GKE on Bare Metal 1.29.100-gke.251 is now available for download

## Announcement

### Release 1.29.100-gke.251

GKE on Bare Metal 1.29.100-gke.251 is now available for [download](https://cloud.google.com/anthos/clusters/docs/bare-metal/latest/downloads). To upgrade, see [Upgrade clusters](https://cloud.google.com/anthos/clusters/docs/bare-metal/latest/how-to/upgrade). GKE on Bare Metal 1.29.100-gke.251 runs on Kubernetes 1.29.

If you use a third-party storage vendor, check the [GDCV Ready storage partners](https://cloud.google.com/anthos/docs/resources/partner-storage) document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

## Breaking

* Added new API and IAM role requirements for Cloud Monitoring:

  * You must enable the `kubernetesmetadata.googleapis.com` API for your project and grant the `roles/kubernetesmetadata.publisher` IAM role to the Logging and Monitoring service account (`anthos-baremetal-cloud-ops`, when created automatically). Clusters use this API as an endpoint to send Kubernetes metadata to Google Cloud. The metadata is vital for cluster monitoring, debugging, and recovery. If you [install your clusters behind a proxy](https://cloud.google.com/anthos/clusters/docs/bare-metal/latest/installing/proxy), add `kubernetesmetadata.googleapis.com` to the list of allowed connections.

  * Due to changes in the way service accounts are checked, you must also grant the following IAM roles to the Logging and Monitoring service account:

    * `roles/monitoring.viewer`
    * `roles/serviceusage.serviceUsageViewer`

  These API and IAM role requirements apply to both creating new 1.29 clusters and upgrading existing clusters to 1.29.

## Change

**Functionality changes:**

* Added checks to validate the SSH client certificate file type before saving the certificate as a Secret.

* Deprecated the `spec.gkeVersion` field in `Machine` and `BareMetalMachine` custom resources. After GKE on Bare Metal release 1.30, the value of `gkeVersion` isn't guaranteed to be reliable.

* Added preflight checks for available disk space in specific directories:

  * During cluster creation, the following directories are checked:

    * `/` (the root directory) has at least 4 GiB of free space
    * `/var/log/fluent-bit-buffers` has at least 12 GiB of free space
    * `/var/opt/buffered-metrics` has at least 10016 MiB of free space

  * During a cluster upgrade, the following directory is checked:

    * `/` (the root directory) has at least 2 GiB of free space

## Fix

**Fixes:**

* Fixed an issue where the kubelet doesn't honor the shortened, 1-second grace period for pod deletion during eviction-based draining.

## Fix

The following container image security vulnerabilities have been fixed in 1.29.100-gke.251:

* Medium-severity container vulnerabilities:

  * [CVE-2024-2961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961)
  * [CVE-2024-28182](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28182)

## Issue

**Known issues:**

For information about the latest known issues, see [GKE on Bare Metal known issues](https://cloud.google.com/anthos/clusters/docs/bare-metal/latest/troubleshooting/known-issues) in the Troubleshooting section.
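
As a pre-upgrade check for the IAM requirements listed under Breaking, the following added example (not part of the release notes or of Google's tooling) reads a project IAM policy in the JSON form that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports which of the three required roles the Logging and Monitoring service account still lacks. The function name, the `example-project` project ID, and the sample policy are assumptions constructed for illustration.

```python
import json

# Roles the release notes require on the Logging and Monitoring service account.
REQUIRED_ROLES = (
    "roles/kubernetesmetadata.publisher",
    "roles/monitoring.viewer",
    "roles/serviceusage.serviceUsageViewer",
)


def missing_roles(policy_json, sa_email):
    """Return (missing, conditional) required roles for sa_email in an IAM policy."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding applies only while its condition holds, so it is
        # reported separately rather than counted as an unconditional grant.
        target = conditional if "condition" in binding else granted
        target.add(binding["role"])
    missing = [role for role in REQUIRED_ROLES if role not in granted]
    return missing, [role for role in missing if role in conditional]


# Constructed sample input: project ID, user and condition are placeholders.
SAMPLE_SA = "anthos-baremetal-cloud-ops@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/kubernetesmetadata.publisher",
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/monitoring.viewer",
         "members": ["user:admin@example.com"]},
        {"role": "roles/serviceusage.serviceUsageViewer",
         "members": [f"serviceAccount:{SAMPLE_SA}"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
    ],
})

if __name__ == "__main__":
    missing, conditional = missing_roles(SAMPLE_POLICY, SAMPLE_SA)
    for role in missing:
        note = " (bound only with a condition)" if role in conditional else ""
        print(f"MISSING {role}{note}")
    raise SystemExit(1 if missing else 0)
```

The check covers the project-level policy only; a role inherited from a folder or organization does not appear in that document and would be reported as missing.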