Google Distributed Cloud air-gapped 1.15.1 release notes

December 5, 2025

---

---

Cluster management:

• Added the new standard cluster configuration. Standard clusters are scoped to a single project, which gives application developers that are confined within a project direct control over how it functions. For more information, see Kubernetes cluster configurations.

gdcloud CLI:

• Added support for running the gdcloud CLI from macOS and Windows operating systems. For more information, see Available gdcloud CLI bundles.

• Added a lite version of the gdcloud CLI bundle for Linux, which provides a smaller binary with a subset of gdcloud CLI commands. For more information, see Available gdcloud CLI bundles.

Networking

• A new egress NAT functionality, Cloud NAT, has been added, which provides many more options for configuring how workloads reach outside the organization. For more information, see Cloud NAT. The previously available nat mechanism, known as project default egress NAT, has been deprecated; users are encouraged to migrate to Cloud NAT.

  In the 1.15.1 release, the Cloud NAT role cloud-nat-manager has been deprecated; use cloud-nat-developer instead.

• Added subnet groups to simplify IP address allocation. This new mechanism enables you to manage subnets of the same entity or same purpose as a group, simplifying the allocation of IP addresses from large sets of managed subnets. For more information, see Subnet groups.

• Interconnect subscription SKUs are available as a public Preview. This feature lets organizations reserve physical capacity on interconnects and associate the reservation to a billing project. The reservation is honor-based only at this time, and is not strictly enforced by the system. For more information about interconnects, see Establish connectivity with interconnects.

• Health checks using HTTP/HTTPS protocols are now available. A health check dictates whether an endpoint is eligible to receive new requests or connections. An unhealthy endpoint, as identified by the health check, won't receive traffic through the load balancer. For more information, see Configure health checks.

• Added support for monitoring of IP resource statistics as a Preview feature. Infrastructure Operators (IO) and Platform Administrators (PA) can view total, allocated, available, and percentage metrics for subnets from root to leaf level as well as for subnet groups. See Query and view metrics for guidance on how to access dashboards.

Platform authentication:

• Certificate Authority Service (CAS) supports predefined certificate templates, offering ready-made templates to issue certificates for common use cases.
• CAS supports certificate revocation by publishing Certificate Revocation Lists (CRLs) that client applications can check.

Resource Manager:

• Added project tags as a Preview feature. Tags let you organize projects based on business attributes. For more information, see Tags overview.

System:

• Published system limits that apply to GDC components. System limits are fixed values that cannot be changed. For more information, see System limits.

Virtual machines:

• Added NVIDIA GPU support for VM instances, which lets you run various GPU-accelerated workloads, for example, artificial intelligence (AI). For more information, see Create and start a VM instance with NVIDIA GPUs.
• Added H200 GPU support with the a3-ultragpu virtual machine family.
• Added configure Tier 1 networking for VMs. VMs with Tier 1 networking configurations are useful for large, distributed compute workloads with heavy internode communications, such as high performance computing (HPC), machine learning (ML), and deep learning (DL).
• Added the ability to create high-performance VMs.
• Added VM availability checks that offer insight into VM status.

• Added the ability to manage package repositories.

---

The following security vulnerabilities are fixed:

• CVE-2021-47013
• CVE-2021-47670
• CVE-2022-1048
• CVE-2022-1679
• CVE-2022-2938
• CVE-2022-3239
• CVE-2022-3545
• CVE-2022-3625
• CVE-2022-4139
• CVE-2022-4378
• CVE-2022-20141
• CVE-2022-20368
• CVE-2022-28390
• CVE-2022-29581
• CVE-2022-39189
• CVE-2022-41674
• CVE-2022-41858
• CVE-2022-45886
• CVE-2022-45919
• CVE-2022-48637
• CVE-2022-48839
• CVE-2022-48919
• CVE-2022-49011
• CVE-2022-49058
• CVE-2022-49111
• CVE-2022-49136
• CVE-2022-49291
• CVE-2022-49788
• CVE-2022-49977
• CVE-2022-49985
• CVE-2022-50020
• CVE-2022-50022
• CVE-2023-0266
• CVE-2023-0386
• CVE-2023-1281
• CVE-2023-1829
• CVE-2023-1838
• CVE-2023-2124
• CVE-2023-2163
• CVE-2023-2235
• CVE-2023-2513
• CVE-2023-3090
• CVE-2023-3390
• CVE-2023-3567
• CVE-2023-3609
• CVE-2023-3611
• CVE-2023-3776
• CVE-2023-3812
• CVE-2023-4004
• CVE-2023-4128
• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-5178
• CVE-2023-6040
• CVE-2023-6546
• CVE-2023-6817
• CVE-2023-6931
• CVE-2023-6932
• CVE-2023-28466
• CVE-2023-31436
• CVE-2023-32233
• CVE-2023-35001
• CVE-2023-35788
• CVE-2023-40283
• CVE-2023-42753
• CVE-2023-44466
• CVE-2023-45871
• CVE-2023-51042
• CVE-2023-51779
• CVE-2023-52439
• CVE-2024-1086
• CVE-2024-25742
• CVE-2024-26665
• CVE-2024-26669
• CVE-2024-36883
• CVE-2024-36960
• CVE-2024-38581
• CVE-2024-41013
• CVE-2024-42094
• CVE-2024-42284
• CVE-2024-43842
• CVE-2024-44970
• CVE-2024-46858
• CVE-2024-50301
• CVE-2025-22004
• CVE-2025-23150
• CVE-2025-37738
• CVE-2025-37890
• CVE-2025-38001
• CVE-2025-38079
• CVE-2025-38086
• CVE-2025-38352
• CVE-2025-38380

---

Anthos Service Mesh

• ASM mesh installation is blocked due to unhealthy node preventing CNI installation.

Backup and restore

• Backup and restore operations fail due to the back-lancer-agent-user-cp subcomponent being in ReconciliationError status after an upgrade.

• Restores involving volumes may take longer to complete due to slow data transfer rates.

• The restore process for a resource, such as a database clone or user workload restore, gets stuck and eventually times out due to a pending persistent volume claim.

• Users cannot create VM backup plans or perform end-to-end backup and restore tasks with the GDC console.

• The restore operation fails for cluster backups.

Block storage

• User pod freezes during volume unmount request.

• A Volume already exists error during CloneVolume is not addressed by the Trident API.

• Volumes fail to attach due to the presence of inactive LUNs.

• A FailedMount error occurs during upgrades due to the inability to find the csi.trident.netapp.io driver.

• File/block storage sessions aren't recovering automatically after events such as a storage upgrade or storage controller outage.

• ONTAP cluster upgrade never finishes due to giveback not being completed.

Cluster management

• Cluster gets stuck in a deleting state.

Database service

• The gdcloud stop database command takes a long time to complete.

• If a PostgreSQL or AlloyDB Omni database cluster is stopped while high availability (HA) is enabled, it might not restart successfully.

Deployments

The offline documentation bundled with the GDC air-gapped 1.15.1 GA release files needs updates. If you are following the offline documentation to deploy the release, you must download and update the latest 1.15.1 documentation for your environment separately and follow the updated documents to ensure a successful deployment. This step is not necessary if you have already updated the documentation.

Firewall

• After an AttachmentGroup is deployed, if the identifier field in that AttachmentGroup object is the same as orgName, the firewall fails to parse this object and the firewall config update gets stuck.

Harbor:

• The database password rotation is stuck.

Hardware security module:

• Deactivated trial licenses are still detectable in CipherTrust Manager, triggering false expiration warnings.

• A file descriptor leak causes a ServicesNotStarted error.

Infrastructure as Code

• Attempts to sign in to GitLab using Firefox fail with an error 422.

Monitoring

• If new KubeStateMetric Custom Resources are created, their metrics might not show up.

• Cortex compaction failures can be caused by corrupted blocks, leading to various problems, including errors in Grafana metric queries, gaps in recording rules, and error logs appearing in Cortex pods.

• Pods stuck in Pending state due to volume node affinity conflict.

• "Too many outstanding requests" error message is shown when viewing dashboards in grafana.

OS:

• OS policy resources can be slow to reconcile when there are a large number of servers provisioned.

• During a gdcloud storage cp or a gdcloud system container-registry load-oci operation from an OIC workstation, there is a slight chance that access to org-infra is lost followed by org-mgmt's kube-api going down.

• A PLATAUTH alert might trigger due to a OS rotatable secret rotation failure.

Upgrades:

When upgrading from 1.14.7 or earlier release to 1.15.x, for best results, we recommend the following steps:

• Upgrade to version 1.14.7.
• Apply hotfix2.
• Proceed with the upgrade to 1.15.1.

The offline documentation bundled with the GDC air-gapped 1.15.1 GA release files needs updates. If you are following the offline documentation for the upgrade, you must download and update the latest 1.15.1 documentation for your environment separately and follow the updated documents to ensure a successful upgrade. This step is not necessary if you have already updated the documentation.

Vertex AI:

• Disabling the Translation API might fail with the following error: Failed to disable translation API: VAI3002: Failed to patch subresource: failed to patch ODSPostgresDBCluster resource.

• Unable to establish connection with the Jupyter server.

---

Anthos Service Mesh:

• Misleading alerts with critical and error severity might fire in large meshes as controlplane_latency_slo does not take mesh size into account.

Backup and restore:

• The backup control plane pod crashes due to insufficient memory.

Storage:

• The HA group name is too long.

---

Version updates:

• The Google Distributed Cloud for bare metal version is updated to 1.30.1000-gke.85 to apply the latest security patches and important updates.
  
  For more information, see the Google Distributed Cloud for bare metal 1.30.1000 release notes .