Welcome to issue #352 June 26th, 2023


Google Cloud Platform Official Blog

Google Cloud is officially a FinOps Certified Service Provider - Google Cloud is presenting at the FinOps X Conference in San Diego from June 27-30, 2023 in our capacity as a FinOps Certified Service Provider.

Monitoring Official Blog Prometheus

Trace exemplars now available in Managed Service for Prometheus - Connect your metrics to your traces with exemplars to quickly troubleshoot and resolve latency issues.

Assured workloads Official Blog

What’s new in Assured Workloads: Region expansion, TLS version restrictions, new supported services - New features and services come to Assured Workloads, which can help organizations achieve and maintain compliance around the world without refactoring.

Cloud Marketplace Official Blog

Marketplace Exchange: Partnership perks with Google Cloud - Learn how to position your partner solution on Google Cloud Marketplace.


Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

GKE Autopilot Google Kubernetes Engine Kubernetes

Are Kubernetes days numbered? - …and if so — what is the future for containers?

Cloud Asset Inventory Infrastructure

Evaluating your existing GCP resources - How to build a service to validate existing GCP resources from a CAI export.

Google Kubernetes Engine Istio Kubernetes

Fight The Hidden Cost of Regional Kubernetes Clusters — Cross Zonal Egress — Part 2 - Using Istio for advanced traffic management to ensure that traffic doesn't cross zonal boundaries.

Google Kubernetes Engine Istio Kubernetes

Centrally manage the scope of Istio resources in a multi-tenant Kubernetes cluster

Google Kubernetes Engine Kubernetes

Cert-manager for GKE Multi Cluster Ingress - This blog post will show you how to set up Multi cluster ingress in GKE and integrate cert-manager to automate the certificate management process.

Infrastructure Terraform

IaC CI/CD integration for Terraform Vet - This article describes how to integrate gcloud beta terraform vet with your CI/CD pipeline.

GKE Autopilot Istio Kubernetes

Installing Istio (Not Anthos Service Mesh) on GKE Autopilot - GKE Autopilot now supports the deployment of custom service meshes and provides the option to enable the NET_ADMIN capability on Autopilot clusters, which makes service meshes and other opt-in use cases possible.

Billing Official Blog

Build better budgets using folders and organizations - Your cloud resource hierarchy, and associated budgets for cost management, enable you to track and control how much you spend.

Kubernetes VPC

Publish Service to external VPC through Private Service Connect - Exploring Private Service Connect to create a publisher-consumer service between VPCs in GCP.

Infrastructure Networking

GCP Network Design (Part-1) Things to Consider Before Starting GCP Network Design

Infrastructure Terraform

Policy Validation — Preventive Control with Terraform Vet - Preventive controls are realized through policy. Policy is defined as a series of programmatic constraints that protect GCP resources.

Cloud Domains

RIP Google Domains & Cloud Domains - A personal opinion on Google selling Google Domains to Squarespace.

App Development, Serverless, Databases, DevOps

Apigee GCP Experience Official Blog

From B2C to B2B: Picsart's Apigee-powered pivot - When a social media site asked Picsart to offer its editing tools to their users via APIs, Picsart turned to Apigee to help out with API management.

Cloud Run gRPC

gRPC Service to Service on Cloud Run and Private Networking - A three-part blog series on using gRPC in Cloud Run.

CI Cloud Run DevOps GitHub

How To Build a Simple CI/CD Pipeline using Docker, Github Actions, and Google Cloud Run - Learn how to build a simple CI/CD pipeline using Docker, GitHub Actions, and Google Cloud Run for seamless software delivery.

Cloud Run Docker Serverless

Cloud Run jobs, your parallel tasks solution - An overview of Cloud Run tasks.


GCP — small things — big savings - A few things to lower your GCP bill.

Cloud SQL

Bi-directional logical replication for CloudSQL using ‘Private IP’ - Step-by-step instructions on how you can configure and implement Bi-directional logical Cloud SQL replication over Private IP.

Big Data, Analytics, ML&AI

GCP Experience Official Blog

Arpeely disrupts digital advertising with ML-based demand generation platform on Google Cloud - Arpeely transforms digital advertising with an innovative machine learning and algorithm engine powered by Google Cloud, including BigQuery and GKE.

BigLake BigQuery Official Blog

Accelerate BigLake performance to run large-scale analytics workloads - BigLake accelerates query performance through a combination of its scalable metadata system, efficient query plans and materialized views.

BigLake Official Blog

Transform your Apache Iceberg lakehouse with BigLake - You can now use Apache Iceberg as the data management layer for building lakehouses with BigLake, and query the data with BigQuery.

Airflow Workflows

Google Workflows: A Potential Replacement for Simple ETL? - An example of using Cloud Workflows.

Cloud Dataproc Security

Access Control on Dataproc for Hive and Spark jobs - What are the basics of access control? What options do we have on Dataproc for properly handling access control?

BigQuery Dataform dbt

Dataform, what’s the story? - Just exactly what is Google Cloud’s Dataform service, and how easy is it to implement?


Simplifying SAML Authentication in Looker: A Step-by-Step Guide - Integrating Looker and Okta with SAML: A Simplified Guide.

Kubeflow Vertex AI

Vertex AI Tips and Tricks: Using Exit Handlers to Create Robust ML Pipelines in Production - Example of using Exit Handler in Kubeflow Vertex AI pipelines.

AI Machine Learning TensorFlow Vertex AI

What you can expect from Vertex TensorBoard - How Google integrates TensorBoard into its Vertex ecosystem, where it differs from its open source sibling, and how you make the most of it.

AI Machine Learning Recommendations AI

Provide a Personalized Experience to Your Customers Using Google Cloud Recommendation AI - Implement a highly advanced recommender system using Google Cloud Recommendation AI.

BigQuery Machine Learning Official Blog Vertex AI

RNA-Seq and protein structure prediction with BigQuery and Vertex AI - We’ve developed an end-to-end pipeline for RNA-Seq and protein structure prediction using BigQuery and Vertex AI that processes terabyte-scale data.

Data Science Vertex AI

Google PaLM API: Generative Models for Code Generation - Vertex AI API for generative AI.

AI Vertex AI

Sentiment analysis with generative AI: a data-driven PaLM 2 prompt evaluation - A simple overview of how to evaluate the quality of a sentiment analysis prompt.

Slides, Videos, Audio

Kubernetes Podcast - #203 Docker & WASM with Justin Cormack.

Security Podcast - #126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?



AlloyDB - AlloyDB cross-region replication is generally available (GA). The extension anon has been added to extensions supported by AlloyDB.

Anthos clusters on bare metal - 1.14: Release 1.14.6 of Anthos clusters on bare metal is now available for download. Functionality changes: upgraded etcd to v3.4.26-0-gke.0. Fixes: the following container image security vulnerabilities have been fixed: CVE-2019-17594, CVE-2019-17595, CVE-2021-20206, CVE-2022-3821, CVE-2022-4415, CVE-2022-29458, CVE-2022-32190, CVE-2023-2454, CVE-2023-2455. Known issues: for information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section. 1.15: Release 1.15.2 of Anthos clusters on bare metal is now available for download. Functionality changes: added a preflight check to make sure control plane and load balancer nodes aren't in maintenance mode before an upgrade. Fixes: fixed an issue where containerd didn't restart when there was a version mismatch. Known issues: for information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.

Anthos clusters on VMware - Security bulletin: A new vulnerability, CVE-2023-0468, has been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges to root. io_poll_get_ownership keeps increasing req->poll_refs on every io_poll_wake until it overflows to 0, which fputs req->file twice and causes a struct file refcount issue.

Apigee X - On June 20, 2023, we released an updated version of Apigee X (1-10-0-apigee-3). Bug ID 284114575: Implemented fix to prevent the execution of untrusted code in Apigee policies. Bug ID 273801301: Security fix for apigee-diagnostics-collector, apigee-mart-server, apigee-runtime, and apigee-synchronizer.

AppEngine Flexible Java - The Java runtime now supports using Maven wrappers for managing your project's dependency on Maven.

Google Cloud Armor - DDoS attack visibility is now available in public preview.

Bare Metal Solution - You can now view storage volume and LUN metrics in the Google Cloud console. You can now rename your Bare Metal Solution resources, including servers, networks, storage volumes, and NFS shares.

Batch - Cloud Client Libraries for C++ are available for the Batch API.

BigQuery - TRUNCATE TABLE is now supported for multi-statement transactions. Metadata caching is now generally available (GA). BigQuery now supports querying Apache Iceberg tables that are created by open source engines.

Cloud Build - The Cloud Build Security insights panel that displays security metrics such as Supply-chain Levels for Software Artifacts (SLSA) level for built artifacts, vulnerabilities, and build details is now generally available. Cloud Build now provides the ability to upload npm packages to Artifact Registry automatically and generate Supply-chain Levels for Software Artifacts (SLSA) Level 3 build provenance.

Chronicle - The Chronicle Data in BigQuery feature, including the export pipeline and events table, has been improved. You can now share a dashboard file between instances or within an instance between different users. The predefined reference lists for Curated Detections have been replaced by rule exclusions.

Cloud Composer - Cloud Composer 2.3.2 release started on June 20, 2023. (Airflow 2.5.1 only) Logs produced in Airflow DAG callbacks are now visible in Cloud Logging in the "DAG processor manager" logs section. DataprocSubmitJobOperator now supports data lineage for Hive, SparkSQL, Presto, and Trino jobs. Changed the severity of triggerer watchdog messages from error to warning and updated the message's content to be more informative. Cloud Composer 2.3.2 images are available: composer-2.3.2-airflow-2.5.1 (default) and composer-2.3.2-airflow-2.4.3.

Compute Engine - Preview: You can now use custom constraints to provide more granular and customizable control over specific fields for some Compute resources.

Database Migration Service - Database Migration Service support for PostgreSQL to AlloyDB for PostgreSQL migrations is now generally available (GA).

Dataproc Serverless - New Dataproc Serverless for Spark runtime versions: 1.1.20 2.0.28 2.1.7.

Dataproc - New Dataproc Serverless for Spark runtime versions: 1.1.20 2.0.28 2.1.7.

Datastore - OR queries are now supported at the General Availability level.

Cloud Deploy - You can now prevent Cloud Deploy from overprovisioning GKE and Anthos pods during a canary deployment.

Cloud Firestore - OR queries now supported at the General Availability level.

Cloud Functions - The Java runtime now supports projects that use Maven wrappers.

Google Kubernetes Engine - Automatic GPU driver installation is available in version 1.27.2-gke.1200 and later, which enables you to install NVIDIA GPU drivers on nodes without manually applying a DaemonSet. GKE Autopilot now supports the ability to deploy your own service mesh. A new vulnerability, CVE-2023-0468, has been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges to root: io_poll_get_ownership keeps increasing req->poll_refs on every io_poll_wake until it overflows to 0, which fputs req->file twice and causes a struct file refcount issue. GKE support for Hyperdisk Throughput and Hyperdisk Extreme as an attached persistent disk option is now generally available.

Live Stream API - You can now use VPC Service Controls to secure your live streams.

Load Balancing - We're announcing the rebranding of Cloud Load Balancing into two main types of load balancers: Application Load Balancers and Network Load Balancers.

Cloud Logging - Log buckets in the following regions can now be upgraded to use Log Analytics: asia-east1, europe-north1, northamerica-northeast2, us-east4. For more information, see Supported regions.

Security Command Center - Only the Security Center Service Agent (roles/securitycenter.serviceAgent) role is required by the Security Command Center service account. Event Threat Detection, a built-in service of Security Command Center, released the following new rules to General Availability.

Cloud Spanner - Spanner Vertex AI integration is now generally available.

Cloud Storage - Objects created using XML API multipart uploads can now be copied and rewritten normally.

Vertex AI - A100 80GB accelerators are now generally available (GA) for custom training jobs in the following regions: asia-southeast1, europe-west4, us-central1, us-east4. For more information, see Locations.

VMware Engine - Stretched Private Clouds are now available in the following region: London, England, Europe (europe-west2). Stretched Private Clouds allow you to stretch your vSphere/vSAN clusters across Google Cloud zones and protect against zone-level failures.

VPC Service Controls - Preview stage support for the following integration: Cloud Customer Care. General availability for the following integration: Live Stream API.

Virtual Private Cloud - The connection preference for a Private Service Connect published service can be configured on the VPC network level in addition to project level. Service consumers can use organization policies with the compute.restrictPrivateServiceConnectProducer list constraint to block Private Service Connect endpoints and backends from connecting to service attachments in other organizations.

Workflows - An issue with how Workflows handles HTTP headers with duplicate keys is resolved.


Zdenko Hrček