
Releases: cilium/cilium

1.14.3

18 Oct 20:21
v1.14.3

We are pleased to release Cilium v1.14.3. This is a bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487, also known as HTTP/2 Rapid Reset) and other bugs:

Summary of Changes

Minor Changes:

  • bump grpc dependency to 1.56.3 to fix security vulnerability GHSA-qppj-fm5r-hxr3 (#28527, @aanm)
  • Cut Cilium's initialization time for clusters with a large number of Kubernetes and Cilium Network Policies by 90% (Backport PR #28282, Upstream PR #28173, @aanm)
  • endpoint: Only perform the full policy map synchronization periodically (every 15 minutes) to reduce overhead with large endpoint policy maps (Backport PR #28095, Upstream PR #27693, @joamaki)
  • ipam: report IP owner of non-default pool IPs in multi-pool IPAM (Backport PR #28095, Upstream PR #27968, @tklauser)
  • metrics: add a metric for max observed endpoint ifindex (Backport PR #28282, Upstream PR #27953, @asauber)
  • metrics: Add map pressure metric for auth map (Backport PR #28442, Upstream PR #28357, @sayboras)
  • vendor, azure: Bump Azure SDK to Aug 2021 (Backport PR #28330, Upstream PR #28311, @christarazi)
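
The CVE-2023-44487 fix in this release is a dependency bump (gRPC-Go to 1.56.3 here; the 1.13 and 1.12 releases further down also bump golang.org/x/net to v0.17.0 for the same advisory), so the practical check is what a deployed agent binary actually vendors. The Go program below is an added example written for this page, not Cilium code: it parses the output of `go version -m <binary>`, which prints the modules compiled into any Go binary, and flags each module that sits below the fixed version, honouring replace directives and refusing to treat an unparsable version as safe. The two `go version -m` excerpts embedded in it are constructed for the example, not captured from a real Cilium build.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding records a vendored module that sits below its fixed version.
type Finding struct{ Module, Found, Fixed string }

// fixed lists, in report order, the minimum versions these notes name for
// CVE-2023-44487: golang.org/x/net v0.17.0 and gRPC-Go 1.56.3 (GHSA-qppj-fm5r-hxr3).
var fixed = []Finding{
	{Module: "golang.org/x/net", Fixed: "v0.17.0"},
	{Module: "google.golang.org/grpc", Fixed: "v1.56.3"},
}

// parseVersion turns "v1.56.3", "v1.56.3-rc1" or a pseudo-version into a sortable
// key: the numeric core plus a fourth field, 1 for a release and 0 for a pre-release.
func parseVersion(v string) (key [4]int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+incompatible" never orders
	core, _, isPre := strings.Cut(v, "-")                  // "-rc1" or a pseudo-version date
	if !isPre {
		key[3] = 1
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return key, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return key, false
		}
		key[i] = n
	}
	return key, true
}

// CompareVersions returns -1, 0 or 1 ordering a against b by semver rules;
// ok is false when either string does not parse (for example "(devel)").
func CompareVersions(a, b string) (cmp int, ok bool) {
	ka, okA := parseVersion(a)
	kb, okB := parseVersion(b)
	if !okA || !okB {
		return 0, false
	}
	for i := range ka {
		if ka[i] < kb[i] {
			return -1, true
		}
		if ka[i] > kb[i] {
			return 1, true
		}
	}
	return 0, true
}

// Audit scans `go version -m <binary>` output and reports each module in fixed
// that the binary vendors below its fixed version. A "dep" line carries the
// selected version; a "=>" line right after it is a replace directive and overrides it.
func Audit(goVersionOutput string) []Finding {
	seen, lastDep := map[string]string{}, ""
	for _, line := range strings.Split(goVersionOutput, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) < 3:
		case f[0] == "dep":
			lastDep = f[1]
			seen[lastDep] = f[2]
		case f[0] == "=>" && lastDep != "":
			seen[lastDep] = f[2]
		}
	}
	var out []Finding
	for _, want := range fixed {
		// A version that does not parse is reported rather than assumed safe.
		if found, present := seen[want.Module]; present {
			if c, ok := CompareVersions(found, want.Fixed); !ok || c < 0 {
				out = append(out, Finding{want.Module, found, want.Fixed})
			}
		}
	}
	return out
}

// Constructed excerpts of `go version -m cilium-agent`, not captured from a
// real build: one predating the bumps, one carrying them (grpc via a replace).
const SampleBeforeBump = `cilium-agent: go1.20.8
	dep	golang.org/x/net	v0.15.0	h1:constructed
	dep	google.golang.org/grpc	v1.56.2	h1:constructed
`

const SampleAfterBump = `cilium-agent: go1.20.10
	dep	golang.org/x/net	v0.17.0	h1:constructed
	dep	google.golang.org/grpc	v1.56.2	h1:constructed
	=>	google.golang.org/grpc	v1.56.3	h1:constructed
`

func main() { fmt.Printf("%+v\n", Audit(SampleBeforeBump)) }
```

To audit a real binary, feed the output of `go version -m cilium-agent` to Audit instead of the constructed sample. This checks only the Go modules compiled into that one binary; Envoy and Hubble Relay are separate binaries with their own dependency sets and need their own checks.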

Bugfixes:

  • bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #28123, Upstream PR #27798, @ti-mo)
  • bpf: overlay: fix missing DBG_DECAP for Inter-Cluster-SNAT (Backport PR #28494, Upstream PR #28466, @julianwiedmann)
  • Change routing-mode and tunnel-protocol based on .Values.tunnel and .Values.routingMode (Backport PR #28282, Upstream PR #27841, @macmiranda)
  • datapath: fix NodePort to remote hostns backend with tunnel config (Backport PR #28494, Upstream PR #27323, @michaelasp)
  • envoy: Sync supported resources to fix not found issue (Backport PR #28349, Upstream PR #28272, @sayboras)
  • Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28442, Upstream PR #28258, @pchaigno)
  • fix bug: pull skb data in cil_from_netdev path for HIGH_SCALE_IPCACHE mode (Backport PR #28095, Upstream PR #27913, @sofat1989)
  • Fix Gateway API HttpRoute cannot strip path prefix. (Backport PR #28282, Upstream PR #28018, @chaunceyjiang)
  • Fix hubble metric labeling when only directed Source/Destination Ingress/Egress options are specified. (Backport PR #28095, Upstream PR #27792, @marqc)
  • Fix minor bug where the previous Cilium proxy port was not reused (Backport PR #28127, Upstream PR #27634, @christarazi)
  • Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28282, Upstream PR #28133, @julianwiedmann)
  • Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #28435, Upstream PR #28417, @ti-mo)
  • Fix: Gateway API double slash while stripping path prefix (Backport PR #28442, Upstream PR #28294, @nxy7)
  • Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28282, Upstream PR #27996, @jschwinger233)
  • fqdn proxy: fix data race by using separate sessionUDPFactories (Backport PR #28282, Upstream PR #28163, @mhofstetter)
  • ipam/multipool: Fix bug where allocator was unable to update CiliumNode (Backport PR #28095, Upstream PR #27963, @gandro)
  • ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (Backport PR #28418, Upstream PR #28332, @squeed)
  • Must have port for Service reference (Backport PR #28282, Upstream PR #27959, @chaunceyjiang)
  • pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (Backport PR #28494, Upstream PR #28364, @aanm)
  • pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28095, Upstream PR #27855, @danehans)
  • resource: Fix race condition in handling of Kubernetes object delete event retrying. In the very rare case when an object was created, deleted and re-created with the same name and the handling of the first deletion failed, the handling of delete event may have been retried even though the object was re-created. Only affected features using the Resource-library (LB IPAM, Mutual Auth and ClusterMesh). (Backport PR #28494, Upstream PR #27340, @joamaki)
  • Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport PR #28095, Upstream PR #27908, @julianwiedmann)

Misc Changes:

  • [Docs] Clarify ClusterMesh troubleshooting steps when KVStoreMesh is enabled (Backport PR #28282, Upstream PR #27691, @weizhoublue)
  • Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (Backport PR #28282, Upstream PR #27870, @joamaki)
  • bugtool: various updates to BPF map dump (Backport PR #28282, Upstream PR #28065, @julianwiedmann)
  • bump k8s dependencies to 1.27.6 (#28560, @aanm)
  • chore(deps): update actions/checkout action to v4 (v1.14) (#27944, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (minor) (#27776, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#28078, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#28209, @renovate[bot])
  • chore(deps): update all github action dependencies to v3 (v1.14) (major) (#28101, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#27942, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#28210, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.14) (#28102, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 6c12a0f (v1.14) (#28075, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 8b7844d (v1.14) (#28196, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.8 (v1.14) (#28211, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.1 (v1.14) (#28521, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.2 (v1.14) (#28566, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.10 docker digest to 098d628 (v1.14) (#28623, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 6e1a67e (v1.14) (#28197, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.14) (#28630, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 990350f (v1.14) (#28579, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (v1.14) (#28384, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (v1.14) (#28076, @renovate[bot])
  • chore(deps): update docker/build-push-action action to v5 (v1.14) (#28093, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 92d40ee (v1.14) (#27941, @renovate[bot])
  • chore(deps): update go to v1.20.10 (v1.14) (patch) (#28515, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.14) (#28082, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.14) (#28538, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.14) (#28569, @renovate[bot])
  • chore(deps): update sigstore/cosign-installer action to v3.1.2 (v1.14) (#27943, @renovate[bot])
  • ci: fix AWS EKS K8s versions comment (Backport PR #28282, Upstream PR #28249, @nbusseneau)
  • docs: Add instructions for running LVH against custom kernel (Backport PR #28349, Upstream PR #28305, @brb)
  • docs: Add Makefile and documentation for "fast" development targets (Backport PR #28095, Upstream PR #27931, @aanm)
  • docs: Add more details for the Cluster Mesh key rotation (Backport PR #28282, Upstream PR #28145, @margamanterola)
  • docs: egressgw: document incompatibility with Clustermesh (Backport PR #28095, Upstream PR #27918, @julianwiedmann)
  • docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28282, Upstream PR #28161, @qmonnet)
  • docs: Mention RouteTableInterfacesOffset in system requiremen...

1.13.8

17 Oct 11:49
v1.13.8

We are pleased to release Cilium v1.13.8. This is a bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487, also known as HTTP/2 Rapid Reset) and other bugs:

Summary of Changes

Bugfixes:

  • Add drop notifications from various error paths in the BPF datapath. (Backport PR #28443, Upstream PR #26956, @julianwiedmann)
  • envoy: Sync supported resources to fix not found issue (Backport PR #28350, Upstream PR #28272, @sayboras)
  • Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28443, Upstream PR #28258, @pchaigno)
  • Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28251, Upstream PR #28133, @julianwiedmann)
  • Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28251, Upstream PR #27996, @jschwinger233)
  • ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (Backport PR #28416, Upstream PR #28332, @squeed)
  • pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (Backport PR #28519, Upstream PR #28364, @aanm)
  • pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28103, Upstream PR #27855, @danehans)

Misc Changes:

  • Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (Backport PR #28251, Upstream PR #27870, @joamaki)
  • bump k8s dependencies to 1.26.9 (#28559, @aanm)
  • chore(deps): update all github action dependencies (v1.13) (patch) (#28106, @renovate[bot])
  • chore(deps): update all github action dependencies to v3 (v1.13) (major) (#28109, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#28107, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#28213, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.13) (#28110, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.1 (v1.13) (#28525, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.2 (v1.13) (#28567, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.10 (v1.13) (#28516, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 6b29720 (v1.13) (#28212, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.13) (#28083, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (v1.13) (#28385, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a903800 (v1.13) (#28581, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (v1.13) (#27897, @renovate[bot])
  • chore(deps): update docker/build-push-action action to v5 (v1.13) (#28111, @renovate[bot])
  • chore(deps): update github/codeql-action action to v2.21.7 (v1.13) (#28214, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#28112, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.13) (#28543, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.13) (#28572, @renovate[bot])
  • ci: fix AWS EKS K8s versions comment (Backport PR #28350, Upstream PR #28249, @nbusseneau)
  • docs: Add more details for the Cluster Mesh key rotation (Backport PR #28251, Upstream PR #28145, @margamanterola)
  • docs: egressgw: document incompatibility with Clustermesh (Backport PR #28103, Upstream PR #27918, @julianwiedmann)
  • docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28251, Upstream PR #28161, @qmonnet)
  • docs: Mention RouteTableInterfacesOffset in system requirements (Backport PR #28443, Upstream PR #28358, @gandro)
  • docs: rephrasing the hubble intro doc (Backport PR #28103, Upstream PR #27712, @vipul-21)
  • docs: Update Sphinx and its dependencies, Cilium theme (Backport PR #28251, Upstream PR #28172, @qmonnet)
  • Fix potential nil pointer dereference in SelectorManager implementation (Backport PR #28103, Upstream PR #27805, @learnitall)
  • fix(deps): update module golang.org/x/net to v0.17.0 [security] (#28551, @aanm)
  • hubble: Remove spammy debug log message on lost events (Backport PR #28103, Upstream PR #25321, @pchaigno)
  • install/kubernetes: add the cilium/values.yaml target to .PHONY (Backport PR #28350, Upstream PR #28225, @nbusseneau)
  • ipsec: Atomically upgrade XFRM states with new output-mark (Backport PR #28519, Upstream PR #28485, @pchaigno)
  • Update docs theme (Backport PR #28443, Upstream PR #28403, @raphink)
  • Update Hubble UI from v0.11.0 to v0.12.1 (#28534, @rolinh)

1.12.15

18 Oct 07:52
v1.12.15

We are pleased to release Cilium v1.12.15. This is a bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487, also known as HTTP/2 Rapid Reset) and other bugs:

Summary of Changes

Bugfixes:

  • Add drop notifications for various error paths in the datapath. (Backport PR #28437, Upstream PR #25183, @julianwiedmann)
  • Add drop notifications from various error paths in the BPF datapath. (Backport PR #28444, Upstream PR #26956, @julianwiedmann)
  • bpf: fix error handling for invoke_tailcall_if() (Backport PR #28414, Upstream PR #26118, @julianwiedmann)
  • bpf: lxc: fix one missing drop notification in CT lookup tail calls (Backport PR #28351, Upstream PR #26115, @julianwiedmann)
  • envoy: Sync supported resources to fix not found issue (Backport PR #28351, Upstream PR #28272, @sayboras)
  • Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28444, Upstream PR #28258, @pchaigno)
  • Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR #28295, Upstream PR #25426, @bleggett)
  • Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28295, Upstream PR #28133, @julianwiedmann)
  • Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28295, Upstream PR #27996, @jschwinger233)
  • pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28104, Upstream PR #27855, @danehans)

Misc Changes:

  • chore(deps): update all github action dependencies (v1.12) (patch) (#28114, @renovate[bot])
  • chore(deps): update all github action dependencies to v3 (v1.12) (major) (#28116, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.12) (patch) (#27948, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.12) (patch) (#28215, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.12) (#28117, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.1 (v1.12) (#28526, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.2 (v1.12) (#28568, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.10 (v1.12) (#28517, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.12) (#28113, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 0b5642e (v1.12) (#28582, @renovate[bot])
  • chore(deps): update docker/build-push-action action to v4.2.1 (v1.12) (#28115, @renovate[bot])
  • chore(deps): update docker/build-push-action action to v5 (v1.12) (#28118, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.12) (#28119, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.12) (#28544, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.12) (#28573, @renovate[bot])
  • ci: fix AWS EKS K8s versions comment (Backport PR #28295, Upstream PR #28249, @nbusseneau)
  • docs: Add more details for the Cluster Mesh key rotation (Backport PR #28295, Upstream PR #28145, @margamanterola)
  • docs: egressgw: document incompatibility with Clustermesh (Backport PR #28104, Upstream PR #27918, @julianwiedmann)
  • docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28295, Upstream PR #28161, @qmonnet)
  • docs: Mention RouteTableInterfacesOffset in system requirements (Backport PR #28444, Upstream PR #28358, @gandro)
  • docs: Update Sphinx and its dependencies, Cilium theme (Backport PR #28295, Upstream PR #28172, @qmonnet)
  • Fix potential nil pointer dereference in SelectorManager implementation (Backport PR #28104, Upstream PR #27805, @learnitall)
  • fix(deps): update module golang.org/x/net to v0.17.0 [security] (#28552, @aanm)
  • install/kubernetes: add the cilium/values.yaml target to .PHONY (Backport PR #28295, Upstream PR #28225, @nbusseneau)
  • ipsec: Atomically upgrade XFRM states with new output-mark (Backport PR #28564, Upstream PR #28485, @pchaigno)
  • Update docs theme (Backport PR #28444, Upstream PR #28403, @raphink)
  • Update Hubble UI from v0.11.0 to v0.12.1 (#28536, @rolinh)

1.15.0-pre.1

29 Sep 22:42
v1.15.0-pre.1
Pre-release

Summary of Changes

Minor Changes:

  • io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE> and io.cilium.podippool.name: <CiliumPodIPPool_NAME> selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. (#28314, @danehans)
  • Add an option to Cilium to set the persistent keepalive for cilium_wg0 (#27932, @chaunceyjiang)
  • Add Hubble Grafana dashboards: Network and DNS overview (#27751, @lambdanis)
  • Add option to pass api-rate-limit via Helm values (#28239, @ungureanuvladvictor)
  • Add Proxy l7 metrics proxy_type label and Cleanup (#27863, @tommyp1ckles)
  • Add support for filtering on HTTP URLs in Hubble (#28275, @glrf)
  • Allow case-insensitive name for CNI chaining mode (#28050, @asauber)
  • can create the directory for the customized cni conf and remove the cni conf file in cleanup command (#27933, @sofat1989)
  • Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. (#27653, @marseel)
  • CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". (#27976, @danehans)
  • Correlate flows with CiliumNetworkPolicies (#27854, @chancez)
  • Cut Cilium's initialization time for clusters with a large number of Kubernetes and Cilium Network Policies by 90% (#28173, @aanm)
  • daemon: don't wait for presence of unused CiliumNodeConfig CRD (#27684, @akhilles)
  • daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. (#28300, @nathanjsweet)
  • Delete auth map entries for removed Security IDs in SPIRE (#27663, @meyskens)
  • Don't automatically infer ClusterID and ClusterName for external workloads. (#27886, @giorio94)
  • egressgw: reject config with CiliumEndpointSlice (#27984, @julianwiedmann)
  • endpoint: Only perform the full policy map synchronization periodically (every 15 minutes) to reduce overhead with large endpoint policy maps (#27693, @joamaki)
  • Fix inaccurate calculation for bootstrap stats of restore (#27983, @PlatformLC)
  • Fixes name used for disabling KVStoreMesh metrics. (#27680, @marseel)
  • gateway-api: Bump the version to v0.8.1 (#28195, @sayboras)
  • helm: allow annotations to be set for preflight resources (#27860, @bradwhitfield)
  • Ignore StatefulSet-specific labels by default for CID creation. This includes the following two labels: statefulset.kubernetes.io/pod-name and apps.kubernetes.io/pod-index (#28003, @tosi3k)
  • Implement AdvertisedPathAttributes for CiliumBGPNeighbor in the CiliumBGPPeeringPolicy CRD to allow setting BGP Community and Local Preference path attributes for advertised BGP routes. (#27705, @rastislavs)
  • Improve cilium status --verbose and cilium-health status --succinct support to show IPv6 IPs as well (#27912, @chaunceyjiang)
  • ipam: Remove cluster-pool-v2beta code (#27753, @gandro)
  • ipam: report IP owner of non-default pool IPs in multi-pool IPAM (#27968, @tklauser)
  • metrics: add a metric for max observed endpoint ifindex (#27953, @asauber)
  • metrics: Add workqueue metrics (#27042, @ysksuzuki)
  • Mutual Auth: only respond handshake with certificate if security ID is in use on node (#27682, @meyskens)
  • Operator modular metrics (#28005, @pippolo84)
  • operator: Remove identity GC and CES controller legacy metrics (#28166, @pippolo84)
  • The cilium-agent now sets GOMEMLIMIT to the container's memory resource limit, which helps the Go GC to avoid unnecessary OOMs. (#27958, @bimmlerd)
  • The podIPPoolSelector field has been added to CiliumBGPVirtualRouter for selectively advertising multi-pool IPAM CIDRs. (#27100, @danehans)
  • Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (#27498, @jrajahalme)
  • vendor, azure: Bump Azure SDK to Aug 2021 (#28311, @christarazi)
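
GOMEMLIMIT sizing, as an added illustration of the technique the cilium-agent item above describes and not Cilium's own implementation: the Go snippet below reads the cgroup v2 memory.max file (that path is an assumption of the example; cgroup v1 exposes the limit under a different file), keeps a headroom fraction for memory the Go collector cannot reclaim such as pinned BPF maps, mmaps and C library allocations (the 10% figure is assumed for the example, not taken from Cilium), and hands the result to runtime/debug.SetMemoryLimit (Go 1.19 or later). An explicit GOMEMLIMIT in the environment is left alone, since the runtime already honours it.

```go
package main

import (
	"fmt"
	"math"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// cgroupV2MemoryMax is where a cgroup v2 container sees its memory limit.
// The path is an assumption of this example; cgroup v1 exposes
// memory.limit_in_bytes under a different hierarchy instead.
const cgroupV2MemoryMax = "/sys/fs/cgroup/memory.max"

// ParseMemoryMax interprets the contents of memory.max: a byte count, or
// "max" when the container has no limit. ok is false when no usable limit exists.
func ParseMemoryMax(contents string) (limit int64, ok bool) {
	s := strings.TrimSpace(contents)
	if s == "" || s == "max" {
		return 0, false
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n <= 0 {
		return 0, false
	}
	return n, true
}

// GoMemLimit derives the value handed to debug.SetMemoryLimit from the
// container limit, keeping headroomFraction of it free for memory the Go
// collector cannot reclaim (pinned BPF maps, mmaps, C library allocations), so
// the runtime starts collecting before the cgroup OOM killer acts. It returns
// math.MaxInt64, the runtime's "no limit", when there is no usable limit.
func GoMemLimit(containerLimit int64, headroomFraction float64) int64 {
	if containerLimit <= 0 || headroomFraction < 0 || headroomFraction >= 1 {
		return math.MaxInt64
	}
	return int64(float64(containerLimit) * (1 - headroomFraction))
}

// ApplyFromCgroup sets the runtime limit from the cgroup file. An explicit
// GOMEMLIMIT in the environment wins, since the runtime already honours it;
// a negative argument to SetMemoryLimit only queries the current value.
func ApplyFromCgroup(headroomFraction float64) (int64, error) {
	if os.Getenv("GOMEMLIMIT") != "" {
		return debug.SetMemoryLimit(-1), nil
	}
	raw, err := os.ReadFile(cgroupV2MemoryMax)
	if err != nil {
		return 0, err
	}
	limit, _ := ParseMemoryMax(string(raw)) // "max" or garbage yields 0, i.e. no limit
	applied := GoMemLimit(limit, headroomFraction)
	debug.SetMemoryLimit(applied)
	return applied, nil
}

func main() {
	applied, err := ApplyFromCgroup(0.1) // 10% headroom is an assumed value, not Cilium's
	if err != nil {
		fmt.Println("no cgroup v2 memory limit readable:", err)
		return
	}
	fmt.Println("memory limit set to", applied, "bytes")
}
```

Outside a container with a cgroup v2 limit the program reports that the file is not readable and leaves the runtime at its default, which is the safe outcome: an absent limit must never be turned into a small one.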

Bugfixes:

  • bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (#27798, @ti-mo)
  • bug fix: close status collector when daemon exits (#27937, @sofat1989)
  • Change routing-mode and tunnel-protocol based on .Values.tunnel and .Values.routingMode (#27841, @macmiranda)
  • datapath: fix dbg-capture-proxy-[pre/post] reporting (#27704, @mhofstetter)
  • datapath: fix NodePort to remote hostns backend with tunnel config (#27323, @michaelasp)
  • examples: Fix YAML error backendRefs in HTTP Header Modifier (#27871, @haiyuewa)
  • fix bug: pull skb data in cil_from_netdev path for HIGH_SCALE_IPCACHE mode (#27913, @sofat1989)
  • Fix Gateway API HttpRoute cannot strip path prefix. (#28018, @chaunceyjiang)
  • Fix hubble metric labeling when only directed Source/Destination Ingress/Egress options are specified. (#27792, @marqc)
  • Fix minor bug where the previous Cilium proxy port was not reused (#27634, @christarazi)
  • Fix missing packet trace after from-container for reply traffic to the proxy. (#27872, @pchaigno)
  • Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (#28133, @julianwiedmann)
  • Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (#27996, @jschwinger233)
  • fqdn proxy: fix data race by using separate sessionUDPFactories (#28163, @mhofstetter)
  • Implement full CES reconciliation logic in the operator (#26836, @alan-kut)
  • ipam/multipool: Fix bug where allocator was unable to update CiliumNode (#27963, @gandro)
  • IPSec fix for race on init resulting in XfrmIn errors and dropped packets (#28012, @jrfastab)
  • k8s: Restrict configuring reserved:init policy via CNP (#28007, @joestringer)
  • Must have port for Service reference (#27959, @chaunceyjiang)
  • pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (#27855, @danehans)
  • Replace use of strict to true for kubeProxyReplacement in helm chart (#27433, @xtineskim)
  • Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (#27908, @julianwiedmann)

Misc Changes:

  • .github: Build images for vX.Y.Z-pre.N releases (#27862, @joestringer)
  • @eloycoto is no longer an active committer (#27978, @eloycoto)
  • [Docs] Clarify ClusterMesh troubleshooting steps when KVStoreMesh is enabled (#27691, @weizhoublue)
  • Add error check during datapath/loader reinitialization as ApplySettings could return an error while applying sysctl settings. (#27195, @derailed)
  • Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (#27870, @joamaki)
  • Add Schenker to the user list (#27833, @amirkkn)
  • Add WireGuard to the firewall rules documentation (#27170, @joestringer)
  • api: regenerate flow.pb.go (#27852, @Jack-R-lantern)
  • BGP CP: Calls String() Afi/Safi Methods instead of Duplicative Funcs (#28035, @danehans)
  • bgpv1: Consolidate reconciler-specific maps into generic ReconcilerMetadata (#27568, @rastislavs)
  • bpf,fib: refactor lib/fib.h to remove the now redundant code (#26380, @ldelossa)
  • bpf: ct: reuse get_ct_ma...

1.14.2

15 Sep 17:40
v1.14.2

We are pleased to release Cilium v1.14.2.

Known IPsec related issues have been fixed. We encourage users to test this release and report any potentially remaining issues.

Summary of Changes

Minor Changes:

Bugfixes:

  • bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (Backport PR #27381, Upstream PR #26638, @julianwiedmann)
  • cgroups: Fix race to load cgroup.hostRoot option (Backport PR #27629, Upstream PR #27561, @kvaps)
  • Do mutual authentication handshake again if mismatch between bpf map and cached map happens (Backport PR #27739, Upstream PR #27241, @meyskens)
  • envoy: fix panic writing accesslog without L7 tags (Backport PR #27629, Upstream PR #27453, @mhofstetter)
  • Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (Backport PR #27917, Upstream PR #27656, @pchaigno)
  • Fix a bug where cilium host IP is not read from k8s node annotations (Backport PR #27679, Upstream PR #27590, @hemanthmalla)
  • Fix behavior where SPIRE doesn't work when kubelet does not listen on 127.0.0.1 (Backport PR #27679, Upstream PR #27583, @weizhoublue)
  • Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27586, Upstream PR #27319, @jrfastab)
  • Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27920, Upstream PR #27602, @julianwiedmann)
  • Fix deletion of tunnel map entries when node has non-zero cluster ID. (Backport PR #27629, Upstream PR #27353, @giorio94)
  • Fix Gateway managed services not exposing all ports (Backport PR #27917, Upstream PR #27695, @Managarmrr)
  • Fix global service incompatibility when v1.14 agents connect to a v1.13 cluster (#27882, @giorio94)
  • Fix issue which caused the map reconciliation process to never complete successfully if the error resolved automatically (Backport PR #27629, Upstream PR #26742, @giorio94)
  • Fix missing packet trace after from-container for reply traffic to the proxy. (Backport PR #27917, Upstream PR #27872, @pchaigno)
  • Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (Backport PR #27924, Upstream PR #26663, @gandro)
  • Fix propagation of namespace labels to CEP labels (Backport PR #27917, Upstream PR #27831, @tklauser)
  • Fix several paths in the North-South load-balancer where the TTL / hop-limit field of a forwarded packet was not updated. (Backport PR #27379, Upstream PR #27299, @julianwiedmann)
  • Fixes an issue where IPsec key rotation can't be triggered. (Backport PR #27739, Upstream PR #27694, @jschwinger233)
  • gateway-api: Filter routes based on Section Name and port (Backport PR #27629, Upstream PR #27309, @sayboras)
  • gateway-api: Merge externally annotations and labels for kubernetes types (Backport PR #27629, Upstream PR #27251, @farodin91)
  • helm: fix envoy daemonset loglevel with multiple verbose debug groups (Backport PR #27917, Upstream PR #27698, @mhofstetter)
  • ingress: fix panic on ingress rule without HTTPIngressRule (Backport PR #27917, Upstream PR #27818, @mhofstetter)
  • ipam: when a CiliumNode is removed, delete node label from metrics. (Backport PR #27917, Upstream PR #27713, @tommyp1ckles)
  • IPSec fix for race on init resulting in XfrmIn errors and dropped packets (Backport PR #28021, Upstream PR #28012, @jrfastab)
  • k8s: Restrict configuring reserved:init policy via CNP (Backport PR #28038, Upstream PR #28007, @joestringer)
  • Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27917, Upstream PR #27572, @bimmlerd)
  • proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27679, Upstream PR #27597, @sayboras)
  • Read FQDNRejectResponseCode from config (Backport PR #27739, Upstream PR #27362, @ayuspin)

CI Changes:

  • .github/workflows: unify time to wait for images to become available (Backport PR #27917, Upstream PR #27706, @tklauser)
  • Add missing ariane trigger phrases (Backport PR #27917, Upstream PR #27822, @tklauser)
  • Add secondary iface to KIND network (Backport PR #27679, Upstream PR #26338, @ysksuzuki)
  • bpf: complexity-tests: set -DHAVE_LARGE_INSN_LIMIT=1 for new kernels (Backport PR #27701, Upstream PR #27490, @julianwiedmann)
  • ci-e2e: Add secondary network NodePort tests (Backport PR #27917, Upstream PR #27738, @brb)
  • ci-ipsec-upgrade: Bump CLI to v0.15.5 (Backport PR #27629, Upstream PR #27230, @brb)
  • ci-ipsec-upgrade: Skip upon test/Documentation changes (Backport PR #27679, Upstream PR #27644, @brb)
  • ci: remove unavailable K8s 1.22 from GKE config (Backport PR #27629, Upstream PR #27365, @mhofstetter)
  • CI: Rename workflow names (Backport PR #27739, Upstream PR #27391, @brlbil)
  • CI: Update tested k8s version for aks (Backport PR #27629, Upstream PR #27457, @brlbil)
  • Disable the images digest when pushing the development helm chart (Backport PR #27739, Upstream PR #27646, @giorio94)
  • gh/actions: Customize cilium-config (Backport PR #27917, Upstream PR #27416, @brb)
  • gh/workflows: Use cilium-config action in ci-ipsec-upgrade (Backport PR #27917, Upstream PR #27359, @brb)
  • gha: fix waiting for images in conformance-gingko (Backport PR #27629, Upstream PR #27397, @giorio94)
  • Set kvstoremesh image when pushing the development helm chart (Backport PR #27679, Upstream PR #27645, @giorio94)
  • test: print logical instruction count per program (Backport PR #27629, Upstream PR #26641, @ti-mo)

Misc Changes:

  • [v1.14] cilium: Fix 16bit ifindex limitation (#27880, @borkmann)
  • Add WireGuard to the firewall rules documentation (Backport PR #27917, Upstream PR #27170, @joestringer)
  • bpf: egressgw: set trace reason for reply traffic (Backport PR #27524, Upstream PR #27218, @julianwiedmann)
  • bpf: nat: enable CT-driven trace aggregation (Backport PR #27524, Upstream PR #27178, @julianwiedmann)
  • bpf: nat: let caller determine whether SNATed connection needs CT (Backport PR #27524, Upstream PR #27079, @julianwiedmann)
  • bpf: nodeport: consolidate packet rewrite in RevDNAT path (Backport PR #27381, Upstream PR #26852, @julianwiedmann)
  • bpf: split complexity configurations into separate files (Backport PR #27701, Upstream PR #26925, @lmb)
  • chore(deps): update all kind-images main (v1.14) (#27746, @renovate[bot])
  • chore(deps): update all kind-images main (v1.14) (patch) (#27772, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#27422, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#27773, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v3 (v1.14) (#27777, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.6 (v1.14) (#27769, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.7 (v1.14) (#27919, @renovate[bot])
  • chore(deps): update dependency google/gops to v0.3.28 (v1.14) (#27413, @renovate[bot])
  • chore(deps): update dependency kubernetes/kubernetes to v1.27.5 (v1.14) (#27774, @renovate[bot])
  • chore(deps): update dependency ubuntu to v22 (v1.14) (#27778, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (v1.14) (#27775, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.7 docker digest to 741d6f9 (v1.14) (#27768, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.14) (#28049, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (v1.14) (#27546, @renovate[bot])
  • chore(deps): update go to v1.20.8 (v1.14) (patch) (#27990, @renovate[bot])
  • chore: fixing blank k8sPodName in endpoint logger (Backport PR #27629, Upstream PR #26964, @vakalapa)
  • cilium, docs: Add a note about KPR and nfs dependencies (Backport PR #27739, Upstream PR #27678, @borkmann)
  • clean-up: remove check for permissive CCNPs (Backport PR #27739, Upstream PR #27690, @shawnh2)
  • contrib/scripts/kind.sh: specify IPv4 prefix and range on secondary network (Backport PR #27679, Upstream PR #27573, @tklauser)
  • Correct cni path in k3s installation documentation for rancher desktop (Backport PR #27739, Upstream PR #27702, @RichardoC)
  • docs: Clean up prerequisites for the Ingress Controller (Backport PR #27629, Upstream PR #27222, @qmonnet)
  • docs: Clean up references to deprecated modes "strict" and "partial" for kube-proxy replacement feature flag (Backport PR #27679, Upstream PR #27314, @qmonnet)
  • docs: Correct comment on toFQDN API definition (Backport PR #27629, Upstream PR #27496, @Alex-Waring)
  • docs: Fix config option for spelling filters (Backport PR #27629, Upstream PR #27537, @qmonnet)
  • docs: Fix Documentation Makefile to make Helm reference updates compatible with macOS (Backport PR #27629, Upstream PR #27495, @ishuar)
  • docs: Harmonise references to Cilium Slack (Backport PR #27629, Upstream PR #27346, @qmonnet)
  • docs: Improve wording for labels and services policies (Backport PR #27917, Upstream PR #27171, @joestringer)
  • docs: Remove proxylib limitation in observability section (Backport PR #27629, Upstream PR #27306, @darkrift)
  • docs: update L7 traffic CiliumClusterwideEnvoyConfig example (Backport PR #27629, Upstream PR #27409, @tanjunchen)
  • docs: Update the microservices-demo link (Backport PR #27917, Upstream PR #27814, @haiyuewa)
  • docs: Update the mutual authentication key format (Backport PR #27679, Upstream PR #27640, @haiyuewa)
  • eg...

1.13.7

15 Sep 17:40
v1.13.7

We are pleased to release Cilium v1.13.7.

Known IPsec-related issues have been fixed. We encourage users to test this release and report any potentially remaining issues.

Summary of Changes

Minor Changes:

  • Report the kernel error code in case of packet drops due to failures to create NAT map entries. (Backport PR #27652, Upstream PR #25883, @julianwiedmann)

Bugfixes:

  • bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #27998, Upstream PR #27798, @ti-mo)
  • envoy: fix panic writing accesslog without L7 tags (Backport PR #27651, Upstream PR #27453, @mhofstetter)
  • Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27393, Upstream PR #27312, @julianwiedmann)
  • Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (Backport PR #27925, Upstream PR #27656, @pchaigno)
  • Fix a bug where cilium host IP is not read from k8s node annotations (Backport PR #27651, Upstream PR #27590, @hemanthmalla)
  • Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27393, Upstream PR #27168, @learnitall)
  • Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27587, Upstream PR #27319, @jrfastab)
  • Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27998, Upstream PR #27602, @julianwiedmann)
  • gateway-api: Merge externally annotations and labels for kubernetes types (Backport PR #27651, Upstream PR #27251, @farodin91)
  • ingress: fix panic on ingress rule without HTTPIngressRule (Backport PR #27925, Upstream PR #27818, @mhofstetter)
  • IPSec fix for race on init resulting in XfrmIn errors and dropped packets (Backport PR #28022, Upstream PR #28012, @jrfastab)
  • k8s: Restrict configuring reserved:init policy via CNP (Backport PR #28039, Upstream PR #28007, @joestringer)
  • Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27925, Upstream PR #27572, @bimmlerd)
  • proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27741, Upstream PR #27597, @sayboras)

CI Changes:

  • .github/workflows: unify time to wait for images to become available (Backport PR #27925, Upstream PR #27706, @tklauser)
  • ci-ipsec-upgrade: Bump CLI to v0.15.5 (Backport PR #27393, Upstream PR #27230, @brb)
  • ci-ipsec-upgrade: Skip upon test/Documentation changes (Backport PR #27741, Upstream PR #27644, @brb)
  • ci: fix and standardize checkouts in privileged workflows (Backport PR #27393, Upstream PR #27193, @nbusseneau)
  • ci: increase connectivity test timeout in GHA external workload (Backport PR #27393, Upstream PR #26975, @mhofstetter)
  • ci: remove unavailable K8s 1.22 from GKE config (Backport PR #27393, Upstream PR #27365, @mhofstetter)
  • CI: Rename workflow names (Backport PR #27741, Upstream PR #27391, @brlbil)
  • CI: Update tested k8s version for aks (Backport PR #27651, Upstream PR #27457, @brlbil)
  • gh/actions: Customize cilium-config (Backport PR #27925, Upstream PR #27416, @brb)
  • gh/workflows: Use cilium-config action in ci-ipsec-upgrade (Backport PR #27925, Upstream PR #27359, @brb)
  • ginkgo: Remove K8sDatapathCustomCalls (Backport PR #27925, Upstream PR #27911, @brb)

Misc Changes:

  • Add WireGuard to the firewall rules documentation (Backport PR #27925, Upstream PR #27170, @joestringer)
  • bpf: egressgw: set trace reason for reply traffic (Backport PR #27526, Upstream PR #27218, @julianwiedmann)
  • bpf: nat: enable CT-driven trace aggregation (Backport PR #27526, Upstream PR #27178, @julianwiedmann)
  • chore(deps): update actions/checkout action to v4 (v1.13) (#27927, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (minor) (#27782, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#27423, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#27780, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#27945, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v3 (v1.13) (#27783, @renovate[bot])
  • chore(deps): update cilium/coccicheck docker tag to v2.4 (v1.13) (#27947, @renovate[bot])
  • chore(deps): update dependency ubuntu to v22 (v1.13) (#27784, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.17.5 (v1.13) (#27781, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.7 (v1.13) (#27486, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.8 (v1.13) (#27991, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.7 docker digest to 741d6f9 (v1.13) (#27779, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (v1.13) (#27554, @renovate[bot])
  • chore(deps): update sigstore/cosign-installer action to v3.1.2 (v1.13) (#27946, @renovate[bot])
  • docs: Document DROP_NO_NODE_ID for IPsec (Backport PR #27393, Upstream PR #27184, @pchaigno)
  • docs: Fix config option for spelling filters (Backport PR #27651, Upstream PR #27537, @qmonnet)
  • docs: Fix Documentation Makefile to make Helm reference updates compatible with macOS (Backport PR #27651, Upstream PR #27495, @ishuar)
  • docs: Harmonise references to Cilium Slack (Backport PR #27393, Upstream PR #27346, @qmonnet)
  • docs: Have Makefile print generated image tags when running with V=0 (Backport PR #27393, Upstream PR #27250, @qmonnet)
  • docs: Improve wording for labels and services policies (Backport PR #27925, Upstream PR #27171, @joestringer)
  • docs: update L7 traffic CiliumClusterwideEnvoyConfig example (Backport PR #27651, Upstream PR #27409, @tanjunchen)
  • docs: Update the microservices-demo link (Backport PR #27925, Upstream PR #27814, @haiyuewa)
  • Update Cilium certgen from v0.1.8 to v0.1.9 (Backport PR #27651, Upstream PR #27511, @rolinh)

Other Changes:

  • [1.13] test: add namespace name in pod metadata test (#28033, @nebril)
  • doc: Migrate to .readthedocs.yaml configuration file v2 (#27570, @doniacld)
  • install: Update image digests for v1.13.6 (#27455, @nebril)

1.12.14

15 Sep 17:41
v1.12.14

We are pleased to release Cilium v1.12.14.

Known IPsec-related issues have been fixed. We encourage users to test this release and report any potentially remaining issues.

Summary of Changes

Bugfixes:

  • bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #27980, Upstream PR #27798, @ti-mo)
  • Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27394, Upstream PR #27312, @julianwiedmann)
  • Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (Backport PR #27934, Upstream PR #27656, @pchaigno)
  • Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27394, Upstream PR #27168, @learnitall)
  • Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27588, Upstream PR #27319, @jrfastab)
  • Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27980, Upstream PR #27602, @julianwiedmann)
  • IPSec fix for race on init resulting in XfrmIn errors and dropped packets (Backport PR #28029, Upstream PR #28012, @jrfastab)
  • k8s: Restrict configuring reserved:init policy via CNP (Backport PR #28040, Upstream PR #28007, @joestringer)
  • Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27934, Upstream PR #27572, @bimmlerd)
  • proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27660, Upstream PR #27597, @sayboras)

CI Changes:

  • .github/workflows: unify time to wait for images to become available (Backport PR #27934, Upstream PR #27706, @tklauser)
  • Add missing ariane trigger phrases (Backport PR #27980, Upstream PR #27822, @tklauser)
  • ci-ipsec-upgrade: Bump CLI to v0.15.5 (Backport PR #27394, Upstream PR #27230, @brb)
  • ci-ipsec-upgrade: Skip upon test/Documentation changes (Backport PR #27744, Upstream PR #27644, @brb)
  • ci: remove unavailable K8s 1.22 from GKE config (Backport PR #27394, Upstream PR #27365, @mhofstetter)
  • CI: Rename workflow names (Backport PR #27744, Upstream PR #27391, @brlbil)
  • CI: Update tested k8s version for aks (Backport PR #27660, Upstream PR #27457, @brlbil)
  • gh/workflows: Use cilium-config action in ci-ipsec-upgrade (Backport PR #27934, Upstream PR #27359, @brb)
  • ingress: Add conformance test for KPR=false (Backport PR #27980, Upstream PR #27304, @sayboras)

Misc Changes:

  • chore(deps): update actions/checkout action to v4 (v1.12) (#27950, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (minor) (#27787, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.12) (patch) (#27785, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v3 (v1.12) (#27788, @renovate[bot])
  • chore(deps): update cilium/coccicheck docker tag to v2.4 (v1.12) (#27949, @renovate[bot])
  • chore(deps): update dependency ubuntu to v22 (v1.12) (#27789, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.16.7 (v1.12) (#27786, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.7 (v1.12) (#27487, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.8 (v1.12) (#27992, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 33a5cc2 (v1.12) (#27338, @renovate[bot])
  • docs: Document DROP_NO_NODE_ID for IPsec (Backport PR #27394, Upstream PR #27184, @pchaigno)
  • docs: Fix config option for spelling filters (Backport PR #27660, Upstream PR #27537, @qmonnet)
  • docs: Fix Documentation Makefile to make Helm reference updates compatible with macOS (Backport PR #27660, Upstream PR #27495, @ishuar)
  • docs: Harmonise references to Cilium Slack (Backport PR #27832, Upstream PR #27346, @qmonnet)
  • docs: Have Makefile print generated image tags when running with V=0 (Backport PR #27394, Upstream PR #27250, @qmonnet)
  • docs: update L7 traffic CiliumClusterwideEnvoyConfig example (Backport PR #27660, Upstream PR #27409, @tanjunchen)
  • docs: Update the microservices-demo link (Backport PR #27934, Upstream PR #27814, @haiyuewa)
  • Update Cilium certgen from v0.1.8 to v0.1.9 (Backport PR #27660, Upstream PR #27511, @rolinh)

Other Changes:

  • [1.12] test: add namespace name in pod metadata test (#28034, @nebril)
  • doc: Migrate to .readthedocs.yaml configuration file v2 (#27569, @doniacld)
  • install: Update image digests for v1.12.13 (#27501, @asauber)

1.15.0-pre.0

31 Aug 21:30
v1.15.0-pre.0
Pre-release

Changelog

v1.15.0-pre.0

Summary of Changes

Major Changes:

Minor Changes:

  • *_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
  • .github/workflows: don't error out if pkill finds no processes (#26357, @lmb)
  • .github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#26600, @lmb)
  • Add cilium bpf auth flush command for debugging purposes (#27216, @meyskens)
  • Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
  • Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
  • Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
  • Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
  • Add securityContext for spire pod in helm chart (#27363, @ishuar)
  • Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
  • Add SPIRE connection to cilium status (#26896, @meyskens)
  • Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
  • Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
  • api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
  • Augments cilium status CLI to report on agent modules health status. (#25714, @derailed)
  • bpf: allow overriding Makefile variables (#27492, @lmb)
  • bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
  • bpf: gate egressgw datapath on separate defines (#27189, @lmb)
  • bgpv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
  • Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
  • cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
  • cilium: export intermediate cobra.Commands (#26265, @lmb)
  • cilium: use absolute path to include Makefile.defs (#27054, @lmb)
  • cli: Update cilium policy import to allow policy replacement by label (#27103, @deverton-godaddy)
  • clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
  • daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
  • docs, cilium: Remove cilium endpoint regenerate command (#27326, @christarazi)
  • egressgw: inject datapath config via hive (#27414, @lmb)
  • egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
  • egressgw: tidy up Config handling (#27221, @lmb)
  • endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
  • envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
  • envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
  • envoy: Update envoy version to the latest build (#27819, @jrajahalme)
  • Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
  • Fix LookupReservedIdentityByLabels function to return consistent results (#26795, @skmatti)
  • gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
  • Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
  • hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
  • Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
  • ipam, metrics: Add new capacity metric (#27710, @christarazi)
  • Modular daemon and operator (#25986, @pippolo84)
  • Refactor hubble redact settings schema (#26989, @ChrsMark)
  • Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
  • Remove deprecate clustermesh CA configuration from the helm chart (#27162, @giorio94)
  • When the BGP control plane is enabled and configured for service announcements, it only advertises a matching service that either has no loadBalancerClass set or has it set to "io.cilium/bgp-control-plane". (#26905, @danehans)

Bugfixes:

  • Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
  • bgpv1: fix manager_test.go build error (#27543, @ldelossa)
  • bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
  • bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (#26638, @julianwiedmann)
  • bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
  • cleanup: clean up bpf filters created by an older version of the cilium agent (#27373, @sofat1989)
  • Do mutual authentication handshake again if mismatch between bpf map and cached map happens (#27241, @meyskens)
  • egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
  • envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
  • Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (#27656, @pchaigno)
  • Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
  • Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
  • Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (#27602, @julianwiedmann)
  • Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
  • Fix Gateway managed services not exposing all ports (#27695, @Managarmrr)
  • Fix possible cross-cluster connection drops on agents restart when clustermesh is enabled (#27575, @giorio94)
  • Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (#26663, @gandro)
  • Fixes an issue where IPsec key rotation could not be triggered. (#27694, @jschwinger233)
  • Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
  • Handle .status.conditions on Services in accordance with KEP-1623 (#27399, @addreas)
  • health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
  • helm: fix envoy daemonset loglevel with multiple verbose debug groups (#27698, @mhofstetter)
  • ingress: fix panic on ingress rule without HTTPIngressRule (#27818, @mhofstetter)
  • ipam: when a CiliumNode is removed, delete node label from metrics. (#27713, @tommyp1ckles)
  • metrics: fix potential conflict on metrics registration (#27007, @ysksuzuki)
  • Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (#27572, @bimmlerd)
  • proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
  • Read FQDNRejectResponseCode from config (#27362, @ayuspin)
  • spire: add scheduling configurations to helm-chart (#27229, @tvonhacht-apple)
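
The dual-stack reserved:world fix listed above (#22625) states a rule that is easy to get wrong: a set of CIDRs maps to the reserved:world entity only when every enabled IP family is completely covered, so 0.0.0.0/0 on its own must not become "world" in a cluster that also runs IPv6. The following Go program is an added illustration of that rule written for this page; it is not Cilium's own code, and the names Family, IsReservedWorld and the pre-fix model anyFamilyCovered are assumptions chosen for the example. It shows the pre-fix and fixed decisions side by side for a few constructed policy CIDR sets.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Family is an IP address family enabled in the datapath
// (example type, not a Cilium API).
type Family int

const (
	IPv4 Family = iota
	IPv6
)

// coversFamily reports whether p is the all-addresses prefix for f
// (0.0.0.0/0 or ::/0). Masked() zeroes the host bits, so a /0 written
// with a non-zero address still counts.
func coversFamily(p netip.Prefix, f Family) bool {
	if p.Bits() != 0 {
		return false
	}
	a := p.Masked().Addr()
	switch f {
	case IPv4:
		return a.Is4()
	case IPv6:
		return a.Is6() && !a.Is4In6()
	}
	return false
}

// parse converts CIDR strings to prefixes and rejects anything malformed,
// so a typo in a policy is an error rather than a silently ignored rule.
func parse(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, s := range cidrs {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", s, err)
		}
		out = append(out, p)
	}
	return out, nil
}

// anyFamilyCovered models the pre-fix behaviour described in the release
// note: one all-addresses prefix for any enabled family selected world.
func anyFamilyCovered(prefixes []netip.Prefix, enabled []Family) bool {
	for _, p := range prefixes {
		for _, f := range enabled {
			if coversFamily(p, f) {
				return true
			}
		}
	}
	return false
}

// IsReservedWorld implements the corrected rule: the CIDR set maps to
// reserved:world only if every enabled family is completely covered.
func IsReservedWorld(cidrs []string, enabled []Family) (bool, error) {
	if len(enabled) == 0 {
		return false, fmt.Errorf("no address family enabled")
	}
	prefixes, err := parse(cidrs)
	if err != nil {
		return false, err
	}
	for _, f := range enabled {
		covered := false
		for _, p := range prefixes {
			if coversFamily(p, f) {
				covered = true
				break
			}
		}
		if !covered {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	dualStack := []Family{IPv4, IPv6}
	// Constructed policy CIDR sets for a dual-stack cluster.
	for _, cidrs := range [][]string{
		{"0.0.0.0/0"},          // only IPv4 fully covered
		{"0.0.0.0/0", "::/0"},  // both families covered
		{"10.0.0.0/8", "::/0"}, // only IPv6 fully covered
	} {
		prefixes, _ := parse(cidrs)
		fixed, _ := IsReservedWorld(cidrs, dualStack)
		fmt.Printf("%-24v pre-fix world=%-5v fixed world=%v\n",
			cidrs, anyFamilyCovered(prefixes, dualStack), fixed)
	}
}
```

In single-stack IPv4 mode the two functions agree; the difference only appears when a second family is enabled, which is exactly the case the release note describes.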

CI Changes:


1.14.1

15 Aug 18:46
v1.14.1

We are pleased to release Cilium v1.14.1. This release comes with fixes for IPsec, performance and resilience improvements and many CI and doc changes.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Minor Changes:

Bugfixes:

  • Fix a bug that affected the health-check feature in Stand-alone L4LB mode. For certain configurations (eg if both IPv4 and IPv6 support is enabled) health-check traffic would not get IPIP-encapsulated. (Backport PR #27190, Upstream PR #27015, @julianwiedmann)
  • Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27345, Upstream PR #27312, @julianwiedmann)
  • Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled.
  • Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27238, Upstream PR #27029, @pchaigno)
  • Fix agent panic in case malformed objects are retrieved from the kvstore, and improve validation (Backport PR #27345, Upstream PR #27237, @giorio94)
  • Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27345, Upstream PR #27168, @learnitall)
  • Fix bug where startup CIDR restore logic would mishandle reference counting, leading to persistent packet loss to those CIDRs (Backport PR #27419, Upstream PR #27327, @joestringer)
  • Fix generation of the clustermesh config through Helm when kvstoremesh is enabled, and the TLS key/cert pair is manually specified for a given remote cluster (Backport PR #27238, Upstream PR #27177, @giorio94)
  • operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27190, Upstream PR #25324, @learnitall)
  • Resolve a deadlock on startup when local redirect policies are used. (Backport PR #27238, Upstream PR #27115, @bimmlerd)

CI Changes:

  • .github: rebuild ginkgo tests in case of cache miss (Backport PR #27190, Upstream PR #27158, @sayboras)
  • Add renovate tags for automatic updates of kernel version in v1.14 (#27386, @aanm)
  • ci: fix and standardize checkouts in privileged workflows (Backport PR #27238, Upstream PR #27193, @nbusseneau)
  • ci: increase connectivity test timeout in GHA external workload (Backport PR #27345, Upstream PR #26975, @mhofstetter)

Misc Changes:

Other Changes:

  • backport v1.14: IPsec upgrade tests (#27175, @brb)
  • install: Update image digests for v1.14.0 (#27111, @aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.1@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:v1.14.1@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
docker.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.1@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:v1.14.1@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
docker.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c

docker-plugin

docker.io/cilium/docker-plugin:v1.14.1@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:v1.14.1@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
docker.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad

hubble-relay

docker.io/cilium/hubble-relay:v1.14.1@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:v1.14.1@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
docker.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.1@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:v1.14.1@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
docker.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.1@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:v1.14.1@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
docker.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b

operator-aws

docker.io/cilium/operator-aws:v1.14.1@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:v1.14.1@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
docker.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a

operator-azure

docker.io/cilium/operator-azure:v1.14.1@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:v1.14.1@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
docker.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7

operator-generic

docker.io/cilium/operator-generic:v1.14.1@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:v1.14.1@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
docker.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7

operator

docker.io/cilium/operator:v1.14.1@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:v1.14.1@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
docker.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
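
The image list above pins every tag, including the floating stable alias, to a sha256 digest, and publishes the same digest on docker.io and quay.io. Before copying such references into a deployment it is worth checking them mechanically: that each line really is digest-pinned (a bare tag can be re-pointed after the fact, a digest cannot) and that no repository appears with two different digests. The following Go program is an added example written for this page, not a tool from the Cilium project. The function names are assumptions chosen for the example; the two digests in SampleGood are copied from the v1.14.1 list above, and the extra line in SampleTampered is constructed by hand to show a drifted alias being rejected.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleGood holds genuine lines from the v1.14.1 manifest list above,
// with the section headings kept so the parser has to skip them.
const SampleGood = `
cilium

docker.io/cilium/cilium:v1.14.1@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72

operator-generic

docker.io/cilium/operator-generic:v1.14.1@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
`

// SampleTampered is constructed for this example: the good list plus one
// reference whose digest no longer matches the rest of the repository.
var SampleTampered = SampleGood +
	"quay.io/cilium/operator-generic:v1.14.1@sha256:" + strings.Repeat("0", 64) + "\n"

// refRE accepts only the fully pinned form registry[:port]/repo:tag@sha256:<64 hex>.
var refRE = regexp.MustCompile(
	`^([a-z0-9.-]+(?::[0-9]+)?)/([a-z0-9._/-]+):([A-Za-z0-9._-]+)@sha256:([0-9a-f]{64})$`)

// ImageRef is one digest-pinned image reference.
type ImageRef struct {
	Registry, Repo, Tag, Digest string
}

// ParseRef rejects tag-only references: a tag is mutable, a digest is not.
func ParseRef(s string) (ImageRef, error) {
	m := refRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return ImageRef{}, fmt.Errorf("not a digest-pinned reference: %q", s)
	}
	return ImageRef{Registry: m[1], Repo: m[2], Tag: m[3], Digest: m[4]}, nil
}

// CheckManifests parses a pasted manifest list, skipping headings and blank
// lines, and returns repo -> digest. It fails if a reference is not
// digest-pinned or if one repository is pinned to two different digests
// (for example a stable alias that has drifted from the versioned tag).
func CheckManifests(text string) (map[string]string, error) {
	digests := map[string]string{}
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if !strings.Contains(line, "/") { // heading or blank line
			continue
		}
		ref, err := ParseRef(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if prev, ok := digests[ref.Repo]; ok && prev != ref.Digest {
			return nil, fmt.Errorf("line %d: %s/%s:%s pinned to sha256:%s.. but %s was already pinned to sha256:%s..",
				n+1, ref.Registry, ref.Repo, ref.Tag, ref.Digest[:12], ref.Repo, prev[:12])
		}
		digests[ref.Repo] = ref.Digest
	}
	return digests, nil
}

func main() {
	for _, in := range []string{SampleGood, SampleTampered} {
		d, err := CheckManifests(in)
		if err != nil {
			fmt.Println("REJECT:", err)
			continue
		}
		for repo, digest := range d {
			fmt.Printf("OK %-26s sha256:%s\n", repo, digest)
		}
	}
}
```

The returned map is what a deployment pipeline would compare against the digest actually pulled on a node; a mismatch there means the registry content changed after the release notes were written.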

1.12.13

15 Aug 18:02
v1.12.13

We are pleased to release Cilium v1.12.13. This release includes bugfixes for IPsec and ipcache as well as many docs and CI changes.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Bugfixes:

  • Remove remote-node labels from ipcache on node delete (#27406, @joestringer)
  • Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled. (Backport PR #27138, Upstream PR #27029, @pchaigno)
  • Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27138, Upstream PR #27029, @pchaigno)
  • operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27155, Upstream PR #25324, @learnitall)

CI Changes:

Misc Changes:

  • chore(deps): update all github action dependencies (v1.12) (patch) (#27294, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.11 (v1.12) (#27019, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.12 (v1.12) (#27295, @renovate[bot])
  • chore(deps): update helm/kind-action action to v1.8.0 (v1.12) (#26830, @renovate[bot])
  • docs/ipsec: Document RSS limitation (Backport PR #27031, Upstream PR #26979, @pchaigno)
  • docs/ipsec: Extend troubleshooting section (Backport PR #27031, Upstream PR #26808, @pchaigno)
  • docs: Fix gRPC API generation for online docs (Backport PR #27094, Upstream PR #27014, @qmonnet)
  • docs: Replace non-portable "sed -i" in Makefile (Backport PR #27240, Upstream PR #27122, @qmonnet)
  • docs: Specify Helm chart version in "cilium install" commands (Backport PR #27031, Upstream PR #26934, @michi-covalent)
  • Documentation: fix the broken links/dead links (Backport PR #27155, Upstream PR #26880, @vipul-21)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.13@sha256:4d19b0b809889debc768fc20d9eb2b53e2ff60d45be639c2e898923eeb124e80
quay.io/cilium/cilium:v1.12.13@sha256:4d19b0b809889debc768fc20d9eb2b53e2ff60d45be639c2e898923eeb124e80

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.13@sha256:b2e35ca950680fe9a431d8b3e6c4fe1014497ccb7ba48437915850e16c1fd1e1
quay.io/cilium/clustermesh-apiserver:v1.12.13@sha256:b2e35ca950680fe9a431d8b3e6c4fe1014497ccb7ba48437915850e16c1fd1e1

docker-plugin

docker.io/cilium/docker-plugin:v1.12.13@sha256:08f4ab574ea2bbbc49f24c8ce7fb3cd4509eff4c7c82619610e0ff5079cb2046
quay.io/cilium/docker-plugin:v1.12.13@sha256:08f4ab574ea2bbbc49f24c8ce7fb3cd4509eff4c7c82619610e0ff5079cb2046

hubble-relay

docker.io/cilium/hubble-relay:v1.12.13@sha256:9b7fc17534514342b12ee9a7ed05084d1f933028d778eb5173c7f0f0aa494414
quay.io/cilium/hubble-relay:v1.12.13@sha256:9b7fc17534514342b12ee9a7ed05084d1f933028d778eb5173c7f0f0aa494414

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.13@sha256:f53cc108451a3a57e5733c6bcd07950fc1e9f3c36ea8300f271f6c088a073e87
quay.io/cilium/operator-alibabacloud:v1.12.13@sha256:f53cc108451a3a57e5733c6bcd07950fc1e9f3c36ea8300f271f6c088a073e87

operator-aws

docker.io/cilium/operator-aws:v1.12.13@sha256:fd95a5ff57718809e1ccf3555d98b5c646e003e5de4a2da11775aa74ef1bafb8
quay.io/cilium/operator-aws:v1.12.13@sha256:fd95a5ff57718809e1ccf3555d98b5c646e003e5de4a2da11775aa74ef1bafb8

operator-azure

docker.io/cilium/operator-azure:v1.12.13@sha256:7a79de4cad736611e3e24138012b1d9c9f47a8d672dc08bd1e65ee0ef0661149
quay.io/cilium/operator-azure:v1.12.13@sha256:7a79de4cad736611e3e24138012b1d9c9f47a8d672dc08bd1e65ee0ef0661149

operator-generic

docker.io/cilium/operator-generic:v1.12.13@sha256:4a7387684297f5072f0933331696c5d89954c35d30669aca0f5d92c2294fff37
quay.io/cilium/operator-generic:v1.12.13@sha256:4a7387684297f5072f0933331696c5d89954c35d30669aca0f5d92c2294fff37

operator

docker.io/cilium/operator:v1.12.13@sha256:a37c66f243a2b7555aeb6f2ab59e69eb9384a50446a3818fe0225dde4876d9ca
quay.io/cilium/operator:v1.12.13@sha256:a37c66f243a2b7555aeb6f2ab59e69eb9384a50446a3818fe0225dde4876d9ca