Summary of Changes
Minor Changes:
- Add the `enable-ipsec-key-watcher` flag and Helm value to allow users to disable the IPsec key watcher and thus require an agent restart for a key rotation to take effect. (Backport PR v1.13 Backports 2023-06-07 #25977, Upstream PR ipsec: Flag to disable key watcher and Helm values #25893, @pchaigno)

Bugfixes:
- Fix `XfrmInNoStates` drops on EKS & AKS upgrades. (#25724, @pchaigno)
- Fix `XfrmOutPolBlock` drops on upgrades. (#25735, @pchaigno)
- Stop Envoy from trusting the `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to the Envoy HTTP configuration, so that the actual remote address of the incoming connection is always used rather than the value of the `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement, where the source security identity is always resolved before HTTP headers are parsed. The previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress, where the source IP address is now appended to the `x-forwarded-for` header. (Backport PR v1.13 backports 2023-05-28 #25731, Upstream PR envoy: Never use x-forwarded-for header, add for Cilium Ingress #25674, @jrajahalme)
- Fix for the `cluster-pool`, `kubernetes`, and `crd` IPAM modes when nodes are deleted.
- Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR v1.13 backports 2023-06-09 #26079, Upstream PR ipsec: Change XFRM FWD policy to simplest wildcard #25953, @pchaigno)
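The `x-forwarded-for` entry above is easiest to understand by watching what Envoy does with a forged header under each setting. The Python below is an added example, not Cilium's or Envoy's code: it models Envoy's documented client-address selection for the HTTP connection manager options `use_remote_address` and `skip_xff_append` (assuming `xff_num_trusted_hops` is 0, the default) and runs a constructed request whose addresses (10.0.1.5, 10.0.0.2) are made up for the illustration.

```python
"""Model of how Envoy picks the trusted client address (added example).

This is not Cilium or Envoy code. It imitates the documented behaviour of
Envoy's HTTP connection manager options `use_remote_address` and
`skip_xff_append` (assuming `xff_num_trusted_hops` is 0) so the effect of
the `x-forwarded-for` fix can be seen on constructed requests.
"""
from dataclasses import dataclass, field

XFF = "x-forwarded-for"


@dataclass
class Request:
    remote_addr: str                 # peer address of the TCP connection
    headers: dict = field(default_factory=dict)


def resolve_client(req, use_remote_address, skip_xff_append):
    """Return (trusted client address, headers forwarded upstream).

    use_remote_address=False: if XFF carries at least one address the
        rightmost one is trusted, else the connection's remote address.
    use_remote_address=True: the connection's remote address is always
        trusted, whatever XFF says.
    XFF is appended with the remote address only when use_remote_address
    is True and skip_xff_append is False; otherwise it is passed through.
    """
    headers = dict(req.headers)
    entries = [e.strip() for e in headers.get(XFF, "").split(",") if e.strip()]
    client = req.remote_addr if use_remote_address or not entries else entries[-1]
    if use_remote_address and not skip_xff_append:
        headers[XFF] = ", ".join(entries + [req.remote_addr])
    return client, headers


# Constructed request: a pod at 10.0.1.5 (assumed address) forges an XFF
# claiming to be 10.0.0.2, an address the upstream app might treat as trusted.
SPOOFED = Request("10.0.1.5", {XFF: "10.0.0.2"})


def before_fix():
    """Earlier config: use_remote_address unset (false), so XFF is trusted."""
    return resolve_client(SPOOFED, use_remote_address=False, skip_xff_append=False)


def after_fix_proxy():
    """Cilium L7 proxy after the fix: use_remote_address and skip_xff_append set."""
    return resolve_client(SPOOFED, use_remote_address=True, skip_xff_append=True)


def after_fix_ingress():
    """Cilium Ingress after the fix: use_remote_address set, XFF appended."""
    return resolve_client(SPOOFED, use_remote_address=True, skip_xff_append=False)


if __name__ == "__main__":
    for name, fn in (("before", before_fix), ("proxy", after_fix_proxy),
                     ("ingress", after_fix_ingress)):
        client, headers = fn()
        print(f"{name:8} client={client:10} {XFF}={headers[XFF]!r}")
```

The "before" case is the problem the fix closes: any client that can reach the proxy can choose the address the upstream sees. Note that, as the entry says, Cilium's own policy decision never depended on this value, so the exposure was limited to applications behind the proxy that read `x-forwarded-for` themselves.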
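`XfrmInNoStates` and `XfrmOutPolBlock` in the two IPsec bugfixes above are kernel XFRM counters exposed in `/proc/net/xfrm_stat`, so the check a cluster operator wants after upgrading is whether those counters keep climbing on a node. The snippet below is an added example, not Cilium code: it parses a constructed copy of that file (one `<counter> <value>` per line) and reports which drop counters grew between two snapshots; the values in the sample are made up.

```python
"""Spot IPsec drop counters in /proc/net/xfrm_stat (added example).

Not Cilium code. The file lists one counter per line as
"<name><whitespace><value>"; rising XfrmInNoStates / XfrmOutPolBlock values
on a node are the symptom the two IPsec upgrade fixes address.
"""
import re

DROP_COUNTERS = ("XfrmInNoStates", "XfrmOutPolBlock")

# Constructed sample mirroring the /proc/net/xfrm_stat format; values made up.
SAMPLE = """\
XfrmInError              0
XfrmInBufferError        0
XfrmInNoStates           42
XfrmInStateProtoError    0
XfrmOutError             0
XfrmOutPolBlock          7
XfrmOutPolDead           0
"""

_LINE = re.compile(r"^(\w+)\s+(\d+)\s*$")


def parse_xfrm_stat(text):
    """Parse xfrm_stat text into {counter: value}, skipping malformed lines."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def drop_delta(before, after, counters=DROP_COUNTERS):
    """Return {counter: increase} for drop counters that grew between snapshots."""
    return {c: after.get(c, 0) - before.get(c, 0)
            for c in counters if after.get(c, 0) > before.get(c, 0)}


def read_live(path="/proc/net/xfrm_stat"):
    """Read the live counters on a Linux node (needs access to /proc)."""
    with open(path) as f:
        return parse_xfrm_stat(f.read())


if __name__ == "__main__":
    baseline = {c: 0 for c in DROP_COUNTERS}
    print(drop_delta(baseline, parse_xfrm_stat(SAMPLE)))
```

On a real node take one snapshot with `read_live()` before the upgrade and one after; any non-empty result from `drop_delta` means packets are being dropped for lack of an XFRM state (inbound) or by a blocking policy (outbound), which is exactly what the fixed versions are meant to avoid.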
CI Changes:
Misc Changes:
Other Changes: