Container Images

| Component | Image |
|---|---|
| Runner | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260504.828 |
| Proxy | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260504.828 |
| Prometheus | us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3 |
| Node Exporter | us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1 |

Assets

| Asset | URL |
|---|---|
| CLI Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260504.828/gitpod-linux-amd64 |
| Supervisor Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260504.828/supervisor-amd64.xz |
| VM Image | projects/gitpod-next-production/global/images/ona-environment-20260429-1144 |
⚠️ IAM/Permission Changes
This release adds warm pool support and includes IAM changes since v1.0.0. If you use pre-created service accounts, update your custom role and SA bindings manually.
New permissions added to the runner custom role

| Permission | Purpose |
|---|---|
| compute.autoscalers.create | Manage MIG autoscalers for dynamic warm pool scaling |
| compute.autoscalers.delete | Clean up autoscalers when warm pools are removed |
| compute.autoscalers.get | Read autoscaler state during reconciliation |
| compute.autoscalers.update | Adjust autoscaler targets as demand changes |
| compute.instanceGroupManagers.use | Required for the autoscaler to manage MIG instances |
| compute.instances.listReferrers | Discover which MIG owns a VM during warm pool operations |
| compute.instances.resume | Resume suspended warm pool VMs on claim |
| monitoring.timeSeries.create | Publish scaling metrics that drive the autoscaler |
Role changes

| Resource | Previous | New | Reason |
|---|---|---|---|
| Runner assets bucket (runner_runner_assets_access) | roles/storage.objectViewer | roles/storage.objectAdmin | Runner now writes managed metrics audit payloads to the assets bucket |
IAM role binding changes
- iam.serviceAccounts.actAs removed from the runner custom role. Replaced by per-SA roles/iam.serviceAccountUser bindings.
- iam.serviceAccounts.getAccessToken removed from the runner custom role (unused: the runner authenticates via the GCE metadata server).
- New per-SA bindings: the runner SA is granted roles/iam.serviceAccountUser on three specific service accounts:
  - runner_sa (self), for runner VM instance templates
  - environment_vm_sa, for environment VMs created by the orchestrator
  - proxy_vm_sa, for proxy VM instance templates
- Unused service accounts removed: build_cache, secret_manager, pubsub_processor.
⚠️ Breaking change for pre-created service accounts: If you use pre_created_service_accounts, you must grant roles/iam.serviceAccountUser on the runner_sa, environment_vm_sa, and proxy_vm_sa service accounts to the runner SA out of band. Previously, the project-level actAs in the custom role covered this implicitly.
See docs/iam.md and docs/terraform_service_account_permissions.md for the full updated permission requirements.
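For operators on pre-created service accounts, the following script is an added example (not part of these release notes or the Gitpod project) that applies the two manual steps above with gcloud: it updates the runner custom role with the permissions listed in this release and grants the runner SA roles/iam.serviceAccountUser on each of the three target SAs individually, which keeps the grant scoped to those SAs rather than project-wide. The project id, role id and service-account e-mail addresses are assumptions; override them through the environment variables shown. With DRY_RUN=1 (the default) the commands are only printed, so you can review them before running.

```shell
#!/bin/sh
# Added example, not from the release notes or the Gitpod project. Applies the
# IAM changes listed above with gcloud. PROJECT_ID, RUNNER_ROLE_ID and the SA
# addresses below are assumptions; override them via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"
RUNNER_ROLE_ID="${RUNNER_ROLE_ID:-gitpodRunner}"
RUNNER_SA="${RUNNER_SA:-runner-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
ENVIRONMENT_VM_SA="${ENVIRONMENT_VM_SA:-environment-vm-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
PROXY_VM_SA="${PROXY_VM_SA:-proxy-vm-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# Permissions this release adds to / removes from the runner custom role.
ADDED_PERMISSIONS="compute.autoscalers.create,compute.autoscalers.delete,compute.autoscalers.get,compute.autoscalers.update,compute.instanceGroupManagers.use,compute.instances.listReferrers,compute.instances.resume,monitoring.timeSeries.create"
REMOVED_PERMISSIONS="iam.serviceAccounts.actAs,iam.serviceAccounts.getAccessToken"

# Command that updates the custom role in place (add new permissions, drop the
# project-level actAs/getAccessToken that per-SA bindings now replace).
role_update_cmd() {
  printf 'gcloud iam roles update %s --project=%s --add-permissions=%s --remove-permissions=%s' \
    "$RUNNER_ROLE_ID" "$PROJECT_ID" "$ADDED_PERMISSIONS" "$REMOVED_PERMISSIONS"
}

# Command that lets the runner SA act as ONE target SA. The binding is written
# to the target SA's own IAM policy, not to the project, so the runner can only
# impersonate the SAs it is explicitly granted.
sa_user_binding_cmd() {
  target_sa="$1"
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --project=%s --member=serviceAccount:%s --role=roles/iam.serviceAccountUser' \
    "$target_sa" "$PROJECT_ID" "$RUNNER_SA"
}

# Command that dumps a target SA's IAM policy so the binding can be verified.
verify_binding_cmd() {
  printf 'gcloud iam service-accounts get-iam-policy %s --project=%s --format=json' \
    "$1" "$PROJECT_ID"
}

# Print or execute a single command string depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$1"
  else
    sh -c "$1"
  fi
}

# Apply everything: one role update, then one binding per target SA.
apply_iam_changes() {
  run "$(role_update_cmd)"
  for sa in "$RUNNER_SA" "$ENVIRONMENT_VM_SA" "$PROXY_VM_SA"; do
    run "$(sa_user_binding_cmd "$sa")"
  done
}

apply_iam_changes
# Afterwards, inspect each target SA's policy and confirm the runner SA appears
# under roles/iam.serviceAccountUser, e.g.:
#   sh -c "$(verify_binding_cmd "$ENVIRONMENT_VM_SA")"
```

Note that the role update and the three bindings are separate operations: if you remove iam.serviceAccounts.actAs from the role before the per-SA bindings are in place, the runner loses the ability to create VMs with those service accounts until the bindings land, so apply the bindings first (or in the same change window) when doing this on a live runner.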
What's New
- Warm pools are now enabled by default for all new runners. Pre-initialized suspended VMs cut environment startup from minutes to ~10 seconds. See the warm pools documentation.
- Organization ID added to Prometheus external_labels for multi-org metric filtering.
Other Changes
- Environment UDP egress restricted to DNS, NTP, and QUIC.
- Port 7070 added to firewall rules for port authentication.
- Local remote_write target for the managed metrics pipeline.
- Prometheus updated to v3.11.3.