Google Cloud release notes

Seccomp General Availability (GA)

Seccomp (secure computing mode) support for Kubernetes has graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or individual containers.

A new seccompProfile field is added to Pod and Container securityContext objects, starting in Kubernetes version 1.19.

securityContext:
  seccompProfile:
    # "Unconfined", "RuntimeDefault", or "Localhost"
    type: Localhost
    # only necessary if type == Localhost
    localhostProfile: my-profiles/profile-allow.json

The alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io/... are deprecated in favor of the GA API field. The alpha annotations will not be honored in Kubernetes versions 1.22 and later.

Prepare for transition

If you are currently using Seccomp annotations on Pods or Containers, you should identify and transition workloads using the annotations to set the API fields before version 1.21 is released on GKE (approximately in June 2021). No change on PodSecurityPolicy is required, as it supports both annotation and field seccomp profiles. You can perform the following recommended steps:

Locate Seccomp annotation usages

In your Kubernetes manifest files, search for "seccomp.security.alpha.kubernetes.io/pod" and "container.seccomp.security.alpha.kubernetes.io/".

Add or update securityContext fields

Based on your annotation usage, add or update (if securityContext already exists) the securityContext field in the Pod or Container spec. The annotations can be left in place, but must match the securityContext API field.

Set values for seccompProfile

The type field of seccompProfile corresponds to the annotation value, and localhostProfile field corresponds to the path following localhost annotation value.

seccompProfile:
 type: Unconfined

seccompProfile:
 type: RuntimeDefault

seccompProfile:
 type: Localhost
 localhostProfile: path/to/profile.json

More resources

• Restrict a Container's Syscalls with Seccomp
• Seccomp to GA

The widely used Ingress API has graduated to general availability in Kubernetes 1.19. The v1beta1 Ingress API is deprecated, and will no longer be served in versions 1.22 and later. Before version 1.21, identify and transition clients and manifests using the v1beta1 Ingress API to use networking.k8s.io/v1.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the Ingress v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion=("extensions/v1beta1" OR "networking.k8s.io/v1beta1")
protoPayload.request.kind="Ingress"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 Ingress APIs to use networking.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 APIs need to be upgraded before your cluster is upgraded to GKE 1.22.

To migrate manifests to networking.k8s.io/v1, perform the following:

1. Rename the spec.backend field (if specified) to spec.defaultBackend.
2. Rename each backend.serviceName field to backend.service.name.
3. Rename each numeric backend.servicePort field to backend.service.port.number.
4. Rename each string backend.servicePort field to backend.service.port.name.
5. Specify a pathType field for each defined path. Options are Prefix, Exact, and ImplementationSpecific. To match the undefined v1beta1 behavior, use ImplementationSpecific.

As an example, to migrate this v1beta1 manifest to v1:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
spec:
  backend:
    serviceName: default-backend
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
spec:
  defaultBackend:
    service:
      name: default-backend
      port:
        number: 80
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 80

CertificateSigningRequest v1 API

The CertificateSigningRequest API has graduated to certificates.k8s.io/v1 in Kubernetes 1.19. The v1beta1 CertificateSigningRequest API is deprecated and will no longer be served in version 1.22 and later.

Clusters with Google Cloud's operations suite enabled can use the following query to identify clients that access the CertificateSigningRequest v1beta1 APIs:

resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion="certificates.k8s.io/v1beta1"
NOT ("kube-system")

Identify and transition clients and manifests using the v1beta1 CertificateSigningRequest API to use certificates.k8s.io/v1 before version 1.21 is released on GKE (approximately in June 2021), then verify no clients are using the v1beta1 API during the version 1.21 timeframe. Workloads using the v1beta1 API need to be upgraded before your cluster is upgraded to GKE version 1.22.

Differences between the v1beta1 and v1 API are as follows:

• For API clients requesting certificates:
  • spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created via the certificates.k8s.io/v1 API.
  • spec.usages is now required, may not contain duplicate values, and must only contain known usages.
• For API clients approving or signing certificates:
  • status.conditions may not contain duplicate types.
  • status.conditions[*].status is now required.
  • status.certificate must be PEM-encoded, and must contain only CERTIFICATE blocks.

App Engine is now available in the europe-central2 region (Warsaw).

App Engine is now available in the europe-central2 region (Warsaw).

App Engine is now available in the europe-central2 region (Warsaw).

App Engine is now available in the europe-central2 region (Warsaw).

App Engine is now available in the europe-central2 region (Warsaw).

App Engine is now available in the europe-central2 region (Warsaw).

App Engine is now available in the europe-central2 region (Warsaw).

Generally available: VM Manager integration with VPC Service Control.

Generally available: You can now configure schedule-based autoscaling for your managed instance groups. Schedule-based autoscaling lets you improve the availability of your application by scheduling capacity ahead of anticipated load.

Support for the europe-central2 (Warsaw) region.

Shared queries are now generally available (GA). To learn more, see Shared queries.

The Google Cloud Ops Agent is now available in Preview. This agent combines logging and metrics into a single agent that is targeted toward specialized logging workloads that require higher throughput and improved resource efficiency. It supports both Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to install the Google Cloud Ops Agent via Ansible on Linux and Windows Compute Engine VMs.

Cloud Operations now offers the ability to provision the Google Cloud Ops Agent via Terraform on Linux and Windows Compute Engine VMs.

Generally available: Predictive autoscaling for managed instance groups lets you improve the availability of your workloads by using Machine Learning to predict future demand and create virtual machines ahead of forecasted load.

N2D machines are now available in the following regions and zones:

• us-central1-b - Iowa
• asia-northeast1-a,b - Tokyo

See VM instance pricing for details.

Generally available: You can now use instance schedules from the Google Cloud Console.

Lending DocAI General Availability (GA) released

Lending DocAI is now General Availability. See the documentation for more information.

Lending DocAI processors added

The following Lending DocAI processors are now available:

• Pay stub parser
• Bank statement parser
• 1040 Schedule C parser
• 1099-DIV parser
• 1099-G parser
• 1099-INT parser

Memory-optimized machines are now available in the following regions and zones:

• M1 ultramem (Jakarta ) asia-southeast2-a,c
• M1 ultramem (Osaka) asia-northeast2-a
• M1 ultramem, M2 ultramem and M2 megamem (Osaka) asia-northeast2-b
• M2 ultramem and M2 megamem (Osaka) asia-northeast2-c

See VM instance pricing for details.

M66 Release

• PyTorch 1.8 support in deep learning environments (Deep Learning VM Image and Deep Learning Containers) is available.
• Fixed scope allocator optimization issue with the TensorFlow Enterprise 2.3/2.1 MKL build.

M66 Release

• PyTorch 1.8 support in deep learning environments (Deep Learning VM Image and Deep Learning Containers) is available.
• Fixed scope allocator optimization issue with the TensorFlow Enterprise 2.3/2.1 MKL build.
• Regular package refreshment and bug fixes.

Preview: You can now configure your VM to shutdown automatically when you revoke the Cloud KMS key protecting a persistent disk attached to the VM. For more information, see Configuring VM shutdown on Cloud KMS key revocation.

Document AI General availability (GA) released

Document AI is now General Availability (GA).

Beta stage support for VPC Service Controls.

New resource types are now available.

The following resource types are now publicly available through the export API (ExportAssets and BatchGetAssetsHistory) and the Feed API:

• Cloud Memcache
  • memcache.googleapis.com/Instance
• Memorystore for Redis
  • redis.googleapis.com/Instance

The following resource types are now publicly available through the resource search API (SearchAllResources) and policy search API (SearchAllIamPolicies):

• Cloud Composer
  • composer.googleapis.com/Environment
• Cloud Run
  • run.googleapis.com/DomainMapping
  • run.googleapis.com/Revision
  • run.googleapis.com/Service
• Cloud KMS
  • cloudkms.googleapis.com/KeyRing
  • cloudkms.googleapis.com/CryptoKey
  • cloudkms.googleapis.com/CryptoKeyVersion
  • cloudkms.googleapis.com/ImportJob

The following resource types are now publicly available through the analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• Cloud Composer
  • composer.googleapis.com/Environment
• Cloud Run
  • run.googleapis.com/Service
  • run.googleapis.com/Revision
• Cloud TPU
  • tpu.googleapis.com/Node
• Cloud Storage
  • storage.googleapis.com/Bucket

Cross Project Service Account support

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

App Engine standard environment provides a new metric, CPU Utilization, which indicates the CPU utilization average over all active instances. For more information, see Google Cloud metrics.

Generally available: Start and stop virtual machine (VM) instances automatically using instance schedules. By automating the deployment of your VMs, instance schedules can help you optimize costs and manage VMs more efficiently.

Cloud VPN is now available in region europe-central2 (Warsaw, Poland).

Pricing is available on the Cloud VPN pricing page.

General-purpose E2 and N1 machines are available in Warsaw, Poland europe-central2 in all three zones. See VM instance pricing for details.

Disks, snapshots, and images are available in Warsaw, Poland europe-central2 in all three zones. See Disks and image pricing for details.

Support for OS Login in VPC Service Controls is now Generally Available.

Pub/Sub is now available in the europe-central2 region (Warsaw).

Workload Identity for Windows Server nodes is now available in GKE versions 1.18.16-gke.1200, 1.19.8-gke.1300, 1.20.4-gke.1500, and later.

Exporting asset relationships is now available in public preview through the Export API (ExportAssets). The following relationship types are available now:

• INSTANCE_TO_INSTANCEGROUP

N2D machine types are available in the following regions and zones:

• Frankfurt, europe-west3-a,b
• Hong Kong, asia-east2-b,c

See VM instance pricing for pricing details.

Google canonical error codes are now available in GA. GKE operations now use the canonical error model to report errors.

Added support for multiple pod CIDRs (available in Preview) which allows users to specify a different Pod CIDR for a new node pool than the one specified during cluster creation. This alleviates the problem of running out of Pod IP addresses for under provisioned clusters.

You can dynamically update the network tags, node labels and node taints of an existing GKE node pool. This feature is available in Preview. For more information, see Applying updates to node pool metadata.

Cloud Logging now shows the breakdown of log severity levels in the Histogram pane. To learn more, see the Histogram section on the Logs Explorer page.

Preview: You can now configure N2 and C2 VMs with up to 100 Gbps of network bandwidth.

This feature is ideal for network-intensive, distributed workloads such as high-performance computing (HPC), machine learning (ML), and deep learning (DL).

Learn more about higher bandwidth configurations, the regions and zones where these machines are available, and the post preview pricing for this new feature.

M2 machine types are now available in the following regions and zones:

• Sydney — australia-southeast1-b,c
• London — europe-west2-b,c
• Montréal — northamerica-northeast1-b,c

See VM instance pricing for details.

Generally Available: Use the bulk instance API to create multiple, homogeneous VMs that are independent from each other. For more information, see Using the bulk instance API.

Cloud VPN support for GRE traffic is available in Preview. For more information, see the Cloud VPN overview.

Generally Available: NVIDIA® A100 GPUs are now available in the following three regions:

• Iowa, North America: us-central1-a,b,c
• Netherlands, Europe: europe-west4-a,b

• Singapore, APAC: asia-southeast1-c

  For more information, see GPUs on Compute Engine.

Generally Available: Accelerator-optimized (A2) machine types are now available in the following three regions:

• Iowa, North America: us-central1-a,b,c
• Netherlands, Europe: europe-west4-a,b
• Singapore, APAC: asia-southeast1-c

N2D machine types are now available in Frankfurt, europe-west3-c and Hong Kong, asia-east2-a. See VM instance pricing for pricing details.

N2 machine types are now available in Zurich, europe-west6 in all three zones. See VM instance pricing for details.

C2 machine types are now available in Salt Lake City, us-west3 in all three zones. See VM instance pricing for details.

Memory-optimized machine types are now available in Tokyo, asia-northeast1 in all zones. See VM instance pricing for details.

C2 machine types are now available in Zürich, europe-west6 in all three zones. See VM instance pricing for details.

Internal TCP/UDP load balancer subsetting (Preview) is available on GKE. With subsetting, GKE clusters using internal load balancer Services can scale beyond 250 nodes. This feature is in Preview for new GKE clusters on version 1.18 and existing clusters on version 1.19. Subsetting removes the current node scale limitations associated with GKE internal TCP/UDP load balancers.

All ports (Preview) is available for internal load balancer Services on GKE. All ports lets you open more than 5 ports on a TCP/UDP load balancer that is being used with GKE. This feature is in Preview for new GKE clusters on version 1.18 and is automatically enabled when subsetting is enabled on the GKE cluster.

You can now use a pre-built container to perform custom training with PyTorch 1.7.

The Python 3.9 runtime for the App Engine standard environment is now generally available.

40 Kubernetes metrics as part of Cloud Operations for GKE are now generally available.

Pub/Sub push subscriptions can now be created with Cloud Run service endpoints protected by VPC Service Controls. This feature is available in the Preview launch stage.

M65 release

• Upgraded tensorflow-cloud to 0.1.13.

• Regular package refreshment and bug fixes.

M65 release

• Added support for DooD (Docker outside of Docker) in Dataflow notebooks container images.

• Upgraded tensorflow-cloud to 0.1.13.

• Regular package refreshment and bug fixes.

AI Platform Training now provides pre-built PyTorch containers for PyTorch 1.7.

In addition to training with CPUs or GPUs, you can use one of the PyTorch 1.7 containers to perform PyTorch training with a TPU.

Support for In-transit encryption on Memorystore for Redis is now Generally Available.

Starting with GKE version 1.19.7-gke.2000 (minimum GKE node version: 1.18.12- gke.1203, 1.19.6-gke.800), the Compute Engine persistent disk Container Storage Interface (CSI) Driver for Windows (Preview) is available in GKE. This feature allows you to take advantage of the latest persistent disk features without having to manually manage the CSI driver lifecycle. The CSI driver provides access to features such as volume snapshot and volume expansion. For more information, see Using the Compute Engine persistent disk CSI Driver.

The GKE Service Level Agreement now covers the Regular channel for both Standard and Autopilot modes of operation.

Pub/Sub message schemas are now available in the Preview launch stage.

New resource types now available.

The following resource types are now publicly available through the resource search API (SearchAllResources), policy search API (SearchAllIamPolicies), and analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• Cloud Functions
  • cloudfunctions.googleapis.com/CloudFunction
• Cloud SQL
  • sqladmin.googleapis.com/Instance
• Cloud TPU
  • tpu.googleapis.com/Node

The following resource types are now publicly available through the export API (ExportAssets and BatchGetAssetsHistory) and the Feed API:

• Artifact Registry
  • artifactregistry.googleapis.com/DockerImage
• Api Gateway
  • apigateway.googleapis.com/Api
  • apigateway.googleapis.com/ApiConfig
  • apigateway.googleapis.com/Gateway
• Assured Workloads for Government
  • assuredworkloads.googleapis.com/Workload

The following searchable fields are now publicly available through the resource search API (SearchAllResources):

• parentAssetType
• project
• folders
• organization

Sprite sheets now support different image compression levels with the new quality setting.

Sprite sheets now preserve the source aspect ratio. Set the sprite width or height field, but not both (the API will automatically calculate the missing field).

The API now supports video padding with black.

AI Platform (Unified) now supports Access Transparency in beta. Google Cloud organizations with certain support packages can use this feature. Learn more about using Access Transparency with AI Platform (Unified).

In addition to Docker images hosted on Container Registry, you can now use Docker images hosted on Artifact Registry and Docker Hub for custom container training on AI Platform.

You can now use a pre-built container to perform custom training with TensorFlow 2.4.

You can now use a pre-built container to serve predictions from TensorFlow 2.3 models.

You can now use a pre-built container to serve predictions from XGBoost 1.2 models.

Preview: You can now use the gcloud command-line tool to import images from AWS into Google Cloud. For more information, see Importing images from AWS.

You can now create clusters using the Autopilot mode. Autopilot is a new mode of operation in GKE that is designed to reduce the operational cost of managing clusters, optimize your clusters for production, and yield higher workload availability. For more information, see the Autopilot overview and blog post.

An Apache Spark connector is now available for Pub/Sub Lite, allowing you to read messages from Pub/Sub Lite in your Spark clusters.

GKE Node System Config is now GA.

M64 release

• Upgraded TensorFlow 2.4 to 2.4.1.

• Upgraded TFX and Fairness Indicators from 0.26.0 to 0.27.0.

• Miscellaneous bug fixes and updates.

M64 release

• Upgraded TensorFlow 2.4 to 2.4.1.

• Upgraded TFX and Fairness Indicators from 0.26.0 to 0.27.0.

• Added the Fast.ai book tutorials to Pytorch images.

• Enabled gVNIC for all DLVM images.

• Miscellaneous bug fixes and updates.

Preview: Predictive autoscaling for managed instance groups lets you improve the availability of your workloads by using Machine Learning to predict future demand and create virtual machines ahead of forecasted load.

Multi-cluster Services (MCS) is now Generally Available (GA) for GKE versions 1.17 and later. MCS provides a Kubernetes-native interface to build Kubernetes applications that span multiple clusters.

MCS enables existing Services to be discoverable and accessible across clusters with a virtual IP, matching the behavior of a ClusterIP Service accessible in a cluster.