Releases: cilium/cilium
0.10.1 release
Bug Fixes
- Fixed an issue where service IDs were leaked in etcd/consul. Services have
been moved to a new prefix in the kvstore. Old, leaked service IDs are
automatically removed when a fixed cilium-agent is started. (#1182, #1195)
- Fixed accuracy of policy revision field. The policy revision field was bumped
after policy for an endpoint was recalculated. The policy revision field is
now bumped after complete synchronization with the datapath has occurred
(#1196)
- Fixed graceful connection closure where final ACK after FIN+ACK was dropped
(#1186)
- Fixed unnecessary consumer map deletion attempt which resulted in confusion
due to warning log messages (#1206)
- Fixed stateful connection recognition of reply|related packets from an
endpoint to the host. This resulted in reply packets getting dropped if the
path from endpoint to host was restricted by policy but a connection from
the host to the endpoint was permitted (#1211)
- Fixed debian packages build process (#1153)
- Fixed a typo in the getting started guide examples section (#1213)
- Fixed Kubernetes CI test to use locally built container image (#1188)
- Fixed logic which picks up Kubernetes log files on failed CI test runs (#1169)
Kubernetes
- Added support for Custom Resource Definition (CRD). Be aware that parallel
usage of CRD and Third Party Resources (TPR) leads to unexpected behaviour.
See cilium.link/migrate-tpr for more details. Upgrade your
CiliumNetworkPolicy resources to cilium.io/v2 in order to use CRD. Keep them
at cilium.io/v1 to stay on TPR. (#1169, #1219)
- Added RBAC rules for v1/NetworkPolicy (#1188)
- Upgraded to kubeadm 1.7.0 (#1179)
- Upgraded Kubernetes example to 1.7.0 (#1180)
0.10 release
Major features
- CIDR based filter for ingress and egress (#886)
- New simplified encapsulation mode. It no longer requires any network
configuration; the IP of the VM/host is automatically used as tunnel
endpoint across the mesh. There is no longer a need to configure any routes
for the container prefixes in the cloud network or the underlying fabric.
The node prefix to node IP mapping is automatically derived from the
Kubernetes PodCIDR (#1020, #1013, #1039)
- When accessing external networks, outgoing traffic is automatically
masqueraded without requiring a masquerade rule to be installed manually.
This behaviour can be disabled with --masquerade=false (#1020)
- Support to handle arbitrary IPv4 cluster prefix sizes. This was previously
required to be a /8 prefix. It can now be specified with
--ipv4-cluster-cidr-mask-size (#1094)
- Cilium monitor has been enabled with a neat one-liner mode which is on by
default. It is similar to tcpdump but provides high level metadata such as
container IDs, endpoint IDs, security identities (#1112)
- The agent policy repository now includes a revision which is returned after each
change of the policy. A new command cilium policy wait can be used to wait
until all endpoints have been updated to enforce the new policy revision
(#1115)
- cilium endpoint get now supports get -l <set of labels> and
get <endpointID | pod-name:namespace:k8s-pod | container-name:name> (#1139)
- Improve label source concept. Users can now match the source of a
particular label (e.g. k8s:app=foo, container:app=foo) or match on any
source (e.g. app=foo, any:app=foo) (#905)
Documentation
- CoreOS installation guide
Mesos
Kubernetes
- Drop support for extensions/v1beta1/NetworkPolicy and support
networking.k8s.io/v1/NetworkPolicy (#1150)
- Allow fine-grained inter-namespace policy control. It is now possible to
specify policy rules which allow individual pods from another namespace to
access a pod (#1103)
- The CiliumNetworkPolicy ThirdPartyResource now supports carrying a list of
rules to update atomically (#1055)
- The example DaemonSet now schedules Cilium pods onto nodes which are not
ready to allow deploying Cilium on a cluster with a non-functional CNI
configuration. The Cilium pod will automatically configure CNI properly.
(#1075)
- Automatically derive node address prefix from Kubernetes (PodCIDR) (#1026)
- Automatically install CNI loopback driver if required (#860)
- Do not overwrite existing 10-cilium.conf CNI configuration if it already
exists (#871)
- Full RBAC support (#873, #875)
- Correctly implement ClusterIP portion of k8s service types LoadBalancer and
NodePort (#1098)
- The cilium and consul pod in the example DaemonSet now have health checks
(#925, #938)
- Correctly ignore headless services without a warning in the log (#932)
- Derive node-name automatically (#1090)
- Labels are now attached to endpoints instead of containers. This allows
supporting labels attached to things other than containers (#1121)
CI
- Added Kubernetes getting started guide to CI test suite (#894)
- L7 stress tests (#1108)
- Automatically verify documentation links (#896)
- Kubernetes multi node testing environment (#980)
- Massively reduced build&test time (#982)
- Gather logfiles on failure (#1017, #1045)
- Guarantee isolation in between VMs for separate PRs CI runs (#1075)
More features
- Cilium load balancer can now encapsulate packets and carry the service-ID in
the packet (#912)
- The filtering mechanism which decides which labels should be used for
security identity determination now supports regular expressions (#918)
- Extended logging information of L7 requests in proxy (#964, #973, #991,
#998, #1002)
- Improved rendering of cilium service list (#934)
- Upgraded to etcd 3.2.1 (#959)
- More factoring out of agent into separate packages (#975, #985)
- Reduced cgo usage (#1003, #1018)
- Improve logging of BPF generation errors (#990)
- cilium policy trace now supports verbose output (#1080)
- Include bpf-map tool in cilium container image (#1088)
- Carrying of security identities across the proxy (#1114)
Fixes
- Fixed use of IPv6 node addresses which are already configured on the
system (#819)
- Enforce minimal etcd and consul versions (#911)
- Connection tracking entries now get automatically cleaned if new policy no
longer allows the connection (#794)
- Report status message in cilium status if a component is in error state
(#874)
- Create L7 access log file if it does not exist (#881)
- Report kernel/clang versions on compilation issues (#888)
- Check that cilium binary is installed when agent starts up (#892)
- Fix checksum error in service + proxy redirection (#1011)
- Stricter connection tracking connection creation criteria (#1027)
- Cleanup of leftover veth if endpoint setup failed midway (#1122)
- Remove stale ids also from policy map (#1135)
0.9 release
Features
- Core
  - New simplified policy language (#670)
  - Option to choose between a global (#default) and per endpoint connection tracking table (#659)
  - Parallel endpoint BPF program & policy builds (#424, #587)
  - Fluentd logging integration (#758)
  - IPv6 proxy redirection support (#818)
  - Transparent ingress proxy redirection (#773)
  - Consider all labels for identity except dynamic k8s state labels (#849)
  - Reduced size of cilium binary from 27M to 17M (#554)
  - Add filtering support to cilium monitor (#673)
  - Allow rule now supports matching multiple labels (#638)
  - Separate runtime state and template directory for security reasons (#537)
  - Ability to specify L4 destination port in policy trace (#650)
  - Improved log readability (#499)
  - Optimized connection tracking map updates per packet (#829)
  - New --kvstore and --kvstore-opt flag (Replaces --consul, --etcd, --local flags) (#767)
  - Configurable clang path (#620)
  - Updated CNI to 5.2.0 (#529)
  - Updated Golang to 1.8.3 (#853)
  - Bump k8s client to v3.0.0-beta.0 (#646)
- Kubernetes
  - Support L4 filtering with v1beta1.NetworkPolicyPort (#638)
  - ThirdPartyResources support for L3-L7 policies (#795, #814)
  - Per pod policy enablement based on policy selection (#815)
  - Support for full LabelSelector (#753)
  - Option to always allow localhost to reach endpoints (#auto on with k8s) (#754)
  - RBAC ClusterRole, ServiceAccount and bindings (#850)
  - Scripts to install and uninstall CNI configuration (#745)
- Documentation
Fixes
- Core
  - Endpoints are displayed in ascending order (#474)
  - Warn about insufficient kernel version when starting up (#505)
  - Work around Docker <17.05 disabling IPv6 in init namespace (#544)
  - Fixed a connection tracking expiry bug (#828)
  - Only generate human readable ASM output if DEBUG is enabled (#599)
  - Switch from package syscall to x/sys/unix (#588)
  - Remove tail call map on endpoint leave (#736)
  - Fixed ICMPv6 to service IP with LB back to own IP (#764)
  - Respond to ARP also when temporary drop all policy is applied. (#724)
  - Fixed several BPF resource leakages (#634, #684, #732)
  - Fixed several L7 parser policy bugs (#512)
  - Fixed tc call to specify prio and handle for replace (#611)
  - Fixed off by one in consul connection retries (#610)
  - Fixed lots of documentation typos
  - Fix addition/deletion order when updating endpoint labels (#647)
  - Graceful exit if lack of privileges (#694)
  - Use same tuple struct for both global and local CT (#822)
  - bpf/init.sh: More robust deletion of routes. (#719)
  - lxc endianness & src validation fixes (#747)
- Kubernetes
  - Correctly handle k8s NetworkPolicy matchLabels (#638)
  - Allow all sources if []NetworkPolicyPeer is empty or missing (#638)
  - Fix if k8s API server returns nil label (#567)
  - Do not error out if k8s node does not have a CIDR assigned (#628)
  - Only attempt to resolve CIDR from k8s API if client is available (#608)
  - Log error if invalid k8s NetworkPolicy objects are received (#617)
0.9.0-rc1
Documentation: Adjust getting started guide to TPR policy Signed-off-by: Thomas Graf <thomas@cilium.io>
0.8.2 Release
0.8.1 release
Cilium 0.8.0
release: 0.8.0 release \o/ Signed-off-by: Thomas Graf <thomas@cilium.io>