Releases: cilium/cilium
1.0.0-rc10
API preparation for 1.0
We have changed the base prefix of the API from /v1beta to /v1 🎉. The API will become stable with the 1.0 release. This makes client binaries with version < 1.0.0-rc10.
Bugfix Changes
- policymap: Avoid using golang arrays in entry (#3506, @joestringer)
- etcd: Run etcd version check in the background (#3499, @tgraf)
- Test: Fix bugtool on kubernetes 1.7 (#3487, @eloycoto)
- Fix L4-only policy egress to world and CIDR-only egress to world (#3486, @joestringer)
- proxy: Use the same proxy map size as in BPF (#3485, @rlenglet)
- bpf: Do not route packets from egress proxy back into cilium_host (#3473, @tgraf)
- Continue to show timestamps in error cases in CiliumNetworkPolicy NodeStatus. (#3461, @aanm)
- policy: Add missing EntitySlice autogen code (#3458, @raybejjani)
- Fix l3-dependent L4/L7 rules applying to CIDR egress traffic (#3434, @joestringer)
Other Changes
- bugtool: add ip rule and cilium-health status commands (#3500, @ianvernon)
- Policy: Kafka multi-topic request support (#3445, @manalibhutiyani)
1.0.0-rc9
Upgrade Instructions
No special upgrade instructions are required. Please follow the upgrade instructions in the following simple guide: http://docs.cilium.io/en/latest/install/upgrade/
Major Changes
- envoy: Make 403 message configurable. (#3430, @jrajahalme)
- Add support label-dependent L4 egress policy (#3372, @ianvernon)
Bugfix Changes
- Fix entity dependent L4 enforcement (#3451, @tgraf)
- cli: Fix cilium bpf policy get (#3446, @tgraf)
- Fix CIDR ingress lookup (#3406, @joestringer)
- xds: Handle NACKs of initial versions of resources (#3405, @rlenglet)
- datapath: fix egress to world entity traffic, add e2e test (#3386, @ianvernon)
- bug: Fix panic in health server logs if /healthz didn't respond before checking status (#3378, @nebril)
- pkg/policy: remove fromEntities and toEntities from rule type (#3375, @ianvernon)
- Fix IPv4 CIDR lookup on older kernels (#3366, @joestringer)
- Fix egress CIDR policy enforcement (#3348, @tgraf)
- envoy: Fix concurrency issues in Cilium xDS server (#3341, @rlenglet)
- Fix bug where policies associated with stale identities remain in BPF policy maps, which could lead to "Argument list too long" errors while regenerating endpoints (#3321, @joestringer)
- Update CI and docs : kafka zookeeper connection timeout to 20 sec (#3308, @manalibhutiyani)
- Reject CiliumNetworkPolicy rules which do not have EndpointSelector field (#3275, @ianvernon)
- Envoy: delete proxymap on connection close (#3271, @jrajahalme)
- Fix nested cmdref links in documentation (#3265, @joestringer)
- completion: Fix race condition that can cause panic (#3256, @rlenglet)
- Additional NetworkPolicy tests and egress wildcard fix (#3246, @tgraf)
- Add timeout for getting etcd session (#3228, @nebril)
- conntrack: Cleanup egress entries and distinguish redirects per endpoint (#3221, @rlenglet)
- Silence warnings during endpoint restore (#3216, @tgraf)
- Fix MTU connectivity issue with external services (#3205, @joestringer)
- endpoint: Don't fail with fatal on l4 policy application (#3199, @tgraf)
- Add new Kafka Role to the docs (#3186, @manalibhutiyani)
- Fix log records for Kafka responses (#3127, @tgraf)
Other Changes
- Refactor /endpoint/{id}/config for API 1.0 stability (#3448, @tgraf)
- envoy: Add host identity (nphds) gRPC client (#3407, @jrajahalme)
- Increase capacity of BPF maps (#3391, @tgraf)
- daemon: Merge Envoy logs with cilium logs by default. (#3364, @jrajahalme)
- docs: Fix the Kafka policy to use the new role in the GSG (#3350, @manalibhutiyani)
- CI / GSG : make Kafka service headless (#3320, @manalibhutiyani)
- Use alpine as base image for Docs container (#3301, @iamShantanu101)
- Update kafka zookeeper session timeout to 20 sec in CI tests and docs (#3298, @manalibhutiyani)
- Support access log from sidecar and per-endpoint redirect stats (#3278, @rlenglet)
- Improve sanity checking in endpoint PATCH API (#3274, @joestringer)
- Update Kafka GSG policy and docs to use the new "roles" (#3269, @manalibhutiyani)
- maps: allow for migration when map properties change (#3267, @borkmann)
- bpf: Retire CT entries quickly for unreplied connections (#3238, @joestringer)
- CMD: Add json output on endpoint config (#3234, @eloycoto)
- Plumb the contents of the ip-identity cache to a BPF map for lookup in the datapath. (#3037, @ianvernon)
1.0.0-rc8
RBAC Upgrade Warning
This release contains a change in the Kubernetes RBAC file. Upgrading by modifying the image version is not enough. Please see http://docs.cilium.io/en/latest/install/upgrade/
Major Changes
- Bump kubernetes minimal version supported to 1.7 (#3102, @aanm)
- Add Kafka roles to simplify policy specification language (#2997, @manalibhutiyani)
- Add support for label-based policies on egress (#2878, @ianvernon)
- Add mapping of endpoint IPs to security identities in the key-value store. Watch the key-value store for updates and cache them locally per agent. (#2875, @ianvernon)
- Cilium exports CiliumEndpoint objects to kubernetes clusters. (#2772, @raybejjani)
Bugfix Changes
- pkg/ipcache: check if event type is EventTypeListDone before unmarshal of value (#3193, @ianvernon)
- proxy: envoy: use url.Parse() to generate URL field (#3188, @tgraf)
- Fix bug where IPv6 proxy map entries were never garbage collected (#3181, @joestringer)
- Log failure to insert into proxymap as its own monitor drop log
- Lower timeout for bpf proxy map entries (now 12 minutes)
- Kafka CI: Add a WaitKafkaBroker to wait for Kafka broker to be up before produce/consume (#3156, @manalibhutiyani)
- GinkgoRuntime CI: Avoid possible race between Kafka consume and produce (#3153, @manalibhutiyani)
- Documentation: Fix generated links when documentation is built from tags (#3128, @tgraf)
- Create new identity when endpoint labels change and reassign identity based on all endpoint labels when restoring (#3104, @aanm)
- Fix cilium status of k8s CRD watcher when unable to set up k8s client (#3103, @aanm)
- examples/mesos: Change ubuntu VB to be correct version (#3094, @jmuzsik)
- cilium status: Fix exit code when components are disabled (#3069, @tgraf)
- Fix L4-only policy enforcement on ingress without fromEndpoints selector (#2992, @joestringer)
- Add compatibility for kubernetes 1.11 (#2966, @aanm)
- Remove proxymap entry after closing connection (#3190, @tgraf)
Other Changes
- examples: Provide simple etcd standalone deployment example (#3167, @tgraf)
- Report policy revision implemented by the proxy in Endpoint model (#3151, @joestringer)
- Ginkgo: Add an option to run tests in different VMs (#3120, @eloycoto)
- Support a larger number of CIDR prefixes when running on older kernels. Now limited by the number of unique prefix lengths in the policies for an endpoint, which should be less than forty. (#3119, @joestringer)
- Only expose cilium-health API over unix socket by default (#3096, @joestringer)
- Reject policies that contain rules with more than one L3 match in a single rule (#3015, @joestringer)
1.0.0-rc7 release
Bugfix Changes
- add "update" verb for customresourcedefinitions in cilium DaemonSet spec file (#3052, @aanm)
- bpf: Move calls map to temporary location and remove after filter replacement (#3049, @tgraf)
- bpf: Remove policy maps of programs loaded in init.sh (#3042, @tgraf)
- agent: Fix manual endpoint regeneration (#3040, @tgraf)
- Fix cilium CRD update in case schema validation changes (#3029, @aanm)
- examples/getting-started: Fix failure to install docker (#3020, @tgraf)
- bpf: Retry opening map after initial error (#3018, @tgraf)
- consul: Report modified keys even if previously not known (#3013, @tgraf)
- Restore error behaviour of endpoint config updates (#3054, @ianvernon)
Other Changes
- Delete obsolete cilium-envoy.log on startup (#3047, @manalibhutiyani)
- Introduce DebugLB option in endpoint config (#3036, @joestringer)
- Support log rotation for envoy log (#3034, @manalibhutiyani)
1.0.0-rc6
Bugfix Changes
- Envoy: add NACK processing (#2991 @jrajahalme)
- envoy: Use downstream HTTP protocol for upstream connections. (#2970 @jrajahalme)
Other Changes
- Removed action field from BPF policy map entries (#2918 @joestringer)
1.0.0-rc5
Bugfix Changes
- Fix BPF policy map specification inconsistency between BPF programs (#2953 @joestringer)
- k8s: Do not attempt to sync headless services to datapath (#2937 @tgraf)
- identity cache: Support looking up reserved identities (#2922 @tgraf)
- Fix IPv4 L4 egress policy enforcement with service port mapping (#2912 @joestringer)
- Fix kubernetes default deny policy for kubernetes 1.7 (#2887 @aanm)
- Log Kafka responses (#2881 @tgraf)
- Several fixes to support long-lived persistent connections (#2855 @tgraf)
- Clean endpoint BPF map on daemon start (#2814 @mrostecki)
Other Changes
- Add documentation on how to retrieve overall health of cluster (#2944 @tgraf)
- monitor: Introduce channel to buffer notifications and listeners (#2933 @tgraf)
- bpf: Warn if another program is using a VXLAN device (#2929 @tgraf)
- Make Kafka K8s GSG CI tests work on multinode setup (#2926 @manalibhutiyani)
- Add proxy status to cilium status (#2894 @tgraf)
- contrib: Add script to run cilium monitor on all k8s nodes (#2867 @tgraf)
- Update example cilium-ds.yaml files to support rolling updates. (#2865 @ashwinp)
- Add cluster health summary to cilium status (#2858 @joestringer)
- Consistently use -o json as the CLI arguments for printing JSON output across all commands that support JSON output (#2852 @joestringer)
- Simplify output of cilium status by default, add new --verbose, --brief options (#2821 @joestringer)
- Ginkgo: Support K8s CI Coverage for Kafka GSG (#2806 @manalibhutiyani)
1.0.0-rc4
Major Changes
- api: Introduce & expose endpoint controller statuses (#2720, @tgraf)
- More scalable kvstore interaction layer (#2708, @tgraf)
- Add agent notifications & access log records to monitor (#2667, @tgraf)
- Remove oxyproxy and make Envoy the default proxy (#2625, @jrajahalme)
- New controller pattern for async operations that can fail (#2597, @tgraf)
- Add cilium-health endpoints for datapath connectivity probing (#2315, @joestringer)
Bugfix Changes
- Avoid concurrent access of rand.Rand (#2823, @tgraf)
- kafka: Use policy identity cache to lookup identity for L3 dependent rules (#2813, @manalibhutiyani)
- envoy: Set source identity correctly in access log. (#2807, @jrajahalme)
- replaced sysctl invocation with echo redirects (#2789, @aanm)
- Set up the k8s watchers based on the kube-apiserver version #2731 (#2735, @aanm)
- bpf: Use upper 16 bits of mark for identity (#2719, @tgraf)
- bpf: Generate BPF header in order after generating policy (#2718, @tgraf)
- Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional. (#2699, @ianvernon)
  - Gracefully handle when these objects are nil when we are parsing NetworkPolicy.
- Enforce policy update immediately on ongoing connections #2569 #2408 (#2684, @aanm)
- envoy: fix rule regex matching by host (#2649, @aanm)
- Kafka: Correctly check msgSize in ReadResp before discarding. (#2637, @manalibhutiyani)
- Fix envoy deadlock after first crash (#2633, @aanm)
- kafka: Reject requests on empty rule set (#2619, @tgraf)
- CNP CRD schema versioning (#2614, @nebril)
- Fix race while updating L7 proxy redirect in L4PolicyMap (#2607, @joestringer)
- Don't allow API users to modify reserved labels for endpoints. (#2595, @joestringer)
v1.0.0-rc2
Major Changes
- Tech preview of Envoy as Cilium HTTP proxy, adding HTTP2 and gRPC support. (#1580, @jrajahalme)
- Introduce "cilium-health", a new tool for investigating cluster connectivity issues. (#2052, @joestringer)
- cilium-agent collects and serves prometheus metrics (#2127, @raybejjani)
- bugtool and debuginfo (#2044, @scanf)
- Add nightly test infrastructure (#2212, @ianvernon)
- Separate ingress and egress default deny modes with better control (#2156, @manalibhutiyani)
- k8s: add support for IPBlock and Egress Rules with IPBlock (#2096, @ianvernon)
- Kafka: Support access logging for Kafka requests/responses (#1870, @manalibhutiyani)
- Added cilium endpoint log command that returns the endpoint's status log (#2060, @raybejjani)
  - Change endpoint status log in cilium endpoint get to show only the most recent log
- Routes connecting the host to the Cilium IP space are now implemented as individual routes for each node in the cluster. This allows assigning IPs which are part of the cluster CIDR to endpoints outside of the cluster as long as the IPs are never used as node CIDRs. (#1888, @tgraf)
- Standardized structured logging (#1801, #1828, #1836, #1826, #1833, #1834, #1827, #1829, #1832, #1835, @raybejjani)
Bugfix Changes
- Fix L4Filter JSON marshalling (#1871, @joestringer)
- Fix swapped src dst IPs on Conntrack related messages on the monitor's output (#2228, @aanm)
- Fix output of cilium endpoint list for endpoints using multiple labels. (#2225, @aanm)
- bpf: fix verifier error in daemon debug mode with newer LLVM versions (#2181, @borkmann)
- pkg/kvstore: fixed race in internal mutex map (#2179, @aanm)
- Proxy ingress policy fix for LLVM 4.0 and greater. Resolves return code 500 'Internal Error' seen with some policies and traffic patterns. (#2162, @jrfastab)
- Printing patch clang and kernel patch versions when starting cilium. (#2137, @aanm)
- Clean up Connection Tracking entries when a new policy no longer allows them. #1667, #1823 (#2136, @aanm)
- k8s: fix data race in d.loadBalancer.K8sEndpoints (#2129, @aanm)
- Add internal queue for k8s watcher updates #1966 (#2123, @aanm)
- k8s: fix missing deep copy when updating status (#2115, @aanm)
- Accept traffic to Cilium in FORWARD chain (#2112, @tgraf)
  - Also clear the masquerade bit in the FORWARD chain to skip the masquerade rule installed by kube-proxy
- Fix SNAT issue in combination with kube-proxy, when masquerade rule installed by kube-proxy takes precedence over rule installed by Cilium. (#2108, @tgraf)
- Fixed infinite loop when importing CNP to kubernetes with an empty kafka version (#2090, @aanm)
- Mark cilium pod as CriticalPod in the DaemonSet (#2024, @manalibhutiyani)
- proxy: Provide identities { host | world | cluster } in SourceEndpoint (#2022, @manalibhutiyani)
- In kubernetes mode, fixed bug that was allowing cilium to start up even if the kubernetes api-server was not reachable #1973 (#2014, @aanm)
- Support policy with EndpointSelector missing (#1987, @raybejjani)
- Implemented deep copy functionality when receiving events from kubernetes watcher #1885 (#1986, @aanm)
- pkg/labels: Filter out pod-template-generation label (#1979, @michi-covalent)
- bpf: Double timeout on building BPF programs (#1949, @raybejjani)
- policy: add PolicyTrace msg to AllowsRLocked() when L4 policies not evaluated (#1939, @gnahckire)
- Handle Kafka responses correctly (#1924, @manalibhutiyani)
- bpf: Avoid excessive proxymap updates (#2210, @joestringer)
- cilium-agent correctly restarts listening for CiliumNetworkPolicy changes when it sees decoding errors (#1899, @raybejjani)
Other Changes
- Automatically generate command reference of agent (#2223, @tgraf)
- Access log rotation support with backup compression and automatic deletion support. (#1995, @manalibhutiyani)
- kubernetes examples support prometheus metrics scraping (along with sample prometheus configuration) (#2192, @raybejjani)
- Start serving the cilium API almost immediately while restoring endpoints on the background. (#2116, @aanm)
- Added cilium endpoint healthz command that returns a summary of the endpoint's health (#2099, @raybejjani)
- Documentation: add a CLI reference section (#2079, @scanf)
- Documentation: add support for tabs via plugin (#2078, @scanf)
- Feature Request: Add option to disable loadbalancing (#2048, @manalibhutiyani)
- monitor: reduce overhead (#2037, @scanf)
- Use auto-generated client to communicate with kube-apiserver (#2007, @aanm)
- Documented kubernetes API Group usage in docs (#1989, @raybejjani)
  - cilium status returns which kubernetes API Groups are supported/used by the agent
- doc: Add Kafka policy documentation (#1970, @tgraf)
- Add Pull request and issue template (#1951, @tgraf)
- Update Vagrant images to ubuntu 17.04 for the getting started guides (#1917, @aanm)
- Add CONTRIBUTING.md (#1898, @tgraf)
- Introduction of release notes gathering script in use by the Kubernetes project (#1893, @tgraf)
- node: Install individual per node routes (#1888, @tgraf)
- Add CLI for dumping BPF endpoint map (lxcmap) (#1854, @joestringer)
- add command for resetting agent state (#1678, @scanf)
- Improved CI testing infrastructure and fixed several test flakes (#1848, #1865)
- Foundation of new Ginkgo build-driven-development framework for CI (#1733)
1.0.0-rc1
0.11 release
Bug Fixes
- Fixed an issue where service IDs were leaked in etcd/consul. Services have been moved to a new prefix in the kvstore. Old, leaked service IDs are automatically removed when a fixed cilium-agent is started. (#1182, #1195)
- Fixed accuracy of policy revision field. The policy revision field was bumped after policy for an endpoint was recalculated. The policy revision field is now bumped after complete synchronization with the datapath has occurred (#1196)
- Fixed graceful connection closure where final ACK after FIN+ACK was dropped (#1186)
- Fixed several bugs in endpoint restore functionality where endpoints were not correctly recovered after agent restart (#1140, #1242, #1330, #1338)
- Fixed unnecessary consumer map deletion attempt which resulted in confusion due to warning log messages (#1206)
- Fixed stateful connection recognition of reply|related packets from an endpoint to the host. This resulted in reply packets getting dropped if the path from endpoint to host was restricted by policy but a connection from the host to the endpoint was permitted (#1211)
- Fixed debian packages build process (#1153)
- Fixed a typo in the getting started guide examples section (#1213)
- Fixed Kubernetes CI test to use locally built container image (#1188)
- Fixed logic which picks up Kubernetes log files on failed CI testruns (#1169)
- Agent now fails during bootup if kvstore cannot be reached (#1266)
- Fixed the L7 redirection logic to only report the new PolicyRevision after the proxy has started listening on the port. This resolves a race condition when deploying both policy and workload at the same time and the proxy is not up yet. (#1286)
- Fixed a bug in cilium monitor memory allocation with regard to handling data from the perf ring buffer (#1304)
- Correctly ignore policy resources with an empty ruleset (#1296, #1297)
- Ignore the controller-revision-hash label to derive security identity (#1320)
- Removed ip: field name for CIDR policy rules, CIDR rules are now a slice of strings describing prefixes (#1322)
- Ignore Kubernetes annotations done by cilium which show up as labels on the container when deriving security identity (#1338)
- Increased the ReadTimeout of the HTTP proxy to 120 seconds (#1349)
- Fixed use of node address when running with IPv4 disabled (#1260)
- Several fixes around when an endpoint should go into policy enforcement for Kubernetes and non-Kubernetes environments (#1328)
- When creating the Kubernetes client, wait for Kubernetes cluster to be in ready state (#1350)
- Fixed drop notifications to include as much metadata as possible (#1427, #1444)
- Fixed a bug where the compilation of the base programs and writing of header files could occur in parallel with compilation of programs for endpoints which could lead to temporary compilation errors (#1440)
- Fail gracefully when configuring more than the maximum supported L4 ports in the policy (#1406)
- Fixed a bug where not all policy rules were JSON validated before sending them to the agent (#1406)
- Fixed a bug in the SHA256 calculation (#1454)
- Fixed the datapath to differentiate the packets from a regular local process and packets originating from the proxy (previously redirected to by the datapath). (#1459)
Features
- The monitor now supports multiple readers, you can run cilium monitor multiple times in parallel. All monitors will see all events. (#1288)
- cilium policy trace can now trace policy decisions based on Kubernetes pod names, security identities, endpoint IDs and Kubernetes YAML resources (Deployments, ReplicaSets, ReplicationControllers, Pods)
- It is now possible to reach the local host on IPs which are within the overall cluster prefix (#1394)
- The cilium identity get CLI and API can now resolve global identities with the help of the kvstore (#1313)
- Use new probe functionality of LLVM to automatically use new BPF compare instructions if supported by both LLVM and the kernel (#1356)
- CIDR network policy is now visible in cilium endpoint get (#1328)
- Set minimum amount of compilation workers to 4 (#1227)
- Removed local backend (#1235)
- Reduced use of cgo in bpf packages (#1275)
- Do sparse checks during BPF compilation (#1175)
- New cilium bpf lb list command (#1317)
- New optimized kvstore interaction code (#1365, #1397, #1370)
- The access log now includes a SHA hash for each reported label to allow for validation with the kvstore (#1425)
CI
- Improved CI testing infrastructure (#1262, #1207, #1380, #1373, #1390, #1385, #1410)
- Upgraded to kubeadm 1.7.0 (#1179)
Documentation
- Multi networking documentation (#1244)
- Documentation of the policy specification (#1344)
- New improved top level structuring of the sections (#1344)
- Example for etcd configuration file (#1268)
- Tutorial on how to use cilium monitor for troubleshooting (#1451)
Mesos
Kubernetes
- Added support for Custom Resource Definition (CRD). Be aware that parallel usage of CRD and Third Party Resources (TPR) leads to unexpected behaviour. See cilium.link/migrate-tpr for more details. Upgrade your CiliumNetworkPolicy resources to cilium.io/v2 in order to use CRD. Keep them at cilium.io/v1 to stay on TPR. (#1169, #1219)
- The CiliumNetworkPolicy resource now has a status field which contains the status of each node enforcing the policy (#1354)
- Added RBAC rules for v1/NetworkPolicy (#1188)
- Upgraded Kubernetes example to 1.7.0 (#1180)
- Delay pod healthcheck for 180 seconds to account for endpoint restore (#1271)
- Added tolerations to DaemonSet to schedule Cilium onto master nodes as well (#1426)