1.12.18
We are pleased to release Cilium v1.12.18.
This release includes various bugfixes and performance enhancements. The number of trace events is reduced when monitor aggregation is enabled, allowing improved pod-to-pod performance with tunneling and IPsec. Other changes include fixes for the DNS proxy, datapath, etc.
Summary of Changes
Minor Changes:
- Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (Backport PR #30004, Upstream PR #22384, @shaardie)
Bugfixes:
- Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30217, Upstream PR #29239, @jrajahalme)
- cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #30004, Upstream PR #29809, @marseel)
- Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPsec are both enabled. (Backport PR #30004, Upstream PR #29616, @learnitall)
- iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #30181, Upstream PR #29310, @julianwiedmann)
- nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29979, Upstream PR #29964, @gandro)
CI Changes:
- ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29701, Upstream PR #29653, @brb)
- ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29842, Upstream PR #29694, @mhofstetter)
- datapath: Cover subnet encryption in XFRM leak test (Backport PR #30082, Upstream PR #27212, @pchaigno)
- datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30082, Upstream PR #27274, @brb)
- gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29842, Upstream PR #29675, @giorio94)
- node: Integration test for XFRM leaks on node churn (Backport PR #30082, Upstream PR #27187, @pchaigno)
- workflows: Increase IPsec e2e test's timeout (Backport PR #30268, Upstream PR #30194, @julianwiedmann)
- workflows: Increase IPsec upgrade test's timeout (Backport PR #30082, Upstream PR #29934, @pchaigno)
- workflows: Make the conn-disrupt test more sensitive (Backport PR #29701, Upstream PR #29623, @pchaigno)
Misc Changes:
- bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30004, Upstream PR #29880, @julianwiedmann)
- docs: Fix keyid derivation in IPsec docs (Backport PR #30082, Upstream PR #30000, @brb)
- fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30181, Upstream PR #29971, @renovate[bot])
- Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29871, Upstream PR #29801, @jrfastab)
Other Changes:
- install: Update image digests for v1.12.17 (#29808, @nebril)
- v1.12: Ignore packet drops of type "Failed to update or lookup TC buffer" (#30202, @pchaigno)
- v1.12: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#30147, @pchaigno)
- v1.12: update dependency cilium/cilium-cli to v0.15.19 (#30146, @pchaigno)
- v1.12: workflow/ipsec-e2e: bump CLI to v0.15.19 (#30239, @pchaigno)