Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud console or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

May 27, 2022

Cloud Logging

Support has been removed for two previously deprecated system metrics: logging.googleapis.com/excluded_log_entry_count and logging.googleapis.com/excluded_byte_count.

Cloud Spanner

Cloud Spanner change streams capture and stream out inserts, updates, and deletes in near real-time—useful for analytics, archiving, and triggering downstream application workflows.

Cloud TPU

Cloud TPU now supports TensorFlow 2.8.2 and 2.9.1. For more information, see TensorFlow 2.8.2 release notes and TensorFlow 2.9.1 release notes.

Compute Engine

Preview: You can now use the SSH troubleshooting tool from the Cloud console to help you determine the cause of failed SSH connections.

Data Catalog

Data Catalog is now available in Santiago (southamerica-west1). For more information on region and feature availability, see regions.

Security Command Center

The compliances, exfiltration, and processes attributes were added to the Finding object.

  • The compliances attribute provides details about security standards that are unmet.
  • The exfiltration attribute provides details about the sources and targets of an exfiltration attempt.
  • The processes attribute provides details about operating system processes relevant to a finding.

For more information, see the API documentation for the Finding object.

May 26, 2022

Anthos clusters on VMware

Anthos clusters on VMware 1.11.1-gke.53 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.11.1-gke.53 runs on Kubernetes 1.22.8-gke.200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.11, 1.10, and 1.9.

Fixed for v1.11.1

  • Fixed the known issue where v1.11.0 user clusters cannot be created with a v1.10.x admin cluster.

  • Fixed the issue where the gkectl logs might be truncated when admin cluster creation has failed.

  • Fixed the issue where Anthos Identity Service with LDAP failed to authenticate against some older Active Directory servers when the user ID contains a comma.

Fixed the following vulnerabilities

High-severity CVEs

Medium-severity CVEs

Anthos clusters on VMware 1.10.4-gke.32 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.10.4-gke.32 runs on Kubernetes 1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.11, 1.10, and 1.9.

Fixed for v1.10.4

Fixed the following vulnerabilities

High-severity CVEs

RBAC fixes

  • anetd

    • Changed to use kubelet kubeconfig to only allow the anetd to update its own node resource, and the pod resources that are running on the node.
  • antrea-controller / anetd-win

    • Instead of reusing the RBAC config for anetd, created a dedicated RBAC config for antrea and reduced the unnecessary permissions.
  • clusterdns-controller

    • Scoped down clusterdns permissions to default resource name.
    • Scoped down configmap permissions to coredns resource name.
    • Removed create/delete permissions for configmaps. The coredns configmap is now created by the bundle, with create-only annotation to ensure we don't overwrite existing config on upgrade.
  • dns-autoscaler

    • Removed unneeded permissions, and scoped down needed permissions to a particular resource using resourceNames.
    • Restricted get configmap for dns autoscaler.
  • gke-usage-metering

    • Restricted the permission to the kube-system namespace where possible.
  • seesaw-load-balancer

    • Restricted the permission by setting resource names.
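
The scoping pattern in these RBAC fixes can be checked mechanically. The following is an added example, not code from Anthos or from this page: a small linter over RBAC rules expressed as Python dicts. The three sample roles and their names are constructed; only the `coredns` resource name comes from the notes above. It relies on documented Kubernetes behaviour: `create` and `deletecollection` requests cannot be matched by `resourceNames`.

```python
"""Lint RBAC PolicyRules for the scoping problems the fixes above address."""

# Kubernetes cannot match these verbs against resourceNames, because the
# request carries no object name at authorization time.
NAME_BLIND_VERBS = {"create", "deletecollection"}
# Verbs that address a single named object and can be pinned by resourceNames.
NAMEABLE_VERBS = {"get", "update", "patch", "delete"}


def lint_rule(rule):
    """Return a sorted list of finding codes for one PolicyRule dict."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    names = rule.get("resourceNames") or []
    findings = set()
    if "*" in verbs or "*" in resources:
        findings.add("wildcard")
    # Any object of the resource type can be read or changed.
    if not names and ("*" in verbs or verbs & NAMEABLE_VERBS):
        findings.add("no-resource-names")
    # The rule never grants these verbs once resourceNames is set, so the
    # verb is dead weight and the object must be created by something else.
    if names and verbs & NAME_BLIND_VERBS:
        findings.add("dead-verb")
    return sorted(findings)


def lint_role(role):
    """Map rule index -> findings, for every rule with at least one finding."""
    report = {}
    for index, rule in enumerate(role.get("rules", [])):
        found = lint_rule(rule)
        if found:
            report[index] = found
    return report


# Constructed sample: broad configmap access, as before a scope-down.
BEFORE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-dns-controller-before"},
    "rules": [{
        "apiGroups": [""],
        "resources": ["configmaps"],
        "verbs": ["get", "list", "watch", "create", "update", "delete"],
    }],
}

# Constructed sample: resourceNames added, but create left in the rule.
NAMES_ONLY = {
    "kind": "Role",
    "metadata": {"name": "example-dns-controller-partial"},
    "rules": [{
        "apiGroups": [""],
        "resources": ["configmaps"],
        "resourceNames": ["coredns"],
        "verbs": ["get", "create", "update"],
    }],
}

# Constructed sample: the end state the notes describe for configmaps.
AFTER = {
    "kind": "Role",
    "metadata": {"name": "example-dns-controller-after"},
    "rules": [{
        "apiGroups": [""],
        "resources": ["configmaps"],
        "resourceNames": ["coredns"],
        "verbs": ["get", "update"],
    }],
}

if __name__ == "__main__":
    for role in (BEFORE, NAMES_ONLY, AFTER):
        print(role["metadata"]["name"], lint_role(role))
```
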

Anthos clusters on bare metal

Release 1.11.2

Anthos clusters on bare metal 1.11.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.2 runs on Kubernetes 1.22.

Starting with Anthos clusters on bare metal release 1.11.2, you can enable or disable Anthos VM Runtime by updating the VMRuntime custom resource only. The legacy spec.kubevirt settings in the cluster configuration are no longer supported. The VMRuntime custom resource is installed by default on version 1.10 and later hybrid, standalone, and user clusters. The VMRuntime custom resource can't be applied to admin clusters.

If you have Anthos VM Runtime enabled for your Anthos clusters on bare metal, you must disable it before upgrading clusters to version 1.11.2 or higher. If this step is not completed, your cluster upgrade will fail. You can re-enable Anthos VM Runtime after the upgrade is complete.

Starting with Anthos clusters on bare metal release 1.11.2, the Anthos VM Runtime API version has changed from v1alpha1 to v1. This version change doesn't affect the VMRuntime custom resource, but most other resources are affected.

Functionality changes:

  • The containerd runtime has been upgraded to 1.5.11-gke.0 to address CVE-2022-24769.

  • Added a preflight check that disallows Ubuntu 18.04 distributions with 4.15.x Linux kernels.

Fixes:

  • Fixed cluster custom resource status reporting for pending reconciliations.

  • Fixed a bmctl check cluster command issue that caused the user cluster kubeconfig Secret to be overwritten.

  • Fixed an issue with manifest installation when last-applied-config is broken that caused upgrades to fail.

  • Fixed an issue to ensure that the 20-minute timeout for node draining is enforced during cluster upgrades. This timeout provides ample time for nodes to drain, but ensures that upgrades can always proceed.

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

App Engine standard environment Java

  • Updated the Java SDK to version 1.9.97.
  • Added missing classes in the appengine-jsr107cache.jar file.

Cloud Composer

Cloud Composer 1.18.10 and 2.0.14 release started on May 26, 2022. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.

(Airflow 2) If your DAGs use the google-ads package version 14.0.0 or earlier, please upgrade your environment to Cloud Composer version 2.0.14 so that your environment uses Google Ads API v10. Google Ads API v8 and v9 are deprecated and will not be available in the near future.

Added new database metrics: a metric that shows the total limit of database connections, and a metric for the number of active database connections.

(Airflow 1) The google-cloud-bigquery package is upgraded from 1.28.0 to 2.13.0.

(Airflow 2) Updates for the apache-airflow-providers-google package:

Breaking changes:

  • Upgrade to support Google Ads v10 (#22965)

Features:

  • [FEATURE] google provider - BigQueryInsertJobOperator log query (#23648)
  • [FEATURE] google provider - split GkeStartPodOperator execute (#23518)
  • Add exportContext.offload flag to CLOUD_SQL_EXPORT_VALIDATION. (#23614)
  • Create links for BiqTable operators (#23164)
  • implements #22859 - Add .sql as templatable extension (#22920)
  • 'GCSFileTransformOperator': New templated fields 'source_object', 'destination_object' (#23328)

Bug Fixes

  • Fix 'PostgresToGCSOperator' does not allow nested JSON (#23063)
  • Fix GCSToGCSOperator ignores replace parameter when there is no wildcard (#23340)
  • update processor to fix broken download URLs (#23299)
  • 'LookerStartPdtBuildOperator', 'LookerCheckPdtBuildSensor' : fix empty materialization id handling (#23025)
  • Change ComputeSSH to throw provider import error instead paramiko (#23035)
  • Fix cancel_on_kill after execution timeout for DataprocSubmitJobOperator (#22955)
  • Fix select * query xcom push for BigQueryGetDataOperator (#22936)
  • MSSQLToGCSOperator fails: datetime is not JSON Serializable (#22882)
  • Update credentials when using ADC in Compute Engine #23773

Misc changes

  • Add Stackdriver assets and migrate system tests to AIP-47 (#23320)
  • CloudTasks assets & system tests migration (AIP-47) (#23282)
  • TextToSpeech assets & system tests migration (AIP-47) (#23247)
  • Fix code-snippets in google provider (#23438)
  • Bigquery assets (#23165)
  • Remove redundant docstring in 'BigQueryUpdateTableSchemaOperator' (#23349)
  • Migrate gcs to new system tests design (#22778)
  • add missing docstring in 'BigQueryHook.create_empty_table' (#23270)
  • Cleanup Google provider CHANGELOG.rst (#23390)
  • migrate system test gcs_to_bigquery into new design (#22753)
  • Add example DAG for demonstrating usage of GCS sensors (#22808)

(Cloud Composer 2) Several false error log messages are no longer generated after an environment is created.

(Cloud Composer 2) Fixed a problem where the Airflow web server becomes unavailable after all PyPI packages are uninstalled from an environment.

Fixed a problem where Cloud Composer always reported an error when checking for connectivity to the PyPI repository during PyPI package installation in Private IP environments.

Cloud Composer 1.18.10 and 2.0.14 images are available:

  • composer-1.18.10-airflow-1.10.15 (default)
  • composer-1.18.10-airflow-2.1.4
  • composer-1.18.10-airflow-2.2.3
  • composer-1.18.10-airflow-2.2.5
  • composer-2.0.14-airflow-2.1.4
  • composer-2.0.14-airflow-2.2.3
  • composer-2.0.14-airflow-2.2.5

Cloud Composer versions 1.16.5 and 1.17.0.preview.1 have reached their end of full support period.

Cloud Load Balancing

Regional external and regional internal HTTP(S) load balancers now support regional SSL policies. SSL policies give you the ability to control the features of SSL that your Google Cloud load balancers negotiate with clients.

For details, see:

This feature is in Preview.

Cloud Logging

You can now collect IIS logs and additional metrics from the Ops Agent, starting with versions 2.14.0 (logs) and 2.15.0 (additional metrics). For more information, see Monitoring third-party applications: IIS.

You can now collect Varnish logs and metrics from the Ops Agent, starting with versions 2.16.0 (logs) and 2.15.0 (metrics). For more information, see Monitoring third-party applications: Varnish.

You can now collect Active Directory Domain Services logs and metrics from the Ops Agent, starting with version 2.15.0. For more information, see Monitoring third-party applications: Active Directory Domain Services.

You can now collect Jetty logs from the Ops Agent, starting with version 2.16.0. For more information, see Monitoring third-party applications: Jetty.

Cloud Monitoring

You can now configure an uptime check to validate a specific JSONpath. For more information, see Validate response data.

A new version of Managed Service for Prometheus is now available. Version 0.4.1 of managed collection has been released, along with v2.35.0-gmp.2 of the managed-service binary that v0.4.1 depends on (container image: gke.gcr.io/prometheus-engine/prometheus:v2.35.0-gmp.2-gke.0). For details about the changes included, see the release page on GitHub.

You can now collect IIS logs and additional metrics from the Ops Agent, starting with versions 2.14.0 (logs) and 2.15.0 (additional metrics). For more information, see Monitoring third-party applications: IIS.

You can now collect Varnish logs and metrics from the Ops Agent, starting with versions 2.16.0 (logs) and 2.15.0 (metrics). For more information, see Monitoring third-party applications: Varnish.

You can now collect Active Directory Domain Services logs and metrics from the Ops Agent, starting with version 2.15.0. For more information, see Monitoring third-party applications: Active Directory Domain Services.

Cloud SQL for MySQL

Cloud SQL for MySQL now supports minor version 8.0.29. To upgrade your existing instance to the new version, see Upgrade the database minor version.

Google Kubernetes Engine

1.24 is now available in the Rapid channel

Kubernetes 1.24 is now available in the Rapid channel. Before upgrading, read the Kubernetes 1.24 Release Notes, especially the action required and deprecation sections.

New API versions

  • storage.k8s.io/v1 CSIStorageCapacity

Notable changes

  • GKE does not support node images that use Docker as the runtime in GKE version 1.24 and later. For more information, see migrating from Docker to containerd.
  • Secret API objects containing service account tokens are not automatically created in 1.24.
    • This change improves security by reducing readable, permanent, Secret-based tokens to ones that have been explicitly requested, and improves performance by reducing the amount of persisted Secret data and avoiding unnecessary utilization of application-layer secrets encryption.
    • Existing Secret-based tokens from previous versions remain valid on upgrade.
    • Secret-based tokens are not used by nodes or pods on version 1.21 and later.
    • Only node versions 1.22 and later are supported running against 1.24 clusters.
    • Clients retrieving tokens directly from the API can still obtain a token using these methods supported in all available GKE versions:
    • Examples of incorrect ways to obtain Secret-based tokens from the API include:
      • Scanning the secrets[*].name field of a ServiceAccount object; this field lists secrets usable by pods running as that service account, not for other purposes, and secrets in that list have never been guaranteed to be service account token secrets.
      • Looking for existing Secret objects of type kubernetes.io/service-account-token created by other clients; a Secret created by another client is owned by that client, and cannot be assumed to be stable for use by other clients.
  • Kubernetes 1.24 deprecates support for insecure serving certificates signed with a SHA-1 hash. Aggregated API servers, admission webhooks, and custom resource conversion webhooks using TLS certificates that are signed by SHA-1 should replace the serving certificates as soon as possible.

    • At cluster version 1.24.0 and later, GKE provides a Cloud Audit log to check if your cluster contains an affected service. You can use the following filter to search for the logs of a 1.24+ cluster:

      ```
      logName: "projects/$PROJECT/logs/cloudaudit.googleapis.com%2Factivity"
      resource.type = "k8s_cluster"
      operation.producer = "k8s.io"
      "invalid-cert.kubernetes.io"
      ```
      
    • If you are not affected you won't see any logs. If you do see such an audit log, it will include the name of the service (whether webhook or aggregated API).
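
For audit logs that have already been exported, the same check can be run offline. The following is an added example, not code from GKE or from this page: it applies the filter's structured clauses to exported log entries and collects every key or string that contains the `invalid-cert.kubernetes.io` marker, grouped by cluster. It assumes one JSON LogEntry per line; the sample entries, the project and cluster names, and the exact key shape and `labels` placement in them are constructed.

```python
"""Scan exported Cloud Audit log entries for the SHA-1 serving-cert marker."""
import json

MARKER = "invalid-cert.kubernetes.io"  # the string the page's filter searches for
ACTIVITY_LOG = "cloudaudit.googleapis.com%2Factivity"


def in_scope(entry):
    """Apply the structured clauses of the page's filter to one LogEntry dict."""
    return (
        ACTIVITY_LOG in entry.get("logName", "")
        and entry.get("resource", {}).get("type") == "k8s_cluster"
        and entry.get("operation", {}).get("producer") == "k8s.io"
    )


def find_markers(node):
    """Yield every mapping key or string value that contains MARKER.

    The walk is recursive so it does not depend on where in the entry the
    annotation is stored.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            if MARKER in key:
                yield key
            yield from find_markers(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_markers(item)
    elif isinstance(node, str) and MARKER in node:
        yield node


def affected_by_cluster(lines):
    """Return {cluster_name: sorted marker strings} for in-scope entries."""
    report = {}
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt export lines
        if not isinstance(entry, dict) or not in_scope(entry):
            continue
        found = set(find_markers(entry))
        if found:
            labels = entry["resource"].get("labels", {})
            cluster = labels.get("cluster_name", "unknown")
            report.setdefault(cluster, set()).update(found)
    return {cluster: sorted(found) for cluster, found in report.items()}


def sample_entry(cluster, rtype="k8s_cluster", labels=None):
    """Build one constructed log line; not a captured GKE log entry."""
    return json.dumps({
        "logName": "projects/example-project/logs/" + ACTIVITY_LOG,
        "resource": {"type": rtype, "labels": {"cluster_name": cluster}},
        "operation": {"producer": "k8s.io"},
        "labels": labels or {},
    })


# Constructed key: the layout around MARKER is an assumption for the sample.
SHA1_KEY = "insecure-sha1." + MARKER + "/webhook.example.svc"

SAMPLE_LINES = [
    sample_entry("prod-a", labels={SHA1_KEY: "uses an insecure SHA-1 signature"}),
    sample_entry("prod-a", labels={"authorization.k8s.io/decision": "allow"}),
    sample_entry("prod-a", labels={SHA1_KEY: "uses an insecure SHA-1 signature"}),
    sample_entry("vm-1", rtype="gce_instance", labels={SHA1_KEY: "out of scope"}),
    '{"logName": "truncated',
]

if __name__ == "__main__":
    for cluster, markers in affected_by_cluster(SAMPLE_LINES).items():
        print(cluster, markers)
```
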

Deprecated API versions

These APIs are still served in version 1.24 but are in a deprecation period:

  • PodSecurityPolicy

    • policy/v1beta1 PodSecurityPolicy
    • Deprecated in 1.21 with removal targeted for version 1.25.
    • 1.24 is the last version supporting the beta PodSecurityPolicy feature. Use of this feature must be discontinued before clusters will upgrade to 1.25. For more information, see PodSecurityPolicy deprecation.
  • The following Beta versions of graduated APIs will be removed in 1.25 in favor of their newer versions:

    • discovery.k8s.io/v1beta1 EndpointSlice, deprecated since 1.21
    • policy/v1beta1 PodDisruptionBudget, deprecated since 1.21
    • batch/v1beta1 CronJob, deprecated since 1.21
    • node.k8s.io/v1beta1 RuntimeClass
    • autoscaling/v2beta1 HorizontalPodAutoscaler
  • The following Beta versions of graduated APIs will be removed in 1.26 in favor of newer versions:

    • flowcontrol.apiserver.k8s.io/v1beta1 FlowSchema, PriorityLevelConfiguration
      • deprecated since 1.23
      • use flowcontrol.apiserver.k8s.io/v1beta2 instead, available since 1.23
    • autoscaling/v2beta2 HorizontalPodAutoscaler
      • deprecated since 1.23
      • use autoscaling/v2 instead, available since 1.23 (or autoscaling/v1)
  • The following Beta versions of graduated APIs will be removed in 1.27 in favor of new versions:

    • storage.k8s.io/v1beta1 CSIStorageCapacity, deprecated since 1.24

Nodes on version 1.24.0-gke.1000 with more than 80GB of memory will fail to start successfully due to a known bug, which will be resolved in future 1.24 versions.

(2022-R13) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.22.8-gke.201 is now the default version.
  • The following control plane and node versions are now available:

  • The following control plane versions are no longer available:

    • 1.19.16-gke.10800
    • 1.20.15-gke.3400
    • 1.20.15-gke.3600
    • 1.20.15-gke.4100
    • 1.20.15-gke.5000
    • 1.20.15-gke.5200
    • 1.21.10-gke.400
    • 1.21.10-gke.1300
    • 1.21.10-gke.1500
    • 1.21.10-gke.2000
    • 1.22.6-gke.300
    • 1.22.6-gke.1000
    • 1.22.7-gke.300
    • 1.22.7-gke.900
    • 1.22.7-gke.1300
    • 1.22.7-gke.1500
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.20.15-gke.6000 with this release.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to 1.21.11-gke.1100 with this release.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to 1.21.11-gke.1100 with this release.

  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.22 to 1.22.8-gke.201 with this release.

Stable channel

  • Version 1.21.11-gke.1100 is now the default version in the Stable channel.

  • The following versions are now available in the Stable channel:

  • The following versions are no longer available in the Stable channel:

    • 1.19.16-gke.10800
    • 1.20.15-gke.5200
    • 1.21.11-gke.900
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to version 1.20.15-gke.6000 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to version 1.21.11-gke.1100 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to version 1.21.11-gke.1100 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.22 to version 1.22.8-gke.201 with this release.

Regular channel

  • Version 1.22.8-gke.201 is now the default version in the Regular channel.
  • Version 1.22.8-gke.200 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.22.8-gke.201 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.22 to 1.22.8-gke.201 with this release.

Rapid channel

  • Version 1.23.5-gke.2400 is now the default version in the Rapid channel.

  • The following versions are now available in the Rapid channel:

  • The following versions are no longer available in the Rapid channel:

    • 1.21.11-gke.1900
    • 1.22.8-gke.201
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to 1.20.15-gke.6000 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.12-gke.1500 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.12-gke.1500 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.23.5-gke.2400 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.24 to 1.24.0-gke.1000 with this release.

May 25, 2022

Access Approval

Access Approval lets you know if the notification emails for access requests don't get delivered to you because you provided an incorrect email address while setting up the notification configurations.

Apigee Connectors

Preview release of new Connectors for Apigee

On May 20, 2022, we released the preview version of the Connectors for Apigee.

The Zendesk connector is available for Apigee. For more information, see Zendesk connection.

Apigee UI

You can now create and manage Private Service Connect (PSC) endpoint attachments in the Apigee UI. For details, see Creating an endpoint attachment.

Artifact Registry

Apt and Yum repositories are now generally available.

Chronicle

The following supported default parsers have changed, listed by product name and ingestion label:

  • Apache Hadoop (HADOOP)
  • Suricata IDS (SURICATA_IDS)
  • GCP Compute (GCP_COMPUTE)
  • Elastic Audit Beats (ELASTIC_AUDITBEAT)
  • Cloudflare (CLOUDFLARE)
  • Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
  • FortiGate (FORTINET_FIREWALL)
  • CSV Custom IOC (CSV_CUSTOM_IOC)
  • CrowdStrike Falcon (CS_EDR)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • CIS Albert Alerts (CIS_ALBERT_ALERT)
  • SonicWall (SONIC_FIREWALL)
  • Okta User Context (OKTA_USER_CONTEXT)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • Check Point (CHECKPOINT_FIREWALL)
  • Barracuda Email (BARRACUDA_EMAIL)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Carbon Black App Control (CB_APP_CONTROL)
  • OpenSSH (OPENSSH)
  • OneLogin (ONELOGIN_SSO)
  • Office 365 (OFFICE_365)
  • FireEye NX (FIREEYE_NX)
  • ExtraHop RevealX (EXTRAHOP)
  • Cisco Umbrella DNS (UMBRELLA_DNS)
  • Kaspersky AV (KASPERSKY_AV)
  • IBM Guardium (GUARDIUM)
  • F5 ASM (F5_ASM)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Workspace Activities (WORKSPACE_ACTIVITY)
  • Forcepoint Proxy (FORCEPOINT_WEBPROXY)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Tanium Stream (TANIUM_TH)
  • Apache (APACHE)

For details about the changes in each parser, see Supported default parsers.

Cloud Asset Inventory

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Cloud KMS
    • cloudkms.googleapis.com/EkmConnection
  • Cloud Run
    • run.googleapis.com/Job
    • run.googleapis.com/Execution

Cloud Composer

Private Service Connect support in Cloud Composer 2 is now generally available (GA).

Privately used public IP addresses are now generally available (GA).

Cloud Functions

We have updated the documentation to clarify that to get the updates and security patches for runtimes and their dependencies, you need to deploy a function. Security patches are not applied otherwise.

Google Cloud Armor

Google Cloud Armor integration with reCAPTCHA Enterprise is now in General Availability. See the Cloud Armor bot management overview and the Overview of reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

Google Distributed Cloud Edge

This is a patch release of Google Distributed Cloud Edge (version 1.0.2).

The following changes have been introduced in this release of Distributed Cloud Edge:

  • Configuring a maintenance window now controls the scheduling of software updates for the Kubernetes control plane and Kubernetes nodes.

  • You can now deploy KubeVirt virtual machines on Distributed Cloud Edge in unmanaged namespaces with support for the Containerized Data Importer (CDI) plug-in.

The following issues have been resolved in this release of Distributed Cloud Edge:

  • Intermittent VPN connection persistence after deletion has been resolved. You no longer need to manually check whether the VPN connection and its associated resources have been successfully deleted.

  • The localpv-shared Persistent Volume has been eliminated. You will no longer see this Persistent Volume on the filesystem of your Distributed Cloud Edge nodes.

This release of Distributed Cloud Edge contains the following known issues:

  • The NodePort Service is not supported. This release of Distributed Cloud Edge only supports the LoadBalancer and ClusterIP Kubernetes Services.

  • The Kubernetes control planes associated with Distributed Cloud Clusters can briefly go down during Distributed Cloud Cluster software updates.

  • A large number of webhook calls might cause the Konnectivity proxy to temporarily fail.

  • The metrics agents running on Distributed Cloud Edge nodes can accumulate a backlog of events and stall, preventing the capture of further metrics.

Google Kubernetes Engine

You can now easily assess the running cost implications at cluster creation time. The GKE cluster cost widget lets you get an estimated cost range when you are creating a cluster.

This information can help you get a better understanding of the upper and lower monthly cost to expect based on your cluster autoscaling setup. This feature is now available in Preview.

For more information, see Introducing GKE cost estimator, built right into the Google Cloud console.

GKE clusters that run control plane versions 1.21 or later and node versions 1.16 or earlier might experience:

  • Readiness check failures.
  • Network endpoint groups (NEGs) and load balancers (LBs) not created or synced.

This occurs because the Ingress controllers running in GKE cluster control plane versions 1.21 or later are not compatible with node versions 1.16 and earlier. To resolve this issue, upgrade your node pools.

For more information, see Node version not compatible with control plane version.

Pub/Sub Lite

The Kafka Shim Java client library for Pub/Sub Lite is now GA.

May 24, 2022

Artifact Registry

Artifact Registry is now available in the us-east5 region (Columbus, United States).

BigQuery

You can now load data into BigQuery using Informatica Data Loader. This feature is generally available. Informatica provides connectors that can ingest data into BigQuery.

Cloud Healthcare API

A release was made. Updates may include general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud Key Management Service

Cloud KMS is available in the following region:

  • us-east5

For more information, see Cloud KMS locations.

Cloud Run

The following new region is now available: us-east5.

Cloud SQL for MySQL

Support for us-east5 (Columbus).

Cloud SQL for PostgreSQL

Support for us-east5 (Columbus).

Cloud SQL for SQL Server

Support for us-east5 (Columbus).

Cloud Storage

Cloud Storage is now available in Columbus, Ohio (us-east5 region).

Cloud VPN

Cloud VPN is available in region us-east5 (Columbus, US).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

Generally available: Columbus, Ohio, USA us-east5-a,b,c has launched with E2, N2, and N2D VMs in all three zones. Additionally, you can create C2 VMs in zones a and b.

See VM instance pricing for details.

Config Connector

Config Connector version 1.86.0 is now available.

Added support for ComputeRegionNetworkEndpointGroup resource.

Added spec.serviceDirectoryRegistrations field to ComputeForwardingRule.

Fixed issue where webhooks were unintentionally returning 500 errors when rejecting immutable field changes.

Dataflow

Dataflow is now available in Columbus (us-east5).

Google Kubernetes Engine

The us-east5 region in Columbus, Ohio is now available.

Memorystore for Memcached

Added new Memorystore for Memcached region: Columbus (us-east5).

Memorystore for Redis

Added new Memorystore for Redis region: Milan (europe-west8).

Pub/Sub

Pub/Sub is now available in us-east5 (Columbus, Ohio).

SAP on Google Cloud

Google Cloud monitoring agent for SAP NetWeaver version 2.3

Version 2.3 of the Google Cloud monitoring agent for SAP NetWeaver is now available. This version includes bug fixes and supportability improvements.

For more information about the agent, see Monitoring SAP NetWeaver on Google Cloud.

Monitoring agent for SAP HANA version 2.4

Version 2.4 of the monitoring agent for SAP HANA is now available. This version includes bug fixes and supportability improvements.

For more information about the agent, see Monitoring agent for SAP HANA.

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.202.0.0/20 for the Columbus us-east5 region. For more information, see Auto mode IP ranges.

May 23, 2022

Apigee X

On May 23, 2022, we released an updated version of Apigee X (1-8-0-apigee-9).

Bug ID | Description
N/A | Upgraded infrastructure and libraries

App Engine flexible environment .NET

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

App Engine flexible environment Go

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

App Engine flexible environment Java

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

App Engine flexible environment Node.js

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

App Engine flexible environment PHP

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

App Engine flexible environment Python

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

App Engine flexible environment Ruby

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

BigQuery

Metrics for query/statement_scanned_bytes and query/statement_scanned_bytes_billed are no longer delayed for 6 hours in order to smooth reporting over the duration of the job. Values are now reported every 180 seconds without smoothing. For more information about metrics, see Google Cloud metrics.

Cloud Build

Users can now receive build status notifications in Google Chat via a Google Chat notifier. The Google Chat notifier is available as an experimental release. To learn more, see Configuring Google Chat notifications.

Cloud Storage

JSON copy requests and XML copy requests now return a permanent error on timeouts for objects larger than 2.5 GiB and a retryable error on timeouts for objects smaller than 2.5 GiB.

Dataproc

New sub-minor versions of Dataproc images:

1.5.66-debian10, 1.5.66-ubuntu18, 1.5.66-rocky8

2.0.40-debian10, 2.0.40-ubuntu18, 2.0.40-rocky8

Upgraded Spark to 3.1.3 in Dataproc image version 2.0.

Fixed a bug where a job was not being marked as terminated after a master node reboot.

Fixed a bug where Flink was not able to run on HA clusters.

Backported the fix for HIVE-20514 to Hive 2.3 in Dataproc image version 1.5.

Fixed a bug with HDFS directories initialization when core:fs.defaultFS is set to an external HDFS.

Dialogflow

Dialogflow CX now supports version-specific webhooks.

Dialogflow CX now supports fine-grained webhook errors for built-in events.

May 20, 2022

Anthos Service Mesh

Enabling endpoint discovery multi-cluster installations with declarative API is now available as a preview feature in all release channels. For more information, see Enable endpoint discovery between public clusters with declarative API.

Cloud Logging

You can now see more log entries in the Logs Explorer as a result of several style changes.

Cloud Vision

OCR model migration

The TEXT_DETECTION and DOCUMENT_TEXT_DETECTION models have been upgraded to newer versions. The API interface and client library will be the same as the previous version. The API follows the same Service Level Agreement.

The legacy models can still be accessed until August 20, 2022. Specify "builtin/legacy" in the model field of a Feature object to get the old model results. After August 20, 2022, the legacy models will no longer be offered.

Confidential VM

Support for 3rd generation AMD EPYC Milan processors on general purpose N2D machine types is now available in Preview.

Support for compute-optimized C2D machine types is now available in Preview, featuring:

  • 3rd generation AMD EPYC Milan processors
  • AMD Secure Encrypted Virtualization (SEV) which can encrypt the memory of the VM to protect data in-use
  • The largest VM sizes, which are best suited for high-performance computing (HPC)

Config Controller

Config Controller now uses version 1.84.0 for Config Connector (release notes)

Google Cloud VMware Engine

Beginning on May 30 2022, the VMware Engine operations team will continue performing essential maintenance of the network infrastructure to improve equipment robustness and apply security patches. Users affected by this upgrade will receive an email with planned maintenance dates and times.

For details about the upgrade and steps to prepare, see Service announcements.

Google Kubernetes Engine

You can now quickly identify which of your workloads are underutilized in the Cost Optimization tab. You can also quickly apply suggested values for resource requests and limits (or your own preferred values).

This feature is now available in Preview. For more information, see GKE workload rightsizing.

May 19, 2022

Anthos Config Management

Fixed metrics to use the correct reconciler Pod name for multiple RootSync and RepoSync objects. The metrics are documented at Config Sync metrics.

Anthos clusters on VMware

Anthos clusters on VMware 1.9.6-gke.1 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.6-gke.1 runs on Kubernetes 1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.11, 1.10, and 1.9.

Secret encryption key rotation does not fail when the cluster has more than 1000 secrets.

Fixed the following vulnerabilities

Changed scope of certain RBAC permissions

We have scoped down the over-privileged RBAC permissions for the following components in this release:

  • clusterdns-controller:

    • Scope down clusterdns permissions to 'default' resource name.
    • Scope down configmap permissions to 'coredns' resource name.
    • Remove create/delete permissions for configmaps.
  • seesaw-load-balancer:

    • Restrict the permission to access secrets by specifying certain secret names instead of allowing the access for all secrets.
  • coredns-autoscaler:

    • Reduce the get configmap permission to a specific configmap resource name.
  • anetd / anet-operator:

    • Changed to use kubelet kubeconfig to restrict the anetd to only update its own node resource, and the pod resources that are running on the node.
  • gke-usage-metering:

    • Restrict the permission to only kube-system namespace.
  • ANG (Anthos Network Gateway):

    • Remove/modify RBAC roles and lower the use of kube-rbac proxy in ANG.

Cloud Composer

Airflow 2.2.5 is available in Cloud Composer images.

(Cloud Composer 2) You can now assign permissions for an environment's service account on the service account level instead of the project level. To use this feature, create environments using gcloud, API, or Terraform. Cloud Console support for this feature will be released at a later date.

(Cloud Composer 2) Increased the memory limit for the Redis queue and made it scale with the environment's size.

New Airflow metrics for pools, smart sensor, and SLA email notifications are available for Cloud Composer environments.

If it is not possible to create an environment because of CMEK-related organization policies constraints/gcp.restrictCmekCryptoKeyProjects and constraints/gcp.restrictNonCmekServices, then such attempts fail with an error immediately.

It is now possible to use upper-case symbols in the versions of PyPI packages.

If it is not possible to create an environment because of constraints/compute.vmCanIpForward and compute.vmExternalIpAccess organization policies, then such attempts fail with an error immediately.

(Airflow 1) If your DAGs use the google-ads package version 14.0.0 or earlier, please upgrade your environment to Cloud Composer version 1.18.9 so that your environment uses Google Ads API v10. Google Ads API v8 and v9 are deprecated and will not be available in the near future. This change is available only for Airflow 1. We will provide a similar change for Airflow 2 in a future release.

Cloud Composer 1.18.9 and 2.0.13 images are available:

  • composer-1.18.9-airflow-1.10.15 (default)
  • composer-1.18.9-airflow-2.1.4
  • composer-1.18.9-airflow-2.2.3
  • composer-1.18.9-airflow-2.2.5
  • composer-2.0.13-airflow-2.1.4
  • composer-2.0.13-airflow-2.2.3
  • composer-2.0.13-airflow-2.2.5

Config Connector

Config Connector version 1.85.0 is now available.

Fixed spec.topics in SecretManagerSecret (Issue #655).

Added support for PrivateCACertificate resource.

Fixed the reference configs for AccessContextManagerServicePerimeter.

Added spec.subsetting field to ComputeBackendService.

Added spec.secondaryIpRange field to RedisInstance.

Changed spec.readReplicasMode in RedisInstance from immutable to optional.

Google Kubernetes Engine

(2022-R12) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.21.11-gke.900 is now the default version in the Stable channel.

  • The following versions are now available in the Stable channel:

  • The following versions are no longer available in the Stable channel:

    • 1.19.16-gke.9900
    • 1.20.15-gke.3400
    • 1.20.15-gke.3600
    • 1.20.15-gke.4100
    • 1.21.10-gke.2000
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.10800 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.21.11-gke.900 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.21 to 1.21.11-gke.900 with this release.

Regular channel

  • Version 1.21.11-gke.1100 is now the default version in the Regular channel.
  • The following versions are now available in the Regular channel:

  • The following versions are no longer available in the Regular channel:

    • 1.20.15-gke.5200
    • 1.21.9-gke.1002
    • 1.21.10-gke.400
    • 1.21.10-gke.2000
    • 1.21.11-gke.900
    • 1.22.6-gke.300
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.6000 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.11-gke.1100 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.11-gke.1100 with this release.

Rapid channel

  • The following versions are now available in the Rapid channel:

  • The following versions are no longer available in the Rapid channel:

    • 1.21.11-gke.1100
    • 1.22.7-gke.1500
    • 1.22.8-gke.200
    • 1.23.5-gke.1500
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.11-gke.1900 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.11-gke.1900 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.5-gke.2400 with this release.

May 18, 2022

Apigee Monetization

On May 18, 2022 we released an updated version of the Apigee Monetization software.

Apigee X now supports export of additional fee-based values for organizations using monetization. For more information, see Generating monetization reports.

Apigee UI

On May 18, 2022, we released an updated version of the Apigee UI.

App Engine flexible environment .NET

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine flexible environment Go

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine flexible environment Java

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine flexible environment Node.js

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine flexible environment PHP

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine flexible environment Python

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine flexible environment Ruby

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine flexible environment custom runtimes

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine standard environment Go

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine standard environment Java

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine standard environment Node.js

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine standard environment PHP

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine standard environment Python

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

App Engine standard environment Ruby

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

BigQuery

Updated versions of ODBC and JDBC drivers for BigQuery are now available that include enhancements.

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory), the Feed API, and the Search APIs (SearchAllResources and SearchAllIamPolicies):

  • Cloud Firestore
    • firestore.googleapis.com/Database

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Datastream
    • datastream.googleapis.com/Stream
    • datastream.googleapis.com/ConnectionProfile
    • datastream.googleapis.com/PrivateConnection

Cloud SQL for MySQL

Cloud SQL now supports faster machine type changes, with connectivity dropping to less than 60 seconds. For more information, see Impact of changing instance settings.

Compute Engine

N2D VMs are now available in Paris, France europe-west9-a,b,c.

See VM instance pricing for details.

Traffic Director

Traffic Director for GKE now supports using the Kubernetes Gateway APIs to create a service mesh.

Traffic Director control plane logging and monitoring now supports request count by zone, in addition to DS API Connected Streams and request count.

Vertex AI

The ability to configure Vertex AI private endpoints is now generally available (GA). Vertex AI private endpoints provide a low-latency, secure connection to the Vertex AI online prediction service. You can configure Vertex AI private endpoints by using VPC Network Peering. For more information, see Use private endpoints for online prediction.

May 17, 2022

Cloud Build

Users can view build logs directly in GitHub or GitHub Enterprise without logging into Cloud Build. For more information, see Building repositories from GitHub and Building repositories from GitHub Enterprise. This feature is generally available.

Google Cloud Deploy

Google Cloud Deploy support for VPC Service Controls is now generally available (GA).

VPC Service Controls

General availability for the following integration:

May 16, 2022

Apigee API hub

On May 16, 2022 Apigee hub released a new version of the software.

Bug ID | Description
232129385 | Users without artifact write permission encountered errors when loading various pages if the default API hub artifacts were not yet initialized by the system.

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory), the Feed API, and the Search APIs (SearchAllResources and SearchAllIamPolicies):

  • Cloud KMS
    • cloudkms.googleapis.com/EkmConnection

Cloud Debugger

Cloud Debugger is deprecated and is scheduled for shutdown on May 31 2023. For an alternative, use the open source CLI tool, Snapshot Debugger.

Cloud Healthcare API

A release was made. Updates may include general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud Monitoring

The pricing for Google Cloud Managed Service for Prometheus has been reduced by 25-50%, depending on volume and usage. Existing pricing tiers have been reduced by 25%, and a new high-volume tier has been added at 50% of the current cost. For pricing details, see Cloud Monitoring pricing summary, and for a set of examples, see Pricing examples based on samples ingested.

Cloud Run

You can now tag services using Resource Manager tags for fine-grained access control.

Config Controller

Config Controller now uses version 1.11.1 for Anthos Config Management (release note)

Deep Learning Containers

M92 Release

  • TensorFlow Enterprise 2.9 is now available. Note that this TensorFlow Enterprise version does not include Long Term Version Support.
  • Starting with PyTorch 1.11, PyTorch environments now support XLA by default.
  • TensorFlow Enterprise patch releases: 2.6.4 and 2.8.1.
  • Deep Learning Containers are now available on Artifact Registry.

Deep Learning VM Images

M92 Release

  • TensorFlow Enterprise 2.9 is now available. Note that this TensorFlow Enterprise version does not include Long Term Version Support.
  • Starting with PyTorch 1.11, PyTorch environments now support XLA by default.
  • TensorFlow Enterprise patch releases: 2.6.4 and 2.8.1.

Eventarc

Eventarc is now available in the following regions:

  • europe-west8 (Milan, Italy)
  • europe-west9 (Paris, France)

Google Cloud Armor

The rule source for Cloud Armor preconfigured rules now includes ModSecurity Core Rule Set (CRS) 3.3 in public preview. For more information, see Tuning Google Cloud Armor WAF rules.

Security Command Center

Updates were made to the applications that let you send Security Command Center data to the following SIEM and SOAR platforms:

In addition, Security Command Center can automatically send findings, assets, audit logs, and security sources to Splunk. For more information, see Sending Security Command Center data to Splunk.

Tensorflow Enterprise

TensorFlow Enterprise 2.9 is now available. Note that this TensorFlow Enterprise version does not include Long Term Version Support.

TensorFlow Enterprise 2.6 has been updated to 2.6.4.

TensorFlow Enterprise 2.8 has been updated to 2.8.1.

Workflows

Workflows using callbacks that were deployed on or before January 11, 2022 must be redeployed to continue executing workflows without failures.

May 13, 2022

Cloud Composer

Cloud Composer 1.18.8 and 2.0.12 release started on May 13, 2022. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.

Cloud Composer performs several retries when checking pip connectivity.

(Cloud Composer 2) Workers and schedulers generate a warning log message when storage usage is close to the limit.

(Airflow 2) The default value for the [webserver]worker_refresh_interval Airflow configuration option is changed to 600 seconds.

(Cloud Composer 1) Increased the memory limit for GCSfuse on machine types that have more than 4 GB of memory. This change improves the stability of the syncing process between the environment's bucket and worker pods.

(Available without upgrading) The domain prefix for Private Service Connect subnetwork (connection_subnetwork) is now omitted in environment details.

(Airflow 2.2.3) Web server log messages in Airflow UI now have a correct time zone.

Fixed a problem where DAG import errors were not displayed in Cloud Console for Private IP environments in certain versions of Cloud Composer.

(Airflow 1.10.15) Fixed the variables set command. Now it correctly sets values for specified variables.

Cloud Composer 1.18.8 and 2.0.12 images are available:

  • composer-1.18.8-airflow-1.10.15 (default)
  • composer-1.18.8-airflow-2.1.4
  • composer-1.18.8-airflow-2.2.3
  • composer-2.0.12-airflow-2.1.4
  • composer-2.0.12-airflow-2.2.3

Cloud Composer versions 1.16.3, 1.16.4, and 1.17.0.preview.0 have reached their end of full support period.

Cloud SQL for MySQL

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Cloud SQL for PostgreSQL

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Cloud SQL for SQL Server

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Datastream

Datastream now supports backfilling Oracle database tables that have more than 100 million rows. Click here to access the documentation.

Firestore

Firebase App Check now supports Firestore at the General Availability release level. Use App Check in your mobile or web app to ensure that only your app can access your Firestore data.

Google Kubernetes Engine

Tags are now available. You can use tags to group or organize your clusters according to custom business dimensions. This is in addition to the hierarchical resource organization provided by GCP's resource manager. The integration of tags with policy engines (via conditional rules) such as IAM or Organization Policy, also allows you to apply centralized policies to custom security perimeters defined through tag bindings.

May 12, 2022

Anthos Service Mesh

1.11.8-asm.1 is now available.

This patch release includes the features of Istio 1.11.8 subject to the list of Anthos Service Mesh Supported features. Anthos Service Mesh version 1.11.8-asm.1 uses envoy v1.19.3.

1.12.6-asm.3 is now available.

This patch release contains the features of Istio 1.12.6 subject to the list of Anthos Service Mesh Supported features. Anthos Service Mesh version 1.12.6-asm.3 uses envoy v1.20.3.

1.13.2-asm.5 is now available.

This patch release contains the features of Istio 1.13.2 subject to the list of Anthos Service Mesh Supported features. Anthos Service Mesh version 1.13.2-asm.5 uses envoy v1.21.2.

Apigee Connectors

Preview release of new Connectors for Apigee

On May 12, 2022, we released the preview version of new Connectors for Apigee.

The following new connectors are available for Apigee:

Cloud Healthcare API

The Healthcare Natural Language API is now available in the europe-west2 location.

Eventarc VPC Service Controls

General availability for the following integration:

Vertex AI Workbench

M91 release

The M91 release of Vertex AI Workbench managed notebooks includes the following:

  • Log streaming to the consumer project via Logs Viewer is now supported
  • Added the net-tools package
  • Regular package refreshments and bug fixes

Fixed an issue that caused Spark server networking errors when using Dataproc Serverless Spark and VPC Peering

Workflows

The following functions have been added:

A Status field that tracks the current steps and progress of an execution is available in Preview. See the Workflows Executions REST API Overview.

May 11, 2022

Apigee Integrated Portal

On May 11, 2022 we released an updated version of the Apigee Integrated Portal software.

Bug ID | Description
228603948 | Fixed an issue that prevented users from editing custom fields for account creation and signup.
228339667 | Documentation now reflects support for the STARTTLS SMTP authorization type.
227511014 | Fixed an issue that prevented V1 Portals from being upgraded to V2.
224991572 | Improvements to the Get Started documentation bundled with a new portal. Create a new portal and then click Get Started to see the new content.
220980189 | Fixed issue with publishing API Products on a Portal when the organization has over 1,000 API Products.
218320618 | Page descriptions are now limited to 1,000 characters. Page content is now limited to 1 MB.
210651558 | Fixed issue where adding a new API Product subscription to an App would remove all scopes on the Apps credentials.

Apigee hybrid

hybrid v1.6.7

On May 11, 2022 we released an updated version of the Apigee hybrid v1.6.7 software.

For information on upgrading, see Upgrading Apigee hybrid to version 1.6.

Bug ID | Description
227600373 | Fixed an installation issue with Cassandra.
227538469 | Configuration actions would write logs to the pod file system.
226964206 | MART, runtime and synchronizer would write to the pod file system.
226464960 | Apigee hybrid fresh installations on OpenShift 4.6 and 4.8 would fail.
225081332 | Allow privileged pods issue.
224620542 | On some Kubernetes platforms, logging would fail without adding an empty directory for the logs.
223081301 | Fixed organization-level UDCA incorrect http-proxy secret name.
222649295 | Organization-level UDCA would hang.
221266789 | Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes.
213261445 | Fixed reliance on keystore generated by cert manager for metrics endpoint and removed the need for a custom generate_cert script.
205616792 | Fixed core dump on running user schema setup.

Chronicle

The following supported default parsers have changed (listed by product name and ingestion label):

  • ExtraHop RevealX (EXTRAHOP)
  • Imperva (IMPERVA_WAF)
  • Windows Event (WINEVTLOG)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Elastic Packet Beats (ELASTIC_PACKETBEATS)
  • Elastic Audit Beats (ELASTIC_AUDITBEAT)
  • Sendmail (SENDMAIL)
  • VMware vCenter (VMWARE_VCENTER)
  • AWS VPC Flow (AWS_VPC_FLOW)
  • Bluecat DDI (BLUECAT_DDI)
  • Cisco ACS (CISCO_ACS)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Forcepoint Proxy (FORCEPOINT_WEBPROXY)
  • McAfee ePolicy Orchestrator (MCAFEE_EPO)
  • Office 365 (OFFICE_365)
  • Apple MacOS (MACOS)
  • Archer Integrated Risk Management (ARCHER_IRM)
  • Cisco Meraki (CISCO_MERAKI)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • IBM DB2 (DB2_DB)
  • Cisco ISE (CISCO_ISE)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • Juniper Junos (JUNIPER_JUNOS)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • VMware ESXi (VMWARE_ESX)
  • Digital Shadows SearchLight (DIGITAL_SHADOWS_SEARCHLIGHT)
  • Azure Firewall (AZURE_FIREWALL)
  • ForgeRock OpenAM (OPENAM)
  • FortiGate (FORTINET_FIREWALL)
  • ZScaler NGFW (ZSCALER_FIREWALL)
  • OpenVPN (OPEN_VPN)

For details about the changes in each parser, see Supported default parsers.

Cloud Healthcare API

The following methods now look up references to resource versions and return them if they exist:

Cloud Monitoring

Private uptime checks are now generally available. Private uptime checks enable HTTP requests into a customer Virtual Private Cloud (VPC) network while enforcing Identity and Access Management (IAM) restrictions and VPC Service Controls perimeters. Private uptime checks can send requests over the private network to resources like a virtual machine (VM) or an L4 internal load balancer (ILB).

For more information, see Create private uptime checks.

Cloud Run

Cloud Run jobs are now available in Preview.

Google Kubernetes Engine

(2022-R11) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.21.11-gke.900 is now the default version.
  • The following control plane versions are no longer available:
    • 1.21.6-gke.1503
    • 1.21.9-gke.300
    • 1.21.9-gke.1001
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to 1.19.16-gke.9900 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to 1.19.16-gke.9900 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.23 to 1.23.5-gke.1501 with this release.

Stable channel

  • The following versions are now available in the Stable channel:

  • Version 1.19.16-gke.9400 is no longer available in the Stable channel.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.9900 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.9900 with this release.

Regular channel

  • Version 1.21.11-gke.900 is now the default version in the Regular channel.
  • The following versions are now available in the Regular channel:

  • The following versions are no longer available in the Regular channel:

    • 1.20.15-gke.5000
    • 1.21.6-gke.1503
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.5200 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.21.11-gke.900 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to 1.21.11-gke.900 with this release.

Rapid channel

  • Version 1.22.8-gke.2200 is now the default version in the Rapid channel.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.22.8-gke.2200 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.22 to 1.22.8-gke.2200 with this release.

Network Intelligence Center

Network Analyzer is now available in Preview.

May 10, 2022

Apigee hybrid

Issue ID: 231758700, 231976420
Affects: Apigee hybrid 1.7.x, Apigee hybrid 1.6.x, Apigee hybrid 1.5.x
Status: OPEN
Description: Apigee Hybrid Dockerhub customers unable to pull images with Docker Content Trust enabled.

Users are encountering the following error when pulling images for Apigee Hybrid from Docker Hub: ERRO[0001] Metadata for targets expired. This applies to the following hybrid components:

  • google/apigee-authn-authz
  • google/apigee-mart-server
  • google/apigee-runtime
  • google/apigee-synchronizer

Workaround

If you encounter this error, you can use one of the two following workarounds:

  • Switch to using gcr.io/apigee-release to pull hybrid images.
  • Disable Docker Content Trust by setting the DOCKER_CONTENT_TRUST environment variable to 0.

Artifact Registry

Artifact Registry is now available in the europe-southwest1 region (Madrid, Spain).

Chronicle

The following new fields are available in the Unified Data Model:

For a list of fields in the Unified Data Model, and descriptions, see the Unified Data Model field list.

Cloud Build

You can now use Cloud Build attestors to secure your image deployments. To learn how to set up gated deployments, see Securing image deployments to Cloud Run and Google Kubernetes Engine. To learn how to view build integrity records, see Viewing build provenance. This feature is generally available.

Cloud Composer

The following deprecated operators are no longer actively maintained and will be removed in one of the future versions of operators for Airflow 2. Make sure to switch to alternative operators.

Deprecated operators: BigQueryExecuteQueryOperator, BigQueryPatchDatasetOperator, DataflowCreateJavaJobOperator, DataflowCreatePythonJobOperator, DataprocScaleClusterOperator, DataprocSubmitPigJobOperator, DataprocSubmitSparkSqlJobOperator, DataprocSubmitSparkJobOperator, DataprocSubmitHadoopJobOperator, DataprocSubmitPySparkJobOperator, MLEngineManageModelOperator, MLEngineManageVersionOperator, GCSObjectsWtihPrefixExistenceSensor.

Cloud Key Management Service

Cloud KMS is available in the following region:

  • europe-southwest1

For more information, see Cloud KMS locations.

Cloud Router

Cloud Router now supports MD5 authentication of BGP sessions. This feature is available in preview. For more information, see Use MD5 authentication.

Cloud Storage

Cloud Storage is now available in Madrid, Spain (europe-southwest1 region).

Cloud Talent Solution Job Search

  • Jobs within the same state will rank higher in results when you search for jobs in a state-level location with the TELECOMMUTE_ALLOWED option.
  • keywordSearchable will be returned correctly in Job instance responses.
  • Fixed the compensation histogram query to return the correct histogram result.

Cloud VPN

Cloud VPN is now available in region europe-southwest1 (Madrid, Spain).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

Generally available: Madrid, Spain europe-southwest1-a,b,c has launched with E2 and N2 VMs available in all three zones.

See VM instance pricing for details.

Config Connector

Config Connector version 1.84.0 is now available.

Added IAMPolicy and IAMPolicyMember support for AccessContextManagerAccessPolicy.

Added spec.approvalConfig field to CloudBuildTrigger.

Added spec.rule.redirectOptions field to ComputeSecurityPolicy.

Added spec.addonsConfig.gkeBackupAgentConfig field to ContainerCluster.

Added cnrm.cloud.google.com/skip-wait-on-job-termination directive to DataflowFlexTemplateJob and DataflowJob.

Added spec.rrdatasRefs field to DNSRecordSet.

Added spec.columnLayout.columns.widgets.logsPanel, spec.gridLayout.widgets.logsPanel, spec.mosaicLayout.tiles.widget.logsPanel, and spec.rowLayout.rows.widgets.logsPanel fields to MonitoringMonitorDashboard.

Added spec.enableExactlyOnceDelivery field to PubSubSubscription.

Reduced reconciliation frequency of ConfigConnector object.

Deprecated spec.rrdatas field in DNSRecordSet.

Renamed spec.template.volumes.cloudSqlInstance.connections to spec.template.volumes.cloudSqlInstance.instances in RunService (Alpha).

Removed spec.template.confidential field from RunService (Alpha).

Removed status.terminalCondition.domainMappingReason and status.terminalCondition.internalReason fields from RunService (Alpha).

Removed spec.gateways field from NetworkServicesTCPRoute (Alpha).

Dataflow

Dataflow is now available in Madrid (europe-southwest1).

Google Cloud Deploy

Google Cloud Deploy now lets you change the timeout for Cloud Build operations, from the default setting of 1 hour.

Google Kubernetes Engine

The europe-southwest1 region in Madrid is now available.

Managed Service for Microsoft Active Directory

Managed Microsoft AD is available in the following regions:

  • australia-southeast2 (Melbourne)
  • europe-central2 (Warsaw)
  • northamerica-northeast2 (Toronto)
  • us-west3 (Salt Lake City)
  • us-west4 (Las Vegas)

For more information, see Adding and removing regions.

Memorystore for Memcached

Added new Memorystore for Memcached region: Madrid (europe-southwest1).

Pub/Sub

Pub/Sub is now available in europe-southwest1 (Madrid).

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.204.0.0/20 for the Madrid europe-southwest1 region. For more information, see Auto mode IP ranges.

May 09, 2022

Anthos clusters on AWS

You can now launch clusters with Kubernetes versions 1.21.11-gke.1100 and 1.22.8-gke.1300.

In 1.22.8-gke.1300, fixed an issue where add-ons could not be applied when Windows node pools are enabled.

In 1.22.8-gke.1300, fixed an issue where the logging agent could fill up attached disk space.

These releases include the following role-based access control (RBAC) changes:

  • Scoped down anet-operator permissions for Lease update.
  • Scoped down anetd Daemonset permissions for Nodes and pods.
  • Scoped down fluentbit-gke permissions for service account tokens.
  • Scoped down gke-metrics-agent for service account tokens.
  • Scoped down coredns-autoscaler permissions for Nodes, ConfigMaps and Deployments.

These releases fix the following CVEs:

Anthos clusters on Azure

You can now launch clusters with Kubernetes versions 1.21.11-gke.1100 and 1.22.8-gke.1300.

In 1.22.8-gke.1300, fixed an issue where the logging agent could fill up attached disk space.

In 1.22.8-gke.1300, fixed an issue where add-ons could not be applied when Windows node pools are enabled.

These releases fix the following CVEs:

These releases include the following role-based access control (RBAC) changes:

  • Scoped down anet-operator permissions for Lease update.
  • Scoped down anetd Daemonset permissions for Nodes and pods.
  • Scoped down fluentbit-gke permissions for service account tokens.
  • Scoped down gke-metrics-agent for service account tokens.
  • Scoped down coredns-autoscaler permissions for Nodes, ConfigMaps and Deployments.

Apigee API hub

On May 9, 2022 Apigee hub released a new version of the software.

Bug ID | Description
231715589 | When viewing the API hub getting started page in the Google Cloud console, if you switched to another un-provisioned project, the browser encountered a redirect loop.

Apigee X

On May 9, 2022 we released an updated version of the Apigee X software (1-8-0-apigee-5).

The GoogleIDToken.Audience tag now includes the useTargetUrl attribute to simplify audience configuration of Google ID tokens for Apigee policies.

Bug ID | Description
221292104 | Fix to address failure to capture requests in Debug sessions involving PostClientFlow ServiceCallouts.
228855520 | Upgraded ASM to the latest version.

Bug ID | Description
217497793 | A security issue was addressed.

Cloud Load Balancing

Regional external and regional internal HTTP(S) load balancers now support using Cloud Run services as backends for the load balancer. This is configured using a serverless network endpoint group (NEG).

For details, see:

This feature is available in Preview.

Cloud Run

The following new region is now available: europe-southwest1.

Compute Engine

Generally available: Insights for idle VM and machine size recommendations help you assess the utilization of your Compute Engine resources. Insights are automatically generated based on system metrics or metrics gathered by the Cloud Monitoring service.

Learn more about VM insights and MIG insights.

Config Controller

Config Controller now uses version 1.83.0 for Config Connector (release notes)

Dataproc

New sub-minor versions of Dataproc images:

1.5.65-debian10, 1.5.65-ubuntu18, 1.5.65-rocky8

2.0.39-debian10, 2.0.39-ubuntu18, 2.0.39-rocky8

Dataproc Serverless for Spark now uses runtime version 1.0.12.

Fixed an issue where chronyd systemd service failed to start due to a race condition between systemd-timesyncd and chronyd.

Dataproc Serverless for Spark runtime version 1.0.1 is unavailable for new batch submissions.

Virtual Private Cloud

Reserving static regional external IPv6 addresses is available as a limited Preview feature. Contact your sales representative for access.

May 06, 2022

Cloud Monitoring

You can now configure Metrics Explorer and charts on dashboards to display a ratio of metrics by using the Cloud Console. For more information, see Ratios of metrics.

Cloud Storage

us-east4 is now available for dual-region storage. This feature is now in Preview.

Google Cloud Deploy

Google Cloud Deploy now supports Skaffold version 1.37.1 as the default.

Resource Manager

The feature for listing the effectively evaluated tags on a resource has launched into public preview. For more information, see Listing effective tags on a resource.

SAP on Google Cloud

Extreme persistent disks are available for SAP HANA with improved functionality

Recent enhancements have further optimized extreme persistent disks, removing any potential limitations for using extreme persistent disks with SAP HANA.

For more information about extreme persistent disks and SAP HANA, see:

May 05, 2022

BigQuery

The new format element %J is generally available (GA) for DATE, TIME, DATETIME, and TIMESTAMP functions. This format element lets you use the ISO 8601 1-based day of the year.

PARSE_DATE, PARSE_TIME, PARSE_DATETIME, and PARSE_TIMESTAMP now support the following date and time format elements: %a, %A, %g, %G, %j, %u, %U, %V, %w, and %W.

Cloud Asset Inventory

Documentation for Policy Analyzer has moved to the Policy Intelligence documentation.

Cloud Bigtable

A Cloud Bigtable table overview page in the Cloud console is now generally available (GA). The table overview displays monitoring metrics and replication details for a selected table.

Cloud Build

Cloud Build now supports a script field, which allows users to specify shell scripts to execute in a build step. This feature is available as a preview release. To learn more, see Using the script field.

Cloud Load Balancing

Regional external HTTP(S) load balancers now support Shared VPC configurations where the load balancer's forwarding rule, target proxy, and URL map, can be created in a host or service project, while the backend services and backends can be distributed across multiple service projects in the Shared VPC environment. This is referred to as cross-project service referencing. Cross-project backend services can be referenced from a single URL map.

Cross-project service referencing gives service developers and admins autonomy over the exposure of their services through the centrally managed load balancer.

For details, see:

This feature is available in Preview.

Cloud Logging

You can now hide large amounts of similar log entries from your query results in the Logs Explorer. To learn more, see Hide similar logs.

Cloud Monitoring

SLO monitoring: Cloud Monitoring can now detect potential GKE- and Cloud Run-based services in your project. Monitoring provides a list of such candidate services, and you can now identify the candidates you want to monitor and create SLOs for them by using the Cloud Console. For more information, see Defining a microservice.

Cloud Run

You can now define service-level objectives (SLOs) for your Cloud Run services using SLO monitoring in Cloud Monitoring or the Cloud Run service page.

Cloud Vision

OCR model migration reverted

We have switched the "builtin/stable" model back to the original version temporarily while we fix a bug resulting from this migration. The week of May 16th, we will update the "builtin/stable" model used for OCR again with the model from "builtin/latest" and create a new release note.

You will be able to use the original model as "builtin/legacy" for 90 more days after we upgrade "builtin/stable".

Identity and Access Management

Documentation for Activity Analyzer, IAM insights, IAM Policy Troubleshooter, IAM role recommendations, and IAM Policy Simulator has moved to the Policy Intelligence documentation.

May 04, 2022

Anthos clusters on bare metal

Release 1.10.4

Anthos clusters on bare metal 1.10.4 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.10.4 runs on Kubernetes 1.21.

Fixes:

  • The following container image security vulnerabilities have been fixed:

  • Role-based access control (RBAC) fixes:

    • Set AutomountServiceAccountToken field for Node Problem Detector jobs and etcd-defrag Daemonsets to false.

    • Set capi-kubeadm-bootstrap-controller-manager to use a dedicated service account.

    • Scoped down configmap/(get, list, watch) permissions to metallb-config resource name.

    • Scoped down configmap/get permission to core-dns-autoscaler resource name.

    • Removed services.update permission for the MetalLB kube-system:controller role.

    • anetd

      • Removed Cilium service account and replaced it with the account used by kubelet.

      • Removed pod and node access from Cilium cluster role.

      • Added Cilium cluster role to the kubelet service account.

      • Removed pods/(delete) role from cilium-operator cluster role.

      • Scoped down leases permissions in cilium-operator cluster role to cilium-operator-resource-lock resource name and kube-controller-manager resource name.

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Apigee API hub

On May 4, 2022 Apigee API hub began the release of a new version of the software for Public Preview.

At Public Preview, products or features are ready for testing by customers. Preview offerings are often publicly announced, but are not necessarily feature-complete, and no SLAs or technical support commitments are provided for these. Unless stated otherwise by Google, Preview offerings are intended for use in test environments only.

Added the API Hub label in the Apigee community.

Added provisioning instructions.

Documentation: Provision API hub

Added instructions on how to get support.

Documentation: Get support

Action buttons in the UI are now disabled if you do not have appropriate permissions to perform the action.

Apigee Integrated Portal

On May 4, 2022 we released an updated version of the Apigee Integrated Portal software.

Error messages for rejected logins for an inactive user are now more informative to the user.

Emails from portal-sso will either be the email address of the sender that the user sets up in the custom smtp settings, or it will be no-reply@google.com, instead of the human-readable name orgname-portalname. This screenshot illustrates emails sent from portal-sso in e2e. It shows one email with custom smtp settings (tsnow-custom-smtp) and one email with the default settings (no-reply).

Bug ID | Description
220993729 | Portal SSO showed the Apigee domain when hovering over footer links in third-party web pages.
220188030 | Reset password was not working for LDAP configurations.
214146121 | An authentication issue with Apigee SSO has been fixed.
204952689 | Fixed miscellaneous logback error.
194469693 | Enabled SAML config error so that it is visible.
194053231 | Added server-side validation for the password field. If the password is non-compliant, the response is 422:Unprocessable Entity.
190609332 | Improved error output for failures while enabling SSO for Apigee.
157131343 | Added support for the parenthesis () and plus + characters for built-in IDP custom fields. Other special characters will continue to be blocked due to security reasons.

ID | Description
200604177 | Upgraded jQuery and Bootstrap

Apigee UI

On May 4, 2022 we released an updated version of the Apigee UI.

We have released a new version of the Develop tab in the Proxy Editor. See Introducing the new Proxy Editor.

App Engine standard environment Ruby

The Ruby 3.0 runtime for App Engine standard environment is now generally available.

Channel Services

Rebilling is now available in the Partner Sales Console and Cloud Channel API. This new billing data service helps you simplify your customer billing process by configuring discounts and exporting your billing data to a BigQuery dataset.

Cloud Functions

Cloud Functions now supports Ruby 3.0 at the General Availability release level.

Cloud SQL for MySQL

Support for europe-west9 (Paris).

Cloud SQL for PostgreSQL

Support for europe-west9 (Paris).

Cloud SQL for SQL Server

Support for europe-west9 (Paris).

Google Kubernetes Engine

Spot Pods for GKE Autopilot clusters is now generally available. Use Spot Pods to run your fault-tolerant workloads at reduced costs.

Spot VMs on GKE is now generally available. Spot VMs let you run fault-tolerant workloads at lower costs.

Resource Manager

The resource usage restriction Organization Policy constraint has launched into general availability.

May 03, 2022

Anthos Service Mesh

Version 1.13 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel.

Version 1.12 is being promoted to the Regular Release Channel, and version 1.11 is being promoted to the Stable Release Channel.

See Select a managed Anthos Service Mesh release channel for more information.

In addition to the existing labels, you can now use the "istio-injection" label as an alias. For more information, see Injection labels.

Artifact Registry

Artifact Registry is now available in the europe-west9 region (Paris, France).

BigQuery ML

The following new features are now generally available (GA) for ARIMA_PLUS models:

To learn how to achieve one hundred times higher scalability with the ARIMA_PLUS model while using the new forecasting accuracy metrics, see Accelerate ARIMA_PLUS to forecast 1 million time series within hours. You can also read ARIMA_PLUS best practices.

Cloud Asset Inventory

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory), the Feed API, and the Search APIs (SearchAllResources and SearchAllIamPolicies):

  • Certificate Authority Service
    • privateca.googleapis.com/Certificate

Cloud Bigtable

Cloud Bigtable is available in the europe-west9 (Paris) region. For more information, see Bigtable locations.

Cloud Functions

Cloud Functions has added support for the following new runtimes at the Preview release level:

Cloud Healthcare API

The Healthcare Natural Language API is available in the following locations:

Cloud Key Management Service

Cloud KMS is available in the following region:

  • europe-west9

For more information, see Cloud KMS locations.

Cloud Run

The following new region is now available: europe-west9.

Cloud Spanner

You can create Cloud Spanner regional instances in Paris (europe-west9).

Query Optimizer version 4 is generally available, and is the default optimizer version.

Compute Engine

Generally available: Paris, France europe-west9-a,b,c has launched with general-purpose E2 and N2 VMs available in all three zones.

See VM instance pricing for details.

Dataflow

Dataflow is now available in Paris (europe-west9).

Dataproc

New sub-minor versions of Dataproc images:

1.5.64-debian10, 1.5.64-ubuntu18, 1.5.64-rocky8

2.0.38-debian10, 2.0.38-ubuntu18, 2.0.38-rocky8

Dataproc Serverless for Spark now uses runtime version 1.0.11.

If you request to cancel a job in one of the following states, Dataproc will return the job, but not initiate cancellation, since it is already in progress: CANCEL_PENDING, CANCEL_STARTED, or CANCELLED.

When submitting a Dataproc job or workflow that selects a cluster that matches the specified labels, Dataproc will avoid choosing clusters that are in a state that disallows running jobs. Specifically, Dataproc will only choose among clusters in one of the following states: RUNNING, UPDATING, CREATING, or ERROR_DUE_TO_UPDATE.

Added Dataproc Serverless support for updating the Cloud Storage connector using the dataproc.gcsConnector.version and dataproc.gcsConnector.uri properties.

Hive: Upgrade to Apache ORC 1.5.13 in image version 2.0. Notable in this release are 2 bug fixes: ORC-598 and ORC-672, related to handling ORC files with arrays larger than 1024 elements.

Dataproc correctly defaults NodePool locations when the GKE cluster is in us-east1 and europe-west1.

Dataproc Serverless for Spark runtime version 1.0.0 is unavailable for new batch submissions.

Google Kubernetes Engine

(2022-R10) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Version 1.21.10-gke.2000 is now the default version in the Stable channel.

  • The following versions are now available in the Stable channel:

  • The following versions are no longer available in the Stable channel:

    • 1.19.16-gke.9200
    • 1.20.15-gke.2500
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.9400 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.21.10-gke.2000 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.22 to 1.22.8-gke.200 with this release.

Regular channel

  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.20.15-gke.4100
    • 1.21.5-gke.1805
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to 1.20.15-gke.5000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to 1.20.15-gke.5000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.23 to 1.23.5-gke.1501 with this release.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.21.11-gke.900
    • 1.22.7-gke.1300
    • 1.23.5-gke.200
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to 1.20.15-gke.4100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to 1.21.11-gke.1100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to 1.21.11-gke.1100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.23 to 1.23.5-gke.1500 with this release.

The europe-west9 region in Paris is now available.

Memorystore for Memcached

Added new Memorystore for Memcached region: Paris (europe-west9).

Pub/Sub

Pub/Sub is now available in europe-west9 (Paris).

May 02, 2022

Anthos clusters on AWS (previous generation)

Anthos Clusters on AWS aws-1.11.0-gke.6 (previous generation) is now available. Clusters in this release support the following Kubernetes versions:

  • 1.22.8-gke.1300
  • 1.21.11-gke.1100
  • 1.20.15-gke.5200

The issue announced in the April 19th release note regarding the creation of 1.22 clusters has been resolved. You can now create 1.22 clusters.

This release fixes the following CVEs:

This release removes unneeded permissions from the coredns-autoscaler, calico-typha, and konnectivity-agent-autoscaler components.

Anthos clusters on VMware

Creating a 1.11.0 user cluster with a 1.10 admin cluster fails. If you need a 1.11.0 user cluster, use the following workaround:

  1. Create a 1.10 user cluster.

  2. Upgrade the user cluster to 1.11.0.

  3. Optionally, upgrade the admin cluster to 1.11.0. After the admin cluster is upgraded, you can create 1.11.0 user clusters.

For details on how to upgrade, see Upgrading Anthos clusters on VMware.

Anthos clusters on bare metal

Release 1.11.1

Anthos clusters on bare metal 1.11.1 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.11.1 runs on Kubernetes 1.22.

Fixes:

  • Resolved cluster installation issue in which cluster status is prematurely declared ready, resulting in a "Failed to wait for applied resources" error.

  • Added validation that a cluster's kubeconfig secret data is correct.

  • Added feature so that bmctl outputs line numbers of the relevant YAML when a parsing error occurs.

  • Removed the misleading log "Waiting for pod to finish" on pods such as anetd that aren't meant to finish.

  • Added automatic inclusion of a control plane's virtual IP address to the cluster NO_PROXY list.

  • Role-based access control fixes:

    • Set AutomountServiceAccountToken field for Node Problem Detector jobs to false.

    • Set capi-kubeadm-bootstrap-controller-manager to use a dedicated service account.

    • Scoped down deployment/(update,patch) permissions to the metrics-server resource name.

    • Scoped down configmap/(get, list, watch) permissions to metallb-config resource name.

    • anetd:

      • Removed Cilium service account and replaced it with the account used by kubelet.

      • Removed pod and node access from Cilium cluster role.

      • Added Cilium cluster role to the kubelet service account.

      • Removed pods/(delete) role from cilium-operator cluster role.

      • Scoped down leases permissions in cilium-operator cluster role to cilium-operator-resource-lock resource name and kube-controller-manager resource name.

  • The following container image security vulnerabilities have been fixed:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Artifact Registry

Getting and listing Artifact Registry locations in a project now requires the following permissions:

  • artifactregistry.locations.list
  • artifactregistry.locations.get

You can grant these permissions with the Artifact Registry Reader role (roles/artifactregistry.reader) or another role that includes these permissions.

BigQuery

Case-insensitive collation support for BigQuery is now available for Preview. Collation determines how strings are sorted and compared in collation-supported operations. If case-insensitive collation is used, case is ignored in comparison and sorting operations.

These operations support collation:

The COLLATE function is now available for Preview in Google Standard SQL for BigQuery. With the COLLATE function, you can pass in a STRING and return a STRING with a collation specification.

The DEFAULT COLLATE clause is now available for Preview. With this clause, the default collation specification is applied to all column data types supporting collation. You can use the DEFAULT COLLATE clause in the following DDL statements:

The COLLATE clause is now available for Preview. With this clause, a collation specification is applied to a specific column in a table. You can use the COLLATE clause in the following DDL statements:

Cloud SQL for MySQL

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Cloud SQL for PostgreSQL

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Cloud SQL for SQL Server

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Cloud Storage

Cloud Storage is now available in Paris, France (europe-west9 region).

Cloud VPN

Cloud VPN is now available in region europe-west9 (Paris, France).

Pricing is available on the Cloud VPN pricing page.

Cloud Vision

OCR model migration

The TEXT_DETECTION and DOCUMENT_TEXT_DETECTION models have been upgraded to newer versions. The API interface and client library will be the same as the previous version. The API follows the same Service Level Agreement.

The legacy models can still be accessed until August 02, 2022. Specify "builtin/legacy" in the model field of a Feature object to get the old model results. After August 02, 2022, the legacy models will no longer be offered.

Config Controller

Config Controller is now supported in regions europe-north1 and australia-southeast1.

Added --use-private-endpoint flag to gcloud anthos config controller create to restrict access to the master's private endpoint IP of a config controller instance. Available in gcloud 378.0.0 (release note).

Added gcloud anthos config controller get-config-connector-identity, which prints the default Config Connector identity, to allow easier subsequent permission grants. Available in gcloud 383.0.0 (release notes).

gcloud anthos config controller create now prints the default Config Connector identity, to allow easier subsequent permission grants. Available in gcloud 383.0.0 (release notes).

Config Controller now uses version 1.82.0 for Config Connector (release notes).

Memorystore for Memcached

Added new Memorystore for Memcached region: Milan (europe-west8).

Traffic Director

Traffic Director's service routing APIs now include Gateway TLS routing.

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.200.0.0/20 for the Paris europe-west9 region. For more information, see Auto mode IP ranges.

May 01, 2022

Certificate Manager

Billing has been enabled. Certificate Manager usage is billed at 100% discount until the end of the Preview period.

April 29, 2022

Cloud Composer Cloud Healthcare API

A release was made. Updates may include general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud SQL for MySQL

MySQL 8.0 is now the default major database version for Cloud SQL for MySQL.

Compute Engine

Generally available: Spot VMs are available for all machine types, regions, and zones. Use Spot VMs for workloads that can withstand preemption to receive large discounts. Spot VMs provide discounts of 60-91% off the on-demand price for standard VMs for machine types and GPUs and also provide smaller discounts for local SSDs. Spot prices can change up to once a month to reflect the underlying supply and demand.

Spot VMs are the latest version of preemptible VM instances. Although new and existing preemptible VMs continue to be supported and use the same prices as Spot VMs, Spot VMs provide new features that are not supported for preemptible VMs. For example, preemptible VMs can only run for up to 24 hours at a time, but Spot VMs have no maximum runtime.

Learn more about Spot VMs and preemptible VMs.

Google Cloud VMware Engine

The VMware Engine operations team will apply important security updates to vCenter Server and NSX-T beginning early May 2022. Users affected by this upgrade will receive an email with planned maintenance dates and times.

For details about the maintenance scope and impact, see Service announcements.

Identity and Access Management

Support for using workload identity federation with any SAML 2.0-compatible identity provider is now generally available.

April 28, 2022

Anthos clusters on VMware

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all Linux node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.

Cloud Logging

You can now comment within your Logging queries. For more information, see Logging query language: comments.

Cloud SQL for MySQL

The following Cloud SQL recommenders that help you optimize your database costs are now generally available:

Cloud SQL for PostgreSQL

The following Cloud SQL recommenders that help you optimize your database costs are now generally available:

Cloud SQL for SQL Server

The following Cloud SQL recommenders that help you optimize your database costs are now generally available:

Dialogflow

Dialogflow ES has added preview support for the following languages:

Afrikaans, Albanian, Amharic, Armenian, Azerbaijani, Basque, Belarusian, Bosnian, Bulgarian, Catalan, Cebuano, Chichewa, Corsican, Croatian, Czech, Esperanto, Estonian, Frisian, Galician, Georgian, Greek, Gujarati, Haitian Creole, Hausa, Hmong, Hungarian, Icelandic, Igbo, Irish, Javanese, Kannada, Kazakh, Khmer, Kinyarwanda, Kurdish, Kyrgyz, Latin, Latvian, Lithuanian, Luxembourgish, Macedonian, Malagasy, Malayalam, Maltese, Maori, Mongolian, Nepali, Oriya/Odia, Punjabi, Samoan, Scots Gaelic, Serbian - Cyrillic, Serbian - Latin, Sesotho, Shona, Slovak, Slovenian, Somali, Sundanese, Swahili, Tajik, Tatar, Turkmen, Uzbek, Welsh, Xhosa, Yoruba, Zulu

Error Reporting

Preview: You can now get notification recommendations and insights for Error Reporting. For more information, see Error Reporting notification recommender and insights.

Firestore

The datastore.databases.getMetadata permission now supports custom Identity and Access Management roles.

Firestore in Datastore mode

The datastore.databases.getMetadata permission now supports custom Identity and Access Management roles. You can use custom roles with this permission to unlink your database from App Engine.

Network Intelligence Center

Connectivity to router appliances is now generally available in Network Topology. Google Cloud users can use Network Topology to audit their networking configuration and troubleshoot issues related to the router appliance instances.

Recommender

Preview: The Error Reporting notification recommender looks for recent crashes in your Cloud project and provides recommendations if you have not configured Error Reporting notifications.

Security Command Center

Security Command Center error detectors are generally available (GA). Error detectors report configuration errors that prevent Security Command Center and its services from functioning properly. Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

The connections[] and description attributes were added to the Finding object.

  • The connections[] attribute contains information about the IP connection associated with the finding. It includes the destination IP address, the destination port, the source IP address, the source port, and the protocol.
  • The description attribute provides an explanation of the finding.

For more information, see the API documentation for the Finding object.

April 27, 2022

Anthos clusters on VMware

Anthos clusters on VMware 1.11.0-gke.543 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.11.0-gke.543 runs on Kubernetes v1.22.8-gke.200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.11, 1.10, and 1.9.

  • The structure of the Anthos clusters on VMware documentation is substantially different from previous versions. For details, see New documentation structure.

  • Dockershim, the Docker Engine integration code in Kubernetes, was deprecated in Kubernetes 1.20, and will be removed in Kubernetes 1.24. Thus, the ubuntu OS node image type will not be supported at that time. You should plan to convert your node pools to use either the ubuntu_containerd or the cos OS image type as soon as possible. For more details, see Using containerd for the container runtime.

  • The connect project is now called fleet host project. For more information, see Fleet host project.

  • Kubernetes 1.22 has deprecated certain APIs, a list of which can be found in Kubernetes 1.22 deprecated APIs. In your manifests and API clients, you need to replace references to the deprecated APIs with references to the newer API calls. For more information, see the What to do section in the Deprecated API Migration Guide.

  • Several Anthos metrics have been deprecated for which data is no longer collected. For a list of deprecated metrics, including instructions to migrate to replacement metrics, see Replace deprecated metrics in dashboard.

Cluster lifecycle Improvements:

  • Admin cluster creation is now resumable. If admin cluster creation fails at any step, you can now rerun gkectl create admin to resume the admin cluster creation.

Platform enhancements:

  • Windows Node Pool:

    • GA: Support for Windows Dataplane V2 is generally available. Windows Dataplane V2 is now enabled by default for Windows node pools. This means that containerd is also enabled by default for Windows node pools.
    • Added deprecation notice for Windows nodes that Docker and Flannel will be removed in a subsequent version. If you are using Docker container runtime, you should update your user cluster configuration with gkectl update cluster to use containerd and Windows Dataplane V2 instead.
    • Added support for idempotent Windows startup script execution after node reboot.
    • New Windows Server 2019 OS build version 10.0.17763.2565 has been qualified for Anthos 1.11.0.
  • Egress NAT Gateway:

    • GA: Egress NAT Gateway is now generally available. With this feature, you can configure source network address translation (SNAT) so that certain egress traffic from user clusters is given a predictable source IP address. This enables return traffic from workloads outside the originating cluster to reach the cluster. For more information, see Configuring an egress NAT gateway.
  • MetalLB:

    • GA: The new load balancer option, MetalLB, is now generally available as another bundled software load balancer in addition to Seesaw.
  • Multinic logs:

    • The Fluent Bit Logging agent can now collect logs for Pods with multiple network interfaces, and send them to Cloud Logging. Logs will be collected as system logs and no extra charges will apply.

Security enhancements:

  • Admin cluster CA Certificate Rotation:

    • GA: You can now use gkectl to rotate system root CA certificates for admin clusters.

Simplify day-2 operations:

  • GA: gkectl update admin supports registering an existing admin cluster.
  • Cluster diagnosis improvements:
    • gkectl diagnose cluster automatically runs during admin or user cluster upgrade failure.
    • gkectl diagnose cluster searches and surfaces related events for any validation failure.
  • GA: gkectl update supports enabling and disabling of Cloud Logging and Cloud Monitoring in an existing cluster. You can also enable or disable logging to Cloud Audit Logs with gkectl update on both admin and user clusters.
  • Changes made to the metrics-server-config ConfigMap are now preserved across cluster upgrades.

Terminology changes:

The connect project is now called fleet host project. For more information, see Fleet host project.

We have removed the over-privileged RBAC permissions for the following components.

Anthos clusters on bare metal

Release 1.9.7

Anthos clusters on bare metal 1.9.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.7 runs on Kubernetes 1.21.

Fixes:

Known issues:

For information about the latest known issues, see Anthos on bare metal known issues in the Troubleshooting section.

Apigee API hub

On April 27, 2022 Apigee hub released a new version of the software.

All system taxonomy descriptions are now editable.

Chronicle

The following supported default parsers have changed (listed by product name and ingestion label):

  • Apache Tomcat (TOMCAT)
  • Azure AD (AZURE_AD)
  • BIND (BIND_DNS)
  • Bitdefender (BITDEFENDER)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Cisco ACS (CISCO_ACS)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco ISE (CISCO_ISE)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • CrowdStrike Falcon (CS_EDR)
  • Darktrace (DARKTRACE)
  • Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • EPIC Systems (EPIC)
  • F5 ASM (F5_ASM)
  • GCP Cloud Identity Device Users (GCP_CLOUDIDENTITY_DEVICEUSERS)
  • GMV Checker ATM Security (GMV_CHECKER)
  • HCL BigFix (HCL_BIGFIX)
  • Layer7 SiteMinder (SITEMINDER_SSO)
  • Microsoft Azure NSG Flow (AZURE_NSG_FLOW)
  • Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
  • Microsoft Powershell (POWERSHELL)
  • Mobileiron (MOBILEIRON)
  • Office 365 (OFFICE_365)
  • Salesforce (SALESFORCE)
  • SecureAuth (SECUREAUTH_SSO)
  • SentinelOne EDR (SENTINEL_EDR)
  • Windows Event (WINEVTLOG)
  • Workspace Activities (WORKSPACE_ACTIVITY)
  • ZScaler NGFW (ZSCALER_FIREWALL)

For details about the changes in each parser, see Supported default parsers.

Chronicle now supports the following functions in Detection Engine rules:

  • strings.concat(a, b)
  • strings.to_lower(stringText)
  • strings.to_upper(stringText)
  • strings.base64_decode(encodedString)
  • re.capture(stringText, regex)
  • re.replace(stringText, replaceRegex, replacementText)
  • timestamp.get_minute(unix_seconds [, time_zone])
  • timestamp.get_hour(unix_seconds [, time_zone])
  • timestamp.get_day_of_week(unix_seconds [, time_zone])
  • timestamp.get_week(unix_seconds [, time_zone])
  • timestamp.current_seconds()
  • math.abs(intExpression)

For more information about these functions, see YARA-L 2.0 language syntax.

Cloud Asset Inventory

The following searchable fields are now publicly available through the resource search API (SearchAllResources).

  • tagKeys
  • tagValues
  • tagValueIds

Google Kubernetes Engine

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.

April 26, 2022

Anthos clusters on AWS

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.

Anthos clusters on AWS (previous generation)

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.

Anthos clusters on Azure

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.

Anthos clusters on bare metal

Security bulletin (all minor versions)

Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect Linux operating systems supported by Anthos clusters on bare metal. For instructions and more details, see the GCP-2022-014 security bulletin.

Carbon Footprint

Viewing and exporting carbon footprint data now requires the billing.accounts.getCarbonInformation IAM permission. This permission is part of the Carbon Footprint Viewer (roles/billing.carbonViewer) and Billing Account Viewer (roles/billing.viewer) IAM roles.

Chronicle

The Chronicle Container Registry key is no longer needed and has been removed. The corresponding documentation on the Container Registry key for the Linux version of the Chronicle Forwarder has also been removed.

Cloud Logging

You can now do the following in the improved Logs Explorer:

When querying your logs data in the Logs Explorer, you can now select queries from a library, making it easier to explore your data and find logs during time-critical troubleshooting sessions.

Vertex AI

You can now train your custom models using Cloud TPU Architecture (TPU VMs).

April 25, 2022

BigQuery

The ability to configure the time travel window is now in Preview. You can specify the duration of the time travel window, from a minimum of two days to a maximum of seven days.

Three new INFORMATION_SCHEMA views that show table storage metadata are now in Preview.

BigQuery Admin Resource Charts are now generally available (GA) for on-demand users, enabling administrators to monitor key metrics and troubleshoot issues across the entire organization. Previously, they were only available for reservation users. A new permission, bigquery.jobs.listExecutionMetadata, has been added to make it easier to gain access to the full UI.

Chronicle

Rules run frequency

Rules can now be run at different frequencies. Rule run frequency impacts the latency with which detections are discovered for each rule. Longer run frequencies increase the amount of time between when an event occurs and when a detection is processed for that event. Rules with a window size of at least one hour are limited to either 1 hour or 24 hour run frequencies.

Cloud Billing

Cost table report now supports updated filters, project ancestry, and report sharing

In the Cloud Billing Console Cost table report, we've updated the report's filters and invoice month selector to function similarly to the Cloud Billing Reports page and Cost breakdown page, added project ancestry functionality, and enabled report sharing.

Updated filters: You use the cost table report to access the details of your invoices and statements. The report's filters and other settings allow you to configure the report views when you are analyzing the usage and cost data. You can also download the cost table data to CSV for offline analysis. When you download the report to CSV, the data that downloads is limited by any filters that you have set and includes only the columns that you have selected to view.

Project ancestry: A new table column has been added to display project ancestry data. Starting with the January 2022 invoice month:

Report sharing: Along with the updated report filters, the cost table report now supports URL bookmarking and sharing. As you configure your cost table report by setting the invoice month, table view cost grouping options, and report filters, the cost table URL updates to include your selections. You can save your report settings by bookmarking the URL. You can share the cost table report by copying the URL.

For more details about the cost table report and using the updated features and functionality, see the documentation.

Cloud Logging

The Cloud Logging API now supports the following regions:

  • Europe:
    • europe-southwest1
    • europe-west6
    • europe-west8
    • europe-west9
  • South America:
    • southamerica-west1

For more information, see Data Regionality for Cloud Logging.

Cloud SQL for MySQL

You can now accept a maintenance update on your instance outside of the normal flow of scheduled maintenance.

While Cloud SQL schedules maintenance updates once every few months to ensure you have the latest maintenance version, you might want to use self-service maintenance if:

  • You need an update sooner than your next scheduled maintenance event.
  • You want to catch up to the latest maintenance version after skipping your most recent scheduled maintenance event.
  • You want to gain more control over when maintenance is applied.

Cloud SQL now supports maintenance changelogs. Maintenance changelogs provide information about updates available in new maintenance versions, such as database minor version upgrades and patches for security vulnerabilities. For links to current maintenance changelogs for each major database version, see Cloud SQL maintenance changelogs.

Cloud SQL for PostgreSQL

You can now accept a maintenance update on your instance outside of the normal flow of scheduled maintenance.

While Cloud SQL schedules maintenance updates once every few months to ensure you have the latest maintenance version, you might want to use self-service maintenance if:

  • You need an update sooner than your next scheduled maintenance event.
  • You want to catch up to the latest maintenance version after skipping your most recent scheduled maintenance event.
  • You want to gain more control over when maintenance is applied.

Cloud SQL now supports maintenance changelogs. Maintenance changelogs provide information about updates available in new maintenance versions, such as database minor version upgrades and patches for security vulnerabilities. For links to current maintenance changelogs for each major database version, see Cloud SQL maintenance changelogs.

The following PostgreSQL minor versions and extension versions are now available. If you use maintenance windows, you might not yet have these versions. In this case, you will see the new versions after your maintenance update occurs. To find your maintenance window or manage maintenance updates, see Finding and setting maintenance windows.

  • 14.1 is upgraded to 14.2.
  • 13.5 is upgraded to 13.6.
  • 12.9 is upgraded to 12.10.
  • 11.14 is upgraded to 11.15.
  • 10.19 is upgraded to 10.20.

Cloud SQL for SQL Server

You can now accept a maintenance update on your instance outside of the normal flow of scheduled maintenance.

While Cloud SQL schedules maintenance updates once every few months to ensure you have the latest maintenance version, you might want to use self-service maintenance if:

  • You need an update sooner than your next scheduled maintenance event.
  • You want to catch up to the latest maintenance version after skipping your most recent scheduled maintenance event.
  • You want to gain more control over when maintenance is applied.

Cloud SQL now supports maintenance changelogs. Maintenance changelogs provide information about updates available in new maintenance versions, such as database minor version upgrades and patches for security vulnerabilities. For links to current maintenance changelogs for each major database version, see Cloud SQL maintenance changelogs.

Config Connector

Config Connector version 1.83.0 is now available.

Made the spec.resourceRef.apiVersion field in IAMPolicy, IAMPartialPolicy, IAMPolicyMember, IAMAuditConfig optional.

Added IAMPolicyMember support for BinaryAuthorizationPolicy, CloudFunctionsFunction, DataprocCluster, NetworkSecurityAuthorizationPolicy, NetworkSecurityClientTLSPolicy, NetworkSecurityServerTLSPolicy, and RunService.

Identity and Access Management

The IAM documentation now refers to "IAM policies" as "allow policies." You might continue to see references to "IAM policies" in other documentation.

This change does not affect REST APIs, client libraries, or flags for the gcloud CLI.

T-Systems Sovereign Cloud

T-Systems Sovereign Cloud is now generally available. To get started, see the following topics:

Virtual Private Cloud

Automatic DNS configuration for Private Service Connect endpoints is now generally available.

For service producers: When you publish a managed service with Private Service Connect, you can optionally specify a domain name for the service.

For service consumers: When you create a Private Service Connect endpoint to connect to a managed service that has a specified domain name, a DNS entry for the Private Service Connect endpoint is created in a Service Directory DNS zone.

reCAPTCHA Enterprise

The v1 version of the reCAPTCHA Enterprise API now supports API key authentication. The v1beta1 version of the API will continue to be available only for existing users.

April 22, 2022

Apigee X

On April 22, 2022 we released an updated version of the Apigee X software (1-7-0-apigee-34).

Bug ID | Description
N/A | Upgraded infrastructure and libraries

Apigee hybrid

hybrid v1.5.10

On April 22, 2022 we released an updated version of the Apigee hybrid v1.5.10 software.

For information on upgrading, see Upgrading Apigee hybrid to version 1.5.

Bug ID | Description
225169066 | Cassandra database backup and restore was not working when http_proxy is enabled under certain circumstances.
221885751 | Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes.
202403896 | Upgrade to Apigee hybrid v1.6 from v1.5 could fail due to annotation size.
221885751 | Multiple issues with the Hybrid logging functionality have been addressed.

Cloud Composer

(Cloud Composer 2) Network tags are now applied to nodes in an environment's cluster.

Airflow schedulers and workers generate error log messages if pods for these components are evicted.

Cloud Composer automatically recreates and unpauses the Airflow monitoring DAG if it was deleted or paused.

(Cloud Composer 2) Cloud Composer Service Agent account cannot be used as a service account for an environment.

Fixed a problem where an environment was not deleted properly and remained in an error state in some cases.

(Available without upgrading) Fixed a problem that caused Cloud Composer 1 environments with IP Masquerade Agent to break after an upgrade.

(Cloud Composer 2) When a new environment is created, Cloud Composer checks if the project's network setup allows connections to the Airflow web server domain, *.composer.cloud.google.com. An error is generated if it's not possible to connect to this domain.

Cloud Composer 1.18.7 and 2.0.11 images are available:

  • composer-1.18.7-airflow-1.10.15 (default)
  • composer-1.18.7-airflow-2.1.4
  • composer-1.18.7-airflow-2.2.3
  • composer-2.0.11-airflow-2.1.4
  • composer-2.0.11-airflow-2.2.3

Cloud Composer versions 1.16.1 and 1.16.2 have reached the end of their full support period.

Cloud Healthcare API

Performing a FHIR search with the _content parameter and without specifying a FHIR resource type will be deprecated on May 23, 2022. You must specify a FHIR resource type when searching with the _content parameter. See Text search for more information.

Cloud Run

You can now allocate up to 32 GiB of memory and up to 8 CPUs to your Cloud Run services.

Dataproc

New sub-minor versions of Dataproc images:

1.5.63-debian10, 1.5.63-ubuntu18, 1.5.63-rocky8

2.0.37-debian10, 2.0.37-ubuntu18, 2.0.37-rocky8

Dataproc Serverless for Spark now uses runtime version 1.0.10.

Cloud Storage connector version upgraded to 2.2.6 in image version 2.0.

Hive: Bundle threeten classes in hive-exec.jar in image version 2.0. ORC now requires date handling classes in the org.threeten package, which are not present in hive-exec.jar at query time.

HIVE-22589 fixed this bug upstream, but it was part of a large new feature. Instead, this change applies a small targeted fix to address the bug.

Identity and Access Management

IAM Conditions now provides resource attributes for Cloud SQL backup sets. You can use these resource attributes to grant access to a subset of your Cloud SQL resources.

April 21, 2022

Anthos Config Management

Added support for using Fleet Workload Identity to authenticate to Git repositories in Cloud Source Repositories. To learn more, see Grant Config Sync read-only access to Git.

Added a new --timeout flag to the nomos bugreport command. This flag configures the timeout for connecting to the cluster.

ConfigSync ignores the hidden directories .github, .gitlab, and the hidden file .gitlab-ci.yml.

Fixed the issue where nomos bugreport blocks on IO when the number of managed resources exceeds the buffer limit.

Compute Engine

NVIDIA 510 driver is now supported for GPUs running on Compute Engine. For information about installing drivers, see Install GPU drivers.

Config Connector

Config Connector version 1.82.0 is now available.

Added field spec.networkInterface[].networkIpRef to ComputeInstance resource.

Deprecated spec.networkInterface[].networkIp field in ComputeInstance resource.

Config Controller

Config Controller is now supported in region asia-northeast1.

Document AI

Document OCR processor

The changes from the Google Default Next version have been applied to the Google default version.

The previous Google default version can still be accessed until July 21, 2022 as pretrained-legacy. After July 21, 2022, that version will be removed.

For more information about using different versions of the processor, see Managing processor versions.

For the original announcement of this change, see the January 14, 2022 release note.

Filestore

Filestore is now available in Santiago, Chile (southamerica-west1 region) for Basic HDD and Basic SSD instances.

Google Kubernetes Engine

(2022-R9) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

  • Version 1.21.10-gke.2000 is now the default version.
  • The following control plane and node versions are now available:
  • The following control plane versions are no longer available:
    • 1.19.16-gke.8300
    • 1.20.15-gke.1000
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.18 to version 1.19.16-gke.9200 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.19 to version 1.20.15-gke.3400 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.20 to version 1.20.15-gke.3400 with this release.
  • Control planes and nodes with auto-upgrade enabled will be upgraded from version 1.21 to version 1.21.10-gke.2000 with this release.

Stable channel

Note: Your clusters might not have these versions available. Rollouts begin on the day of the note and take four or more business days to be completed across all Google Cloud zones.

  • Version 1.21.10-gke.2000 is now the default version in the Stable channel.

  • The following versions are now available in the Stable channel:

  • The following versions are no longer available in the Stable channel:

    • 1.19.16-gke.9200
    • 1.20.15-gke.2500
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to 1.19.16-gke.9400 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to 1.19.16-gke.9400 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to 1.21.10-gke.2000 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.22 to 1.22.8-gke.200 with this release.

Regular channel

  • Version 1.21.10-gke.2000 is now the default version in the Regular channel.
  • The following versions are now available in the Regular channel:
  • Version 1.20.15-gke.3600 is no longer available in the Regular channel.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.18 to version 1.19.16-gke.9200 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.19 to version 1.20.15-gke.4100 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.20 to version 1.21.10-gke.2000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.21 to version 1.21.10-gke.2000 with this release.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.21.10-gke.2000
    • 1.22.7-gke.900
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.18 to version 1.19.16-gke.9200 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.19 to version 1.20.15-gke.2500 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.20 to version 1.21.11-gke.900 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.21 to version 1.21.11-gke.900 with this release.

(2022-R9) Version updates

  • Version 1.20.15-gke.3400 is now the default version in the Stable channel.

  • The following versions are now available in the Stable channel:

  • The following versions are no longer available in the Stable channel:

    • 1.19.16-gke.8300
    • 1.20.15-gke.1000
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.18 to version 1.19.16-gke.9200 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.19 to version 1.20.15-gke.3400 with this release.

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.20 to version 1.20.15-gke.3400 with this release.

Speech-to-Text

"Latest" models are available in more than 20 languages. These models employ new end-to-end machine learning techniques and can improve the accuracy of your recognized speech. For more information see Latest models.

Vertex AI

You can now use a pre-built container to perform custom training with PyTorch 1.11.

Workflows

Call logging is now generally available (GA).

April 20, 2022

Apigee API hub

On April 20, 2022, Apigee hub released a new version of the software.

Changed columns in the History table:

  • Changed Date & time to Updated
  • Changed Comment to Commit history
  • Added ID, which is the ID of the revision as it appears in the registry API.

Artifact Registry

Artifact Registry is now available in europe-west8 region (Milan, Italy).

Cloud Bigtable

Cloud Bigtable is available in the europe-west8 (Milan) region. For more information, see Bigtable locations.

Cloud SQL for MySQL

Support for europe-west8 region (Milan).

Cloud SQL for PostgreSQL

Support for europe-west8 region (Milan).

Cloud SQL for SQL Server

Support for europe-west8 region (Milan).

Cloud Spanner

Cloud Spanner regional instances can now be created in Milan (europe-west8).

Cloud Storage

Cloud Storage is now available in Milan, Italy (europe-west8 region).

Cloud VPN

Cloud VPN is now available in region europe-west8 (Milan, Italy).

Pricing is available on the Cloud VPN pricing page.

Compute Engine

Generally available: Milan, Italy europe-west8-a,b,c region has launched with general-purpose E2, N2, and N2D VMs available in all three zones.

See VM instance pricing for details.

Dataflow

Dataflow is now available in Milan (europe-west8).

Dataproc

Dataproc is now available in the europe-west8 region (Milan, Italy).

Google Kubernetes Engine

The europe-west8 region in Milan is now available.

Pub/Sub

Pub/Sub is now available in europe-west8 (Milan).

Virtual Private Cloud

For auto mode VPC networks, added a new subnet 10.198.0.0/20 for the Milan europe-west8 region. For more information, see Auto mode IP ranges.

April 19, 2022

AI Platform Training

Pre-built PyTorch containers for PyTorch 1.11 are available for training. You can use these containers to train with CPUs, GPUs, or TPUs.

Actifio

You can now get instant access to Actifio NOW, Actifio's knowledge and support portal, when you create an Actifio NOW account after signing up.

Makes it easy to set up Actifio GO for Google Compute VMware engine with a preferred topology of Sky on Compute Engine.

Enables easy linkage of OnVault to Google Cloud storage classes, that is, Coldline, Nearline, Standard, and Archive storage.

This update changes the location of onboarding collateral (such as videos and documentation), so that it is visibly accessible in the screen layout, thereby improving onboarding.

Fixed an issue where the Actifio Global Manager (AGM) interface timed out quickly when accessed through the Actifio GO portal.

Fixed known gaps and issues related to user management.

With this update, the AGM APIs, along with a new DR orchestration script, take the place of Resiliency Director (RD) for new deployments. RD is undergoing back-end modernisation work and therefore won't be available until 2023.

Anthos clusters on AWS (previous generation)

An issue has been discovered in Anthos clusters on AWS (previous generation). Do not launch Kubernetes 1.22 clusters at this time.

The Anthos clusters on AWS (previous generation) release 1.11.0-gke.1 has been removed. We are working on a fix.

Cloud Asset Inventory

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

  • Database Migration Service
    • datamigration.googleapis.com/MigrationJob
    • datamigration.googleapis.com/ConnectionProfile

Cloud Load Balancing

Backend subsetting for internal HTTP(S) load balancers improves performance and scalability by assigning a subset of backends to each of the proxy instances.

This feature is in Preview.

Cloud Run

The following new region is now available: europe-west8.

Network Intelligence Center

You can set the observation period for overly permissive rule insights for a period of up to 12 months. For more information, see Configuring observation periods.

Storage Transfer Service

Storage Transfer Service now provides more options for when to overwrite files that already exist in the destination. The new overwriteWhen field provides three options that apply to all transfers, including those to or from file systems.

  • NEVER provides defense in depth for archival cases, where data is not intended to be overwritten. Users no longer need to rely on a retention policy to protect their data.
  • DIFFERENT uses ETags and checksum values to only overwrite a file if the contents have changed.
  • ALWAYS overwrites any existing files with the same name. Avoids LIST operations on the destination when transferring into Cloud Storage.

April 18, 2022

Anthos clusters on VMware

Anthos clusters on VMware 1.10.3-gke.49 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.10.3-gke.49 runs on Kubernetes 1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.10, 1.9, and 1.8.

  • Fixed issue where scale down sometimes took longer than expected when cluster autoscaling is enabled in a Dataplane-v2 cluster.
  • Added keep-alive configuration to avoid timeout issues for long running vSphere operations in gkeadm.
  • RBAC fixes:
    • coredns-autoscaler:
      • Removed configmaps create permission.
      • Removed replicasets/scale permissions.
      • Removed replicationcontrollers/scale permissions.
      • Scoped down deployments/scale permissions to coredns resource name.
    • clusterdns-controller:
      • Scoped down clusterdns permissions to default resource name.
      • Scoped down configmap permissions to coredns resource name.
      • Removed create/delete permissions for configmaps. The coredns configmap is now created by the bundle, with create-only annotation to ensure we don't overwrite existing config on upgrade.
    • auto-resize controller:
      • Scoped down leases permissions to onprem-auto-resize-leader-election resource name.
      • Scoped down configmaps permissions to onprem-auto-resize-leader-election resource name.
    • load-balancer-f5:
      • Removed get list watch create patch delete permissions for configmaps.
      • Removed update create patch for events nodes.
      • Removed create permissions for services/status and services.
      • Removed view permission for secret bigip-login-9t8mzp.

  • Fixed high-severity CVEs:

Apigee UI

On April 18, 2022, we released an updated version of the Apigee UI.

The UI for managing Apigee instances has been updated and improved:

  • You can now specify a list of accepted Cloud projects that can privately connect to the instance's service attachment.
  • The New Instance dialog is replaced by a dedicated Create new instance configuration page with fields for specifying or creating a disk encryption key and for editing the list of accepted projects.
  • The Edit instance dialog is replaced by a dedicated page that lets you add or remove environments and edit the list of accepted projects that can privately connect to the instance's service attachment.
  • The UI now lets you select the disk encryption key from a list and provides a convenient flow if you want to create a new key.
  • The UI for deleting an instance has changed. There is now a DELETE button on the Instance details page.

For more information, see Managing instances.

Bug ID Description
229008583 When opening the Apigee UI in multiple tabs with different orgs, some cache entries were not being synched. This has been fixed.
204429957 Make ClientSpecificResourceService and ClientResourceNamePipe return plain values. Previously, methods on those classes returned observables. Now they return values.

Apigee hybrid

Apigee hybrid v1.7.0

On April 18, 2022, we released Apigee hybrid v1.7.0.

For information on upgrading, see Upgrading Apigee hybrid to version 1.7.

mTLS communication between Cassandra clients and Cassandra nodes

Apigee hybrid now supports mTLS communication between Cassandra clients (MART, Sync, and MP) and Cassandra nodes. For related ports used, see Secure ports usage. (Implemented in Apigee hybrid v1.7.0)

Custom metrics scaling

Apigee hybrid v1.7.0 now supports custom metrics scaling using the metrics:appStackdriverExporter and metrics:proxyStackdriverExporter configuration properties. See metrics in the Configuration properties reference. (Implemented in Apigee hybrid v1.7.0)

OAuth JWT access tokens

Apigee hybrid v1.7.0 now supports JWT operations that allow the OAuthV2 policy to generate, verify, and refresh access tokens that conform to the JWT token standard. See Using JWT OAuth tokens. (Implemented in Apigee hybrid v1.7.0)

Cloud Logging

Apigee hybrid v1.7.0 now supports the <CloudLogging> element in the MessageLogging policy that lets you log messages to Cloud Logging. (Implemented in Apigee hybrid v1.7.0)

PublishMessage policy

Apigee hybrid v1.7.0 now supports the PublishMessage policy that lets you publish your API proxy flow information to a Google Cloud Pub/Sub topic.

GraphQL policy now supports JSON-encoded payloads. (Implemented in Apigee X, March 15, 2022)

Bug ID Description
224577096 Support added for Anthos Service Mesh 1.12. (Fixed in Apigee hybrid v1.6.6)
219523719 Fix to address CPU and memory consumption when debug-session is enabled with response-status as the filtering criteria. (Fixed in Apigee X, March 15, 2022)
217386412 Change the property set logging level to fine when property is not found. (Fixed in Apigee hybrid v1.6.5)
215773113 Setting the securityPolicy appeared to have no effect for specific configurations. (Fixed in Apigee hybrid v1.6.5)
214960081 HTTPS endpoints could be called as HTTP resulting in an "EOF unexpected" error. (Fixed in Apigee hybrid v1.6.4)
211787541 Errors displayed in synchronizer logs for stale contracts. (Fixed in Apigee hybrid v1.6.5)
210590135 Invalid protocol in proxy.url flow variable in Apigee X. The proxy.url flow variable could show as http even when the request is https. (Fixed in Apigee hybrid v1.6.4)
210314786 The backup utility did not work with workload identity. (Fixed in Apigee hybrid v1.6.4)
209622008 Dynamic updates to rate in spike arrest are now reflected immediately. (Fixed in Apigee X, March 15, 2022)
209484701 Invalid client IP sent to analytics. (Fixed in Apigee hybrid v1.6.5)
209097822 Fixed an issue where SpikeArrest was not reflecting the updated rate. (Fixed in Apigee hybrid v1.6.3)
208474799 Apigee hybrid now supports ASM version 1.12. See Supported platforms for ASM version support for each supported version of Apigee Hybrid. (Fixed in Apigee hybrid v1.7.0)
208322185 Apigee hybrid Cassandra backup and restore can now use either a user-provided custom secret or a generated secret (Fixed in Apigee hybrid v1.6.3)
207762842 Hybrid logging functionality has been reworked. This should resolve issues with excessive log volume generation, frequent logger restarts, and ensure correct logger functionality with both docker and containerd runtimes. (Fixed in Apigee hybrid v1.7.0)
207618262 Fixed an issue where SpikeArrest opened too many connections to redis-envoy. (Fixed in Apigee hybrid v1.6.3)
207400645 Allow direct reads from API server to API client when enabled. (Fixed in Apigee hybrid v1.6.3)
205820658 Fixed an issue where Apigee X/hybrid Debug could show the authorization header. (Fixed in Apigee hybrid v1.6.3)
205810988 Resolve suspension dialog displayed "user not authorized" message for regions other than US. This has been fixed. Location information is now added into the suspension URL from Apigee. (Fixed in Apigee X, December 02, 2021)
205732137 Handle Quota correctly when the Operation group is set with empty string params (Fixed in Apigee hybrid v1.6.3)
205148816 Product Level Quota Info now available in Proxy. (Fixed in Apigee hybrid v1.6.3)
204943895 Quota Policy in Shared Flow now working properly. (Fixed in Apigee hybrid v1.6.3)
204943880 Fixed issue where SpikeArrest in Shared Flow did not have context of API Proxy. (Fixed in Apigee hybrid v1.6.3)
204905727 GenerateResponse was hanging on response flow when enabled=true. (Fixed in Apigee hybrid v1.6.5)
204368970 TLS variables are now set by Apigee Runtime. (Fixed in Apigee hybrid v1.6.3)
204146857 Fixed an issue where new environments were not created in Apigee hybrid deployment. (Fixed in Apigee hybrid v1.6.3)
203785814 A transient error could occur when calling conversion webhook for Apigee Telemetry. The error would occur when Apigee CRD is installed too early in the sequence. The installer job now checks for the correct sequence. (Fixed in Apigee hybrid v1.6.4)
203468593 Corrected the storageclass property name. (Fixed in Apigee hybrid v1.5.5)
203462573 The StorageClass set in overrides was not honored. (Fixed in Apigee hybrid v1.6.1)
202560276 AKS - containerd broke apigee-logger. (Fixed in Apigee hybrid v1.6.1)
202309278 Monetization: Eliminated a race condition that could make a prepaid developer's balance appear incorrect. (Fixed in Apigee hybrid v1.6.2)
202299966 Added new remote-address-related headers and modified the headers to be RFC compliant. (Fixed in Apigee hybrid v1.6.3)
200918549 There was an issue when using forward proxy with the ApigeeConnect agent. (Fixed in Apigee hybrid v1.6.1)
200700375 Fixed API products sorting issue in UI. Previously, sorting was disabled on the API products page. Sorting is now enabled. (Fixed in Apigee X, September 23, 2021)
200648523 Trace Variable, is_request_blocked, was showing incorrect information. (Fixed in Apigee hybrid v1.6.2)
199952038 The apigeectl command uses the new --restore flag to restore Cassandra to a previously saved snapshot. For more information, see Restoring in a single region. (Fixed in Apigee hybrid v1.6.6)
199807323 Updating Developer would reset the Developer billing type attribute (Fixed in Apigee hybrid v1.6.2)
199541025 Transaction ID is now required to be unique when used with prepaid developer balance credit API. (Fixed in Apigee hybrid v1.6.2)
198549304, 197730687, 196937143, 188370635, 187890034 Error state for conflicting dates is now correct. (Fixed in Apigee hybrid v1.6.2)
198036824 The securityContext was empty when it should have been populated. (Fixed in Apigee hybrid v1.6.1)
197945951 Stale DNS record in MP memory could cause an outage for a proxy. (Fixed in Apigee hybrid v1.6.4)
197910247 SetDialogflowResponse Policy - JSONPath expressions were not working. (Fixed in Apigee hybrid v1.6.1)
197711066 Cluster upgrade failed due to PDB (PodDisruptionBudget) policy not being met. (Fixed in Apigee hybrid v1.6.1)
196095557 Fixed proxy high response times. (Fixed in Apigee hybrid v1.5.4)
196024622 Hybrid images contained keys. (Fixed in Apigee hybrid v1.6.1)
196024483 Hybrid images did not set USER instruction when building the container. (Fixed in Apigee hybrid v1.6.1)
193799009 Fixed wrong status code shown on trace with ServiceCallout in PostClientflow. (Fixed in Apigee hybrid v1.5.4)
193520269 Fixed Apigee UI not showing the trace UI. (Fixed in Apigee hybrid v1.5.4)
193041253 Cassandra upgraded to v3.11.9. The Cassandra database in Apigee hybrid v1.7.0 has been upgraded to version 3.11.9. (Fixed in Apigee hybrid v1.7.0)
192987085 Fixed the ApiProductNotFound exception, which occurred when you deleted an API product but the deletion of associated rate plans was pending. (Fixed in Apigee X Monetization, November 3, 2021)
191853747 Apigee Workload Identities not working for specific configurations. (Fixed in Apigee hybrid v1.6.5)
190679584 There was an incorrect error message on deploying AssertCondition policy with invalid condition. (Fixed in Apigee hybrid v1.6.1)
189341334 Fixed an issue to eliminate the potential for connection leaks for the watcher component. (Fixed in Apigee hybrid v1.6.3)
188407113 Invalid value in the ConsumptionPricingType during rate plan creation displayed the 500 status code. Now the status code for an invalid value is 4xx. (Fixed in Apigee X Monetization, November 3, 2021)
181259284 Fixed unresolved flow variables system.region.name and system.pod.name. (Fixed in Apigee hybrid v1.5.4)
180672249 FlowCallout succeeded, although SharedFlow had errors in deployment. (Fixed in Apigee hybrid v1.6.1)
173738907 Fixed support resource request/limit in override.yaml in apigee-metrics. (Fixed in Apigee hybrid v1.5.4)
173566787 Reuse existing target IPs if DNS resolution fails on DNS cache refresh. (Fixed in Apigee hybrid v1.6.5)
111777025 LookupCache: cachehit was shown false in trace when the actual value was true. (Fixed in Apigee hybrid v1.6.5)
N/A If there is more than one SpikeArrest policy in a bundle, 502 errors will occur. (Fixed in Apigee X, December 12, 2021)
N/A If ServiceCallout is "fire and forget" (no tag), a race condition can occur if there is another policy that occurs after it. (Fixed in Apigee X, December 12, 2021)
N/A Fix bug: delete dialog does not open. Previously, on click of delete dialog, the dialog was not appearing; this fixes it. (Fixed in Apigee X, October 05, 2021)
N/A Dynamic updates to rate in SpikeArrest may not reflect immediately. (Fixed in Apigee X, December 12, 2021)

Bug ID Description
217743790 Cassandra backup would run as privileged.
204994504 Container Vulnerability fixed: CVE-2018-12934. (Fixed in Apigee hybrid v1.6.5)
N/A Multiple security fixes including CVE-2019-5021. (Fixed in Apigee hybrid v1.6.5)
N/A Miscellaneous Security updates and fixes. (Fixed in Apigee X, December 12, 2021)
205820658 A security issue was addressed. (Fixed in Apigee hybrid v1.6.2-hotfix.1)

"Apigee Deployer" role deprecated and replaced by "Apigee Environment Admin"

The environment role "Apigee Deployer" has been deprecated, and replaced by "Apigee Environment Admin". (Implemented in Apigee X, December 2, 2022)

App Engine standard environment PHP

App Engine standard environment Python

Cloud Data Fusion

Google Drive Plugins version 1.4.0 is generally available (GA). For more information, see the CDAP Hub release log.

Compute Engine

SAP on Google Cloud

SAP NetWeaver high-availability cluster documentation for RHEL

A new manual configuration guide for SAP NetWeaver high-availability clusters on Red Hat Enterprise Linux (RHEL) is available for use.

For more information, see the HA cluster configuration guide for SAP NetWeaver on RHEL.

SAP NetWeaver high-availability clusters on SLES - change to recommended configuration

The recommended configuration for enabling back-end communication between the nodes in a SUSE Linux Enterprise Server (SLES) high-availability cluster for SAP NetWeaver on Google Cloud has changed.

The new guidance uses the google-guest-agent to enable back-end communication instead of a startup script.

If you are using a startup script to enable back-end communication in an existing cluster, we recommend that you switch to the google-guest-agent configuration at your earliest convenience.

For the updated guidance, see Enable load balancer back-end communication between the VMs.

April 15, 2022

Chronicle

Chronicle Detection Engine now supports the min() function and subtraction operator in the outcome section of a rule.

Cloud Build

Cloud Build default pools now support regional builds at the preview release stage. To learn more, see Cloud Build locations.

Cloud Build now supports regional build triggers at the preview release stage. To learn more, see Cloud Build locations.

Dataplex

Kf

Add Config Connector as a dependency of Kf.

April 14, 2022

Anthos Service Mesh

1.13.2-asm.2 is now available.

Anthos Service Mesh 1.13 includes the features of Istio 1.13.2 subject to the list of Anthos Service Mesh Supported features.

Assured Workloads

You can now restrict resource creation of global security configuration to comply with data residency requirements by using organization policies, which affect Google Cloud services such as Compute Engine and Identity-Aware Proxy (IAP). This capability is available as a Preview launch.

Cloud Data Loss Prevention

The data profiler for BigQuery is generally available (GA). The data profiler is a fully-managed service that continuously scans data across your entire organization to give you general awareness of what data you have, and specific visibility into where sensitive data is stored and processed. For more information, see Data profiles for BigQuery data.

Cloud Healthcare API

A release was made. Updates may include general performance improvements, bug fixes, and updates to the API reference documentation.

Cloud Logging

In the Logs Explorer, pinning log entries has been improved and new options to view pinned log entries in different resource contexts have been added. To learn more, see Pin log entries.

Cloud Monitoring

You can now define template variables and permanent filters for your dashboards. For more information, see Create a template variable or permanent filter.

Cloud Optimization AI

Cloud Fleet Routing is now generally available (GA).

You can now grant access to Cloud Optimization IAM roles to a user, a group, or a service account to perform create or get operations in the context of a batchOptimizeTours request.

You can now create models that can solve up to 120 minutes (instead of 60 minutes) using automatic checkpoints in a batchOptimizeTour request to solve complex problems.

You can now set a soft_max_load with related costs on your vehicles to balance the load limit across your fleet.

Optimization AI now has a concurrent batch solve quota of 60000 timeout seconds per project.

Cloud Spanner

You can now define a default value for a non-key table column when creating or altering a table. Using the DEFAULT keyword, a schema author can provide a fallback for a column when an insert statement or mutation doesn't explicitly specify a value.

A new three-continent, nine-replica multi-region instance configuration is available for Cloud Spanner: nam-eur-asia3 (Iowa/South Carolina/Belgium/Netherlands/Taiwan/Oklahoma).

Compute Engine

Generally available: NVIDIA A100 GPUs are now available in the following additional regions and zones:

  • Tokyo, Japan, APAC: asia-northeast1-a,c

For more information about using GPUs on Compute Engine, see GPU platforms. For pricing information, review the pricing tables for the Accelerator-optimized machine type family.

Config Controller

Config Controller now uses version 1.79.0 of Config Connector (see the Config Connector release notes).

April 13, 2022

Access Transparency

Access Transparency supports Secret Manager at the GA stage. For the complete list of services that Access Transparency supports, see Supported services.

Anthos clusters on AWS

Anthos Clusters on AWS now supports Kubernetes versions 1.22.8-gke.200 and 1.21.11-gke.100. For more information, see the open source release notes for Kubernetes 1.22.8 and Kubernetes 1.21.11.

Kubernetes 1.22 removes support for several deprecated v1beta1 APIs. Before upgrading your clusters to v1.22, you must upgrade your workloads to use the stable v1 APIs and confirm their compatibility with v1.22. For more information, see Kubernetes 1.22 Deprecated APIs.

When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.

As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.8.

You can now set the autoscaler's minimum node count to zero.

This release of Anthos Clusters on AWS improves your ability to update your cluster configuration, including

You can now view the most common asynchronous cluster and node pool boot errors in the long-running operation error field.

As a preview feature, you can now configure nodes to be dedicated hosts.

To create new 1.22 clusters, you need to add the ec2:GetConsoleOutput permission to your Anthos Multi-Cloud API role.

A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects Anthos Clusters on AWS running Kubernetes version 1.21 on Ubuntu.

For more information, see the GCP-2022-012 security bulletin.

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.

For more information, see the GCP-2022-013 security bulletin.

Anthos Clusters on AWS now sets the default instance type to m5.large when you create a new cluster or node pool. The previous default instance type was t3.medium.

Anthos clusters on Azure

Anthos Clusters on Azure now supports Kubernetes versions 1.22.8-gke.200 and 1.21.11-gke.100. For more information, see the open source release notes for Kubernetes 1.22.8 and Kubernetes 1.21.11.

Kubernetes 1.22 removes support for several deprecated v1beta1 APIs. Before upgrading your clusters to v1.22, you must upgrade your workloads to use the stable v1 APIs and confirm their compatibility with v1.22. For more information, see Kubernetes 1.22 Deprecated APIs.

When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.

As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.8.

You can now set the autoscaler's minimum node count to zero.

This release of Anthos Clusters on Azure adds the ability to update your:

  • control plane and node pool VM size
  • cluster annotations
  • Azure admin users
  • control plane root volume size

You can now view the most common asynchronous cluster and node pool boot errors in the long-running operation error field.

A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects Anthos on Azure on Ubuntu running Kubernetes version 1.21.

For more information, see the GCP-2022-012 security bulletin.

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.

For more information, see the GCP-2022-013 security bulletin.

App Engine standard environment Go

The App Engine legacy bundled services for Go 1.12+ are now available at the General Availability release level. These APIs can be accessed through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

App Engine standard environment Java

The App Engine legacy bundled services for Java 11/17 are now available at the General Availability release level. These APIs can be accessed through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

App Engine standard environment PHP

The App Engine legacy bundled services for PHP 7+ are now available at the Preview release level. These APIs can be accessed through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

App Engine standard environment Python

The App Engine legacy bundled services for Python 3 are now available at the General Availability release level. These APIs can be accessed through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

Certificate Authority Service

Chronicle

The following supported default parsers have changed (listed by ingestion label):

  • AKAMAI_WAF
  • ARUBA_WIRELESS
  • AWS_CLOUDTRAIL
  • AWS_CONFIG
  • AZURE_AD_CONTEXT
  • AZURE_COSMOS_DB
  • BITDEFENDER
  • CA_ACCESS_CONTROL
  • CASSANDRA
  • CISCO_EMAIL_SECURITY
  • CISCO_FIREPOWER_FIREWALL
  • CISCO_ISE
  • CISCO_MERAKI
  • CISCO_TACACS
  • CS_EDR
  • D3_BANKING
  • ELASTIC_WINLOGBEAT
  • FILEZILLA_FTP
  • GCP_CLOUDIDENTITY_DEVICES
  • GCP_CLOUDIDENTITY_DEVICEUSERS
  • GMV_CHECKER
  • GUARDDUTY
  • GUARDIUM
  • IIS
  • INFOBLOX_DHCP
  • KASPERSKY_AV
  • KEA_DHCP
  • MCAFEE_DLP
  • MCAFEE_EPO
  • MICROSOFT_DEFENDER_ENDPOINT
  • NETSKOPE_WEBPROXY
  • OFFICE_365
  • OKTA
  • OKTA_USER_CONTEXT
  • ONELOGIN_SSO
  • ORDR_IOT
  • PAN_FIREWALL
  • PROOFPOINT_ON_DEMAND
  • PULSE_SECURE_VPN
  • RH_ISAC_IOC
  • SALESFORCE
  • SERVICENOW_CMDB
  • SLACK_AUDIT
  • SOPHOS_UTM
  • SYMANTEC_EDR
  • TANIUM_TH
  • UMBRELLA_DNS
  • UNIFI_AP
  • VANDYKE_SFTP
  • VMWARE_ESX
  • VMWARE_VREALIZE
  • WINDOWS_DHCP
  • WINDOWS_DNS
  • WINDOWS_SYSMON
  • WORKSPACE_ACTIVITY
  • WORKSPACE_ALERTS
  • WORKSPACE_USERS

For details about the changes in each parser, see Supported default parsers.

Cloud Composer

Cloud Composer now supports CMEK encryption using keys stored in External Key Managers.

(Cloud Composer 2) Airflow webserver and worker-scheduler images in multiregional repositories are now tagged with their image version (for example, composer-2.0.10-airflow-2.1.4). This change is gradually backfilled to previous images as well.

It is now possible to use upper case symbols in the names of PyPI packages.

(Airflow 2) Exception traces from Airflow task executions are now properly annotated with labels in Cloud Logging.

(Cloud Composer 2) Fixed a problem where some info log messages were logged as errors during environment operations.

(Available without upgrading) DAG schedule intervals are now correctly displayed in the list of DAGs in Cloud Console. Before the change, this value was not displayed in some environments.

(Airflow 1.10.15) Backported the fix for KubernetesPodOperator. KubernetesPodOperator now retries log tailing in long-living tasks.

(Airflow 1.10.15) Airflow Upgrade Checker updated to version 1.4.0.

(Airflow 1.10.15) Fixes in the apache-airflow-backport-providers-google package: DataprocCreateBatchOperator, Dataplex operators, YAML safe load.

Cloud Composer 1.18.6 and 2.0.10 images are available:

  • composer-1.18.6-airflow-1.10.15 (default)
  • composer-1.18.6-airflow-2.1.4
  • composer-1.18.6-airflow-2.2.3
  • composer-2.0.10-airflow-2.1.4
  • composer-2.0.10-airflow-2.2.3

Cloud Composer 1.16.0 has reached its end of full support period.

Compute Engine

Tau T2D VMs are now available in the following regions and zones:

  • Las Vegas, NV (us-west4-a,b)
  • São Paulo, Brazil, South America (southamerica-east1-a,b,c)
  • St. Ghislain, Belgium (europe-west1-c)

N2 general-purpose VMs are available in Salt Lake City, UT (us-west3-a,b,c).

See VM instance pricing for details.

Config Connector

This release contains an issue that may prevent you from successfully deleting namespaces with Config Connector enabled if you use Config Connector in namespaced-mode. If you use namespaced-mode, do not upgrade to version 1.81.0; upgrade to 1.82.0 instead.

Config Connector version 1.81.0 is now available.

Added support for ApigeeEnvironment resource.

Added field spec.cluster[].autoscalingConfig to BigtableInstance resource.

Added field spec.edgeSecurityPolicy to ComputeBackendBucket resource.

Added field spec.type to ComputeSecurityPolicy resource.

Added field spec.schedule.repeatInterval to StorageTransferJob resource.

Fixed a bug, introduced in version 1.62.0, that prevented list fields from being set to empty lists. (Issue #595)

Dataproc

Announcing the General Availability (GA) release of Dataproc on GKE, which allows you to execute Big Data applications using the Dataproc jobs API on GKE clusters.

Google Kubernetes Engine

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). This vulnerability affects all GKE node operating systems (Container-Optimized OS and Ubuntu) which use containerd by default. All GKE, Autopilot, and GKE Sandbox nodes are affected.

For more information, see the GCP-2022-013 security bulletin.

Egress NAT policy to configure IP masquerade is now generally available on GKE Autopilot clusters with Dataplane v2 in versions 1.22.7-gke.1500+ or 1.23.4-gke.1600+. For configuration examples of Egress NAT policy, see Egress NAT Policy documentation.

April 12, 2022

Anthos clusters on AWS (previous generation)

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.

For more information, see the GCP-2022-013 security bulletin.

Anthos clusters on VMware

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.

For more information, see the GCP-2022-013 security bulletin.

Anthos clusters on bare metal

Security bulletin (1.8, 1.9, and 1.10)

A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.

For more information, see the GCP-2022-013 security bulletin.

Cloud SQL for MySQL

Customer-managed encryption key (CMEK) organization policy constraints are now available in Preview.

  • constraints/gcp.restrictNonCmekServices allows you to control which resources require the use of CMEK.
  • constraints/gcp.restrictCmekCryptoKeyProjects allows you to control the projects from which a Cloud KMS key can be used to validate requests.

You can use both constraints together to enforce the use of CMEK from allowed projects.

To learn more, see Customer-managed encryption keys (CMEK) organization policies. To add CMEK organization policies now, see Add Cloud SQL organization policies.

Cloud SQL for PostgreSQL

Customer-managed encryption key (CMEK) organization policy constraints are now available in Preview.

  • constraints/gcp.restrictNonCmekServices allows you to control which resources require the use of CMEK.
  • constraints/gcp.restrictCmekCryptoKeyProjects allows you to control the projects from which a Cloud KMS key can be used to validate requests.

You can use both constraints together to enforce the use of CMEK from allowed projects.

To learn more, see Customer-managed encryption keys (CMEK) organization policies. To add CMEK organization policies now, see Add Cloud SQL organization policies.

Cloud SQL for SQL Server

Customer-managed encryption key (CMEK) organization policy constraints are now available in Preview.

  • constraints/gcp.restrictNonCmekServices allows you to control which resources require the use of CMEK.
  • constraints/gcp.restrictCmekCryptoKeyProjects allows you to control the projects from which a Cloud KMS key can be used to validate requests.

You can use both constraints together to enforce the use of CMEK from allowed projects.

To learn more, see Customer-managed encryption keys (CMEK) organization policies. To add CMEK organization policies now, see Add Cloud SQL organization policies.

Storage Transfer Service

Storage Transfer Service now offers a predefined role to simplify permission assignment to transfer agents. The roles/storagetransfer.transfer