Welcome to issue #397 May 6th, 2024

News

Introducing Dataflux Dataset for Cloud Storage to accelerate PyTorch AI training

Auto-upgrades for Config Sync in GKE Enterprise now in preview

Google is a Leader in the 2024 Gartner® Magic Quadrant™ for Cloud AI Developer Services

Google Cloud named a leader in the 2024 Forrester Wave™: Data Lakehouses

---

Your cloud, simplified

DoiT delivers technology and cloud expertise to buy, optimize, and manage Google Cloud with ease. Access a global team of cloud experts with decades of experience in cloud architecture, Kubernetes, machine learning, and much more – all on call for you. Learn More

---

Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

Scalable multi-tenancy management with Config Sync and team scopes - With Config Sync team scopes, platform admins can define fleet-wide and team-specific cluster configurations such as resource quotas and network policies, allowing each application team to manage their own workloads within designated namespaces across clusters.

Uncharmed: Untangling Iran's APT42 Operations

5 ways Service Extensions callouts can improve your Cloud Load Balancing environment - In this blog, we delve into the benefits of Service Extensions callouts for Application Load Balancers, exploring how they optimize performance, bolster security, and foster greater operational efficiency.

Cloud CISO Perspectives: Tour the new Security Command Center Enterprise

Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints

Transform your telecom applications with multi-networking and Kubernetes

Running out of IP addresses for your Kubernetes Pods? Here’s a tried and true solution

From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis

Deep dive into Google Cloud Compute Engine commitments - This blog post discusses how to combine Flex and Resouce-based commitments.

App Development, Serverless, Databases, DevOps

Enhancing iEEG seizure identification and similarity search with Google Cloud

Making API calls exactly once when using Workflows

Uncomplicating the complex: How Spanner simplifies microservices-based architectures

AI can be the catalyst to reignite your digital transformation

Managing Cloud Storage soft delete at scale

In-context observability with customizable dashboards everywhere on Google Cloud

Event-Driven Cloud Function Triggered Multiple Times & How to Address It - Finding out why Cloud Function was triggered multiple times during a pipeline execution.

How Konfig provides an enterprise platform with GitLab and Google Cloud - Explaining Konfig, an enterprise integration of GitLab and Google Cloud that addresses security and governance, maintainability, and speed to production.

Cloud Build + Cloud Deploy: Best Siblings - This article explores a complete CI/CD pipeline using Cloud Build and Cloud Deploy for deploying an application to Cloud Run.

Big Data, Analytics, ML&AI

Woven by Toyota decreased their AI training times by 20% by using Cloud Storage FUSE

Simplifying data modeling and schema generation in BigQuery using multi-modal LLMs - Now you can pass multi-modal input to Gemini to create data models for your data warehouse.

Demystifying Dataproc spark job executions - This blog focuses on the issue of optimizing job concurrency and allowing Dataproc to process Spark jobs faster and more efficiently.

Private networking patterns to Vertex AI workloads

RAG in production faster with Ray, LangChain and HuggingFace - A quickstart solution and reference architecture for retrieval augmented generation (RAG) applications, designed to accelerate your journey to production on Google Kubernetes Engine (GKE), and Cloud SQL for PostgreSQL and pgvector, using Ray, LangChain, and Hugging Face.

Long document summarization with Workflows and Gemini models - This blog post illustrates how Workflows can perform long-document summarization.

Transforming customer feedback: analyzing audio customer reviews with BigQuery ML’s speech-to-text

When to use Gemini or purpose-built AI models in BigQuery - This post provides some high-level guidance to consider when determining whether Gemini foundation models or purpose-built AI models are a better fit for your workload’s requirements.

Multimodal citations with Google’s Vertex AI - A novel approach to enhance the user experience with GenAI applications.

Unlocking the Power of Gemini in BigQuery - A Guide for SQL Code AI Assistance.

Level Up your RAG: Tuning Embeddings on Vertex AI - In this article, you will learn how to tune the text embedding model for adapting to your retrieval-specific domain.

Various

How to Pass the Google Professional Cloud DevOps Exam - Share some tips to help pass GCP DevOps certification exam.

Slides, Videos, Audio

Kubernetes Podcast - #224 OpenFeature, with Thomas Poignant and Todd Baert.

Security Podcast - #170 Redefining Security Operations: Practical Applications of GenAI in the SOC.

Releases

AlloyDB - You can now set maintenance windows for your AlloyDB clusters. AlloyDB now supports up to 64 TiB storage per cluster in all locations.

Anthos Config Management - 1.18.0. Installing Policy Controller 1.18.0 or newer will fail unless you first enable the anthospolicycontroller.googleapis.com API. Policy Controller now has its own release notes page. Dynamic namespace selection using the spec.mode field in the NamespaceSelector CRD is now generally available (GA). Config Sync now supports specifying CA certificates for helm and OCI source types. Policy Controller bundles have been updated to the following versions: cis-gke-v1.5.0: 202403.0, nist-sp-800-190: 202403.0, nist-sp-800-53-r5: 202403.0, pci-dss-v3.2.1: 202403.0, pci-dss-v4.0: 202403.0, policy-essentials-v2022: 202403.0, pss-baseline-v2022: 202403.1, pss-restricted-v2022: 202403.1. When syncing from Helm, Config Sync now retries faster on errors with exponential backoff. Reduced memory footprint in reconcilers by not loading the OpenAPI when the Config Sync admission webhook is disabled. On Autopilot clusters, the helm-sync container CPU request is changed from 150m to 250m, and memory request is changed from 256Mi to 384Mi. Upgraded bundled Helm version from v3.13.3 to v3.14.3 to pick up vulnerability fixes.

Google Distributed Cloud VM Runtime - 1.29. Release 1.29.0-gke.1449 A new release of VM Runtime on Google Distributed Cloud is available as part of the GKE on Bare Metal 1.29.0-gke.1449 release, which is now available for download. Added support for configuring the running state (Running or Stopped) of a GVM through the runningState field in the GVM resource spec. Added support for applying real-time label patching to the vm Pod by adding labels to GVM resources. Reduced the CPU and memory resource request settings for the macvtap DaemonSet. Added vmruntime preflight check result to the output of kubectl get vmruntime. Enabled the ability to override the pod network configuration through the virtSpec ConfigMap. Changed the default VM high availability grace period from 90 seconds to 35 seconds. Added ResponseReadTimeout for use when fetching images from an S3 repository. Fixed the guest agent installation script. Fixed the virt-launcher log container termination issues that sometimes caused VM statuses of not ready. Fixed issues on the persistent non-volatile random access memory NVRAM feature, which caused the created PVC to get stuck in a pending state. Fixed an issue with the virtctl create vm command that caused failures when os-type was set to windows.

Anthos clusters on bare metal - 1.28. Release 1.28.500-gke.120 GKE on Bare Metal 1.28.500-gke.120 is now available for download. The following container image security vulnerabilities have been fixed in 1.28.500-gke.120: Critical container vulnerabilities: CVE-2021-38297 CVE-2022-23806 CVE-2023-24538 CVE-2023-24540 CVE-2023-29402 CVE-2023-29404 CVE-2023-29405 High-severity container vulnerabilities: CVE-2020-29652 CVE-2021-29923 CVE-2021-33195 CVE-2021-33196 CVE-2021-33198 CVE-2021-39293 CVE-2021-41771 CVE-2021-41772 CVE-2021-44716 CVE-2022-2879 CVE-2022-2880 CVE-2022-21698 CVE-2022-23772 CVE-2022-23773 CVE-2022-24675 CVE-2022-24921 CVE-2022-28131 CVE-2022-28327 CVE-2022-30580 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-32189 CVE-2022-41715 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24539 CVE-2023-29400 CVE-2023-29403 CVE-2023-45287 Medium-severity container vulnerabilities: CVE-2020-29509 CVE-2020-29511 CVE-2021-33197 CVE-2021-34558 CVE-2021-36221 CVE-2022-1705 CVE-2022-1962 CVE-2022-32148 CVE-2022-41717 CVE-2023-24532 CVE-2023-29406 CVE-2023-29409 CVE-2024-26908 CVE-2024-28085 Low-severity container vulnerabilities: CVE-2022-30629 CVE-2023-52630. Known issues: For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section. 1.29. Release 1.29.0-gke.1449 GKE on Bare Metal 1.29.0-gke.1449 is now available for download. Version 1.15 end of life: In accordance with the Version Support Policy, version 1.15 (all patch releases) of GKE on Bare Metal has reached its end of life and is no longer supported. GA: Support GKE Identity Service v2 capability for an improved security flow when you authenticate with third-party identity solutions. Functionality changes: GKE Identity Service v2 now sends extra parameters (extraParams) to your OIDC provider. Fixes: Fixed an issue where the kubelet doesn't honor shortened, 1-second grace period for pod deletion during eviction-based draining. The following container image security vulnerabilities have been fixed in version 1.29.0-gke.1449: Critical container vulnerabilities: CVE-2021-38297 CVE-2022-23806 CVE-2023-24538 CVE-2023-24540 CVE-2023-25775 CVE-2023-29402 CVE-2023-29404 CVE-2023-29405 High-severity container vulnerabilities: CVE-2020-29652 CVE-2021-29923 CVE-2021-33195 CVE-2021-33196 CVE-2021-33198 CVE-2021-39293 CVE-2021-41771 CVE-2021-41772 CVE-2021-44716 CVE-2022-2879 CVE-2022-2880 CVE-2022-21698 CVE-2022-23772 CVE-2022-23773 CVE-2022-24675 CVE-2022-24921 CVE-2022-28131 CVE-2022-28327 CVE-2022-28948 CVE-2022-30580 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-32189 CVE-2022-41715 CVE-2022-41724 CVE-2022-41725 CVE-2023-5717 CVE-2023-6040 CVE-2023-6356 CVE-2023-6536 CVE-2023-6606 CVE-2023-6931 CVE-2023-6932 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24539 CVE-2023-29400 CVE-2023-29403 CVE-2023-29499 CVE-2023-35827 CVE-2023-46838 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782 CVE-2023-52436 CVE-2023-52439 CVE-2023-52444 CVE-2023-52445 CVE-2023-52451 CVE-2023-52464 CVE-2023-52469 CVE-2024-1086 CVE-2024-26586 CVE-2024-26597 CVE-2024-26598 Medium-severity container vulnerabilities: CVE-2020-29509 CVE-2020-29511 CVE-2021-33197 CVE-2021-34558 CVE-2021-36221 CVE-2021-44879 CVE-2022-1705 CVE-2022-1962 CVE-2022-32148 CVE-2022-41717 CVE-2023-3446 CVE-2023-3817 CVE-2023-6004 CVE-2023-6121 CVE-2023-6915 CVE-2023-6918 CVE-2023-24532 CVE-2023-29406 CVE-2023-29409 CVE-2023-32611 CVE-2023-32665 CVE-2023-34324 CVE-2023-39198 CVE-2023-39804 CVE-2023-45863 CVE-2023-46218 CVE-2023-46343 CVE-2023-49290 CVE-2023-52443 CVE-2023-52449 CVE-2023-52470 CVE-2024-21664 CVE-2024-28085 GHSA-2c7c-3mj9-8fqh Low-severity container vulnerabilities: CVE-2021-25743 CVE-2022-30629 CVE-2023-26604 CVE-2023-2975 CVE-2023-5178 CVE-2023-5197 CVE-2023-6531 CVE-2023-6817 CVE-2023-46813 CVE-2023-46862 CVE-2023-52438 CVE-2023-52448 CVE-2023-52454 CVE-2023-52456 CVE-2023-52457 CVE-2023-52462 CVE-2023-52463 CVE-2023-52467 CVE-2023-52503 CVE-2023-52513 CVE-2023-52524 CVE-2023-52564 CVE-2023-52573 CVE-2023-52575 CVE-2024-0193 CVE-2024-0641 CVE-2024-0646 CVE-2024-24860. Known issues: Clusters that use bundled load balancing with BGP might have performance degradation as the total number of Services of type LoadBalancer approaches 2,000.

Anthos clusters on VMware - GKE on VMware 1.29.0-gke.1456 is now available. Preview: Support migrating a vSphere datastore to SPBM. Server-side preflight checks are enabled by default for admin and user cluster create, update, and upgrade. Version changes in GKE on VMware 1.29.0-gke.1456: Updated Dataplane V2 to use Cilium 1.13. The following issues are fixed in 1.29.0-gke.1456: Fixed the issue where the admin cluster backup did a retry on non-idempotent operations.

GDCV for VMware - GKE on VMware 1.29.0-gke.1456 is now available. Preview: Support migrating a vSphere datastore to SPBM. Server-side preflight checks are enabled by default for admin and user cluster create, update, and upgrade. Version changes in GKE on VMware 1.29.0-gke.1456: Updated Dataplane V2 to use Cilium 1.13. The following issues are fixed in 1.29.0-gke.1456: Fixed the issue where the admin cluster backup did a retry on non-idempotent operations.

Apigee Integrated Portal - On May 1, 2024 we released an updated version of Apigee integrated portal. This release contains multiple security fixes.

Application Integration - Loop Metadata variables are changing In the For each loop and While loop tasks, there's a Loop metadata variable in which you will find duplicate keys for the output variable–for example, Current Iteration Count and current_iteration_count. With Gemini, you can now build integrations in Application Integration: Create and build integrations Configure connector tasks in an integration Add edge conditions and append additional tasks to an integration Generate integration description This feature is in preview.

Cloud Asset Inventory - The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs. The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

Bare Metal Solution - You can now set up Ops Agent on your Bare Metal Solution server to view Bare Metal Solution metrics. Bare Metal Solution now supports Oracle Linux 9.

BigQuery - Analytics Hub Subscription Management is generally available (GA). Analytics Hub Provider Usage Metrics is now generally available (GA). AWS Glue federated datasets are now generally available (GA). You can now specify translation configurations in the BigQuery interactive SQL translator and use it to debug batch SQL translator jobs. The following BigQuery ML data preprocessing features are now generally available (GA): The ML.TRANSFORM function, which you can use to preprocess feature data. You can now reference Iceberg tables in materialized views instead of migrating that data to BigQuery-managed storage. You can now let users that are in Microsoft Entra groups access BigQuery data in Power BI by using Workforce Identity Federation.

Bigtable - The Bigtable Spark connector lets you read and write data from and to Bigtable using Spark SQL and DataFrames inside your Spark application.

Chronicle Security Operations - Create a new playbook using Gemini (Preview) You can now use Gemini to create a fully structured playbook. The following supported default parsers have changed.

Chronicle SOAR - Remote Agents Release 1.6.0 is currently in Preview. Jobs can now be run remotely over remote agents. Release 6.3.1 is currently in Preview. Create a new playbook using Gemini (Preview) You can now use Gemini to create a fully structured playbook. Change entities to be marked as non suspicious When an entity is marked as IsSuspicious, you can now change the value from True to False. Two changes have been made to the sort within cases ability: Option to sort cases by name has been removed. Cannot insert images in reports (ID #00244001). HTML templates, case sensitivity issue and generic error (ID #44058663). Change Alert Priority action not working as expected (ID #00277602). Clicking on events configuration takes you to the wrong mapping & modeling rules. Alert Grouping settings not displaying correctly.

Cloud Composer - Cloud Composer 2.7.1 release started on April 29, 2024. The apache-airflow-providers-google package is upgraded to version 10.17.0. The apache-airflow-providers-cncf-kubernetes package was upgraded to version 8.1.0. Cloud Composer 2.7.1 images are available: composer-2.7.1-airflow-2.7.3 (default) composer-2.7.1-airflow-2.6.3. Cloud Composer version 2.1.14 has reached its end of full support period.

Compute Engine - The global serial console gateway is deprecated. Starting the week of April 29, 2024, when you limit the run time of a standalone VM or a VM in a managed instance group (MIG), the following changes take effect: When you stop or suspend a VM that has a time limit, the time limit will no longer be automatically removed.

Dataproc Serverless - New Dataproc Serverless for Spark runtime versions: 1.1.60 1.2.4 2.0.68 2.1.47 2.2.4. Dataproc Serverless for Spark: Upgraded Spark RAPIDS to version 24.04.0 in 1.2 and 2.2 Dataproc Serverless for Spark runtimes. When you submit a Dataproc Serverless Batch with a CMEK key: In addition to encrypting disk and Cloud Storage data, Dataproc Serverless will use your CMEK to also encrypt batch job arguments.

Dataproc - New Dataproc on Compute Engine subminor image versions: 2.0.99-debian10, 2.0.99-rocky8, 2.0.99-ubuntu18 2.1.47-debian11, 2.1.47-rocky8, 2.1.47-ubuntu20, 2.1.47-ubuntu20-arm 2.2.13-debian12, 2.2.13-rocky9, 2.2.13-ubuntu22.

Datastore - Firestore in Datastore mode now supports the us-south1 Dallas region.

Dialogflow - Vertex AI Conversation has been renamed to Vertex AI Agents. Vertex AI Agents: Agent apps now support all languages supported by Vertex AI generative models. Vertex AI Agents: Agent apps now support the eu multi-region. Dialogflow CX: You can now access the session ID with built-in parameters.

Cloud Quotas - The Quota adjuster feature is generally available (GA). Cloud Quotas support for VPC Service Controls is generally available (GA).

Document AI - v1beta3. Online processing is available for Layout Parser in Document AI.

Eventarc - Eventarc support for creating triggers for direct events from Cloud Speech-to-Text is generally available (GA).

Cloud Filestore - You can now revert an instance to a snapshot state. Filestore supports IP-based access control for your volumes.

Cloud Firestore - Firestore now supports the us-south1 Dallas region.

IAM - As of May 3, 2024, when you create a new organization, it enforces the following organization policy constraints by default: iam.disableServiceAccountKeyCreation iam.disableServiceAccountKeyUpload iam.automaticGrantsForDefaultServiceAccounts iam.allowedPolicyMemberDomains For more information, see Restricting service account usage and Restricting identities by domain.

Google Kubernetes Engine - The new release of the GKE Gateway controller (2024-R1) is now generally available. Starting in GKE 1.30, the metric scheduler_pod_scheduling_duration_seconds in control plane metrics package will no longer be available, as a result of deprecation in the upstream OSS. (2024-R12) Version updates GKE cluster versions have been updated. 1.30 is now available in the Rapid channel Kubernetes 1.30 is now available in the Rapid channel. New features in 1.30 The following features are new in Kubernetes 1.30: ValidatingAdmissionPolicy is GA and now enabled by default. New APIs in 1.30 The following APIs are new in Kubernetes 1.30: admissionregistration.k8s.io/v1 ValidatingAdmissionPolicyBinding and ValidatingAdmissionPolicy. Deprecated APIs in 1.30 The following Beta versions of graduated APIs were previously deprecated in 1.29 in favor of newer versions: flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema, PriorityLevelConfiguration: Deprecated since 1.29, will no longer be served in 1.32. Deprecated features in 1.30 The Ceph CephFS (kubernetes.io/cephfs) and RBD (kubernetes.io/rbd) volume plugins are deprecated since 1.28 and will be removed in a future release. (2024-R11) Version updates GKE cluster versions have been updated. You can now configure access to private image registries that use private certificates using a containerd configuration file. In GKE 1.29.2-gke.1355000 and later, GPU workloads using the Accelerator compute class in GKE Autopilot support scheduling multiple GPU pods on a single node. A Quick Start Solution and Reference Architecture are now available for developing and deploying Retrieval Augmented Generation (RAG) applications on GKE. Dual-stack LoadBalancer Services are now generally available with GKE. Cloud DNS additive VPC scope is now available in Preview.

GKE new features - The new release of the GKE Gateway controller (2024-R1) is now generally available. Starting in GKE 1.30, the metric scheduler_pod_scheduling_duration_seconds in control plane metrics package will no longer be available, as a result of deprecation in the upstream OSS. You can now configure access to private image registries that use private certificates using a containerd configuration file. In GKE 1.29.2-gke.1355000 and later, GPU workloads using the Accelerator compute class in GKE Autopilot support scheduling multiple GPU pods on a single node. A Quick Start Solution and Reference Architecture are now available for developing and deploying Retrieval Augmented Generation (RAG) applications on GKE. Dual-stack LoadBalancer Services are now generally available with GKE. Cloud DNS additive VPC scope is now available in Preview.

Google Kubernetes Engine Rapid - (2024-R12) Version updates Note: Your clusters might not have these versions available. 1.30 is now available in the Rapid channel Kubernetes 1.30 is now available in the Rapid channel. New features in 1.30 The following features are new in Kubernetes 1.30: ValidatingAdmissionPolicy is GA and now enabled by default. New APIs in 1.30 The following APIs are new in Kubernetes 1.30: admissionregistration.k8s.io/v1 ValidatingAdmissionPolicyBinding and ValidatingAdmissionPolicy. Deprecated APIs in 1.30 The following Beta versions of graduated APIs were previously deprecated in 1.29 in favor of newer versions: flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema, PriorityLevelConfiguration: Deprecated since 1.29, will no longer be served in 1.32. Deprecated features in 1.30 The Ceph CephFS (kubernetes.io/cephfs) and RBD (kubernetes.io/rbd) volume plugins are deprecated since 1.28 and will be removed in a future release. (2024-R11) Version updates Note: Your clusters might not have these versions available.

Migrate for Compute Engine - 5.0. Migrate to Virtual Machines now supports importing virtual disk image files in the following formats: QEMU copy-on-write (QCOW) QEMU copy-on-write 2 (QCOW2) QEMU enhanced disk format (QED) VPC Virtual disk image (VDI) Virtual hard disk v2 (VHDX) Virtual hard disk (VHD) In addition to these formats, Virtual machine disk (VMDK), and raw files compressed as a .tar.gz file are also supported.

Migrate to Virtual Machines - Migrate to Virtual Machines now supports importing virtual disk image files in the following formats: QEMU copy-on-write (QCOW) QEMU copy-on-write 2 (QCOW2) QEMU enhanced disk format (QED) VPC Virtual disk image (VDI) Virtual hard disk v2 (VHDX) Virtual hard disk (VHD) In addition to these formats, Virtual machine disk (VMDK), and raw files compressed as a .tar.gz file are also supported.

Policy Intelligence - Some Policy Intelligence features are only available for customers with organization-level activations of Security Command Center.

reCAPTCHA Enterprise - reCAPTCHA Enterprise Mobile SDK v18.5.0-beta03 is now available for Android. reCAPTCHA Enterprise Mobile SDK v18.5.0-beta04 is now available for iOS.

Cloud Spanner - Spanner now supports the following for PostgreSQL arrays: UNNEST WITH ORDINALITY Array slices ANY, SOME, and ALL array comparison operators arrayoverlap, arraycontains, and arraycontained functions and their operators. Through self-service and with zero downtime, you can now add and remove read-only replicas in base instance configurations and move your Spanner instance to a different instance configuration.

Vertex AI - Vertex AI custom training supports TPU v5e.

Vertex AI Workbench - The M120 release of Vertex AI Workbench managed notebooks includes the following: Minor bug fixes for the libcurl package.

VPC Service Controls - General availability support for the following integration: Backup and DR Service. General availability support for the following integration: Cloud Quotas.

Virtual Private Cloud - Private Service Connect supports IPv6 in Preview for the following supported configurations: Service consumers can access published services by using Private Service Connect endpoints that have IPv6 addresses. Service producers are no longer charged producer data processing for ingress or egress traffic through a Private Service Connect service attachment. Private Service Connect now offers consumers volume-based discounts for consumer data processing.

Workstation - Cloud Workstations base images are being upgraded to Ubuntu 22.04 from Ubuntu 20.04 this week. Cloud Workstations base images now default to Python 3.10.12.