This document lists production updates to Google Distributed Cloud (software only) for bare metal (formerly known as Google Distributed Cloud Virtual, previously known as Anthos clusters on bare metal). Check this page periodically for any new announcements.
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
December 10, 2024
Release 1.30.400-gke.133
Google Distributed Cloud for bare metal 1.30.400-gke.133 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.400-gke.133 runs on Kubernetes 1.30.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
Functionality changes:
Updated snapshots to include new information, including: kubelet config, CPU manager state, and memory manager state.
Updated the bmctl push images command to check for the existence of an image digest to determine whether or not to push an image.
Added support for configuring the GKE Identity Service to enforce a minimum transport layer security (TLS) version of 1.2 for HTTPS connections. By default, the GKE Identity Service allows TLS 1.1 and higher connections. If you require enforcement of a minimum of TLS 1.2, contact Cloud Customer Care for assistance.
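Because the TLS 1.2 floor is applied on request rather than through a documented setting, the practical check is to probe the endpoint yourself before and after the change. The script below is an added example, not bmctl or GKE Identity Service code: it uses the openssl CLI to attempt a handshake at a specific protocol version and reports whether TLS 1.1 is still accepted. The host and port are whatever you point it at; nothing in it is specific to a Google endpoint.

```shell
#!/bin/sh
# Added example (not product code): verify that an HTTPS endpoint refuses
# TLS 1.1 and accepts TLS 1.2. Requires the openssl command-line client.

# probe_tls HOST PORT PROTO   (PROTO is tls1_1, tls1_2 or tls1_3)
# Returns 0 if the server completes a handshake at exactly that version,
# 1 if it refuses or is unreachable, 2 if no openssl binary is installed.
probe_tls() {
  command -v openssl >/dev/null 2>&1 || return 2
  # SECLEVEL=0 keeps an OpenSSL 3 client from refusing TLS 1.1 on its own;
  # without it a "refused" verdict for tls1_1 could be the client, not the server.
  openssl s_client -connect "$1:$2" -servername "$1" "-$3" \
    -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1
}

# check_min_tls12 HOST PORT
# Returns 0 when the endpoint refuses TLS 1.1 and accepts TLS 1.2, 1 otherwise.
check_min_tls12() {
  if probe_tls "$1" "$2" tls1_1; then
    echo "FAIL $1:$2 still accepts TLS 1.1"
    return 1
  fi
  if probe_tls "$1" "$2" tls1_2; then
    echo "OK   $1:$2 refuses TLS 1.1 and accepts TLS 1.2"
    return 0
  fi
  echo "FAIL $1:$2 completed no TLS 1.2 handshake (unreachable, or openssl missing)"
  return 1
}

# Usage: check_min_tls12 <identity-service-host> 443
```

Run it once before raising the request (expect a FAIL showing TLS 1.1 accepted) and again after Customer Care confirms the change (expect OK). A FAIL on the TLS 1.2 probe means the endpoint was not reachable from where you ran the script, not that the floor is wrong.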
Fixes:
Fixed the issue where non-root users can't run bmctl restore to restore quorum.
Fixed an issue where CronJob specs for periodic health checks weren't updated to reflect cluster annotation changes.
Fixed an issue that blocked user cluster create and upgrade operations to patch versions 1.30.100, 1.30.200, or 1.30.300. This issue applies only when kubectl or a GKE On-Prem API client (console, gcloud CLI, or Terraform) is used for user cluster creation and upgrades.
The following container image security vulnerabilities have been fixed in 1.30.400-gke.133:
- Critical container vulnerabilities:
- High-severity container vulnerabilities:
- CVE-2020-16156
- CVE-2021-33194
- CVE-2022-1304
- CVE-2022-27664
- CVE-2022-41723
- CVE-2022-48733
- CVE-2023-3676
- CVE-2023-3955
- CVE-2023-5528
- CVE-2023-7104
- CVE-2023-39325
- CVE-2023-49083
- CVE-2023-52425
- CVE-2024-0743
- CVE-2024-0793
- CVE-2024-6609
- CVE-2024-20696
- CVE-2024-38577
- CVE-2024-41011
- CVE-2024-42228
- CVE-2024-42280
- CVE-2024-42284
- CVE-2024-42285
- CVE-2024-42301
- CVE-2024-42302
- CVE-2024-42313
- CVE-2024-43839
- CVE-2024-43858
- CVE-2024-43882
- CVE-2024-44974
- CVE-2024-44987
- CVE-2024-44998
- CVE-2024-44999
- CVE-2024-45490
- CVE-2024-46673
- CVE-2024-46674
- CVE-2024-46722
- CVE-2024-46723
- CVE-2024-46724
- CVE-2024-46725
- CVE-2024-46731
- CVE-2024-46738
- CVE-2024-46740
- CVE-2024-46743
- CVE-2024-46744
- CVE-2024-46747
- CVE-2024-46756
- CVE-2024-46757
- CVE-2024-46758
- CVE-2024-46759
- CVE-2024-46782
- CVE-2024-46798
- CVE-2024-46800
- CVE-2024-46804
- CVE-2024-46814
- CVE-2024-46815
- CVE-2024-46818
- CVE-2024-46828
- CVE-2024-46844
- GHSA-m425-mq94-257g
- Medium-severity container vulnerabilities:
- CVE-2021-31525
- CVE-2021-3669
- CVE-2021-36976
- CVE-2022-26280
- CVE-2022-41717
- CVE-2023-2431
- CVE-2023-2727
- CVE-2023-2728
- CVE-2023-3978
- CVE-2023-23931
- CVE-2023-31083
- CVE-2023-44487
- CVE-2023-52889
- CVE-2024-24557
- CVE-2024-29018
- CVE-2024-41098
- CVE-2024-42114
- CVE-2024-42246
- CVE-2024-42259
- CVE-2024-42272
- CVE-2024-42283
- CVE-2024-42286
- CVE-2024-42287
- CVE-2024-42288
- CVE-2024-42289
- CVE-2024-42297
- CVE-2024-42309
- CVE-2024-42310
- CVE-2024-42311
- CVE-2024-43828
- CVE-2024-43829
- CVE-2024-43834
- CVE-2024-43835
- CVE-2024-43846
- CVE-2024-43849
- CVE-2024-43853
- CVE-2024-43854
- CVE-2024-43856
- CVE-2024-43860
- CVE-2024-43861
- CVE-2024-43871
- CVE-2024-43884
- CVE-2024-43889
- CVE-2024-43890
- CVE-2024-43892
- CVE-2024-43893
- CVE-2024-43894
- CVE-2024-43905
- CVE-2024-43907
- CVE-2024-43908
- CVE-2024-43914
- CVE-2024-44935
- CVE-2024-44944
- CVE-2024-44946
- CVE-2024-44947
- CVE-2024-44954
- CVE-2024-44960
- CVE-2024-44965
- CVE-2024-44968
- CVE-2024-44971
- CVE-2024-44988
- CVE-2024-44989
- CVE-2024-44990
- CVE-2024-44995
- CVE-2024-45003
- CVE-2024-45006
- CVE-2024-45016
- CVE-2024-45018
- CVE-2024-45021
- CVE-2024-45025
- CVE-2024-45028
- CVE-2024-46675
- CVE-2024-46676
- CVE-2024-46677
- CVE-2024-46679
- CVE-2024-46685
- CVE-2024-46689
- CVE-2024-46702
- CVE-2024-46707
- CVE-2024-46714
- CVE-2024-46719
- CVE-2024-46721
- CVE-2024-46737
- CVE-2024-46739
- CVE-2024-46750
- CVE-2024-46755
- CVE-2024-46763
- CVE-2024-46771
- CVE-2024-46777
- CVE-2024-46780
- CVE-2024-46781
- CVE-2024-46783
- CVE-2024-46791
- CVE-2024-46817
- CVE-2024-46819
- CVE-2024-46822
- CVE-2024-46829
- CVE-2024-46840
- CVE-2024-47663
- GHSA-jq35-85cj-fj4p
- Low-severity container vulnerabilities:
Known issues:
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
November 22, 2024
Release 1.30.300-gke.84
Google Distributed Cloud for bare metal 1.30.300-gke.84 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.300-gke.84 runs on Kubernetes 1.30.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
Fixes:
Fixed an issue where the control plane VIP might become unavailable because Keepalived didn't check correctly that the VIP is on a node with a responsive HAProxy.
Fixed an issue where the registry mirror reachability check fails for a single unreachable registry mirror. Now the reachability check applies to configured registry mirrors only, instead of all registry mirrors.
The following container image security vulnerabilities have been fixed in 1.30.300-gke.84:
Low-severity container vulnerabilities:
Known issues:
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
October 10, 2024
Release 1.30.200-gke.101
Google Distributed Cloud for bare metal 1.30.200-gke.101 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.200-gke.101 runs on Kubernetes 1.30.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
Updated the bmctl update command to identify differences (if any) between the preview feature annotations in the cluster configuration file and the annotations in the deployed Cluster resource.
Fixes:
Fixed an issue where the control plane VIP might become unavailable because Keepalived didn't check correctly that the VIP is on a node with a responsive HAProxy.
Fixed Cloud Audit Logging failure due to allowlisting issue with multiple project IDs.
The following container image security vulnerabilities have been fixed in 1.30.200-gke.101:
Critical container vulnerabilities:
High-severity container vulnerabilities:
Medium-severity container vulnerabilities:
Low-severity container vulnerabilities:
Known issues:
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
September 25, 2024
Release 1.30.100-gke.96
Google Distributed Cloud for bare metal 1.30.100-gke.96 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.100-gke.96 runs on Kubernetes 1.30.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
Functionality changes:
- Added the --skip-preflight flag to the bmctl upgrade command to prevent preflight checks from running during an upgrade.
The following container image security vulnerabilities have been fixed in 1.30.100-gke.96:
High-severity container vulnerabilities:
Medium-severity container vulnerabilities:
Known issues:
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.
August 29, 2024
Release 1.30.0-gke.1930
Google Distributed Cloud for bare metal 1.30.0-gke.1930 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.30.0-gke.1930 runs on Kubernetes 1.30.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
Version 1.16 end of life: In accordance with the Version Support Policy, version 1.16 (all patch releases) of Google Distributed Cloud for bare metal has reached its end of life and is no longer supported.
New and updated features:
Preview: Added support for keyless mode for clusters. This feature uses short-lived tokens and Workload Identity Federation for your cluster and workload credentials, instead of the default long-lived service account keys and Kubernetes Secrets. This feature provides improved security and reduces credential maintenance.
Preview: Added support for Custom Scheduler Configuration for pods to automatically spread workloads across cluster nodes for increased reliability.
GA: Added support for admin and hybrid clusters to manage multiple versions of user clusters concurrently.
GA: Added support for node-level private registry configuration for workload images.
GA: Updated the bmctl update command to display the difference between the specs in the YAML cluster configuration file and the deployed Cluster resource. The diff covers the specs for both the Cluster resource and the NodePool resource.
GA: Added support for rolling back select node pool upgrades.
GA: Added support for specifying a session duration for Identity Service-issued tokens. You can set a session duration between 15 and 1440 minutes (24 hours). Shorter sessions provide better security (at the cost of more frequent reauthentication). Longer sessions reduce the frequency for reauthentication (at the cost of reduced security).
Preview: Updated the gcloud beta container fleet memberships get-credentials command to use a connect gateway preview feature that lets you run the kubectl attach, cp, and exec commands. For more information, see Limitations.
Functionality changes:
Updated the node pool upgrade behavior. Version 1.30 and higher clusters support all node pool versions from the preceding two minor versions. The preview.baremetal.cluster.gke.io/two-minor-version-node-pool: enable annotation isn't required when upgrading clusters from version 1.29 to version 1.30.
Updated the bmctl version command to return the metadata image digest in the response. To print only the metadata image digest, specify the new --option value metadata-digest.
Deprecated the spec.gkeVersion field in the Machine custom resource. Starting with version 1.30.0, the spec.gkeVersion field is set to empty. For accurate version information, use anthosBareMetalVersion (GDC for bare metal version) in the Cluster resource spec or gkeVersion (Kubernetes version) in the Cluster resource status.
Updated Kubernetes audit logging to include request and response payloads from the Kubernetes API server for bare metal custom resources, such as Cluster, NodePool, BareMetalMachine, and BareMetalCluster.
Updated registry mirror support to allow you to specify a port for host addresses.
Updated the networking preflight check to verify that either the ip_tables or the nf_tables kernel module is available for loading, instead of requiring it to be explicitly loaded.
Updated the stackdriver custom resource to remove the feature gate for using Managed Service for Prometheus for system metrics, featureGates.GMPForSystemMetrics. This feature gate has defaulted to on (true) since version 1.16. If you have manually disabled using Managed Service for Prometheus for system metrics, upgrading to version 1.30 might be a breaking change for some system metrics formats.
Added checks to validate the SSH client certificate file type before saving the certificate as a Secret.
Updated the GKE Identity Service custom resource definition to change the description for IdentityServiceOptions and improve formatting.
Added preflight checks for available disk space in specific directories:
During cluster creation, the following directories are checked:
- / (the root directory) has at least 4 GiB of free space
- /var/log/fluent-bit-buffers has at least 12 GiB of free space
- /var/opt/buffered-metrics has at least 10016 MiB of free space
During a cluster upgrade, the following directory is checked:
- / (the root directory) has at least 2 GiB of free space
GA: Adopted the GKE audit policy, instead of the previous unpopulated policy.
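The disk-space thresholds and the relaxed ip_tables/nf_tables check above are the two preflight conditions an operator can most easily vet on a node ahead of time. The script below is an added example, not bmctl's own preflight code: it measures free space on the filesystem backing each listed directory (walking up to the nearest existing parent when a directory has not been created yet) and treats a netfilter module as available when it is loaded, compiled into the kernel, or resolvable by a modprobe dry run, which is the "available for loading" condition the updated check uses. Paths and MiB limits are taken from the release notes; everything else is this example's own design.

```shell
#!/bin/sh
# Added example (not bmctl code): node-side self-check of the 1.30
# creation/upgrade preflight thresholds for free disk space and the
# ip_tables / nf_tables kernel module availability.

# free_mib DIR -> free MiB on the filesystem that holds DIR. A directory
# that does not exist yet is measured via its nearest existing parent.
free_mib() {
  d=$1
  while [ ! -d "$d" ]; do d=$(dirname "$d"); done
  df -Pm "$d" | awk 'NR == 2 { print $4 }'
}

# check_dir DIR MIN_MIB -> 0 if DIR has at least MIN_MIB free, else 1
check_dir() {
  free=$(free_mib "$1")
  free=${free:-0}
  if [ "$free" -ge "$2" ]; then
    printf 'OK   %-30s %10s MiB free (need %s)\n' "$1" "$free" "$2"
    return 0
  fi
  printf 'FAIL %-30s %10s MiB free (need %s)\n' "$1" "$free" "$2"
  return 1
}

# module_available NAME -> 0 if the module is currently loaded, compiled
# into the running kernel, or resolvable by a modprobe dry run; 1 otherwise.
module_available() {
  grep -qs "^$1 " /proc/modules && return 0
  grep -qs "/$1\.ko" "/lib/modules/$(uname -r)/modules.builtin" && return 0
  command -v modprobe >/dev/null 2>&1 || return 1
  modprobe -n -q "$1" 2>/dev/null
}

# netfilter_check -> 0 if either ip_tables or nf_tables is available
netfilter_check() {
  for m in ip_tables nf_tables; do
    if module_available "$m"; then
      echo "OK   kernel module $m is loaded or loadable"
      return 0
    fi
  done
  echo "FAIL neither ip_tables nor nf_tables is available to this kernel"
  return 1
}

# preflight_create -> 0 only if every creation-time check passes
preflight_create() {
  rc=0
  check_dir / 4096 || rc=1                              # 4 GiB
  check_dir /var/log/fluent-bit-buffers 12288 || rc=1   # 12 GiB
  check_dir /var/opt/buffered-metrics 10016 || rc=1     # 10016 MiB
  netfilter_check || rc=1
  return $rc
}

# preflight_upgrade -> 0 only if the upgrade-time check passes
preflight_upgrade() {
  rc=0
  check_dir / 2048 || rc=1                              # 2 GiB
  netfilter_check || rc=1
  return $rc
}

# Run as "sh preflight.sh create" or "sh preflight.sh upgrade".
case ${1:-} in
  create)  preflight_create ;;
  upgrade) preflight_upgrade ;;
esac
```

Running this on each node before bmctl upgrade cluster surfaces the same failures the real preflight would, without starting the upgrade; it is a complement to the product check, not a reason to pass --skip-preflight.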
Fixes:
Fixed an issue where old, inoperable WebHook resources caused problems with cluster upgrades.
Fixed an issue where upgraded clusters didn't get label updates that match the labels applied for newly created clusters, for a given version.
Fixed an issue where service accounts created by using the --create-service-accounts flag with the bmctl create config command don't have enough permissions.
Fixed an issue where the kubelet doesn't honor the shortened, 1-second grace period for pod deletion during eviction-based draining.
The following container image security vulnerabilities have been fixed in 1.30.0-gke.1930:
High-severity container vulnerabilities:
Medium-severity container vulnerabilities:
Low-severity container vulnerabilities:
Known issues:
For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.