Releases: cilium/cilium

1.15.4

19 Apr 22:06
v1.15.4

We are pleased to announce the release of Cilium v1.15.4.

This release includes the option to configure Node map size, additional detail when using cilium-dbg bpf metrics list, a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map, and performance improvements to the Connection Tracking implementation. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm.

Summary of Changes

Minor Changes:

  • Add "node-map-max" to allow configuring nodemap size. (Backport PR #31727, Upstream PR #31407, @tommyp1ckles)
  • Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (Backport PR #31558, Upstream PR #30972, @ti-mo)
  • bugtool: Collect hubble metrics (Backport PR #31890, Upstream PR #31533, @chancez)
  • feat: Add the http return code to metric api_processed_total (Backport PR #31890, Upstream PR #31227, @vipul-21)
  • Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused the retry of a failed BPF map update for a service entry to be skipped, leading to a missing entry. This may have, for example, adversely affected recovery from a full BPF service map after excess services were removed. (Backport PR #31890, Upstream PR #29581, @xyz-li)
  • Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (Backport PR #31785, Upstream PR #31082, @julianwiedmann)

Bugfixes:

  • Avoid drops with "CT: Unknown L4 protocol" for non-ICMP/TCP/UDP traffic, caused by an error check in the BPF NAT engine. (Backport PR #31890, Upstream PR #31820, @julianwiedmann)
  • cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #31727, Upstream PR #31622, @gandro)
  • cni: Allow text-ts log format value (Backport PR #31890, Upstream PR #31686, @sayboras)
  • Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and --devices provided. (Backport PR #31601, Upstream PR #31345, @pchaigno)
  • Fix incorrect reporting of the number of etcd lock leases in cilium-dbg status. (Backport PR #31890, Upstream PR #31781, @giorio94)
  • fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR #31727, Upstream PR #31104, @tamilmani1989)
  • Fixed a race condition in service updates for L7 LB. (Backport PR #31860, Upstream PR #31744, @jrajahalme)
  • fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31870, @nathanjsweet)
  • fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (Backport PR #31727, Upstream PR #31328, @nathanjsweet)
  • gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (Backport PR #31769, Upstream PR #30686, @cjvirtucio87)
  • gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (Backport PR #31769, Upstream PR #31361, @chaunceyjiang)
  • gateway-api: shorten the length of the value of the svc's label. (Backport PR #31769, Upstream PR #31292, @chaunceyjiang)
  • ingress/gateway-api: sort virtual hosts in CEC (Backport PR #31739, Upstream PR #31493, @mhofstetter)
  • ingress/gateway-api: stable envoy listener filterchain sort-order (Backport PR #31601, Upstream PR #31572, @mhofstetter)
  • metric: Avoid memory leak/increase in cilium-agent (Backport PR #31890, Upstream PR #31714, @sayboras)

CI Changes:

  • ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR #31727, Upstream PR #31594, @qmonnet)
  • ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31727, Upstream PR #31652, @qmonnet)
  • deflake endpointmanager tests (Backport PR #31601, Upstream PR #31488, @bimmlerd)
  • gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR #31428, Upstream PR #29704, @brb)
  • Make BPF unit tests reproducible (Backport PR #31663, Upstream PR #31526, @ti-mo)
  • Make testdata build output more stable by reducing header includes (Backport PR #31663, Upstream PR #31644, @ti-mo)
  • update azure k8s versions (Backport PR #31890, Upstream PR #31220, @brlbil)
  • workflows: Debug info for key rotations (Backport PR #31727, Upstream PR #31627, @pchaigno)
  • workflows: ipsec-e2e: add missing key types for some configs (Backport PR #31727, Upstream PR #31636, @julianwiedmann)

Misc Changes:

Other Changes:

Docker Manifests


1.14.10

19 Apr 22:09
v1.14.10

We are pleased to announce the release of Cilium v1.14.10.

This release includes hubble metrics when using cilium sysdump, and a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm.

Summary of Changes

Minor Changes:

  • bugtool: Collect hubble metrics (Backport PR #31888, Upstream PR #31533, @chancez)
  • Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused the retry of a failed BPF map update for a service entry to be skipped, leading to a missing entry. This may have, for example, adversely affected recovery from a full BPF service map after excess services were removed. (Backport PR #31888, Upstream PR #29581, @xyz-li)
  • Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (Backport PR #31007, Upstream PR #27498, @jrajahalme)

Bugfixes:

  • cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #31724, Upstream PR #31622, @gandro)
  • cni: Allow text-ts log format value (Backport PR #31888, Upstream PR #31686, @sayboras)
  • fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR #31724, Upstream PR #31104, @tamilmani1989)
  • Fixed a race condition in service updates for L7 LB. (Backport PR #31861, Upstream PR #31744, @jrajahalme)
  • Fixed issue with assigning nodeID 0 when the corresponding BPF map runs out of space.
    This could potentially have impacted connectivity in large clusters (>4k nodes) with IPsec or Mutual Auth enabled.
    Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31656, Upstream PR #31380, @marseel)
  • fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31871, @nathanjsweet)
  • fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31801, @nathanjsweet)
  • metric: Avoid memory leak/increase in cilium-agent (Backport PR #31888, Upstream PR #31714, @sayboras)

CI Changes:

  • ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR #31724, Upstream PR #31594, @qmonnet)
  • ci-e2e: Enable Ingress Controller test for more setup (Backport PR #31658, Upstream PR #30657, @sayboras)
  • ci-ipsec-e2e: Misc refactor + more keys (Backport PR #31429, Upstream PR #29592, @brb)
  • ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31724, Upstream PR #31652, @qmonnet)
  • deflake endpointmanager tests (Backport PR #31724, Upstream PR #31488, @bimmlerd)
  • gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR #31429, Upstream PR #29704, @brb)
  • gha: Enable Ingress Controller tests in conformance-e2e (Backport PR #31658, Upstream PR #29130, @sayboras)
  • workflows: Debug info for key rotations (Backport PR #31724, Upstream PR #31627, @pchaigno)

Misc Changes:

Other Changes:

Docker Manifests


1.13.15

19 Apr 22:11
v1.13.15

We are pleased to announce the release of Cilium v1.13.15.

This release includes a fix to the retry logic in the cilium health controllers, a fix to a race condition when updating L7 LB Services, and a fix for Node ID assignment in BPF maps for very large clusters. In addition, there were a variety of testing enhancements and documentation updates.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm.

Summary of Changes

Minor Changes:

Bugfixes:

  • cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #31722, Upstream PR #31622, @gandro)
  • Fixed a race condition in service updates for L7 LB. (Backport PR #31862, Upstream PR #31744, @jrajahalme)
  • Fixed issue with assigning nodeID 0 when the corresponding BPF map runs out of space.
    This could potentially have impacted connectivity in large clusters (>4k nodes) with IPsec or Mutual Auth enabled.
    Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31657, Upstream PR #31380, @marseel)

CI Changes:

Misc Changes:

  • chore(deps): update all github action dependencies (v1.13) (#31835, @renovate[bot])
  • chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.13) (#31709, @renovate[bot])
  • chore(deps): update go to v1.21.9 (v1.13) (#31766, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#31710, @renovate[bot])
  • docs: Document No node ID found drops in case of remote node deletion (Backport PR #31722, Upstream PR #31635, @pchaigno)
  • docs: ipsec: document native-routing + Egress proxy case (Backport PR #31722, Upstream PR #31478, @julianwiedmann)
  • helm: update nodeinit image using renovate (Backport PR #31722, Upstream PR #31641, @tklauser)
  • Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31722, Upstream PR #29300, @learnitall)
  • v1.13: update cilium/certgen to v0.1.11 (#31884, @rolinh)

Other Changes:

Docker Manifests


1.16.0-pre.1

03 Apr 03:35
v1.16.0-pre.1

Summary of Changes

Major Changes:

  • Add a readinessProbe to the kvstoremesh container that reports initial synchronization status to support configuring a separate, initial rate-limit to be used while synchronizing. Both clustermesh-apiserver and kvstoremesh now use a high initial rate-limit to decrease start time. (#30361, @thorn3r)
  • bpf: introduce encrypted overlay datapath support (#31073, @ldelossa)
  • multicast: add CLIs to manage multicast BPF maps (#31355, @harsimran-pabla)
  • policy/k8s: Add support for CIDRGroupRef in IngressDeny and EgressDeny (#30933, @pippolo84)
  • This adds a new policy field, EnableDefaultDeny, which permits the creation of network policies that do not drop non-matching traffic. (#30572, @squeed)

Minor Changes:

  • Add "node-map-max" to allow configuring nodemap size. (#31407, @tommyp1ckles)
  • Add helm values.schema.json file for validating supplied values for correct type. (#30631, @ubergesundheit)
  • Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (#30972, @ti-mo)
  • Add support for ClusterIP service advertisement with BGP Control Plane (#30963, @chaunceyjiang)
  • Add support for ExternalIP service advertisement with BGP Control Plane (#31245, @chaunceyjiang)
  • agent: add several new flags to control Cilium's datapath events notifications (#30063, @mvisonneau)
  • Allow the Host Firewall and IPv6 BPF masquerading to be used together. (#31511, @qmonnet)
  • Allows for using AWS SGs in the ingress section of rules. (#30708, @Alex-Waring)
  • bgpv1: Add Local internalTrafficPolicy support for ClusterIP advertisements (#31442, @chaunceyjiang)
  • bgpv1: BGP Control Plane metrics (#31469, @YutaroHayakawa)
  • bugtool: Collect hubble metrics (#31533, @chancez)
  • Change Node IPAM to select all nodes if externalTrafficPolicy=Cluster and add nodeipam.cilium.io/match-node-labels annotation (#31406, @MrFreezeex)
  • cleanup: Remove deprecated values for KPR (#31286, @sayboras)
  • cni: use default logger with timestamps. (#31014, @tommyp1ckles)
  • envoy: Add support for exposing Envoy Admin API (#30655, @sayboras)
  • feat: Add the http return code to metric api_processed_total (#31227, @vipul-21)
  • Fix Cilium default values for EKS when Cilium clustermesh-apiserver LoadBalancer fails to create NLB with AWS Load Balancer Controller with syntax error. (#31329, @oshangalwaduge)
  • Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (#31205, @squeed)
  • fqdn: avoid expensive sort/unique of names during GC (#30920, @tklauser)
  • GatewayAPI supports setting the number of trusted loadbalancer hops (#30662, @chaunceyjiang)
  • helm: Bump minimum k8s version to v1.21+ (#31648, @sayboras)
  • ingress: Allow strict kube-proxy-replacement (#31284, @sayboras)
  • Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (#31159, @pchaigno)
  • labelsfilter: Always apply Cluster entity specific identity-relevant label (#31178, @soggiest)
  • Only detach Cilium-owned legacy XDP programs when XDP is disabled (#31654, @ti-mo)
  • pkg/kvstore/allocator: Standardize usage of logfields (#30526, @antonipp)
  • Remove helm option enable-remote-node-identity after being deprecated in v1.15. (#31228, @doniacld)
  • Support IPv4 fragmentation for service backends. (#31364, @julianwiedmann)
  • This allows the initialDelaySeconds option to be configured. This allows users running larger clusters to extend the time it takes for preflight to become ready. (#30495, @chaunceyjiang)
  • WG: Improve L7 checks (#31299, @brb)

Bugfixes:

  • bpf: use bpf_htons instead of using shift (#31247, @chez-shanpu)
  • Cilium allows selecting 'lo' as a device again. (#31200, @bimmlerd)
  • cilium-health: Fix broken retry loop in cilium-health-ep controller (#31622, @gandro)
  • cni: Allow text-ts log format value (#31686, @sayboras)
  • cni: Use batch endpoint deletion API in chaining plugin (#31456, @sayboras)
  • envoy: register secret syncer even if only CEC is enabled (#31447, @mhofstetter)
  • Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (#31164, @joamaki)
  • Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and --devices provided. (#31345, @pchaigno)
  • Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (#31395, @tklauser)
  • Fix the logic of the api-server connectivity check for the kubernetes probe (#31019, @tkna)
  • fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (#31104, @tamilmani1989)
  • Fixed issue when updated nodes were being reported with unknown connectivity status in health report (#30917, @marseel)
  • Fixed issue with assigning nodeID 0 when the corresponding BPF map runs out of space.
    This could potentially have impacted connectivity in large clusters (>4k nodes) with IPsec or Mutual Auth enabled.
    Otherwise, it was merely generating unnecessary error log messages. (#31380, @marseel)
  • fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31328, @nathanjsweet)
  • gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (#30686, @cjvirtucio87)
  • gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (#31361, @chaunceyjiang)
  • gateway-api: Retrieve LB service from same namespace (#31271, @sayboras)
  • gateway-api: shorten the length of the value of the svc's label. (#31292, @chaunceyjiang)
  • helm: Update pod affinity for cilium-envoy (#31150, @sayboras)
  • hubble/relay: Fix certificate reloading in PeerManager (#31376, @glrf)
  • hubble: fix parsing of invalid HTTP URLs (#31100, @kaworu)
  • Hubble: fix traffic direction and is reply when IPSec is enabled (#31211, @kaworu)
  • ingress/gateway-api: sort virtual hosts in CEC (#31493, @mhofstetter)
  • ingress/gateway-api: stable envoy listener filterchain sort-order (#31572, @mhofstetter)
  • k8s/utils: correctly filter out labels in StripPodSpecialLabels (#31421, @tklauser)
  • metric: Avoid memory leak/increase in cilium-agent (#31714, @sayboras)
  • metrics: Disable prometheus metrics by default (#31144, @joestringer)
  • operator: fix errors/warnings metric. (#31214, @tommyp1ckles)
  • Updated Kernel parsing to handle single and double digit kernel version as well (#30699, @MeherRushi)

CI Changes:

Misc Changes:

1.15.3

26 Mar 17:27
v1.15.3

We are pleased to release Cilium v1.15.3.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

Bugfixes:

  • [v1.15 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled (#31451, @mhofstetter)
  • cni: Use batch endpoint deletion API in chaining plugin (Backport PR #31515, Upstream PR #31456, @sayboras)
  • Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (Backport PR #31342, Upstream PR #31164, @joamaki)
  • Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31473, Upstream PR #31395, @tklauser)
  • Fixed issue with assigning nodeID 0 when the corresponding BPF map runs out of space.
    This could potentially have impacted connectivity in large clusters (>4k nodes) with IPsec or Mutual Auth enabled.
    Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31490, Upstream PR #31380, @marseel)
  • gateway-api: Retrieve LB service from same namespace (Backport PR #31490, Upstream PR #31271, @sayboras)
  • Handle InvalidParameterValue as well for PD fallback (Backport PR #31490, Upstream PR #31016, @hemanthmalla)
  • helm: Update pod affinity for cilium-envoy (Backport PR #31490, Upstream PR #31150, @sayboras)
  • hubble/relay: Fix certificate reloading in PeerManager (Backport PR #31568, Upstream PR #31376, @glrf)
  • Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31568, Upstream PR #31211, @kaworu)
  • k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31473, Upstream PR #31421, @tklauser)
  • metrics: Disable prometheus metrics by default (Backport PR #31342, Upstream PR #31144, @joestringer)
  • operator: fix errors/warnings metric. (Backport PR #31490, Upstream PR #31214, @tommyp1ckles)

CI Changes:

Misc Changes:

  • Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31342, Upstream PR #31015, @learnitall)
  • Address race condition in TestGetIdentity (Backport PR #31541, Upstream PR #30885, @bimmlerd)
  • bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR #31342, Upstream PR #31218, @YutaroHayakawa)
  • chore(deps): update all github action dependencies (v1.15) (#31480, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.15) (#31582, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.15) (#31464, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.15) (#31450, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (v1.15) (#31453, @renovate[bot])
  • chore: update json-mock image source in examples (Backport PR #31568, Upstream PR #31373, @loomkoom)
  • cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31568, Upstream PR #31503, @mhofstetter)
  • datapath, bpf: Remove unnecessary IPsec code (Backport PR #31490, Upstream PR #31344, @pchaigno)
  • doc: Clarified GwAPI KPR prerequisites (Backport PR #31490, Upstream PR #31366, @PhilipSchmid)
  • docs: Warn on key rotations during upgrades (Backport PR #31490, Upstream PR #31437, @pchaigno)
  • Don't emit an error message on namespace termination due to Ingress reconciliation (Backport PR #31342, Upstream PR #30808, @giorio94)
  • Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR #31342, Upstream PR #31179, @YutaroHayakawa)
  • endpointmanager: Improve health reporter messages when stopped (Backport PR #31342, Upstream PR #31231, @christarazi)
  • hive/cell/health: don't warn when reporting on stopped reporter. (Backport PR #31490, Upstream PR #31262, @tommyp1ckles)
  • ingress: Update docs with network policy example (Backport PR #31342, Upstream PR #31060, @sayboras)
  • job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (Backport PR #31490, Upstream PR #30929, @bimmlerd)
  • loader: add message if error is ENOTSUP (Backport PR #31490, Upstream PR #31413, @kkourt)
  • policy: Fix missing labels from SelectorCache selectors (Backport PR #31490, Upstream PR #31358, @christarazi)
  • Replaced declare_tailcall_if with logic in the loader (Backport PR #31554, Upstream PR #30467, @dylandreimerink)

Other Changes:

1.14.9

26 Mar 19:19
v1.14.9

We are pleased to release Cilium v1.14.9.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

Bugfixes:

  • [v1.14 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled (#31452, @mhofstetter)
  • Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31474, Upstream PR #31395, @tklauser)
  • gateway-api: Retrieve LB service from same namespace (Backport PR #31495, Upstream PR #31271, @sayboras)
  • Handle InvalidParameterValue as well for PD fallback (Backport PR #31495, Upstream PR #31016, @hemanthmalla)
  • helm: Update pod affinity for cilium-envoy (Backport PR #31495, Upstream PR #31150, @sayboras)
  • Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31569, Upstream PR #31211, @kaworu)
  • k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31474, Upstream PR #31421, @tklauser)

CI Changes:

Misc Changes:

  • Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31335, Upstream PR #31015, @learnitall)
  • Address race condition in TestGetIdentity (Backport PR #31542, Upstream PR #30885, @bimmlerd)
  • bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR #31335, Upstream PR #31218, @YutaroHayakawa)
  • chore(deps): update all github action dependencies (v1.14) (#31483, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (#31583, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.14) (#31465, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.14) (#31481, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (v1.14) (#31482, @renovate[bot])
  • cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31569, Upstream PR #31503, @mhofstetter)
  • doc: Clarified GwAPI KPR prerequisites (Backport PR #31495, Upstream PR #31366, @PhilipSchmid)
  • docs: Warn on key rotations during upgrades (Backport PR #31495, Upstream PR #31437, @pchaigno)
  • Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR #31335, Upstream PR #31179, @YutaroHayakawa)
  • ingress: Update docs with network policy example (Backport PR #31335, Upstream PR #31060, @sayboras)

Other Changes:

1.13.14

26 Mar 21:16
v1.13.14

We are pleased to release Cilium v1.13.14.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

  • cni: use default logger with timestamps. (Backport PR #31309, Upstream PR #31014, @tommyp1ckles)
  • Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (Backport PR #31309, Upstream PR #31159, @pchaigno)

Bugfixes:

  • Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31476, Upstream PR #31395, @tklauser)
  • Fix bug leading to missed ipcache updates for the CiliumInternalIP when --enable-remote-node-identity=false, and unnecessary ipcache_errors_total metric increase if Cilium operates in kvstore mode. (#31396, @giorio94)
  • gateway-api: Retrieve LB service from same namespace (Backport PR #31496, Upstream PR #31271, @sayboras)
  • Handle InvalidParameterValue as well for PD fallback (Backport PR #31496, Upstream PR #31016, @hemanthmalla)
  • Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31496, Upstream PR #31211, @kaworu)
  • k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31476, Upstream PR #31421, @tklauser)

CI Changes:

Misc Changes:

  • Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31309, Upstream PR #31015, @learnitall)
  • chore(deps): update all github action dependencies (v1.13) (#31485, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (#31584, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.13) (#31484, @renovate[bot])
  • cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31570, Upstream PR #31503, @mhofstetter)
  • doc: Clarified GwAPI KPR prerequisites (Backport PR #31496, Upstream PR #31366, @PhilipSchmid)
  • docs: Warn on key rotations during upgrades (Backport PR #31496, Upstream PR #31437, @pchaigno)

Other Changes:

1.14.8

15 Mar 16:14
v1.14.8

We are pleased to release Cilium v1.14.8.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes to the IPsec stack, to resolve issues for connections that are selected by an L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Minor Changes:

  • Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30835, Upstream PR #28723, @julianwiedmann)
  • Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31337, Upstream PR #31205, @squeed)

Bugfixes:

  • endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #31000, Upstream PR #30170, @oblazek)
  • Fix a bug that prevented endpoints from sending or receiving network traffic because the 'reserved:init' label persisted after initialization. (Backport PR #31048, Upstream PR #30909, @aanm)
  • Fixes an IPv6 issue where Cilium did not respond to Neighbor Solicitations targeting pods on the same node. (Backport PR #31186, Upstream PR #30837, @jschwinger233)
  • Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #31160, Upstream PR #29530, @jschwinger233)
  • Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31160, Upstream PR #29594, @jschwinger233)
  • Fixes proxy issues in egress direction (Backport PR #31160, Upstream PR #30095, @jschwinger233)
  • helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #31000, Upstream PR #30970, @iandrewt)
  • Policy revert used in rare error cases has been corrected. (Backport PR #30882, Upstream PR #29162, @jrajahalme)
  • srv6: Fix packet drop with GSO type mismatch (Backport PR #30800, Upstream PR #30732, @YutaroHayakawa)
  • xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31156, Upstream PR #31061, @sayboras)

CI Changes:

  • Re-align the conformance clustermesh matrix entries with main now that the interoperability issue has been fixed (#30912, @giorio94)
  • ci-e2e: restore 6.1 kernels (#30862, @lmb)
  • ci/ipsec: Fix downgrade version retrieval (Backport PR #31048, Upstream PR #30742, @qmonnet)
  • ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30864, Upstream PR #30790, @brlbil)
  • CI: Update tested K8S versions across all cloud providers (Backport PR #30864, Upstream PR #30795, @brlbil)
  • Fix datapath mode in Network Performance CI test (Backport PR #30864, Upstream PR #30756, @marseel)
  • workflows: Clean IPsec test output (Backport PR #30800, Upstream PR #30759, @pchaigno)

Misc Changes:

Other Changes:

1.13.13

15 Mar 16:14
v1.13.13

We are pleased to release Cilium v1.13.13.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes to the IPsec stack, to resolve issues for connections that are selected by an L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Bugfixes:

CI Changes:

  • ci/ipsec: Fix downgrade version retrieval (Backport PR #31049, Upstream PR #30742, @qmonnet)
  • ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30865, Upstream PR #30790, @brlbil)
  • CI: Update tested K8S versions across all cloud providers (Backport PR #30865, Upstream PR #30795, @brlbil)
  • Fix datapath mode in Network Performance CI test (Backport PR #30865, Upstream PR #30756, @marseel)
  • k8s_install.sh: specify the CNI version (Backport PR #31246, Upstream PR #31182, @aanm)
  • workflows: Clean IPsec test output (Backport PR #30801, Upstream PR #30759, @pchaigno)

Misc Changes:

  • bpf: host: skip from-proxy handling in from-netdev (Backport PR #31161, Upstream PR #29962, @julianwiedmann)
  • bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #31161, Upstream PR #29721, @julianwiedmann)
  • bugtool: Capture memory fragmentation info from /proc (Backport PR #31157, Upstream PR #30966, @pchaigno)
  • Bump google.golang.org/protobuf (v1.13) (#31312, @ferozsalam)
  • Change ariane config CODEOWNERS (Backport PR #30865, Upstream PR #30803, @brlbil)
  • chore(deps): update all github action dependencies (v1.13) (#30957, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (#31115, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (#31298, @renovate[bot])
  • chore(deps): update all github action dependencies to v4 (v1.13) (major) (#30783, @renovate[bot])
  • chore(deps): update all-dependencies (v1.13) (#30955, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.13) (#31295, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.13) (#30737, @renovate[bot])
  • chore(deps): update go to v1.21.7 (v1.13) (#30956, @renovate[bot])
  • chore(deps): update go to v1.21.8 (v1.13) (#31185, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.2 (v1.13) (#31340, @renovate[bot])
  • chore(deps): update kindest/node docker tag to v1.27.11 (v1.13) (#31141, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.13) (#30982, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#30812, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#31142, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#31296, @renovate[bot])
  • docs: Document XfrmInStateInvalid errors (Backport PR #30801, Upstream PR #30151, @pchaigno)
  • docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31157, Upstream PR #30462, @saintdle)
  • images: bump cni plugins to v1.4.1 (#31350, @aanm)
  • pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #31161, Upstream PR #29761, @julianwiedmann)

Other Changes:

1.15.2

13 Mar 17:39
v1.15.2

We are pleased to release Cilium v1.15.2. This release contains various bug fixes and improvements.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes to the IPsec stack, to resolve issues for connections that are selected by an L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.
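
The IPsec caveat repeated in the 1.13.13, 1.14.8 and 1.15.2 notes above names the connections at risk (those selected by an L7 or DNS policy, with overlay routing making it worse) but not how to find them in a cluster. The script below is an added example, not Cilium's own code, that scans the policy objects you would get from `kubectl get cnp,ccnp -A -o json` and the `cilium-config` ConfigMap, and reports which policies route traffic through the L7 proxy (`http`, `kafka`, `dns` or `l7` rules, plus `toFQDNs`, which depends on the DNS proxy) together with whether IPsec and overlay routing are enabled. The `SAMPLE_*` documents are constructed inline so it runs offline; the ConfigMap keys `enable-ipsec`, `routing-mode` and `tunnel` are the ones it assumes the cluster uses.

```python
"""Pre-upgrade check: which policies fall under the IPsec + L7/DNS policy caveat.

Added example, not Cilium code. Input shapes: the JSON list from
`kubectl get cnp,ccnp -A -o json` and the cilium-config ConfigMap object.
"""
import json

L7_RULE_KEYS = ("http", "kafka", "dns", "l7")

# Constructed sample policies: one L7 HTTP policy, one DNS/toFQDNs policy, one plain L3/L4.
SAMPLE_POLICIES = {"items": [
    {"kind": "CiliumNetworkPolicy",
     "metadata": {"name": "api-l7", "namespace": "shop"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "api"}},
              "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "web"}}],
                           "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}],
                                        "rules": {"http": [{"method": "GET", "path": "/v1/.*"}]}}]}]}},
    {"kind": "CiliumNetworkPolicy",
     "metadata": {"name": "egress-dns", "namespace": "shop"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "web"}},
              "egress": [{"toEndpoints": [{"matchLabels": {"k8s-app": "kube-dns"}}],
                          "toPorts": [{"ports": [{"port": "53", "protocol": "ANY"}],
                                       "rules": {"dns": [{"matchPattern": "*"}]}}]},
                         {"toFQDNs": [{"matchName": "api.example.com"}],
                          "toPorts": [{"ports": [{"port": "443", "protocol": "TCP"}]}]}]}},
    {"kind": "CiliumClusterwideNetworkPolicy",
     "metadata": {"name": "allow-db"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "db"}},
              "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "api"}}],
                           "toPorts": [{"ports": [{"port": "5432", "protocol": "TCP"}]}]}]}},
]}

# Constructed cilium-config ConfigMap (assumed key names).
SAMPLE_CONFIG = {"data": {"enable-ipsec": "true", "routing-mode": "tunnel"}}


def l7_kinds(policy):
    """Return the set of proxy-backed rule kinds one CNP/CCNP uses (empty if none)."""
    specs = [policy["spec"]] if "spec" in policy else policy.get("specs", [])
    kinds = set()
    for spec in specs:
        for direction in ("ingress", "egress"):
            for rule in spec.get(direction) or []:
                for port_rule in rule.get("toPorts") or []:
                    rules = port_rule.get("rules") or {}
                    kinds.update(k for k in L7_RULE_KEYS if rules.get(k))
                # toFQDNs needs the DNS proxy to learn IPs, so it falls under the caveat too
                if rule.get("toFQDNs"):
                    kinds.add("toFQDNs")
    return kinds


def affected_policies(policy_list):
    """Map 'namespace/name' ('<cluster>/name' for CCNPs) to its sorted L7 rule kinds."""
    out = {}
    for item in policy_list["items"]:
        kinds = l7_kinds(item)
        if kinds:
            md = item["metadata"]
            out[f"{md.get('namespace', '<cluster>')}/{md['name']}"] = sorted(kinds)
    return out


def upgrade_risk(policy_list, cilium_config):
    """Summarise the caveat: affected policies plus the encryption and routing settings."""
    data = cilium_config.get("data", {})
    ipsec = data.get("enable-ipsec", "false").lower() == "true"
    # routing-mode (newer releases) or tunnel (older releases) decides overlay vs native
    overlay = (data.get("routing-mode", "tunnel") == "tunnel"
               and data.get("tunnel", "vxlan") != "disabled")
    affected = affected_policies(policy_list)
    return {"ipsec": ipsec, "overlay_routing": overlay, "affected": affected,
            "disruption_possible": ipsec and bool(affected)}


if __name__ == "__main__":
    print(json.dumps(upgrade_risk(SAMPLE_POLICIES, SAMPLE_CONFIG), indent=2))
```

Run it against the real objects before rolling out one of these patch releases with IPsec enabled; the `affected` map tells you which workloads to schedule the upgrade around, and `overlay_routing` being true is the configuration the notes single out.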

Summary of Changes

Minor Changes:

  • Add default divisor for GOMEMLIMIT to satisfy Argo CD diff (Backport PR #30997, Upstream PR #30635, @jdmcmahan)
  • Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31318, Upstream PR #31205, @squeed)
  • Gateway API BackendRef filters support (Backport PR #30997, Upstream PR #30090, @chaunceyjiang)

Bugfixes:

  • Cilium allows selecting 'lo' as a device again. (Backport PR #31206, Upstream PR #31200, @bimmlerd)
  • endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #30997, Upstream PR #30170, @oblazek)
  • Fix a bug in the VTEP feature that caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (Backport PR #31154, Upstream PR #31039, @joestringer)
  • Fix a bug that prevented endpoints from sending or receiving network traffic because the 'reserved:init' label persisted after initialization. (Backport PR #31047, Upstream PR #30909, @aanm)
  • Fix GC interval calculation by taking into account the actual time passed between GC runs. (Backport PR #31154, Upstream PR #28657, @gentoo-root)
  • Fix host firewall policy enforcement for pod to node traffic when tunneling is enabled and KPR is disabled (Backport PR #30997, Upstream PR #30818, @giorio94)
  • Fix the referenced interface in iptables rules (eni+ instead of lxc+) when --enable-endpoint-routes=true and --cni-chaining-mode="aws-cni" (Backport PR #31154, Upstream PR #30766, @pippolo84)
  • Fixes an IPv6 issue where Cilium did not respond to Neighbor Solicitations targeting pods on the same node. (Backport PR #31155, Upstream PR #30837, @jschwinger233)
  • Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31158, Upstream PR #29594, @jschwinger233)
  • Fixes proxy issues in egress direction (Backport PR #31158, Upstream PR #30095, @jschwinger233)
  • Fixes some valid GC entries being removed at agent restart (Backport PR #30863, Upstream PR #29696, @rsafonseca)
  • gateway-api: Correct the null check for GRPCRoute Match (Backport PR #31154, Upstream PR #31052, @sayboras)
  • helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #30997, Upstream PR #30970, @iandrewt)
  • hubble: fix parsing of invalid HTTP URLs (Backport PR #31154, Upstream PR #31100, @kaworu)
  • srv6: Fix packet drop with GSO type mismatch (Backport PR #30799, Upstream PR #30732, @YutaroHayakawa)
  • statedb: Fix race between Observable and DB stopping (Backport PR #30863, Upstream PR #30816, @joamaki)
  • xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31154, Upstream PR #31061, @sayboras)

CI Changes:

  • ci/ipsec: Fix downgrade version retrieval (Backport PR #31047, Upstream PR #30742, @qmonnet)
  • ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30863, Upstream PR #30790, @brlbil)
  • CI: Update tested K8S versions across all cloud providers (Backport PR #30863, Upstream PR #30795, @brlbil)
  • Fix datapath mode in Network Performance CI test (Backport PR #30863, Upstream PR #30756, @marseel)
  • Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (Backport PR #31154, Upstream PR #30778, @learnitall)

Misc Changes:

Other Changes: