Hi Guys,
I have an autopilot GKE cluster which is the backend of a managed cloud-composer (airflow) system.
I received a message from the Security Command Center regarding a security vulnerability (CVE-2024-50264) affecting our GKE Autopilot cluster.
While I have upgraded the control plane as required, the automatic node pool upgrades appear to be blocked. The system indicates an "unpermissive pod disruption budget" is preventing maintenance, but due to Autopilot restrictions, I cannot modify these settings directly.
Has anyone encountered this issue?
What would be the correct way to tackle this?
Thanks
Hi elad-canopycare,
Welcome to Google Cloud community!
Based on the error that you encountered, this happens when a PDB matching a Pod is impossible to adhere to for maintenance activities such as a node upgrade. A PDB must allow for at least one Pod to be disrupted, so GKE violates this PDB for necessary maintenance after one hour. For troubleshooting, ensure that the Pod Disruption Budget's minAvailable setting is less than the total Pod count, or ensure that the maxUnavailable setting is greater than 0. For single-replica workloads, consider longer Pod Disruption Budget wait times or consider configuring maintenance windows to define allowed downtime for workloads.
Regarding the security vulnerability (CVE-2024-50264), both GKE Standard and Autopilot clusters are impacted. If you are using Ubuntu, upgrade your node pools to one of the following versions or later:
For Container-Optimized OS, upgrade your node pools to one of the following versions or later:
Note: You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel.
In addition, for Cloud Composer (Airflow), it is the customer's responsibility to upgrade to newer Cloud Composer and Airflow versions to keep support for the product and to resolve security issues once the Cloud Composer service publishes a Cloud Composer version that addresses the issues.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
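A way to find out which PDBs permit zero disruptions before raising the issue with Composer support, as an added example that is not part of this thread: it applies the rule from the reply above (minAvailable below the Pod count, or maxUnavailable above 0, with percentages rounded up as the Kubernetes disruption controller does) to a constructed sample in the shape of `kubectl get pdb -A -o json`. The namespace and PDB names are hypothetical.

```python
import json
import math

# Constructed sample in the shape of `kubectl get pdb -A -o json`
# (hypothetical namespace and names, not data from any real cluster).
SAMPLE_PDB_LIST = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "composer", "name": "scheduler-pdb"},
     "spec": {"minAvailable": 1},
     "status": {"expectedPods": 1, "currentHealthy": 1}},
    {"metadata": {"namespace": "composer", "name": "worker-pdb"},
     "spec": {"maxUnavailable": "25%"},
     "status": {"expectedPods": 3, "currentHealthy": 3}},
    {"metadata": {"namespace": "composer", "name": "web-pdb"},
     "spec": {"maxUnavailable": 0},
     "status": {"expectedPods": 2, "currentHealthy": 2}}
  ]
}
""")

def scaled(value, total):
    """Resolve an int-or-percent PDB value against the expected Pod count.
    Percentages round up, as the Kubernetes disruption controller does."""
    if isinstance(value, str) and value.endswith("%"):
        return math.ceil(total * int(value[:-1]) / 100)
    return int(value)

def disruptions_allowed(pdb):
    """Number of Pods a node drain may evict right now under this PDB."""
    spec, status = pdb["spec"], pdb["status"]
    expected, healthy = status["expectedPods"], status["currentHealthy"]
    if "minAvailable" in spec:
        desired_healthy = scaled(spec["minAvailable"], expected)
    else:
        desired_healthy = max(0, expected - scaled(spec["maxUnavailable"], expected))
    return max(0, healthy - desired_healthy)

def blocking_pdbs(pdb_list):
    """Return (namespace/name, reason) for every PDB that permits zero disruptions."""
    findings = []
    for pdb in pdb_list["items"]:
        if disruptions_allowed(pdb) == 0:
            spec = pdb["spec"]
            key = "minAvailable" if "minAvailable" in spec else "maxUnavailable"
            name = f'{pdb["metadata"]["namespace"]}/{pdb["metadata"]["name"]}'
            findings.append((name, f'{key}={spec[key]} with {pdb["status"]["expectedPods"]} expected Pods'))
    return findings

if __name__ == "__main__":
    for name, reason in blocking_pdbs(SAMPLE_PDB_LIST):
        print(f"{name}: {reason}")
```

On Autopilot the flagged PDBs belong to the managed Composer environment, so the output is what to hand to support rather than something to edit directly.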