1.11.19
nathanjsweet
Nathan Sweet
We are pleased to release Cilium v1.11.19.
This release addresses the following security issues:
This release includes a security fix for Envoy and improvements to Network Policies.
See the notes below for a full description of the changes.
⚠️ Warning - IPsec ⚠️
Do NOT upgrade to this release if you are using IPsec.
Summary of Changes
Bugfixes:
- client, health/client: set dummy host header on unix:// local communication (Backport PR #26917, Upstream PR #26800, @tklauser)
- Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26872, Upstream PR #26708, @pchaigno)
- Fix bug where CNI gets installed even if cni.install=false (Backport PR #26419, Upstream PR #26278, @joestringer)
- Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26872, Upstream PR #25440, @pchaigno)
- Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26419, Upstream PR #25969, @jrajahalme)
- Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26752, Upstream PR #26344, @jrajahalme)
- ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26419, Upstream PR #26113, @jschwinger233)
CI Changes:
- ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport PR #26801, Upstream PR #26715, @tklauser)
- hostfw tests flake workaround (Backport PR #25557, Upstream PR #25323, @tommyp1ckles)
- test: Fix and unquarantine
Skip conntracktest (Backport PR #27030, Upstream PR #25038, @pchaigno) - v1.11: ci: increase ginkgo kernel test timeout (#26921, @mhofstetter)
- v1.11: ci: use Ariane to trigger workflows (#26578, @nbusseneau)
Misc Changes:
- Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26419, Upstream PR #26130, @brb)
- chore(deps): update actions/setup-go action to v4 (v1.11) (#26391, @renovate[bot])
- chore(deps): update all github action dependencies (v1.11) (minor) (#26452, @renovate[bot])
- chore(deps): update all github action dependencies (v1.11) (patch) (#26449, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26450, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26451, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to c9820a4 (v1.11) (#26448, @renovate[bot])
- chore(deps): update hubble cli to v0.12.0 (v1.11) (minor) (#26769, @renovate[bot])
- docker: Detect default "desktop-linux" builder (Backport PR #26419, Upstream PR #25908, @jrajahalme)
- docs/ipsec: Clarify limitation on number of nodes (Backport PR #26872, Upstream PR #26810, @pchaigno)
- docs/ipsec: Document RSS limitation (Backport PR #27030, Upstream PR #26979, @pchaigno)
- docs/ipsec: Extend troubleshooting section (Backport PR #27030, Upstream PR #26808, @pchaigno)
- docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26419, Upstream PR #26180, @wedaly)
- docs: Pick up PyYAML 6.0.1 (Backport PR #26917, Upstream PR #26883, @michi-covalent)
- docs: reword incorrect L7 policy description (Backport PR #26419, Upstream PR #26092, @peterj)
- docs: Specify Helm chart version in "cilium install" commands (Backport PR #27030, Upstream PR #26934, @michi-covalent)
- Fix "make -C Documentation builder-image" (Backport PR #26917, Upstream PR #26874, @michi-covalent)
- test/provision/compile.sh: Make usable from dev VM (Backport PR #25557, Upstream PR #25352, @jrajahalme)
Other Changes:
- envoy: Bump envoy to v1.24.9 (#26807, @sayboras)
- envoy: Bump envoy version to v1.23.10 (#25891, @mhofstetter)
- envoy: Bump envoy version to v1.24.10 (#27067, @sayboras)
- envoy: Bump minor version to v1.24.x (#26329, @sayboras)
- install: Update image digests for v1.11.18 (#26268, @qmonnet)
- v1.11 docs: Use stable-v0.14.txt for cilium-cli version (#26467, @michi-covalent)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4
quay.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.11.19@sha256:9346b296322036d2df98bd0ebdc721f4fafd5449030c7fd5dc53b20103758eee
quay.io/cilium/clustermesh-apiserver:v1.11.19@sha256:9346b296322036d2df98bd0ebdc721f4fafd5449030c7fd5dc53b20103758eee
docker-plugin
docker.io/cilium/docker-plugin:v1.11.19@sha256:dc5eb50a89ef4fc31596f922fb63149f1e2d68a563ae5844cd83b61d7da7c04e
quay.io/cilium/docker-plugin:v1.11.19@sha256:dc5eb50a89ef4fc31596f922fb63149f1e2d68a563ae5844cd83b61d7da7c04e
hubble-relay
docker.io/cilium/hubble-relay:v1.11.19@sha256:8c1032dfb03359e0576061502196e06eefb8ef12743d602e075e7f97f56667e4
quay.io/cilium/hubble-relay:v1.11.19@sha256:8c1032dfb03359e0576061502196e06eefb8ef12743d602e075e7f97f56667e4
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.11.19@sha256:9cb60d9362a362b58bb33da6b7a4b73f7882d0bc580af74c91c50d3112a74e2e
quay.io/cilium/operator-alibabacloud:v1.11.19@sha256:9cb60d9362a362b58bb33da6b7a4b73f7882d0bc580af74c91c50d3112a74e2e
operator-aws
docker.io/cilium/operator-aws:v1.11.19@sha256:b121c72160abc99112bf155d05f3c09fca266a3ea026143d86da7376654f708b
quay.io/cilium/operator-aws:v1.11.19@sha256:b121c72160abc99112bf155d05f3c09fca266a3ea026143d86da7376654f708b
operator-azure
docker.io/cilium/operator-azure:v1.11.19@sha256:13c1030a90f38c483ae5b0696e0597c4129697f3af81e1eeb238d7d5a04e326e
quay.io/cilium/operator-azure:v1.11.19@sha256:13c1030a90f38c483ae5b0696e0597c4129697f3af81e1eeb238d7d5a04e326e
operator-generic
docker.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23
quay.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23
operator
docker.io/cilium/operator:v1.11.19@sha256:26f479a21f3079eb0da4700b9ffd012dfce9b38d635486998bbe352b8f8df740
quay.io/cilium/operator:v1.11.19@sha256:26f479a21f3079eb0da4700b9ffd012dfce9b38d635486998bbe352b8f8df740
