Releases: cilium/cilium

1.15.0-pre.0

31 Aug 21:30
v1.15.0-pre.0
Pre-release

Changelog

v1.15.0-pre.0

Summary of Changes

Major Changes:

Minor Changes:

  • *_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
  • .github/workflows: don't error out if pkill finds no processes (#26357, @lmb)
  • .github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#26600, @lmb)
  • Add cilium bpf auth flush command for debugging purposes (#27216, @meyskens)
  • Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
  • Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
  • Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
  • Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
  • Add securityContext for spire pod in helm chart (#27363, @ishuar)
  • Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
  • Add SPIRE connection to cilium status (#26896, @meyskens)
  • Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
  • Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
  • api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
  • Augments cilium status CLI to report on agent modules health status. (#25714, @derailed)
  • bpf: allow overriding Makefile variables (#27492, @lmb)
  • bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
  • bpf: gate egressgw datapath on separate defines (#27189, @lmb)
  • bgpv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
  • Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
  • cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
  • cilium: export intermediate cobra.Commands (#26265, @lmb)
  • cilium: use absolute path to include Makefile.defs (#27054, @lmb)
  • cli: Update cilium policy import to allow policy replacement by label (#27103, @deverton-godaddy)
  • clustermesh-apiserver deployment supports lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
  • daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
  • docs, cilium: Remove cilium endpoint regenerate command (#27326, @christarazi)
  • egressgw: inject datapath config via hive (#27414, @lmb)
  • egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
  • egressgw: tidy up Config handling (#27221, @lmb)
  • endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
  • envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
  • envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
  • envoy: Update envoy version to the latest build (#27819, @jrajahalme)
  • Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
  • Fix LookupReservedIdentityByLabels function to return consistent results (#26795, @skmatti)
  • gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
  • Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
  • hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
  • Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
  • ipam, metrics: Add new capacity metric (#27710, @christarazi)
  • Modular daemon and operator (#25986, @pippolo84)
  • Refactor hubble redact settings schema (#26989, @ChrsMark)
  • Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
  • Remove deprecated clustermesh CA configuration from the helm chart (#27162, @giorio94)
  • When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or one set to "io.cilium/bgp-control-plane". (#26905, @danehans)

Bugfixes:

  • Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
  • bgpv1: fix manager_test.go build error (#27543, @ldelossa)
  • bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
  • bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (#26638, @julianwiedmann)
  • bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
  • cleanup: clean up the bpf filters created by a cilium agent with a lower version (#27373, @sofat1989)
  • Do mutual authentication handshake again if mismatch between bpf map and cached map happens (#27241, @meyskens)
  • egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
  • envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
  • Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (#27656, @pchaigno)
  • Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
  • Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
  • Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (#27602, @julianwiedmann)
  • Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
  • Fix Gateway managed services not exposing all ports (#27695, @Managarmrr)
  • Fix possible cross-cluster connection drops on agents restart when clustermesh is enabled (#27575, @giorio94)
  • Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (#26663, @gandro)
  • Fixes an issue where IPsec key rotation can't be triggered. (#27694, @jschwinger233)
  • Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
  • Handle .status.conditions on Services in accordance with KEP-1623 (#27399, @addreas)
  • health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
  • helm: fix envoy daemonset loglevel with multiple verbose debug groups (#27698, @mhofstetter)
  • ingress: fix panic on ingress rule without HTTPIngressRule (#27818, @mhofstetter)
  • ipam: when a CiliumNode is removed, delete node label from metrics. (#27713, @tommyp1ckles)
  • metrics: fix potential conflict on metrics registration (#27007, @ysksuzuki)
  • Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (#27572, @bimmlerd)
  • proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
  • Read FQDNRejectResponseCode from config (#27362, @ayuspin)
  • spire: add scheduling configurations to helm-chart (#27229, @tvonhacht-apple)

CI Changes:

1.14.1

15 Aug 18:46
v1.14.1
We are pleased to release Cilium v1.14.1. This release comes with fixes for IPsec, performance and resilience improvements and many CI and doc changes.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Minor Changes:

Bugfixes:

  • Fix a bug that affected the health-check feature in Stand-alone L4LB mode. For certain configurations (e.g. if both IPv4 and IPv6 support is enabled) health-check traffic would not get IPIP-encapsulated. (Backport PR #27190, Upstream PR #27015, @julianwiedmann)
  • Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27345, Upstream PR #27312, @julianwiedmann)
  • Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled.
  • Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27238, Upstream PR #27029, @pchaigno)
  • Fix agent panic in case malformed objects are retrieved from the kvstore, and improve validation (Backport PR #27345, Upstream PR #27237, @giorio94)
  • Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27345, Upstream PR #27168, @learnitall)
  • Fix bug where startup CIDR restore logic would mishandle reference counting, leading to persistent packet loss to those CIDRs (Backport PR #27419, Upstream PR #27327, @joestringer)
  • Fix generation of the clustermesh config through Helm when kvstoremesh is enabled, and the TLS key/cert pair is manually specified for a given remote cluster (Backport PR #27238, Upstream PR #27177, @giorio94)
  • operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27190, Upstream PR #25324, @learnitall)
  • Resolve a deadlock on startup when local redirect policies are used. (Backport PR #27238, Upstream PR #27115, @bimmlerd)

CI Changes:

  • .github: rebuild ginkgo tests in case of cache miss (Backport PR #27190, Upstream PR #27158, @sayboras)
  • Add renovate tags for automatic updates of kernel version in v1.14 (#27386, @aanm)
  • ci: fix and standardize checkouts in privileged workflows (Backport PR #27238, Upstream PR #27193, @nbusseneau)
  • ci: increase connectivity test timeout in GHA external workload (Backport PR #27345, Upstream PR #26975, @mhofstetter)

Misc Changes:

Other Changes:

  • backport v1.14: IPsec upgrade tests (#27175, @brb)
  • install: Update image digests for v1.14.0 (#27111, @aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.1@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:v1.14.1@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
docker.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.1@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:v1.14.1@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
docker.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c

docker-plugin

docker.io/cilium/docker-plugin:v1.14.1@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:v1.14.1@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
docker.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad

hubble-relay

docker.io/cilium/hubble-relay:v1.14.1@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:v1.14.1@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
docker.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.1@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:v1.14.1@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
docker.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.1@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:v1.14.1@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
docker.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b

operator-aws

docker.io/cilium/operator-aws:v1.14.1@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:v1.14.1@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
docker.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a

operator-azure

docker.io/cilium/operator-azure:v1.14.1@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:v1.14.1@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
docker.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7

operator-generic

docker.io/cilium/operator-generic:v1.14.1@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:v1.14.1@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
docker.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7

operator

docker.io/cilium/operator:v1.14.1@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:v1.14.1@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
docker.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5

1.12.13

15 Aug 18:02
v1.12.13
We are pleased to release Cilium v1.12.13. This release includes bugfixes for IPsec and ipcache as well as many docs and CI changes.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Bugfixes:

  • Remove remote-node labels from ipcache on node delete (#27406, @joestringer)
  • Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled. (Backport PR #27138, Upstream PR #27029, @pchaigno)
  • Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27138, Upstream PR #27029, @pchaigno)
  • operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27155, Upstream PR #25324, @learnitall)

CI Changes:

Misc Changes:

  • chore(deps): update all github action dependencies (v1.12) (patch) (#27294, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.11 (v1.12) (#27019, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.12 (v1.12) (#27295, @renovate[bot])
  • chore(deps): update helm/kind-action action to v1.8.0 (v1.12) (#26830, @renovate[bot])
  • docs/ipsec: Document RSS limitation (Backport PR #27031, Upstream PR #26979, @pchaigno)
  • docs/ipsec: Extend troubleshooting section (Backport PR #27031, Upstream PR #26808, @pchaigno)
  • docs: Fix gRPC API generation for online docs (Backport PR #27094, Upstream PR #27014, @qmonnet)
  • docs: Replace non-portable "sed -i" in Makefile (Backport PR #27240, Upstream PR #27122, @qmonnet)
  • docs: Specify Helm chart version in "cilium install" commands (Backport PR #27031, Upstream PR #26934, @michi-covalent)
  • Documentation: fix the broken links/dead links (Backport PR #27155, Upstream PR #26880, @vipul-21)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.13@sha256:4d19b0b809889debc768fc20d9eb2b53e2ff60d45be639c2e898923eeb124e80
quay.io/cilium/cilium:v1.12.13@sha256:4d19b0b809889debc768fc20d9eb2b53e2ff60d45be639c2e898923eeb124e80

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.13@sha256:b2e35ca950680fe9a431d8b3e6c4fe1014497ccb7ba48437915850e16c1fd1e1
quay.io/cilium/clustermesh-apiserver:v1.12.13@sha256:b2e35ca950680fe9a431d8b3e6c4fe1014497ccb7ba48437915850e16c1fd1e1

docker-plugin

docker.io/cilium/docker-plugin:v1.12.13@sha256:08f4ab574ea2bbbc49f24c8ce7fb3cd4509eff4c7c82619610e0ff5079cb2046
quay.io/cilium/docker-plugin:v1.12.13@sha256:08f4ab574ea2bbbc49f24c8ce7fb3cd4509eff4c7c82619610e0ff5079cb2046

hubble-relay

docker.io/cilium/hubble-relay:v1.12.13@sha256:9b7fc17534514342b12ee9a7ed05084d1f933028d778eb5173c7f0f0aa494414
quay.io/cilium/hubble-relay:v1.12.13@sha256:9b7fc17534514342b12ee9a7ed05084d1f933028d778eb5173c7f0f0aa494414

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.13@sha256:f53cc108451a3a57e5733c6bcd07950fc1e9f3c36ea8300f271f6c088a073e87
quay.io/cilium/operator-alibabacloud:v1.12.13@sha256:f53cc108451a3a57e5733c6bcd07950fc1e9f3c36ea8300f271f6c088a073e87

operator-aws

docker.io/cilium/operator-aws:v1.12.13@sha256:fd95a5ff57718809e1ccf3555d98b5c646e003e5de4a2da11775aa74ef1bafb8
quay.io/cilium/operator-aws:v1.12.13@sha256:fd95a5ff57718809e1ccf3555d98b5c646e003e5de4a2da11775aa74ef1bafb8

operator-azure

docker.io/cilium/operator-azure:v1.12.13@sha256:7a79de4cad736611e3e24138012b1d9c9f47a8d672dc08bd1e65ee0ef0661149
quay.io/cilium/operator-azure:v1.12.13@sha256:7a79de4cad736611e3e24138012b1d9c9f47a8d672dc08bd1e65ee0ef0661149

operator-generic

docker.io/cilium/operator-generic:v1.12.13@sha256:4a7387684297f5072f0933331696c5d89954c35d30669aca0f5d92c2294fff37
quay.io/cilium/operator-generic:v1.12.13@sha256:4a7387684297f5072f0933331696c5d89954c35d30669aca0f5d92c2294fff37

operator

docker.io/cilium/operator:v1.12.13@sha256:a37c66f243a2b7555aeb6f2ab59e69eb9384a50446a3818fe0225dde4876d9ca
quay.io/cilium/operator:v1.12.13@sha256:a37c66f243a2b7555aeb6f2ab59e69eb9384a50446a3818fe0225dde4876d9ca

1.13.6

15 Aug 18:02
v1.13.6
We are pleased to release Cilium v1.13.6. This release comes with many docs updates, health check bug fixes, an IPsec fix and many other changes!

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Minor Changes:

  • Prevent Cilium from running with Delegated IPAM at the same time as Ingress (Backport PR #27239, Upstream PR #26744, @rickysumho)

Bugfixes:

  • Fix a bug that affected the health-check feature in Stand-alone L4LB mode. For certain configurations (e.g. if both IPv4 and IPv6 support is enabled) health-check traffic would not get IPIP-encapsulated. (Backport PR #27154, Upstream PR #27015, @julianwiedmann)
  • Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled.
  • Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27107, Upstream PR #27029, @pchaigno)
  • operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27154, Upstream PR #25324, @learnitall)

CI Changes:

Misc Changes:

  • Add note for changing IPAM settings (Backport PR #27239, Upstream PR #27090, @darox)
  • bpf: test: Fix the byte order in the IPV4 macro (Backport PR #27107, Upstream PR #25114, @gentoo-root)
  • chore(deps): update all github action dependencies (v1.13) (patch) (#27290, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.12 (v1.13) (#26825, @renovate[bot])
  • chore(deps): update docker/setup-buildx-action action to v2.9.1 (v1.13) (#26827, @renovate[bot])
  • chore(deps): update helm/kind-action action to v1.8.0 (v1.13) (#26828, @renovate[bot])
  • docs: Fix gRPC API generation for online docs (Backport PR #27095, Upstream PR #27014, @qmonnet)
  • docs: fixed search for every page (Backport PR #26906, Upstream PR #26892, @geakstr)
  • docs: Ignore Helm values, update spelling list (Backport PR #26906, Upstream PR #26759, @qmonnet)
  • docs: Replace non-portable "sed -i" in Makefile (Backport PR #27239, Upstream PR #27122, @qmonnet)
  • docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (Backport PR #26906, Upstream PR #24099, @qmonnet)
  • docs: Simplify clustermesh example (Backport PR #27239, Upstream PR #27172, @joestringer)
  • docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (Backport PR #26906, Upstream PR #24014, @qmonnet)
  • Documentation: enable parallel builds (Backport PR #26906, Upstream PR #23752, @squeed)
  • Documentation: fix the broken links/dead links (Backport PR #27154, Upstream PR #26880, @vipul-21)
  • endpoint: don't hold the endpoint lock while generating policy (Backport PR #26735, Upstream PR #26242, @squeed)
  • Update Service Mesh docs to fix a number of issues (#27333, @youngnick)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.6@sha256:994b8b3b26d8a1ef74b51a163daa1ac02aceb9b16f794f8120f15a12011739dc
quay.io/cilium/cilium:v1.13.6@sha256:994b8b3b26d8a1ef74b51a163daa1ac02aceb9b16f794f8120f15a12011739dc

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.6@sha256:9b4f3f849c3d994adc42f30900ce99e39f01aeb370e33e10403f0ffe8edf28a2
quay.io/cilium/clustermesh-apiserver:v1.13.6@sha256:9b4f3f849c3d994adc42f30900ce99e39f01aeb370e33e10403f0ffe8edf28a2

docker-plugin

docker.io/cilium/docker-plugin:v1.13.6@sha256:06d3be87c59f5bdf34e26ab6e236896bb76d84a0182ddaf46bd78b0a785d7ed2
quay.io/cilium/docker-plugin:v1.13.6@sha256:06d3be87c59f5bdf34e26ab6e236896bb76d84a0182ddaf46bd78b0a785d7ed2

hubble-relay

docker.io/cilium/hubble-relay:v1.13.6@sha256:da96840b638d3e9705cfc48af2bddfe92d17eb4f5a776b075bef9ac50efbb042
quay.io/cilium/hubble-relay:v1.13.6@sha256:da96840b638d3e9705cfc48af2bddfe92d17eb4f5a776b075bef9ac50efbb042

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.6@sha256:e9ab58faf4e4fec9519474c18d166ba8cc144de85035c93b73b7dd40b6cf308b
quay.io/cilium/operator-alibabacloud:v1.13.6@sha256:e9ab58faf4e4fec9519474c18d166ba8cc144de85035c93b73b7dd40b6cf308b

operator-aws

docker.io/cilium/operator-aws:v1.13.6@sha256:f49f26454b4406c8f6438ca25de0a4f4b5392036ee6a4620d38353d94a2466d7
quay.io/cilium/operator-aws:v1.13.6@sha256:f49f26454b4406c8f6438ca25de0a4f4b5392036ee6a4620d38353d94a2466d7

operator-azure

docker.io/cilium/operator-azure:v1.13.6@sha256:028fe39733a64b36bb043e7d67d8aa6f2e3f0b46b5ab08865db5afdcae1133fb
quay.io/cilium/operator-azure:v1.13.6@sha256:028fe39733a64b36bb043e7d67d8aa6f2e3f0b46b5ab08865db5afdcae1133fb

operator-generic

docker.io/cilium/operator-generic:v1.13.6@sha256:753c1d0549032da83ec45333feec6f4b283331618a1f7fed2f7e2d36efbd4bc9
quay.io/cilium/operator-generic:v1.13.6@sha256:753c1d0549032da83ec45333feec6f4b283331618a1f7fed2f7e2d36efbd4bc9

operator

docker.io/cilium/operator:v1.13.6@sha256:d2196d141384d325b343c2e9bd7cdecbe4f2384e2ce95a3184c1cfff21475279
quay.io/cilium/operator:v1.13.6@sha256:d2196d141384d325b343c2e9bd7cdecbe4f2384e2ce95a3184c1cfff21475279

1.11.20

15 Aug 18:02
v1.11.20
We are pleased to release Cilium v1.11.20. This release comes with an important fix for IPsec.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Bugfixes:

  • Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled.
  • Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27148, Upstream PR #27029, @pchaigno)

Misc Changes:

  • chore(deps): update docker.io/library/golang docker tag to v1.19.11 (#27252, @ferozsalam)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.20@sha256:60df3cb7155886e0b62060c7a4a31e457933c6e35af79febad5fd6e43bab2a99
quay.io/cilium/cilium:v1.11.20@sha256:60df3cb7155886e0b62060c7a4a31e457933c6e35af79febad5fd6e43bab2a99

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.20@sha256:46760182f8c98227cfac27627275616987b71509227775350573d834133a6d49
quay.io/cilium/clustermesh-apiserver:v1.11.20@sha256:46760182f8c98227cfac27627275616987b71509227775350573d834133a6d49

docker-plugin

docker.io/cilium/docker-plugin:v1.11.20@sha256:9e036af06498d1a90d8eee3ce3c3dbeb10a6bbe2b2e6a55d04941c82624a2e3a
quay.io/cilium/docker-plugin:v1.11.20@sha256:9e036af06498d1a90d8eee3ce3c3dbeb10a6bbe2b2e6a55d04941c82624a2e3a

hubble-relay

docker.io/cilium/hubble-relay:v1.11.20@sha256:e2f38b901fd8bd5adc9a765a5e68836364ebd1e7dfb85c2bcd8a5488b23c3470
quay.io/cilium/hubble-relay:v1.11.20@sha256:e2f38b901fd8bd5adc9a765a5e68836364ebd1e7dfb85c2bcd8a5488b23c3470

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.20@sha256:5d5b44f0a08802972323adb7ca2d5df7e0983736ab3b195090906d2fa97f9594
quay.io/cilium/operator-alibabacloud:v1.11.20@sha256:5d5b44f0a08802972323adb7ca2d5df7e0983736ab3b195090906d2fa97f9594

operator-aws

docker.io/cilium/operator-aws:v1.11.20@sha256:48b755858729f783a682d80693ef3a208ddb70fa912b119f82f99bb988b23586
quay.io/cilium/operator-aws:v1.11.20@sha256:48b755858729f783a682d80693ef3a208ddb70fa912b119f82f99bb988b23586

operator-azure

docker.io/cilium/operator-azure:v1.11.20@sha256:65b2d2b143830e5a5764416d000244ac447b3e1fca07fe9c138c84094fa42085
quay.io/cilium/operator-azure:v1.11.20@sha256:65b2d2b143830e5a5764416d000244ac447b3e1fca07fe9c138c84094fa42085

operator-generic

docker.io/cilium/operator-generic:v1.11.20@sha256:1439954acf620f048ef663524ae70b4a25693c58527a2f2cee51124496e29f90
quay.io/cilium/operator-generic:v1.11.20@sha256:1439954acf620f048ef663524ae70b4a25693c58527a2f2cee51124496e29f90

operator

docker.io/cilium/operator:v1.11.20@sha256:998f7df39d12324a7d968a8c8725533b10b54c01f4aeab33d12b395af1f2edf8
quay.io/cilium/operator:v1.11.20@sha256:998f7df39d12324a7d968a8c8725533b10b54c01f4aeab33d12b395af1f2edf8

1.14.0

27 Jul 14:56
v1.14.0
Changelog

The Cilium core team are excited to announce the Cilium 1.14 release. 🎉

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Major Changes:

  • Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#24263, @meyskens)
  • Add support for Kubernetes v1.27 (#24837, @tklauser)
  • Add support for Kubernetes v1.27 (#25602, @nathanjsweet)
  • Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
  • Add TLSRoute support to GatewayAPI (#25106, @meyskens)
  • Add WireGuard host2host and LB encryption (#19401, @brb)
  • Added L2 announcement feature (#25471, @dylandreimerink)
  • cilium: fib lookup consolidation (#23884, @borkmann)
  • cilium: IPv4 BIG TCP support (#26172, @borkmann)
  • Implement BPF-based masquerading for IPv6 (#23165, @qmonnet)
  • Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#26083, @giorio94)
  • Module Health: Add Health Provider/Reporter (#25662, @tommyp1ckles)
  • New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
  • Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)
  • Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)
  • The Cilium operator now taints nodes where Cilium is scheduled to run but is not running.
    This prevents pods from being scheduled on nodes without Cilium.
    The CNI configuration file is no longer removed on agent shutdown.
    This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade.
    This should help prevent nodes accidentally entering an unmanageable state.
    It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#23486, @squeed)

Minor Changes:

  • CES work queue rate limiting (#24675, @dlapcevic):
    1. Add a new set of flags for the CES work queue limit and burst rates, CESWriteQPSLimit and CESWriteQPSBurst.
       Each processed work queue item always triggers a single CES create, update or write request to the kube-apiserver,
       so the work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES API objects.
    2. Set the default CESWriteQPSLimit to 10 and CESWriteQPSBurst to 20.
    3. Set the maximums to 50 QPS and a burst of 100. These values cannot be exceeded regardless of any configuration.
    4. Unhide the CESMaxCEPsInCES and CESSlicingMode flags from appearing in logs when CES is enabled.
  • [SNAT] add "need to frag" ICMP support (#18414, @sahid)
  • Add --hubble-monitor-events flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
  • Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
  • Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#23968, @meyskens)
  • Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
  • Add flag to configure the size of the egress gateway policy map (#23019, @cyclinder)
  • Add hubble_lost_events_total metric for the number of events lost by Hubble. (#22865, @lambdanis)
  • add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
  • Add network policy auth method "always-fail" (#24609, @meyskens)
  • Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
  • Add option to remove query from HTTP flows (#25746, @ChrsMark)
  • Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#22731, @marqc)
  • Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
  • Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
  • Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
  • Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
  • Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
  • Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
  • Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
  • Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
  • Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
  • Add support for the ingressclass.kubernetes.io/is-default-class annotation on Cilium's IngressClass (#23719, @meyskens)
  • Add tls-server-enforce-mtls flag to hubble-relay to enforce mTLS connection with clients. (Backport PR #26636, Upstream PR #25582, @marqc)
  • Added Gratuitous ARP Pod Announcements (#25482, @markpash)
  • Adds peerPort field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans)
  • agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead (#26036, @brb)
  • alibabacloud: Support selecting subnet by IDs (#23131, @jaffcheng)
  • Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#22866, @akhilles)
  • Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#22911, @lvyanru8200)
  • Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
  • Allow using a Secret for the caBundle (#25728, @farcaller)
  • auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
  • bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
  • BGPv1: Set N-bit in graceful restart capability negotiation. (#26325, @harsimran-pabla)
  • BPF NodePort is now enabled by default if CiliumEnvoyConfig is configured. (Backport PR #26636, Upstream PR #25901, @jrajahalme)
  • bpf, ipcache: unconditionally assume support for LPM trie maps (#24258, @tklauser)
  • Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fixed several relative IPv6 issues. (#24208, @jschwinger233)
  • Change default helm value of authentication.mutual.spire.install.enabled to true (Backport PR #27038, Upstream PR #26864, @meyskens)
  • Cilium by default overwrites changes to its CNI configuration file. With this change, setting cni.exclusive to false disables this behavior. This is useful when additional plugins wish to chain after Cilium, such as Istio. (Backport PR #27038, Upstream PR #26773, @squeed)
  • Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
  • Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
  • Cilium now waits longer before returning a failure in the event of a pod creation burst. (#25805, @squeed)
  • cilium/cmd: Remove deprecated policy_trace command (#23550, @sayboras)
  • clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
  • clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
  • clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
  • clustermesh: enable per-cluster RBAC in etcd server (#24284, @giorio94)
  • cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
  • cmd/service: unify service list/get output (#24136, @oblazek)
  • cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
  • daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
  • Deprecate --tunnel in favor of --routing-mode and --tunnel-protocol. (#24561, @pchaigno)
  • Deprecate CNP Node status updates. (#24464, @marseel)
  • Disable by default CNP Node Status GC in cilium-operator. (#24390, @marseel)
  • DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
  • dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
  • dns: Set --tofqdns-min-ttl to zero by default (#21439, @michi-covalent)
  • egressgw: add support for excludedCIDRs (#23448, @jibi)
  • Enable configuration of the source IP verification per endpoint (#23985, @pchaigno)
  • Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
  • Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
  • Enabled cilium_bpf_map_pressure metric by default (#24721, @vishal-chdhry)
  • endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
  • envoy: Add idle timeout configuration option (#25214, @sayboras)
  • envoy: Bump envoy to 1.24.2 (#23940, @sayboras)
  • envoy: Bump envoy to 1.24.3 (#24148, @sayboras)
  • envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
  • envoy: Bump envoy to v1.25.8 (Backport PR #26887, Upstream PR #26815, @sayboras)
  • envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
  • envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
  • envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
  • envoy: Use embedded proxylib from cilium-proxy image (#26101, @sayboras)
  • etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
  • Expand agent metric Policy Import Errors to count all policy changes (#23349, @dlapcevic)
  • Expose Cilium agent go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#24745, @derailed)
  • Extend clustermesh status reporting with remote configuration and sy...

1.13.5

27 Jul 22:23
v1.13.5

We are pleased to release Cilium v1.13.5.

This release addresses the following security issues:

This release includes a security fix for Envoy, performance improvements to clustermesh, the addition of loadBalancerIP and loadBalancerClass on ingress services, and numerous networking improvements.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Minor Changes:

  • Add helm value envoyConfig.enabled that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (Backport PR #26421, Upstream PR #26005, @jrajahalme)
  • Allow disabling external workloads support in clustermesh-apiserver to improve performance when not needed. (Backport PR #26421, Upstream PR #25259, @giorio94)
  • daemon: don't allow egress gateway with KV store identity allocation (Backport PR #26421, Upstream PR #26189, @jibi)
  • helm: Allow node port allocation for Ingress LB service (Backport PR #26861, Upstream PR #26502, @sayboras)
  • ingress: Add loadBalancerIP and loadBalancerClass (Backport PR #26528, Upstream PR #22670, @oliver-ni)

Bugfixes:

  • Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (Backport PR #25739, Upstream PR #25159, @julianwiedmann)
  • bgpv1: Unconditionally select node when empty nodeSelector is given (Backport PR #26737, Upstream PR #26590, @YutaroHayakawa)
  • bpf: ct: fix CT-based packet tracing for IPv6 (Backport PR #26528, Upstream PR #26476, @julianwiedmann)
  • bpf: fix error handling for invoke_tailcall_if() (Backport PR #26497, Upstream PR #26118, @julianwiedmann)
  • bpf: lxc: fix one missing drop notification in CT lookup tail calls (Backport PR #26421, Upstream PR #26115, @julianwiedmann)
  • client, health/client: set dummy host header on unix:// local communication (Backport PR #26861, Upstream PR #26800, @tklauser)
  • Envoy resource namespacing (Backport PR #26421, Upstream PR #26037, @jrajahalme)
  • Fix a bug in the Egress Gateway feature when using the --install-egress-gateway-routes option. Delete stale IP rules after a CiliumEgressGatewayPolicy is updated and selects a different egress network interface. (Backport PR #26947, Upstream PR #26846, @julianwiedmann)
  • Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26792, Upstream PR #26708, @pchaigno)
  • Fix bug where CNI gets installed even if cni.install=false (Backport PR #26421, Upstream PR #26278, @joestringer)
  • Fix crash of cilium-agent happening when a remote node without node IP addresses is removed. (Backport PR #26421, Upstream PR #25851, @cyclinder)
  • Fix missing metric "cilium_services_events_total" (Backport PR #27036, Upstream PR #26719, @christarazi)
  • Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26792, Upstream PR #25440, @pchaigno)
  • Fix possible connection drops on agents restart when a service is associated with multiple endpointslices or has backends across multiple clusters (Backport PR #27036, Upstream PR #26912, @giorio94)
  • Fix: Return "Content-Type" and "X-Content-Type-Options" headers from Health Check Node Port (Backport PR #26528, Upstream PR #26458, @cezarygerard)
  • Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26749, Upstream PR #26344, @jrajahalme)
  • helm: Fix a bug caused by incorrect indentation of the extraEnv parameter for Hubble UI backend (Backport PR #26915, Upstream PR #26797, @toVersus)
  • ingress: Delay secret sync if not available (Backport PR #26993, Upstream PR #26988, @sayboras)
  • ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26421, Upstream PR #26113, @jschwinger233)
  • Parses the IP addr passed as CIDR from the delegated IPAM and then uses the IP addr from the parsed prefix. (Backport PR #26421, Upstream PR #22918, @vipul-21)
  • Temporarily disable bpf-clock-probe to avoid causing interruptions for long-lived connections during upgrades (Backport PR #27034, Upstream PR #26981, @margamanterola)

CI Changes:

  • .github: add 'name' field for the conformance-e2e job (Backport PR #26861, Upstream PR #26791, @aanm)
  • ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport PR #26737, Upstream PR #26715, @tklauser)
  • ci: fix Azure cluster names sometimes being too long (Backport PR #27036, Upstream PR #26933, @nbusseneau)
  • gh/workflows: Optionally enable dual stack in ci-e2e (Backport PR #26915, Upstream PR #26856, @brb)
  • gha: uniform the final sysdump names in conformance clustermesh (#26686, @giorio94)
  • test: Fix and unquarantine Skip conntrack test (Backport PR #27036, Upstream PR #25038, @pchaigno)
  • v1.13: ci: use Ariane to trigger workflows (#26580, @nbusseneau)

Misc Changes:

  • Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26421, Upstream PR #26130, @brb)
  • Adding an AWS architecture diagram for AWS FTR review (Backport PR #26421, Upstream PR #26016, @amitmavgupta)
  • bpf: add drop reason for TTL exceeded (Backport PR #27036, Upstream PR #26884, @julianwiedmann)
  • bpf: nodeport: wire up trace struct for IPv6 RevDNAT (Backport PR #26421, Upstream PR #26047, @julianwiedmann)
  • bpf: Use "fallthrough;", compile with -Wimplicit-fallthrough (Backport PR #26421, Upstream PR #26211, @qmonnet)
  • build(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible (Backport PR #26737, Upstream PR #25393, @dependabot[bot])
  • Calling out support for Single-Region, Multi-Region, Multi-AZ for EKS (Backport PR #26421, Upstream PR #26015, @amitmavgupta)
  • certloader: Correctly support RequestClientCert in WatchedClientConfig (Backport PR #26915, Upstream PR #26812, @chancez)
  • chore(deps): update actions/setup-go action to v4 (v1.13) (#26320, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (minor) (#26440, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (patch) (#26702, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.17.4 (v1.13) (#26436, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.17.4 (v1.13) (#26437, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.19.10 docker digest to 405b708 (v1.13) (#26422, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.19.10 docker digest to 6fb612a (v1.13) (#26249, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (v1.13) (#26701, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2a357c4 (v1.13) (#26317, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 (v1.13) (#26433, @renovate[bot])
  • chore(deps): update docker/setup-buildx-action action to v2.8.0 (v1.13) (#26572, @renovate[bot])
  • chore(deps): update docker/setup-buildx-action action to v2.9.0 (v1.13) (#26703, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.0 (v1.13) (minor) (#26765, @renovate[bot])
  • chore(deps): update sigstore/cosign-installer action to v3 (v1.13) (#26441, @renovate[bot])
  • chore(deps): update sigstore/cosign-installer action to v3 (v1.13) (#26704, @renovate[bot])
  • doc: Documented incompatibility of EgressGW and kvstore (Backport PR #26637, Upstream PR #26139, @PhilipSchmid)
  • docker: Detect default "desktop-linux" builder (Backport PR #26421, Upstream PR #25908, @jrajahalme)
  • docs/ipsec: Clarify limitation on number of nodes (Backport PR #26861, Upstream PR #26810, @pchaigno)
  • docs/ipsec: Document RSS limitation (Backport PR #27036, Upstream PR #26979, @pchaigno)
  • docs/ipsec: Extend troubleshooting section (Backport PR #27036, Upstream PR #26808, @pchaigno)
  • docs/upgrading: note that policy bug was fixed in v1.13.3 (#26661, @squeed)
  • docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26421, Upstream PR #26180, @wedaly)
  • docs: Pick up PyYAML 6.0.1 (Backport PR #26915, Upstream PR #26883, @michi-covalent)
  • docs: remove no-longer-valid known policy issue (Backport PR #26861, Upstream PR #26660, @squeed)
  • docs: reword incorrect L7 policy description (Backport PR #26421, Upstream PR #26092, @peterj)
  • docs: Specify Helm chart version in "cilium install" commands (Backport PR #27036, Upstream PR #26934, @michi-covalent)
  • Document that the install-egress-gateway-routes flag is only for EKS's ENI mode in egress gateway guide (Backport PR #26861, Upstream PR #23616, @deepeshaburse)
  • Document that upgrades to 1.13.4 may experience interruptions of existing connections, while upgrades from 1.13.4 may encounter lingering connections. (#27048, @margamanterola)
  • Dump maps and events for all lb4/6 v3 backends (Backport PR #26421, Upstream PR #26108, @ti-mo)
  • Fix "make -C Documentation builder-image" (Backport PR #26915, Upstream PR #26874, @michi-covalent)
  • fix(deps): update module github.com/docker/docker to v24 (main) (Backport PR #26737, Upstream PR #26316, @renovate[bot])
  • helm: Add flag to disable CRD check for mass server-side apply (Backport PR #26421, Upstream PR #25956, @jcpunk)
  • vendor: Update go-restful (Backport PR #26576, Upstream PR #26560, @ferozsalam)

Other Changes:


1.12.12

27 Jul 22:23
v1.12.12

We are pleased to release Cilium v1.12.12.

This release addresses the following security issues:

This release includes a security fix for Envoy, as well as numerous improvements to Network Policies and BGP.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Minor Changes:

  • daemon: don't allow egress gateway with KV store identity allocation (Backport PR #26420, Upstream PR #26189, @jibi)

Bugfixes:

  • bgpv1: Unconditionally select node when empty nodeSelector is given (Backport PR #26746, Upstream PR #26590, @YutaroHayakawa)
  • client, health/client: set dummy host header on unix:// local communication (Backport PR #26916, Upstream PR #26800, @tklauser)
  • Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26859, Upstream PR #26708, @pchaigno)
  • Fix bug where CNI gets installed even if cni.install=false (Backport PR #26420, Upstream PR #26278, @joestringer)
  • Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26859, Upstream PR #25440, @pchaigno)
  • Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26420, Upstream PR #25969, @jrajahalme)
  • Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26750, Upstream PR #26344, @jrajahalme)
  • ingress: Delay secret sync if not available (Backport PR #26994, Upstream PR #26988, @sayboras)
  • ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26420, Upstream PR #26113, @jschwinger233)

CI Changes:

Misc Changes:

  • Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26420, Upstream PR #26130, @brb)
  • Adding an AWS architecture diagram for AWS FTR review (Backport PR #26420, Upstream PR #26016, @amitmavgupta)
  • Calling out support for Single-Region, Multi-Region, Multi-AZ for EKS (Backport PR #26420, Upstream PR #26015, @amitmavgupta)
  • chore(deps): update actions/setup-go action to v4 (v1.12) (#26447, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (minor) (#26446, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (patch) (#26443, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.12) (#26444, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.12) (#26445, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to c9820a4 (v1.12) (#26705, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to f8f6584 (v1.12) (#26442, @renovate[bot])
  • chore(deps): update docker/setup-buildx-action action to v2.9.1 (v1.12) (#26829, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.0 (v1.12) (minor) (#26766, @renovate[bot])
  • doc: Documented incompatibility of EgressGW and kvstore (Backport PR #26659, Upstream PR #26139, @PhilipSchmid)
  • docker: Detect default "desktop-linux" builder (Backport PR #26420, Upstream PR #25908, @jrajahalme)
  • docs/ipsec: Clarify limitation on number of nodes (Backport PR #26859, Upstream PR #26810, @pchaigno)
  • docs: Bump Sphinx and sphinx-tabs version. (Backport PR #27059, Upstream PR #20997, @qmonnet)
  • docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26420, Upstream PR #26180, @wedaly)
  • docs: fixed search for every page (Backport PR #27059, Upstream PR #26892, @geakstr)
  • docs: Ignore Helm values, update spelling list (Backport PR #27059, Upstream PR #26759, @qmonnet)
  • docs: Pick up PyYAML 6.0.1 (Backport PR #26916, Upstream PR #26883, @michi-covalent)
  • docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (Backport PR #27059, Upstream PR #24099, @qmonnet)
  • docs: reword incorrect L7 policy description (Backport PR #26420, Upstream PR #26092, @peterj)
  • docs: Rework requirements.txt: Generate from minimal list (Backport PR #27059, Upstream PR #20978, @qmonnet)
  • docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (Backport PR #27059, Upstream PR #24014, @qmonnet)
  • Documentation: enable parallel builds (Backport PR #27059, Upstream PR #23752, @squeed)
  • Fix "make -C Documentation builder-image" (Backport PR #26916, Upstream PR #26874, @michi-covalent)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.12@sha256:3cafa76253881a77c3613ed2967776b83b81fcdffcd2a90dae13b175297b92dd
quay.io/cilium/cilium:v1.12.12@sha256:3cafa76253881a77c3613ed2967776b83b81fcdffcd2a90dae13b175297b92dd

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.12@sha256:1d5e050510034b4e2c66b7f57b410b7ebf52ec2efc9c82e16dff4361eac6058d
quay.io/cilium/clustermesh-apiserver:v1.12.12@sha256:1d5e050510034b4e2c66b7f57b410b7ebf52ec2efc9c82e16dff4361eac6058d

docker-plugin

docker.io/cilium/docker-plugin:v1.12.12@sha256:b0a41e75101176145ff3933bd975968c90166d823d42cbef3babe16a7545b78d
quay.io/cilium/docker-plugin:v1.12.12@sha256:b0a41e75101176145ff3933bd975968c90166d823d42cbef3babe16a7545b78d

hubble-relay

docker.io/cilium/hubble-relay:v1.12.12@sha256:7a9265feccf24a4c49eb244cbbafe9d0ddf41dc9e6705494b4a12db6e5d3a8d8
quay.io/cilium/hubble-relay:v1.12.12@sha256:7a9265feccf24a4c49eb244cbbafe9d0ddf41dc9e6705494b4a12db6e5d3a8d8

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.12@sha256:d0c0189f5dd35d9e4002795ba3e5a3af26ae9e617b51b97dce06f887d1f7dbf3
quay.io/cilium/operator-alibabacloud:v1.12.12@sha256:d0c0189f5dd35d9e4002795ba3e5a3af26ae9e617b51b97dce06f887d1f7dbf3

operator-aws

docker.io/cilium/operator-aws:v1.12.12@sha256:71e08d8b92dfe2ef40e771e4e4ef0ea2d4984c1a978cf6050853673f9428adca
quay.io/cilium/operator-aws:v1.12.12@sha256:71e08d8b92dfe2ef40e771e4e4ef0ea2d4984c1a978cf6050853673f9428adca

operator-azure

docker.io/cilium/operator-azure:v1.12.12@sha256:e75189f338868acf6c65038e88ef470cbc46ae4a0ead899727519e4569aac533
quay.io/cilium/operator-azure:v1.12.12@sha256:e75189f338868acf6c65038e88ef470cbc46ae4a0ead899727519e4569aac533

operator-generic

docker.io/cilium/operator-generic:v1.12.12@sha256:fb2b1ef65fda0f102ef533f354a5cc462076bd70b281ce0eee71fc34badf551a
quay.io/cilium/operator-generic:v1.12.12@sha256:fb2b1ef65fda0f102ef533f354a5cc462076bd70b281ce0eee71fc34badf551a

operator

docker.io/cilium/operator:v1.12.12@sha256:a461487e70ada9c3577ed905df3e50d8c1d3ad8688bbfa9bedbf6f89c9bcb354
quay.io/cilium/operator:v1.12.12@sha256:a461487e70ada9c3577ed905df3e50d8c1d3ad8688bbfa9bedbf6f89c9bcb354

1.11.19

27 Jul 22:23
v1.11.19

We are pleased to release Cilium v1.11.19.

This release addresses the following security issues:

This release includes a security fix for Envoy and improvements to Network Policies.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Bugfixes:

  • client, health/client: set dummy host header on unix:// local communication (Backport PR #26917, Upstream PR #26800, @tklauser)
  • Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26872, Upstream PR #26708, @pchaigno)
  • Fix bug where CNI gets installed even if cni.install=false (Backport PR #26419, Upstream PR #26278, @joestringer)
  • Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26872, Upstream PR #25440, @pchaigno)
  • Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26419, Upstream PR #25969, @jrajahalme)
  • Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26752, Upstream PR #26344, @jrajahalme)
  • ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26419, Upstream PR #26113, @jschwinger233)

CI Changes:

Misc Changes:

  • Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26419, Upstream PR #26130, @brb)
  • chore(deps): update actions/setup-go action to v4 (v1.11) (#26391, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.11) (minor) (#26452, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.11) (patch) (#26449, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26450, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26451, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to c9820a4 (v1.11) (#26448, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.0 (v1.11) (minor) (#26769, @renovate[bot])
  • docker: Detect default "desktop-linux" builder (Backport PR #26419, Upstream PR #25908, @jrajahalme)
  • docs/ipsec: Clarify limitation on number of nodes (Backport PR #26872, Upstream PR #26810, @pchaigno)
  • docs/ipsec: Document RSS limitation (Backport PR #27030, Upstream PR #26979, @pchaigno)
  • docs/ipsec: Extend troubleshooting section (Backport PR #27030, Upstream PR #26808, @pchaigno)
  • docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26419, Upstream PR #26180, @wedaly)
  • docs: Pick up PyYAML 6.0.1 (Backport PR #26917, Upstream PR #26883, @michi-covalent)
  • docs: reword incorrect L7 policy description (Backport PR #26419, Upstream PR #26092, @peterj)
  • docs: Specify Helm chart version in "cilium install" commands (Backport PR #27030, Upstream PR #26934, @michi-covalent)
  • Fix "make -C Documentation builder-image" (Backport PR #26917, Upstream PR #26874, @michi-covalent)
  • test/provision/compile.sh: Make usable from dev VM (Backport PR #25557, Upstream PR #25352, @jrajahalme)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4
quay.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.19@sha256:9346b296322036d2df98bd0ebdc721f4fafd5449030c7fd5dc53b20103758eee
quay.io/cilium/clustermesh-apiserver:v1.11.19@sha256:9346b296322036d2df98bd0ebdc721f4fafd5449030c7fd5dc53b20103758eee

docker-plugin

docker.io/cilium/docker-plugin:v1.11.19@sha256:dc5eb50a89ef4fc31596f922fb63149f1e2d68a563ae5844cd83b61d7da7c04e
quay.io/cilium/docker-plugin:v1.11.19@sha256:dc5eb50a89ef4fc31596f922fb63149f1e2d68a563ae5844cd83b61d7da7c04e

hubble-relay

docker.io/cilium/hubble-relay:v1.11.19@sha256:8c1032dfb03359e0576061502196e06eefb8ef12743d602e075e7f97f56667e4
quay.io/cilium/hubble-relay:v1.11.19@sha256:8c1032dfb03359e0576061502196e06eefb8ef12743d602e075e7f97f56667e4

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.19@sha256:9cb60d9362a362b58bb33da6b7a4b73f7882d0bc580af74c91c50d3112a74e2e
quay.io/cilium/operator-alibabacloud:v1.11.19@sha256:9cb60d9362a362b58bb33da6b7a4b73f7882d0bc580af74c91c50d3112a74e2e

operator-aws

docker.io/cilium/operator-aws:v1.11.19@sha256:b121c72160abc99112bf155d05f3c09fca266a3ea026143d86da7376654f708b
quay.io/cilium/operator-aws:v1.11.19@sha256:b121c72160abc99112bf155d05f3c09fca266a3ea026143d86da7376654f708b

operator-azure

docker.io/cilium/operator-azure:v1.11.19@sha256:13c1030a90f38c483ae5b0696e0597c4129697f3af81e1eeb238d7d5a04e326e
quay.io/cilium/operator-azure:v1.11.19@sha256:13c1030a90f38c483ae5b0696e0597c4129697f3af81e1eeb238d7d5a04e326e

operator-generic

docker.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23
quay.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23

operator

docker.io/cilium/operator:v1.11.19@sha256:26f479a21f3079eb0da4700b9ffd012dfce9b38d635486998bbe352b8f8df740
quay.io/cilium/operator:v1.11.19@sha256:26f479a21f3079eb0da4700b9ffd012dfce9b38d635486998bbe352b8f8df740
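The Docker Manifests lists above pin every image to a sha256 digest and publish the same digest on docker.io and quay.io. The following is an added example, not code from the Cilium project, that parses references in that `registry/repo:tag@sha256:digest` form and checks the two things a deployer wants to confirm before pinning: that each reference actually carries a digest (a bare tag is mutable), and that the two registries agree on the digest for every repo:tag. The sample input reuses two reference pairs copied from the v1.11.19 list above; the mismatched pair and the unpinned entry are constructed here to exercise the failure modes.

```python
import re
from collections import defaultdict

# Two pairs copied verbatim from the v1.11.19 "Docker Manifests" list above,
# plus entries constructed for this example to show what a failing check looks like.
SAMPLE_REFS = [
    "docker.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4",
    "quay.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4",
    "docker.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23",
    "quay.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23",
    # constructed: same repo:tag, but the two registries disagree on the digest
    "docker.io/example/mismatch:v0.0.1@sha256:" + "a" * 64,
    "quay.io/example/mismatch:v0.0.1@sha256:" + "b" * 64,
    # constructed: tag only, no digest, so the content behind it can change
    "quay.io/example/unpinned:v0.0.1",
]

# registry/repo[:tag][@sha256:<64 hex>]; the repo part may contain further slashes
REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^:@]+)"
    r"(?::(?P<tag>[A-Za-z0-9_][\w.-]*))?"
    r"(?:@sha256:(?P<digest>[0-9a-f]{64}))?$"
)


def parse_ref(ref):
    """Split an image reference into registry, repo, tag and digest (None if absent)."""
    m = REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.groupdict()


def check_manifests(refs):
    """Return (unpinned, mismatched).

    unpinned:   references that carry no digest at all.
    mismatched: {"repo:tag": {registry: digest}} for images whose digest
                differs between the registries that publish them.
    """
    unpinned = []
    by_image = defaultdict(dict)  # (repo, tag) -> {registry: digest}
    for ref in refs:
        p = parse_ref(ref)
        if p["digest"] is None:
            unpinned.append(ref)
            continue
        by_image[(p["repo"], p["tag"])][p["registry"]] = p["digest"]

    mismatched = {
        f"{repo}:{tag}": regs
        for (repo, tag), regs in by_image.items()
        if len(set(regs.values())) > 1
    }
    return unpinned, mismatched


def main():
    unpinned, mismatched = check_manifests(SAMPLE_REFS)
    for ref in unpinned:
        print(f"UNPINNED  {ref}")
    for image, regs in mismatched.items():
        print(f"MISMATCH  {image}")
        for registry, digest in sorted(regs.items()):
            print(f"          {registry}: sha256:{digest}")
    if not unpinned and not mismatched:
        print("all references pinned and consistent across registries")


if __name__ == "__main__":
    main()
```

Run against the full manifests list of a release, the check passes only when every component is digest-pinned and both registries serve identical content; a disagreement is the signal to stop and inspect before rolling the image out, whichever registry a cluster happens to pull from.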

1.14.0-rc.1

17 Jul 15:11
v1.14.0-rc.1
Pre-release

Summary of Changes

Minor Changes:

  • Add tls-server-enforce-mtls flag to hubble-relay to enforce mTLS connection with clients. (Backport PR #26636, Upstream PR #25582, @marqc)
  • BPF NodePort is now enabled by default if CiliumEnvoyConfig is configured. (Backport PR #26636, Upstream PR #25901, @jrajahalme)
  • Fix endpoint slices filtering to ensure we filter out headless services and continue to support older k8s versions where service labels are not propagated to endpoint slices (Backport PR #26799, Upstream PR #25351, @odinuge)
  • helm: Allow node port allocation for Ingress LB service (Backport PR #26799, Upstream PR #26502, @sayboras)

Bugfixes:

  • Add host-side interface info to cni.Result, which allows bandwidth CNI to work with Cilium (Backport PR #26636, Upstream PR #26518, @nayihz)
  • auth: Switch to observing identity changes (Backport PR #26636, Upstream PR #26375, @mhofstetter)
  • bgpv1: Unconditionally select node when empty nodeSelector is given (Backport PR #26734, Upstream PR #26590, @YutaroHayakawa)
  • client, health/client: set dummy host header on unix:// local communication (Backport PR #26838, Upstream PR #26800, @tklauser)
  • egressgw: retry getIdentityLabels on failure (Backport PR #26734, Upstream PR #26457, @jibi)
  • Fix bug where bpf map entries may not be reliably dumped or garbage collected when the map is actively being updated. (Backport PR #26838, Upstream PR #26583, @tommyp1ckles)
  • Fix error propagation issue in clustermesh which prevented retrying on certain validation errors (Backport PR #26799, Upstream PR #26613, @giorio94)
  • Fix SNAT by the N/S load-balancer for fragmented IPv4 requests. (Backport PR #26636, Upstream PR #26550, @julianwiedmann)
  • Fixed double metric accounting for k8s events (Backport PR #26636, Upstream PR #26349, @dylandreimerink)
  • Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26813, Upstream PR #26344, @jrajahalme)
  • Implement OnAddNode handlers for CiliumNodeUpdater and EndpointManager (Backport PR #26734, Upstream PR #26484, @pippolo84)
  • Policy auth precedence fix (Backport PR #26813, Upstream PR #26331, @jrajahalme)
  • Validate "ownership" of hostPort service being deleted (Backport PR #26734, Upstream PR #22587, @yasz24)

CI Changes:

Misc Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.0-rc.1@sha256:47c403975508dcf0f53f801f1fd0cf0804d4dc656ee01a136bd3805ed2ec14bb
quay.io/cilium/cilium:v1.14.0-rc.1@sha256:47c403975508dcf0f53f801f1fd0cf0804d4dc656ee01a136bd3805ed2ec14bb

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.0-rc.1@sha256:5dff8cba7b230294cbfe284222b1963e9c2e0d93baef19f0e565b957dac7749a
quay.io/cilium/clustermesh-apiserver:v1.14.0-rc.1@sha256:5dff8cba7b230294cbfe284222b1963e9c2e0d93baef19f0e565b957dac7749a

docker-plugin

docker.io/cilium/docker-plugin:v1.14.0-rc.1@sha256:ae6beb99ec85a2ccba9f96fe07ce8c0ca0d7d6a1aac696cd9d3c5f005c74279a
quay.io/cilium/docker-plugin:v1.14.0-rc.1@sha256:ae6beb99ec85a2ccba9f96fe07ce8c0ca0d7d6a1aac696cd9d3c5f005c74279a

hubble-relay

docker.io/cilium/hubble-relay:v1.14.0-rc.1@sha256:51627988e5df034e2b7a6291ed06593d0bc12a54f01549a2f5c7db46adc1ecfe
quay.io/cilium/hubble-relay:v1.14.0-rc.1@sha256:51627988e5df034e2b7a6291ed06593d0bc12a54f01549a2f5c7db46adc1ecfe

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.0-rc.1@sha256:69b385338771696036e2edce22626b98b84df63739bb56287f992ff169fa75c0
quay.io/cilium/kvstoremesh:v1.14.0-rc.1@sha256:69b385338771696036e2edce22626b98b84df63739bb56287f992ff169fa75c0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.0-rc.1@sha256:c0840b26aaff7eb65415e05644cbcefbc47cdc67a35fabe37cc19dc72127d878
quay.io/cilium/operator-alibabacloud:v1.14.0-rc.1@sha256:c0840b26aaff7eb65415e05644cbcefbc47cdc67a35fabe37cc19dc72127d878

operator-aws

docker.io/cilium/operator-aws:v1.14.0-rc.1@sha256:32e6bd6863984be27433c3405f6e41074cc72a3a40cc3bf9d7bc1241552776a5
quay.io/cilium/operator-aws:v1.14.0-rc.1...
