Google Distributed Cloud air-gapped 1.14.3 hotfixes

Hotfix 22


The 1.14.3-gdch.9425-22 hotfix is available.

This hotfix fixes the following issues:

Identity and access management:

  • Login config request times can take minutes to complete.
  • Application operators can't grant themselves access to roles in the infra cluster.
  • Existing service account tokens become invalid.
  • The namespace-admin project role is missing in a project.

Managed Kubernetes Service:

  • There is a timeout waiting for a shared service cluster to become ready.

Monitoring:

  • Project deletion is stuck due to dashboard and data source pending finalizers.
  • Recurring usage fails to emit metrics.
  • Metrics from KSM are not visible to PAs.
  • Prometheus pods are scheduled on control plane nodes, leading to resource exhaustion and instability.
  • KUB dashboards show incorrect data values.

Hotfix 21


The 1.14.3-gdch.9425-21 hotfix is available.

This hotfix fixes the following issues:

CLI:

  • The gdcloud compute images import command fails with QCOW images due to a file command version mismatch.
  • The gdcloud resource-support get-report command produces a "failed to get support information from cluster" error.
  • The gdcloud auth activate-service-account command resets the gdcloud config.
  • Added gdcloud get-credentials support for vanilla clusters.
  • Role bindings created with gdcloud bind to the platform namespace by default.
  • The gdcloud resource-support get-report command fails with an error indicating a missing schema.
  • Added SKUs to support more country-specific pricing.
  • The gdcloud CLI doesn't use the correct zone when listing clusters, so the result of gdcloud clusters list shows one zone.

Hotfix 20


The 1.14.3-gdch.9425-20 hotfix is available.

This hotfix fixes the following issues:

Console:

  • Role bindings created for service accounts are not configured correctly.
  • Project IAM Admins can't assign roles from the UI.
  • When creating a custom role, the source role of a permission changes when you view it.
  • The Roles Overview and Role Details pages show an error about not having permissions.
  • The Access page is blocked even though users have some of the required permissions.

Virtual machines:

  • The vmm-vm-controller subcomponent fails reconciliation due to a large config file exceeding the size limit (1MB).

Hotfix 19


The 1.14.3-gdch.9425-19 hotfix is available.

This hotfix fixes the following issues:

Backup and restore:

  • When deleting a snapshot in a user cluster, the corresponding snapshot in the infra cluster is not deleted.
  • The backup subcomponent deployment uses a variable that prepends characters to the cluster name when creating a Kubernetes label, which can sometimes violate the Kubernetes 63-character limit.

Billing:

  • Added durable pricing SKUs.
  • The prebuy calculator is not working.
  • Recurring usage metrics are not emitted.
  • Partner billing is not enabled.
  • The prebuy calculator cannot access a community network.

Identity and access management:

  • Service account creation fails due to a project in a deleting state causing role template reconciliation failures.
  • Added P4SA support for vanilla clusters.
  • Creating a service identity from the GDC console fails.

Hotfix 18


The 1.14.3-gdch.9425-18 hotfix is available.

This hotfix fixes the following issues:

Object storage:

  • Added support for S3 GetBucketVersioning.
  • Cannot upload to sync dual-zone buckets using signed URLs.
  • DeleteObject returns 500 for non-current versioned deletes.
  • With dual zone buckets, S3 secrets are not generated after binding the project-bucket-object-admin role to a service account.

Hotfix 17


The 1.14.3-gdch.9425-17 hotfix is available.

This hotfix fixes the following issues:

File storage:

  • The Trident CSI driver deletes NetApp ONTAP volumes when they are offline, potentially leading to data loss.
  • Multi-attach errors occur for volumes after cold reboot or node de-provision scenarios.
  • The project-fileshare-admin role is missing patch and update access.
  • Snapshots are not deleted in infra clusters when deleted in a user cluster.

Managed Kubernetes Service:

  • Revert moving vanilla cluster VMs to user projects.

Networking:

  • Invalid error code affects project network policies.
  • A large CT eBPF map leads to create endpoint and delete endpoint failures.
  • Leaked services might cause service IP duplication.

Hotfix 16


The 1.14.3-gdch.9425-16 hotfix is available.

This hotfix fixes the following issues:

Identity and access management:

  • There are forbidden errors when accessing vanilla Kubernetes clusters using kubeconfig from gdcloud.

Endpoint detection response:

  • The endpoint detection response subcomponent gets stuck in a reconciliation error state.

Managed Kubernetes Service:

  • Cluster validation should use the cluster's pod density when validating nodes.

Networking:

  • The subnet predefined roles are missing verbs.

Platform authentication:

  • CSRs for intermediary CAs are missing the basic constraint for CA.
  • Added support for reusing a system domain in managed public DNS.

Ticketing system:

  • An alert is not fired when the ticketing system is unavailable.

Hotfix 15


The 1.14.3-gdch.9425-15 hotfix is available.

This hotfix fixes the following issues:

Console:

  • There is an error when creating a role binding with a non-existent role.
  • You can't add multiple role bindings to a service account in the Console.

Identity and access management:

  • Added gdcloud get-credentials support for vanilla clusters.
  • Custom roles should generate templates with the same name for global and zonal APIs.
  • Exposed CertificateAuthority data on the well-known server.
  • The identity and access management page is broken.
  • There is an error when creating a role binding to a custom role.
  • You can't attach user roles in the Console.

Managed Kubernetes Service:

  • Move the vanilla cluster VMs to a user project.
  • There are missing machine types for n3 type.

Hotfix 14


The 1.14.3-gdch.9425-14 hotfix is available.

This hotfix fixes the following issues:

Console:

  • The identity and access management page is broken.

Multizone:

  • A pod in a vanilla cluster in zone1 cannot access the Management API server in zone2.

Hotfix 13


The 1.14.3-gdch.9425-13 and 1.14.3-gdch.8490-13 hotfixes are available.

This hotfix fixes the following issues:

Console:

  • Custom role creation does not work.
  • Custom role creation from project scope shouldn't show the Limit to selected projects checkbox.

DNS:

  • A pod in a vanilla cluster in zone1 cannot access the Management API server in zone2.

Monitoring:

  • A pod in a vanilla cluster in zone1 cannot access the Management API server in zone2.

Networking:

  • Controllers are stuck for hours in the unet-cm-backend-controller pod.
  • Multiple clustermesh API servers reached their defined CPU limits.
  • Data exfiltration protection (DEP) cannot be enabled on a global project that has DEP disabled.

Object storage:

  • GetBucketVersioning for S3 is not supported.
  • There is an error while initiating cp between different folders in a bucket.

Platform authentication:

  • Cert Manager fails to issue certificates.

SIEM:

  • You can't connect to a Splunk host from a user cluster.

Hotfix 12


The 1.14.3-gdch.9425-12 and 1.14.3-gdch.8490-12 hotfixes are available.

This hotfix fixes the following issues:

Console:

  • The global DNS is not resolving from a GDC VM.

Networking:

  • Updated allow-all-ingress and allow-all-egress PNP Translation.
  • Allow egress traffic from user workloads to system workloads automatically.
  • The global DNS server is not reachable.

Object storage:

  • Downloading from an S3 bucket fails.

Hotfix 11


The 1.14.3-gdch.9425-11 hotfix is available.

This hotfix fixes the following issues:

Endpoint detection response:

  • Nessus manager has duplicate agents and managers.
  • There are gaps in EDR coverage on the perimeter, user, and service clusters.

Identity and access management:

  • The service identity server fails to authenticate using zonal service account keys.

Service mesh:

  • The dataplane-ingress-gateway pods are missing the networking.private.gdc.goog/infra-access: enabled label.

Virtual machines:

  • There is a backwards compatibility issue for subnets.