Releases: cilium/cilium

1.0.0-rc10

06 Apr 17:07

API preparation for 1.0

We have changed the base prefix of the API from /v1beta to /v1 🎉. The API will become stable with the 1.0 release. This makes client binaries with version < 1.0.0-rc10.

Bugfixes Changes

  • policymap: Avoid using golang arrays in entry (#3506, @joestringer)
  • etcd: Run etcd version check in the background (#3499, @tgraf)
  • Test: Fix bugtool on kubernetes 1.7 (#3487, @eloycoto)
  • Fix L4-only policy egress to world and CIDR-only egress to world (#3486, @joestringer)
  • proxy: Use the same proxy map size as in BPF (#3485, @rlenglet)
  • bpf: Do not route packets from egress proxy back into cilium_host (#3473, @tgraf)
  • Continue to show timestamps in error cases in CiliumNetworkPolicy NodeStatus. (#3461, @aanm)
  • policy: Add missing EntitySlice autogen code (#3458, @raybejjani)
  • Fix l3-dependent L4/L7 rules applying to CIDR egress traffic (#3434, @joestringer)


1.0.0-rc9

02 Apr 22:03

Upgrade Instructions

No special upgrade instructions are required. Please follow the upgrade instructions in the following simple guide: http://docs.cilium.io/en/latest/install/upgrade/

Bugfixes Changes

  • Fix entity dependent L4 enforcement (#3451, @tgraf)
  • cli: Fix cilium bpf policy get (#3446, @tgraf)
  • Fix CIDR ingress lookup (#3406, @joestringer)
  • xds: Handle NACKs of initial versions of resources (#3405, @rlenglet)
  • datapath: fix egress to world entity traffic, add e2e test (#3386, @ianvernon)
  • bug: Fix panic in health server logs if /healthz didn't respond before checking status (#3378, @nebril)
  • pkg/policy: remove fromEntities and toEntities from rule type (#3375, @ianvernon)
  • Fix IPv4 CIDR lookup on older kernels (#3366, @joestringer)
  • Fix egress CIDR policy enforcement (#3348, @tgraf)
  • envoy: Fix concurrency issues in Cilium xDS server (#3341, @rlenglet)
  • Fix bug where policies associated with stale identities remain in BPF policy maps, which could lead to "Argument list too long" errors while regenerating endpoints (#3321, @joestringer)
  • Update CI and docs : kafka zookeeper connection timeout to 20 sec (#3308, @manalibhutiyani)
  • Reject CiliumNetworkPolicy rules which do not have EndpointSelector field (#3275, @ianvernon)
  • Envoy: delete proxymap on connection close (#3271, @jrajahalme)
  • Fix nested cmdref links in documentation (#3265, @joestringer)
  • completion: Fix race condition that can cause panic (#3256, @rlenglet)
  • Additional NetworkPolicy tests and egress wildcard fix (#3246, @tgraf)
  • Add timeout for getting etcd session (#3228, @nebril)
  • conntrack: Cleanup egress entries and distinguish redirects per endpoint (#3221, @rlenglet)
  • Silence warnings during endpoint restore (#3216, @tgraf)
  • Fix MTU connectivity issue with external services (#3205, @joestringer)
  • endpoint: Don't fail with fatal on l4 policy application (#3199, @tgraf)
  • Add new Kafka Role to the docs (#3186, @manalibhutiyani)
  • Fix log records for Kafka responses (#3127, @tgraf)


1.0.0-rc8

19 Mar 13:56

RBAC Upgrade Warning

This release contains a change in the Kubernetes RBAC file. Upgrading by modifying the image version is not enough. Please see http://docs.cilium.io/en/latest/install/upgrade/

Major Changes

  • Bump kubernetes minimal version supported to 1.7 (#3102, @aanm)
  • Add Kafka roles to simplify policy specification language (#2997, @manalibhutiyani)
  • Add support for label-based policies on egress (#2878, @ianvernon)
  • Add mapping of endpoint IPs to security identities in the key-value store. Watch the key-value store for updates and cache them locally per agent. (#2875, @ianvernon)
  • Cilium exports CiliumEndpoint objects to kubernetes clusters. (#2772, @raybejjani)

Bugfixes Changes

  • pkg/ipcache: check if event type is EventTypeListDone before unmarshal of value (#3193, @ianvernon)
  • proxy: envoy: use url.Parse() to generate URL field (#3188, @tgraf)
  • Fix bug where IPv6 proxy map entries were never garbage collected (#3181, @joestringer)
    • Log failure to insert into proxymap as its own monitor drop log
    • Lower timeout for bpf proxy map entries (now 12 minutes)
  • Kafka CI: Add a WaitKafkaBroker to wait for Kafka broker to be up before produce/consume (#3156, @manalibhutiyani)
  • GinkgoRuntime CI: Avoid possible race between Kafka consume and produce (#3153, @manalibhutiyani)
  • Documentation: Fix generated links when documentation is built from tags (#3128, @tgraf)
  • Create a new identity when endpoint labels change and reassign the identity based on all endpoint labels when restoring (#3104, @aanm)
  • Fix cilium status of k8s CRD watcher when unable to set up k8s client (#3103, @aanm)
  • examples/mesos: Change ubuntu VB to be correct version (#3094, @jmuzsik)
  • cilium status: Fix exit code when components are disabled (#3069, @tgraf)
  • Fix L4-only policy enforcement on ingress without fromEndpoints selector (#2992, @joestringer)
  • Add compatibility for kubernetes 1.11 (#2966, @aanm)
  • Remove proxymap entry after closing connection (#3190, @tgraf)

Other Changes

  • examples: Provide simple etcd standalone deployment example (#3167, @tgraf)
  • Report policy revision implemented by the proxy in Endpoint model (#3151, @joestringer)
  • Ginkgo: Add an option to run tests in different VMs (#3120, @eloycoto)
  • Support a larger number of CIDR prefixes when running on older kernels. Now limited by the number of unique prefix lengths in the policies for an endpoint, which should be less than forty. (#3119, @joestringer)
  • Only expose cilium-health API over unix socket by default (#3096, @joestringer)
  • Reject policies that contain rules with more than one L3 match in a single rule (#3015, @joestringer)

1.0.0-rc7 release

08 Mar 22:59

Bugfixes Changes

  • add "update" verb for customresourcedefinitions in cilium DaemonSet spec file (#3052, @aanm)
  • bpf: Move calls map to temporary location and remove after filter replacement (#3049, @tgraf)
  • bpf: Remove policy maps of programs loaded in init.sh (#3042, @tgraf)
  • agent: Fix manual endpoint regeneration (#3040, @tgraf)
  • Fix cilium CRD update in case schema validation changes (#3029, @aanm)
  • examples/getting-started: Fix failure to install docker (#3020, @tgraf)
  • bpf: Retry opening map after initial error (#3018, @tgraf)
  • consul: Report modified keys even if previously not known (#3013, @tgraf)
  • Restore error behaviour of endpoint config updates (#3054, @ianvernon)


1.0.0-rc6

02 Mar 22:14

1.0.0-rc5

28 Feb 00:02

Bugfixes Changes

  • Fix BPF policy map specification inconsistency between BPF programs (#2953 @joestringer)
  • k8s: Do not attempt to sync headless services to datapath (#2937 @tgraf)
  • identity cache: Support looking up reserved identities (#2922 @tgraf)
  • Fix IPv4 L4 egress policy enforcement with service port mapping (#2912 @joestringer)
  • Fix kubernetes default deny policy for kubernetes 1.7 (#2887 @aanm)
  • Log Kafka responses (#2881 @tgraf)
  • Several fixes to support long-lived persistent connections (#2855 @tgraf)
  • Clean endpoint BPF map on daemon start (#2814 @mrostecki)

Other Changes

  • Add documentation on how to retrieve overall health of cluster (#2944 @tgraf)
  • monitor: Introduce channel to buffer notifications and listeners (#2933 @tgraf)
  • bpf: Warn if another program is using a VXLAN device (#2929 @tgraf)
  • Make Kafka K8s GSG CI tests work on multinode setup (#2926 @manalibhutiyani)
  • Add proxy status to cilium status (#2894 @tgraf)
  • contrib: Add script to run cilium monitor on all k8s nodes (#2867 @tgraf)
  • Update example cilium-ds.yaml files to support rolling updates. (#2865 @ashwinp)
  • Add cluster health summary to cilium status (#2858 @joestringer)
  • Consistently use -o json as the CLI arguments for printing JSON output across all commands that support JSON output (#2852 @joestringer)
  • Simplify output of cilium status by default, add new --verbose, --brief options (#2821 @joestringer)
  • Ginkgo : Support K8s CI Coverage for Kafka GSG (#2806 @manalibhutiyani)

1.0.0-rc4

16 Feb 16:24

Major Changes

  • api: Introduce & expose endpoint controller statuses (#2720, @tgraf)
  • More scalable kvstore interaction layer (#2708, @tgraf)
  • Add agent notifications & access log records to monitor (#2667, @tgraf)
  • Remove oxyproxy and make Envoy the default proxy (#2625, @jrajahalme)
  • New controller pattern for async operations that can fail (#2597, @tgraf)
  • Add cilium-health endpoints for datapath connectivity probing (#2315, @joestringer)

Bugfixes Changes

  • Avoid concurrent access of rand.Rand (#2823, @tgraf)
  • kafka: Use policy identity cache to lookup identity for L3 dependent rules (#2813, @manalibhutiyani)
  • envoy: Set source identity correctly in access log. (#2807, @jrajahalme)
  • replaced sysctl invocation with echo redirects (#2789, @aanm)
  • Set up the k8s watchers based on the kube-apiserver version #2731 (#2735, @aanm)
  • bpf: Use upper 16 bits of mark for identity (#2719, @tgraf)
  • bpf: Generate BPF header in order after generating policy (#2718, @tgraf)
  • Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional. (#2699, @ianvernon)
    • Gracefully handle when these objects are nil when we are parsing NetworkPolicy.
  • Enforce policy update immediately on ongoing connections #2569 #2408 (#2684, @aanm)
  • envoy: fix rule regex matching by host (#2649, @aanm)
  • Kafka: Correctly check msgSize in ReadResp before discarding. (#2637, @manalibhutiyani)
  • Fix envoy deadlock after first crash (#2633, @aanm)
  • kafka: Reject requests on empty rule set (#2619, @tgraf)
  • CNP CRD schema versioning (#2614, @nebril)
  • Fix race while updating L7 proxy redirect in L4PolicyMap (#2607, @joestringer)
  • Don't allow API users to modify reserved labels for endpoints. (#2595, @joestringer)

v1.0.0-rc2

04 Dec 06:11

Major Changes

  • Tech preview of Envoy as Cilium HTTP proxy, adding HTTP2 and gRPC support. (#1580, @jrajahalme)
  • Introduce "cilium-health", a new tool for investigating cluster connectivity issues. (#2052, @joestringer)
  • cilium-agent collects and serves prometheus metrics (#2127, @raybejjani)
  • bugtool and debuginfo (#2044, @scanf)
  • Add nightly test infrastructure (#2212, @ianvernon)
  • Separate ingress and egress default deny modes with better control (#2156, @manalibhutiyani)
  • k8s: add support for IPBlock and Egress Rules with IPBlock (#2096, @ianvernon)
  • Kafka: Support access logging for Kafka requests/responses (#1870, @manalibhutiyani)
  • Added cilium endpoint log command that returns the endpoint's status log (#2060, @raybejjani)
    • Change endpoint status log in cilium endpoint get to show only the most recent log
  • Routes connecting the host to the Cilium IP space are now implemented as
    an individual route for each node in the cluster. This allows assigning IPs
    which are part of the cluster CIDR to endpoints outside of the cluster
    as long as the IPs are never used as node CIDRs. (#1888, @tgraf)
  • Standardized structured logging (#1801, #1828, #1836, #1826, #1833, #1834, #1827, #1829, #1832, #1835, @raybejjani)

Bugfixes Changes

  • Fix L4Filter JSON marshalling (#1871, @joestringer)
  • Fix swapped src dst IPs on Conntrack related messages on the monitor's output (#2228, @aanm)
  • Fix output of cilium endpoint list for endpoints using multiple labels. (#2225, @aanm)
  • bpf: fix verifier error in daemon debug mode with newer LLVM versions (#2181, @borkmann)
  • pkg/kvstore: fixed race in internal mutex map (#2179, @aanm)
  • Proxy ingress policy fix for LLVM 4.0 and greater. Resolves return code 500 'Internal Error' seen with some policies and traffic patterns. (#2162, @jrfastab)
  • Printing patch clang and kernel patch versions when starting cilium. (#2137, @aanm)
  • Clean up Connection Tracking entries when a new policy no longer allows it. #1667, #1823 (#2136, @aanm)
  • k8s: fix data race in d.loadBalancer.K8sEndpoints (#2129, @aanm)
  • Add internal queue for k8s watcher updates #1966 (#2123, @aanm)
  • k8s: fix missing deep copy when updating status (#2115, @aanm)
  • Accept traffic to Cilium in FORWARD chain (#2112, @tgraf)
    • Also clear the masquerade bit in the FORWARD chain to skip the masquerade rule installed by kube-proxy
  • Fix SNAT issue in combination with kube-proxy, when masquerade rule installed by kube-proxy takes precedence over rule installed by Cilium. (#2108, @tgraf)
  • Fixed infinite loop when importing CNP to kubernetes with an empty kafka version (#2090, @aanm)
  • Mark cilium pod as CriticalPod in the DaemonSet (#2024, @manalibhutiyani)
  • proxy: Provide identities { host | world | cluster } in SourceEndpoint (#2022, @manalibhutiyani)
  • In kubernetes mode, fixed bug that was allowing cilium to start up even if the kubernetes api-server was not reachable #1973 (#2014, @aanm)
  • Support policy with EndpointSelector missing (#1987, @raybejjani)
  • Implemented deep copy functionality when receiving events from kubernetes watcher #1885 (#1986, @aanm)
  • pkg/labels: Filter out pod-template-generation label (#1979, @michi-covalent)
  • bpf: Double timeout on building BPF programs (#1949, @raybejjani)
  • policy: add PolicyTrace msg to AllowsRLocked() when L4 policies not evaluated (#1939, @gnahckire)
  • Handle Kafka responses correctly (#1924, @manalibhutiyani)
  • bpf: Avoid excessive proxymap updates (#2210, @joestringer)
  • cilium-agent correctly restarts listening for CiliumNetworkPolicy changes when it sees decoding errors (#1899, @raybejjani)

Other Changes

  • Automatically generate command reference of agent (#2223, @tgraf)
  • Access log rotation support with backup compression and automatic deletion support. (#1995, @manalibhutiyani)
  • kubernetes examples support prometheus metrics scraping (along with sample prometheus configuration) (#2192, @raybejjani)
  • Start serving the cilium API almost immediately while restoring endpoints on the background. (#2116, @aanm)
  • Added cilium endpoint healthz command that returns a summary of the endpoint's health (#2099, @raybejjani)
  • Documentation: add a CLI reference section (#2079, @scanf)
  • Documentation: add support for tabs via plugin (#2078, @scanf)
  • Feature Request: Add option to disable loadbalancing (#2048, @manalibhutiyani)
  • monitor: reduce overhead (#2037, @scanf)
  • Use auto-generated client to communicate with kube-apiserver (#2007, @aanm)
  • Documented kubernetes API Group usage in docs (#1989, @raybejjani)
    • cilium status returns which kubernetes API Groups are supported/used by the agent
  • doc: Add Kafka policy documentation (#1970, @tgraf)
  • Add Pull request and issue template (#1951, @tgraf)
  • Update Vagrant images to ubuntu 17.04 for the getting started guides (#1917, @aanm)
  • Add CONTRIBUTING.md (#1898, @tgraf)
  • Introduction of release notes gathering script in use by the Kubernetes project (#1893, @tgraf)
  • node: Install individual per node routes (#1888, @tgraf)
  • Add CLI for dumping BPF endpoint map (lxcmap) (#1854, @joestringer)
  • add command for resetting agent state (#1678, @scanf)
  • Improved CI testing infrastructure and fixed several test flakes (#1848, #1865)
  • Foundation of new Ginkgo build-driven-development framework for CI (#1733)

1.0.0-rc1

27 Nov 18:07
Pre-release

0.11 release

10 Sep 04:09

Bug Fixes

  • Fixed an issue where service IDs were leaked in etcd/consul. Services have
    been moved to a new prefix in the kvstore. Old, leaked service IDs are
    automatically removed when a fixed cilium-agent is started. (#1182, #1195)
  • Fixed accuracy of policy revision field. The policy revision field was bumped
    after policy for an endpoint was recalculated. The policy revision field is
    now bumped after complete synchronization with the datapath has occurred
    (#1196)
  • Fixed graceful connection closure where final ACK after FIN+ACK was dropped
    (#1186)
  • Fixed several bugs in endpoint restore functionality where endpoints were not
    correctly recovered after agent restart (#1140, #1242, #1330, #1338)
  • Fixed unnecessary consumer map deletion attempt which resulted in confusion
    due to warning log messages (#1206)
  • Fixed stateful connection recognition of reply|related packets from an
    endpoint to the host. This resulted in reply packets getting dropped if the
    path from endpoint to host was restricted by policy but a connection from
    the host to the endpoint was permitted (#1211)
  • Fixed debian packages build process (#1153)
  • Fixed a typo in the getting started guide examples section (#1213)
  • Fixed Kubernetes CI test to use locally built container image (#1188)
  • Fixed logic which picks up Kubernetes log files on failed CI testruns (#1169)
  • Agent now fails during bootup if kvstore cannot be reached (#1266)
  • Fixed the L7 redirection logic to only report the new PolicyRevision after
    the proxy has started listening on the port. This resolves a race condition
    when deploying both policy and workload at the same time and the proxy is not
    up yet. (#1286)
  • Fixed a bug in cilium monitor memory allocation with regard to handling data
    from the perf ring buffer (#1304)
  • Correctly ignore policy resources with an empty ruleset (#1296, #1297)
  • Ignore the controller-revision-hash label to derive security identity (#1320)
  • Removed ip: field name for CIDR policy rules, CIDR rules are now a slice of
    strings describing prefixes (#1322)
  • Ignore Kubernetes annotations done by cilium which show up as labels on the
    container when deriving security identity (#1338)
  • Increased the ReadTimeout of the HTTP proxy to 120 seconds (#1349)
  • Fixed use of node address when running with IPv4 disabled (#1260)
  • Several fixes around when an endpoint should go into policy enforcement for
    Kubernetes and non-Kubernetes environments (#1328)
  • When creating the Kubernetes client, wait for Kubernetes cluster to be in
    ready state (#1350)
  • Fixed drop notifications to include as much metadata as possible (#1427, #1444)
  • Fixed a bug where the compilation of the base programs and writing of header
    files could occur in parallel with compilation of programs for endpoints which
    could lead to temporary compilation errors (#1440)
  • Fail gracefully when configuring more than the maximum supported L4 ports in
    the policy (#1406)
  • Fixed a bug where not all policy rules were JSON validated before sending
    them to the agent (#1406)
  • Fixed a bug in the SHA256 calculation (#1454)
  • Fixed the datapath to differentiate the packets from a regular local process
    and packets originating from the proxy (previously redirected to by the
    datapath). (#1459)

Features

  • The monitor now supports multiple readers; you can run cilium monitor
    multiple times in parallel. All monitors will see all events. (#1288)
  • cilium policy trace can now trace policy decisions based on Kubernetes pod
    names, security identities, endpoint IDs and Kubernetes YAML resources
    (Deployments, ReplicaSets, ReplicationControllers, Pods)
  • It is now possible to reach the local host on IPs which are within the
    overall cluster prefix (#1394)
  • The cilium identity get CLI and API can now resolve global identities with
    the help of the kvstore (#1313)
  • Use new probe functionality of LLVM to automatically use new BPF compare
    instructions if supported by both LLVM and the kernel (#1356)
  • CIDR network policy is now visible in cilium endpoint get (#1328)
  • Set minimum amount of compilation workers to 4 (#1227)
  • Removed local backend (#1235)
  • Reduced use of cgo in bpf packages (#1275)
  • Do sparse checks during BPF compilation (#1175)
  • New cilium bpf lb list command (#1317)
  • New optimized kvstore interaction code (#1365, #1397, #1370)
  • The access log now includes a SHA hash for each reported label to allow for
    validation with the kvstore (#1425)

Documentation

  • Multi networking documentation (#1244)
  • Documentation of the policy specification (#1344)
  • New improved top level structuring of the sections (#1344)
  • Example for etcd configuration file (#1268)
  • Tutorial on how to use cilium monitor for troubleshooting (#1451)

Mesos

  • Getting started guide with L7 policy example (#1301, #1246)

Kubernetes

  • Added support for Custom Resource Definition (CRD). Be aware that parallel
    usage of CRD and Third party Resources (TPR) leads to unexpected behaviour.
    See cilium.link/migrate-tpr for more details. Upgrade your
    CiliumNetworkPolicy resources to cilium.io/v2 in order to use CRD. Keep them
    at cilium.io/v1 to stay on TPR. (#1169, #1219)
  • The CiliumNetworkPolicy resource now has a status field which contains the
    status of each node enforcing the policy (#1354)
  • Added RBAC rules for v1/NetworkPolicy (#1188)
  • Upgraded Kubernetes example to 1.7.0 (#1180)
  • Delay pod healthcheck for 180 seconds to account for endpoint restore (#1271)
  • Added tolerations to DaemonSet to schedule Cilium onto master nodes as well (#1426)