.

You can now update the security groups associated with user clusters and node pools. For more information, see Updating a user cluster.

You can now modify proxy settings on a running cluster. For more information, see Changing Cluster Proxy Settings.

Anthos clusters on Azure now supports Cloud Logging and Cloud Monitoring of user cluster control planes. For more information, see Configuring logging and monitoring.

BigQuery

An updated version of ODBC driver for BigQuery is now available that includes bug fixes, parameterized data type support, and metadata retrieval performance improvements.

An updated version of JDBC driver for BigQuery is now available that includes bug fixes, parameterized data type support, and job retry improvements.

Chronicle

Asset Namespaces

The asset namespaces feature enables you to classify categories of assets sharing a common network environment, or namespace, and then perform searches for those assets within the Chronicle user interface based on that namespace. See also the Linux Forwarder documentation for information on how to configure the Forwarder to add namespaces to your security data before it is ingested into your Chronicle account.

Linux Forwarder Updates

The Linux Forwarder has been enhanced with the following additional capabilities:

Disk Buffering—Disk buffering enables you to buffer backlogged messages to disk as opposed to memory. The backlogged messages can be stored in case the forwarder crashes or the underlying host crashes.

Regular Expression Filters—Regular expression filters enable you to filter logs based on regular expression matches.

Arbitrary labels—Use labels to attach arbitrary metadata to logs using key and value pairs.

Namespaces—Use namespace labels to identify logs from distinct network segments and to deconflict overlapping IP addresses.

Kafka Input—You can ingest data from Kafka topics just as you can for syslog. Consumer groups are leveraged to enable you to deploy up to 3 Forwarders and pull data from the same Kafka topic.

Cloud Billing

(Customers in India only) Starting on July 1, 2021, the first page of your invoice shows a Unified Payment Interface (UPI) QR code. You can pay your invoice by scanning the QR code with any UPI-enabled application.

(Customers in India only) We have updated information about Google's tax compliance in India, for tax deducted at source (TDS). Learn about Google Cloud India TDS certificates.

Cloud Storage

Public access prevention (Preview) launched.

Cloud Translation

Cloud Translation - Advanced (v3) support for a regional EU endpoint is now in Preview. For more information, see Specify a regional endpoint.

Compute Engine

Preview: You can now configure N2D VMs with up to 100 Gbps of network bandwidth.

This feature is ideal for network-intensive distributed workloads.

Learn more about higher bandwidth configurations, the regions and zones where these machines are available, and the post-preview pricing for this new feature.

Secret Manager

Secret Manager now offers a limited number of free resources as part of the Google Cloud Free program.

For more details on free resources, see Secret Manager pricing.

Storage Transfer Service

Transfer service for on-premises data support for delete from source is now Generally Available. For more information, see Data consistency details.

Storage Transfer Service offers Preview for integration with AWS Security Token Service. Security-conscious customers can now use Storage Transfer Service to perform transfers from AWS S3 without passing any security credentials. This release alleviates the security burden associated with passing long-term AWS S3 credentials, which have to be rotated or explicitly revoked when they are no longer needed. Refer to Amazon Web Services (AWS) S3 Federated Identity credentials when setting up access to your data source.

VPC Service Controls

Preview stage support for the following integration:

June 30, 2021

Anthos Service Mesh

Anthos Service Mesh user authentication is now generally available (GA). This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, see Configuring Anthos Service Mesh user authentication.

1.10.2-asm.3 is now available and includes a fix for the known issue with control plane metric reporting reported on June 25, 2021.

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Anthos clusters on Azure

The preview release of Anthos clusters on Azure is now available. With this release, you can create, use, and tear down Anthos clusters on Azure, as well as load balancers and storage volumes.

Anthos clusters on Azure is available for customers with an existing support relationship with Google Cloud. Contact your account representative for access.

Anthos clusters on Azure supports Kubernetes version 1.19.10-gke.1000.

To create a cluster, see the Installation overview.

New features include:

  • Private clusters with private IPs
  • gcloud alpha container azure clusters and node-pools support
  • Application-layer secrets encryption
  • Choice of volume type, size, and customer-managed encryption keys
  • Cluster Autoscaler

Current limitations include the following:

  • Cluster updates are not supported. You must recreate clusters when using the next version.
  • Node pools have only been tested up to 20 nodes.
  • In order to use the Google Cloud Console, you must register your cluster with the Connect agent.
  • Not all Google Cloud and Azure regions are supported. See Supported regions for more information.

Anthos clusters on bare metal

Security bulletin (1.8)

The Istio project recently announced a security vulnerability (CVE-2021-34824) where credentials specified in the credentialName field for Gateway or DestinationRule can be accessed from different namespaces. This vulnerability affects all clusters created or upgraded with Anthos clusters on bare metal release 1.8.0. For more information, see the GCP-2021-012 security bulletin.

App Engine flexible environment .NET

Requests from internal services to the App Engine flexible environment no longer originate from 10.0.0.1. The IP ranges are as follows:

  • Cron requests from newly created or updated App Engine Cron jobs sent to the App Engine flexible environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from both 0.1.0.1 and 10.0.0.1.
  • For other Cloud Scheduler jobs and Cloud Tasks queues (including App Engine Task Queues), requests sent to the App Engine flexible environment now only come from 0.1.0.2. Previously, these requests came from both 0.1.0.2 and 10.0.0.1.
  • For URL Fetch, requests sent to the App Engine flexible environment now only come from 0.1.0.40. Previously, these requests came from both 0.1.0.40 and 10.0.0.1.

For more information, see Understanding the App Engine firewall.

App Engine flexible environment Go

Requests from internal services to the App Engine flexible environment no longer originate from 10.0.0.1. The IP ranges are as follows:

  • Cron requests from newly created or updated App Engine Cron jobs sent to the App Engine flexible environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from both 0.1.0.1 and 10.0.0.1.
  • For other Cloud Scheduler jobs and Cloud Tasks queues (including App Engine Task Queues), requests sent to the App Engine flexible environment now only come from 0.1.0.2. Previously, these requests came from both 0.1.0.2 and 10.0.0.1.
  • For URL Fetch, requests sent to the App Engine flexible environment now only come from 0.1.0.40. Previously, these requests came from both 0.1.0.40 and 10.0.0.1.

For more information, see Understanding the App Engine firewall.

App Engine flexible environment Java

Requests from internal services to the App Engine flexible environment no longer originate from 10.0.0.1. The IP ranges are as follows:

  • Cron requests from newly created or updated App Engine Cron jobs sent to the App Engine flexible environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from both 0.1.0.1 and 10.0.0.1.
  • For other Cloud Scheduler jobs and Cloud Tasks queues (including App Engine Task Queues), requests sent to the App Engine flexible environment now only come from 0.1.0.2. Previously, these requests came from both 0.1.0.2 and 10.0.0.1.
  • For URL Fetch, requests sent to the App Engine flexible environment now only come from 0.1.0.40. Previously, these requests came from both 0.1.0.40 and 10.0.0.1.

For more information, see Understanding the App Engine firewall.

App Engine flexible environment Node.js

Requests from internal services to the App Engine flexible environment no longer originate from 10.0.0.1. The IP ranges are as follows:

  • Cron requests from newly created or updated App Engine Cron jobs sent to the App Engine flexible environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from both 0.1.0.1 and 10.0.0.1.
  • For other Cloud Scheduler jobs and Cloud Tasks queues (including App Engine Task Queues), requests sent to the App Engine flexible environment now only come from 0.1.0.2. Previously, these requests came from both 0.1.0.2 and 10.0.0.1.
  • For URL Fetch, requests sent to the App Engine flexible environment now only come from 0.1.0.40. Previously, these requests came from both 0.1.0.40 and 10.0.0.1.

For more information, see Understanding the App Engine firewall.

App Engine flexible environment PHP

Requests from internal services to the App Engine flexible environment no longer originate from 10.0.0.1. The IP ranges are as follows:

  • Cron requests from newly created or updated App Engine Cron jobs sent to the App Engine flexible environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from both 0.1.0.1 and 10.0.0.1.
  • For other Cloud Scheduler jobs and Cloud Tasks queues (including App Engine Task Queues), requests sent to the App Engine flexible environment now only come from 0.1.0.2. Previously, these requests came from both 0.1.0.2 and 10.0.0.1.
  • For URL Fetch, requests sent to the App Engine flexible environment now only come from 0.1.0.40. Previously, these requests came from both 0.1.0.40 and 10.0.0.1.

For more information, see Understanding the App Engine firewall.

App Engine flexible environment Python

Requests from internal services to the App Engine flexible environment no longer originate from 10.0.0.1. The IP ranges are as follows:

  • Cron requests from newly created or updated App Engine Cron jobs sent to the App Engine flexible environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from both 0.1.0.1 and 10.0.0.1.
  • For other Cloud Scheduler jobs and Cloud Tasks queues (including App Engine Task Queues), requests sent to the App Engine flexible environment now only come from 0.1.0.2. Previously, these requests came from both 0.1.0.2 and 10.0.0.1.
  • For URL Fetch, requests sent to the App Engine flexible environment now only come from 0.1.0.40. Previously, these requests came from both 0.1.0.40 and 10.0.0.1.

For more information, see Understanding the App Engine firewall.

App Engine flexible environment Ruby

Requests from internal services to the App Engine flexible environment no longer originate from 10.0.0.1. The IP ranges are as follows:

  • Cron requests from newly created or updated App Engine Cron jobs sent to the App Engine flexible environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from both 0.1.0.1 and 10.0.0.1.
  • For other Cloud Scheduler jobs and Cloud Tasks queues (including App Engine Task Queues), requests sent to the App Engine flexible environment now only come from 0.1.0.2. Previously, these requests came from both 0.1.0.2 and 10.0.0.1.
  • For URL Fetch, requests sent to the App Engine flexible environment now only come from 0.1.0.40. Previously, these requests came from both 0.1.0.40 and 10.0.0.1.

For more information, see Understanding the App Engine firewall.

App Engine standard environment Go

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

Requests from newly created or updated App Engine Cron jobs sent to the App Engine standard environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from 0.1.0.1. See Understanding the App Engine firewall for more information.

App Engine standard environment Java

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

Requests from newly created or updated App Engine Cron jobs sent to the App Engine standard environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from 0.1.0.1. See Understanding the App Engine firewall for more information.

App Engine standard environment Node.js

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

Requests from newly created or updated App Engine Cron jobs sent to the App Engine standard environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from 0.1.0.1. See Understanding the App Engine firewall for more information.

App Engine standard environment PHP

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

Requests from newly created or updated App Engine Cron jobs sent to the App Engine standard environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from 0.1.0.1. See Understanding the App Engine firewall for more information.

App Engine standard environment Python

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

Requests from newly created or updated App Engine Cron jobs sent to the App Engine standard environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from 0.1.0.1. See Understanding the App Engine firewall for more information.

App Engine standard environment Ruby

Specifying a user-managed service account for each App Engine version during deployment is now available in preview. This feature lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

Requests from newly created or updated App Engine Cron jobs sent to the App Engine standard environment now come from 0.1.0.2. For Cron jobs created with older gcloud versions (earlier than 326.0.0), Cron requests will come from 0.1.0.1. Previously, these requests only came from 0.1.0.1. See Understanding the App Engine firewall for more information.

Chronicle

Downloading Events

You can download large numbers of the events associated with each threat detection as a CSV file, enabling you to search across a broad set of the data stored in your Chronicle account to hunt for security issues.

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.17.0-preview.4-airflow-2.0.1
  • composer-1.16.8-airflow-1.10.15 (default)
  • composer-1.16.8-airflow-1.10.14
  • composer-1.16.8-airflow-1.10.12

Fixed remaining memory issues that occurred while syncing files on machine types with more than 8 vCPUs.

Cloud Composer 1.10.5 has reached its end of full support period.

Cloud Logging

Cloud Logging lets you copy logs from a Cloud Logging bucket to a Cloud Storage bucket. To learn more, see Copying log entries.

The Ops Agent is now Generally Available as version 2.0.0. This agent combines logging and metrics into a single agent. The Ops Agent is targeted toward specialized logging workloads that require higher throughput and improved resource efficiency.

For installation information, see Installing the Ops Agent. For information about migrating from an earlier version, see the transition guide.

The GA version of the Ops Agent can be configured to collect specific sets of metrics, as described in Configuring the Ops Agent. There is a small number of metrics that the GA version of the Ops Agent handles differently from the Preview versions of the Ops Agent and the Monitoring agent; see Differences in metric collection.

Cloud Monitoring

The Monitoring dashboards page in the Cloud Console now includes a collection of sample dashboards. The sample dashboards provide support for many common applications. You can preview, install, and then customize these dashboards. For more information, see Installing sample dashboards.

The Ops Agent is now Generally Available as version 2.0.0. This agent combines logging and metrics into a single agent. The Ops Agent is targeted toward specialized logging workloads that require higher throughput and improved resource efficiency.

For installation information, see Installing the Ops Agent. For information about migrating from an earlier version, see the transition guide.

The GA version of the Ops Agent can be configured to collect specific sets of metrics, as described in Configuring the Ops Agent. There is a small number of metrics that the GA version of the Ops Agent handles differently from the Preview versions of the Ops Agent and the Monitoring agent; see Differences in metric collection.

Cloud Run

Cloud Run is now available in the following region:

  • asia-south2 (Delhi, India)

Cloud SQL for MySQL

Cloud SQL for MySQL now offers stored procedures that you can execute on your instances. You can use stored procedures to add or drop secondary indexes on read replicas. See Cloud SQL stored procedures.

Cloud Spanner

Cloud Spanner now supports Cloud External Key Manager (Cloud EKM) when using customer-managed encryption keys. Cloud EKM also provides Key Access Justification to give you more visibility into key access requests.

Compute Engine

The Machine types documentation has been renamed to Machine families. The URL remains the same.

New pages have been added to reflect the expansion of our machine fleet.

You can learn about Virtio memory balloon devices at the Dynamic resource management page.

Dataflow

GPU support on Dataflow is now in General Availability.

Dialogflow

The Dialogflow ES API now provides methods for managing versions and environments.

Google Cloud Armor

Google Cloud Armor now supports parsing of the JSON content of POST bodies when preconfigured WAF rules are evaluated. JSON parsing must be enabled on a per-security-policy basis. In addition, you can enable verbose request logging to provide more details about why a particular rule was triggered. These features are Generally Available.

Pub/Sub

Pub/Sub message schemas are now GA.

SAP on Google Cloud

SAP HANA certification: 12 TB m2-ultramem-416 machine type for OLAP workloads

SAP has certified the Compute Engine 12 TB m2-ultramem-416 machine type for SAP HANA with OLAP workloads in an SAP HANA scale-up configuration that must be sized by using SAP workload-based sizing methods.

For more information, see Certified Compute Engine VMs for SAP HANA.

SAP NetWeaver is supported on Bare Metal Solution with more database types

In addition to SAP HANA, you can now run SAP NetWeaver on Bare Metal Solution servers for production workloads with other SAP NetWeaver supported database types, such as Oracle databases.

For more information, see SAP NetWeaver on Bare Metal Solution planning guide.

Secret Manager

Secret Manager now has a guide for rotating secrets and binding a secret version to your application.

To learn more, see Rotation of secrets.

Virtual Private Cloud

Deleting a private services access connection now also removes configurations created by the service producer, if Google is the service producer (for example, Cloud SQL). The improved deletion process simplifies administration if you delete a private services access connection, but later want to recreate it. This feature is now available in General Availability.

The billing issue for non-RFC 1918 addresses for Private Service Connect endpoints that you use to access Google APIs and services has been fixed.

June 29, 2021

Anthos Service Mesh

There is a breaking change in 1.10 with inbound forwarding that affects applications that bind solely to the localhost interface.

For more information, see the 1.10 Istio upgrading notes.

BigQuery

BigQuery is now available in the Delhi (asia-south2) region.

BigQuery now supports multi-statement transactions. These allow you to perform mutating operations, such as inserting or deleting rows, on one or more tables, and either commit or roll back the changes atomically. This feature is in Preview.

BigQuery BI Engine

BigQuery BI Engine is now available in the Delhi (asia-south2) region.

BigQuery Data Transfer Service

BigQuery Data Transfer Service is now available in the Delhi (asia-south2) region.

BigQuery ML

BigQuery ML is now available in the Delhi (asia-south2) region.

Cloud Bigtable

Cloud Bigtable is now available in the asia-south2 (Delhi) region.

Cloud Billing

Summary bar now available in the Cost Table report

To provide additional flexibility when analyzing your data in the cost table report, we've added the summary bar as another analysis tool.

When you select a subset of rows in your cost table, a floating summary bar opens and shows you the total gross costs, credits, the percentage of savings, and the total net costs, summarized for the selected rows. The summary bar is available for both the nested and flat table views.

For more information about using the summary bar on the Cost table report, see View and download the cost details of your invoice or statement.

Cloud SQL for MySQL

Cloud SQL for MySQL now supports the innodb_flush_log_at_trx_commit flag.

Support for asia-south2 (Delhi) region.

Cloud SQL for PostgreSQL

Support for asia-south2 (Delhi) region.

Cloud SQL for SQL Server

Support for asia-south2 (Delhi) region.

Cloud Spanner

Cloud Spanner regional instances can now be created in Delhi (asia-south2).

Cloud Storage

Delhi region (asia-south2) launched.

Cloud VPN

Cloud VPN is now available in region asia-south2 (Delhi, India).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

Preview: You can now autoscale both regional and zonal managed instance groups based on a Cloud Monitoring metric that provides an aggregated value for the group. You can also apply filters to group metrics to further scope the scaling signal. For more information, see Scaling based on Cloud Monitoring metrics.

Delhi, India asia-south2-a,b,c region has launched with E2, N2, N1, and C2 virtual machine (VM) instances in all three zones. See VM instance pricing for details.

Dataflow

Dataflow is now able to use workers, Dataflow Shuffle, Streaming Engine, FlexRS, and regional endpoints in zones in Delhi (asia-south2).

Dataproc

Dataproc is now available in the asia-south2 region (Delhi).

The following previously released sub-minor versions of Dataproc images have been rolled back and can only be used when updating existing clusters that already use them:

  • 1.3.91-debian10, 1.3.91-ubuntu18
  • 1.4.62-debian10, 1.4.62-ubuntu18
  • 1.5.37-centos8, 1.5.37-debian10, 1.5.37-ubuntu18
  • 2.0.11-centos8, 2.0.11-debian10, and 2.0.11-ubuntu18.

Added support for Dataproc Metastore in three new recently turned up regions: europe-west3, us-west1, and us-east1.

Introduced a new ERROR_DUE_TO_UPDATE state, which indicates a cluster has encountered an irrecoverable error while scaling. Clusters in this state cannot be scaled, but can accept jobs.

Fixed an issue where a spurious unrecognized property warning was generated when the dataproc:jupyter.listen.all.interfaces cluster property is set.

Filestore

Filestore is available in the europe-central2 (Warsaw) region. See Regions and zones.

Google Kubernetes Engine

The asia-south2 region in Delhi is now available.

Kf

Kf Cloud Service Broker for Google Cloud for Google managed services.

Prevent creating a GSA policy when the GoogleProjectId field is not set.

Allow customization of external-gateway in kfsystem.yaml.

Memorystore for Memcached

Added new Memorystore for Memcached region: Delhi (asia-south2).

Memorystore for Redis

Added new Cloud Memorystore for Redis region: Delhi (asia-south2).

Migrate for Anthos and GKE

Enhanced runtime support added which lets you deploy containers to GKE Autopilot clusters and to Cloud Run, and simplifies the process of deploying containers to Anthos clusters on AWS that use workload identity. This feature is in preview.

See Enhanced runtime for more.

Added support for the preview release of the fit assessment tool that is intended to eventually replace the existing Linux discovery tool. The new fit assessment tool provides you with:

  • Ability to get the inventory information about VMware VMs through direct connection to vCenter.
  • Enhanced HTML output that makes it easier to view the assessment results.
  • New collection script, mfit_linux_collect.sh, and new assessment tool, mfit.

See Using the fit assessment tool for more.

179976237: You can now create a Docker image file registry configuration with the name of a previously deleted configuration.

166014117: If you are using Migrate for Compute Engine with Migrate for Anthos and GKE to migrate Linux workloads, after you complete a successful migration, delete the migration to free up the source VM.

187922406: A migration might fail due to an LVM (Logical Volume Manager) failure.

Workaround: Recreate and retry the migration.

Secret Manager

Secret Manager is now available in asia-south2 (Delhi). See Secret Manager locations for more information.

Secret Manager now has a guide for using Cloud Asset Inventory to identify and audit secrets.

To learn more, see Analyze secrets with Cloud Asset Inventory.

Traffic Director

You can now use VPC Service Controls with Traffic Director. You can add projects to service perimeters that protect resources and services (like Traffic Director) from requests that originate outside the perimeter. To learn more about VPC Service Controls, see the VPC Service Controls Overview.

VPC Service Controls

General availability for the following integration:

This note is incorrect; see entry for July 5, 2021

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.190.0.0/20 for the Delhi asia-south2 region. For more information, see Auto mode IP ranges.

June 28, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.8.0-gke.21 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.0-gke.21 runs on Kubernetes v1.20.5-gke.1301.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Cluster lifecycle improvements:

You should no longer use gcloud to unregister a user cluster, because clusters are registered automatically. Instead, register existing user clusters by using gkectl update cluster. You can also use gkectl update cluster to consolidate out-of-band registration that was done using gcloud. For more information, see Cluster registration.

Platform enhancements:

  • Preview: Cluster autoscaling is now available in preview. With cluster autoscaling, you can horizontally scale node pools in proportion to workload demand. When demand is high, the cluster autoscaler adds nodes to the node pool. When demand is low, the cluster autoscaler removes nodes from the node pool, scaling back down to a minimum size that you designate. Cluster autoscaling can increase the availability of your workloads while controlling costs.

  • Preview: User cluster control-plane node and admin cluster add-on node auto sizing are now available in preview. The features can be enabled separately in user cluster or admin cluster configurations. When you enable user cluster control-plane node auto sizing, user cluster control-plane nodes are automatically resized in proportion to the number of node pool nodes in the given user cluster. When you enable admin cluster add-on node auto sizing, admin cluster add-on nodes are automatically resized in proportion to the number of nodes in the admin cluster.

  • Preview: Windows Server container support for Anthos clusters on VMware is now available in preview. This allows you to modernize and run your Windows-based apps more efficiently in your data centers without having to go through risky application rewrites. You can use Windows containers alongside Linux containers for your container workloads. The same experience and benefits that you have come to enjoy with Anthos clusters on VMware using Linux--application portability, consolidation, cost savings, and agility--can now be applied to Windows Server applications also.

  • Preview: Admin cluster backup is now available in preview. With this feature enabled, admin cluster backups are automatically performed before and after user and admin cluster creation, update, and upgrade. A new gkectl backup admin command performs manual backup. Upon admin cluster storage failure, you can restore the admin cluster from a backup with the gkectl repair admin-cluster --restore-from-backup command.

Security enhancements:

  • The Ubuntu node image is qualified with the CIS (Center for Internet Security) L1/L2 Server Benchmark.

  • Generally available: Workload identity support is now generally available. For more information, see Fleet workload identity. The connect-agent service account key is no longer required during installation. The connect agent uses workload identity to authenticate to Google Cloud instead of an exported Google Cloud service account key.

  • You can now use gkectl to rotate system root CA certificates for user clusters.

  • You can now use gkectl to update vCenter CA certificates for both admin clusters and user clusters.

  • Preview: You can enable Secrets encryption with internally generated keys instead of a hardware security module (HSM). This feature will be enabled by default in a future release.

Network feature enhancements:

Preview: Egress NAT gateway is now available in preview. To be able to access off-cluster workloads, traffic originating within the cluster that is related to specific flows must have deterministic source IP addresses. Egress NAT gateway gives you fine-grained control over which traffic gets a deterministic source IP address, and then provides that address. The Egress NAT Gateway functionality is built on top of Dataplane V2.

Storage enhancements:

  • The Anthos vSphere CSI driver now supports both offline and online volume expansion for dynamically and statically created block volumes only.

    • Offline volume expansion is available in vSphere 7.0 and later. Online expansion is available in vSphere 7.0u2 and later.

    • The vSphere CSI driver StorageClass standard-rwo, which is installed in user clusters automatically, sets allowVolumeExpansion to true by default for newly created clusters running on vSphere 7.0 or later. You can use both online and offline expansion for volumes using this StorageClass.

  • The volume snapshot feature now supports v1 versions of VolumeSnapshot, VolumeSnapshotContent, and VolumeSnapshotClass objects. The v1beta1 versions are deprecated and will soon stop being served.

Simplify day-2 operations:

  • You can now use Anthos Identity Service (AIS) and OpenID Connect (OIDC) for authentication to admin clusters in addition to user clusters.

  • Preview: Anthos Identity Service can now resolve groups with Okta as identity provider. This allows administrators to write RBAC policy with Okta groups.

  • Preview: Anthos Identity service now supports LDAP authentication methods in addition to OIDC. You can use AIS with Microsoft Active Directory without the need for provisioning Active Directory Federation Services.

  • The Anthos metadata agent replaces the original metadata agent to collect and send Anthos metadata to Google Cloud Platform, so that Google Cloud Platform can use this metadata to build a better user interface for Anthos clusters. You must 1) enable the Config Monitoring for Ops API in your logging-monitoring project, 2) grant the Ops Config Monitoring Resource Metadata Writer role to your logging-monitoring service account, and 3) add opsconfigmonitoring.googleapis.com to your proxy allowlist (if applicable).

  • You can use gkectl diagnose snapshot --upload-to [GCS_BUCKET] --service-account-key-file [SA_KEY_FILE] to automatically upload snapshots to a Google Cloud Storage (GCS) bucket. The provided service account must have the roles/storage.admin IAM role enabled.

Functionality changes:

  • The admin cluster now uses containerd on all nodes, including the admin cluster control-plane node, admin cluster add-on nodes, and user cluster control-plane nodes. This applies to both new admin clusters and existing admin clusters upgraded from 1.7.x. On user cluster node pools, containerd is the default container runtime for new node pools, but existing node pools that are upgraded from 1.7.x will continue using Docker Engine. You can continue to use Docker Engine for a new node pool by setting its osImageType to ubuntu.

  • A new ubuntu_containerd OS image type is introduced. ubuntu_containerd uses an identical OS image as ubuntu, but the node is configured to use containerd as the container runtime instead. The ubuntu_containerd OS is used for new node pools by default, but existing node pools upgraded from 1.7.x continue using Docker Engine. Docker Engine support will be removed in Kubernetes 1.24, and you should start converting your node pools to ubuntu_containerd as soon as possible.

  • When installing or upgrading to 1.8.0-gke.21 on a vCenter with a vSphere version older than 6.7 Update 3, you may receive a notification. Note that vSphere versions older than 6.7 Update 3 will no longer be supported in Anthos clusters on VMware in an upcoming version.

  • The create-config Secret is removed in both the admin and the user clusters. If you previously relied on workarounds that modify the secret(s), contact Cloud Support for updates.

  • You can update the CPU and memory configuration for the user cluster control-plane node with gkectl update cluster.

  • You can configure the CPU and memory configurations for the admin control-plane node to non-default settings during admin cluster creation through the newly introduced admin cluster configuration fields.

  • Node auto repairs are throttled at the node pool level. The number of repairs per hour for a node pool is limited to either 3 or 10% of the number of nodes in the node pool, whichever is greater.

  • Starting from Kubernetes 1.20, timeouts on exec probes are honored, and default to one second if unspecified. If you have Pods using exec probes, ensure they can easily complete in one second or explicitly set an appropriate timeout. See Configure Probes for more details.

  • Starting from Kubernetes 1.20, Kubelet no longer creates the target_path for NodePublishVolume in accordance with the CSI spec. If you have self-managed CSI drivers deployed in your cluster, ensure they are idempotent and do any necessary mount creation/verification. See Kubernetes issue #88759 for details.

  • Non-deterministic treatment of objects with invalid ownerReferences was fixed in Kubernetes 1.20. You can run the kubectl-check-ownerreferences tool prior to upgrade to locate existing objects with invalid ownerReferences. The metadata.selfLink field, deprecated since Kubernetes 1.16, is no longer populated in Kubernetes 1.20. See Kubernetes issue #1164 for details.
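The exec probe change above can be audited before an upgrade. The following is an added example, not code from the release notes or from Google: it scans JSON of the shape produced by kubectl get ... -o json and lists exec probes whose effective timeout is the one-second default. The function names and the sample objects are constructed for illustration.

```python
import json

PROBE_FIELDS = ("livenessProbe", "readinessProbe", "startupProbe")
DEFAULT_TIMEOUT_SECONDS = 1  # Kubernetes default when timeoutSeconds is unset


def iter_pod_specs(obj):
    """Yield (owner, podSpec) for Pods and for workloads that embed a Pod template."""
    kind = obj.get("kind", "")
    if kind.endswith("List"):  # "List", "PodList", "DeploymentList", ...
        for item in obj.get("items", []):
            yield from iter_pod_specs(item)
        return
    spec = obj.get("spec") or {}
    if kind == "Pod":
        pod_spec = spec
    elif kind == "CronJob":  # the Pod template sits one level deeper
        job_spec = (spec.get("jobTemplate") or {}).get("spec") or {}
        pod_spec = (job_spec.get("template") or {}).get("spec")
    else:  # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet
        pod_spec = (spec.get("template") or {}).get("spec")
    if pod_spec:
        meta = obj.get("metadata") or {}
        owner = f'{kind}/{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        yield owner, pod_spec


def exec_probes_at_default_timeout(obj):
    """Return (owner, container, probe field, command) for each exec probe
    that must finish within one second once timeouts are honored."""
    findings = []
    for owner, pod_spec in iter_pod_specs(obj):
        for container in pod_spec.get("containers", []):
            for field in PROBE_FIELDS:
                probe = container.get(field)
                if not probe or "exec" not in probe:
                    continue  # httpGet / tcpSocket probes are not affected
                # Manifests from source control omit the field; objects read
                # back from the API server carry the defaulted value 1.
                timeout = probe.get("timeoutSeconds", DEFAULT_TIMEOUT_SECONDS)
                if timeout <= DEFAULT_TIMEOUT_SECONDS:
                    command = " ".join(probe["exec"].get("command", []))
                    findings.append((owner, container.get("name", "?"), field, command))
    return findings


# Constructed sample input (not taken from a real cluster).
SAMPLE = json.loads("""
{
  "kind": "List",
  "items": [
    {"kind": "Deployment",
     "metadata": {"namespace": "shop", "name": "cart"},
     "spec": {"template": {"spec": {"containers": [
       {"name": "app",
        "livenessProbe": {"exec": {"command": ["/bin/check", "--deep"]}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}
     ]}}}},
    {"kind": "Pod",
     "metadata": {"namespace": "shop", "name": "db-0"},
     "spec": {"containers": [
       {"name": "postgres",
        "readinessProbe": {"exec": {"command": ["pg_isready"]},
                           "timeoutSeconds": 5}}
     ]}},
    {"kind": "CronJob",
     "metadata": {"namespace": "ops", "name": "report"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
       {"name": "runner",
        "startupProbe": {"exec": {"command": ["test", "-f", "/tmp/ready"]},
                         "timeoutSeconds": 1}}
     ]}}}}}}
  ]
}
""")

if __name__ == "__main__":
    for owner, container, field, command in exec_probes_at_default_timeout(SAMPLE):
        print(f"{owner} container={container} {field}: {command}")
```

Each reported probe either needs to be confirmed to finish well inside one second or given an explicit, larger timeoutSeconds.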

Breaking changes:

  • The Istio components have been upgraded to handle ingress support. Previously, using HTTPS for ingress required both an Istio Gateway and Kubernetes Ingress. With this release, the full ingress spec is natively supported.

  • The Cloud Run for Anthos user cluster configuration option is no longer supported. Cloud Run for Anthos is now installed as part of registration with a fleet. This allows for configuring and upgrading Cloud Run separately from Anthos clusters on VMware. To upgrade to the newest version of Cloud Run for Anthos, see Installing Cloud Run for Anthos.

Fixes:

  • Previously, the admin cluster upgrade could be affected by the expired front-proxy-client certificate that persists in the data disk for the admin cluster control-plane node. Now the front-proxy-client certificate is renewed during an upgrade.

  • Fixed an issue where logs are sent to the parent project of the service account specified in the stackdriver.serviceAccountKeyPath field of your cluster configuration file while the value of stackdriver.projectID is ignored.

  • Fixed an issue where Calico-node Pods sometimes use an excessive amount of CPU in large-scale clusters.

The stackdriver-metadata-agent-cluster-level-* Pod might have logs that look like this:

reflector.go:131] third_party/golang/kubeclient/tools/cache/reflector.go:99: Failed to list *unstructured.Unstructured: the server could not find the requested resource

You can safely ignore these logs.

BigQuery

BigQuery now supports access management data control language (DCL) statements and corresponding views:

GRANT and REVOKE statements are generally available (GA). OBJECT_PRIVILEGES table is available in Preview.

BigQuery now supports the following casting features:

These features are generally available (GA).

BigQuery now supports the ALTER COLUMN SET OPTIONS data definition language (DDL) statement. This feature is generally available (GA).

Table functions are now available in Preview. These user-defined functions, commonly known as table-valued functions (TVFs), return a table value.

The Google Trends dataset is now available in Preview and available in the Google Cloud Marketplace.

BigQuery Data Transfer Service

Audit logging, Cloud Logging, and Cloud Monitoring for the BigQuery Data Transfer Service are now generally available (GA).

Chronicle

Detection Engine API

The VerifyRule method has been added to the Detection Engine API. This method verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

Cloud Functions

Cloud Functions is now available in the following region:

asia-east1 (Taiwan)

See Cloud Functions Locations for details.

Cloud Monitoring

The Incidents page now provides an option to permanently close incidents if no data for that incident has arrived in the most recent alerting period. For more information, see Closing incidents.

Cloud Monitoring is launching a new Observability tab on Compute Engine's VM instance details page. This tab replaces the Monitoring tab. The enhanced Observability tab provides access to logs and greater visibility into CPU, disk, and network metrics.

Cloud SQL for SQL Server

Integration of SQL Server with Managed Service for Microsoft Active Directory is generally available.

This provides capabilities for authentication, authorization, and more.

Joining an instance to a managed Active Directory domain enables you to log in to your SQL Server instances using Windows Authentication. Additionally, you can integrate with your on-premises AD domains by establishing a trust with the Managed Service for Microsoft Active Directory.

Compute Engine

Generally available: Compute Engine's VM instance details page has a new Observability tab, which replaces the Monitoring tab. The enhanced Observability tab provides access to logs and greater visibility into CPU, disk, and network metrics.

General-purpose N2D VMs are now available in us-west4-b Las Vegas, NV. See VM instance pricing for details.

Dataflow

Dataflow snapshots are now available in GA.

Dialogflow

Dialogflow CX now supports the asia-south1 (Mumbai) region.

Google Kubernetes Engine

In GKE node version 1.21.1-gke.2200 and later, Containerd is available as a runtime for Windows Server LTSC and SAC node images. Containerd is the recommended container runtime for GKE. For more information, see Node images.

Network Connectivity Center

It's no longer possible to add or remove router appliance instances to or from an existing spoke. Instead, you must delete and re-create the spoke to include the router appliance instances that you want the spoke to contain. This issue is being worked on.

Speech-to-Text

Speech-to-Text now supports multi-region endpoints as a GA feature. See the multi-region endpoints documentation for more information.

June 25, 2021

Anthos Service Mesh

There is a known issue in 1.10.2-asm.2 where control plane metric reporting to Cloud Monitoring is not functioning properly and reports excessive error logs in the Istiod container.

BigQuery

BigQuery table snapshots are now in Preview. A table snapshot is a low-cost, read-only copy of a table's data as it was at a particular time. For more information, see Introduction to table snapshots.

Cloud Logging

Log entries viewed in JSON format in the Cloud Console are now displayed with the field names in alphabetical order.

Cloud Run

Cloud Run is now available in the following region:

  • australia-southeast2 (Melbourne)

Cloud Tasks

A Service Level Agreement (SLA) for Cloud Tasks is now in effect.

Dataproc Metastore

Dataproc Metastore performs a Hive metadata schema validation when importing metadata into a service.

  • For SQL dump, it verifies the tables in the SQL dump file.
  • For Avro import, it verifies the Avro file names.
  • Both approaches ensure that all tables exist in the import source.

If the verification fails, the operation fails with INVALID_ARGUMENT code and an error message describing which table is missing.

The metadata import history is limited to 25. The oldest import is automatically deleted when the 26th import is created.

Dialogflow

New System functions are now available in Dialogflow CX.

Filestore

You can now secure your Filestore instances using a VPC service perimeter. For details, see Securing instances with a service perimeter.

Google Kubernetes Engine

GKE clusters on some 1.18.18+ and 1.19.10+ versions might fail to create or apply CustomResourceDefinitions containing integer validation rules using server-side apply. The following error occurs: failed to convert new object to proper version: unable to convert unstructured object to apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: cannot convert int64 to float64.

The following versions are affected:

  • 1.19.11-gke.1700
  • 1.19.10-gke.1700
  • 1.19.10-gke.1600
  • 1.19.10-gke.1000
  • 1.18.19-gke.1700
  • 1.18.18-gke.1700
  • 1.18.18-gke.1100

To resolve this issue, upgrade to a newer version or downgrade to one of the following versions:

  • 1.19.9-gke.1900
  • 1.18.17-gke.1901

(2021-R21) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.18.18-gke.1700 is now available in the Stable channel.
  • Version 1.18.17-gke.1900 is no longer available in the Stable channel.
  • Version 1.18.18-gke.1100 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.17 to version 1.18.17-gke.1901 with this release.

Regular channel

  • Version 1.19.9-gke.1900 is now the default version in the Regular channel.
  • Version 1.19.9-gke.1900 is now available in the Regular channel.
  • Version 1.19.10-gke.1600 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to 1.19.10-gke.1700 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.19.10-gke.1700 with this release.

Rapid channel

  • Version 1.20.7-gke.2200 is now available in the Rapid channel.
  • Version 1.21.1-gke.2200 is now available in the Rapid channel.
  • Version 1.21.1-gke.1800 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to 1.20.7-gke.1800 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.7-gke.1800 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.1-gke.2200 with this release.

Vertex AI

You can now use NVIDIA A100 GPUs and several accelerator-optimized (A2) machine types for training. You must use A100 GPUs and A2 machine types together. Learn about their pricing.

Workflows

Syntax for updating list values and map values is now supported.

June 24, 2021

Anthos Config Management

Config Connector can no longer be installed via Anthos Config Management. Upgrading to Anthos Config Management v1.8.0 will not affect an existing Config Connector installation, but that installation can no longer be managed with Anthos Config Management. To install or upgrade Config Connector alongside Anthos Config Management v1.8.0 or later, see Advanced installation options > Upgrading from non-operator installations in the Config Connector documentation. The version of Config Connector supported in earlier versions of Anthos Config Management will stop working on Kubernetes versions greater than or equal to 1.19.

The Config Sync admission webhook serving port is switched from 8676 to 10250. If you use Config Sync in multi-repo mode in private GKE clusters, you no longer need to add a firewall rule to open port 8676.

The Hierarchy Controller admission webhook serving port has switched from 9443 to 10250. If you use Hierarchy Controller in private GKE clusters you no longer need to add a firewall rule to open port 9443.

The Anthos Policy Controller admission webhook serving port is switched from 8443 to 10250. If you use Policy Controller in private GKE clusters you no longer need to add a firewall rule to open port 8443.

All Anthos Config Management components have been updated to remove use of v1beta1 APIs scheduled to be removed in Kubernetes 1.22. See the Kubernetes Deprecated API Migration Guide for more details.

Anthos Policy Controller now supports the ability for users to mutate resources as a preview feature. For more information see Mutating resources.

Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: f6c2fe8).

Editing rights to Hierarchical Resource Quotas are now aggregated into the cluster-wide 'edit' and 'admin' Cluster Roles.

Anthos Service Mesh

1.10.2-asm.2 is now available.

This patch release contains the same bug fixes that are in Istio 1.10.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Anthos clusters on-premises support Mesh CA.

New installations of Anthos Service Mesh 1.10x on Anthos clusters on VMware and bare metal support the Anthos Service Mesh certificate authority (Mesh CA). For details on the installation, see Installing Anthos Service Mesh on-premises.

When you install Anthos Service Mesh on-premises with Mesh CA, this enables Cloud Monitoring and Cloud Logging by default. Additionally, you can use Cloud Trace (which you enable separately) as needed for troubleshooting.

Google-managed control plane release channels are available.

Anthos Service Mesh releases updates often, to deliver security updates, fix known issues, and introduce new features. Release channels offer you the ability to balance between stability and the feature set of the Anthos Service Mesh version. Google automatically manages the version and upgrade cadence for each release channel. To learn more, see the following:

Migrating to Mesh CA from Istio CA with little or no downtime.

Migrating to Anthos Service Mesh certificate authority (Mesh CA) from Istio CA (also known as Citadel) requires migrating the root of trust. Prior to Anthos Service Mesh 1.10, if you wanted to migrate from Istio on to Anthos Service Mesh with Mesh CA, you needed to schedule downtime because Anthos Service Mesh was not able to load multiple root certificates, which interrupted mutual TLS (mTLS) traffic during the migration.

With Anthos Service Mesh 1.10 and higher, you can install a new in-cluster control plane with an option that distributes the Mesh CA root of trust to all proxies. After switching to the new control plane and restarting workloads, all proxies are configured with both the Istio CA and Mesh CA root of trust. Next, you install a new in-cluster control plane that has Mesh CA enabled. As you switch workloads over to the new control plane, mTLS traffic isn't interrupted. For details, see Migrating to Mesh CA.

The Istio project recently announced a security vulnerability (CVE-2021-34824) where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

For more information, see the GCP-2021-012 security bulletin.

1.8.6-asm.4 and 1.9.6-asm.1 are now available. This release updates the Envoy versions for the following Anthos Service Mesh versions:

  • 1.8.6-asm.2 uses Envoy v1.16.3.
  • 1.9.6-asm.1 uses Envoy v1.17.2.

These patch releases contain a fix for CVE-2021-34824. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Managed Service For Microsoft Active Directory
    • managedservices.googapis.com/Domain

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Secret Manager (Newly added real-time feed support)
    • secretmanager.googleapis.com/Secret
    • secretmanager.googleapis.com/SecretVersion

Cloud SQL for SQL Server

Cloud SQL for SQL Server now supports SQL Server 2019. The default version continues to be SQL Server 2017 Standard. See Database versions and version policies.

Compute Engine

Preview: Use patch alerting to monitor the patch jobs running in your environment. For more information, see Monitoring patch jobs.

Config Connector

Config Connector 1.54.0 is now available

Added support for the following resources:

  • MonitoringDashboard
  • GKEHubFeature
  • IAMPartialPolicy
  • NetworkSecurityAuthorizationPolicy
  • BinaryAuthorizationAttestor

Added support for ingress and egress policies in AccessContextManagerServicePerimeter

Added new fields:

  • ComputeAddress: networkRef
  • ComputeDisk: provisionedIops
  • ComputeInstance: reservationAffinity
  • ComputeInstanceTemplate: reservationAffinity
  • ComputeInterconnectedAttachment: encryption and ipsecInternalAddresses
  • ComputeResourcePolicy: description and instanceSchedulePolicy
  • ComputeRouterInterface: encryptedInterconnectRouter
  • SQLInstance: diskAutoresizeLimit
  • StorageTransferJob: transferSpec.azureBlobStorageDataSource

The following fields are no longer immutable:

  • CloudIdentityGroup: initialGroupConfig
  • DataflowFlexTemplateJob: containerSpecGcsPath and parameters

SQLInstance: databaseVersion field now additionally accepts POSTGRES_10, POSTGRES_12, and POSTGRES_13.

ComputeVPNGateway: vpnInterfaces field moved from status to spec and now includes interconnectAttachmentRef field.

ComputeAddress: purpose field now additionally accepts IPSEC_INTERCONNECT.

Config Controller

Config Controller is available for Public Preview. Config Controller is a managed service to provision and orchestrate Anthos and Google Cloud resources. Config Controller allows you to define and operate with simple, declarative configuration in Kubernetes style. For information on Config Controller, please see Config Controller Overview.

Versions of included products

Config Controller can be used to deploy a landing zone blueprint.

Google Kubernetes Engine

Internal load balancer subsetting for GKE is now generally available in GKE versions 1.18.19-gke.1400 and later.

TensorFlow Enterprise

  • TensorFlow Enterprise 2.3 has been updated to 2.3.3 from 2.3.2
  • TensorFlow Enterprise 2.1 has been updated to 2.1.4 from 2.1.3

June 23, 2021

Cloud Bigtable

Console Table Management for Cloud Bigtable is now generally available. You can now use the Google Cloud Console to create, edit, and delete Cloud Bigtable tables, column families, and garbage collection policies.

Cloud Data Fusion

Preview: You can now replicate data continuously and in real time from operational data stores in Oracle into BigQuery using the Oracle (by Datastream) plugin. The plugin is available in Cloud Data Fusion version 6.4.0 or later.

Cloud Router

Cloud SQL for MySQL

Cloud SQL storage limits are now increased to support up to 64 TB. See Cloud SQL storage limits for more information.

The following MySQL minor versions have been upgraded:

  • MySQL 5.6.50 is upgraded to 5.6.51
  • MySQL 5.7.32 is upgraded to 5.7.33

Cloud SQL for PostgreSQL

Cloud SQL storage limits are now increased to support up to 64 TB. See Cloud SQL storage limits for more information.

Cloud SQL for SQL Server

Cloud SQL storage limits are now increased to support up to 64 TB. See Cloud SQL storage limits for more information.

Compute Engine

Best practices are now available for the Compute Engine API.

Memorystore for Memcached

Added new Memorystore for Memcached region: Melbourne (australia-southeast2).

Virtual Private Cloud

If you are using Private Service Connect endpoints to access services in another VPC network, and you delete multiple endpoints in a short period of time, one or more of the deletions might fail. To avoid this issue, wait 20 seconds between deletions.

If you are using Private Service Connect endpoints to access services in another VPC network, and you create more endpoints than are allowed by the limit set by the service producer, any endpoints created after the limit is reached have a status of Pending, as expected. However, if you remove endpoints to get below the limit, the status of those endpoints does not change to Accepted.

June 22, 2021

BigQuery Data Transfer Service

BigQuery ML

BigQuery ML is releasing the following features for preview:

  • The ML.DETECT_ANOMALIES function is now available. This function provides anomaly detection for BigQuery ML. The function runs against time-series data using ARIMA_PLUS models. The function runs against independent and identically distributed (IID) random variables data using AUTOENCODER and KMEANS models.
  • The AUTOENCODER model type is now available for CREATE MODEL statements. This is a TensorFlow-based, deep-learning model that supports sparse data representations, and is commonly used in ML tasks such as feature embedding, unsupervised anomaly detection, and non-linear dimensionality reduction. The ML.PREDICT function can use previously built AUTOENCODER models to reduce the dimensionality of query results.
  • Hyperparameter tuning is now available and can be used to improve model performance by searching for the optimal hyperparameters when training ML models using CREATE MODEL statements. View the BigQuery ML Hypertuning tutorial to learn how to improve model performance by 40%.

Cloud CDN

External HTTP(S) Load Balancing and Cloud CDN now support HTTP/3. HTTP/3 is based on the IETF QUIC transport protocol. Compared to HTTP/2, it reduces request latency, improves throughput, and mitigates head-of-line blocking. HTTP/3 is already supported on most major web browsers.

To learn how to enable HTTP/3 on your external HTTP(S) load balancer, visit the documentation.

Cloud Load Balancing

External HTTP(S) Load Balancing and Cloud CDN now support HTTP/3. HTTP/3 is based on the IETF QUIC transport protocol. Compared to HTTP/2, it reduces request latency, improves throughput, and mitigates head-of-line blocking. HTTP/3 is already supported on most major web browsers.

To learn how to enable HTTP/3 on your external HTTP(S) load balancer, visit the documentation.

Symmetric hashing for internal TCP/UDP load balancers as next hops—When load balancing to multiple NICs on the backends, you no longer need to use source network address translation (SNAT). SNAT isn't required because Google Cloud uses symmetric hashing. This means that when packets belong to the same flow, Google Cloud calculates the same hash. In other words, the hash doesn't change when the source IP address:port is swapped with the destination IP address:port.

This feature is in General Availability.

Cloud Run

Cloud Run support for WebSockets, HTTP/2, and gRPC streaming is now at general availability (GA).

Cloud TPU

The Cloud TPU team has released support for TensorFlow 2.4.2. The corresponding TensorFlow release notes are:

TensorFlow-2.4.2 Release notes

Dataflow

Dataflow is now able to use workers, Dataflow Shuffle, Streaming Engine, FlexRS, and regional endpoints in zones in Melbourne (australia-southeast2).

Deep Learning Containers

M73 Release

  • Upgraded TensorFlow Enterprise 2.1.3 to 2.1.4.
  • Upgraded TensorFlow Enterprise 2.3.2 to 2.3.3.
  • Miscellaneous bug fixes and updates.

Deep Learning VM Images

M73 Release

  • Upgraded TensorFlow Enterprise 2.1.3 to 2.1.4.
  • Upgraded TensorFlow Enterprise 2.3.2 to 2.3.3.
  • Disabled automatic updates for Ubuntu to be in line with the behavior in Debian images.
  • Miscellaneous bug fixes and updates.

VPC Service Controls

General availability for the following integration:

June 21, 2021

Access Approval

Cloud Data Loss Prevention is supported by Access Approval in Preview stage.

Cloud External Key Manager is supported by Access Approval in Preview stage.

Cloud HSM is supported by Access Approval in Preview stage.

Anthos clusters on bare metal

Release 1.8.0

Anthos clusters on bare metal release 1.8.0 is now available. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.0 runs on Kubernetes 1.20.

Extended installation support:

  • Provided support to use containerd as the container runtime as GA for Anthos clusters on bare metal release 1.8.0. Cluster upgrades to 1.8.0 are blocked for 1.7.x clusters that are configured to use the preview containerd capability. For more information, see Upgrading 1.7.x clusters that use containerd in Known Issues.
  • Preview: Improved virtual machine (VM) management capability. Anthos VM Runtime uses KubeVirt to orchestrate VMs on clusters, allowing you to work with your VM-based apps and workloads in a uniform development environment. Anthos VM Runtime has worked with Anthos clusters on bare metal as a preview feature since November 2020 and we have continued to enhance its capability. For more information, see Working with VM-based workloads.
  • Added edge profile support for standalone clusters. The edge profile is recommended for edge devices with limited resources. Add profile: edge to the cluster config file when you create a standalone cluster to produce a cluster that has significantly reduced system resource requirements. The edge profile is only available for standalone clusters; it is ignored for other cluster types. For more information, see Creating standalone clusters.
  • Added support to specify provider ID for Nodes (controlPlane.nodePoolSpec.nodes.providerID) to support deploying on OpenStack using Load Balancing as a Service (LBaaS) resources. For more information, see Configure your clusters to use OpenStack.
  • Preview: Added support for installing Anthos clusters on bare metal, using your own registry service, instead of gcr.io. For instructions and additional information, see Installing Anthos Bare Metal using registry mirror.

Improved upgrade:

  • Enabled support for upgrading non-SELinux clusters to SELinux. For more information, see Enable SELinux in Upgrading Anthos clusters on bare metal.
  • Cluster upgrades are not blocked by excessive Node draining durations. During a cluster upgrade, if the draining process takes longer than 20 minutes for any specific Node, the upgrade process will carry on without waiting for draining to complete.

Updated user cluster lifecycle management:

  • Added bmctl improvements for resetting user cluster and adding additional preflight checks to confirm machine and network readiness for cluster creation:

Enhanced monitoring and logging:

  • Preview: Added Cloud Audit Logging capability, which enables audit logs to be written to Cloud Audit Logs in your Google project. Audit logs are useful for investigating suspicious API requests and for collecting statistics. For more information, see Enable Audit Logging.

Introduced new networking capabilities in preview:

  • Preview: Added multi-NIC capability to provide additional interfaces to your Pods.
  • Preview: Added egress NAT gateway capability to provide persistent, deterministic routing for the egress traffic from your clusters. For more information, see Configure an egress NAT gateway for external communication.
  • Preview: Added option for BGP bundled load balancer for Layer-3 (L3) topologies. This feature can be used with user clusters and admin clusters.

Enhanced security:

  • Workload Identity is GA. The Connect Agent Service Account Key is no longer required during installation. Connect Agent uses Workload Identity to authenticate to GCP instead of an exported GCP Service Account Key.

Expanded support for newer versions of operating systems:

  • Added support for installing Anthos clusters on bare metal on Red Hat Enterprise Linux (RHEL) 8.4 and CentOS 8.4.

Functionality changes:

  • Added --workspace-dir flag to bmctl to allow changing the path and name of the workspace directory from the default bmctl-workspace. The workspace directory contains the configuration and log files generated by bmctl. When using the bmctl command, pass in a --workspace-dir flag to specify a non-default workspace directory location. If the directory does not exist, bmctl will create it for you.
  • Moved away from iptables-based NodePort and masquerade handling to eBPF-based management. NodePort and masquerade handling are now applied to the Node IP and default gateway interfaces only.

Fixes:

  • Resolved, as part of the GA support for using containerd as the container runtime, incorrect cgroup driver use. Newly created 1.8.0 clusters that are configured to use containerd will use the correct systemd cgroup driver.
  • Fixed issue that prevented usage metrics for the containerd process from being collected by Cloud Logging. This fix applies to newly created 1.8.0 clusters only.

Known issues:

  • If a Node is out of reach, Anthos clusters on bare metal can't start the draining process, which may impact the cluster upgrade process. For more information, see Node draining can't start when Node is out of reach.
  • Upgrading from 1.7.x clusters that use containerd as the container runtime to 1.8.0 is blocked. For more information, see Upgrading 1.7.x clusters that use containerd.
  • When running Anthos clusters on bare metal with firewalld enabled on either CentOS or Red Hat Enterprise Linux (RHEL), changes to firewalld can remove the Cilium iptables chains on the host network. The loss of the Cilium iptables chains causes the Pod on the Node to lose network connectivity outside of the Node. For more information, see Modifying firewalld will erase Cilium iptable chains.

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

BigQuery

Row-level security on table data is now generally available in BigQuery.

BigQuery is now available in the Melbourne (australia-southeast2) region.

BigQuery BI Engine

BigQuery BI Engine is now available in the Melbourne (australia-southeast2) region.

BigQuery Data Transfer Service

BigQuery Data Transfer Service is now available in the Melbourne (australia-southeast2) region.

BigQuery ML

BigQuery ML is now available in the Melbourne (australia-southeast2) region.

Channel Services

Added a new feature for the ImportCustomer API to specify which customer will receive imported Cloud Identity information.

Chronicle

Uppercase Alerts

For Chronicle customers who are also Uppercase customers, Uppercase alerts are now displayed on the Enterprise Insights page. Uppercase alerts are derived from both Google's internal threat detection infrastructure and research provided by Uppercase security analysts.

You can view these alerts in Uppercase Alert view. This view also enables you to provide feedback that can be shared with your own security team and with Uppercase.

You can also use the Uppercase API to retrieve alerts from your Chronicle account.

Cloud Bigtable

Cloud Bigtable is now available in the australia-southeast2 (Melbourne) region.

Cloud Key Management Service

Several fields related to verifying end-to-end data integrity for cryptographic operations are generally available (GA).

Cloud SQL for MySQL

Support for australia-southeast2 (Melbourne) region.

Cloud SQL for PostgreSQL

Support for australia-southeast2 (Melbourne) region.

Cloud SQL for SQL Server

A preview enables you to use replication in Cloud SQL for SQL Server. Additionally, the preview enables you to make cross-region replicas.

You can use replication to scale the use of data in a database without degrading performance. Other reasons include migrating or maintaining data duplicates between regions.

For more information, see Replication in Cloud SQL.

Support for australia-southeast2 (Melbourne) region.

Cloud Spanner

Cloud Spanner regional instances can now be created in Melbourne (australia-southeast2).

Cloud Storage

Melbourne region (australia-southeast2) launched.

Cloud VPN

Cloud VPN is now available in region australia-southeast2 (Melbourne, Australia).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

Melbourne, Australia australia-southeast2-a,b,c has launched with E2, N2, N1, and M1 machines. M1 machines are only available in zones b and c.

See VM instance pricing for details.

Config Connector

Config Connector 1.53.0 is now available.

Added support for NetworkSecurityClientTLSPolicy.

Added support for NetworkSecurityServerTLSPolicy.

Added support for strong hierarchical references to several resources:

  • Add spec.projectRef to DataprocAutoScalingPolicy
  • Add spec.projectRef to DataprocCluster
  • Add spec.projectRef to DataprocWorkflowTemplate
  • Add spec.projectRef to MonitoringGroup

Changed cnrm-system containers to use HTTP probes for readiness instead of command probes.

Dataproc

Dataproc is now available in the australia-southeast2 region (Melbourne).

Google Kubernetes Engine

The australia-southeast2 region in Melbourne is now available.

Memorystore for Redis

Added new Memorystore for Redis region: Melbourne (australia-southeast2).

Secret Manager

Secret Manager is now available in australia-southeast2 (Melbourne). See Secret Manager locations for more information.

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.192.0.0/20 for the Melbourne australia-southeast2 region. For more information, see Auto mode IP ranges.

June 18, 2021

Compute Engine

Generally available: You can now create application consistent snapshots of disks attached to Linux VMs. For more information, see Creating Linux application consistent snapshots.

Dataproc

Dataproc Component Gateway URLs for any two new clusters that have the same project ID, region, and name will be identical unless Dataproc Personal Cluster Authentication is enabled.

Notebooks

Support for Compute Reservations. Notebooks API allows the use of Compute Reservations during instance creation.

Storage Transfer Service

Storage Transfer Service offers Preview support for transferring data from Azure ADLS Gen 2 to Cloud Storage.

June 17, 2021

Anthos clusters on VMware

When you upgrade an unregistered Anthos cluster on VMware from a version earlier than 1.7.0 to a version 1.7.0 or later, you need to manually install and configure the Anthos Config Management operator. If you had previously installed Anthos Config Management, you need to re-install it. For details on how to do this, see Installing Anthos Config Management.

If you are using a private registry for software images, upgrading an Anthos cluster on VMware will always require special steps, described in Updating Anthos Config Management using a private registry. Upgrading from a version earlier than 1.7.0 to a version 1.7.0 or later additionally requires that you manually install and configure the Anthos Config Management operator as described in Installing Anthos Config Management.

Cloud Composer

Cloud Composer is now available in Warsaw (europe-central2).

New versions of Cloud Composer images:

  • composer-1.17.0-preview.3-airflow-2.0.1
  • composer-1.16.7-airflow-1.10.15
  • composer-1.16.7-airflow-1.10.14 (default)
  • composer-1.16.7-airflow-1.10.12

GCSfuse version was updated to 0.35.1 (latest release). Cloud Composer uses GCSfuse to sync files between the environment buckets and worker pods. The change improves the stability of the syncing process.

(Airflow 2) Preinstalled packages changed. Removed: google_cloud_build==2.0.0, mock==2.0.0, pbr==5.5.1. Downgraded overrides from 3.1.0 to 2.8.0.

For DAG runs with long-running tasks, task level logs are now periodically updated in the Airflow UI. Before this change, logs were only available in Airflow UI after the task was completed.

It is now possible to create environments with CMEK encryption in projects with enabled domain restricted sharing. Before the fix, an error related to insufficient Cloud Pub/Sub permissions was generated.

(Airflow 2) In the Airflow UI, you can now create connection types from the installed custom Airflow provider packages. Before, these connection types were not available.

Fixed a problem where the Airflow worker health was calculated incorrectly because of leftover queued tasks without DAGs being present in the Airflow database. This led to problems with task execution because Airflow workers were constantly restarted in healthy environments.

Fixed the cause of Liveness probe errored events that appeared in the scheduler and worker pod logs.

Cloud SQL for PostgreSQL

Query Insights is now supported for read replicas.

Cloud TPU

Cloud TPU team just released TF-2.1.4, TF-2.2.3 and TF-2.3.3 on Cloud TPUs. The TensorFlow release notes for these releases are shown below.

Compute Engine

You can now customize E2 shared-core machine types. Shared-core machine types provide a fractional vCPU with the ability to burst to 2 vCPU for a short period of time.

  • E2 shared-core machine types support predefined platforms with Intel or AMD EPYC Rome processors.

  • The custom memory range is:

    • 1 to 2 GB for micro machines
    • 1 to 4 GB for small machines
    • 1 to 8 GB for medium machines

E2 shared-core custom machine pricing is the same as E2 custom machine pricing. E2 machines are available in all regions and zones.

Create a custom E2 shared-core machine using gcloud or the API.

Memory-optimized M2 machine types are now available in Belgium, europe-west1-b,c. See VM instance pricing for details.

Deep Learning Containers

M72 Release

  • Added PyTorch 1.9 and PyTorch/XLA 1.9 containers.

Deep Learning VM Images

M72 Release

  • Added PyTorch 1.9 and PyTorch/XLA 1.9 images.

Google Cloud VMware Engine

Added autoscale policies that can automatically expand or shrink a cluster in your private cloud based on factors like CPU utilization or storage capacity thresholds. All clusters begin with a default autoscale policy that adds a node based on a storage capacity threshold.

For details about this feature, see Autoscale policies.

Preview: vSAN data encryption for data at rest now uses keys generated by Cloud Key Management Service for all new private clouds.

For details about this feature, see Configuring vSAN encryption for your private cloud.

Removed vCenter privilege Host > Configuration > Storage partition configuration for role Cloud-Owner-Global-Role. This prevents the mounting of iSCSI or NFS storage as a datastore on your private cloud vSphere cluster. If you have any iSCSI or NFS datastore mounted on your private cloud cluster, contact Cloud Customer Care.

Enabled TRIM/UNMAP support on vSAN at the time of private cloud creation for more efficient vSAN storage by default. To enable this feature on existing workload VMs, you must reboot the VMs.

Added the following vCenter privileges to the Cloud-Owner-Global-Role role:

  • Guest operation alias modification
  • Guest operation alias query
  • Guest operation modifications
  • Guest operation program execution
  • Guest operation queries

Added vSphere content library management privileges to the Cloud-Global-VM-admin-group group. With this change, a VM admin can add, delete, and read content library items.

The Quotas page in the Cloud Console no longer shows VMware Engine node usage as 0 when you have an active private cloud.

Network Intelligence Center

The Connectivity Tests dynamic verification feature is now generally available. This feature uses active probing to verify connectivity between VMs. For more information, see How Connectivity Tests analyzes the live data plane.

Text-to-Speech

Text-to-Speech now offers voices in the following new languages. See the supported voices page for a complete list of voices and audio samples.

  • ms-MY (Malay, Malaysia)
  • nl-BE (Dutch, Belgium)

June 16, 2021

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

  • Google Kubernetes Engine
    • apps.k8s.io/Deployment
    • apps.k8s.io/ReplicaSet
    • batch.k8s.io/Job
  • Hub
    • gkehub.googleapis.com/Membership
  • API Gateway
    • apigateway.googleapis.com/Api
    • apigateway.googleapis.com/ApiConfig
    • apigateway.googleapis.com/Gateway
  • Document AI
    • documentai.googleapis.com/HumanReviewConfig
    • documentai.googleapis.com/LabelerPool
    • documentai.googleapis.com/Processor
  • Vertex AI
    • aiplatform.googleapis.com/BatchPredictionJob
    • aiplatform.googleapis.com/CustomJob
    • aiplatform.googleapis.com/DataLabelingJob
    • aiplatform.googleapis.com/Dataset
    • aiplatform.googleapis.com/Endpoint
    • aiplatform.googleapis.com/HyperparameterTuningJob
    • aiplatform.googleapis.com/Model
    • aiplatform.googleapis.com/SpecialistPool
    • aiplatform.googleapis.com/TrainingPipeline

Cloud Data Fusion

The SAP accelerator for the order to cash process is now available. It provides sample pipelines that you can use to build your end-to-end order to cash process and analytics with Cloud Data Fusion, BigQuery, and Looker. The accelerator is a sample implementation of the SAP Table Batch Source plugin, which enables bulk data integration from SAP applications with Cloud Data Fusion. The accelerator is available in Cloud Data Fusion environments running in version 6.3.0 and above.

Cloud Run for Anthos

Cloud Run for Anthos on Google Cloud version 0.22.0-gke.6 is now available for the following GKE minor versions:

  • 1.19
  • 1.20
  • 1.21

Cloud Run for Anthos on Google Cloud version 0.23.0-gke.6 is now available for the following GKE minor versions:

  • 1.19
  • 1.20
  • 1.21

Cloud Scheduler

Cloud Scheduler is now available in us-west1, asia-east1, and asia-southeast1.

Cloud Tasks

Cloud Tasks is now available in us-west1, asia-east1, and asia-southeast1.

Google Kubernetes Engine

(2021-R20) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.19.10-gke.1600 is now the default version.
  • The following versions are now available:
  • The following versions are no longer available:
    • 1.18.17-gke.1200
    • 1.18.17-gke.1201
    • 1.19.9-gke.1400
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.18.17-gke.1901 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.19.9-gke.1900 with this release.

Stable channel

  • Version 1.18.17-gke.1901 is now the default version in the Stable channel.
  • Version 1.18.18-gke.1100 is now available in the Stable channel.
  • Version 1.18.17-gke.1200 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.17-gke.1901 with this release.

Regular channel

  • Version 1.19.10-gke.1600 is now the default version in the Regular channel.
  • Version 1.19.10-gke.1700 is now available in the Regular channel.
  • Version 1.19.9-gke.1900 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to 1.19.10-gke.1600 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.19.10-gke.1600 with this release.

Rapid channel

  • Version 1.20.7-gke.1800 is now available in the Rapid channel.
  • Version 1.21.1-gke.1800 is now available in the Rapid channel.
  • Version 1.21.1-gke.400 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.1-gke.1800 with this release.

Virtual Private Cloud

Private Service Connect endpoints in consumer networks now won't become unresponsive if they are connected to a service attachment that references a load balancer without backend VMs.

June 15, 2021

Anthos Service Mesh

Google-managed control plane is now a generally available (GA) feature. This feature lets you move from managing Istiod in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.

In addition, it offers these new features:

Using the Google-managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information, see Configuring the Google-managed control plane.

Cloud Logging

You can now view Monitoring data and link to the resources in the Cloud Console for certain logs, such as Google Kubernetes Engine logs, in the Logs Explorer. For more information, see Viewing Monitoring data.

Cloud Monitoring

You can now view Monitoring data for certain logs, such as Google Kubernetes Engine logs, in the Logs Explorer. For more information, see Viewing Monitoring data.

Cloud Spanner

The SQL mathematical functions EXP, LN, LOG, LOG10 and SQRT now directly support NUMERIC data as input. You no longer need to cast NUMERIC data to FLOAT64 data before passing it as input to these functions.

Cloud VPN

Cloud VPN no longer checks a peer's IKE identity.

This change simplifies the configuration of your VPN peers, because you no longer need to explicitly set a peer's IKE identity to a specific value.

Note: Some Cloud VPN tunnels that were previously unestablished due to unmatched IKE identity might now become established.

  • If you don't want the affected tunnels to become established, please delete them as needed on the Cloud VPN side, on the on-premises side, or on both sides.

  • If you want the affected tunnels to become established, no action is required on your part.

Previously, Cloud VPN required peers to use an IKE identity of type ID_IPV4_ADDR, which is equal to the peer's public IP address. Removing this restriction enables easier interoperation with peers that don't support changing their IKE identity, especially when such peers are located behind NAT (Network Address Translation).

If you have any questions or require assistance, please contact Google Cloud Support.

Dialogflow

Final reminder: The Dialogflow V1 API shutdown will be finalized during the week of June 21, 2021 July 12, 2021. All bots (except Actions on Google) using Dialogflow V1 API requests will stop responding. Consider migrating to Dialogflow ES or Dialogflow CX.

Google Kubernetes Engine

The issue affecting the Datadog Agent on Autopilot has been resolved in Datadog version 2.13.1.

Kf

Kf Operator to manage Kf installation.

Added Operator diagnostics to kf doctor.

Allow target command to take arg instead of flag.

Config Connector can manage the Kf Google Service Account (GSA).

Removed internal routing dependency on internal-gateway.

Inline environment variable printing in kf env.

Config Connector is now required.

Updated Tekton to 0.23.0.

Only check for timeout error for deprovisioning service instances.

Make targeting a non-existent Space an error.

Fixes manifest parsing bug.

Virtual Private Cloud

Bring your own IP (BYOIP) is now available in General Availability.

June 14, 2021

App Engine flexible environment .NET

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine flexible environment Go

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine flexible environment Java

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine flexible environment Node.js

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine flexible environment PHP

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine flexible environment Python

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine flexible environment Ruby

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine flexible environment custom runtimes

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine standard environment Go

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine standard environment Java

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine standard environment Node.js

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine standard environment PHP

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine standard environment Python

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

App Engine standard environment Ruby

App Engine is now available in the us-west1 (Oregon), asia-southeast1 (Singapore), and asia-east1 (Taiwan) regions.

Cloud Functions

Cloud Functions is now available in the following region:

  • asia-southeast1 (Singapore)

See Cloud Functions Locations for details.

Dataflow

In addition to scalar functions, Dataflow SQL now supports aggregate user-defined functions (UDFs) for Java. For more information, see Dataflow SQL user-defined functions. This feature is in Preview.

Datastore

Support for the following additional locations:

  • asia-southeast1 Singapore
  • us-west1 Oregon
  • asia-east1 Taiwan

See the full list of locations.

Firestore

Support for the following additional locations:

  • asia-southeast1 Singapore
  • us-west1 Oregon
  • asia-east1 Taiwan

See the full list of locations.

Network Intelligence Center

Google Cloud performance view is generally available in Performance Dashboard.

Virtual Private Cloud

Enabling or disabling PROXY protocol after a Private Service Connect service attachment is created does not change the configuration. However, the status shown in the service attachment details incorrectly shows that the status has changed. To enable or disable PROXY protocol, delete the service attachment and recreate it with the correct PROXY protocol configuration.

June 11, 2021

Cloud Spanner

You can now find common queries for monitoring and troubleshooting on the Query page in the Cloud Console. This page now has query templates to help you to access these introspection system tables: Query Stats, Read Stats, Transaction Stats, Lock Stats, and Oldest active queries.

Config Connector

Config Connector 1.52.0 is now available.

Added support for ComputeURLMap, DataFusionInstance, LoggingLogExclusion.

IAMServiceAccount: added support for resourceID.

spec.preservedUnknownFields is set to false for all CRDs, ensuring consistent behavior as the flag is set from true to false across Kubernetes versions.

Google Kubernetes Engine

GKE Multi-cluster Services support for pod-specific addressing is now generally available.

Network Connectivity Center

If you use a Router appliance spoke to connect more than 1,000 VMs, you might be unable to establish BGP sessions between the router appliance instance and Cloud Router. The 1,000-VM limit includes any VMs that are accessible through VPC Network Peering.

Vertex AI

June 10, 2021

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets, ListAssets, BatchGetAssetsHistory) and the Feed API:

  • Serverless VPC Access
    • vpcaccess.googleapis.com/Connector
  • Certificate Authority Service
    • privateca.googleapis.com/CaPool
    • privateca.googleapis.com/CertificateAuthority
    • privateca.googleapis.com/CertificateRevocationList
    • privateca.googleapis.com/CertificateTemplate

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Cloud KMS
    • cloudkms.googleapis.com/KeyRing
    • cloudkms.googleapis.com/CryptoKey
    • cloudkms.googleapis.com/CryptoKeyVersion
    • cloudkms.googleapis.com/ImportJob
  • Service Usage
    • serviceusage.googleapis.com/Service
  • Cloud Data Fusion
    • datafusion.googleapis.com/Instance

Compute Engine

NVIDIA® T4 GPUs are now available in the following additional regions and zones:

  • St. Ghislain, Belgium: europe-west1-b,c,d

For more information about using GPUs on Compute Engine, see GPUs on Compute Engine.

Google Kubernetes Engine

Volume snapshots are now generally available. In GKE version 1.21 and later, you can use v1 snapshots; v1beta1 snapshots will continue to operate as expected until further notice.

Committed use discounts are now generally available to purchase for Google Kubernetes Engine (Autopilot Mode).

Google Kubernetes Engine (Autopilot Mode) committed use discounts apply to all Autopilot Pod workload vCPU, memory, and ephemeral storage usage in the region in which you have committed. Google Kubernetes Engine (Autopilot Mode) committed use discounts do not apply to the cluster management fee or to GKE Standard mode compute nodes.

See the documentation for more details.

For GKE clusters running Windows Server node pools, you can see the version mapping between GKE versions and Windows Server versions for all available GKE versions by using a gcloud command. This feature is now available in preview.

For more details, see Use gcloud tool to get version mapping.

Identity and Access Management

The documentation for IAM role recommendations now has more detail about how insights are used to generate recommendations.

Memorystore for Redis

Added support for Upgrading the Redis version of an instance with the Google Cloud Console.

Released support for Redis version 6.x (Preview) on Memorystore for Redis. For more details, see Supported versions.

SAP on Google Cloud

SAP NetWeaver high-availability cluster documentation for SLES

A new load-balancer-based configuration guide for SAP NetWeaver high-availability clusters on SUSE Linux Enterprise Server (SLES) is available for use.

For more information, see the HA cluster configuration guide for SAP NetWeaver on SLES.

June 09, 2021

Cloud Load Balancing

Network Load Balancing now supports load-balancing ESP (Encapsulating Security Payload) and ICMP (Internet Control Message Protocol) traffic. To handle these protocols, you specify the new L3_DEFAULT protocol on the load balancer's forwarding rule.

For details, see:

This feature is available in Preview.

Dataflow

Dataflow SQL now supports user-defined functions (UDFs) written using Java. For more information, see Dataflow SQL user-defined functions. This feature is in Preview.

Document AI

VPC Service Controls

Integration with Document AI VPC Service Controls is now generally available.

Google Kubernetes Engine

(2021-R19) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.18.17-gke.1900 is now the default version in the Stable channel.
  • Version 1.18.17-gke.1901 is now available in the Stable channel.
  • Version 1.19.10-gke.1000 is now available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.18.17-gke.1900 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to version 1.19.10-gke.1000 with this release.

Regular channel

  • Version 1.19.10-gke.1600 is now available in the Regular channel.
  • Version 1.20.6-gke.1000 is now available in the Regular channel.
  • Version 1.19.9-gke.1400 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.19.9-gke.1900 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.6-gke.1000 with this release.

Rapid channel

  • Version 1.20.6-gke.1400 is now the default version in the Rapid channel.
  • Version 1.21.1-gke.400 is now available in the Rapid channel.
  • Version 1.20.6-gke.1000 is no longer available in the Rapid channel.
  • Version 1.21.1-gke.100 is no longer available in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.20.6-gke.1400 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.1-gke.400 with this release.

If you manually upgrade your cluster from 1.18 to 1.19 and the network tier configuration on an existing external network load balancer does not match the network tier annotation in the service spec (if unspecified, defaults to Premium), the load balancer will be deleted and recreated, and the network tier configuration will be enforced.

A domain-scoped project is not supported in GKE version 1.20. The cluster's CertificateSigningRequest will be denied when validating the DNS name and the nodes cannot join the cluster.

1.20 is now generally available

Kubernetes 1.20 is now generally available (GA). Before upgrading, read the Kubernetes 1.20 Release Notes, especially the Urgent upgrade notes and Deprecations sections.

The node.k8s.io/v1beta1 RuntimeClass API has graduated to node.k8s.io/v1 with no changes. API clients and manifests should switch to using the node.k8s.io/v1 API after version 1.20. The node.k8s.io/v1beta1 API is deprecated and will no longer be served starting in version 1.25.

As of version 1.20, the kubelet no longer creates the target_path for NodePublishVolume in accordance with the CSI spec. If you have self-managed CSI drivers deployed in your cluster, ensure that they are idempotent and do any necessary mount creation or verification. For more information, see Kubernetes issue #88759.

Starting in version 1.20, timeouts on exec probes are honored, and default to 1 second if unspecified. If you have Pods using exec probes, ensure that they can easily complete in 1 second or explicitly set an appropriate timeout. For more information, see ConfigureProbes.

Non-deterministic treatment of objects with invalid ownerReferences was fixed in version 1.20. Run the kubectl-check-ownerreferences tool prior to upgrade to locate existing objects with invalid ownerReferences.

  • A namespaced object with an ownerReference to another namespaced object which does not exist in the same namespace is now consistently treated as having a missing owner and is deleted.

  • A cluster-scoped object with an ownerReference to a namespaced object is now consistently treated as having an unresolvable owner, and is ignored by the garbage collector.

  • Starting in version 1.20, when a namespace mismatch between a child and owner object is detected, an event with a reason code of OwnerRefInvalidNamespace is recorded.

The metadata.selfLink field, deprecated since version 1.16, is no longer populated in version 1.20. See Kubernetes issue #1164 for details. A related bug in the GetReference function of the k8s.io/client-go library was fixed in versions 0.15.9 or later, 0.16.4 or later, and 0.17.0 or later. Clients using the GetReference function should upgrade to one of those versions of client-go or newer in order to work correctly against an API Server running version 1.20 or later.

Reminder: Future beta API removals in versions 1.22 and 1.25

Kubernetes versions 1.22 and 1.25 will stop serving several deprecated beta APIs. It is recommended to begin migrating your clients and manifests to the stable replacement APIs now. More information is available in the OSS Kubernetes documentation.

VPC Service Controls

Integration with Document AI VPC Service Controls is now generally available.

Virtual Private Cloud

If you enable PROXY protocol for a Private Service Connect service attachment, the PROXY protocol header value was previously either 0xEA or 0xE0. Starting today, the value will always be 0xE0.

June 08, 2021

AI Platform Prediction

Runtime version 2.5 is now available. You can use runtime version 2.5 to serve online predictions with TensorFlow 2.5.1, scikit-learn 0.24.1, or XGBoost 1.4.0. Runtime version 2.5 does not support batch prediction.

See the full list of updated dependencies in runtime version 2.5.

Anthos clusters on VMware

Anthos clusters on VMware 1.5.4-gke.2 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.5.4-gke.2 runs on Kubernetes v.1.17.9-gke.4400. The supported versions that offer the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.7, 1.6, and 1.5.

Fixes

These security vulnerabilities have been fixed:

Fixed CVE-2021-25735 mentioned in the GCP-2021-003 Security Bulletin, CVE-2021-31535, and other medium and low vulnerability CVEs with fixes available.

Cloud Billing

Committed use discounts for Google Kubernetes Engine (GKE) are now Generally Available to purchase for workloads running on GKE Autopilot.

They provide discounted prices in exchange for your commitment to use a minimum level of resources for a specified term. The spend-based committed use discounts apply to all GKE Autopilot Pod workload CPU, memory, and ephemeral storage usage in the region in which you have committed. This gives you low, predictable costs, without the need to make any manual changes or updates yourself. This flexibility saves you time and helps you to save more by achieving high utilization rates across your commitments.

GKE Autopilot Mode commitments do not apply to the cluster management fee or to GKE Standard mode compute nodes.

See the documentation for more details.

Cloud VPN

You can check for VPN tunnel overutilization using the VPN tunnel utilization recommender. A recommender is a service in Google Cloud that provides usage recommendations for cloud resources.

Compute Engine

Generally available: You can configure how your regional managed instance group distributes instances across zones by using capacity-aware distribution shapes, which can automatically deploy instances to zones where capacity is available and optionally prioritize the use of reservations.

Preview: When rolling out configuration or application updates to a stateful or stateless managed instance group, use the minimum and most disruptive allowed actions to control disruption to your workload.

Dataproc

Custom image limitation: Currently, the following Dataproc image versions are the latest images that can be used as the base for custom images:

  • 1.3.89-debian10, 1.3.89-ubuntu18
  • 1.4.60-debian10, 1.4.60-ubuntu18
  • 1.5.35-debian10, 1.5.35-ubuntu18, 1.5.35-centos8
  • 2.0.9-debian10, 2.0.9-ubuntu18, 2.0.11-centos8

Migrate for Compute Engine

Transition the underlying OS used by Migrate for Compute Engine components (Manager, Cloud Extensions, Importers, and Exporters) to use Ubuntu Advantage.

Resource Manager

The Resource Settings API has entered general availability. You can use Resource Settings to centrally configure settings for your Google Cloud projects, folders, and organization. For more information, see Resource Settings overview.

June 07, 2021

Anthos clusters on VMware

Anthos clusters on VMware 1.6.3-gke.3 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.6.3-gke.3 runs on Kubernetes v1.18.18-gke.100. The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.7, 1.6, and 1.5.

Fixes

These security vulnerabilities have been fixed:

Fixed CVE-2021-25735 mentioned in the GCP-2021-003 Security Bulletin, CVE-2021-31535, and other medium and low vulnerability CVEs with fixes available.

BigQuery

BigQuery now supports parameterized types. The following parameterized types are supported:

This feature is in Preview.

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud Redis
    • redis.googleapis.com/Instance

Cloud Composer

New versions of Cloud Composer images:

  • composer-1.17.0-preview.2-airflow-2.0.1
  • composer-1.16.6-airflow-1.10.15
  • composer-1.16.6-airflow-1.10.14 (default)
  • composer-1.16.6-airflow-1.10.12

You can now store values for the smtp_password Airflow configuration option in Secret Manager.

Increased the timeout for environment upgrade operations to support upgrades for databases up to 16 GB in size. If an upgrade operation times out and the Airflow database size is more than 10 GB, a warning message about the database size is generated.

Fixed memory issues that occurred while syncing files on machine types with more than 8 vCPUs.

DAG parsing and task processing in Airflow no longer fails because of incorrectly formatted Airflow logs. This happened due to a bug in Airflow log message formatting. Before this fix, errors related to sensor tasks with reschedule intervals shorter than scheduler processing time were not displayed.

(New environments only) Some log messages related to Airflow web server access were previously missing in Cloud Logging. This problem is fixed and these messages now appear in Cloud Logging.

(Available without upgrading) Updating environment labels now correctly overrides previous labels in billing reports.

Cloud Composer 1.10.4 has reached its end of full support period.

Cloud Functions

Cloud Functions now supports Ruby 2.6 and 2.7 at the General Availability release level.

Cloud SQL for MySQL

Cloud SQL now offers faster maintenance, with connectivity dropping for less than 60 seconds on average.

Cloud SQL for PostgreSQL

Cloud SQL now offers faster maintenance, with connectivity dropping for less than 60 seconds on average.

Cloud SQL for SQL Server

Cloud SQL now offers faster maintenance, with connectivity dropping for less than 120 seconds on average.

Cloud TPU

Cloud TPU now supports TensorFlow 2.5.0. For more information, see TensorFlow 2.5.0 Release Notes.

Google Kubernetes Engine

You can now specify the default image type to use for new auto-provisioning node pools. See Using node auto-provisioning for more details.

Security Command Center

Security Command Center Legacy, previously known as Cloud Security Command Center, and Event Threat Detection Legacy have been permanently disabled.

To continue benefiting from Security Command Center, you must migrate your organizations to Security Command Center's free Standard tier or Premium tier. Event Threat Detection, a built-in service of Security Command Center, is available only in the Premium tier.

For information on upgrading to Security Command Center Standard or Premium, see Migrate from legacy Security Command Center products. To inquire about flexible pricing options for the Premium tier, complete our Premium inquiry form. You should receive a response within two US business days.

Workflows

String processing functions are now available in the text module of the Workflows standard library.

June 04, 2021

Artifact Registry

Maven, npm, and Python repositories are now in Preview.

Storage and network egress charges apply to all formats that are in Preview or are generally available.

Cloud Asset Inventory

Cloud Asset Inventory Console Preview is now publicly available. It lets you see insights about your Google Cloud footprint and the details and history of resources, and it provides powerful and easy filtering and search capabilities.

Cloud SQL for PostgreSQL

Both the Cloud SQL Java Connector and Cloud SQL Python Connector now support IAM Authentication for PostgreSQL.

Cloud Spanner

We are replacing the Insert a row and Edit a row data forms in the Cloud Console with pre-populated DML query templates on the Query page. These templates give you more flexibility when adding and editing data.

Dialogflow

Dialogflow CX will have new pricing on September 1, 2021. For details, see the pricing documentation. In summary, the new pricing will be:

  • Text: $0.007/request
  • Audio: $0.06/minute

Google Kubernetes Engine

The security community recently disclosed a new security vulnerability, CVE-2021-30465, found in runc, that has the potential to allow full access to a node filesystem.

For more information, see the GCP-2021-011 security bulletin.

Virtual Private Cloud

The Private Service Connect Published Services tab in the Google Cloud Console now correctly displays service attachments. You can now view and manage service attachments using the Console, the gcloud command-line tool, or the API.

When a Private Service Connect consumer endpoint is deleted, the service attachment details now correctly reflect this change.

June 03, 2021

Anthos GKE on AWS

Anthos clusters on AWS 1.7.2-gke.0 is now available.

Anthos clusters on AWS 1.7.2-gke.0 clusters run the following Kubernetes versions:

  • 1.16.15-gke.18500
  • 1.17.17-gke.8200
  • 1.18.18-gke.1500
  • 1.19.10-gke.1500

The Anthos clusters on AWS 1.7.2-gke.0 release addresses the following vulnerabilities:

Artifact Registry

Artifact Registry now supports Access Transparency. Access Transparency provides you with logs of actions that Google staff have taken when accessing your data. To learn more about Access Transparency, see the Overview of Access Transparency.

Cloud Asset Inventory

New resource types are now available.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

  • Cloud Bigtable
    • bigtableadmin.googleapis.com/AppProfile

Cloud Run

Request timeouts up to 60 minutes are now at general availability (GA).

Compute Engine

N2D machine types are now available in us-west4-a, Las Vegas, Nevada. See VM instance pricing for details.