August 26, 2024
Google Distributed Cloud (GDC) air-gapped 1.12.4 is available.
See the product overview to learn about the features of Distributed Cloud.
Updated the Canonical Ubuntu OS image version to 20240621 to apply the latest security patches and important updates. To take advantage of the bug and security vulnerability fixes, you must upgrade all nodes with each release. The following security vulnerabilities are fixed:
- CVE-2015-1197
- CVE-2016-9840
- CVE-2016-9841
- CVE-2018-25032
- CVE-2020-26570
- CVE-2020-26571
- CVE-2020-26572
- CVE-2021-47063
- CVE-2021-47070
- CVE-2022-28948
- CVE-2022-37434
- CVE-2022-48622
- CVE-2023-0340
- CVE-2023-2861
- CVE-2023-3164
- CVE-2023-1523
- CVE-2023-4408
- CVE-2023-4421
- CVE-2023-4641
- CVE-2023-5517
- CVE-2023-5388
- CVE-2023-6135
- CVE-2023-6228
- CVE-2023-6277
- CVE-2023-6516
- CVE-2023-6915
- CVE-2023-7207
- CVE-2023-22655
- CVE-2023-22995
- CVE-2023-23000
- CVE-2023-23004
- CVE-2023-24023
- CVE-2023-28746
- CVE-2023-38575
- CVE-2023-39368
- CVE-2023-43490
- CVE-2023-45733
- CVE-2023-45745
- CVE-2023-46103
- CVE-2023-46838
- CVE-2023-47233
- CVE-2023-47855
- CVE-2023-48733
- CVE-2023-50387
- CVE-2023-50782
- CVE-2023-50868
- CVE-2023-51779
- CVE-2023-51781
- CVE-2023-51782
- CVE-2023-52356
- CVE-2023-52530
- CVE-2023-52600
- CVE-2023-52603
- CVE-2024-0565
- CVE-2024-0607
- CVE-2024-0646
- CVE-2024-1086
- CVE-2024-1441
- CVE-2024-2398
- CVE-2024-2494
- CVE-2024-2496
- CVE-2024-2961
- CVE-2024-3094
- CVE-2024-3651
- CVE-2024-4453
- CVE-2024-5197
- CVE-2024-22667
- CVE-2024-23851
- CVE-2024-24806
- CVE-2024-24855
- CVE-2024-26581
- CVE-2024-26589
- CVE-2024-26614
- CVE-2024-26622
- CVE-2024-26712
- CVE-2024-26733
- CVE-2024-28085
- CVE-2024-28182
- CVE-2024-28834
- CVE-2024-33599
- CVE-2024-33600
- CVE-2024-33601
- CVE-2024-33602
- CVE-2024-34064
- CVE-2024-34397
- CVE-2024-37535
The following container image security vulnerabilities are fixed:
Fixed vulnerabilities in the GDC console where strict transport security was not enforced.
Fixed a vulnerability with Microsoft Visual Studio Code in Operations Suite Infrastructure (OI) by updating Microsoft Visual Studio Code to version 1.88.1.
Backup and restore:
- Persistent volumes that are backed up cannot be deleted.
Billing:
- The bil-storage-system-cluster subcomponent fails to reconcile due to stale jobs.
Block storage:
- Grafana pods stuck in Init state due to volume mount errors.
DNS:
- Org creation fails because DNS traffic to the root admin node ages out.
Istio:
- The istio-eastwestgateway deployment in the istio-system namespace is stuck.
Logging:
- The write-ahead log (WAL) can fill the persistent volume (PV) if a Loki pod cannot connect to the storage bucket for hours.
Networking:
- A PodCIDR is not assigned to nodes even though a ClusterCIDRConfig is created.
- The machine-init job fails during upgrade.
Object storage:
- The creation of a new org gets stuck on the VMImageDistributing state.
- Some object storage upgrade warnings can be ignored.
Operations Suite Infrastructure (OI):
- The Fluent Bit installer path is incorrect.
- The Nessus installer path is incorrect.
Performance:
- The perf-ptaas subcomponent fails to reconcile due to failure to transfer ownership.
Physical servers:
- The server bootstrap fails.
- The server's iLO can't connect to key manager.
Upgrade:
- The management IP of a server is unreachable during upgrade.
- A provisioned server might fail to boot and get stuck at retrieving encryption keys.
- There is an issue with ongoing reconciliation in a subcomponent.
- When upgrading from 1.12.2 to 1.12.4, the file-netapp-trident subcomponent is stuck on the deletion of StorageClasses.
- An ansibleplaybook is not upgraded as part of the cluster upgrade.
- The IAM preflight check fails.
- The version number for storagecluster is not displayed during upgrade.
- OrganizationUpgrade status is Unknown after an upgrade is completed.
- The opa gatekeeper subcomponent upgrade fails.
- Jobs are scheduled continuously.
- The file-netapp-trident subcomponent upgrade has a Reconciliation ongoing status.
- The system cluster worker node upgrade fails to generate the delta between manifest and snapshot.
- kubelet fails to remove cgroup for pods with spamming logs.
- A healthy upstream for the ticketing system is not available.
For more information, see Known issues.
Vertex AI:
- The MonitoringTarget shows a Not Ready status when user clusters are being created, causing pre-trained APIs to continually show an Enabling state in the user interface.
Backup and restore:
- Fixed an issue where alerts for a backup repository may fire even when the repository is healthy.
Block storage:
- Fixed an issue where HSM certificates in the StorageClusterReconciler are not parsed correctly.
- Fixed an issue where performance storage classes don't have LUKS encryption enabled.
Cluster management:
- Fixed an issue where user clusters with Kubernetes version 1.27.x might have node pools that fail to initialize.
Hardware security module:
- Fixed an issue where a rotatable secret for hardware security modules is in an unknown state.
Identity and access management:
- Fixed an issue where running the elevated access script added a duplicate entry in the kustomization.yaml file.
Monitoring:
- Fixed an issue where the mon-common subcomponent doesn't deploy the Istio Telemetry object on the mon-system namespace.
- Fixed an issue where the metrics storage class is incorrectly defined in the configuration.
- Fixed an issue where the Prober ConfigMap gets reset to include no probe jobs.
NTP server:
- Fixed an issue with the NTP server having unsynchronized time.
Physical servers:
- Fixed an issue where the server bootstrap fails due to a nil pointer dereference.
Resource Manager:
- Fixed an issue where ProjectRoleBinding custom resources were propagating to Kubernetes clusters that weren't ready.
Ticketing system:
- Fixed an issue where the ticketing system has no healthy upstream.
Upgrade:
- Fixed an issue where the OS upgrade could prematurely fail due to a short reboot policy period.
- Fixed an issue where the HSMupgrade fails during upgrade.
- Fixed an issue where the file-observability subcomponent fails on the org-1-system-cluster during upgrade.
Virtual machine management:
- Fixed an issue where the VirtualMachineDisk custom resource showed the Failed state after provisioning the underlying storage successfully.
- Fixed an issue where cluster provisioning in VM disks took a lengthy time to complete.
- Fixed an issue where a VMRuntime might not be ready due to a network-controller-manager installation failure.
Add-on Manager:
- The Google Distributed Cloud version is updated to 1.28.500-gke.120 to apply the latest security patches and important updates. See the Google Distributed Cloud 1.28.500-gke.120 release notes for details.