1.15.0

@aanm aanm released this 31 Jan 20:07
· 2255 commits to main since this release
v1.15.0

Changelog

The Cilium core team are excited to announce the Cilium 1.15 release. 🎉

Summary of Changes

Major Changes:

  • Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
  • Add support for extending ClusterMesh to 511 clusters
    By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
  • Add support for Gateway API v1.0 (#28836, @sayboras)
  • Add support for k8s 1.28 (#27361, @aanm)
  • Allow selecting nodes by CIDR policy (#27464, @squeed)
  • bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command (#27182, @rastislavs)
  • gateway-api: Support GRPCRoute resource (#28654, @sayboras)
  • k8s: add support for k8s 1.29.0 (#29473, @aanm)
  • Module Health: Node Manager: First Iteration (#25994, @tommyp1ckles)
  • Support BGP passwords in the Go BGP implementation. (#23759, @dgl)

Minor Changes:

  • *_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
  • io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE> and io.cilium.podippool.name: <CiliumPodIPPool_NAME> selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. (#28314, @danehans)
  • Add cilium bpf auth flush command for debugging purposes (#27216, @meyskens)
  • Add an option to Cilium to set the persistent keepalive for cilium_wg0 (#27932, @chaunceyjiang)
  • Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
  • Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
  • Add flows per second information to Hubble status (#28205, @glrf)
  • Add Hubble Grafana dashboards: Network and DNS overview (#27751, @lambdanis)
  • add Ingress controller proxy protocol support (#28194, @zetaab)
  • Add lbipam support for shared ips (#28806, @usiegl00)
  • Add option to pass api-rate-limit via Helm values (#28239, @ungureanuvladvictor)
  • Add option to redact http headers (#26724, @ChrsMark)
  • Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
  • Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
  • Add securityContext for spire pod in helm chart (#27363, @ishuar)
  • Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
  • Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
  • Add support for filtering on HTTP URLs in Hubble (#28275, @glrf)
  • Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. (#28419, @marseel)
  • Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. Metric keeps track of number of peers for each possible connection status. (#28217, @siwiutki)
  • Added new ingress.cilium.io/ssl-passthrough annotation for Ingress objects (#28751, @youngnick)
  • Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
  • Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
  • Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors (#28125, @rbankston)
  • Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
  • Allow case-insensitive name for CNI chaining mode (#28050, @asauber)
  • api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30529, Upstream PR #30167, @viktor-kurchenko)
  • api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
  • Augments cilium status CLI to report on agent modules health status. (#25714, @derailed)
  • Auth map garbage collection will trigger if last local endpoint of a security identity was removed (#27697, @meyskens)
  • bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
  • bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport PR #30230, Upstream PR #30033, @rastislavs)
  • BGPv1: Set R-bit in graceful restart capability negotiation. (#28293, @ArsenyBelorukov)
  • bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
  • bpf: allow overriding Makefile variables (#27492, @lmb)
  • bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
  • bpf: gate egressgw datapath on separate defines (#27189, @lmb)
  • bpf: static data: use inline asm to access static data (#27589, @ti-mo)
  • bgpv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
  • Can create the directory for the customized CNI conf and remove the CNI conf file in the cleanup command (#27933, @sofat1989)
  • Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
  • cilium ingress should have an option to set the number of trusted loadbalancer hops (#27952, @chaunceyjiang)
  • cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR #30264, Upstream PR #29963, @joamaki)
  • cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
  • Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. (#27653, @marseel)
  • cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
  • cilium: export intermediate cobra.Commands (#26265, @lmb)
  • cilium: use absolute path to include Makefile.defs (#27054, @lmb)
  • CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". (#27976, @danehans)
  • cli: Update cilium policy import to allow policy replacement by label (#27103, @deverton-godaddy)
  • clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
  • cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
  • cmd: Disable local node routes when endpoint routes are enabled (#28324, @gandro)
  • Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
  • Correlate flows with CiliumNetworkPolicies (#27854, @chancez)
  • daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
  • daemon: don't wait for presence of unused CiliumNodeConfig CRD (#27684, @akhilles)
  • daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. (#28300, @nathanjsweet)
  • Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
  • Delete auth map entries for removed Security IDs in SPIRE (#27663, @meyskens)
  • Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed.
    Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
  • docs, cilium: Remove cilium endpoint regenerate command (#27326, @christarazi)
  • docs: remove annotations-based l7 visibility (#28449, @networkop)
  • Don't automatically infer ClusterID and ClusterName for external workloads. (#27886, @giorio94)
  • egressgw: inject datapath config via hive (#27414, @lmb)
  • EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. (#26215, @jibi)
  • egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
  • egressgw: reject config with CiliumEndpointSlice (#27984, @julianwiedmann)
  • egressgw: tidy up Config handling (#27221, @lmb)
  • endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
  • ENI: fix calculateExcessIPs excessive calculate of excess ip (#28467, @wu0407)
  • Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30349, Upstream PR #30126, @youngnick)
  • envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
  • envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
  • envoy: Bump envoy version to v1.27.1 (#28531, @sayboras)
  • envoy: Bump envoy version to v1.27.2 (#28671, @mhofstetter)
  • envoy: Update envoy version to the latest build (#27819, @jrajahalme)
  • Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
  • Fix inaccurate calculation for bootstrap stats of restore (#27983, @PlatformLC)
  • fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode (#28452, @bittermandel)
  • Fixes name used for disabling KVStoreMesh metrics. (#27680, @marseel)
  • FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
  • gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
  • gateway-api: Add support for multiple request mirrors (#28342, @sayboras)
  • gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
  • gateway-api: Bump the version to v0.8.1 (#28195, @sayboras)
  • gateway-api: Bump the version to v1.0.0-rc1 (#28757, @sayboras)
  • gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
  • gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
  • gateway-api: Update API version for Reference Grant (#29811, @sayboras)
  • Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
  • helm: Add extraVolumeMounts to cilium config init container (Backport PR #30349, Upstream PR #30131, @ayuspin)
  • helm: Added support for existing Cilium SPIRE NS (#29032, @PhilipSchmid)
  • helm: allow annotations to be set for preflight resources (#27860, @bradwhitfield)
  • Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
  • hive/cell: remove health reporting on health provider. (#28773, @tommyp1ckles)
  • hubble-relay: Add support for peers joining during requests (#29326, @glrf)
  • Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
  • hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
  • hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
  • Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
  • hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
  • Ignore Indexed Job-specific label by default for CID creation batch.kubernetes.io/job-completion-index. (#28897, @tosi3k)
  • Ignore StatefulSet-specific labels by default for CID creation. This includes the two following labels:
    ◦ statefulset.kubernetes.io/pod-name
    ◦ apps.kubernetes.io/pod-index (#28003, @tosi3k)
  • Implement AdvertisedPathAttributes for CiliumBGPNeighbor in the CiliumBGPPeeringPolicy CRD to allow setting BGP Community and Local Preference path attributes for advertised BGP routes. (#27705, @rastislavs)
  • Improve cilium status --verbose and cilium-health status --succinct support to show IPv6 IPs as well (#27912, @chaunceyjiang)
  • Improve cilium-agent bootstrap time when using cluster-pool ipam. (#28354, @marseel)
  • Improve helm validation for clustermesh, and allow creating the clustermesh configuration also in kvstore mode (#28763, @giorio94)
  • Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
  • Improve the usability of the cilium policy selectors command by including the policy name and namespace in order to easily understand which selector comes from what policy (#27838, @christarazi)
  • Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
  • init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
  • Introduce ability to specify SAFI/AFI for specific BGP peers. (#26940, @ldelossa)
  • ipam, metrics: Add new capacity metric (#27710, @christarazi)
  • ipam/multipool: Introduce specific ip family annotations for specifying ip pools (#28244, @hargrovee)
  • ipam: Remove cluster-pool-v2beta code (#27753, @gandro)
  • Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
  • metrics: add bpf_map_capacity metric which provides max size of maps (#28146, @tommyp1ckles)
  • metrics: Add workqueue metrics (#27042, @ysksuzuki)
  • Modular daemon and operator (#25986, @pippolo84)
  • Mutual Auth: only respond handshake with certificate if security ID is in use on node (#27682, @meyskens)
  • mutual-auth: Bump spire image version (#29101, @sayboras)
  • Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
  • Named ports in DNS policies are now resolved correctly. (Backport PR #30529, Upstream PR #29023, @jrajahalme)
  • Operator modular metrics (#28005, @pippolo84)
  • operator: Remove identity GC and CES controller legacy metrics (#28166, @pippolo84)
  • pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
  • pkg/labels: print all leaf CIDRs, not just the last one. (#28224, @squeed)
  • Pre-initialize several known metric vectors to avoid empty metrics (specifically: endpoint_regenerations_total, policy_change_total, policy_implementation_delay, policy_l7_total and kubernetes_events metrics). (#27835, @tommyp1ckles)
  • Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
  • Refactor hubble redact settings schema (#26989, @ChrsMark)
  • Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
  • Remove deprecated clustermesh CA configuration from the helm chart (#27162, @giorio94)
  • Remove deprecated policy_import_errors_total metric (#28423, @tklauser)
  • Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
  • Rename the CLI for local Cilium API access to 'cilium-dbg' (#28085, @joestringer)
  • Replace etcd init script used for clustermesh with a Go equivalent.
    Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
  • Replace LB-IPAM IP allocator to remove limitations and enable additional features (#26488, @dylandreimerink)
  • Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
  • Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
  • show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
  • Structured Health Reporter + EndpointManager Modular Health Checks (#27522, @tommyp1ckles)
  • The cilium-agent now sets GOMEMLIMIT to the container's memory resource limit, which helps the Go GC to avoid unnecessary OOMs. (#27958, @bimmlerd)
  • The podIPPoolSelector field has been added to CiliumBGPVirtualRouter for selectively advertising multi-pool IPAM CIDRs. (#27100, @danehans)
  • Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (#27498, @jrajahalme)
  • When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or one set to "io.cilium/bgp-control-plane". (#26905, @danehans)
  • When master key protection is enabled, failed attempts at recreating k8s identity resources will now be retried. (#28912, @tommyp1ckles)
  • When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:

  • ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
  • Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
  • Add default toleration for SPIRE agent on control plane nodes (Backport PR #30230, Upstream PR #28947, @meyskens)
  • Allow unsupported protocol family errors when deleting IPv6 proxy routing rules (Backport PR #30529, Upstream PR #30299, @rgo3)
  • Avoid panic during BPF program compilation when clang command fails to start (Backport PR #30264, Upstream PR #30009, @ti-mo)
  • backporting: Revert changes until the new workflow will be in place (#28371, @pippolo84)
  • bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport PR #30079, Upstream PR #29954, @rastislavs)
  • bgpv1: fix manager_test.go build error (#27543, @ldelossa)
  • bpf: fix wrong loopback address mask value (Backport PR #30230, Upstream PR #29946, @haiyuewa)
  • bpf: fixes an issue where inserting inner maps into an outer may fail with EINVAL due to flags mismatch (#28710, @ldelossa)
  • bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
  • bug fix: close status collector when daemon exits (#27937, @sofat1989)
  • bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30212, Upstream PR #29239, @jrajahalme)
  • cleanup: can clean the bpf filters created by a cilium agent with a lower version (#27373, @sofat1989)
  • Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
  • daemon/cmd: Updates restoreIPCache() to use errors.Is() (Backport PR #30529, Upstream PR #30220, @danehans)
  • daemon: Fail init if requirements for BPF masquerade are not met (Backport PR #30230, Upstream PR #29778, @pippolo84)
  • datapath: fix dbg-capture-proxy-[pre/post] reporting (#27704, @mhofstetter)
  • datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
  • Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #30230, Upstream PR #29400, @meyskens)
  • Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config (#28142, @rawmind0)
  • Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport PR #30230, Upstream PR #29917, @bimmlerd)
  • egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
  • egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes with packets to the egress gw and bypasses the egress GW policy (#29379, @ysksuzuki)
  • egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
  • endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
  • envoy: Bump envoy image to include proxy_protocol filter (Backport PR #30349, Upstream PR #30260, @sayboras)
  • envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
  • envoy: fix SO_REUSEPORT with BPF TPROXY (#30459, @mhofstetter)
  • examples: Fix YAML error backendRefs in HTTP Header Modifier (#27871, @haiyuewa)
  • Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #30230, Upstream PR #29986, @qmonnet)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30324, Upstream PR #30248, @ti-mo)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #30079, Upstream PR #29616, @learnitall)
  • Fix bug that could cause IPsec route change failures to be silent. (Backport PR #30529, Upstream PR #29423, @derailed)
  • Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport PR #30230, Upstream PR #29745, @thorn3r)
  • Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
  • Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
  • Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
  • Fix error when using multiple allowRoutes namespaces in gateway (#30550, @mhofstetter)
  • Fix Helm rendering for dashboards.enabled=true (#28542, @bakito)
  • Fix instances of leaked health reporter updates. (Backport PR #30230, Upstream PR #30134, @tommyp1ckles)
  • Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #30349, Upstream PR #29460, @tommyp1ckles)
  • Fix missing NODE_ADD Hubble peer messages in some cases (#28226, @AwesomePatrol)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30529, Upstream PR #30399, @tlcowling)
  • Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport PR #30529, Upstream PR #30329, @3u13r)
  • Fix potential deadlock that results in stale authentication entries in Cilium (#29082, @meyskens)
  • Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #30529, Upstream PR #30282, @giorio94)
  • Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
  • Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #28500, Upstream PR #28417, @ti-mo)
  • fix: PromQL syntax on cilium policy query Grafana dashboard (Backport PR #30529, Upstream PR #29938, @M0NsTeRRR)
  • Fixed health probing where ICMP probe was incorrectly reporting node as unreachable or reporting unreachable node as reachable in some cases. (Backport PR #30529, Upstream PR #30504, @marseel)
  • Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
  • Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
  • gateway-api: fix empty URI when removing path prefix (#28606, @dddddai)
  • gateway-api: fix status reconcile error handling (Backport PR #30230, Upstream PR #29894, @mhofstetter)
  • gateway-api: Requeue Gateway for owning GRPCRoute (Backport PR #30230, Upstream PR #30124, @sayboras)
  • gateway: Add GRPCRoute support for status changed predicate (Backport PR #30230, Upstream PR #30176, @sayboras)
  • Handle .status.conditions on Services in accordance with KEP-1623 (#27399, @addreas)
  • health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
  • helm: Correct command for initContainer config (#28613, @sayboras)
  • helm: Fix envoy servicemonitor annotations (Backport PR #30230, Upstream PR #30017, @pmcgrath)
  • Implement full CES reconciliation logic in the operator (#26836, @alan-kut)
  • init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport PR #30529, Upstream PR #30052, @yingnanzhang666)
  • L2 announcements retry getting lease after losing it (Backport PR #30529, Upstream PR #30340, @dylandreimerink)
  • l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
  • l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport PR #30264, Upstream PR #30107, @mhofstetter)
  • lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
  • maps/metricspath: protect against concurrent access in Collect (Backport PR #30230, Upstream PR #30104, @buroa)
  • neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
  • node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #30530, Upstream PR #30423, @gandro)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29973, Upstream PR #29964, @gandro)
  • pkg/endpoint: fix endpoint health update always being ok. (Backport PR #30529, Upstream PR #30365, @tommyp1ckles)
  • pkg/nodediscovery: Updates updateCiliumNodeResource() Warning Message (Backport PR #30349, Upstream PR #30257, @danehans)
  • Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
  • policy: Fix mapstate changes error in entry change comparison (Backport PR #30079, Upstream PR #29815, @jrajahalme)
  • proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
  • Remove a misplaced ls alias that caused cilium-dbg bpf auth ls to flush the map. (Backport PR #30529, Upstream PR #30445, @meyskens)
  • Remove non fatal errors from SPIRE client in the operator (Backport PR #30230, Upstream PR #28698, @meyskens)
  • Replace use of strict to true for kubeProxyReplacement in helm chart (#27433, @xtineskim)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
  • srv6: modify h.encap location in the datapath to avoid incompatibility with IPv4Masq (#28817, @ldelossa)
  • statedb: Fix termination of string and IP keys (#29368, @joamaki)
  • The DNS proxy will now compute a UDP checksum over the IPv6 response packet and the pseudo-header. (#29493, @danehans)
  • Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30079, Upstream PR #29848, @joamaki)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
quay.io/cilium/cilium:stable@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a
quay.io/cilium/clustermesh-apiserver:stable@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b
quay.io/cilium/docker-plugin:stable@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6
quay.io/cilium/hubble-relay:stable@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79
quay.io/cilium/operator-alibabacloud:stable@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79

operator-aws

quay.io/cilium/operator-aws:v1.15.0@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a
quay.io/cilium/operator-aws:stable@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a

operator-azure

quay.io/cilium/operator-azure:v1.15.0@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768
quay.io/cilium/operator-azure:stable@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768

operator-generic

quay.io/cilium/operator-generic:v1.15.0@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79
quay.io/cilium/operator-generic:stable@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79

operator

quay.io/cilium/operator:v1.15.0@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee
quay.io/cilium/operator:stable@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee