Google Distributed Cloud air-gapped 1.16.1 release notes

June 5, 2026


Announcement
Google Distributed Cloud (GDC) air-gapped 1.16.1 is available.
See the product overview to learn about the features of Distributed Cloud.

Feature
The following new features are available:

Cluster management

  • Added support for A-series H200 and B300 machines for Kubernetes cluster nodes. For more information, see Cluster node machine types.

Infrastructure

  • Added support for B300 bare metal machines in an organization.

Managed Harbor Services

  • Added support for project Service Accounts. This lets you use your service account identity to securely interact with your Harbor instances and manage container repositories. For more information, see Managed Harbor Service overview.

Networking

  • Cloud DNS is now generally available. This service provides a reliable, scalable way to manage Domain Name Service records, using a Kubernetes API or the command line. For more information, see About Cloud DNS.

  • DNS now supports TLS-based encryption of all DNS traffic for system and first-party services, both internally within Distributed Cloud and between Distributed Cloud and customer networks.

Observability

  • Added observability tracking for workloads. This feature provides monitoring and logging capabilities designed to streamline the tracking and troubleshooting of workloads. For more information, see Observability tracking for workloads.

Storage

  • Added support for auto-synchronous dual-zone buckets. During normal operations, the ingest policy synchronously writes object copies to both designated zones, with fallback to asynchronous replication during outages.

  • Added support for supplying checksums in trailing HTTP headers in object uploads. This improves data integrity and error detection. For more information, see Upload and download storage objects.

  • Added an enhancement that ensures object storage credentials are automatically deleted when their associated Service Account is removed. This prevents orphaned secrets in a project namespace. For more information, see Delete storage buckets.

  • Added support for a windowed uptime SLO for zonal S3 availability. This change ensures that health metrics are not skewed by multiple retries from single high-volume projects, providing a more accurate reflection of the actual user experience across an organization.

Virtual machines

  • Added A-series A4 B300 machines to the list of supported VM machine types. For more information, see View VM machine type.

  • Added Windows 2022 image support for bring-your-own (BYO) custom images. For more information, see GDC-supported VM images.

  • Added Secure Boot certificate renewal support for VMs with expiring certificates. For more information, see Update Secure Boot certificates.


Security
Updated the Rocky OS image version to 20260318 to apply the latest security patches and important updates.

The following security vulnerabilities are fixed:


Issue
The following issues are identified:

Cluster management

  • Kubernetes cluster is not removed after deletion.

Endpoint detection and response

  • The Isolate Host option is visible but not effective in the Kibana UI.

GDC console

  • Documentation hosted in the GDC console shows a 404 error.

Identity and access management

  • A CustomRole resource that includes a zonalRules section might not grant permissions reliably.

Infrastructure as Code (IAC)

  • Upgrades from GDC version 1.15 to 1.16 with IAC might fail.

Inventory

  • During inventory validation, a warning is shown when a cable has FS as a transceiver vendor.

Key management system

  • KMS configured to use a CTM root key does not fail over when an HSM is unavailable.

Resource Manager

  • The Resource Manager project controller might enter a crash loop state due to out-of-memory errors.

Servers

  • The server bootstrap fails with an iDRAC error.

  • Server provisioning fails with a BMCConfigPreinstallLicenseInstallCompleted status condition error for Dell servers.

  • A BareMetalHostNetwork custom resource might contain multiple management gateway routes.

Storage

  • When performing list object requests on buckets containing multi-part uploads, the requests might fail and the obj-s3-availability metric might drop.

  • Object storage audit log forwarding might fail during a sequential upgrade due to missing Bucket custom resources.

  • StorageGRID upgrades might get stuck with a no upgrade uploaded error.

Virtual machines

  • A-series a4-ultragpu-8g VMs that use a guest OS with a 4.x kernel might take over 25 minutes to start.

Vulnerability management

  • Vulnerability scans using Tenable Enclave might not complete.

Fixed
The following issues are fixed:

Firewall

  • Legacy firewall rules might block organization to root admin traffic after upgrade.

Identity and access management

  • An OPA Gatekeeper trust issue after a root CA rotation prevents IAM role creation in new projects.

Storage

  • Frequent OBJ-A0003 alerts persist despite standard silencing efforts.

  • After StorageGRID primary admin node downtime, object storage upgrade attempts performed using an ObjectStorageUpgradeRequest CR might fail due to requests being directed to the non-primary StorageGRID admin node.


Change
The following changes are identified:

Version updates:


Deprecated
The following features are deprecated:

Database services

  • The Database Service is deprecating its legacy high availability (HA) implementation in versions 1.14.12 and earlier. Legacy HA database clusters will be supported until the sunset date, which is to be announced. There is no user-facing change in the new HA feature, as the API for enabling and disabling HA remains the same. To verify whether your HA database cluster is using the new implementation, check whether the annotation dbcluster.dbadmin.goog/raasEnabled exists on your HA database cluster CR. This annotation appears only on HA database clusters using the new implementation. If you don't have this annotation, you can migrate to the latest HA implementation.