1.15.0-pre.3

Summary of Changes

Major Changes:

• Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
• Add support for extending ClusterMesh to 511 clusters
  By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
• Add support for Gateway API v1.0 (#28836, @sayboras)
• k8s: add support for k8s 1.29.0 (#29473, @aanm)

Minor Changes:

• Add a mode where routing is delegated to another CNI plugin. This enables support for using AWS security groups when chaining Cilium on top of AWS VPC CNI. (#29111, @Alex-Waring)
• Add lbipam support for shared ips (#28806, @usiegl00)
• Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
• Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (#29077, @meyskens)
• Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
• api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
• bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
• bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
• bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers when available (#29377, @julianwiedmann)
• Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (#28928, @jrajahalme)
• cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
• ciliumidentity resiliency improvement (#28912, @tommyp1ckles)
• cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
• Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
• Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
• Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed.
  Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
• FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
• gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
• gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
• gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
• Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
• Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
• hubble-relay: Add support for peers joining during requests (#29326, @glrf)
• Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
• hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
• hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
• Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
• init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
• Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
• metric: provide way to declare labels. (#27835, @tommyp1ckles)
• mutual-auth: Bump spire image version (#29101, @sayboras)
• Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
• pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
• policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (#28704, @nathanjsweet)
• Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
• Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
• Replace etcd init script used for clustermesh with a Go equivalent.
  Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
• Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
• Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
• show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
• When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:

• "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (#29020, @jrajahalme)
• ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
• Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29307, @ti-mo)
• bpf: Add TC_ACT_REDIRECT check for nodeport (#28927, @sayboras)
• bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (#28813, @oblazek)
• bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (#28959, @julianwiedmann)
• Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
• ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29098, @julianwiedmann)
• datapath: Fix ENI egress routing table for cilium_host IP (#29335, @gandro)
• datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
• Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (#28264, @aspsk)
• egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
• egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes packets to egress gw and bypass the egress GW policy (#29379, @ysksuzuki)
• endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
• endpointmanager: unmap ip for lookup (#29554, @tklauser)
• Fix external workloads not working with non-default ClusterID (#29378, @giorio94)
• Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
• Fix source identity determination for DSR with Geneve-dispatch, by looking it up from the ipcache. (#29155, @chez-shanpu)
• Fix the Created timestamps in cilium bpf nat list that used to display the same values. (#27062, @gentoo-root)
• Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (#29248, @aanm)
• Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
• gateway-api: add watch for reference grant in TLSRoute reconciler (#29007, @mhofstetter)
• gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (#29115, @sayboras)
• gateway: Ignore loadbalancer class for Gateway service (#29547, @sayboras)
• Handle non-AEAD IPsec keys in cilium encrypt status. (#29182, @viktor-kurchenko)
• ingress: cleanup resources on changed ingress class field (#28886, @mhofstetter)
• ingress: fix foreground deletion of Ingress (#29367, @mhofstetter)
• Install loopback CNI atomically to protect against aborted copy (#29462, @akhilles)
• ipam: Fix bug where IP lease did not expire (#29443, @gandro)
• iptables: remove logic to control non-existent net.ipv6.ip_early_demux (#29310, @julianwiedmann)
• k8s ingress & gateway api: fix unintentional deletion of shared envoy cluster resource (#28896, @mhofstetter)
• l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
• lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
• neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
• Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
• Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (#29340, @aanm)
• Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
• statedb: Fix termination of string and IP keys (#29368, @joamaki)
• When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (#29160, @julianwiedmann)

CI Changes:

• Add 100 node scale test workflow (#29214, @learnitall)
• ariane: Disable ci-e2e-upgrade (#29488, @brb)
• bpf/tests: Fixed loop not unrolled error in pktgen (#28942, @dylandreimerink)
• bpf: complexity-tests: add HAVE_FIB_NEIGH (#29348, @julianwiedmann)
• ci aws: cleanup EKS cluster in separate job (#29412, @mhofstetter)
• ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#29560, @mhofstetter)
• ci-e2e-upgrade: Bring it on (#29073, @brb)
• ci-e2e-upgrade: Remove setting CLI vsn (#29435, @brb)
• ci-e2e: Use kernel 6.1 instead of 6.0 (#29345, @brb)
• ci-gke: remove duplicated wait for cilium (#29542, @mhofstetter)
• ci-ipsec-upgrade: Check for errors (#29189, @brb)
• ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (#29325, @brb)
• ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (#29072, @brb)
• ci: add K8s 1.28 platform testing (#29004, @nbusseneau)
• CI: Add merge_group trigger (#29276, @brlbil)
• ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (#29455, @mhofstetter)
• ci: Bump timeout of ci-runtime (#29317, @YutaroHayakawa)
• ci: Bump up the memory of LVH in conformance-e2e (#29494, @michi-covalent)
• ci: bypass proxy.golang.org in Go toolchain installation (#29549, @tklauser)
• ci: disable envoy tracing in multi-pool workflow (#28966, @tklauser)
• ci: don't write github commit status on push event (#29404, @mhofstetter)
• ci: don't write github commit status on push event (#29438, @mhofstetter)
• ci: fix deployment issue with multiple clusters in same region (#29427, @mhofstetter)
• ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (#29502, @mhofstetter)
• ci: fix merge group required checks (#29337, @brlbil)
• ci: fix typo in clustermesh workflow job name (#29046, @tklauser)
• ci: increase cilium wait timeout to 10m on cloud providers (#29541, @mhofstetter)
• ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (#29528, @mhofstetter)
• ci: migrate some schedule workflows to event trigger push (#29433, @mhofstetter)
• ci: Remove useless quotes in update label workflow (#28952, @pippolo84)
• cilium-cli action: Specify the repository parameter (#29338, @michi-covalent)
• datapath: Clean up XFRM configs after unit tests (#29332, @pchaigno)
• Drop support for EOLed Kubernetes versions (#29174, @michi-covalent)
• egressgw: tests: wait for initial sync reconciliation (#29084, @jibi)
• Extend BPF unit tests for IPsec (#28438, @jschwinger233)
• Fix pre-flight clusterrole check (#29224, @marseel)
• gh/workflows: Add lvh-kind action and use it in ci-e2e (#29485, @brb)
• gh/workflows: Dump Cilium LB node logs in case of failure (#28808, @brb)
• gh: datapath-verifier: also run on 6.1 kernel (#29349, @julianwiedmann)
• gha: Enable Ingress Controller tests in conformance-e2e (#29130, @sayboras)
• restore full go vet behaviour (#28945, @bimmlerd)
• scale-test-100-gce: Use CILIUM_CLI_VERSION (#29562, @michi-covalent)
• Set correct cluster name and id during upgrade test (#29165, @marseel)
• Skip k8s upstream conformance test for multiple protocols on a Service (#29524, @youngnick)
• Switch to on-demand instances for AWS tests on scheduled runs. (#29366, @marseel)
• Test upgrade/downgrade to patch release for IPsec (#28815, @qmonnet)
• test/k8s: clean up unused manifests (#29436, @tklauser)
• test: Use previous in-pod CLI name for updates (#29208, @joestringer)
• tests-e2e-upgrade: Use CILIUM_CLI_VERSION (#29496, @michi-covalent)
• Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (#29409, @giorio94)
• workflows: Add debug info to IPsec key rotation test (#29353, @pchaigno)
• workflows: move cilium_cli_version definition to set-env-variables action (#29237, @jibi)
• workflows: Pin conn-disrupt-test GH action to main (#29402, @pchaigno)

Misc Changes:

• .github/workflows: only cancel concurrent jobs if not in merge_group (#29431, @aanm)
• .github: do not group jobs on merge queues (#29551, @aanm)
• Add AirQo to Cilium USERS.md (#29467, @123MwanjeMike)
• Add an option to force BPF attachment to native device (#29176, @YutaroHayakawa)
• Add CEP and CES resources (#29244, @pippolo84)
• Add Cybozu to USERS.md (#29231, @chez-shanpu)
• Add Dcode.tech to USERS.md (#28996, @eliranw)
• Add IDNIC/Kadabra as user to Cilium (#28958, @ardikabs)
• Add node activity health reporters on node manager (#28799, @derailed)
• Add table for node addresses (#28962, @joamaki)
• add v1.15.0-pre.2 release (#28903, @aanm)
• api: Allow middleware to be injected via Hive (#29223, @gandro)
• BGP CP: Replaces LocalNodeStore with Local CiliumNode (#28238, @danehans)
• bgpv1: fix incorrect error messages in the reconcilePodIPPool function (#29125, @hargrovee)
• bgpv1: fix merge race conflict on NewGoBGPServer (#29321, @mhofstetter)
• bgpv1: Prevent multiple reconcilers with the same name (#29071, @rastislavs)
• bgpv1: Reorganize BGP config reconcilers (#29277, @rastislavs)
• bgpv1: Use specific log message and remove unused parameter (#28895, @hargrovee)
• bpf: fine-tune a few L3 header validations (#28669, @julianwiedmann)
• bpf: host: adjust scope of HostFW section in handle_ipv6() (#29052, @julianwiedmann)
• bpf: ipsec: move get_min_encrypt_key() to encrypt.h (#28991, @julianwiedmann)
• bpf: lb: fix missing drop reason in reverse_map_l4_port() (#28884, @julianwiedmann)
• bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path (#29304, @julianwiedmann)
• bpf: nat: fully switch to snat_v*_rewrite_helpers() (#29403, @julianwiedmann)
• bpf: nat: limit EgressGW redirect check to bpf_host (#29159, @julianwiedmann)
• bpf: nat: pass NAT map to snat_v4_new_mapping() (#29049, @julianwiedmann)
• bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT (#28960, @julianwiedmann)
• bpf: tests: minor cleanups (#29354, @julianwiedmann)
• bpf: tunnel-related cleanups in to-container path (#28920, @julianwiedmann)
• bpf: use l4_load_ports() everywhere (#29135, @julianwiedmann)
• Bug: Fix module health status output (#29140, @derailed)
• build: Declare GO in makefile before first use (#28983, @sayboras)
• Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data. (#28800, @derailed)
• chore(deps): update actions/checkout action to v4 (main) (#29539, @renovate[bot])
• chore(deps): update actions/github-script action to v7 (main) (#29142, @renovate[bot])
• chore(deps): update all github action dependencies (main) (#28987, @renovate[bot])
• chore(deps): update all github action dependencies (main) (minor) (#29260, @renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#29262, @renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#29387, @renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#29533, @renovate[bot])
• chore(deps): update all github action dependencies to v2 (main) (major) (#29540, @renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#29388, @renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#29534, @renovate[bot])
• chore(deps): update anchore/scan-action action to v3.3.8 (main) (#29573, @renovate[bot])
• chore(deps): update cilium/cilium digest to 614f2dd (main) (#29386, @renovate[bot])
• chore(deps): update cilium/cilium digest to 93f26fd (main) (#29141, @renovate[bot])
• chore(deps): update cilium/cilium digest to ef8ca62 (main) (#29120, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) (#28989, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) (#29234, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) (#29464, @renovate[bot])
• chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) (#29537, @renovate[bot])
• chore(deps): update dependency go to v1.21.4 (main) (#29558, @renovate[bot])
• chore(deps): update dependency kubernetes/kops to v1.28.1 (main) (#29128, @renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) (#29535, @renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (main) (#29261, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (main) (#29572, @renovate[bot])
• chore(deps): update go to v1.21.4 (main) (patch) (#29043, @renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) (#28990, @renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (main) (#29314, @renovate[bot])
• chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) (#29057, @renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) (#28992, @renovate[bot])
• ci-ipsec-upgrade: Do not run conn tests after installing Cilium (#29178, @brb)
• ci: Bump timeout on ci-runtime privileged worksflow (#28923, @jrajahalme)
• CI: fix broken BPF complexity tests (#29510, @lmb)
• cilium-dbg, policy, api: Fix labels in policy selectors output (#29152, @christarazi)
• cilium: Add a few bwm setting tweaks (#29552, @borkmann)
• Clarify cilium_event_ts metric description (#29303, @christarazi)
• client: Use options pattern for NewRuntime (#29271, @gandro)
• clustermesh install documentation: missing step (#28889, @dashaun)
• cni: remove unused CILIUM_CNI_CONF variable from install script (#29063, @wedaly)
• CODEOWNERS: claim some new ipsec-related files for cilium/ipsec (#29516, @julianwiedmann)
• CODEOWNERS: IPsec owns pkg/common/ipsec (#29002, @pchaigno)
• CODEOWNERS: Let IPsec team to own GH workflows for IPsec (#29190, @brb)
• contrib: Fix prerelease pullPolicy (#28906, @joestringer)
• ctmap: limit NAT purging to expected CT tuple types (#28871, @julianwiedmann)
• daemon: Simplify cilium_host IP restoration (#28781, @gandro)
• datapath: Few minor improvements to DevicesController (#28887, @joamaki)
• datapath: Move linuxNodeHandler IPsec functions to their own file (#28941, @pchaigno)
• devices: fix busy loop (#29163, @bimmlerd)
• dnsproxy: convert LookupEndpointByIP to use netip.Addr (#28891, @tklauser)
• doc: Add roadmap for mutual authentication (#29006, @tgraf)
• docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs (#29177, @rastislavs)
• docs: Add cluster install/prep guide for GKE-to-GKE clustermesh (#29342, @Neutrollized)
• docs: add instructions to build kindest-node image (#29079, @aanm)
• docs: bump required Helm version (#29273, @nebril)
• docs: Drop references to Helm v2 (#29463, @joestringer)
• docs: update versions and parameters for XDP Acceleration on AKS (#29091, @jshr-w)
• Docs: Updates BGP CP Developer Docs (#28908, @danehans)
• don't remove neighbor link state file if migrateOnly (#28659, @liuyuan10)
• enabled initalDelaySeconds on StartupProbe (#28816, @jignyasamishra)
• endpoint: Clarify policy locking requirements (#29024, @jrajahalme)
• endpoint: fix removed code comment. (#29172, @tommyp1ckles)
• endpointstate: Add an interface to wait for endpoint restore (#29243, @pippolo84)
• envoy: periodic version-check with hive timer job (#29513, @mhofstetter)
• envoy: Support internal listeners in CiliumEnvoyConfig CRDs (#29026, @jrajahalme)
• envoy: Update to pick up deny policy support (#28862, @jrajahalme)
• Extract tunnel options to simplify override, and inject them through hive (#29051, @giorio94)
• Fix bug preventing endpoint-related debug logs from being emitted (#29495, @learnitall)
• Fix Cilium Datapath Prometheus metric names (#29226, @carnerito)
• fix(deps): update all go dependencies main (main) (minor) (#28994, @renovate[bot])
• fix(deps): update all go dependencies main (main) (minor) (#29264, @renovate[bot])
• fix(deps): update all go dependencies main (main) (minor) (#29398, @renovate[bot])
• fix(deps): update all go dependencies main (main) (minor) (#29538, @renovate[bot])
• fix(deps): update all go dependencies main (main) (patch) (#28993, @renovate[bot])
• fix(deps): update all go dependencies main (main) (patch) (#29134, @renovate[bot])
• fix(deps): update all go dependencies main (main) (patch) (#29389, @renovate[bot])
• fix(deps): update all go dependencies main (main) (patch) (#29536, @renovate[bot])
• fix(deps): update all go dependencies main (main) (patch) (#29574, @renovate[bot])
• fix(deps): update golang.org/x/sys digest to 13b15b7 (main) (#29279, @renovate[bot])
• fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) (#29263, @renovate[bot])
• fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) (#29280, @renovate[bot])
• Fixes rate limiting for CES Controller (#28963, @alan-kut)
• Follow-up nits from etcd init script pull request (#29489, @JamesLaverack)
• fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option (#28968, @tklauser)
• gateway-api: cleanup cell imports & dependencies (#29204, @mhofstetter)
• gateway-api: don't register secretsync if required CRDs aren't present (#29437, @mhofstetter)
• gateway-api: fix up for import rename (#29143, @julianwiedmann)
• gateway-api: improve secret sync resiliency (#29017, @mhofstetter)
• gateway-api: Use Gateway API definition to check Route condition (#29359, @haiyuewa)
• go.mod, vendor: update golang.org/x/sys to latest unreleased version (#29070, @tklauser)
• Helm: Allow configuration of the install-cni container resources field (#27469, @RenaudWasTaken)
• helm: Fix annotation duplication problems for cilium-agent (#28978, @bradwhitfield)
• hubble/relay: Remove ReportOffline and refactor PeerManager (#28595, @glrf)
• images: drop the kvstoremesh dockerfile (#28961, @giorio94)
• images: Fix init-container script for cilium-dbg (#29424, @joestringer)
• Implement NodeAddressing on top of Table[NodeAddress] (#29033, @joamaki)
• Improve deletion of stale backends associated with non-global services, without waiting for full Cluster Mesh synchronization (#28745, @giorio94)
• ingress: migrate Cilium Ingress controller to use the controller-runtime library (#29327, @mhofstetter)
• ingress: migrate secret-sync to controller-runtime (#29198, @mhofstetter)
• Introduce sync.Map wrapper with generics support (#29452, @giorio94)
• ipam: Fix duplicate metric ipam_event release (#29520, @christarazi)
• ipcache: keep upserted prefixes from being deleted by InjectLabels (#29014, @squeed)
• ipcache: move CIDR restoration to asynchronous APIs (#28673, @squeed)
• ipsec: Improve encrypt flush command (#28795, @pchaigno)
• ipsec: Remove dead code for IPsec node encryption (#28898, @pchaigno)
• ipsec: Small refactorings on key loading and state creation (#29352, @pchaigno)
• k8s: remove unused slim k8s model for Ingress & IngressClass (#29517, @mhofstetter)
• L7 Loadbalancing: Migrate to controller-runtime library (#29126, @mhofstetter)
• labels: further optimize IPStringToLabel for single IP case (#29040, @tklauser)
• loader: attach XDP programs using bpf_link (#28308, @rgo3)
• loader: do not invoke llc separately (#29458, @lmb)
• makefile: add back the sed command to update the logo path (#28929, @bradwhitfield)
• maps: nat: fix copy & paste in error message from doFlush*() (#29097, @julianwiedmann)
• Minor documentation fixes and improvements for the BGP MD5 feature (#29375, @nvibert)
• Miscellaneous improvements about kvstore logging (#28843, @giorio94)
• Miscellaneous improvements to the etcd client (#28834, @giorio94)
• Modularise MTU discovery (#28964, @bimmlerd)
• Modularize ipcache BPF listener (#29194, @giorio94)
• Modularize iptables manager (#28746, @pippolo84)
• Modularize kernel modules manager into its own cell (#28713, @pippolo84)
• Modularized the bandwidth manager (#28619, @dylandreimerink)
• mountinfo: fix build on linux/386 (#29481, @tklauser)
• node: allow to override enable encapsulation on a per-node basis (#29232, @giorio94)
• operator: extract controller-runtime integration into its own cell (#28931, @mhofstetter)
• option: add LoadBalancerUsesDSR() helper (#26898, @julianwiedmann)
• pkg/allocator: store key in variable for error message (#29076, @aanm)
• pkg/bgpv1: Updates getPeerConfig() Method (#28474, @danehans)
• plugins/cilium-cni: Move implementation into separate package (#29336, @gandro)
• policy: Return a real nil rather than a non-nil interface (#29022, @jrajahalme)
• policy: Simplify AccumulateMapChanges prototypes (#29025, @jrajahalme)
• Prepare for release v1.15.0-pre.2 (#28901, @aanm)
• probes: remove HAVE_FIB_LOOKUP leftovers (#29401, @rgo3)
• proxy: define and use well known datapath constants (#28955, @tklauser)
• README: Update releases (#29170, @nathanjsweet)
• Refactor LocalNode synchronization logic and remove NodeChain (#29319, @giorio94)
• Remove accidentally checked in .orig file (#29145, @christarazi)
• Remove usage of global options from iptables cell (#29088, @pippolo84)
• Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. (#28971, @saintdle)
• Report node source in cilium-dbg node list (#29196, @tklauser)
• secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell (#29100, @mhofstetter)
• service: fix service manager interface mismatch caused by merge race (#29018, @giorio94)
• Some small fixes to make kind-fast (#28621, @squeed)
• statedb: Allow non-terminated keys (#29440, @joamaki)
• statedb: Simplify integration with Hive (#28892, @joamaki)
• stream: fix spurious event on termination when Debounce is used (#29347, @giorio94)
• Update lb-ipam.rst (#28756, @nvibert)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.15.0-pre.3@sha256:c09d3fc906f26edbc93494cc46e6616668d7931a05470f02b9f9a266c2cfc279
quay.io/cilium/cilium:v1.15.0-pre.3@sha256:c09d3fc906f26edbc93494cc46e6616668d7931a05470f02b9f9a266c2cfc279

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.15.0-pre.3@sha256:74f30ab524a07ffb3e74e2c0d5c34f7a03f1b090f45e3f4450db3d34800ada4d
quay.io/cilium/clustermesh-apiserver:v1.15.0-pre.3@sha256:74f30ab524a07ffb3e74e2c0d5c34f7a03f1b090f45e3f4450db3d34800ada4d

docker-plugin

docker.io/cilium/docker-plugin:v1.15.0-pre.3@sha256:dee40ce43396547b8ef34b005679e207bdc9f8413ac1abdedbc6ce10a58e3ff2
quay.io/cilium/docker-plugin:v1.15.0-pre.3@sha256:dee40ce43396547b8ef34b005679e207bdc9f8413ac1abdedbc6ce10a58e3ff2

hubble-relay

docker.io/cilium/hubble-relay:v1.15.0-pre.3@sha256:95833c3375b48cf72d1c122da6ffed2f69bd7c6b76cd373f5a8455c0c527cc4b
quay.io/cilium/hubble-relay:v1.15.0-pre.3@sha256:95833c3375b48cf72d1c122da6ffed2f69bd7c6b76cd373f5a8455c0c527cc4b

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.15.0-pre.3@sha256:a4ad0149c6ebfa87692379cd090ee25a41621dcf98af2a910f767ef46df72a51
quay.io/cilium/operator-alibabacloud:v1.15.0-pre.3@sha256:a4ad0149c6ebfa87692379cd090ee25a41621dcf98af2a910f767ef46df72a51

operator-aws

docker.io/cilium/operator-aws:v1.15.0-pre.3@sha256:c99a09adf0be9ec82d6407ad5d8a87c635258a88292417e4feebf83fb90d36f6
quay.io/cilium/operator-aws:v1.15.0-pre.3@sha256:c99a09adf0be9ec82d6407ad5d8a87c635258a88292417e4feebf83fb90d36f6

operator-azure

docker.io/cilium/operator-azure:v1.15.0-pre.3@sha256:136d55f7ad5dbbae6c79f6a4d547f2641c590e37a80d745b9c8135fd5b8b5553
quay.io/cilium/operator-azure:v1.15.0-pre.3@sha256:136d55f7ad5dbbae6c79f6a4d547f2641c590e37a80d745b9c8135fd5b8b5553

operator-generic

docker.io/cilium/operator-generic:v1.15.0-pre.3@sha256:01959fb5e0164fbe3f265f42da4e444d9511f716ac26210fea1080c948d4583e
quay.io/cilium/operator-generic:v1.15.0-pre.3@sha256:01959fb5e0164fbe3f265f42da4e444d9511f716ac26210fea1080c948d4583e

operator

docker.io/cilium/operator:v1.15.0-pre.3@sha256:1df2ea3840ca1c012d86f8e9dd785c3f24ce319915db3e6c99150627dfdc08cb
quay.io/cilium/operator:v1.15.0-pre.3@sha256:1df2ea3840ca1c012d86f8e9dd785c3f24ce319915db3e6c99150627dfdc08cb