Google Cloud release notes

Cloud Composer is now available in Oregon (us-west1).

Dialogflow CX has a new feature for side-by-side flow version comparison.

Contract DocAI (Preview) released

The Contract parser is now available.

v.4.11.7 Security updates available. See Migrate for Compute Engine Downloads for downloads and upgrade instructions.

GA (general availability) launch of the following languages in Dialogflow CX:

• Arabic
• Bengali
• Filipino
• Finnish
• Malay
• Marathi
• Romanian
• Sinhala
• Tamil
• Telugu
• Vietnamese

GA (general availability) launch of the following languages in Dialogflow ES:

• Bengali
• Filipino
• Finnish
• Malay
• Marathi
• Romanian
• Sinhala
• Tamil
• Telugu
• Vietnamese

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• App Engine Memcache
  • memcache.googleapis.com/Instance
• Filestore
  • file.googleapis.com/Instance
  • file.googleapis.com/Backup

You can now assign request tags and transaction tags in your application code to easily troubleshoot query performance, transaction latency, and lock contentions by correlating introspection statistics to application code.

Cloud EKM keys can now be used to encrypt Cloud Storage data.

• Cloud EKM keys encrypt your Cloud Storage data in the same way as other customer-managed encryption keys.

Preview: Spot VMs are now available! Spot VMs are the latest version of preemptible VM instances. Use Spot VMs for fault-tolerant workloads to get a 60-91% discount over the price of standard VMs. Spot prices can change up to once a month to reflect the underlying supply and demand. Like preemptible VMs, Spot VMs are available for all machine types, regions, and zones.

Preemptible VMs continue to be supported for new and existing VMs, and preemptible VMs now use the same pricing model as Spot VMs. However, Spot VMs provide new features that are not supported for preemptible VMs. For example, preemptible VMs can only run for up to 24 hours at a time, but Spot VMs do not have a maximum runtime.

Learn more about Spot VMs and preemptible VMs.

All new VMware Engine private clouds now deploy with VMware vSphere version 7.0 Update 2 and NSX-T version 3.1.2. Existing private clouds will be upgraded to vSphere version 7.0 Update 2 and NSX-T version 3.1.2 over a period of time in October 2021.

See Service announcements for more details on the contents of this upgrade.

Generally available: vSAN data encryption for data at rest now uses keys generated by Cloud Key Management Service for all new private clouds.

For details about this feature, see About vSAN encryption.

You can now use workload identity federation with any SAML 2.0-compatible identity provider. This feature is in Preview.

Event Threat Detection, a built-in service of Security Command Center Premium, launched an integration with Chronicle that lets you perform advanced analysis of threat findings.

The integration lets you seamlessly send findings to Chronicle, a Google Cloud service that you can use to investigate threats and pivot through related actions and events in a unified timeline. Chronicle enriches Event Threat Detection findings, helping you identify indicators of interest and simplify investigations.

To learn more about Chronicle, see Chronicle overview. For instructions on sending Event Threat Detection findings to Chronicle, see Investigate findings in Chronicle.

The BigQuery Storage Write API is now generally available (GA). The Storage Write API combines the functionality of high-throughput streaming ingestion and batch loading into a single API.

The data profiler for BigQuery is available in Preview. For more information, see Data profiles for BigQuery data.

The PostgreSQL interface is available in Preview, making the capabilities of Spanner accessible from the PostgreSQL ecosystem. The release supports a subset of the PostgreSQL SQL dialect, including core data types, functions, and operators. Applications can connect using updated Spanner drivers for JDBC, Java, Go, and Python. Starting initially with psql, community tools can connect using PGAdapter, a sidecar proxy that implements the PostgreSQL wire protocol. Sign up for the preview today.

Preview: Third generation Intel Xeon Scalable Processor (Ice Lake) N2 VMs are now available in select regions and zones. These new N2 VMs are offered at the same price as existing N2 VMs on second generation Intel Xeon Scalable Processors.

M81 release

• Upgraded R to 4.1.

M81 release

• Upgraded R to 4.1.
• Improved Cloud Storage sync logic so that only newer files sync.

Spot VMs on GKE is now available in Preview.

Using Private Service Connect to publish services that are hosted on the backends of an internal HTTP(S) load balancer is now Generally Available.

Accessing published services using a Private Service Connect endpoint is now available from on-premises hosts that are connected to a VPC network using Cloud VPN. This feature is available in Preview.

Preview: Tau T2D VMs are now available in select regions and zones. T2D VMs are ideal for a wide variety of workloads in a cloud-native environment. See VM instance pricing for details.

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes.To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes.To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Access Approval is now GA for Cloud SQL. Access Approval enables you to require explicit approval before Google Support may access your database for support purposes.To learn about access approval, see Overview of Access Approval. To set up access approval now, see the Access Approval Quickstart.

Runtime version 2.6 is available. You can use runtime version 2.6 to train with TensorFlow 2.6, scikit-learn 0.24.2, or XGBoost 1.4.2. Runtime version 2.6 supports training with CPUs, GPUs, or TPUs.

See the full list of updated dependencies in runtime version 2.6.

asmcliis generally available for new installations and upgrades of Anthos Service Mesh. You can use asmcli to:

• Install the Anthos Service Mesh in-cluster control plane

• Configure managed Anthos Service Mesh

• Add Compute Engine virtual machines to Anthos Service Mesh

• Set up a multi-cluster mesh on non-private GKE clusters

• Set up a multi-cluster mesh outside Google Cloud

The in-cluster control plane is supported on the on the following platforms using asmcli:

• GKE clusters in a single project
• GKE clusters in multiple projects
• Anthos clusters on VMware
• Anthos on bare metal
• Anthos clusters on AWS
• Amazon EKS

Note: Upgrades from Anthos Service Mesh 1.7 on EKS to Anthos Service Mesh 1.11 aren't supported. You will need to set up a new EKS cluster to install Anthos Service Mesh 1.11.

asmcli requires clusters to be registered with a fleet. asmcli can automatically register a cluster as long as it meets the requirements specified in fleet requirements. asmcli does not support automatic fleet registration for GKE 1.22 clusters, which must be registered manually before installation.

The Anthos Service Mesh integration with Certificate Authority Service (CA Service) is generally available. You can use CA Service as the certificate authority for signing mutual TLS certificates. See Configure Anthos Service Mesh to use CA Service for details.

You can now collect Apache httpd logs from the Ops Agent, starting with version 2.4.0. For more information, see Collecting logs from third-party applications: Apache httpd.

The Ops Agent now supports collecting logs from the systemd-journald service, starting with Ops Agent version 2.4.0. For information on configuring the systemd_journald receiver, see Configuring the Ops Agent: Logging receivers.

You can now specify the statistics package for the query optimizer to use, to ensure predictability in your query plans.

Document AI is now generally available (GA) in the following new locations:

• europe-west2
• northamerica-northeast1

You must request access to use the new locations. For more information, see Regional and multi-regional support.

The following resource types are now publicly available through the resource search API (SearchAllResources), policy search API (SearchAllIamPolicies), and Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning) : + Eventarc + eventarc.googleapis.com/Trigger

Python Client for Cloud Composer version 1.0.0 is released. You can use this library to interact with Cloud Composer API from Python.

Turbo replication is a premium feature designed to provide inter-region replication for newly written objects within 15 minutes.

This feature is now available in Preview.

Fit assessment tool now in GA

The migration fit assessment tool has moved from the Public Preview to General Availability. The migrate fit assessment tool helps users assess their workloads' fit for containerization. The provides users with detailed technical insights and a fit score per workload. The HTML fit assessment report enables users to easily share assessment data offline. The JSON file report allows them to view their assessment directly on the cloud console.

Security Health Analytics, a built-in service of Security Command Center, released new detectors in general availability.

The following detectors, available only in Security Command Center's Premium tier, detect vulnerabilities in your Google Kubernetes Engine clusters and expand the number of detectors that support the CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0:

• ALPHA_CLUSTER_ENABLED: Alpha cluster features are enabled for a GKE cluster.
• BINARY_AUTHORIZATION_DISABLED: Binary Authorization is disabled on a GKE cluster.
• CLUSTER_SECRETS_ENCRYPTION_DISABLED: Application-layer secrets encryption is disabled on a GKE cluster.
• CLUSTER_SHIELDED_NODES_DISABLED: Shielded GKE nodes are not enabled for a cluster.
• INTEGRITY_MONITORING_DISABLED: Integrity monitoring is disabled for a GKE cluster.
• INTRANODE_VISIBILITY_DISABLED: Intranode visibility is disabled for a GKE cluster.
• NODEPOOL_SECURE_BOOT_DISABLED: Secure Boot is disabled for a GKE cluster.
• RELEASE_CHANNEL_DISABLED: A GKE cluster is not subscribed to a release channel.

For more information, see Container vulnerability findings. To learn how to remediate vulnerabilities, see Remediating Security Health Analytics findings

Vertex Feature Store is generally available (GA).

You can now specify a release or snapshot version policy for Maven repositories when you create them. You cannot change the version policy of an existing repository. Repositories created before availability of this feature accept both snapshot and release packages.

BigQuery Migration Service is now in Preview. It includes the following features:

• Interactive SQL Translator
• Batch SQL Translator

Cloud Bigtable provides a CPU utilization by app profile, method, and table metric that gives you more granular observability into the cluster's CPU usage. This metric is generally available (GA).

GKE version 1.20.8-gke.2100 or later offers a Preview of a fully managed metric collection pipeline to scrape Prometheus-style metrics exposed by any GKE workload and send those metrics to Cloud Monitoring for dashboards, alerts, and SLOs. Compared to the Prometheus Stackdriver sidecar, this new pipeline is easy to set up, allows filtering to control cost, supports larger clusters, is fully managed, supports Autopilot and horizontal Pod autoscaling, and offers better pricing. Get started with GKE workload metrics.

Preview: Newly deployed services are now automatically configured to use nip.io as the default domain, providing immediate access to each of your services without configuration. The nip.io default domain is only available through Cloud Run for Anthos fleet installations. Existing services in your fleet that use the previous example.com default domain are automatically upgraded to use the new nip.io domain. Learn more about test domains.

Cloud SQL now supports the ability for you to specify IP CIDR ranges from your VPC network for your Cloud SQL instances allowing you to manage your IP address space better. For more information, see Allocated IP address ranges. To start using this feature now, see Configuring private IP for a new instance.

GKE version 1.20.8-gke.2100 or later offers a Preview of a fully managed metric collection pipeline to scrape Prometheus-style metrics exposed by any GKE workload and send those metrics to Cloud Monitoring for dashboards, alerts, and SLOs. Compared to the Prometheus Stackdriver sidecar, this new pipeline is easy to set up, allows filtering to control cost, supports larger clusters, is fully managed, supports Autopilot and horizontal Pod autoscaling, and offers better pricing. Get started with GKE workload metrics.

Migrate for Computer Engine now supports the configuration of multiple network interfaces to migrated VMs.

BigQuery now supports the following geospatial data functions:

• ST_BUFFER: Returns a GEOGRAPHY that represents the buffer around the input GEOGRAPHY. You specify the number of segments to determine how much the resulting geography can deviate from the ideal buffer radius.

• ST_BUFFERWITHTOLERANCE: Returns a GEOGRAPHY that represents the buffer around the input GEOGRAPHY. You specify the tolerance to determine how much the resulting geography can deviate from the ideal buffer radius.

These functions are available as a preview.

New multi-regional support for features

The Vision API now offers multi-regional support (us and eu) for the LABEL_DETECTION and SAFE_SEARCH features.

Added spec.configSync.git.gcpServiceAccountRef to GKEHubFeatureMembership.

Added spec.destroyScheduledDuration to KMSCryptoKey.

The following features are introduced in version 1.21:

CronJob (GA)

The CronJob API has graduated to General Availability (GA), bringing performance improvements and allowing scheduled jobs to be run using a stable API.

• This resource is now available in the batch/v1 group/version.
• The batch/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

PodDisruptionBudget (GA)

The PodDisruptionBudget has graduated to GA, allowing Pod evictions to be controlled using a stable API.

• This resource is now available in the policy/v1 group/version.
• The policy/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

EndpointSlice (GA)

The EndpointSlice API has graduated to GA, bringing performance improvements over the v1 Endpoints API.

• This more scalable API for service discovery is now enabled on all clusters and is promoted to discovery.k8s.io/v1.
• The discovery.k8s.io/v1beta1 group/version is deprecated, and will be removed in version 1.25. See the migration guide for details.

Default namespace label (Beta)

Namespace API objects now have a kubernetes.io/metadata.name label matching their metadata.name field to allow selecting any namespace by its name using a label selector. This can be used for objects which select namespaces by label, such as admission webhooks and network policies.

Bound service account token volumes (Beta)

• The API credentials injected into containers at /var/run/secrets/kubernetes.io/serviceaccount/token are now time-limited, auto-refreshed, and invalidated when the containing pod is deleted.
• By default, injected tokens are given an extended lifetime so they remain valid even after a new refreshed token is provided. The metric serviceaccount_stale_tokens_total and the audit annotation authentication.k8s.io/stale-token can be used to monitor for workloads that depend on the extended lifetime and are continuing to use tokens even after a refreshed token is provided to the container.
• Clients should reload the token from disk periodically (once per minute is recommended) to ensure they use the refreshed token. k8s.io/client-go version 11.0.0+ and 0.15.0+ reload tokens automatically.

Notable features in 1.22

GA: Server-side Apply

Server-side Apply is a new object merge algorithm, as well as tracking of field ownership, running on the Kubernetes API server. Server-side Apply helps users and controllers create and modify their resources via declarative configurations by sending their fully specified intent. Refer to server-side apply documentation for more information. Improvements in 1.22 include:

• scale subresource ownership is tracked correctly (#98377)
• label selector fields are applied atomically (#97989)

Beta: DaemonSet maxSurge

DaemonSet objects now support a maxSurge rollout parameter, which allows running updated pods for the DaemonSet on nodes before removing old pods. Refer to the DaemonSet API documentation for more information.

Beta: Suspended jobs

Job objects can now be created or placed in a suspended state, to allow higher-level control over ordering and scheduling of batch workloads. Refer to the Job documentation for more information.

Beta: podAffinity namespace selection

Pod affinity rules can now specify namespaced using a label selector, in addition to a fixed list of namespace names. Refer to the pod affinity documentation for more information.

You can now launch Kubernetes 1.21 clusters.

Anthos Identity Service is available on Kubernetes clusters version 1.21 and above.

Kubernetes 1.21 clusters now support the Kubernetes Konnectivity tool for communication between nodes and the control plane. When you launch a 1.21 cluster, you must allow connections between control plane nodes and node pool nodes on port 8132.

You can now update the OIDC configuration on a running cluster.

You can now specify a Cloud Storage Bucket name where Anthos clusters on AWS stores configuration data.

You can now launch node pools with AWS R5 instances.

Anthos clusters on Azure now supports Kubernetes 1.20 clusters

You can now use an HTTP proxy with Kubernetes 1.20 clusters

You can now launch clusters in the Singapore and Australia regions

You can now specify zone placement of control plane replicas when you create a cluster. For more information, see Control plane zonal placement

Storage limits for Cloud Bigtable nodes have been doubled. Each node now supports twice as much storage, with no increase in per-node costs. This feature is generally available (GA).

Cloud Monitoring dashboards now support displays of data in tabular form. For information about this feature, see Configure tables with the Cloud Console and Configure tables by using the API.

CMEK integration with Dataproc Metastore is generally available (GA).

You can now use Customer-Managed Encryption Keys (CMEK) to protect all data at rest in Filestore's Enterprise tier instances. CMEK in Filestore is a preview feature. For more information, see Encrypt data with customer-managed encryption keys.

Filestore's Enterprise tier now supports snapshots. A snapshot is a preserved state of your file share data that can be used to restore data. For more information, see the snapshots documentation page.

Google Cloud Armor Adaptive Protection is now in General Availability.

Now you can see how effectively your GKE clusters and workloads are utilizing your available compute resources. The new Cost Optimization tab lets you view, filter, and learn more about the CPU and memory usage, requests, allocation, and limit amounts of each of your clusters and workloads. This information can help you identify opportunities to optimize your clusters or workloads for more cost effective resource utilization. This feature is now available in Preview. For more information, see View cost-related optimization metrics.

Added Troubleshooting guide.

Added guidance on job limits.

Anthos clusters on VMware 1.9.0-gke.8 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.0-gke.8 runs on Kubernetes v1.21.4-gke.200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.9, 1.8, and 1.7.

Features:

Cluster lifecycle Improvements:

• GA: You can register an admin cluster during its creation by filling in the gkeConnect section in the admin cluster configuration file, similar to user cluster registration.

Platform enhancements:

• Preview: User clusters can now be in a different vSphere datacenter from the admin cluster, resulting in datacenter isolation between the admin cluster and user clusters. This provides greater resiliency in the case of vSphere environment failures.

• GA: Support for Windows node pools is generally available.This release adds:

  • Preview: Windows DataplaneV2 support, which allows for using Windows Network Policy
  • Node Problem Detector (NPD) support on Windows
  • Streamlined process for preparing Windows images in a private registry
  • Enhanced Flannel CNI support on Windows

  The upstream fixes for the "Windows Pod stuck at terminating status" error are also applied to this release, which improves the stability of running Windows workloads.

• GA: Support for Container-Optimized OS (COS) node pools is generally available.

• GA: CoreDNS is now the cluster DNS provider.

  • Clusters that are upgraded to 1.9 will have their KubeDNS provider replaced with CoreDNS. During the upgrade, CoreDNS is first deployed and then KubeDNS is removed, so applications should not observe DNS unavailability. However before upgrading, ensure that your cluster has enough additional resources to deploy CoreDNS. CoreDNS requires 100 millicpu and 170 MiB of memory per instance, all clusters require a minimum of 2 instances, and there is an additional instance deployed for every 16 nodes in the cluster.
  • You can configure cluster DNS options such as upstream name servers by using the new ClusterDNS custom resource.

Security enhancements:

• GA: Always-on secrets encryption: You can enable secrets encryption with internally generated keys instead of a hardware security module (HSM). Use the gkectl update command to rotate these keys or to enable or disable secrets encryption after cluster creation.
• Preview: Windows network policy support. This release introduces a new network plugin, Antrea, for Windows nodes. In addition to network connectivity and services support, it provides network policy support. When creating a user cluster, you can set enableWindowsDataplaneV2 to true to enable this feature. Enabling this feature replaces Flannel with Antrea on Windows nodes.
• Preview: Azure AD group support for Authentication: This feature allows cluster admins to configure RBAC policies based on Azure AD groups for authorization in clusters. This supports retrieval of groups information for users belonging to more than 200 groups, thus overcoming a limitation of regular OIDC configured with Azure AD as the identity provider.

Simplify day-2 operations:

• Preview: When creating a user cluster, you can set enableVMTracking in the configuration file to true to enable vSphere tag creation and attachment to the VMs in the user cluster. This allows easy mapping of VMs to clusters and node pools. See Enable VM tracking.
• GA: New metrics agents based on open telemetry are introduced to improve reliability, scalability and resource usage.
• Preview: You can enable or disable Stackdriver with gkectl update on existing user clusters. You can enable or disable cloud audit logging and monitoring with gkectl update on both admin and user clusters.

Cloud Composer supports the IP Masquerade agent in Preview. This feature is available in new Cloud Composer 1 environments.

Preview: You can now use SAP as a source for batch-based and delta-based data extraction in Cloud Data Fusion through Operational Data Provisioning (ODP). For more information, see the SAP ODP plugin overview. This plugin is available in Cloud Data Fusion version 6.4.0 and later.

External HTTP(S) Load Balancing is now available in a regional mode. The new regional external HTTP(S) load balancer contains many of the features of our existing global load balancer, but with an ever-growing list of advanced traffic management capabilities. You can use this load balancer for workloads with jurisdictional compliance requirements or to access the Standard Network Tier.

For details, see:

• External HTTPS(S) Load Balancing overview
• Load balancer features (External HTTP(S): Global | Regional)
• Setting up a regional external HTTP(S) load balancer
• Traffic management for regional external HTTP(S) load balancers

This load balancer is available in Public Preview.

General availability for the following integration:

• Security Token Service

Release 1.9.0

Anthos clusters on bare metal 1.9.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.0 runs on Kubernetes 1.21.

Improved cluster lifecycle functionalities:

• Preview: Added ability to reset individual nodes with the bmctl reset node command. To give access to the needed cluster configuration file, use the command with the -c flag.

• Preview: Added ability to recover from HA control plane quorum loss withbmctl restore --control-plane-node command.

• Added bmctl create ksa command to create a Kubernetes Service Account (KSA) and generate a bearer token. To log in to the registered cluster, you can use the token in Cloud Console Kubernetes Engine > Clusters.

• Preview: Added bmctl backup cluster and bmctl restore cluster commands to facilitate disaster recovery for clusters.

Introduced new troubleshooting capabilities:

• Updated the bmctl check cluster --snapshot command to support uploading cluster diagnostic snapshots to a Cloud Storage bucket for review by Cloud Customer Care.

• Provided access to bootstrap cluster logs to help troubleshoot cluster creation or upgrade problems.

• Preview: Added support for Node Problem Detector service on nodes for quick detection of common node problems.

Enhanced monitoring and logging:

• GA: Cloud Audit Logs capability is now generally available and enabled by default. Audit logs are useful for investigating suspicious API requests and for collecting statistics. For more information, see Use Audit Logging.

• Switched to new open telemetry-based metrics agents to improve reliability, ability to scale, and resource usage.

Improved networking capabilities:

• GA: The multi-NIC capability to provide additional interfaces to your pods is now generally available.

• Preview: Added the single root I/O virtualization (SR-IOV) container network interface (CNI) plugin for multi-NIC.

• Added support to configure cluster Domain Name System (DNS) provider options, such as upstream nameservers, with the new ClusterDNS custom resource definition.

Enhanced security:

• SELinux is now always enabled in the container runtime for CentOS and RHEL.

• Preview: Enhanced the capability to rotate cluster certificate authorities (CAs). Updates include support for all cluster types, rotation of front-proxy and etcd CAs, and changes to the bmctl command syntax.

• Preview: Added Okta group support for authentication in Anthos Identity Service.

Table functions are now generally available (GA). With the GA release, authorized table functions are now supported.

Customer managed encryption keys are now at general availability (GA).

Binary Authorization for Cloud Run is now at generally availability (GA).

Cloud SQL supports the preview version of two recommenders that help you optimize your database costs:

• Idle database instance recommender: Identifies idle database instances in your project and provides recommendations about the savings that you can make by shutting them down.

• Overprovisioned database instance recommender: Identifies overprovisioned database instances in your project and provides recommendations about the savings that you can make by rightsizing these instances.

When a database instance is nearly out of storage capacity, it's automatically stopped to prevent the loss of information. For more information, see Stopping an instance.

Cloud SQL supports the preview version of two recommenders that help you optimize your database costs:

• Idle database instance recommender: Identifies idle database instances in your project and provides recommendations about the savings that you can make by shutting them down.

• Overprovisioned database instance recommender: Identifies overprovisioned database instances in your project and provides recommendations about the savings that you can make by rightsizing these instances.

When a database instance is nearly out of storage capacity, it's automatically stopped to prevent the loss of information. For more information, see Stopping an instance.

Cloud SQL supports the preview version of two recommenders that help you optimize your database costs:

• Idle database instance recommender: Identifies idle database instances in your project and provides recommendations about the savings that you can make by shutting them down.

• Overprovisioned database instance recommender: Identifies overprovisioned database instances in your project and provides recommendations about the savings that you can make by rightsizing these instances.

When a database instance is nearly out of storage capacity, it's automatically stopped to prevent the loss of information. For more information, see Stopping an instance.

You can now use Producer Portal's new guided configuration option to create deployment packages for your VM products directly in the Cloud Console.

Many legacy App Engine APIs are now available to select second-generation runtimes. These APIs are available for Go 1.12+ in preview, through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

Many legacy App Engine APIs are now available to select second-generation runtimes. These APIs are available for Java 11 in preview, through language-idiomatic libraries. Calls to these APIs are billed according to the standard rates.

Many legacy App Engine APIs are now available to select second-generation runtimes. These APIs are available for Python 3 in preview, through language-idiomatic libraries. Calls to these API are billed according to the standard rates.

BigQuery now supports the following geospatial data functions:

• ST_BOUNDINGBOX: Returns a STRUCT that represents the bounding box for a geography.

• ST_EXTENT: Returns a STRUCT that represents the bounding box for a set of geographies.

• S2_COVERINGCELLIDS: Returns an array of S2 cell IDs that cover a geography.

• S2_CELLIDFROMPOINT: Returns the S2 cell ID covering a point geography.

These functions are generally available (GA).

You can now install the Ops Agent on one or more Compute Engine VMs from the Inventory tab of the Monitoring VM Instances dashboard. The dashboard generates Cloud Shell commands you can use to install the Ops Agent (recommended) or the legacy agents (if needed) on the selected VMs.

M80 release

• Updated JupyterLab from 1.x to 3.x.
• Added Jupytext.

M80 release

• Updated JupyterLab from 1.x to 3.x.
• Added Jupytext.

Pub/Sub Lite reservations allow you to reserve and share throughput capacity among multiple topics in a region. - For more information, see Creating and managing Lite reservations.

Vertex Matching Engine is generally available (GA).

Training with pre-built PyTorch containers is generally available (GA).

Pre-built PyTorch containers for PyTorch 1.9 are available for training. You can use these containers to train with CPUs, GPUs, or TPUs.

Config Sync supports rendering Kustomize configurations and Helm charts in multi-repo mode. The Git repository must have a kustomization.yaml file in the root of the sync directory to trigger the rendering process. To learn more, see Use a repo with Kustomize configurations and Helm charts.

The nomos hydrate command supports rendering unstructured source format and it supports rendering Kustomize configurations or Helm charts.

The nomos vet command supports rendering and it supports rendering Kustomize configurations or Helm charts. It provides a --keep-output flag to preserve the rendered output.

Config Sync ignores validating and applying any resource configuration in the Git repo with the annotation config.kubernetes.io/local-config: "true".

Anthos clusters on VMware 1.7.4-gke.2 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.4-gke.2 runs on Kubernetes v1.19.12-gke.2101.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

• Vertex AI
  • aiplatform.googleapis.com/ModelDeploymentMonitoringJob

Cloud Composer supports Privately used public IP addresses in Preview. This feature is available in new environments.

Internal TCP/UDP Load Balancing now allows you to configure a connection tracking policy for the load balancer's backend service. A connection tracking policy introduces the following new properties to let you customize your load balancer's connection tracking behavior:

• Tracking mode
• Connection persistence on unhealthy backends
• Idle timeout

To learn about how connection tracking works, see Traffic distribution.

This feature is available in Preview.

Generally Available: Use patch alerting to monitor the patch jobs running in your environment. For more information, see Monitoring patch jobs.

Cloud CDN now supports custom named cookies and headers in the cache key, to enable A/B (multivariate) testing, canarying, and similar scenarios. Allowlisting of query parameters is now also enabled for backend buckets, to allow for cache busting. These features are available in Preview.

For details, see the caching documentation.

Preview: You can now access installer properties for your Windows applications by using OS inventory management. For more information, see OS inventory management.

For information on setting up and using OS inventory management, see Viewing operating system details.

Anthos clusters on VMware 1.8.3-gke.0 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.3-gke.0 runs on Kubernetes v1.20.9-gke.701.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Release 1.8.4

Anthos clusters on bare metal 1.8.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.4 runs on Kubernetes 1.20.

Added Age and Healthy columns for the kubectl get tabular outputs of ConfigConnector and ConfigConnectorContext resources.

Vertex Vizier is generally available (GA).

Release 1.7.4

Anthos clusters on bare metal release 1.7.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.7.4 runs on Kubernetes 1.19.

Object Versioning can now be managed in the Cloud Console.

• You can enable and disable Object Versioning using the Cloud Console.

• You can list, restore, copy, move, and delete versioned objects from within the Cloud Console.

Migrate for Compute Engine now supports the deployment of migrated workloads to sole-tenant nodes. A sole-tenant node is a Compute Engine server that is dedicated to hosting only your project's VMs.

See Migrating individual VMs for more information on sole tenancy.

Connectivity to Cloud VPN and Cloud Interconnect is now generally available in Network Topology. Google Cloud users can use Network Topology to audit their networking configuration and troubleshoot issues related to the hybrid connectivity to and from their on-premises networks.

The Organization Policy Service v2 API reference documentation is now available. For more information, see the API reference documentation.

BigQuery now supports the following geospatial data functions:

• ST_EXTERIORRING: Returns a linestring geography that corresponds to the outermost ring of a polygon geography.

• ST_INTERIORRINGS: Returns an array of linestring geographies that corresponds to the interior rings of a polygon geography.

• ST_ANGLE: Returns the angle between two intersecting lines.

• ST_AZIMUTH: Returns the azimuth of a line segment formed by two points.

• ST_NUMGEOMETRIES: Returns the number of geometries in a geography.

• ST_GEOMETRYTYPE: Returns the Open Geospatial Consortium (OGC) geometry type that describes a geography as a string.

These functions are generally available (GA).

Cost breakdown report now supports new filters and report sharing

In the Cloud Billing Console Cost breakdown report, you can now select the costs you want to analyze using the Time range and other report filters, such as projects, services, and SKUs.

For detailed insights behind the results of your cost breakdown report, view the Reports page. The cost breakdown report is linked to the Cloud Billing Reports page; the link uses the same time range and report filters you configure on your cost breakdown report. When you open the Reports page from your cost breakdown report, the report opens displaying the same totals as the cost breakdown report.

Along with the new report filters, the cost breakdown report now supports URL bookmarking and sharing. As you configure your cost breakdown report by setting the time range and other filters, the cost breakdown URL updates to include your selections. You can save your report settings by bookmarking the URL. You can share the cost breakdown report by copying the URL.

For more details about the cost breakdown report and using the new report filters and sharing feature, see the documentation.

Updated August 19, 2021 release notes with cluster creation Failure Action feature.

Anthos clusters on VMware 1.6.5-gke.0 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.6.5-gke.0 runs on Kubernetes 1.18.20-gke.4501.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

BigQuery ML documentation has been updated with the following improvements:

• The end-to-end user journey now includes an overview of the machine-learning workflow for each available model.
• Each machine learning module now provides an overview document that describes the BigQuery ML behavior and links to additional guidance. New documentation includes the following:
  • Model creation overview
  • Preprocessing overview
  • Hyperparameter tuning overview
  • Model evaluation overview
  • Model inference overview
  • Explainable AI overview
  • Model weights overview
• Improvements to documentation organization and content, as well as the addition of new landing pages.

In GKE versions 1.21.0-gke.1500 and later, VPC-native is the default network mode during cluster creation. To create a routes-based cluster, you can use the --no-enable-ip-alias flag:

gcloud container clusters create CLUSTER_NAME --no-enable-ip-alias

You can now disable and enable service account keys.

Airflow 2 in Cloud Composer is now generally available (GA).

HA Scheduler in Cloud Composer is now generally available (GA).

Java Runtime in Airflow workers and schedulers is updated from version 8 to version 11.

Vertex Explainable AI is generally available (GA).

Cloud SQL for MySQL now supports custom formatting controls for CSVs. For more information on how to select custom characters for field delimiters, quotes, escapes, and other characters in admin exports and imports, see our documentation.

Cloud SQL for PostgreSQL has enhanced the support for multiline log entries in postgres.log. Before, when a log entry spanned multiple lines, each line was recorded as a separate entry in Cloud Logging. The lines are now recorded as a single entry in Cloud Logging for ease of query and processing.

Cloud SQL for PostgreSQL now supports custom formatting controls for CSVs. For more information on how to select custom characters for field delimiters, quotes, escapes, and other characters in admin exports and imports, see our documentation.

Cloud Shell is available directly in the Google Cloud documentation.

You can use this feature to activate Cloud Shell in the documentation and run sample code in the terminal on the page. For more information, see Launching within documentation.

The following list summarizes known issues that you might encounter:

• You can only activate Cloud Shell in the documentation when you're using Chrome desktop browsers (version 74 or higher).
• If Cloud Shell is activated and you open a site search result, the browser asks if you want to leave the site and then closes Cloud Shell.
• If Cloud Shell is activated and you open a URL that redirects you to a different URL, your Cloud Shell session restarts.

With GKE versions 1.21.4-gke.30 and later, users can create ServiceAttachment resources to provision Private Service Connect (PSC) for internal LoadBalancer Services. This feature is available in Preview.

Multi-cluster Ingress now supports SSL policies and HTTPS redirects using the FrontendConfig resource. This feature is generally available in GKE versions 1.17.13-gke.2600 and later.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched new detectors in public preview.

The following detectors monitor your Google Workspace and Cloud Audit logs and alert you when external members are added to privileged Google Groups—groups that are granted sensitive IAM roles and permissions:

• Credential Access: Privileged Group Joinability Risk: Detects when Google Groups are changed to be accessible to the general public
• Persistence: IAM Anomalous Group Grant: Detects when sensitive roles are granted to privileged Google Groups with external members
• Credential Access: External Member In Privileged Group: Detects when an external member is added to a privileged Google Group

The following detectors monitor your Admin Activity logs and alert you to suspicious changes in Compute Engine instances:

• Persistence: Compute Engine Admin Added SSH Key: Detects modification of the Compute Engine instance metadata ssh key value on established instances
• Persistence: Compute Engine Admin Added Startup Script: Detects modification of the Compute Engine instance metadata startup script value on established instances

The Persistence: IAM Anomalous Grant detector is enhanced and detects when sensitive roles are granted to users and service accounts.

For more information on Event Threat Detection findings, see Rules. To learn how Event Threat Detection monitors changes in Google Groups and defines sensitive roles, see Unsafe Google Group changes.

Full control over which protocols are mirrored by Packet Mirroring is now available in General Availability.

Call logging is available in Preview.

You can now configure Cloud Run services to have CPU allocated for the entire lifetime of container instances. Pricing depends on the CPU allocation configuration. (Available in public preview.)

Generally Available: NVIDIA® T4 GPUs are now available in the following additional regions and zones:

• Las Vegas, Nevada,: us-west4-a,b
• Los Angeles, California: us-west2-b,c

For more information about using GPUs on Compute Engine, see GPUs on Compute Engine.

Eventarc can be configured for data location and is supported as a resource location.

You can use a pre-built container to serve predictions from TensorFlow 2.6 models.

Connectors are now generally available (GA).

New resource types are now available.

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• Container
  • k8s.io/Node
  • k8s.io/Pod
  • k8s.io/Namespace
  • rbac.authorization.k8s.io/Role
  • rbac.authorization.k8s.io/RoleBinding
  • rbac.authorization.k8s.io/ClusterRole
  • rbac.authorization.k8s.io/ClusterRoleBinding

The Cloud SQL out-of-disk recommender is now generally available. This feature proactively generates recommendations that help you reduce the risk of downtime that might be caused by your instances running out of disk space.

The Cloud SQL out-of-disk recommender is now generally available. This feature proactively generates recommendations that help you reduce the risk of downtime that might be caused by your instances running out of disk space.

Cloud SQL for PostgreSQL now supports the min_wal_size flag. For more information about this flag, see the Cloud SQL for PostgreSQL flags documentation.

The Cloud SQL out-of-disk recommender is now generally available. This feature proactively generates recommendations that help you reduce the risk of downtime that might be caused by your instances running out of disk space.

Added the securitySettings field to ComputeBackendService

Vertex Model Monitoring is generally available (GA).

When you perform custom training, you can access Cloud Storage buckets by reading and writing to the local filesystem. This feature, based on Cloud Storage Fuse, is available in Preview.

Cloud Billing Budgets & alerts now support configurable budget time periods, beyond monthly budgets

In the Cloud Billing Console Budgets & alerts settings, you can now specify the time period of your budgets. Using the Time range settings now available to budgets in the Cloud Console, you can configure the budget's time range to a calendar period or a custom date range, allowing you to create budgets to monitor spend for time frames beyond the default calendar month, such as a quarter, a year, or a custom date range that you specify.

With this update, you can create, view, and manage all budgets (monthly and non-monthly) in the Budgets & alerts page in the Cloud Console or by using the Cloud Billing Budget API.

For more information on budgets and alerts, see Create, edit, or delete budgets and budget alerts.

Cloud Composer 2 is available in Preview.

Cloud Composer 2 brings environments that scale automatically based on the demands of your workflows. For more information about Cloud Composer 2, see Major versions of Cloud Composer, Environment scaling, and Pricing pages in the documentation.

Cloud KMS now provides a library that conforms to the PKCS #11 standard, which enables working with existing applications that use the PKCS #11 API. See Library for PKCS #11 to learn more.

You can now collect JVM metrics from the Ops Agent, starting with version 2.2.0. For more information, see Monitoring third-party applications: JVM.

M79 release

• Updated Pytorch 1.9 containers (they were not refreshed in the last release).
• Updated Theia IDE (experimental) containers.
• Node.js is pinned to >=12.14.1,<13.

M79 release

• Updated Pytorch 1.9 images (they were not refreshed in the last release).
• Updated Theia IDE (experimental) images.
• Node.js is pinned to >=12.14.1,<13.

Firestore triggers for Cloud Functions are now supported at the General Availability release level.

The managed Filestore CSI driver for GKE is now available in GKE versions 1.21 and later to provision and manage Filestore instances for GKE workloads.

Firewall Insights now provides comprehensive analysis of whether your firewall rules are overly permissive. Through overly permissive rule insights, which are now in public preview, Firewall Insights identifies rules and attributes that could be made more strict and secure.

Overly permissive rule insights include the following:

• Allow rules with no hits
• Allow rules with unused attributes
• Allow rules with overly permissive IP address or port ranges

Firewall Insights uses Firewall Rules Logging to identify these rules. It uses machine learning to predict future usage of overly permissive rules.

By default, the product analyzes the past six weeks when it identifies overly permissive rules. However, you can choose a different observation period.

For more information about overly permissive rule insights, see the Firewall Insights overview. For details about how to enable overly permissive rules, see Using Firewall Insights.

Maven, npm, and Python repositories are now generally available.

Storage and network egress charges apply to all formats that are in Preview or are generally available.

Deleting the metadata for a specific job using the bq command-line tool is now generally available (GA).

Session support for BigQuery is now in Preview. With sessions:

• You can associate your SQL activities in a session across scripts and multi-statement transactions in BigQuery with a unique session identifier.
• You can use session variables (for example, default timezone or dataset) and temporary tables throughout the life of the session and also across scripts and transactions
• When you enable sessions, all actions performed across multiple sessions can be viewed using the SESSION_ID column now available in jobs INFORMATION_SCHEMA views.

Cloud SQL for MySQL now allows you to specify mysqldump options during migration from external servers. For more information, see Configuring Cloud SQL to replicate from an external server and Using a managed import to set up replication from external databases.

Preview: You can now review OS vulnerability report data, which is collected by VM Manager, from the Security Command Center. This feature is available for Security Command Center premium tier users. For more information, see View vulnerability report data.

Build triggers support for buildpacks is now generally available. To learn more, see Creating and managing build triggers.

Cloud Load Balancing now supports load-balancing traffic to endpoints that extend beyond Google Cloud, such as on-premises data centers and other public clouds that you can reach using hybrid connectivity.

Hybrid load balancing is supported by the following load balancers:

• External HTTP(S) Load Balancing
• Internal HTTP(S) Load Balancing
• TCP Proxy and SSL Proxy Load Balancing

For details, see Hybrid load balancing overview.

This feature is available in Preview.

Dataflow now supports Shielded VM workers.

Redis version 6.x is now Generally Available on Memorystore for Redis.

VM Manager vulnerability reports, which are in preview, are now available in Security Command Center Premium. The reports identify vulnerabilities in operating systems installed on Compute Engine virtual machines, including Common Vulnerabilities and Exposures (CVEs).

For more information on integrating VM Manager with Security Command Center, see VM Manager.

Support for callback endpoints is available in Preview.

Added support for overriding the default license type to explicitly specify a license type of PAYG or BYOL.

See Configuring the target for a migrated VM for more information.

Anthos clusters on VMware 1.7.3-gke.6 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.7.3-gke.X runs on Kubernetes v1.19.12-gke.1100

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

Cloud Functions has added support for a new runtime, Go 1.16, at the Preview release level.

Re-importing previously destroyed keys is now supported in Cloud KMS.

Cloud Monitoring now lets you configure how long Monitoring waits to close an incident when observations stop arriving. For more information, see Closing incidents.

Added a new KeywordMatchMode field to support more keyword matching options.

Added more DiversificationLevel configuration options.

Added support for ComputeFirewallPolicy resource.

Preview: Cloud Data Fusion version 6.5.0 is now available. This version is a Preview. This release is in parallel with the CDAP 6.5.0 release.

Features in 6.5.0:

• Preview: Cloud Data Fusion now supports role-based access control (RBAC). This gives administrators fine-grained access control over what users can do at the namespace level.

• Preview: Cloud Data Fusion now supports customer-managed encryption keys (CMEK), which provide user encryption control over the data written to Google internal resources in tenant projects, and data written by Cloud Data Fusion pipelines.

• Preview: Cloud Data Fusion Instance Admins can now create, view, duplicate, delete, import, and export connections from the Pipeline Studio, Wrangler, or the Namespace Admin page. A connection stores sensitive data, such as user credentials and host information, needed to connect to data sources. For more information, see Managing connections.

• Preview: Transformation pushdown is now available. It helps you efficiently design and execute ELT workloads by pushing join transformations down to BigQuery. It gives users that prefer ELT in BigQuery access to the same visual experience that ETL users get in Cloud Data Fusion, without needing to maintain complex SQL scripts. When you enable Transformation pushdown, Cloud Data Fusion executes Join operations in BigQuery (instead of Apache Spark). All other stages in a pipeline are executed using Spark. For pipelines that perform multiple complex joins, BigQuery can execute these joins operations faster than Spark.

• Preview: Dataproc cluster reuse is now available. It can be used to speed up pipeline run startup by reusing clusters from previous runs.

Cloud SQL for MySQL now supports using a custom import to set up replication from large external databases. To use this replication option, see Configuring Cloud SQL to replicate from an external server and Using a custom import to set up replication from large external databases.

Added DATA_READ and DATA_WRITE Data Access audit logs. See Firestore in Datastore mode audit logging information. This feature is available in Preview.

Added DATA_READ and DATA_WRITE Data Access audit logs. See Firestore audit logging information. This feature is available in Preview.

Multi-Instance GPU on GKE is is now generally available.

Support for iterating over a sequence of numbers or through a collection of data is generally available (GA).

Runtime version 2.6 is now available. You can use runtime version 2.6 to serve online predictions with TensorFlow 2.6.0, scikit-learn 0.24.2, or XGBoost 1.4.2. Runtime version 2.6 does not support batch prediction.

See the full list of updated dependencies in runtime version 2.6.

New resource types are now available.

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• Logging
  • logging.googleapis.com/LogBucket
  • logging.googleapis.com/LogSink
  • logging.googleapis.com/LogMetric

VPC Service Controls support for build triggers is now available in the preview release stage. This feature enables users to use build triggers in projects in the VPC Service Controls perimeter. For instructions, see Using VPC Service Controls.

Generally available: When deleting VMs from a managed instance group, you can flag the operation to continue even if some instances were already deleted or if other instance validation errors occur.

Support for Cloud Storage triggers is now available in Preview.

Anthos clusters on VMware 1.8.2-gke.11 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.8.2-gke.11 runs on Kubernetes 1.20.9-gke.701.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.8, 1.7, and 1.6.

You can now collect nginx metrics and logs from the Ops Agent, starting with version 2.1.0. For more information, see Monitoring third-party applications: nginx.

You can now collect nginx metrics and logs from the Ops Agent, starting with version 2.1.0. For more information, see Monitoring third-party applications: nginx.

The R2DBC driver for Cloud Spanner is available in Preview. This driver lets you connect to Cloud Spanner from fully reactive applications.

Generally available: You can now reference the latest available image in a public image family for a specific zone. This feature improves zonal fault tolerance for your workflows during Google image updates.

Dataflow Prime is now available in Preview.

All client library code samples updated to v1 of the API.

Access Approval supports Speaker ID in Preview stage.

Exporting table data in Parquet format is now generally available (GA).

Airflow 2.1.2 is available in Cloud Composer images.

(Airflow 2) Cloud Composer now supports the stable Airflow REST API. The stable Airflow REST API is enabled by default.

Cloud Functions adds support for setting a minimum number of instances, available at the Preview release level. For more information, see the blog post.

The VM Instances page features enhanced scorecards for VM health. The new scorecards now include both "maintenance" and "system" events that might affect your VMs and agents, along with other metrics and statistics about the health of your VMs. The filtering and sorting of the Inventory table have also been enhanced.

Cloud SQL for PostgreSQL support for pglogical, native logical replication, wal2json and test_decoding is now generally available.

Cloud SQL for PostgreSQL support for Automatic IAM database authentication is now generally available. See Automatic IAM database authentication.

In the Cloud Console, a database's Query page now supports multiple query tabs so you no longer have to clear one query to create and run another. Additionally, you can enter multiple query and DML statements in a single query tab. When you do so, the Results and Explanation subtabs let you choose which statement's results or query plan you want to view. See A tour of the query editor for details.

Added support for changing the leader region location of a Cloud Spanner database.

Added support for the JSON data type. For more information, see Working with JSON data.

GKE Autoscaling profiles are now generally available.

Traffic Director deployed with proxyless gRPC can now use the advanced traffic management features retry and session affinity.

You can now use a pre-built container to perform custom training with TensorFlow 2.6 and PyTorch 1.9.

Access Transparency supports Document AI in GA stage.

Release 1.8.3

Anthos clusters on bare metal 1.8.3 is now available. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.8.3 runs on Kubernetes 1.20.

Features:

• Preview: Anthos Identity Service now works with Anthos clusters on bare metal to support LDAP authentication methods in addition to OIDC. You can use AIS with Microsoft Active Directory without the need for provisioning Active Directory Federation Services. For more information, see Setting up Anthos Identity Service with LDAP.

• Preview: Anthos Metadata Agent replaces Stackdriver Metadata Collector and collects more accurate and usable metadata for Kubernetes resources. When you configure logging and monitoring, you need to enable the Config Monitoring for Ops API and grant the opsconfigmonitoring.resourceMetadata.writer IAM role to your logging-monitoring service account. If Anthos clusters on bare metal is installed behind a proxy, your proxy server must also allow connections to opsconfigmonitoring.googleapis.com.

• Added preflight checks to verify that specific APIs are enabled for your Google Cloud project. Preflight checks return an error if any of the following APIs aren't enabled for your project:

  • anthos.googleapis.com
  • anthosaudit.googleapis.com
  • anthosgke.googleapis.com
  • cloudresourcemanager.googleapis.com
  • gkeconnect.googleapis.com
  • gkehub.googleapis.com
  • iam.googleapis.com
  • opsconfigmonitoring.googleapis.com
  • logging.googleapis.com
  • monitoring.googleapis.com
  • stackdriver.googleapis.com

  To enable these APIs when you create a cluster configuration file, use the --enable-apis flag with the bmctl create config command. For an example that uses the --enable-apis flag, see Create an admin cluster config with bmctl.

• Added preflight checks for the following machine requirements:

  • Minimum supported Linux kernel version
  • Minimum required CPU
  • Minimum required RAM

The detailed usage cost data export to BigQuery is now generally available (GA).

The detailed export includes all of the data fields from the standard usage cost data export, along with additional fields that provide resource-level cost data. The resource-level cost data available in the detailed export is limited to Compute Engine resources, such as virtual machines or SSDs that generate service usage.

In your BigQuery dataset, the detailed usage cost data is exported to a table named gcp_billing_export_resource_v1_<BILLING_ACCOUNT_ID>.

The following are the newly available fields:

• resource (Struct) - The fields that describe the structure and value of information relevant to service resources (like a virtual machine or a SSD) that generate service usage.
• resource.global_name (String) - A globally unique service identifier for the resource that generated relevant usage.
• resource.name (String) - A service-specific identifier for the resource that generated relevant usage. This can be input generated by the user. Note, the first full day of data with this field is August 11, 2021.

The daily cost detail data export to BigQuery is now the standard usage cost data export.

To understand the differences between the standard and detailed usage cost data exports to BigQuery, see the documentation.

Cloud SQL for PostgreSQL now supports the following flags:

• huge_pages
• shared_buffers
• wal_buffers

For more information about these flags, see the Cloud SQL for PostgreSQL flags documentation.

Cloud Audit Logs and Platform Logs are now available directly in the Secret Manager UI. See the Secret Manager page to learn more.

Config Sync supports storing HTTPS/HTTP proxy credentials inside the git-creds Secret, using https_proxy or http_proxy as a key, to avoid exposing these credentials as plaintext.

Config Sync provides a way for users to override some system values:

• Use the spec.override.resources field of a RootSync or RepoSync object to override the resource limits for the reconciler container and the git-sync container.
• Use the spec.override.gitSyncDepth field of a RootSync or RepoSync object to override the number of git commits to fetch from the git repository.
• Set the spec.git.noSSLVerify field of a RootSync or RepoSync object to true to disable Git SSL certificate verification.

Anthos Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: 07e2fd0).

Cloud Functions has added support for a new runtime, Node 16, at the Preview release level.

Generally available: You can now collect core dumps for uses such as debugging of unresponsive VMs. For more information, see Collecting core dumps.

The asmcli script is now available in preview. With this script you can install and upgrade Anthos Service Mesh on GKE and On-premises. For more information, see About the asmcli.

Google-managed data plane is now available in preview as a part of managed Anthos Service Mesh. Google-managed data plane helps you upgrade data plane proxies automatically. For more information see Configure managed Anthos Service Mesh.

New resource types are now available.

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• Secret Manager
  • secretmanager.googleapis.com/Secret
  • secretmanager.googleapis.com/SecretVersion

Cloud Functions offers a native integration with Secret Manager, available at the Preview release level. For more information, see the blog post.

Deploying to Cloud Run from source code is now at General Availability (GA).

Identity Service for GKE (Preview) is available. Identity Service for GKE extends existing identity solutions for authentication into GKE clusters by supporting OpenID Connect (OIDC). For more information, see Authenticating with Identity Service for GKE.

You can now enable Google Virtual NIC in a new GKE cluster on GPU nodes. For more information, see Using Google Virtual NIC.

The following tools for creating embeddings to use with Vertex Matching Engine are available in Preview:

• the Two Tower built-in algorithm
• the Swivel pipeline template

BigQuery Admin Resource Charts are now generally available (GA) for reservation users, enabling administrators to more easily monitor and troubleshoot their BigQuery environment. They provide visibility into key metrics such as slot consumption, job concurrency, job execution time, job errors, and bytes processed across the entire organization.

BigQuery Slot Estimator is now in Preview for reservation users. This tool analyzes slot utilization data to help administrators estimate the right number of slots to purchase, and provides insights on how job performance might be impacted by adding or reducing slot capacity for the entire organization or specific reservations.

Proportional attribution for spend-based committed use discounts is now generally available (GA).

Proportional attribution applies the subscription fees from your committed use discounts to the projects in your Cloud Billing account, directly in proportion to the amount of eligible credit consumed by each project. Any subscription fees that are not attributed to a project are charged at the Cloud Billing account level.

Starting from August 2021, all spend-based commitments you purchase for any of your Cloud Billing accounts use proportional attribution by default. If you purchased spend-based commitments before then, you can request that they be converted from account to proportional attribution.

To understand proportional attribution for your spend-based commitments and how to enable it, see the documentation.

Google Cloud Armor now has rate-based throttling and ban rules that enable you to limit requests from clients. These rules help you protect your applications from a large volume of requests that flood your instances and block access for legitimate users.

Using Private Service Connect with consumer HTTP(S) service controls to access supported regional service endpoints is now available in Preview.

Cloud SQL now supports IAM Conditions.

You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources, including Cloud SQL instances. See Overview of IAM Conditions for more information.

Cloud SQL now supports IAM Conditions.

You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources, including Cloud SQL instances. See Overview of IAM Conditions for more information.

Cloud SQL now supports IAM Conditions.

You can use IAM Conditions to define and enforce conditional, attribute-based access control for Google Cloud resources, including Cloud SQL instances. See Overview of IAM Conditions for more information.