Google Distributed Cloud air-gapped 1.12.2 release notes
April 5, 2024
Google Distributed Cloud (GDC) air-gapped 1.12.2 is available. See the product overview to learn about the
features of Distributed Cloud.
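Updated Rocky Linux OS image version to 20240306 to apply the latest security
patches and important updates. The following security vulnerabilities are fixed:
CVE-2023-28486
CVE-2023-28487
CVE-2023-42465
The following container image security vulnerabilities are fixed:
CVE-2018-1099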
Fixed a vulnerability with Microsoft Visual Studio Code in Operations Suite Infrastructure (OI)
by updating Microsoft Visual Studio Code to version 1.86.2.
Fixed multiple vulnerabilities with Google Chrome in Operations Suite Infrastructure (OI)
by updating to version 122.0.6261.69.
Fixed the vulnerabilities related to the prebuilt Ubuntu OS.
Updated the gcr.io/distroless/libc base image to digest sha256:4f834e207f2721977094aeec4c9daee7032c5daec2083c0be97760f4306e4f88 to apply the latest security patches and important updates.
Cluster management:
User clusters with Kubernetes version 1.27.x might have node pools that fail to initialize.
The required IPv4 PodCIDR is not available.
File and block storage:
When upgrading from 1.11.1 to 1.12.2, the file-netapp-trident subcomponent rollout might fail.
Firewall:
bm-system-machine-init is failing on the first node. Default IDPS firewall policies don't support the organization custom IPs for the Direct Connect (DX) Interconnect.
Hardware security module (HSM):
A rotatable secret for hardware security modules is in an unknown state.
Lower networking:
Network switches preloaded with version lower than 9.3.10 may fail to bootstrap.
Some connections to the org-admin node time out.
Networking:
GDC fails to create switch ACLs from traffic policies
during the initial bootstrapping process.
NTP server:
The Node OS has unsynchronized time.
Object storage:
Object storage buckets might not be ready after root org upgrade.
Monitoring:
Configuring the ServiceNow webhook results in Lifecycle Management (LCM) re-reconciling and reverting the changes made to the ConfigMap object mon-alertmanager-servicenow-webhook-backend and the Secret object mon-alertmanager-servicenow-webhook-backend in the mon-system namespace.
The mon-common subcomponent doesn't deploy the Istio Telemetry object on the mon-system namespace.
The metrics storage class is incorrectly defined in the configuration.
The mon-prober-backend-prometheus-config ConfigMap gets reset to include no probe jobs, and alert MON-A0001 is triggered.
Physical servers:
A NodePool has a server in unknown state during creation.
The node firmware upgrade fails on an org.
System artifact registry:
The job service pod is not ready.
Ticketing system:
The ticketing system knowledge base sync fails.
The ticketing system has no healthy upstream.
Vertex AI:
The MonitoringTarget shows a Not Ready status when user clusters are being created, causing pre-trained APIs to continually show an Enabling state in the user interface.
Virtual machines:
The importer pods are failing or stuck.
Virtual machine disks might take a long time to provision.
VMRuntime might not be ready due to network-controller-manager installation failure.
Upgrade:
The unet-nodenetworkpolicy-infra subcomponent fails during upgrade.
System cluster fails during upgrade from 1.11.x to 1.12.2.
The file-observability subcomponent fails on
the org-1-system-cluster when upgrading from 1.11.x to 1.12.2.
The HSMupgrade fails when upgrading from 1.11.x to 1.12.2.
Loki pods are stuck in a terminating state for more than 1.5 hours when upgrading from 1.11.x to 1.12.2.
SSH for a VM with management IP and the cilium logs fails when upgrading from 1.11.x to 1.12.2.
The object storage upgrade shows an error during the postflight or preflight check.
The mz-etcd subcomponent updates spec.deployTarget and spec.Namespace, causing the upgrade from 1.11.x to 1.12.x to fail.
An NTP OSPolicy failure blocks all other OSPolicies from running.
Cluster management:
Fixed the issue with the namespace deletion operation getting stuck in the Terminating state when deleting a user cluster.
Logging:
Fixed the issue with Loki instances not collecting audit logs and
operational logs.
Fixed the issue with ValidatingWebhookConfiguration, MutatingWebhookConfiguration, and MonitoringRule resources deployed by the Log component failing to upgrade from 1.11.x to 1.12.x.
Fixed the issue with Kubernetes API server logs not being forwarded to an external SIEM destination when enabling logs export.
Monitoring:
Fixed the issue with the Cortex bucket deletion failure when upgrading from
1.11.x to 1.12.2.
NTP server:
Fixed an issue with the NTP relay server pod crash looping.
Physical servers:
Fixed the issue where servers were stuck in the Inspecting phase during bootstrap.
Upgrade:
Fixed the issue when OS in-place node upgrade might stop responding.
Fixed the issue with user cluster upgrades being blocked due to a reconciling error.
Volume backup and restore:
Fixed the issue that prevented volume backups from resolving org buckets.
Add-on Manager:
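The Google Distributed Cloud version is updated to 1.28.300-gke.131 to apply the latest security patches and important updates. See the Google Distributed Cloud 1.28.300-gke.131 release notes (https://cloud.google.com/anthos/clusters/docs/bare-metal/latest/release-notes-ver-1#release_128300-gke131) for details.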
Last updated 2025-09-04 UTC.