The following release notes cover the most recent changes over the last 30 days. For a comprehensive list, see the individual product release note pages.
You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml
October 23, 2020
Cloud Healthcare API
It is now possible to use `` to escape special characters in FHIR resources.
October 22, 2020
Access Context Manager
Access levels now support checking the Storage encryption (`allowedEncryptionStatuses`), Require admin approval (`requireAdminApproval`) and Require corp owned device (`requireCorpOwned`) attributes of requests originating from mobile devices.
The `ST_GEOGFROMGEOJSON` and `ST_GEOGFROMTEXT` geographic functions support a new `make_valid` parameter. If set to `TRUE`, the function attempts to correct polygon issues when importing geography data.
The `ST_GEOGFROMTEXT` function also supports a new `planar` parameter. If set to `TRUE`, the function treats imported WKT geometries as having planar edges.
These new function parameters are in Beta.
Updated version of Magnitude Simba ODBC driver includes improvements to performance, logging, OpenSSL support, and bug fixes.
Cloud Logging now calculates logs-based metrics from both ingested and excluded logs. In other words, you can now calculate logs-based metrics from logs without ingesting them into a Logs Bucket.
This change started rolling out October 18, 2020 and will finish rolling out October 30, 2020.
For more information, see Overview of logs-based metrics.
Logs Views are now available in Preview. Using Logs Views, you can control who has access to the logs within your Logs Buckets. For more information on this feature, refer to the Managing Logs Views guide.
Announcing the Alpha release of the Dataproc Persistent History Server, which provides a UI to view job history for jobs run on active and deleted Dataproc clusters.
October 21, 2020
Cloud Data Fusion
In Cloud Data Fusion versions before 6.2, there is a known issue where pipelines get stuck during execution. Stopping the pipeline results in the following error: `Malformed reply from SOCKS server`. To fix this, delete the Dataproc cluster, and then update the memory settings in the compute profile.
October 20, 2020
Cloud Load Balancing
For HTTP requests, the `httpRequest.remoteIp` and `httpRequest.serverIp` fields can include port information. For example, `10.0.0.1:80`.
Recent queries is now generally available (GA). To learn more, go to Recent queries.
October 19, 2020
BigQuery
BigQuery Audit Logs stopped using the following checks for redacting resource names for cross-project access and caller identities: the `bigquery.jobs.create` permission check and the internal setting for a project domain. Please review the documentation at Caller identities and resource names.
In the Logs Explorer you can now download your logs in JSON and CSV to your computer, Google Drive, or view them in a new tab. To learn more, see Downloading logs.
Cloud Run is now available in the following regions:
- `asia-east2` (Hong Kong)
- `asia-northeast3` (Seoul, South Korea)
- `asia-southeast2` (Jakarta)
- `asia-south1` (Mumbai, India)
- `europe-west2` (London, UK)
- `europe-west3` (Frankfurt, Germany)
- `europe-west6` (Zurich, Switzerland)
- `southamerica-east1` (Sao Paulo, Brazil)
You can now purchase a custom domain via Cloud Domains using the Cloud Run user interface.
Memory-optimized M1 machine types are available in Frankfurt, `europe-west3-a,b,c`. Memory-optimized M2 machine types are available in Frankfurt, `europe-west3-a,b`.
See VM instance pricing for details.
Announcing the GA (General Availability) release of the Dataproc Ranger Optional Component and the Dataproc Solr Optional Component.
A fix for a known issue where custom resources created in the `istio-system` namespace were deleted when upgrading from GKE 1.16 to 1.17 and 1.18 is available in R33.
Upgrade to one of the following unaffected versions:
- 1.17.12-gke.1501 and higher
- 1.18.9-gke.1501 and higher
The issue only occurs during upgrades, so new clusters created in earlier versions are also unaffected.
Pub/Sub message ordering is now available in GA.
October 16, 2020
Cloud Bigtable
A tutorial is now available that demonstrates how to send a Cloud Bigtable read request using a Cloud Functions HTTP(S) request.
`LABEL_DETECTION` model upgrade
The `LABEL_DETECTION` model will undergo an upgrade over the next 90 days to a newer version. The API interface and client library will be the same as with the previous version. The API follows the same Service Level Agreement.
Please note that you have 30 days from today to test the new model by specifying `"builtin/latest"` in the `model` field of the `Feature` object while requesting image annotation. At the end of that period, it will be promoted to the default model accessible as `"builtin/stable"`. After that event, the original model will still be available for another 60 days using `"builtin/legacy"`.
If you encounter problems with this upgrade, please contact the Vision API engineering team by submitting a ticket in the private issue tracker.
Announcing the GA (General Availability) release of the Dataproc - Docker Optional Component and the Dataproc - Flink Optional Component.
Document AI Preview released
The following beta and preview features are available in API version v1beta3:
- General processors: Document OCR (Optical Character Recognition), form parser, and document splitter.
- Lending processors: W9, 1040, W2, 1099-MISC, and 1003 parsers, as well as lending document splitter & classifier.
Credential Access Boundaries are now generally available. Use Credential Access Boundaries to downscope the permissions that a short-lived credential can use to access a Cloud Storage bucket.
October 15, 2020
Cloud Bigtable
The steps to create a new Cloud Bigtable instance and edit an existing instance have been streamlined and improved in the Google Cloud Console.
Discount sharing for committed use discounts is now Generally Available. With discount sharing enabled, you can apply your purchased commitments across multiple projects within a single Cloud Billing account. Discount sharing helps you minimize the overhead of managing each of your commitments individually and provides increased flexibility so that you can use the compute options that best suit your needs, while also increasing cost predictability.
- For more information about enabling committed use discount sharing, see Turning on committed use discount sharing.
- For more information on the possible cost savings using committed use discount sharing, see Understanding discount sharing.
- New versions of Cloud Composer images: `composer-1.12.3-airflow-1.10.6`, `composer-1.12.3-airflow-1.10.9`, and `composer-1.12.3-airflow-1.10.10`. The default is `composer-1.12.3-airflow-1.10.9`. Upgrade your Cloud SDK to use features in this release.
- Cloud Build logs from the tenant project are now published in the Composer logs. They are available under the log name `build-log-webserver`.
- Airflow DAG processor manager logs are now published in the Composer logs. They are available under the log name `dag-processor-manager`.
- If an update operation fails, links to the specific Cloud Build log will now be included in the error message.
- Compatibility with Domain Restricted sharing has been improved. Upgrading your environment to the newest version of Composer can now enable or disable its compatibility with Domain Restricted Sharing based on your organization policy.
- Setting or updating the machine type of the Airflow web server or Cloud SQL instance in Composer versions that don't support this feature (older than `composer-1.7.2`) will now return an error instead of failing silently.
- Environments will now fall back to the in-cluster build when PyPI package installation fails due to Cloud Build unavailability under your VPC Service Controls configuration.
- Airflow 1.10.10:
- Fixed an issue with async DAG bag loading.
- Task instance details will now render properly, even if there are no DAG runs related to the instance.
The Ops Agent is now available in Preview. Ops Agent provides a single agent to collect logs and metrics on Compute Engine instances.
Note that the Ops Agent uses new configuration files that are not compatible with the standalone Cloud Monitoring and Cloud Logging agents.
You can now specify a minimum number of container instances to be kept warm and ready to serve requests, for services requiring reduced latency and fewer cold starts.
A new multi-region instance configuration is now available in North America - `nam9` (North Virginia/Iowa/South Carolina/Oregon).
Support for 1500 MTU in VPC networks is now Generally available.
Support `export` sub-command in the `config-connector` CLI
Add support for the `AccessContextManagerServicePerimeter` resource
Add support for Folder-level IAM Audit Configs
Fix `deadLetterTopicRef` in the `PubSubSubscription` resource (Issue #281)
If a role binding in an IAM policy refers to a deleted member (for example, `deleted:user:tamika@example.com?uid=123456789012345678901`), you can now add role bindings for a newly created member with the same name (in this case, `user:tamika@example.com`). The role bindings always apply to the newly created member.
For details, see the documentation for policies with deleted members.
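As an added example (not from the release notes or from Google's code), the following audit walks an IAM policy in its JSON form, lists bindings that still point at deleted members, and shows whether a live member with the same name now holds a different set of roles. Apart from the member string quoted in the note above, the policy contents are constructed, and the function and field names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the JSON form of an IAM policy.
# Only the first member string comes from the release note; the rest is made up.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/storage.admin",
            "members": [
                "deleted:user:tamika@example.com?uid=123456789012345678901",
                "group:ops@example.com",
            ],
        },
        {"role": "roles/viewer", "members": ["user:tamika@example.com"]},
        {
            "role": "roles/logging.viewer",
            "members": [
                "deleted:serviceAccount:batch@my-project.iam.gserviceaccount.com"
                "?uid=111111111111111111111"
            ],
        },
    ]
}

# deleted:<kind>:<name>?uid=<numeric id>
_DELETED = re.compile(r"^deleted:(?P<kind>[A-Za-z]+):(?P<name>[^?]+)\?uid=(?P<uid>\d+)$")


def parse_member(member):
    """Split a policy member string into principal, deleted flag and uid."""
    m = _DELETED.match(member)
    if m:
        return {
            "deleted": True,
            "principal": f"{m['kind']}:{m['name']}",
            "uid": m["uid"],
        }
    return {"deleted": False, "principal": member, "uid": None}


def audit_deleted_members(policy):
    """Return one finding per binding that references a deleted member.

    Each finding records whether a live member with the same name appears in
    the policy and which roles that live member holds, so a reviewer can see
    that the stale binding's role was not carried over to the new member.
    """
    live_roles = defaultdict(set)
    stale = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            info = parse_member(member)
            if info["deleted"]:
                stale.append((role, info))
            else:
                live_roles[info["principal"]].add(role)

    findings = []
    for role, info in stale:
        current = sorted(live_roles.get(info["principal"], ()))
        findings.append(
            {
                "stale_role": role,
                "principal": info["principal"],
                "deleted_uid": info["uid"],
                "same_name_live": bool(current),
                "live_roles": current,
                "role_not_carried_over": bool(current) and role not in current,
            }
        )
    return findings


if __name__ == "__main__":
    for finding in audit_deleted_members(SAMPLE_POLICY):
        print(finding)
```
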
Support for 1500 MTU in VPC networks is now available in General Availability.
October 14, 2020
BigQuery
Dynamic SQL is now generally available (GA). Dynamic SQL lets you generate and execute SQL statements dynamically at runtime. For more information, see EXECUTE IMMEDIATE.
BigQuery standard SQL now supports the following new functions. These functions are generally available (GA).
- ASCII
- CHR
- INITCAP
- INSTR
- LAST_DAY
- LEFT
- OCTET_LENGTH
- REGEXP_EXTRACT with 2 additional parameters (position and occurrence)
- REGEXP_INSTR
- REGEXP_SUBSTR
- RIGHT
- SOUNDEX
- TRANSLATE
- UNICODE
BigQuery now supports the following new statements. These statements are generally available (GA).
BigQuery standard SQL now supports DATE arithmetics operators.
The following `INFORMATION_SCHEMA` views are now generally available (GA).
BigQuery now supports Unicode table names. For more information, see Table naming.
Queries can now have duplicate column names.
Classic VPN partial deprecation
Starting on October 31, 2021, you will no longer be able to do the following:
- Create new Classic VPN tunnels using static routing (route based or policy based) that connect to another Classic VPN gateway
- Create new Classic VPN tunnels using static routing (route based or policy based) that connect a Google Cloud Virtual Private Cloud (VPC) network to another cloud provider's network
- Create new Classic VPN tunnels using dynamic routing (all configurations)
You can continue to create the following types of connections and get support for them:
- VPN tunnels using static routing from Classic VPN gateways to on-premises VPN gateways and from on-premises VPN gateways to Classic VPN gateways
- VPN tunnels using static routing from a Classic VPN gateway to and from a Compute Engine virtual machine (VM) acting as a VPN gateway
Although Google will not proactively disable existing connections on the deprecation date, deprecated Classic VPN configurations will no longer receive regular updates or maintenance.
For more information, see the Classic VPN partial deprecation page for a video tutorial and documentation to help you migrate, as soon as possible, to our more reliable High Availability Cloud VPN solution.
Compute-optimized (C2) machine types are now available in the following regions and zones:
- Finland: europe-north1-a,b,c
- Seoul: asia-northeast3-a,b,c
See VM-instance-pricing for details.
Sign in with Apple is now supported.
October 13, 2020
Anthos Service Mesh
1.4.10-asm.19 is now available
You can now allow an experimental feature to exceed 4GB of memory usage.
Cloud Domains is available in Preview. Cloud Domains enables you to search, register, and manage domain names with Google Cloud.
In runtimes that use buildpacks you can now configure aspects of your build by setting build configuration variables. See Using Environment Variables for more information. In Preview.
We've renamed the Logs Viewer (Preview) to the Logs Explorer. The Logs Explorer offers a robust set of tools for analyzing your logs data and is now the default viewer for Cloud Logging. To learn more, see Using the Logs Explorer.
The Logs Viewer (Classic) is now called the Legacy Logs Viewer. It will continue to be available and maintained until March 2021, but won't be actively developed further.
You can now control egress traffic from a service and route all outbound requests to your VPC network. This allows you to configure a static outbound IP address by leveraging Cloud NAT.
Cloud Run for Anthos on Google Cloud version 0.17.2-gke.1 is now available for the following GKE minor version:
1.16
Fixes the security issue, ISTIO-SECURITY-2020-010 for Cloud Run for Anthos on Google Cloud clusters running on 1.15+ k8s version.
CHECK constraints are now generally available, allowing you to define a boolean expression on the columns of a table and require that all rows in the table satisfy the expression. For more information, see Creating and managing check constraints.
Generated columns support is now generally available, allowing you to define columns that are computed from other columns in a row. For more information, see Creating and managing generated columns.
Cloud Talent Solution has launched the v4 version of the API. Migrate to Cloud Talent Solution v4 by October 14, 2021 to continue using Cloud Talent Solution.
As of today Cloud Talent Solution versions v3, v3p1beta1, and v4beta1 are deprecated. Deprecated means that these versions will continue to work until October 13, 2021, at which time these versions will be shut down. Migrate to Cloud Talent Solution v4 by October 14, 2021 to continue using Cloud Talent Solution.
When using `orderBy` to order job search results by `distance_from` from the search location, equidistant jobs from the center of the search location will be tie-broken based on each job's relevance to the search keywords. Previously, jobs in this scenario weren't primarily tie-broken based on each job's relevance to the search keywords.
When using the `EmploymentType` as part of `HistogramQuery`, facet counts for `CONTRACTOR` no longer also include facet counts for `CONTRACT_TO_HIRE`.
`HistogramQuery` facet counts no longer differ from the number of jobs returned when filtering search results by a given facet.
CTS has made improvements to the handling of accented characters and gendered terms in job titles and search keywords.
New sub-minor versions of Dataproc images: 1.3.72-debian10, 1.3.72-ubuntu18, 1.4.43-debian10, 1.4.43-ubuntu18, 1.5.18-debian10, 1.5.18-ubuntu18, 2.0.0-RC14-debian10, and 2.0.0-RC14-ubuntu18.
Obtaining the status of the latest transfer operation is in Preview.
October 12, 2020
Anthos GKE on AWS
GKE on AWS 1.5.0 supports volume snapshots.
Cloud Logging has deprecated the following two logs-based metrics related to exclusions:
- `logging.googleapis.com/excluded_log_entry_count`
- `logging.googleapis.com/excluded_byte_count`
Cloud Logging will stop populating these metrics on October 1, 2021.
You can now allocate 4 vCPUs to container instances of Cloud Run services.
Cloud SQL now offers "deny maintenance periods". With deny maintenance periods, you can prevent automatic maintenance from occurring during a specific time period. For example, the end-of-year holiday season is a time of peak load that requires heightened focus on infrastructure stability for many retail businesses. By setting a deny maintenance period from mid-October to mid-January, these businesses can prevent planned upgrades from Cloud SQL during their busiest time of year.
Cloud SQL for PostgreSQL now offers IAM database authentication to help you better monitor and manage access for users and service accounts to databases. This feature allows users and service accounts to use IAM credentials to log into PostgreSQL instances. To learn more about how IAM database authentication works, see the Overview of Cloud SQL IAM database authentication. To configure an instance, see Configuring instances for IAM database authentication. To create users or service accounts, see Creating and managing users that use IAM database authentication.
Database auditing in Cloud SQL for PostgreSQL is available through the open-source pgAudit extension. Using this extension, you can selectively record and track SQL operations performed against a given database instance.
The pgAudit extension helps you configure many of the logs often required to comply with government, financial, and ISO certifications.
N2 machine types are now available in the following four regions and zones:
- Las Vegas: us-west4-a,b,c
- Montréal: northamerica-northeast1-a,b,c
- Finland: europe-north1-a
- Hong Kong: asia-east2-a,b,c
For pricing details, see VM instance pricing.
Support added for migration of VMs from vSphere configured with CSM firmware type setting.
You can now customize who receives notifications from GCP with Essential Contacts. This feature is available in preview. For more information, see Managing contacts for notifications.
October 11, 2020
Cloud Run
When a container instance needs to be shut down, it now receives a `SIGTERM` signal. If handled, CPU is allocated for up to 10 seconds before the container is shut down.
October 09, 2020
Identity and Access Management
The documentation now provides details about service agents for all publicly available services. A service agent is a special type of service account that is created and managed by Google, and is used by Google Cloud services to access your resources.
Pub/Sub Lite is now available in GA.
October 08, 2020
Cloud Billing
Cloud Billing budget settings have been updated to support credits by credit type. We have added all possible Cloud Billing credit types to the budget scope, allowing you to set your budget amount to include or exclude specific credits by type, such as promotional credits, committed use discounts, and free tiers. Previously, the credits setting was an optional checkbox when setting the budget amount — the Include credits in cost option — and not the granular options now available in the budget scope. The previous credits checkbox setting could only include either all of the available credits or none of the credits.
For budgets that were set up before the granular credits budget scope feature became available:
- In the budget amount, if you had enabled the Include credits in cost option, then all credits are included in the cost calculation.
- In the budget amount, if you had deselected the Include credits in cost option, then none of the credits are included in the cost calculation.
To implement the new credits scope feature in existing budgets, edit the budget's credit settings.
Read more about credits and budget scope options in our documentation.
The Consent Management API is available in beta.
External HTTP(S) Load Balancing is now supported for App Engine, Cloud Functions, and Cloud Run services. To configure this, you will need to use a new type of network endpoint group (NEG) called a Serverless NEG.
This feature is now available in General Availability.
The following updates to Cloud Spanner standard SQL are now available:
- Support for SELECT * REPLACE and SELECT * EXCEPT syntax.
- Documentation for Net functions.
Support for migrating Windows VM workloads has moved from the Beta stage to general availability.
This release adds full support for migrating Windows VM workloads to the Google Cloud Console, including the ability to create a Windows migration source. See Migrating a Windows VM for more.
Migrate for Anthos provides tools that you run on a Linux or Windows VM workload to determine the workload's fit for migration to a container. See Using the Linux discovery tool and Using the Windows discovery tool for more.
Custom Services Blocklist support added which lets you define a list of services to disable in a migrated container. See Custom Services Blocklist for more.
The `image` field value of the GenerateArtifactsFlow CRD defines the names and locations of two images created from a migrated VM. In previous releases, the names contained a predefined tag.
To ensure that the tag value is unique, the format of the tag has changed for this release to specify the timestamp of the migration.
You can also explicitly set the tag to another value if you prefer. See Setting the name of the container image for more.
When you deploy your migrated Windows containers to a cluster, you can now use a Group Managed Service Account (gMSA) to execute the container under a specific service account identity. See Configuring gMSA for more.
171123825: In some cases, the migration process might fail, and Cloud Logging indicates errors such as:
"failed to load map, error 6"
or:
"failed in domap for addition of new path sdd"
Workaround: Delete the migration and restart it. In rare cases, a re-installation of the product is required.
170706786: The Linux Discovery Tool might return exit code 0 even when all information was collected successfully.
Workaround: Make sure you run the tool as a 'root' user or as a user with full sudo access.
170627229: Migrated workload of a JBoss application might fail at startup. Cloud Logging indicates such an error as:
ERROR [org.jboss.as.server] (Controller Boot Thread) ...:
Caught exception during boot: java.lang.IllegalStateException: ...:
Could not rename
/opt/jboss-7.1.1/standalone/configuration/.../standalone_xml_history/current
to
/opt/jboss-7.1.1/standalone/configuration/.../standalone_xml_history/...
Workaround: Back up and then delete the directory mentioned in the error message above. For example:
/opt/jboss-7.1.1/standalone/configuration/.../standalone_xml_history/current
167656057: Installation on a GKE cluster with ACM might fail. Indication of the error can be seen in the Migrate for Anthos upgrade job, in the `v2k-system` namespace.
For example:
kubectl logs -n v2k-system controllers-upgrade-fzlmz
Shows this error:
failed to validate admission controller - admission webhook "validation.gatekeeper.sh" does not support dry run
Workaround: `gatekeeper` is an ACM component. Manually deleting the upgrader job fixes the issue.
For example:
kubectl delete job -n v2k-system controllers-upgrade
157062328: In some cases, adding a service to the blocklist using a configmap will not actually stop that service from running on the deployed workload.
Workaround: Disable the service in the Dockerfile (rather than a config-map), and rebuild the image.
163800225: kubectl port-forward might not work properly for a deployed workload.
Please contact support for more information.
171173082: Mistakenly creating a local VMware source on a Cloud-based cluster, normally used only in an on-prem migration, results in the source being in `PROCESSING` state forever.
For example, you use `migctl` to check the source status:
migctl source status local-vmw-src
The `State` displays as:
PROCESSING
Message: Post "https://1.2.3.4/sdk": context deadline exceeded
Workaround: Delete the local VMware source, and create a remote/streaming VMware source.
170604382: Running `migctl` when not connected to a cluster results in a `panic` error such as the one below, followed by a stack-trace:
migctl setup install panic: Cannot create kubernetes client
Workaround: Connect a cluster, and re-run `migctl`.
Event Threat Detection, a built-in service of Security Command Center Premium, now includes two new detectors to monitor your organization's BigQuery resources. The detectors identify data exfiltration - resources saved outside of your organization or attempts to access protected data.
Read more about available detectors in Event Threat Detection conceptual overview.
The Security Command Center API now includes a `severity` field for Findings. This feature is available using Security Command Center's `v1p1beta1` API.
October 07, 2020
Cloud Billing
Project-level tax information in BigQuery Export tables: Starting on September 1, 2020, your daily cost detail data in BigQuery shows taxes broken down by project, instead of aggregating taxes into a single line item. You don't need to make any changes to access the data.
If you have queries or visualizations that depend on tax data, you might need to update the queries to account for these changes.
- New versions of Cloud Composer images: `composer-1.12.2-airflow-1.10.6`, `composer-1.12.2-airflow-1.10.9`, and `composer-1.12.2-airflow-1.10.10`. The default is `composer-1.12.2-airflow-1.10.9`. Upgrade your Cloud SDK to use features in this release.
- Added the log entry labels `version_id` and `instance_id` to differentiate the logs of different Airflow web server instances.
- Airflow database upgrade logs are now published in the Composer logs under a separate log name.
- Cloud Storage syncing logs are now published together in the Composer logs under a separate log name. They can be separated further based on `pod_id`.
- Fixed upgrade rollback failures due to a `mismatch in API versions` error.
- Improved handling of errors caused by a missing `plugins/` directory in the Cloud Storage bucket.
- Backported an Airflow change that fixes an issue with Airflow 1.10.9 and 1.10.10 that causes MySQL to deadlock on the `rendered_task_instance_fields` table when using DAG serialization.
- Fixed a bug that undercharged customers for App Engine storage.
- Backfilled GKE API versions to make older Composer environments GKE 1.16-proof.
- Fixed an issue that caused `bq load` commands for files larger than 100MB to fail with a `RedirectMissingLocation` error.
The Cloud Healthcare API offers single-region support in the `southamerica-east1` (Osasco (São Paulo), Brazil) region.
The Cloud Healthcare API offers single-region support in the `australia-southeast1` (Sydney, Australia) region.
Add support for the `DataflowFlexTemplateJob` resource
Add the `transformNameMapping` field to `DataflowJob`
Add the `auditConfigs` field to `IAMPolicy`
Add the `loadBalancerType`, `datapathProvider`, and `notificationConfig` fields to `ContainerCluster`
Add the `artifacts` and `options` fields to `CloudBuildTrigger`
Add support for the GRPC protocol for `ComputeBackendService`
Add logic to auto-trigger server-side apply metadata on resources on K8s clusters with server-side apply enabled (i.e. K8s 1.16+)
Fix issue where `kubectl get gcp` did not include `IAMPolicy`, `IAMPolicyMember`, and `IAMAuditConfig` resources (Issue #286)
October 06, 2020
BigQuery
Authorized user-defined functions (UDFs) are now generally available (GA). Authorized UDFs let you share query results without giving access to the underlying tables. For more information, see Authorized UDFs.
The Cloud Console now lets you opt in to search and autocomplete powered by Data Catalog. This feature is in beta.
The ability to enable or disable Endpoint-Independent Mapping for your gateway is now available in Preview.
Cloud Run now supports request timeouts up to 60 minutes. However, timeouts greater than 15 minutes are a beta feature.
New sub-minor versions of Dataproc images: 1.3.71-debian10, 1.3.71-ubuntu18, 1.4.42-debian10, 1.4.42-ubuntu18, 1.5.17-debian10, 1.5.17-ubuntu18, 2.0.0-RC13-debian10, and 2.0.0-RC13-ubuntu18.
Image 1.4
- Upgraded Spark to version 2.4.7.
Image 1.5
- Upgraded Spark to version 2.4.7.
- Installed `google-cloud-bigquery-storage` package by default in the Anaconda component.
- Changed default value of `zeppelin.notebook.storage` in zeppelin-site.xml to "org.apache.zeppelin.notebook.repo.GCSNotebookRepo".
Image 2.0
- Updated HBase to version 2.2.6.
- Installed `google-cloud-bigquery-storage` in default conda environment.
- Changed default value of `zeppelin.notebook.storage` in zeppelin-site.xml to "org.apache.zeppelin.notebook.repo.GCSNotebookRepo".
There is a known issue with the upgrade from GKE 1.16 to 1.17. Any custom resources you created in the `istio-system` namespace are deleted during an upgrade to 1.17. These resources must be manually recreated. We recommend not upgrading clusters with the Istio addon to 1.17 until the fix is rolled out. The issue only occurs during upgrades, so new clusters are not affected.
The fix was not included in release R31 as previously reported.
Added support for Redis AUTH to Memorystore for Redis.
October 05, 2020
Cloud Monitoring
Alerting is now available for Monitoring Query Language (MQL). For more information, see Alerting policies with MQL.
You can use OS Login in VPC Service Controls. This feature is in Beta stage support.
Starting October 5, the Container Registry Service Agent is granted the Container Registry Service Agent IAM role by default when you enable the Container Registry API. Previously, this account was granted the Editor role.
To learn more about this change and how to update the role on an existing Container Registry service account with Editor permissions, see the Container Registry access control documentation.
Beta stage support for the following integration:
October 02, 2020
Anthos GKE on AWS
Anthos GKE on-AWS 1.5.0-gke.6 is now available and clusters run on 1.16.15-gke.700 and v1.17.9-gke.2800. To upgrade your clusters, perform the following steps:
- Upgrade your Management service to 1.5.0-gke.6.
- Upgrade your user clusters to 1.16.15-gke.700 or v1.17.9-gke.2800.
Workload identity (preview) lets you bind Kubernetes service accounts to AWS IAM accounts with specific permissions. Workload identity blocks unwanted access to cloud resources with AWS IAM permissions. With workload identity, you can assign different IAM roles to each workload. Fine grained permissions control allows you to follow the principle of least privilege. For more details, see Creating a user cluster with workload identity.
You can now route traffic from the GKE on AWS management service and Connect through an HTTP/HTTPS proxy. For more details, see Using a proxy with GKE on AWS.
Improved installation experience
This version enables installation and upgrade by using any Google Cloud–authenticated service account. You no longer need to be on the allowlist to access GKE on AWS components.
Additional preflight checks enforce enablement of required Google Cloud APIs. See Google Cloud requirements for more information.
When creating multiple management clusters, users may have seen name collisions with the S3 bucket. Now, you can specify a custom name for your S3 bucket to avoid naming conflicts.
N2D machine types are available in The Dalles, Oregon, in the us-west1-c zone. For more information, see the VM instance pricing page.
C2 machine types are now available in Sydney, Australia, `australia-southeast1-b`. See the VM instance pricing page for details.
Added Cloud IAM support for ComputeImage.
Fixed an issue where an IAMPolicy cannot be deleted when the externally referenced resource does not exist.
Fixed an infinite diff condition on spec.minMasterVersion.
There is a known issue with the upgrade from GKE 1.16 to 1.17 versions lower than 1.17.9-gke.6300 (R30 or earlier). Any custom resources you created in the istio-system namespace are deleted during an upgrade to 1.17 (R30 or earlier). These resources must be manually recreated. We recommend that you upgrade only to R31 or a later version that doesn't have the issue. The issue only occurs during upgrades, so new clusters are not affected.
October 01, 2020
BigQuery
BigQuery table-level access control is now generally available. For more information, see Introduction to table access controls.
Added a new tutorial for delivering HTTP and HTTPS content over the same hostname when using Cloud CDN. While many browsers enforce the use of Transport Layer Security (TLS) and disallow non-secure content delivery, there are still use cases where non-secure delivery and secure delivery must be allowed over the same hostname.
N2D machine types are now available in all three zones of us-east1-b,c,d in Moncks Corner, South Carolina. See VM instance pricing for details.
Launched Dataproc integration with Compute Engine sole-tenant nodes, which allows users to create a cluster in a sole-tenant node group.
Added Cloud Console UI support for creating Redis instances with Shared VPC using private services access.
September 30, 2020
Cloud Data Fusion
This release is in parallel with the CDAP 6.2.2 release.
Cloud Data Fusion now supports autoscaling Dataproc clusters.
Cloud Data Fusion now displays the number of pending preview runs, if any, before the current run. In the Studio, the number of pending runs is displayed under the timer.
Improved performance for skewed joins by including Distribution in the Joiner plugin settings.
Wrangler now supports BigQuery views and materialized views.
Cloud Run for Anthos on Google Cloud version 0.17.2-gke.1 is now available for the following GKE minor version:
1.17
Cloud Talent Solution's consumption pricing and quota limits will change effective January 4, 2021. The new pricing and quota limits are intended to better address the variety of use cases the talent industry has for managing and searching for jobs.
Dataflow now supports Flex Templates in GA.
Cluster creation and workflow instantiation requests that succeed even when the requester did not have ActAs permission on the service account now generate a warning field in the audit log request.
New sub-minor versions of Dataproc images: 1.3.70-debian10, 1.3.70-ubuntu18, 1.4.41-debian10, 1.4.41-ubuntu18, 1.5.16-debian10, 1.5.16-ubuntu18, 2.0.0-RC12-debian10, and 2.0.0-RC12-ubuntu18.
All supported images
Upgraded Conscrypt to the 2.5.1 version.
Image 1.5
- Upgraded Delta Lake to the 0.6.1 version.
Image 1.5 and Image 2.0 Preview
- Upgraded Cloud Storage connector to the 2.1.5 version.
Image 2.0 preview
The Anaconda optional component is no longer available or required when using the Jupyter optional component (Miniconda is installed and activated by default).
Updated R to the 4.0.0 version.
Configured YARN aggregated logs to use the IFile format.
Upgraded Flink to the 1.11.2 version.
September 29, 2020
Anthos Service Mesh
1.6.11-asm.1, 1.5.10-asm.2, and 1.4.10-asm.18
Fixes the security issue, ISTIO-SECURITY-2020-010, with the same fixes as Istio 1.6.11. These fixes were backported to 1.6.11-asm.1, 1.5.10-asm.2 and 1.4.10-asm.18. For more information, see the Istio 1.6.11 release notes.
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
1.6
1.5
1.4
Time series models now let you change DATA_FREQUENCY from the default value (AUTO_FREQUENCY) when forecasting multiple time series using TIME_SERIES_ID_COL.
Improvements to Cloud CDN's request collapsing behavior: If your deployment serves large objects, these improvements reduce origin load during revalidation and cache fill. Live video workloads will see the largest benefit. For more information, see Support for byte range requests.
Cloud Profiler history view is available in beta. For more information, see Viewing historical trends.
Cloud Run now supports server-side HTTP and gRPC streaming.
You can now use a network tags parameter to add network tags to all worker VMs that execute a particular Dataflow job.
Automated Envoy deployment for Google Compute Engine VMs is now in General Availability.
September 28, 2020
Cloud Billing
Budget alert email notifications: Cloud Billing Budgets functionality has been updated to offer more control over recipients of alert emails. In May 2020, we announced that you can use Monitoring notifications to customize your budget to send alert emails to up to five additional email recipients you specify, in addition to the default email recipients. Now, you can also opt out of the default email settings, choosing not to send budget alert emails to Billing Account Administrators and Billing Account Users on the target Cloud Billing account (that is, every user assigned a billing role of either roles/billing.admin or roles/billing.user). To opt out of the default behavior, in the Cloud Billing budget's Manage notifications settings, deselect Email alerts to billing admins and users. Read more about email notification settings in our documentation.
Committed use discounts (CUDs) are now available to purchase for Cloud VMware Engine. CUDs provide discounted prices in exchange for your commitment to use a minimum level of resources for a specified term. With spend-based committed use discounts for Cloud VMware Engine, you can earn a deep discount off your cost of use in exchange for committing to continuously use VMware Engine nodes in a particular region for a 1- or 3-year term. See the documentation for more details.
- New versions of Cloud Composer images: composer-1.12.1-airflow-1.10.6, composer-1.12.1-airflow-1.10.9, and composer-1.12.1-airflow-1.10.10. The default is composer-1.12.1-airflow-1.10.6. Upgrade your Cloud SDK to use features in this release.
- In-cluster image build logs will now appear in Monitoring under separate log names build-log-*, instead of in the Composer Agent logs.
- You can now set or update machine types for the Airflow web server and Cloud SQL instance for any environment running a Composer version 1.7.2 or newer, regardless of Airflow version.
- Airflow 1.10.6, 1.10.9, and 1.10.9: An Airflow change has been backported that lowers the network cost of DAG serialization.
- Airflow 1.10.9: An Airflow change has been backported that improves GKE cluster resource usage, improving overall Airflow performance.
The NUMERIC data type is now generally available.
Tokyo+Osaka dual-region (asia1) launched.
- New location for storing your data.
N2D machine types are available in The Dalles, Oregon, the us-west1-b zone. For more information, see the VM instance pricing page.
Committed use discounts (CUDs) are available to purchase for Google Cloud VMware Engine. CUDs provide discounted prices in exchange for your commitment to use a minimum level of resources for a specified term. With spend-based committed use discounts for VMware Engine, you can earn a deep discount off your cost of use in exchange for committing to continuously use VMware Engine nodes in a particular region for a 1- or 3-year term. See the documentation for more details.
September 25, 2020
App Engine flexible environment .NET
You can use network ingress controls so your app only receives requests that are sent from your project's VPC or that are routed through the Cloud Load Balancing load balancer.
If you use Cloud Load Balancing, you can use network ingress controls so your app only receives requests that are routed through the load balancer.
On July 28, 2020, we announced that improved validation checks will be introduced on API calls to the Compute Engine API. This change has been postponed and will be rescheduled for a later time.
Filestore backups has launched to beta. Now you can back up your Filestore instances.
September 24, 2020
AI Platform Deep Learning VM Image
M56 release
- Bug fixes for TensorFlow 2.3 add-ons
- Fixes bug affecting BigQuery magic commands in some environments
- Adds a diagnostics tool for AI Platform Notebooks
Anthos Config Management now includes Config Connector v1.19.1.
Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 15d56e3).
Binary Authorization can now be enabled through the Anthos Config Management Operator. See Setting up with Anthos Config Management for details.
The syncer and importer Containers now both run in the git-importer Pod in the importer Container.
The nomos CLI tool is now available via gcloud. Please see the downloads page for more information.
This release includes several logging and performance improvements.
Anthos GKE on-prem 1.5.0-gke.27 is now available. To upgrade, see Upgrading GKE on-prem. GKE on-prem 1.5.0-gke.27 clusters run on Kubernetes 1.17.9-gke.4400.
Improved upgrade and installation:
- Preflight checks are now blocking with v1 configs for installation and upgrades. Users can use --skip-preflight-check-blocking to unblock the operation.
- Added support for running gkeadm on macOS Catalina, v10.14.
- Enabled installation and upgrade by using any Google Cloud–authenticated service account. This removes the need for allowlisting.
- Improved security by adding support for using an external credential file in admin or user configuration. This enables customers to check in their cluster configuration files in source code repositories without exposing confidential credential information.
Improved HA and failure recovery:
- The user cluster control plane HA feature is now generally available.
- Added kubelet and Docker health monitoring and auto repair to the Node Problem Detector.
- Introduces Node Auto Repair feature in preview to continuously detect and repair unhealthy nodes. This feature is disabled by default (opt-in) in this release.
Improved support for Day-2 operations:
- The gkectl update cluster command is now generally available. Users can use it to change supported features in the user cluster configurations after cluster creation.
- The gkectl update credentials command for vSphere and F5 credentials is now generally available.
- Improves scalability with 20 user clusters per admin cluster, and 250 nodes, 7500 pods, 500 load balancing services (using Seesaw), and 250 load balancing services (using F5) per user cluster.
- Introduces vSphere CSI driver in preview.
Enhanced monitoring with Cloud Monitoring:
- Introduces out-of-the-box alerts for critical cluster metrics and events in preview.
- Out-of-the-box monitoring dashboards are automatically created during installation when Cloud Monitoring is enabled.
- Allows users to modify CPU or memory resource settings for Cloud Monitoring components.
Functionality changes:
- Preflight check failures now block gkectl create loadbalancer for the bundled load balancer with Seesaw.
- Adds a blocking preflight check for the anthos.googleapis.com API of a configured gkeConnect project.
- Adds a blocking preflight check on proxy IP and service/pod CIDR overlapping.
- Adds a non-blocking preflight check on cluster health before an admin or user cluster upgrade.
- Updates the gkectl diagnose snapshot:
  - Fixes the all scenario to collect all supported Kubernetes resources for the target cluster.
  - Collects F5 load balancer information, including Virtual Server, Virtual Address, Pool, Node, and Monitor.
  - Collects vSphere information, including VM objects and their events based on the resource pool, and the Datacenter, Cluster, Network, and Datastore objects that are associated with VMs.
- Fixes the OIDC proxy configuration issue. Users no longer need to edit NO_PROXY env settings in the cluster configuration to include new node IPs.
- Adds monitoring.dashboardEditor to the roles granted to the logging-monitoring service account during admin workstation creation with --auto-create-service-accounts.
- Bundled load balancing with Seesaw switches to the IPVS maglev hashing algorithm, achieving stateless, seamless failover. There is no connection sync daemon anymore.
- The hostconfig section of the ipBlock file can be specified directly in the cluster yaml file network section and has a streamlined format.
Breaking changes:
- Starting with version 1.5, instead of using kubectl patch machinedeployment to resize the user cluster and kubectl edit cluster to add static IPs to user clusters, use gkectl update cluster to resize the worker node in user clusters and to add static IPs to user clusters.
- Starting with version 1.5, the gkectl log is saved in a single file instead of multiple files by log verbosity levels. By default, the gkectl log is saved in the /home/ubuntu/.config/gke-on-prem/logs directory with a symlink created under the ./logs directory for easy access. Users can use --log_dir or --log_file to change this default setting.
- Starting with version 1.5, the gkeadm log is saved in a single file instead of multiple files by log verbosity levels. By default, the gkeadm log is saved under ./logs. Users can use --log_dir or --log_file to change this default setting.
- In version 1.5 only, the etcd version is updated from 3.3 to 3.4, which means the etcd image becomes smaller for improved performance and security (distroless), and the admin and user cluster etcd restore process is changed.
Fixes:
- Fixed an issue that caused approximately 50 seconds of downtime for the user cluster API service during cluster upgrade or update.
- Corrected the default log verbosity setting in gkectl and gkeadm Help messages.
Known issues:
- Due to a 1.17 Kubernetes issue, kube-apiserver and kube-scheduler don't expose kubernetes_build_info on the /metrics endpoint in the 1.5 release. Customers can use Kubernetes_build_info from kube-controller-manager to get similar information like the Kubernetes major version, minor version, and build date.
- Cloud Run for Anthos on-prem causes an operational outage of GKE on-prem when Cloud Run for Anthos on-prem is enabled in both installation and upgrade of GKE on-prem 1.5.0.
Cloud Run for Anthos on Google Cloud version 0.17.2-gke.1 is now available for the following GKE minor version:
1.18
MySQL 5.6.42 is upgraded to 5.6.47.
The Organization policy constraints for Direct Path disablement have launched into beta.