
On GKE Autopilot clusters running version 1.30 and later, partner workloads that set AppArmor profiles might unexpectedly be rejected at admission


## Fix

On GKE Autopilot clusters running version 1.30 and later, partner workloads that set AppArmor profiles might unexpectedly be rejected at admission. This might include installations of Prisma Defender, Wiz Runtime Sensor, Sentinel One Agent, Checkpoint CloudGuard, Aqua Security Enforcer and Splunk OTEL Collector.

The following GKE versions contain a fix for this issue:

* 1.30.5-gke.1355000 and later
* 1.31.1-gke.1621000 and later

Clusters in any release channel can be created on or upgraded to these versions. For details, see [Manually upgrading the control plane](https://cloud.google.com/kubernetes-engine/docs/how-to/upgrading-a-cluster#upgrade%5Fcp).

## Feature

You can now create workloads with multiple network interfaces in GKE Autopilot clusters running version 1.29.5-gke.1091000 and later or version 1.30.1-gke.1280000 and later. For more information, see [Setup multi-network support for Pods](https://cloud.google.com/kubernetes-engine/docs/how-to/setup-multinetwork-support-for-pods).

## Change

For newly-created VPC Peering-based clusters running version 1.27 or later, traffic from the `kube-apiserver` to nodes routes through [the Konnectivity service](https://kubernetes.io/docs/concepts/architecture/control-plane-node-communication/#konnectivity-service). For existing VPC Peering-based clusters, GKE gradually migrates your cluster to use the Konnectivity service.
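
For the AppArmor admission fix listed under "Fix", the following added example (not part of the release note or any Google tooling) classifies Autopilot cluster versions against the two fixed versions, so that security-agent rollouts can be gated on clusters that still sit in the affected range. The cluster names and the inventory are constructed, and treating minors after 1.31 as fixed is an assumption drawn from the "and later" wording.

```python
import re

# Fixed versions quoted in the release note, keyed by (major, minor) line.
FIXED = {
    (1, 30): (1, 30, 5, 1355000),
    (1, 31): (1, 31, 1, 1621000),
}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(text):
    """Return (major, minor, patch, gke_build); raise ValueError if malformed."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a full GKE version: {text!r}")
    return tuple(int(group) for group in match.groups())


def apparmor_fix_status(version_text):
    """Classify a version as 'not-affected', 'affected' or 'fixed'."""
    version = parse_gke_version(version_text)
    line = version[:2]
    if line < (1, 30):
        return "not-affected"  # the note scopes the issue to 1.30 and later
    if line in FIXED:
        return "fixed" if version >= FIXED[line] else "affected"
    # Assumption: minors after 1.31 count as "1.31.1-gke.1621000 and later".
    return "fixed"


def clusters_needing_upgrade(inventory):
    """Return the sorted names of clusters still in the affected range."""
    return sorted(name for name, version in inventory.items()
                  if apparmor_fix_status(version) == "affected")


# Constructed inventory of Autopilot clusters (names are hypothetical).
SAMPLE_INVENTORY = {
    "payments-prod": "1.30.4-gke.1348000",
    "payments-stage": "1.30.5-gke.1355000",
    "edge-eu": "1.31.1-gke.1146000",
    "legacy-batch": "1.29.8-gke.1096000",
}

if __name__ == "__main__":
    for name in clusters_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{name}: upgrade the control plane to a fixed version before "
              "deploying agents that set AppArmor profiles")
```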