Anthos clusters on AWS (previous generation) aws-1.14.1-gke.0 is now available.
You can now launch clusters with the following Kubernetes versions:
This release fixes the following vulnerabilities:
Upgraded to containerd 1.6.12.
]]>A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. For more information, see the GCP-2022-2025 security bulletin.
]]>Anthos clusters on AWS (previous generation) aws-1.14.0-gke.2 is now available.
This release fixes the following vulnerabilities:
Kubernetes version 1.25 deprecates several APIs. See the Kubernetes Deprecated API Migration Guide for details.
You can now launch clusters with the following Kubernetes versions:
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.
For more information, see the GCP-2022-024 security bulletin.
]]>Anthos clusters on AWS (previous generation) aws-1.13.1-gke.1 is now available.
You can now launch clusters with the following Kubernetes versions:
This release fixes the following vulnerabilities:
]]>A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
For instructions and more details, see the Anthos clusters on AWS security bulletin.
]]>Anthos clusters on AWS (previous generation) aws-1.13.0-gke.5 is now available.
You can now launch clusters with the following Kubernetes versions:
This release fixes the following vulnerabilities:
If you use the deprecated ubuntuRepositoryMirror: 'packages.cloud.google.com' field in the AWSManagementService resource and are upgrading your node pool, you must upgrade only to the 1.22.15-gke.300 or 1.23.12-gke.300 versions included in this release. Upgrading to any other node pool version will cause your upgrade to hang. If your node pool is already hanging in the upgrading state, you need to delete and re-create the node pool. If you aren't using this field, this issue doesn't affect you and you can upgrade to any supported version.
Anthos clusters on AWS (previous generation) aws-1.12.2-gke.1 is now available.
You can now launch clusters with the following Kubernetes versions:
This release fixes the following vulnerabilities:
]]>Anthos clusters on AWS (previous generation) aws-1.12.1-gke.0 is now available.
You can now launch clusters with the following Kubernetes versions:
This release fixes the following vulnerabilities:
]]>A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.
For more information, see the GCP-2022-018 security bulletin.
Anthos clusters on AWS (previous generation) aws-1.12.0-gke.0 is now available.
This release note has been updated to mark the actual date of release, July 7, 2022. Previously, the release date was mentioned as June 24th.
You can now launch clusters with the following Kubernetes versions:
You can now launch Kubernetes 1.23 clusters.
Kubernetes 1.20 clusters are no longer supported. This version no longer supports creation or maintenance of Kubernetes 1.19 clusters.
This release fixes the following vulnerabilities:
Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. For more information, refer to the GCP-2022-016 security bulletin.
]]>Anthos Clusters on AWS aws-1.11.1-gke.7 (previous generation) is now available. Clusters in this release support the following Kubernetes versions:
This release fixes the following CVEs:
]]>Anthos Clusters on AWS aws-1.11.0-gke.6 (previous generation) is now available. Clusters in this release support the following Kubernetes versions:
This release removes unneeded permissions from the coredns-autoscaler, calico-typha, and konnectivity-agent-autoscaler components.
This release fixes the following CVEs:
The issue announced in the April 19th release note regarding the creation of 1.22 clusters has been resolved. You can now create 1.22 clusters.
]]>Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666 have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the GCP-2022-014 security bulletin.
]]>An issue has been discovered in Anthos clusters on AWS (previous generation). Do not launch Kubernetes 1.22 clusters at this time.
The Anthos clusters on AWS (previous generation) release 1.11.0-gke.1 has been removed. We are working on a fix.
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host.
For more information, see the GCP-2022-013 security bulletin.
]]>A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects Anthos Clusters on AWS (previous generation) running Kubernetes version v1.19, v1.20 or v1.21 on Ubuntu.
For more information, see the GCP-2022-012 security bulletin.
]]>Anthos Clusters on AWS aws-1.11.0-gke.1 (previous generation) is now available. Clusters in this release support the following Kubernetes versions:
To use an Application Load Balancer (ALBs) with version 1.22 clusters, you need to upgrade your ALB controller configuration.
This version adds support for Kubernetes 1.22 clusters.
Because Kubernetes 1.22 replaces some v1beta APIs with v1 APIs, your workloads might need to be updated to use 1.22. For more information, see Kubernetes 1.22 Deprecated APIs.
The workload identity webhook is not supported on cluster versions 1.22 and later. Before you upgrade your clusters to version 1.22, you should modify any workloads that depend on the webhook to configure their credentials without it.
This version no longer supports creation or maintenance of Kubernetes 1.18 clusters.
This release includes fixes for the following CVEs:
]]>Anthos Clusters on AWS aws-1.10.2-gke.0 (previous generation) is now available. Clusters in this release support the following Kubernetes versions:
This release includes fixes for the following CVEs:
]]>A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc, as governed by a policy.
Anthos clusters on AWS is unaffected.
For instructions and more details, see the GCP-2022-004 security bulletin.
]]>Anthos Clusters on AWS aws-1.10.1-gke.0 (previous generation) is now available. Clusters in this release support the following Kubernetes versions:
This release includes fixes for the following CVEs:
The release note from December 14 has been updated to clarify which service account no longer needs the ServiceUsageViewer role. The ServiceUsageViewer role is now required for the user that runs the anthos-gke command-line tool.
Anthos Clusters on AWS aws-1.10.0-gke.5 (previous generation) is now available.
Anthos clusters on AWS aws-1.10.0-gke.5 (previous generation) clusters run the following Kubernetes versions:
Kubernetes 1.18 is no longer supported. You can no longer launch Kubernetes 1.17 clusters. Your existing 1.17 clusters will continue to run.
This release supports creating instances in the c5a, c5ad, i3en, m5a, m5ad, r5a, r5ad, and t3a families.
This release fixes the following security issues:
This release fixes an earlier issue with 1.21 clusters that use both OIDC and an HTTP proxy.
To install Anthos Service Mesh, follow the steps in Connecting to your cluster before starting your Anthos Service Mesh installation.
Updated: The management service account no longer needs the ServiceUsageViewer role to install Anthos clusters on AWS. For more information, see Prerequisites.
]]>If your cluster uses both a proxy and OIDC authentication, do not upgrade to version 1.21.4 or 1.21.5. If you encounter an issue during an upgrade, contact support for assistance.
]]>Anthos Clusters on AWS aws-1.9.1-gke.0 is now available.
Anthos clusters on AWS aws-1.9.1-gke.0 clusters run the following Kubernetes versions:
Release aws-1.9.1-gke.0 fixes an issue in release 1.9.0 in which authorization with AWS IAM assumed roles failed.
Release aws-1.9.1-gke.0 of Anthos Clusters on AWS fixes the following security issues:
For more information, click on the CVE or search for details at https://nvd.nist.gov.
]]>A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allows retrieval of ingress-nginx service account tokens and secrets across all namespaces. For more information, see the GCP-2021-024 security bulletin.
The security community recently disclosed a new security vulnerability CVE-2021-30465 found in runc that has the potential to allow full access to a node filesystem.
For more information, see the GCP-2021-011 security bulletin.
]]>Anthos Clusters on AWS aws-1.9.0-gke.2 is now available.
Anthos clusters on AWS aws-1.9.0-gke.2 clusters run the following Kubernetes versions:
Anthos Identity Service is available on Kubernetes clusters version 1.21 and above.
Kubernetes 1.21 clusters now support the Kubernetes Konnectivity tool for communication between nodes and the control plane. When you launch a 1.21 cluster, you must allow connections between control plane nodes and node pool nodes on port 8132.
The VolumeSnapshot resource API version v1beta1 is deprecated in Kubernetes 1.21 clusters. Use API version v1 for 1.21 clusters and above. All previously persisted VolumeSnapshot objects remain functional.
A security vulnerability, CVE-2020-8561,
has been discovered in Kubernetes where certain webhooks can be made to
redirect kube-apiserver requests to private networks of that API
server.
For more information, see the GCP-2021-021 security bulletin.
You can now specify a Cloud Storage Bucket name where Anthos clusters on AWS stores configuration data.
You can now launch node pools with AWS R5 instances.
You can now launch Kubernetes 1.21 clusters.
You can now update the OIDC configuration on a running cluster.
You cannot create new 1.16 clusters. Existing 1.16 clusters continue to function.
Error messages when upgrading or downgrading your clusters have been clarified.
]]>A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. For more information, see the GCP-2021-018 security bulletin.
]]>Anthos clusters on AWS aws-1.8.2-gke.2 is now available.
Anthos clusters on AWS aws-1.8.2-gke.2 clusters run the following Kubernetes versions:
The supported versions also offer the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on AWS 1.8.
]]>Anthos clusters on AWS aws-1.8.1-gke.1 is now available.
Anthos clusters on AWS aws-1.8.1-gke.1 clusters run the following Kubernetes versions:
This release contains fixes for the following security vulnerabilities:
Anthos clusters on AWS now requires kubectl version 1.17 or higher and terraform version v0.14.3 or higher.