Google Distributed Cloud air-gapped 1.14.3 hotfixes

Hotfix 18


The 1.14.3-gdch.9425-18 hotfix is available.

This hotfix fixes the following issues:

Object storage:

  • Added support for S3 GetBucketVersioning.
  • Cannot upload to sync dual-zone buckets using signed URLs.
  • DeleteObject returns 500 for non-current versioned deletes.
  • With dual-zone buckets, S3 secrets are not generated after binding the project-bucket-object-admin role to a service account.

Hotfix 17


The 1.14.3-gdch.9425-17 hotfix is available.

This hotfix fixes the following issues:

File storage:

  • The Trident CSI driver deletes NetApp ONTAP volumes when they are offline, potentially leading to data loss.
  • Multi-attach errors occur for volumes after cold reboot or node de-provision scenarios.
  • The project-fileshare-admin role is missing patch and update access.
  • Snapshots are not deleted in infra clusters when deleted in a user cluster.

Managed Kubernetes Service:

  • Revert moving vanilla cluster VMs to user projects.

Networking:

  • Invalid error code affects project network policies.
  • A large CT eBPF map leads to create endpoint and delete endpoint failures.
  • Leaked services might cause service IP duplication.

Hotfix 16


The 1.14.3-gdch.9425-16 hotfix is available.

This hotfix fixes the following issues:

Identity and access management:

  • There are forbidden errors when accessing vanilla Kubernetes clusters using kubeconfig from gdcloud.

Endpoint detection response:

  • The endpoint detection response subcomponent gets stuck in a reconciliation error state.

Managed Kubernetes Service:

  • Cluster validation should use the cluster's pod density when validating nodes.

Networking:

  • The subnet predefined roles are missing verbs.

Platform authentication:

  • CSRs for intermediary CAs are missing the basic constraint for CA.
  • Added support for reusing a system domain in managed public DNS.

Ticketing system:

  • An alert is not fired when the ticketing system is unavailable.

Hotfix 15


The 1.14.3-gdch.9425-15 hotfix is available.

This hotfix fixes the following issues:

Console:

  • There is an error when creating a role binding with a non-existent role.
  • You can't add multiple role bindings to a service account in the Console.

Identity and access management:

  • Added gdcloud get-credentials support for vanilla clusters.
  • Custom roles should generate templates with the same name for global and zonal APIs.
  • Exposed CertificateAuthority data on the well-known server.
  • The identity and access management page is broken.
  • There is an error when creating a role binding to a custom role.
  • You can't attach user roles in the Console.

Managed Kubernetes Service:

  • Move the vanilla cluster VMs to a user project.
  • There are missing machine types for n3 type.

Hotfix 14


The 1.14.3-gdch.9425-14 hotfix is available.

This hotfix fixes the following issues:

Console:

  • The identity and access management page is broken.

Multizone:

  • A pod in a vanilla cluster in zone1 cannot access the Management API server in zone2.

Hotfix 13


The 1.14.3-gdch.9425-13 and 1.14.3-gdch.8490-13 hotfixes are available.

This hotfix fixes the following issues:

Console:

  • Custom role creation does not work.
  • Custom role creation from project scope shouldn't show the Limit to selected projects checkbox.

DNS:

  • A pod in a vanilla cluster in zone1 cannot access the Management API server in zone2.

Monitoring:

  • A pod in a vanilla cluster in zone1 cannot access the Management API server in zone2.

Networking:

  • Controllers are stuck for hours in the unet-cm-backend-controller pod.
  • Multiple clustermesh API servers reached their defined CPU limits.
  • Data exfiltration protection (DEP) cannot be enabled on a global project that has DEP disabled.

Object storage:

  • GetBucketVersioning for S3 is not supported.
  • There is an error while initiating cp between different folders in a bucket.

Platform authentication:

  • Cert Manager fails to issue certificates.

SIEM:

  • You can't connect to a Splunk host from a user cluster.

Hotfix 12


The 1.14.3-gdch.9425-12 and 1.14.3-gdch.8490-12 hotfixes are available.

This hotfix fixes the following issues:

Console:

  • The global DNS is not resolving from a GDC VM.

Networking:

  • Updated allow-all-ingress and allow-all-egress PNP Translation.
  • Allow egress traffic from user workloads to system workloads automatically.
  • The global DNS server is not reachable.

Object storage:

  • Downloading from an S3 bucket fails.

Hotfix 11


The 1.14.3-gdch.9425-11 hotfix is available.

This hotfix fixes the following issues:

Endpoint detection response:

  • Nessus manager has duplicate agents and managers.
  • There are gaps in EDR coverage on the perimeter, user, and service clusters.

Identity and access management:

  • The service identity server fails to authenticate using zonal service account keys.

Service mesh:

  • The dataplane-ingress-gateway pods are missing the networking.private.gdc.goog/infra-access: enabled label.

Virtual machines:

  • There is a backwards compatibility issue for subnets.