This page contains a historical archive of Kubernetes version notes for unsupported versions. To view more recent version notes, see Kubernetes version notes.
Kubernetes 1.27
1.27.14-gke.1600
1.27.14-gke.1200
- Security Fixes:
- Fixed CVE-2024-6387
- Fixed CVE-2024-26583
- Fixed CVE-2024-26584
- Fixed CVE-2024-26585
- Fixed CVE-2023-52447
- Fixed CVE-2024-26809
- Fixed CVE-2024-26808
- Fixed CVE-2024-26924
- Fixed CVE-2024-26925
1.27.14-gke.700
- Security Fixes:
- Fixed CVE-2024-0985
1.27.13-gke.500
- Security Fixes:
- Fixed CVE-2023-52620.
- Fixed CVE-2024-1085.
- Fixed CVE-2024-26581.
1.27.12-gke.800
- Bug Fix: Fixed an issue with the cluster autoscaler so that it respects user-configured labels and taints on node pools. This enhancement enables accurate scaling up from zero nodes, and enables more precise provisioning of your clusters. This change fixes the following Known issue.
- Security Fixes:
- Fixed CVE-2020-29509
- Fixed CVE-2020-29511
- Fixed CVE-2020-29652
- Fixed CVE-2021-29923
- Fixed CVE-2021-3121
- Fixed CVE-2021-31525
- Fixed CVE-2021-33195
- Fixed CVE-2021-33196
- Fixed CVE-2021-33197
- Fixed CVE-2021-33198
- Fixed CVE-2021-34558
- Fixed CVE-2021-36221
- Fixed CVE-2021-38297
- Fixed CVE-2021-38561
- Fixed CVE-2021-39293
- Fixed CVE-2021-41771
- Fixed CVE-2021-41772
- Fixed CVE-2021-43565
- Fixed CVE-2021-44716
- Fixed CVE-2022-1705
- Fixed CVE-2022-1962
- Fixed CVE-2022-21698
- Fixed CVE-2022-23772
- Fixed CVE-2022-23773
- Fixed CVE-2022-23806
- Fixed CVE-2022-24675
- Fixed CVE-2022-24921
- Fixed CVE-2022-27664
- Fixed CVE-2022-28131
- Fixed CVE-2022-28327
- Fixed CVE-2022-2879
- Fixed CVE-2022-2880
- Fixed CVE-2022-29526
- Fixed CVE-2022-30580
- Fixed CVE-2022-30629
- Fixed CVE-2022-30630
- Fixed CVE-2022-30631
- Fixed CVE-2022-30632
- Fixed CVE-2022-30633
- Fixed CVE-2022-30635
- Fixed CVE-2022-32148
- Fixed CVE-2022-32149
- Fixed CVE-2022-32189
- Fixed CVE-2022-41715
- Fixed CVE-2022-41717
1.27.11-gke.1600
- Bug Fix: Fixed an issue where the Instance Metadata Service (IMDS) emulator sometimes failed to bind to an IP address on the node. The IMDS emulator enables nodes to securely access AWS EC2 instance metadata.
1.27.10-gke.500
- Bug Fixes:
- Fixed a bug for file descriptor leak in runc (CVE-2024-21626).
- Security Fixes:
- Fixed CVE-2023-39323.
- Fixed CVE-2023-39325.
- Fixed CVE-2023-39326.
- Fixed CVE-2023-3978.
- Fixed CVE-2023-44487.
- Fixed CVE-2023-45142.
- Fixed CVE-2023-45285.
- Fixed CVE-2023-48795.
- Fixed CVE-2024-0193.
- Fixed CVE-2023-6932.
- Fixed CVE-2023-6931.
- Fixed CVE-2024-0193.
- Fixed CVE-2023-6817.
1.27.9-gke.100
- Security Fixes
- Fixed CVE-2023-5363.
- Fixed CVE-2023-47038.
- Fixed CVE-2023-5981.
- Fixed CVE-2023-2975.
- Fixed CVE-2023-40217.
- Fixed CVE-2023-29002.
- Fixed CVE-2023-38545.
- Fixed CVE-2023-28321.
- Fixed CVE-2023-0464.
- Fixed CVE-2023-1255.
- Fixed CVE-2023-41332.
- Fixed CVE-2023-0465.
- Fixed CVE-2023-4016.
- Fixed CVE-2022-29458.
- Fixed CVE-2022-3996.
- Fixed CVE-2023-2602.
- Fixed CVE-2023-38546.
- Fixed CVE-2023-34242.
- Fixed CVE-2023-0466.
- Fixed CVE-2022-48522.
- Fixed CVE-2023-28322.
- Fixed CVE-2023-30851.
- Fixed CVE-2023-2283.
- Fixed CVE-2023-27594.
- Fixed CVE-2023-2603.
- Fixed CVE-2023-27593.
- Fixed CVE-2023-5156.
- Fixed CVE-2023-39347.
- Fixed CVE-2023-1667.
- Fixed CVE-2023-2650.
- Fixed CVE-2023-31484.
- Fixed CVE-2023-27595.
- Fixed CVE-2023-41333.
- Fixed CVE-2023-5869.
- Fixed CVE-2023-39417.
- Fixed CVE-2023-5868.
- Fixed CVE-2023-5870.
- Fixed GHSA-6xv5-86q9-7xr8.
1.27.7-gke.600
Feature: Added support for creating node pools using the 'G5' AWS EC2 instance.
Bug Fix: Enhanced Cloud Logging's ingestion of logs from Anthos clusters on AWS:
- Fixed an issue in timestamp parsing.
- Assigned the correct severity level to the
anthos-metadata-agent
's error logs.
Security Fixes
- Fixed CVE-2023-5197
- Fixed CVE-2023-44487
- Fixed CVE-2023-39325
- Fixed CVE-2023-4147
- Fixed CVE-2022-1996
1.27.6-gke.700
- Security Fixes
- Fixed CVE-2015-3276
- Fixed CVE-2022-29155
1.27.5-gke.200
Feature: Ubuntu 22.04 now uses linux-aws 6.2 kernel version.
Security Fixes
- Fixed CVE-2023-3610
- Fixed CVE-2023-3776
- Fixed CVE-2023-3611
1.27.4-gke.1600
Kubernetes OSS release notes * Deprecation: Disabled the unauthenticated kubelet read-only port 10255. Once a node pool is upgraded to version 1.27, workloads running on it will no longer be able to connect to port 10255.
- Feature: AWS Surge update feature is available in preview mode. Surge updates allow you to configure the speed and disruption of node pool updates. Please contact your account team to opt into the preview.
- Feature: Upgraded the EBS CSI Driver to v1.20.0.
- Feature: Upgraded the EFS CSI Driver to v1.5.7.
Feature: Upgraded the
snapshot-controller
andcsi-snapshot-validation-webhook
to v6.2.2. This new version introduces an important change to the API. Specifically, theVolumeSnapshot
,VolumeSnapshotContents
, andVolumeSnapshotClass
v1beta1 APIs are no longer available.Feature: Added support for a new
admin-groups
flag in the create and update APIs. This flag allows customers to quickly and easily authenticate listed groups as cluster administrators, eliminating the need to manually create and apply RBAC policies.Feature: Added Binary Authorization support which is a deploy-time security control that ensures only trusted container images are deployed. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process. For details about how to enable Binary Authorization on your clusters, see How to enable Binary Authorization.
Feature: Enabled gzip compression for
fluent-bit
(a log processor and forwarder),gke-metrics-agent
(a metrics collector), andaudit-proxy
(an audit log proxy).fluent-bit
compresses log data from both control plane and workloads before sending it to Cloud Logging,gke-metrics-agent
compresses metrics data from both control plane and workloads before sending it to Cloud Monitoring, andaudit-proxy
compresses audit log data before sending it to Audit Logging. This reduces network bandwidth and costs.Feature: Creating AWS SPOT node pools is now GA.
Feature: Node Auto Repair is now GA.
Feature: Improved security by adding file-integrity checks and fingerprint validation for binary artifacts downloaded from Cloud Storage.
Feature: Added an
ignore_errors
option to the delete API to handle cases where accidentally deleted IAM roles or manual removal of resources prevent the deletion of clusters or node pools. By appending?ignore_errors=true
to theDELETE
request URL, users can now forcibly remove clusters or node pools. However, this approach might result in orphaned resources in AWS or Azure, requiring manual cleanup.Feature: Added support for automatic periodic defragmentation of
etcd
andetcd-events
on the control plane. This feature reduces unnecessary disk storage and helps to preventetcd
and the control plane from becoming unavailable due to disk storage issues.Feature: Changed the metrics names for Kubernetes resource metrics to use a metrics prefix of
kubernetes.io/anthos/
rather thankubernetes.io/
. For details refer to the metrics reference documentation.Feature: Changed default etcd version to v3.4.21 on new clusters for improved stability. Existing clusters upgraded to this version will use etcd v3.5.6.
Feature: Improved node resource management by reserving resources for the kubelet. While this feature is crucial for preventing Out of Memory (OOM) errors by ensuring system and Kubernetes processes have the resources they need, it may lead to workload disruptions. The reservation of resources for the kubelet may affect the available resources for Pods, potentially affecting the capacity of smaller nodes to handle existing workloads. Customers should verify that smaller nodes can still support their workloads with this new feature activated.
- The reserved memory percentages are as follows:
- 255 MiB for machines with less than 1GB of memory
- 25% of the first 4GB of memory
- 20% of the next 4GB
- 10% of the next 8GB
- 6% of the next 112GB
- 2% of any memory above 128GB
- The reserved CPU percentages are as follows:
- 6% of the first core
- 1% of the next core
- 0.5% of the next 2 cores
- 0.25% of any cores above 4 cores
Bug Fixes
- Enabled the cluster autoscaler to balance nodes across different
availability zones. This is achieved using the
--balance-similar-node-groups
flag.
- Enabled the cluster autoscaler to balance nodes across different
availability zones. This is achieved using the
Security Fixes
- Fixed CVE-2021-43565
- Fixed CVE-2022-3821
- Fixed CVE-2022-4415
- Fixed CVE-2022-21698
- Fixed CVE-2022-41723.
- Fixed CVE-2022-41725.
- Fixed CVE-2023-24539
- Fixed CVE-2023-24540
- Fixed CVE-2023-29400
Kubernetes 1.26
1.26.14-gke.1500
- Bug Fix: Fixed an issue where the Instance Metadata Service (IMDS) emulator sometimes failed to bind to an IP address on the node. The IMDS emulator enables nodes to securely access AWS EC2 instance metadata.
1.26.13-gke.400
- Bug Fixes:
- Fixed a bug for file descriptor leak in runc (CVE-2024-21626).
- Security Fixes:
- Fixed CVE-2021-43565.
- Fixed CVE-2022-21698.
- Fixed CVE-2022-27191.
- Fixed CVE-2022-28948.
- Fixed CVE-2023-39318.
- Fixed CVE-2023-39319.
- Fixed CVE-2023-39323.
- Fixed CVE-2023-39325.
- Fixed CVE-2023-39326.
- Fixed CVE-2023-3978.
- Fixed CVE-2023-44487.
- Fixed CVE-2023-45142.
- Fixed CVE-2023-45285.
- Fixed CVE-2023-47108.
- Fixed CVE-2023-48795.
- Fixed CVE-2024-0193.
- Fixed CVE-2023-6932.
- Fixed CVE-2023-6931.
- Fixed CVE-2024-0193.
- Fixed CVE-2023-6817.
1.26.12-gke.100
- Security Fixes
- Fixed CVE-2023-5363.
- Fixed CVE-2023-47038.
- Fixed CVE-2023-5981.
- Fixed CVE-2023-2975.
- Fixed CVE-2023-4527.
- Fixed CVE-2023-29002.
- Fixed CVE-2023-38545.
- Fixed CVE-2023-28321.
- Fixed CVE-2023-0464.
- Fixed CVE-2023-1255.
- Fixed CVE-2023-41332.
- Fixed CVE-2023-0465.
- Fixed CVE-2023-4016.
- Fixed CVE-2022-29458.
- Fixed CVE-2022-3996.
- Fixed CVE-2023-2602.
- Fixed CVE-2023-38546.
- Fixed CVE-2023-34242.
- Fixed CVE-2023-0466.
- Fixed CVE-2022-48522.
- Fixed CVE-2023-28322.
- Fixed CVE-2023-30851.
- Fixed CVE-2023-2283.
- Fixed CVE-2023-27594.
- Fixed CVE-2023-2603.
- Fixed CVE-2023-27593.
- Fixed CVE-2023-5156.
- Fixed CVE-2023-39347.
- Fixed CVE-2023-1667.
- Fixed CVE-2023-2650.
- Fixed CVE-2023-31484.
- Fixed CVE-2023-27595.
- Fixed CVE-2023-41333.
- Fixed CVE-2023-5869.
- Fixed CVE-2023-39417.
- Fixed CVE-2023-5868.
- Fixed CVE-2023-5870.
1.26.10-gke.600
Feature: Added support for creating node pools using the 'G5' AWS EC2 instance.
Bug Fix: Upgraded the Elastic File System (EFS) Container Storage Interface (CSI) driver
aws-efs-csi-driver
to version v1.3.8-gke.21.Bug Fix: Enhanced Cloud Logging's ingestion of logs from Anthos clusters on AWS:
- Fixed an issue in timestamp parsing.
- Assigned the correct severity level to the
anthos-metadata-agent
's error logs.
Security Fixes
- Fixed CVE-2023-5197
- Fixed CVE-2023-44487
- Fixed CVE-2023-39325
- Fixed CVE-2023-4147
- Fixed CVE-2022-1996
1.26.9-gke.700
- Security Fixes
- Fixed CVE-2015-3276
- Fixed CVE-2022-29155
1.26.8-gke.200
Feature: Ubuntu 22.04 now uses linux-aws 6.2 kernel version.
Security Fixes
- Fixed CVE-2023-3610
- Fixed CVE-2023-3776
- Fixed CVE-2023-3611
1.26.7-gke.500
- Security Fixes
- Fixed CVE-2022-3821
- Fixed CVE-2022-4415
1.26.5-gke.1400
- Security Fixes
- Fixed CVE-2022-27664
- Fixed CVE-2022-32149
- Fixed CVE-2022-41723
- Fixed CVE-2023-24534
- Fixed CVE-2023-24536
- Fixed CVE-2023-24537
- Fixed CVE-2023-24538
1.26.5-gke.1200
- Bug Fixes
- Configures the cluster autoscaler to balance the number of nodes across availability zones using --balance-similar-node-groups.
1.26.4-gke.2200
Kubernetes OSS release notes * Feature: Ubuntu 22.04 is using linux-aws 5.19 kernel.
Bug Fixes
- Fixed an issue where Kubernetes would incorrectly apply the default StorageClass to PersistentVolumeClaims which have the deprecated annotation volume.beta.kubernetes.io/storage-class.
- Fixed an issue in which the logging agent consumed increasingly high amounts of memory.
Security Fixes
- Fixed an issue affecting netfilter connection tracking (conntrack), which is responsible for monitoring network connections. The fix ensures proper insertion of new connections into the conntrack table and overcomes the limitations caused by changes made to Linux kernel versions 5.15 and higher.
1.26.2-gke.1001
Known Issue: Kubernetes 1.26.2 will incorrectly apply the default StorageClass to PersistentVolumeClaims which have the deprecated annotation
volume.beta.kubernetes.io/storage-class
.Feature: Updated OS image to Ubuntu 22.04.
cgroupv2
is now used as the default control group configuration.- Ubuntu 22.04 uses
cgroupv2
by default. We recommend that you check if any of your applications access thecgroup
filesystem. If they do, they must be updated to usecgroupv2
. Some example applications that might require updates to ensure compatibility withcgroupv2
are: - Third-party monitoring and security agents that depend on the
cgroup
filesystem. - If
cAdvisor
is being used as a stand-alone DaemonSet for monitoring Pods and containers, it should be updated to version v0.43.0 or later. - If you are using JDK, we recommend that you use version 11.0.16 and later, or version 15 and later. These versions fully support
cgroupv2
. - If you are using the uber-go/automaxprocs package, make sure to use version v1.5.1 or higher.
- Ubuntu 22.04 removes the
timesyncd
package. Instead,chrony
is now used for the Amazon Time Sync Service. - For more information, see the Ubuntu release notes
- Ubuntu 22.04 uses
Feature: Sends metrics for control plane components to Cloud Monitoring. This includes a subset of the Prometheus metrics from kube-apiserver, etcd, kube-scheduler, kube-controller-manager. Metrics names use the prefix
kubernetes.io/anthos/
.Feature: Enabled sending Kubernetes resource metadata to Google Cloud Platform, improving both the user interface and cluster metrics. For the metadata to be ingested properly, customers need to enable the
Config Monitoring for Ops
API. This API can be enabled either in the Google Cloud Console , or by manually enabling theopsconfigmonitoring.googleapis.com
API in the gcloud CLI. Additionally, customers must follow the steps outlined in the Authorize Cloud Logging/Monitoring documentation to add the necessary IAM bindings. If applicable, addopsconfigmonitoring.googleapis.com
to your Proxy Allowlist.Feature: Added preview feature for creating Spot AWS node pool.
Feature: Creating node pools using ARM-based (Graviton) instance types is now GA.
Feature: Enabled kubelet graceful node shutdown. Non-system Pods are given 15 seconds to terminate, after which system Pods (with the
system-cluster-critical
orsystem-node-critical
priority classes) have 15 seconds to gracefully terminate.Feature: Enabled Node auto repair feature in preview mode. Please contact your account team to opt into the preview.
Feature: Added tags to dynamically created EFS Access Point resource.
Feature: Clusters now have per-node-pool subnet security group rules instead of VPC-wide rules
- Previously, the control plane allowed inbound traffic from the entire primary IP range of the VPC on ports TCP/443 and TCP/8123, which are used by node pools.
- Now, the control plane narrows the allowed inbound traffic to each IP range of the node pool subnets on ports TCP/443 and TCP/8123; multiple node pools can share one subnet.
- This change supports node pools running outside of the VPC's primary IP range and improves the security of the control plane.
- If you relied on the VPC-wide security group rule for allowing traffic from outside of the cluster (e.g. from a bastion host for kubectl), then as part of the upgrade you should create a security group, add a VPC-wide rule to it, and attach the security group to the control plane (via the AwsCluster.controlPlane.securityGroupIds field).
Bug Fixes: Newly-created clusters now use etcd v3.4.21 for improved stability. Existing clusters of previous versions were already using etcd v3.5.x and will not be downgraded to v3.4.21 during cluster upgrade; these clusters will instead use v3.5.6.
Security Fix: Set the hop limit of the IMDS emulator response to 1. This secures the communication of IMDS data between the emulator and a workload.
Kubernetes 1.25
1.25.14-gke.700
- Security Fixes
- Fixed CVE-2015-3276
- Fixed CVE-2022-29155
1.25.13-gke.200
- Security Fixes
- Fixed CVE-2023-3610
- Fixed CVE-2023-3776
- Fixed CVE-2023-3611
1.25.12-gke.500
Kubernetes OSS release notes
* Feature: Expanded the list of metrics collected from node pools to include
gke-metrics-agent
, cilium-agent
, cilium-operator
, coredns
,
fluentbit-gke
, kubelet
, and konnectivity-agent
.
- Security Fixes
- Fixed CVE-2022-3821
- Fixed CVE-2022-4415
- Fixed CVE-2022-29458
- Fixed CVE-2023-0464
- Fixed CVE-2023-0465
- Fixed CVE-2023-0466
- Fixed CVE-2023-2650
1.25.10-gke.1400
- Security Fixes
- Fixed CVE-2022-27664
- Fixed CVE-2022-32149
- Fixed CVE-2023-29491
- Fixed CVE-2023-31484
1.25.10-gke.1200
- Bug Fixes
- Configures the cluster autoscaler to balance the number of nodes across availability zones using --balance-similar-node-groups.
- Security Fixes
- Migrated node pool metrics agent and metrics server to authenticated kubelet port.
1.25.8-gke.500
Bug Fixes
- Fixed an issue in which the logging agent consumed increasingly high amounts of memory.
Security Fixes
- Fixed CVE-2023-1872.
1.25.7-gke.1000
Feature: Added tags to dynamically created EFS Access Point resource.
Bug Fixes: Newly-created clusters now use etcd v3.4.21 for improved stability. Existing clusters of previous versions were already using etcd v3.5.x and will not be downgraded to v3.4.21 during cluster upgrade; these clusters will instead use v3.5.6.
1.25.6-gke.1600
Bug Fix: Fixed an issue that could cause cluster upgrades to fail if certain types of validating admission webhooks are registered.
Security Fixes
- Fixed CVE-2023-25153.
- Fixed CVE-2023-25173.
- Fixed CVE-2023-0286.
- Fixed CVE-2022-4450.
- Fixed CVE-2023-0215.
- Fixed CVE-2022-2097.
- Fixed CVE-2022-4304.
- Fixed CVE-2023-0461.
1.25.5-gke.2000
Kubernetes OSS release notes * Feature: Updated Anthos Identity Service to better handle concurrent authentication webhook requests.
- Bug Fix: Fixed an issue where certain errors were not propagated and reported during cluster create/update operations.
- Bug Fix: Fixed an issue with AWS EFS CSI driver where EFS hostnames can't be resolved when AWS VPC is configured to use a custom DNS server.
Bug Fix: Fixed an issue where authentication through the Anthos Service Mesh dashboard failed due to inability to impersonate end user.
Security Fixes
- Fixed CVE-2022-2097.
- Fixed CVE-2022-42898.
1.25.5-gke.1500
Known Issue: Some UI surfaces in Google Cloud console can't authorize to the cluster and might display the cluster as unreachable. A workaround is to manually apply RBAC permitting user impersonation. For details, see Troubleshooting.
Security Fixes
- Fixed CVE-2022-23471
- Fixed CVE-2021-46848
- Fixed CVE-2022-42898
1.25.4-gke.1300
Known Issue: Some UI surfaces in Google Cloud console can't authorize to the cluster and might display the cluster as unreachable. A workaround is to manually apply RBAC permitting user impersonation. For details, see Troubleshooting.
Deprecation: removed deprecated in-tree volume plugins flocker, quobyte and storageos.
Feature: Enhanced security by restricting static pods running on the cluster's control plane VMs to run as non-root Linux users.
Feature: Added support for dynamically updating AWS node pool security groups. To update security groups, you must have the following permissions in your API role -
ec2:ModifyInstanceAttribute
ec2:DescribeInstances
Feature: Added support for dynamically updating AWS node pool tags. To update node pool tags, you must have the following permissions in your API role -
autoscaling:CreateOrUpdateTags
autoscaling:DeleteTags
ec2:CreateTags
ec2:DeleteTags
ec2:DescribeLaunchTemplates
Feature: EFS dynamic provisioning is now available in GA for clusters at version 1.25 or later. To use this feature, you must add the following permissions to the control plane role:
ec2:DescribeAvailabilityZones
elasticfilesystem:DescribeAccessPoints
elasticfilesystem:DescribeFileSystems
elasticfilesystem:DescribeMountTargets
elasticfilesystem:CreateAccessPoint
elasticfilesystem:DeleteAccessPoint
Feature: Uploading of workload metrics using Google Managed Service for Prometheus with managed collection to Cloud Monarch is now available in GA.
Feature: Added support to enable and update CloudWatch metrics collection on AWS node pool's auto scaling group. To enable or update metrics collection via create or update API, you must add the following permissions to your API role:
autoscaling:EnableMetricsCollection
autoscaling:DisableMetricsCollection
Feature: Azure AD GA. This feature allows cluster admins to configure RBAC policies based on Azure AD groups for authorization in clusters. This supports retrieval of groups information for users belonging to more than 200 groups, thus overcoming a limitation of regular OIDC configured with Azure AD as the identity provider.
Feature: Added a new token manager (gke-token-manager) to generate tokens for control plane components, using the service account signing key. Benefits:
- Eliminate the dependency on kube-apiserver for control plane components to authenticate to Google services. Previously, control plane components would use the TokenRequest API and were reliant on a healthy kube-apiserver. Whereas now the gke-token-manager component mints the tokens directly using the service account signing key.
- Eliminate the RBAC for generating token for controlplane components.
- Uncouple the logging and kube-apiserver. So that the logging can be ingested before the kube-apiserver is up.
- Make the controlplane more resilience. When the kube-apiserver is out of service the controlplane components can still get the tokens and keep working.
Feature: As a preview feature, ingest a variety of metrics from the control plane components to Cloud Monitoring, including kube-apiserver, etcd, kube-scheduler and kube-controller-manager.
Feature: Users in a Google Group can access AWS clusters using Connect Gateway by granting necessary RBAC permission to the Group. More details at Set up the Connect gateway with Google Groups.
Bug Fix: Fixed an issue which could result in outdated versions of
gke-connect-agent
not being removed after cluster upgrades.Security Fixes
- Fixed CVE-2020-16156
- Fixed CVE-2021-3671
- Fixed CVE-2021-4037
- Fixed CVE-2021-43618
- Fixed CVE-2022-0171
- Fixed CVE-2022-1184
- Fixed CVE-2022-20421
- Fixed CVE-2022-2602
- Fixed CVE-2022-2663
- Fixed CVE-2022-2978
- Fixed CVE-2022-3061
- Fixed CVE-2022-3116
- Fixed CVE-2022-3176
- Fixed CVE-2022-32221
- Fixed CVE-2022-3303
- Fixed CVE-2022-35737
- Fixed CVE-2022-3586
- Fixed CVE-2022-3621
- Fixed CVE-2022-3646
- Fixed CVE-2022-3649
- Fixed CVE-2022-37434
- Fixed CVE-2022-3903
- Fixed CVE-2022-39188
- Fixed CVE-2022-39842
- Fixed CVE-2022-40303
- Fixed CVE-2022-40304
- Fixed CVE-2022-40307
- Fixed CVE-2022-40768
- Fixed CVE-2022-4095
- Fixed CVE-2022-41674
- Fixed CVE-2022-41916
- Fixed CVE-2022-42010
- Fixed CVE-2022-42011
- Fixed CVE-2022-42012
- Fixed CVE-2022-42719
- Fixed CVE-2022-42720
- Fixed CVE-2022-42721
- Fixed CVE-2022-42722
- Fixed CVE-2022-43680
- Fixed CVE-2022-43750
- Fixed CVE-2022-44638
Kubernetes 1.24
1.24.14-gke.2700
- Security Fixes
- Fixed CVE-2022-28321
- Fixed CVE-2022-44640
1.24.14-gke.1400
- Bug Fixes
- Configures the cluster autoscaler to balance the number of nodes across availability zones using --balance-similar-node-groups.
1.24.13-gke.500
Bug Fixes
- Fixed an issue in which the logging agent consumed increasingly high amounts of memory.
Security Fixes
- Fixed CVE-2023-1872.
1.24.11-gke.1000
- Bug Fixes: Newly-created clusters now use etcd v3.4.21 for improved stability. Existing clusters of previous versions were already using etcd v3.5.x and will not be downgraded to v3.4.21 during cluster upgrade; these clusters will instead use v3.5.6.
1.24.10-gke.1200
- Bug Fix: Fixed an issue that could cause cluster upgrades to fail if certain types of validating admission webhooks are registered.
- Bug Fix: Fixed Cilium security ID propagation so that IDs are properly passed in the tunnel header when requests are forwarded to Services of type NodePort and LoadBalancer.
- Security Fixes
- Fixed CVE-2023-25153.
- Fixed CVE-2023-25173.
- Fixed CVE-2023-0286.
- Fixed CVE-2022-4450.
- Fixed CVE-2023-0215.
- Fixed CVE-2022-2097.
- Fixed CVE-2022-4304.
- Fixed CVE-2023-0461.
1.24.9-gke.2000
Feature: Updated Anthos Identity Service to better handle concurrent authentication webhook requests.
Bug Fix: Fixed an issue where certain errors were not propagated and reported during cluster create/update operations.
Security Fixes
- Fixed CVE-2022-2097.
- Fixed CVE-2022-42898.
1.24.9-gke.1500
- Security Fixes
- Fixed CVE-2022-23471
- Fixed CVE-2021-46848
- Fixed CVE-2022-42898
1.24.8-gke.1300
Feature: Azure AD GA. This feature allows cluster admins to configure RBAC policies based on Azure AD groups for authorization in clusters. This supports retrieval of groups information for users belonging to more than 200 groups, thus overcoming a limitation of regular OIDC configured with Azure AD as the identity provider.
Security Fixes
- Fixed CVE-2020-16156
- Fixed CVE-2021-3671
- Fixed CVE-2021-4037
- Fixed CVE-2021-43618
- Fixed CVE-2022-0171
- Fixed CVE-2022-1184
- Fixed CVE-2022-20421
- Fixed CVE-2022-2602
- Fixed CVE-2022-2663
- Fixed CVE-2022-2978
- Fixed CVE-2022-3061
- Fixed CVE-2022-3116
- Fixed CVE-2022-3176
- Fixed CVE-2022-32221
- Fixed CVE-2022-3303
- Fixed CVE-2022-3586
- Fixed CVE-2022-3621
- Fixed CVE-2022-3646
- Fixed CVE-2022-3649
- Fixed CVE-2022-37434
- Fixed CVE-2022-3903
- Fixed CVE-2022-39188
- Fixed CVE-2022-39842
- Fixed CVE-2022-40303
- Fixed CVE-2022-40304
- Fixed CVE-2022-40307
- Fixed CVE-2022-40768
- Fixed CVE-2022-4095
- Fixed CVE-2022-41674
- Fixed CVE-2022-42010
- Fixed CVE-2022-42011
- Fixed CVE-2022-42012
- Fixed CVE-2022-42719
- Fixed CVE-2022-42720
- Fixed CVE-2022-42721
- Fixed CVE-2022-42722
- Fixed CVE-2022-43680
- Fixed CVE-2022-43750
- Fixed CVE-2022-44638
1.24.5-gke.200
Feature: Added the
iptables
to nodepool for supporting ASM.Security Fixes
- Fixed CVE-2022-40674
- Fixed CVE-2021-3999
- Fixed CVE-2022-1679
- Fixed CVE-2022-2795
- Fixed CVE-2022-3028
- Fixed CVE-2022-38177
- Fixed CVE-2022-38178
- Fixed CVE-2021-3502
- Fixed CVE-2021-44648
- Fixed CVE-2021-46829
- Fixed CVE-2022-2905
- Fixed CVE-2022-3080
- Fixed CVE-2022-35252
- Fixed CVE-2022-39190
- Fixed CVE-2022-41222
- Fixed CVE-2020-8287
- Fixed CVE-2022-1184
- Fixed CVE-2022-1586
- Fixed CVE-2022-1587
- Fixed CVE-2022-2153
- Fixed CVE-2022-39188
- Fixed CVE-2022-20422
- Fixed CVE-2021-3999
- Fixed CVE-2022-1586
- Fixed CVE-2022-1587
- Fixed CVE-2022-35252
- Fixed CVE-2020-35525
- Fixed CVE-2020-35527
- Fixed CVE-2021-20223
- Fixed CVE-2022-40674
- Fixed CVE-2022-37434
- Fixed CVE-2021-46828
- Fixed CVE-2021-3999
- Fixed CVE-2022-2509
- Fixed CVE-2022-1586
- Fixed CVE-2022-1587
- Fixed CVE-2022-40674
- Fixed CVE-2022-37434
- Fixed CVE-2021-3999
- Fixed CVE-2022-1587
- Fixed CVE-2022-1586
1.24.3-gke.2200
- Bug Fix: Fix a bug where creating a Kubernetes Service resource with type LoadBalancer and annotation
service.beta.kubernetes.io/aws-load-balancer-type: nlb
, would remain with an empty target group. See https://github.com/kubernetes/cloud-provider-aws/issues/301
1.24.3-gke.2100
- Feature: Upload Kubernetes resource metrics to Google Cloud Monitoring for Windows node pools.
- Feature: Provided a webhook for easy IMDS emulator injection.
- Feature: go1.18 stops accepting certificates signed with the SHA-1 hash algorithm by default. Admission/conversion webhooks or aggregated server endpoints using these insecure certificates will break by default in 1.24. The environment variable GODEBUG=x509sha1=1 is set in Anthos on-AWS clusters as a temporary workaround to let these insecure certificates continue to work. However, the go team is anticipated to remove support on this workaround in the near coming releases. Customers should check and ensure there aren't any admission/conversion webhooks or aggregated server endpoints that are using such insecure certificates before upgrading to the upcoming breaking version.
- Feature: GKE on AWS now supports EFS dynamic provisioning in preview mode,
for Kubernetes clusters at version 1.24 or later. To use this feature, you must
add the following permissions to the
control plane role:
ec2:DescribeAvailabilityZones
elasticfilesystem:DescribeAccessPoints
elasticfilesystem:DescribeFileSystems
elasticfilesystem:DescribeMountTargets
elasticfilesystem:CreateAccessPoint
elasticfilesystem:DeleteAccessPoint
Feature: Improve network connectivity checks during cluster and node pool creation to help troubleshooting.
Feature: Support updates to AWS control plane tags. To update tags, you need to add the following permissions to the API role -
autoscaling:CreateOrUpdateTags
autoscaling:DeleteTags
ec2:CreateTags
ec2:DescribeLaunchTemplates
ec2:DescribeSecurityGroupRules
ec2:DeleteTags
elasticloadbalancing:AddTags
elasticloadbalancing:RemoveTags
Feature: Upload workload metrics using Google Managed Service for Prometheus to Cloud Monarch is available as invite only private preview.
Security Fixes
- Fixed CVE-2022-34903.
- Fixed CVE-2021-4209.
- Fixed CVE-2022-29900.
- Fixed CVE-2022-29901.
- Fixed CVE-2022-2385.
- Fixed CVE-2022-1462
- Fixed CVE-2022-1882
- Fixed CVE-2022-21505
- Fixed CVE-2022-2585
- Fixed CVE-2022-23816
- Fixed CVE-2022-2509
- Fixed CVE-2022-2586
- Fixed CVE-2022-2588
- Fixed CVE-2022-26373
- Fixed CVE-2022-36879
- Fixed CVE-2022-36946
Kubernetes 1.23
1.23.16-gke.2800
Bug Fix: Fixed an issue that could cause cluster upgrades to fail if certain types of validating admission webhooks are registered.
Security Fixes
- Fixed CVE-2023-25153.
- Fixed CVE-2023-25173.
- Fixed CVE-2023-0215.
- Fixed CVE-2022-4450.
- Fixed CVE-2023-0286.
- Fixed CVE-2022-4304.
- Fixed CVE-2022-2097.
- Fixed CVE-2023-0461.
1.23.16-gke.200
- Bug Fix: Fixed an issue where certain errors were not propagated and reported during cluster create/update operations.
Bug Fix: Fixed cpp-httplib issues with kubeapi server unable to reach AIS.
Security Fixes
- Fixed CVE-2022-2097.
1.23.14-gke.1800
- Security Fixes
- Fixed CVE-2022-23471
- Fixed CVE-2021-46848
- Fixed CVE-2022-42898
1.23.14-gke.1100
Feature: Azure AD GA. This feature allows cluster admins to configure RBAC policies based on Azure AD groups for authorization in clusters. This supports retrieval of groups information for users belonging to more than 200 groups, thus overcoming a limitation of regular OIDC configured with Azure AD as the identity provider.
Security Fixes
- Fixed CVE-2016-10228
- Fixed CVE-2019-19126
- Fixed CVE-2019-25013
- Fixed CVE-2020-10029
- Fixed CVE-2020-16156
- Fixed CVE-2020-1752
- Fixed CVE-2020-27618
- Fixed CVE-2020-6096
- Fixed CVE-2021-27645
- Fixed CVE-2021-3326
- Fixed CVE-2021-33574
- Fixed CVE-2021-35942
- Fixed CVE-2021-3671
- Fixed CVE-2021-3999
- Fixed CVE-2021-43618
- Fixed CVE-2022-1586
- Fixed CVE-2022-1587
- Fixed CVE-2022-23218
- Fixed CVE-2022-23219
- Fixed CVE-2022-3116
- Fixed CVE-2022-32221
- Fixed CVE-2022-35737
- Fixed CVE-2022-37434
- Fixed CVE-2022-41916
- Fixed CVE-2022-43680
1.23.11-gke.300
- Feature: Added the
iptables
to nodepool for supporting ASM. - Security Fixes
- Fixed CVE-2021-3999
- Fixed CVE-2022-35252
- Fixed CVE-2020-35525
- Fixed CVE-2020-35527
- Fixed CVE-2021-20223
- Fixed CVE-2022-40674
- Fixed CVE-2022-37434
- Fixed CVE-2021-46828
- Fixed CVE-2021-3999
- Fixed CVE-2022-2509
- Fixed CVE-2022-1586
- Fixed CVE-2022-1587
- Fixed CVE-2022-40674
- Fixed CVE-2022-37434
- Fixed CVE-2021-46828
- Fixed CVE-2022-2509
- Fixed CVE-2021-3999
- Fixed CVE-2022-1587
- Fixed CVE-2022-1586
1.23.9-gke.2200
- Bug Fix: Fix a bug where creating a Kubernetes Service resource with type LoadBalancer and annotation
service.beta.kubernetes.io/aws-load-balancer-type: nlb
, would remain with an empty target group. See https://github.com/kubernetes/cloud-provider-aws/issues/301
1.23.9-gke.2100
- Security Fixes
- Fixed CVE-2022-34903.
- Fixed CVE-2021-4209.
- Fixed CVE-2022-29900.
- Fixed CVE-2022-29901.
- Fixed CVE-2022-2385.
- Fixed CVE-2021-4209
1.23.9-gke.800
- Security Fixes
- Fixed CVE-2022-34903.
- Fixed CVE-2021-4209.
- Fixed CVE-2022-29901.
- Fixed CVE-2022-28693.
- Fixed CVE-2022-29900.
- Fixed CVE-2022-23825.
- Fixed CVE-2022-31030.
1.23.8-gke.1700
- Security Fixes
- Fixed CVE-2020-1712.
- Fixed CVE-2021-4160.
- Fixed CVE-2021-43566.
- Fixed CVE-2022-0778.
- Fixed CVE-2022-1292.
- Fixed CVE-2022-1304.
- Fixed CVE-2022-1664.
- Fixed CVE-2022-2068.
- Fixed CVE-2022-2097.
- Fixed CVE-2022-2327.
- Fixed CVE-2022-32206.
- Fixed CVE-2022-32208.
1.23.7-gke.1300
- Feature: Disable profiling endpoint (/debug/pprof) by default in kube-scheduler and kube-controller-manager.
Feature: Update kube-apiserver and kubelet to only use Strong Cryptographic Ciphers. Supported Ciphers used by Kubelet:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256
Supported Ciphers used by kube api-server:
TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384
Feature: Add an instance metadata server (IMDS) emulator.
Security Fixes
- Fixed CVE-2022-1786.
- Fixed CVE-2022-29582.
- Fixed CVE-2022-29581.
- Fixed CVE-2022-1116.
Kubernetes 1.22
1.22.15-gke.100
- Feature: Added the
iptables
to nodepool for supporting ASM. - Security Fixes
- Fixed CVE-2021-3999
- Fixed CVE-2022-35252
- Fixed CVE-2020-35525
- Fixed CVE-2020-35527
- Fixed CVE-2021-20223
- Fixed CVE-2022-40674
- Fixed CVE-2022-37434
- Fixed CVE-2021-46828
- Fixed CVE-2021-3999
- Fixed CVE-2022-2509
- Fixed CVE-2022-1586
- Fixed CVE-2022-1587
- Fixed CVE-2022-40674
- Fixed CVE-2022-37434
- Fixed CVE-2021-46828
- Fixed CVE-2022-2509
- Fixed CVE-2021-3999
- Fixed CVE-2022-1587
- Fixed CVE-2022-1586
1.22.12-gke.2300
- Security Fixes
- Fixed CVE-2022-34903.
- Fixed CVE-2021-4209.
- Fixed CVE-2022-29900.
- Fixed CVE-2022-29901.
- Fixed CVE-2022-2385.
- Fixed CVE-2022-2509.
1.22.12-gke.1100
- Security Fixes
- Fixed CVE-2022-34903.
- Fixed CVE-2021-4209.
- Fixed CVE-2022-29901.
- Fixed CVE-2022-28693.
- Fixed CVE-2022-29900.
- Fixed CVE-2022-23825.
- Fixed CVE-2022-31030.
1.22.12-gke.200
- Security Fixes
- Fixed CVE-2020-1712.
- Fixed CVE-2021-4160.
- Fixed CVE-2021-43566.
- Fixed CVE-2022-0778.
- Fixed CVE-2022-1292.
- Fixed CVE-2022-1304.
- Fixed CVE-2022-1664.
- Fixed CVE-2022-2068.
- Fixed CVE-2022-2097.
- Fixed CVE-2022-2327.
- Fixed CVE-2022-32206.
- Fixed CVE-2022-32208.
1.22.10-gke.1500
- Security Fixes
- Fixed CVE-2022-1786.
- Fixed CVE-2022-29582.
- Fixed CVE-2022-29581.
- Fixed CVE-2022-1116.
1.22.8-gke.2100
- Feature: Windows nodes now use pigz to improve image layer extraction performance.
1.22.8-gke.1300
- Bug Fixes
- Fixed an issue where addons cannot be applied when Windows nodepools are enabled.
- Fixed an issue where logging agent could fill up attached disk space.
- Security Fixes
- Fixed CVE-2022-1055.
- Fixed CVE-2022-0886.
- Fixed CVE-2022-0492.
- Fixed CVE-2022-24769.
- This release includes the following Role-based access control (RBAC) changes:
- Scoped down
anet-operator
permissions for Lease update. - Scoped down
anetd
Daemonset permissions for Nodes and pods. - Scoped down
fluentbit-gke
permissions for service account tokens. - Scoped down
gke-metrics-agent
for service account tokens. - Scoped down
coredns-autoscaler
permissions for Nodes, ConfigMaps and Deployments.
1.22.8-gke.200
- Feature: The default instance type for clusters and node pools created under Kubernetes v1.22 is now m5.large instead of t3.medium.
- Feature: When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.
- Feature: As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.
- Feature: As a preview feature, you can now configure host machines as dedicated hosts.
- Feature: You can now view most common asynchronous cluster and nodepool boot errors in the long running operation error field. For more information, see the
gcloud container aws operations list
reference documentation. - Security Fixes
- Fixed CVE-2021-22600.
- Fixed CVE-2022-23648.
- Fixed CVE-2022-0001.
- Fixed CVE-2022-0002.
- Fixed CVE-2022-23960.
- Fixed CVE-2022-0847.
Kubernetes 1.21
1.21.14-gke.2900
- Security Fixes
- Fixed CVE-2022-2097.
- Fixed CVE-2022-32206.
- Fixed CVE-2022-32208.
- Fixed CVE-2022-34903.
- Fixed CVE-2021-4209.
- Fixed CVE-2022-29901.
- Fixed CVE-2022-28693.
- Fixed CVE-2022-29900.
- Fixed CVE-2022-23825.
- Fixed CVE-2022-31030.
1.21.14-gke.2100
- Security Fixes
- Fixed CVE-2016-10228.
- Fixed CVE-2018-16301.
- Fixed CVE-2018-25032.
- Fixed CVE-2019-18276.
- Fixed CVE-2019-20838.
- Fixed CVE-2019-25013.
- Fixed CVE-2020-14155.
- Fixed CVE-2020-27618.
- Fixed CVE-2020-27820.
- Fixed CVE-2020-29562.
- Fixed CVE-2020-6096.
- Fixed CVE-2020-8037.
- Fixed CVE-2021-20193.
- Fixed CVE-2021-22600.
- Fixed CVE-2021-26401.
- Fixed CVE-2021-27645.
- Fixed CVE-2021-28711.
- Fixed CVE-2021-28712.
- Fixed CVE-2021-28713.
- Fixed CVE-2021-28714.
- Fixed CVE-2021-28715.
- Fixed CVE-2021-3326.
- Fixed CVE-2021-35942.
- Fixed CVE-2021-36084.
- Fixed CVE-2021-36085.
- Fixed CVE-2021-36086.
- Fixed CVE-2021-36087.
- Fixed CVE-2021-36690.
- Fixed CVE-2021-3711.
- Fixed CVE-2021-3712.
- Fixed CVE-2021-3772.
- Fixed CVE-2021-39685.
- Fixed CVE-2021-39686.
- Fixed CVE-2021-39698.
- Fixed CVE-2021-3995.
- Fixed CVE-2021-3996.
- Fixed CVE-2021-3999.
- Fixed CVE-2021-4083.
- Fixed CVE-2021-4135.
- Fixed CVE-2021-4155.
- Fixed CVE-2021-4160.
- Fixed CVE-2021-4197.
- Fixed CVE-2021-4202.
- Fixed CVE-2021-43566.
- Fixed CVE-2021-43618.
- Fixed CVE-2021-43975.
- Fixed CVE-2021-43976.
- Fixed CVE-2021-44733.
- Fixed CVE-2021-45095.
- Fixed CVE-2021-45469.
- Fixed CVE-2021-45480.
- Fixed CVE-2022-0001.
- Fixed CVE-2022-0002.
- Fixed CVE-2022-0330.
- Fixed CVE-2022-0435.
- Fixed CVE-2022-0492.
- Fixed CVE-2022-0516.
- Fixed CVE-2022-0617.
- Fixed CVE-2022-0778.
- Fixed CVE-2022-1011.
- Fixed CVE-2022-1016.
- Fixed CVE-2022-1055.
- Fixed CVE-2022-1116.
- Fixed CVE-2022-1158.
- Fixed CVE-2022-1198.
- Fixed CVE-2022-1271.
- Fixed CVE-2022-1292.
- Fixed CVE-2022-1304.
- Fixed CVE-2022-1353.
- Fixed CVE-2022-1516.
- Fixed CVE-2022-1664.
- Fixed CVE-2022-1966.
- Fixed CVE-2022-20008.
- Fixed CVE-2022-20009.
- Fixed CVE-2022-2068.
- Fixed CVE-2022-21123.
- Fixed CVE-2022-21125.
- Fixed CVE-2022-21166.
- Fixed CVE-2022-21499.
- Fixed CVE-2022-22576.
- Fixed CVE-2022-22942.
- Fixed CVE-2022-23036.
- Fixed CVE-2022-23037.
- Fixed CVE-2022-23038.
- Fixed CVE-2022-23039.
- Fixed CVE-2022-23040.
- Fixed CVE-2022-23041.
- Fixed CVE-2022-23042.
- Fixed CVE-2022-23218.
- Fixed CVE-2022-23219.
- Fixed CVE-2022-2327.
- Fixed CVE-2022-23960.
- Fixed CVE-2022-24407.
- Fixed CVE-2022-24448.
- Fixed CVE-2022-24958.
- Fixed CVE-2022-24959.
- Fixed CVE-2022-25258.
- Fixed CVE-2022-25375.
- Fixed CVE-2022-25636.
- Fixed CVE-2022-26490.
- Fixed CVE-2022-26966.
- Fixed CVE-2022-27223.
- Fixed CVE-2022-27666.
- Fixed CVE-2022-27774.
- Fixed CVE-2022-27775.
- Fixed CVE-2022-27776.
- Fixed CVE-2022-27781.
- Fixed CVE-2022-27782.
- Fixed CVE-2022-28356.
- Fixed CVE-2022-28388.
- Fixed CVE-2022-28389.
- Fixed CVE-2022-28390.
- Fixed CVE-2022-29155.
- Fixed CVE-2022-29581.
- Fixed CVE-2022-30594.
1.21.11-gke.1900
- Security Fixes
- Fixed CVE-2022-1786.
- Fixed CVE-2022-29582.
- Fixed CVE-2022-29581.
- Fixed CVE-2022-1116.
1.21.11-gke.1800
1.21.11-gke.1100
- Security Fixes
- Fixed CVE-2022-1055.
- Fixed CVE-2022-0886.
- Fixed CVE-2022-0492.
- Fixed CVE-2022-24769.
- RBAC fixes:
- Scoped down anet-operator permissions for Lease update.
- Scoped down anetd Daemonset permissions for Nodes and pods.
- Scoped down fluentbit-gke permissions for service account tokens.
- Scoped down gke-metrics-agent for service account tokens.
- Scoped down coredns-autoscaler permissions for Nodes, ConfigMaps and Deployments.
1.21.11-gke.100
- Security Fixes
- Fixed CVE-2021-22600.
- Fixed CVE-2022-23648.
- Fixed CVE-2022-23648.
- Fixed CVE-2022-0001.
- Fixed CVE-2022-0002.
- Fixed CVE-2022-23960.
- Fixed CVE-2022-0847.
1.21.6-gke.1500
- Security Fixes
- Fixed CVE-2021-4154, see GCP-2022-002 for more details.
- Fixed CVE-2022-0185, see GCP-2022-002 for more details.