------------------------------
Title: March 21, 2024
[content]
Anthos Config Management
Feature
The constraint template library includes a new template: K8sPSSRunAsNonRoot. For reference, see the Constraint template library.
Changed
Policy Controller bundles have been updated to the following versions: cis-gke-v1.4.0: 202402.0-preview, nist-sp-800-190: 202402.0, nist-sp-800-53-r5: 202402.0, pci-dss-v3.2.1: 202402.0, pss-baseline-v2022: 202402.0, pss-restricted-v2022: 202402.0. For reference, see Policy Controller bundles overview.
Fixed
Fixed a regression introduced in 1.16.0 that limits the length of the Secret name referenced in the spec.git.secretRef.name field of the RootSync object.
Fixed
Fixed a regression introduced in 1.17.0 that caused Config Sync to sometimes fail to pull the latest commit from a Git branch by upgrading git-sync (Config Sync dependency for pulling from git) from v4.1.0 to v4.2.1.
Backup and DR
Announcement
Backup and DR Service 11.0.10.417 is now available to update your backup/recovery appliance. Refer to these instructions to update your appliance.
Announcement
Backup and DR Service 11.0.10 includes an operating system upgrade from CentOS 7 to Rocky Linux 8. As CentOS 7 will reach its End of Life (EOL) on June 24, 2024, you must upgrade to 11.0.10 before the EOL date to continue receiving security updates. 

To upgrade to 11.0.10, you should take a snapshot of the appliance's boot disk. If your backup/recovery appliance is on 11.0.5 or below, then you need to upgrade to 11.0.9 before successfully upgrading to 11.0.10. See 11.0.9 release notes to know how to back up the boot disk.
Feature
Backup and DR Service added support to access historical reports. Learn more.
BigQuery
Feature
You can now add Salesforce Data Cloud data to BigQuery. This feature is generally available (GA).
Feature
Incremental materialized views now support LEFT OUTER JOIN and UNION ALL. This feature is in preview.
Bigtable
Feature
You can now view Bigtable cost data with instance granularity in the Google Cloud Billing detailed export to BigQuery. For more information, see Structure of detailed cost data export.
Compute Engine
Feature
Generally available: In a managed instance group (MIG), you can set metadata and labels for all VMs in the group without the need to create a new instance template. For more information, see Override instance template properties with an all-instances configuration.
Feature
Generally available: In a managed instance group (MIG), you can turn off repairs to inspect failed and unhealthy VMs, to implement your own repair logic, or to monitor the application health without triggering repairs by MIG. For more information, see Turn off repairs in a MIG.
Dataproc
Announcement
New Dataproc on Compute Engine subminor image versions:


2.0.96-debian10, 2.0.96-rocky8, 2.0.96-ubuntu18
2.1.44-debian11, 2.1.44-rocky8, 2.1.44-ubuntu20, 2.1.44-ubuntu20-arm
2.2.10-debian12, 2.2.10-rocky9, 2.2.10-ubuntu22

Google Distributed Cloud Virtual for Bare Metal
Announcement
Release 1.28.300-gke.131

GKE on Bare Metal 1.28.300-gke.131 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.28.300-gke.131 runs on Kubernetes 1.28.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.
Changed
Functionality changes:


Updated preflight checks to add a check for networking kernel modules.
Updated preflight checks to remove the check for iptables package availability.
Increased the default memory limit for node-exporter.

Fixed
Fixes:


Fixed an issue with configuring a proxy for your cluster that required you to manually set HTTPS_PROXY and NO_PROXY environment variables on the admin workstation.

Fixed
The following container image security vulnerabilities have been fixed in 1.28.300-gke.131: 


High-severity container vulnerabilities:


CVE-2022-28948
CVE-2023-29499

Medium-severity container vulnerabilities:


CVE-2023-3446
CVE-2023-3817
CVE-2023-32611
CVE-2023-32665
CVE-2023-49290
CVE-2024-21664
GHSA-2c7c-3mj9-8fqh

Low-severity container vulnerabilities:


CVE-2021-25743
CVE-2023-2975


Issue
Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.
Announcement
Release 1.15.11

GKE on Bare Metal 1.15.11 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.15.11 runs on Kubernetes 1.26.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.
Fixed
The following container image security vulnerabilities have been fixed in 1.15.11: 


Medium-severity container vulnerabilities:


CVE-2023-46218
CVE-2023-49290
CVE-2024-21664
GHSA-2c7c-3mj9-8fqh

Low-severity container vulnerabilities:


CVE-2021-25743


Issue
Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.
Google Distributed Cloud Virtual for VMware
Announcement
GKE on VMware 1.28.300-gke.123 is now available. To upgrade, see
Upgrading GKE on VMware.
GKE on VMware 1.28.300-gke.123 runs on Kubernetes v1.28.4-gke.1400.  

If you are using a third-party storage vendor, check the
GDCV Ready storage partners
document to make sure the storage vendor has already passed the qualification
for this release of GKE on VMware.  
Changed

Increased the default memory limit for node-exporter.
Updated the AIS version to hybrid_identity_charon_20240228_0730_RC00.

Fixed
The following issues are fixed in 1.28.300-gke.123:


Fixed the issue where the admin cluster backup did a retry on
non-idempotent operations.
Fixed the
known issue
where the controlPlaneNodePort field defaulted to 30968 when the manualLB
spec was empty.
Fixed the
known issue
that caused the preflight check to fail when the hostname wasn't in the IP
block file.
Fixed the
known issue
that caused Kubelet to be flooded with logs stating that
"/etc/kubernetes/manifests" does not exist on the worker nodes.


The following vulnerabilities are fixed in 1.28.300-gke.123:


High-severity container vulnerabilities:


CVE-2023-5517
CVE-2023-4408
CVE-2023-29499

Container-optimized OS vulnerabilities:


CVE-2023-40547


Security Command Center
Feature
Security Command Center detectors are now mapped to the following additional compliance frameworks:


CIS Critical Security Controls v8
Cloud Controls Matrix v 4
HIPAA
ISO 27001 (2022)
NIST 800-53 (rev 5)
NIST Cybersecurity Framework (v 1.0)
PCI-DSS 4.0
SOC 2 (2017)

VPC Service Controls
Feature
Preview stage support for the following integration:


Sovereign Controls by Partners

reCAPTCHA Enterprise
Feature
reCAPTCHA Enterprise platform logs are now available in Chronicle. Users can now view their reCAPTCHA assessment and annotation data in a structured and searchable data format in Chronicle. For more information, see Collect reCAPTCHA Enterprise logs.
[/content]

PublishedDate: 2024-03-21
Category: Technology
NewsPaper: GCP latest releases