Releases: cilium/cilium
1.14.0-rc.0
Summary of Changes
Minor Changes:
- Add a new set of flags for CES work queue limit and burst rates, `CESWriteQPSLimit` and `CESWriteQPSBurst`. (#24675, @dlapcevic) The processed work queue items always trigger a single CES create, update or write request to the kube-apiserver. The work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES api objects.
- Set the default `CESWriteQPSLimit` to `10` and `CESWriteQPSBurst` to `20`. (#24675, @dlapcevic)
- Set the maximums for qps `50` and burst `100`. These values cannot be exceeded regardless of any configuration. (#24675, @dlapcevic)
- Unhide `CESMaxCEPsInCES` and `CESSlicingMode` flags from appearing in logs when `CES` is enabled. (#24675, @dlapcevic)
- agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead (#26036, @brb)
- Allow to use a Secret for the caBundle (#25728, @farcaller)
- BGPv1: Set N-bit in graceful restart capability negotiation. (#26325, @harsimran-pabla)
- Cilium now waits longer before returning a failure in the event of a pod creation burst. (#25805, @squeed)
- envoy: Use embedded proxylib from cilium-proxy image (#26101, @sayboras)
- metrics: Add k8s client rate limiter latency metric (#25555, @ysksuzuki)
- Retire Cilium-Integrated Istio documentation (#25722, @networkop)
- Revert "Revert agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26496, @brb)
Bugfixes:
- bpf: ct: fix CT-based packet tracing for IPv6 (#26476, @julianwiedmann)
- Bypassing policy check for IPv6 NDP to fix broken pod-to-pod connectivity when per-endpoint route is enabled with policy. (#24919, @jschwinger233)
- CIDRGroup reference metric will not count nonexistent CIDRGroups (#26133, @akstron)
- datapath: bigtcp: Fix the IPv4 BIG TCP may not work (#26336, @haiyuewa)
- Fix a bug where datapath option DisableSipVerification can no longer be used. (#25533, @oblazek)
- Fix bug in AlibabaCloud where instance type limits could not be determined (#25387, @haozhangami)
- Fix bug where CNI gets installed even if cni.install=false (#26278, @joestringer)
- Fix compilation error when enabling Wireguard and XDP (#25734, @ysksuzuki)
- Fix crash of cilium-agent happening when a remote node without node IP addresses is removed. (#25851, @cyclinder)
- Fix: Return "Content-Type" and "X-Content-Type-Options" headers from Health Check Node Port (#26458, @cezarygerard)
- Handles nodeIP changes when CEPs are checkpointed to tmpfs and the nodeIP changes across a reboot. (#26281, @bprashanth)
- ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (#26113, @jschwinger233)
- iptables: Fix wrong use of podCIDR in cluster node NAT exclusion (#26397, @gandro)
- Keep sync on deployed proxy ports when retrying proxy redirect creation. (#26343, @jrajahalme)
- nat: fix usage in nat.h of csum.h module (#25576, @sahid)
- test/controlplane: Disable endpoint GC (#26383, @pippolo84)
- test: bigtcp: Update the BIG TCP checking message (#26377, @haiyuewa)
- Updates TransformXXX Functions in k8s pkg (#26244, @danehans)
CI Changes:
- .github/workflows: let renovate update kind in ingress workflow (#26390, @tklauser)
- Add BPF unit tests for IPsec (#25699, @jschwinger233)
- Add container image scanning to Cilium images. (#26489, @ferozsalam)
- bpf: egressgw: refactor unit tests (#26376, @jibi)
- bpf: tests: pktgen infra for tunneling + GENEVE-DSR test (#26301, @julianwiedmann)
- CI Workflow: Add all AWS supported k8s versions (#26361, @brlbil)
- CI Workflow: Add all Azure supported k8s versions (#26356, @brlbil)
- CI Workflow: Add all GKE supported k8s version (#26364, @brlbil)
- CI Workflows: Fix matrix generation (#26406, @brlbil)
- CI Workflows: Fix sysdump file creation (#26402, @brlbil)
- CI Workflows: Fix sysdump name typo (#26415, @brlbil)
- ci-aks, ci-external-workloads: Use cilium-cli Helm mode (#26382, @michi-covalent)
- ci-e2e: Bump CLI version to v0.14.8 (#26475, @brb)
- ci-verifier: run verifier tests directly on VM instead of containerized (#26509, @ti-mo)
- ci: Add workflow for testing multi-pool IPAM (#26175, @gandro)
- CI: run integration-tests on test changes in PRs (#26405, @marseel)
- docs: Run rstcheck on the README.rst (#26454, @qmonnet)
- gateway-api: Add tests for standard CRD (#26372, @sayboras)
- gateway-api: Enable HTTPRouteListenerHostnameMatching test (#26226, @sayboras)
- gha: enable debug logs in conformance-clustermesh workflows (#26186, @giorio94)
- gha: test kvstoremesh in conformance-clustermesh (#26223, @giorio94)
- gha: test the different auth modes in conformance-clustermesh (#26252, @giorio94)
- Make CI test resources unique for retries. (#25990, @viktor-kurchenko)
- renovate: ignore ginkgo updates (#26423, @tklauser)
- Set CILIUM_CLI_MODE env variable at the top level (#26387, @michi-covalent)
- Set CILIUM_CLI_MODE env variable at the top level (#26404, @michi-covalent)
- test: Fix the attempted fix for the hostfw flake (#26362, @pchaigno)
Misc Changes:
- Add Back Market in the USERS list (#26413, @NitriKx)
- Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (#26130, @brb)
- Add documentation about kvstoremesh (#26348, @giorio94)
- Adding an AWS architecture diagram for AWS FTR review (#26016, @amitmavgupta)
- auth: delete cache-entry on ErrKeyNotExist (#26342, @mhofstetter)
- auth: display textual representation of auth type in authKey.String() (#26525, @mhofstetter)
- backporting: Fix pattern to handle commit subjects that begin with a space (#25653, @gentoo-root)
- BGP CP: Adds Intro to Docs (#26195, @danehans)
- bgpv1: pass router state to gobgp (#26194, @harsimran-pabla)
- bgpv1: skip invalid node selector config in policy selection (#26365, @harsimran-pabla)
- bpf: add new macro __section_entry (#26123, @Jack-R-lantern)
- bpf: nat: fix build error in snat_v6_prepare_state() (#26510, @julianwiedmann)
- bpf: remove unused type ProgType and ProgType* consts (#26360, @tklauser)
- bpf: Update IPv6 BPF masquerading code to bring it closer to IPv4's, fix SNAT for packets from local endpoints, for overlay (#26236, @qmonnet)
- Calling out support for Single-Region, Multi-Region, Multi-AZ for EKS (#26015, @amitmavgupta)
- Change wording on toServices limitations (see #20067) (#25796, @atykhyy)
- chore(deps): update actions/setup-go action to v4.0.1 (main) (#26313, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#26306, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26425, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.8 (main) (#26482, @renovate[bot])
- chore(deps): update dependency kubernetes-sigs/kind to v0.20.0 (main) (#26428, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26297, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.5 (main) (#26304, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to 8f958bf (main) (#26283, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 9ecc53c (main) (#26285, @renovate[bot])
- cilium statedb dump command & bugtool (#26256, @joamaki)
- cilium, bigtcp: Add max gso/gro rates to sysdump (#26392, @borkmann)
- cilium, bigtcp: Make probing for GRO/GSO max size more graceful (#26385, @borkmann)
- cilium: enable bpf host routing with per endpoint routes for IPv6 as well (#26205, @borkmann)
- cilium: Repoint netlink lib back to upstream. (#26359, @borkmann)
- clustermesh: fix broken test due to merge race (#26389, @giorio94)
- clustermesh: improve reliability of TestClusterMesh (#26370, @giorio94)
- cni-plugin: Clean up code (#26505, @gandro)
- daemon: fix spelling in ipam-multi-pool-pre-allocation flag usage (#26529, @tklauser)
- datapath: Introduce helpers for __ctx_is checks (#23820, @spacewander)
- docs: clarify that L3 DNS policies require L7 proxy enabled (#26180, @wedaly)
- docs: Fix the cilium-cli default branch name (#26461, @michi-covalent)
- docs: Fix the cilium/proxy default branch name (#26464, @learnitall)
- docs: Mark IPv6 BPF masquerading as beta (#26499, @qmonnet)
- docs: reword incorrect L7 policy description (#26092, @peterj)
- docs: Update kvstore documentation with potential circular dependency. (#26353, @marseel)
- docu: add section about envoy daemonset deployment (#26033, @mhofstetter)
- Document multi-pool IPAM mode (#26308, @tklauser)
- Documentation: Add graceful restart section in BGP documentation (#26354, @harsimran-pabla)
- endpoint: don't hold the endpoint lock while generating policy (#26242, @squeed)
- envoy: Re-organize supported envoy resource import (#26469, @sayboras)
- etcd: start the status checker only after establishing the initial session (#26363, @giorio94)
- Fix some map handling logic as well as some issues with CLI commands related to ip-masq-agent, introduced with IPv6 support (#26435, @qmonnet)
- fix(deps): update all go dependencies main (main) (minor) (#26429, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26056, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26427, @renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.11.0 (main) (#26319, @renovate[bot])
- helm: add .extraEnv to cilium-agents config init container (#26408, @nberlee)
- identity: Make identity allocations observable (#26373, @mhofstetter)
- Improve reliability of kvstore-related tests (#26347, @giorio94)
- kafka: remove unused package (#26523, @tklauser)
- kvstore: share etcd client logger to reduce memory usage (#26485, @giorio94)
- kvstoremesh: mark the cilium-kvstoremesh secret as optional in the clustermesh-apiserver volume definition (#26318, @giorio94)
- Log error me...
1.14.0-snapshot.4
Summary of Changes
Major Changes:
- Add support for Kubernetes v1.27 (#25602, @nathanjsweet)
- Added L2 announcement feature (#25471, @dylandreimerink)
- cilium: IPv4 BIG TCP support (#26172, @borkmann)
- Implement BPF-based masquerading for IPv6 (#23165, @qmonnet)
- Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#26083, @giorio94)
- Module Health: Add Health Provider/Reporter (#25662, @tommyp1ckles)
Minor Changes:
- Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (#25893, @pchaigno)
- Add helm value `envoyConfig.enabled` that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (#26005, @jrajahalme)
- Add option to remove query from HTTP flows (#25746, @ChrsMark)
- Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
- Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
- Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
- Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
- Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
- Added Gratuitous ARP Pod Announcements (#25482, @markpash)
- Adds `peerPort` field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans)
- Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
- bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
- clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
- daemon: don't allow egress gateway with KV store identity allocation (#26189, @jibi)
- Deprecate CNP Node status updates. (#24464, @marseel)
- envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
- etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
- Extend the Helm chart to allow configuring kvstoremesh. (#26109, @giorio94)
- hubble: Add GetNamespaces to observer API (#25563, @chancez)
- ingress: Default TLS certificate for ingress (#26065, @sathieu)
- ipam: Add ability to automatically create `CiliumPodIPPool` resources in multi-pool IPAM mode (#25991, @gandro)
- ipmasq: Add support for ip-masq-agent with IPv6 (#23219, @qmonnet)
- mutual-auth: Avoid confusion on mTLS wording (#25761, @sayboras)
- mutual-auth: Support spire k8s service dns resolution (#26031, @sayboras)
- operator: Fix default API server addr in metrics subcommand (#26132, @pippolo84)
- Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#25883, @julianwiedmann)
- Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#26001, @harsimran-pabla)
- spire: Add identity GC capability (#25867, @sayboras)
- Support defining IPAM pools using CiliumPodIPPool CRD (#25824, @tklauser)
- Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#25477, @YutaroHayakawa)
- Support Gateway API v0.7.0 (#25711, @meyskens)
- The deprecated pod-short context option in Hubble metrics is now removed (#26125, @lambdanis)
Bugfixes:
- bpf: fix error handling for invoke_tailcall_if() (#26118, @julianwiedmann)
- bpf: lxc: fix one missing drop notification in CT lookup tail calls (#26115, @julianwiedmann)
- bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#25929, @julianwiedmann)
- Envoy resource namespacing (#26037, @jrajahalme)
- Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (#25735, @pchaigno)
- Fix bug with `toServices` policy where service backend churn left stale CIDR identities (#25687, @christarazi)
- Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (#26093, @pchaigno)
- Fix for Identities that can be deleted before CESs are reconciled (#25001, @dlapcevic)
- Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#24474, @strudelPi)
- Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (#25953, @pchaigno)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#25677, @giorio94)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#25675, @giorio94)
- Fix panic due to nil-map assignment in l2announcer (#26315, @dylandreimerink)
- Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (#25936, @joamaki)
- Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (#25969, @jrajahalme)
- Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#26136, @ldelossa)
CI Changes:
- .github/workflows: add JUnit tag on workflows that have JUnits (#25930, @aanm)
- .github/workflows: let renovate update kind (#26312, @tklauser)
- .github: add cilium sysdump to test artifacts (#26143, @aanm)
- .github: add missing job to check for code changes (#25926, @aanm)
- .github: Fail if print-chart-version.sh fails or does not exist (#26086, @chancez)
- .github: simplify conformance-runtime workflow (#25955, @aanm)
- Add checker to verify if comments from ginkgo GH workflows are in sync (#25971, @aanm)
- Add schema validation for configuration-matrix files (#26081, @aanm)
- bgp,test: Properly wait for FRR container to be ready (#25777, @YutaroHayakawa)
- bgpv1: Avoid ports from common ip_local_port_range in unit tests (#26174, @rastislavs)
- bgpv1: Extend the timeout for the Test_NeighborAddDel test (#25970, @rastislavs)
- bpf unit tests: Run tests on changes to pks/bpf/** (#25911, @qmonnet)
- bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option (#26151, @julianwiedmann)
- bpf: tests: test EgressGW reply path with native routing (#25932, @julianwiedmann)
- CI: Add JUnit reports upload (#25801, @brlbil)
- ci: github actions job to run kubernetes upstream conformance tests (#25913, @aojea)
- CI: Stabilize ConformanceKindEnvoyDaemonSet (#26260, @mhofstetter)
- CI: Verifier tests: Keep generated object files and logs on test failure (#25862, @qmonnet)
- CI: wait for cilium to become ready in conformance-{aks,gke} before port forward relay (#25839, @learnitall)
- conformance-k8s-kind: Use Helm mode cilium-cli (#25916, @michi-covalent)
- conformance-runtime: Bump timeout to wait for images (#25947, @michi-covalent)
- datapath/linux/ethtool: deflake TestIsVirtualDriver (#26027, @tklauser)
- docs: add documentation for Ginkgo-based GHA (#26055, @aanm)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based ones (stable branches) (#26188, @giorio94)
- egressgw: switch to Cilium CLI connectivity tests (#25719, @jibi)
- gha: Increase Ingress status wait time (#26219, @sayboras)
- gha: Move to helm mode for aws-cni, eks, gke (#25820, @sayboras)
- gha: use Cilium CLI Helm mode for conformance-clustermesh (#25834, @giorio94)
- Improved reliability of pkg/hive/job timer double trigger unit test (#26022, @dylandreimerink)
- Run all ginkgo tests on GitHub actions (#25713, @aanm)
- test/nat46x64: silence curl output (#26024, @tklauser)
- test: Cleanup ginkgo test artifacts (#25833, @pchaigno)
Misc Changes:
- .github: add dedicated job to wait for images (#26184, @aanm)
- .github: Push Helm charts for hotfixes (#25836, @joestringer)
- .github: rebuild ginkgo tests in case of cache miss (#26263, @aanm)
- .github: refactor job matrix generation into YAML files (#26019, @aanm)
- Add detailed panic messages for slim ObjectMeta and ListMeta (#25107, @hemanthmalla)
- Add kvstoremesh Dockerfile and build images through the CI (#26106, @giorio94)
- Add microsoft as user to cilium (#25838, @tamilmani1989)
- Add Zero Hash to Cilium users (#25987, @eugenestarchenko)
- Added gARP capability to L2 announcer feature (#25933, @dylandreimerink)
- Added metrics for pkg/k8s/resource (#26269, @dylandreimerink)
- Adding Eficode to USERS.md (#25931, @punasusi)
- Agent: add support for watching kvstoremesh prefixes (#26154, @giorio94)
- Auth Map: Initial Garbage Collection (#25754, @mhofstetter)
- auth: add missing config values to helm values (#25973, @mhofstetter)
- auth: add missing stream package import (#26018, @giorio94)
- auth: feature flag for authentication (#26208, @mhofstetter)
- auth: fix initial k8s events sync in auth map gc (#26059, @mhofstetter)
- auth: implement re-authentication in case of rotated certificates (#25927, @mhofstetter)
- auth: policy based auth map GC (#26068, @mhofstetter)
- auth: streamline logging (#25965, @mhofstetter)
- auth: temporarily disable node-based auth gc (#26073, @mhofstetter)
- AWS CNI v1.12 Cilium install fixed. (#26084, @viktor-kurchenko)
- BGP CP: Updates docs for PeerPort (#25876, @danehans)
- bgpv1: Documentation update to reflect current architecture (#...
1.13.4
We are pleased to release Cilium v1.13.4.
This release addresses the following security issue:
It also contains fixes related to IPsec, datapath drop notifications, CPU overhead, downgrade path, RevSNAT for ICMPv6, as well as a range of other regular bugfixes.
See the notes below for a full description of the changes.
⚠️ Warning - IPsec ⚠️
Do NOT upgrade to this release if you are using IPsec.
Summary of Changes
Minor Changes:
- Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #25977, Upstream PR #25893, @pchaigno)
- Updating documentation helm values now works also on arm64. (Backport PR #25731, Upstream PR #25422, @jrajahalme)
Bugfixes:
- Add drop notifications for various error paths in the datapath. (Backport PR #25503, Upstream PR #25183, @julianwiedmann)
- bpf,datapath: read jiffies from /proc/schedstat (Backport PR #25855, Upstream PR #25795, @ti-mo)
- Compare annotations before discarding CiliumNode updates. (Backport PR #25588, Upstream PR #25465, @LynneD)
- CPU overhead regression introduced in v1.13 is fixed. (#25548, @jrajahalme)
- Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #25897, Upstream PR #25784, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #25897, Upstream PR #25724, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #25897, Upstream PR #25735, @pchaigno)
- Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25923, Upstream PR #25419, @bimmlerd)
- Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #25897, Upstream PR #25744, @joamaki)
- Fix downgrade path from 1.14 to 1.13 due to stale IPAM-allocated IPv6 on cilium_host (#25962, @jschwinger233)
- Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26160, Upstream PR #26093, @pchaigno)
- Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress where the source IP address is now appended to `x-forwarded-for` header. (Backport PR #25731, Upstream PR #25674, @jrajahalme)
- Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26079, Upstream PR #25953, @pchaigno)
- Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR #25588, Upstream PR #25426, @bleggett)
- Fix RevSNAT for ICMPv6 packets. (Backport PR #25503, Upstream PR #25306, @julianwiedmann)
- Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #25977, Upstream PR #25936, @joamaki)
- Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26079, Upstream PR #25969, @jrajahalme)
- gateway-api: Race condition between routes and Gateway (Backport PR #25731, Upstream PR #25573, @sayboras)
- gateway-api: Skip reconciliation for non-matching controller routes (Backport PR #25731, Upstream PR #25549, @sayboras)
- helm: Correct typo in Ingress validation (Backport PR #25731, Upstream PR #25570, @sayboras)
- Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (Backport PR #25855, Upstream PR #25803, @pchaigno)
CI Changes:
- [v1.13 backport] test: Switch target FQDN (#25584, @nbusseneau)
- Add github workflow to push development helm charts to quay.io (Backport PR #26087, Upstream PR #25205, @chancez)
- hostfw tests flake workaround (Backport PR #25588, Upstream PR #25323, @tommyp1ckles)
- Pick up the latest startup-script image (Backport PR #25855, Upstream PR #25774, @michi-covalent)
- test/k8s: add host firewall workaround for svc host policy test. (Backport PR #25588, Upstream PR #25461, @tommyp1ckles)
- test/k8s: for services test, wait for all applied manifests to delete (Backport PR #25503, Upstream PR #25341, @tommyp1ckles)
- test/k8s: quarantine K8sDatapathServicesTest (Backport PR #25731, Upstream PR #25670, @aanm)
- test/k8s: update host policies for firewall tests. (Backport PR #25503, Upstream PR #25374, @tommyp1ckles)
- test: delete ginkgo test "NodePort with L7 Policy from outside" (Backport PR #25731, Upstream PR #25702, @jschwinger233)
- test: prevent panic on k8s services host fw test on some runs. (Backport PR #25855, Upstream PR #25747, @tommyp1ckles)
Misc Changes:
- backport (v1.13): docs: Promote Deny Policies out of Beta (#26147, @nathanjsweet)
- bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (Backport PR #25855, Upstream PR #25742, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.13) (patch) (#25704, @renovate[bot])
- chore(deps): update cilium/actions-app-token action to v0.21.1 (v1.13) (#25865, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.6 (v1.13) (#26042, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#25852, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#25853, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.10 (v1.13) (#25857, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (v1.13) (#25547, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.13) (#25997, @renovate[bot])
- ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (Backport PR #26200, Upstream PR #26197, @ti-mo)
- docs: Add Bottlerocket OS to validated distros (Backport PR #25503, Upstream PR #25390, @nebril)
- docs: document missing entity 'ingress' (Backport PR #25731, Upstream PR #25665, @mhofstetter)
- docs: Fix broken link to backends leak issue (Backport PR #25503, Upstream PR #25278, @akhilles)
- docs: Improve BGP Control Plane page (Backport PR #25731, Upstream PR #23939, @krouma)
- gateway-api: Remove unused function check (#26058, @ferozsalam)
- install: Fail helm if kube-proxy-replacement is not valid (Backport PR #25977, Upstream PR #25907, @jrajahalme)
- ipsec: Fix cleanup of XFRM states and policies (Backport PR #26079, Upstream PR #26072, @pchaigno)
- Slim down Node handler interface (Backport PR #25923, Upstream PR #25450, @bimmlerd)
- test/provision/compile.sh: Make usable from dev VM (Backport PR #25503, Upstream PR #25352, @jrajahalme)
- Update network attacker sections of the threat model (Backport PR #25977, Upstream PR #25640, @ferozsalam)
Other Changes:
- envoy: Bump envoy version to v1.23.10 (#25884, @mhofstetter)
- install: Update image digests for v1.13.3 (#25726, @thorn3r)
- wireguard: Always unset fwMark (#25858, @brb)
Docker Manifests
1.12.11
We are pleased to release Cilium v1.12.11. This release promotes Deny Policies from beta to stable. It contains fixes related to IPsec, WireGuard, Hubble flow data, as well as a range of other regular bugfixes.
See the notes below for a full description of the changes.
⚠️ Warning - IPsec ⚠️
Do NOT upgrade to this release if you are using IPsec.
Summary of Changes
Major Changes:
- policy: Promote Deny Policies from Beta to Stable (#25491, @nathanjsweet)
Minor Changes:
- Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #26006, Upstream PR #25893, @pchaigno)
- Updating documentation helm values now works also on arm64. (Backport PR #25732, Upstream PR #25422, @jrajahalme)
Bugfixes:
- Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #25896, Upstream PR #25784, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #25896, Upstream PR #25724, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #25896, Upstream PR #25735, @pchaigno)
- Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25928, Upstream PR #25419, @bimmlerd)
- Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #25896, Upstream PR #25744, @joamaki)
- Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26161, Upstream PR #26093, @pchaigno)
- Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress where the source IP address is now appended to `x-forwarded-for` header. (Backport PR #25732, Upstream PR #25674, @jrajahalme)
- Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26117, Upstream PR #25953, @pchaigno)
- Fix the bug when long-living connections using egress gateway may be reset. (Backport PR #25678, Upstream PR #24905, @gentoo-root)
- Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #26006, Upstream PR #25936, @joamaki)
- helm: Correct typo in Ingress validation (Backport PR #25732, Upstream PR #25570, @sayboras)
CI Changes:
- [v1.12 backport] test: Switch target FQDN (#25585, @nbusseneau)
- Add github workflow to push development helm charts to quay.io (Backport PR #26088, Upstream PR #25205, @chancez)
- hostfw tests flake workaround (Backport PR #25587, Upstream PR #25323, @tommyp1ckles)
- Pick up the latest startup-script image (Backport PR #25919, Upstream PR #25774, @michi-covalent)
- test: Collect sysdump as part of artifacts (Backport PR #25919, Upstream PR #25079, @pchaigno)
Misc Changes:
- Add helm-toolbox image for helm docs, lint (Backport PR #25452, Upstream PR #20236, @joestringer)
- backport (v1.12): docs: Promote Deny Policies out of Beta (#26148, @nathanjsweet)
- chore(deps): update dependency cilium/hubble to v0.11.6 (v1.12) (#26043, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.12) (#25999, @renovate[bot])
- docs: document missing entity 'ingress' (Backport PR #25732, Upstream PR #25665, @mhofstetter)
- docs: Fix broken link to backends leak issue (Backport PR #25587, Upstream PR #25278, @akhilles)
- install: Fail helm if kube-proxy-replacement is not valid (Backport PR #26006, Upstream PR #25907, @jrajahalme)
- ipsec: Fix cleanup of XFRM states and policies (Backport PR #26117, Upstream PR #26072, @pchaigno)
- Slim down Node handler interface (Backport PR #25928, Upstream PR #25450, @bimmlerd)
- test/provision/compile.sh: Make usable from dev VM (Backport PR #25452, Upstream PR #25352, @jrajahalme)
Other Changes:
- envoy: Bump envoy version to v1.23.10 (#25889, @mhofstetter)
- install: Update image digests for v1.12.10 (#25534, @thorn3r)
- v1.12: Fix L4LB GHA (#25523, @brb)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.12.11@sha256:3fd8d9a6130783c245d90658ca379a7db88f249ec69464450fb53490cfbd7c55
quay.io/cilium/cilium:v1.12.11@sha256:3fd8d9a6130783c245d90658ca379a7db88f249ec69464450fb53490cfbd7c55
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.12.11@sha256:f52391e0b74ac019a1ba22a19c0f4c979aa00f582332a3162af2a1fca3206371
quay.io/cilium/clustermesh-apiserver:v1.12.11@sha256:f52391e0b74ac019a1ba22a19c0f4c979aa00f582332a3162af2a1fca3206371
docker-plugin
docker.io/cilium/docker-plugin:v1.12.11@sha256:bbfb63b99655e0f3f2fc63ef4b49161d7454fdf127d62347162b4ee577a273fb
quay.io/cilium/docker-plugin:v1.12.11@sha256:bbfb63b99655e0f3f2fc63ef4b49161d7454fdf127d62347162b4ee577a273fb
hubble-relay
docker.io/cilium/hubble-relay:v1.12.11@sha256:f52db09b652fd60d9d2bbebafd3befa9be0abecac923dd21d0f7052cd585270e
quay.io/cilium/hubble-relay:v1.12.11@sha256:f52db09b652fd60d9d2bbebafd3befa9be0abecac923dd21d0f7052cd585270e
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.12.11@sha256:66ad7b1f2a39f336aade25b688e5b05da7df345b33c50a92f3e21dc949281507
quay.io/cilium/operator-alibabacloud:v1.12.11@sha256:66ad7b1f2a39f336aade25b688e5b05da7df345b33c50a92f3e21dc949281507
operator-aws
docker.io/cilium/operator-aws:v1.12.11@sha256:30dfe79131766c7ba992c9e5abe6dcb0d2d8e2021514dc56a4b89321dde45472
quay.io/cilium/operator-aws:v1.12.11@sha256:30dfe79131766c7ba992c9e5abe6dcb0d2d8e2021514dc56a4b89321dde45472
operator-azure
docker.io/cilium/operator-azure:v1.12.11@sha256:7753588ef3c038af47576feabeffd8a8a04f1a0911009c9752ee303658152d2d
quay.io/cilium/operator-azure:v1.12.11@sha256:7753588ef3c038af47576feabeffd8a8a04f1a0911009c9752ee303658152d2d
operator-generic
docker.io/cilium/operator-generic:v1.12.11@sha256:8fad1da87c9f308c21ad54784c91c0fc92dc620e2781561473e2c8e4f871eb29
quay.io/cilium/operator-generic:v1.12.11@sha256:8fad1da87c9f308c21ad54784c91c0fc92dc620e2781561473e2c8e4f871eb29
operator
docker.io/cilium/operator:v1.12.11@sha256:966056e8a05eca5fb2f9eb6c099e5a465e048d1351fbabf88406c53f2425990c
quay.io/cilium/operator:v1.12.11@sha256:966056e8a05eca5fb2f9eb6c099e5a465e048d1351fbabf88406c53f2425990c
1.11.18
We are pleased to release Cilium v1.11.18. This release promotes Deny Policies from beta to stable. It contains fixes related to IPsec, WireGuard, Hubble flow data, as well as a range of other regular bugfixes.
See the notes below for a full description of the changes.
⚠️ Warning - IPsec ⚠️
Do NOT upgrade to this release if you are using IPsec.
Summary of Changes
Major Changes:
- policy: Promote Deny Policies from Beta to Stable (#25496, @nathanjsweet)
Minor Changes:
- Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #26007, Upstream PR #25893, @pchaigno)
- docs: fix wording for the upgrade guide (#26164, @aspsk)
Bugfixes:
- Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #26021, Upstream PR #25784, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #26021, Upstream PR #25724, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #26021, Upstream PR #25735, @pchaigno)
- Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25935, Upstream PR #25419, @bimmlerd)
- Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #26021, Upstream PR #25744, @joamaki)
- Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26021, Upstream PR #26093, @pchaigno)
- Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to the Envoy HTTP configuration, so that the actual remote address of the incoming connection is always used rather than the value of the `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement, where the source security identity is always resolved before HTTP headers are parsed. The previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress, where the source IP address is now appended to the `x-forwarded-for` header. (Backport PR #25733, Upstream PR #25674, @jrajahalme)
- Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26021, Upstream PR #25953, @pchaigno)
- Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear, and wait 1 second for further device state changes between reinitializations. (Backport PR #26021, Upstream PR #25936, @joamaki)
CI Changes:
- [v1.11 backport] test: Switch target FQDN (#25586, @nbusseneau)
- Add github workflow to push development helm charts to quay.io (Backport PR #26089, Upstream PR #25205, @chancez)
- Pick up the latest startup-script image (Backport PR #25920, Upstream PR #25774, @michi-covalent)
- Re-enable the smoke test and the conformance-kind test for the CI. (#26153, @aspsk)
- Temporarily disable part of the conformance-kind test. (#25983, @aspsk)
- test: Collect sysdump as part of artifacts (Backport PR #25920, Upstream PR #25079, @pchaigno)
Misc Changes:
- backport (v1.11): docs: Promote Deny Policies out of Beta (#26149, @nathanjsweet)
- chore(deps): update dependency cilium/hubble to v0.11.6 (v1.11) (#26044, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.11) (#26000, @renovate[bot])
- install: Fail helm if kube-proxy-replacement is not valid (Backport PR #26007, Upstream PR #25907, @jrajahalme)
- ipsec: Fix cleanup of XFRM states and policies (Backport PR #26021, Upstream PR #26072, @pchaigno)
- Slim down Node handler interface (Backport PR #25935, Upstream PR #25450, @bimmlerd)
Other Changes:
- install: Update image digests for v0.11.17 (#25515, @jrajahalme)
- Reduce complexity of bpf_lxc by splitting per-packet lb to its own tail call (#25993, @aspsk)
- v1.11: Fix L4LB GHA (#25528, @brb)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.11.18@sha256:dda94072012c328fe0d00838f2f7d8ead071019d1d1950ecf44060640bf93cae
quay.io/cilium/cilium:v1.11.18@sha256:dda94072012c328fe0d00838f2f7d8ead071019d1d1950ecf44060640bf93cae
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.11.18@sha256:b3e8de4e56c5e16ab8f4482cebf3a12bb12826ba3da3e5890de1ecdc2b34a3ed
quay.io/cilium/clustermesh-apiserver:v1.11.18@sha256:b3e8de4e56c5e16ab8f4482cebf3a12bb12826ba3da3e5890de1ecdc2b34a3ed
docker-plugin
docker.io/cilium/docker-plugin:v1.11.18@sha256:b086fc1ec24b9b2b0bc5f7f525ef76ff608c26dc1bdd76d46729871cbbfb4b08
quay.io/cilium/docker-plugin:v1.11.18@sha256:b086fc1ec24b9b2b0bc5f7f525ef76ff608c26dc1bdd76d46729871cbbfb4b08
hubble-relay
docker.io/cilium/hubble-relay:v1.11.18@sha256:4899d8a98c05ccb7bb3d0b54e18dc72147995b2e8a18db19805d15933ec6e45d
quay.io/cilium/hubble-relay:v1.11.18@sha256:4899d8a98c05ccb7bb3d0b54e18dc72147995b2e8a18db19805d15933ec6e45d
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.11.18@sha256:590062c3797c0d0732d848b8fa09cd5aaf5ce2cbbbc5f5fc860bde79d27c743c
quay.io/cilium/operator-alibabacloud:v1.11.18@sha256:590062c3797c0d0732d848b8fa09cd5aaf5ce2cbbbc5f5fc860bde79d27c743c
operator-aws
docker.io/cilium/operator-aws:v1.11.18@sha256:4b3aeeb5d0de096d68ab249845c4c53c7c595735d529a13a81540597a6b29bb5
quay.io/cilium/operator-aws:v1.11.18@sha256:4b3aeeb5d0de096d68ab249845c4c53c7c595735d529a13a81540597a6b29bb5
operator-azure
docker.io/cilium/operator-azure:v1.11.18@sha256:c833cd215dafcb9a73dc1d435d984038fc46ebd9a0b3d50ceeb8f8c4c7e9ac3d
quay.io/cilium/operator-azure:v1.11.18@sha256:c833cd215dafcb9a73dc1d435d984038fc46ebd9a0b3d50ceeb8f8c4c7e9ac3d
operator-generic
docker.io/cilium/operator-generic:v1.11.18@sha256:bccdcc3036b38581fd44bf7154255956a58d7d13006aae44f419378911dec986
quay.io/cilium/operator-generic:v1.11.18@sha256:bccdcc3036b38581fd44bf7154255956a58d7d13006aae44f419378911dec986
operator
docker.io/cilium/operator:v1.11.18@sha256:0c09e5188d5d8899e7b037fafcc1928a68872f1e48e5f7a128799594c99f8282
quay.io/cilium/operator:v1.11.18@sha256:0c09e5188d5d8899e7b037fafcc1928a68872f1e48e5f7a128799594c99f8282
1.14.0-snapshot.3
Summary of Changes
Major Changes:
- Add TLSRoute support to GatewayAPI (#25106, @meyskens)
- New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
- Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)
Minor Changes:
- add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
- Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
- Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
- Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
- Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
- Allow to disable external workloads support in clustermesh-apiserver to improve performance when not needed. (#25259, @giorio94)
- Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
- clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
- clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
- cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
- DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
- dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
- envoy: Add idle timeout configuration option (#25214, @sayboras)
- Fix CIDR json tag in CNP CIDRRule (#25617, @pippolo84)
- Fixed incorrectly rendered chart when specified both configMap and customConf (#25200, @marseel)
- helm: Bump default spire image version (#25444, @sayboras)
- helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#25010, @giorio94)
- helm: Improve spire template (#25589, @sayboras)
- High-Scale IPcache: Chapter 3 (#25438, @pchaigno)
- identity/cache: fix panic when re-init of cache after close. (#25269, @tommyp1ckles)
- multi-pool: Determine IP pool based on `ipam.cilium.io/ip-pool` annotation (#25511, @gandro)
- operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#24776, @tommyp1ckles)
- Replace wait-for-it in SPIRE setup with a busybox script (#24959, @meyskens)
- Significantly reduce Hubble flow traffic by transmitting only requested information (#23198, @AwesomePatrol)
- Support `enable-endpoint-routes` with `enable-high-scale-ipcache`. (#25601, @pchaigno)
- Support GENEVE encapsulation with high-scale ipcache. (#25591, @pchaigno)
- Update CNI (loopback) to 1.3.0 (#25400, @anfernee)
- Updating documentation helm values now works also on arm64. (#25422, @jrajahalme)
- Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (#24914, @margau)
Bugfixes:
- Add drop notifications for various error paths in the datapath. (#25183, @julianwiedmann)
- Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#25215, @youngnick)
- Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (#25159, @julianwiedmann)
- bpf,datapath: read jiffies from /proc/schedstat (#25795, @ti-mo)
- bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#19753, @sahid)
- bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#24757, @julianwiedmann)
- Compare annotations before discarding CiliumNode updates. (#25465, @LynneD)
- datapath: Fix double SNAT (#25189, @brb)
- DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (#25147, @jrajahalme)
- Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (#25784, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (#25724, @pchaigno)
- Fix a possible deadlock when using WireGuard transparent encryption. (#25419, @bimmlerd)
- Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (#25298, @asauber)
- Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#25329, @jschwinger233)
- Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (#25744, @joamaki)
- Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#25087, @joamaki)
- Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to the Envoy HTTP configuration, so that the actual remote address of the incoming connection is always used rather than the value of the `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement, where the source security identity is always resolved before HTTP headers are parsed. The previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress, where the source IP address is now appended to the `x-forwarded-for` header. (#25674, @jrajahalme)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#25499, @giorio94)
- Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (#25426, @bleggett)
- Fix operator shutdown hanging when kvstore is enabled (#24979, @giorio94)
- Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (#25440, @pchaigno)
- Fix permission issue when copying cni plugins onto host path (#24891, @JohnJAS)
- Fix RevSNAT for ICMPv6 packets. (#25306, @julianwiedmann)
- Fix spurious errors containing "Failed to map node IP address to allocated ID". (#25222, @bimmlerd)
- Fix syncing of relevant node annotations into CiliumNode (#25307, @meyskens)
- Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#25320, @harsimran-pabla)
- gateway-api: Race condition between routes and Gateway (#25573, @sayboras)
- gateway-api: Skip reconciliation for non-matching controller routes (#25549, @sayboras)
- helm: Correct typo in Ingress validation (#25570, @sayboras)
- Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (#25803, @pchaigno)
- Track reply packets in long-living egress gateway connections and SNATed host-local connections. (#25112, @gentoo-root)
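The `x-forwarded-for` fix listed in the 1.12.11, 1.11.18 and 1.14.0-snapshot.3 notes above turns on two Envoy HTTP connection manager settings, `use_remote_address` and `skip_xff_append`. The following Go program is an added illustration, not Cilium or Envoy code: it models how those two settings decide which address ends up in flow data and what `x-forwarded-for` value is sent upstream, so the difference between the previous behaviour, the fixed default and the Cilium Ingress case can be seen side by side. The request bytes, addresses, and the `xffConfig`, `clientAddress`, `forwardedXFF` and `attributedSource` names are constructed for the example; the model omits Envoy's `xff_num_trusted_hops` and internal-address handling.

```go
package main

import (
	"bufio"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// xffConfig mirrors the two Envoy HTTP connection manager settings named in
// the release note. (Constructed for this example; not Envoy's config type.)
type xffConfig struct {
	useRemoteAddress bool // trust the TCP peer address instead of x-forwarded-for
	skipXFFAppend    bool // leave the incoming x-forwarded-for header untouched
}

// clientAddress returns the address a proxy would attribute the request to,
// e.g. when emitting flow data. With use_remote_address false the last hop in
// x-forwarded-for is trusted, which the client itself controls when no trusted
// proxy sits in front of it; with it true the connection's remote address wins.
func clientAddress(cfg xffConfig, remoteAddr, xff string) string {
	if cfg.useRemoteAddress || strings.TrimSpace(xff) == "" {
		return remoteAddr
	}
	hops := strings.Split(xff, ",")
	return strings.TrimSpace(hops[len(hops)-1])
}

// forwardedXFF returns the x-forwarded-for value sent to the upstream. The
// remote address is appended only when the proxy trusts it (use_remote_address
// true) and appending is not suppressed (skip_xff_append false), which is the
// Cilium Ingress case in the note; otherwise the header passes through as-is.
func forwardedXFF(cfg xffConfig, remoteAddr, xff string) string {
	if !cfg.useRemoteAddress || cfg.skipXFFAppend {
		return xff
	}
	if strings.TrimSpace(xff) == "" {
		return remoteAddr
	}
	return xff + ", " + remoteAddr
}

// attributedSource parses a raw HTTP/1.1 request and returns the address that
// would be recorded for it. Multiple x-forwarded-for header lines are joined,
// since HTTP allows the header to be split across several lines.
func attributedSource(cfg xffConfig, remoteAddr, rawRequest string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(rawRequest)))
	if err != nil {
		return "", err
	}
	xff := strings.Join(req.Header.Values("X-Forwarded-For"), ", ")
	return clientAddress(cfg, remoteAddr, xff), nil
}

func main() {
	// Constructed sample: the peer that actually opened the TCP connection ...
	const remote = "10.0.1.5"
	// ... sends a request carrying a client-chosen, untrusted x-forwarded-for.
	const raw = "GET /api HTTP/1.1\r\nHost: svc.default\r\nX-Forwarded-For: 203.0.113.9\r\n\r\n"

	cases := []struct {
		name string
		cfg  xffConfig
	}{
		{"previous (trusts XFF)", xffConfig{useRemoteAddress: false, skipXFFAppend: true}},
		{"fixed (use_remote_address)", xffConfig{useRemoteAddress: true, skipXFFAppend: true}},
		{"ingress (appends XFF)", xffConfig{useRemoteAddress: true, skipXFFAppend: false}},
	}
	for _, c := range cases {
		src, err := attributedSource(c.cfg, remote, raw)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-28s flow source=%-12s upstream XFF=%q\n",
			c.name, src, forwardedXFF(c.cfg, remote, "203.0.113.9"))
	}
}
```

Under the previous configuration the flow record carries whatever address the client placed in the header; with `use_remote_address: true` it carries the real peer, and only the Ingress configuration changes the header seen by the backend.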
CI Changes:
- .github/workflows: add missing GH action version annotations (#25369, @tklauser)
- .github: Fix chart push on forks (#25274, @chancez)
- .github: run scruffy for cilium/cilium only (#25772, @aanm)
- Add github workflow to push development helm charts to quay.io (#25205, @chancez)
- Add improvements in Conformance Runtime (#25797, @aanm)
- bgpv1: Exercise HoldTime in Test_NeighborAddDel (#25760, @rastislavs)
- bgpv1: Retry peer checks in NeighborAddDel test to avoid flakes (#25641, @rastislavs)
- bpf: Cover high-scale IPcache in complexity tests (#25592, @pchaigno)
- bpf: test: add some IPv6 DSR integration tests (#25443, @julianwiedmann)
- ci-e2e-v1.13: Fix workflow (#25412, @brb)
- ci-e2e: backport changes in conformance-e2e into v1.13 tests (#25386, @brb)
- ci-e2e: Bump cilium-cli v0.1.4.5 (#25672, @brb)
- ci-e2e: Enable --debug when running with EGW (#25789, @brb)
- ci-e2e: Increase hubble buffer capacity (#25710, @brb)
- ci-e2e: Run cilium-cli in Helm mode (#25780, @brb)
- ci-l4lb-v1.1{1,2}: Remove helm charts (#25529, @brb)
- ci: fix Cilium CLI install in ConformanceKindEnvoyDaemonSet (#25459, @nbusseneau)
- ci: fix gke network starvation (#25597, @brlbil)
- CODEOWNERS: Add sig-foundations (#24976, @joamaki)
- Delete "Cilium monitor verbose mode" test (#25212, @michi-covalent)
- Fix external-contribution-label workflow renovate tag (#25429, @chancez)
- Fix verifier issues in IPv6 BPF tests (#25191, @dylandreimerink)
- Fixed flake in pkg/hive/job tests. (#25293, @dylandreimerink)
- Fixed TestTimer_ExitOnCloseFnCtx channel close panic (#25211, @dylandreimerink)
- fuzzing: modify oss-fuzz build script (#24262, @AdamKorcz)
- gh/workflow: change multicluster GKE cluster provisioning to none blocking mode (#25394, @brlbil)
- gh/workflow: Reintroduce running GKE workflows in matrix strategy (#25654, @brlbil)
- gh/workflow: Run GKE workflow in matrix strategy (#25364, @brlbil)
- gh/workflows: Remove conformance-kind (#25707, @brb)
- gh/workflows: Rename ci-datapath to ci-e2e (#25164, @brb)
- gh/workflows: Use 20230420.212204 LVH images (#25681, @brb)
- gh/workflows: Use cilium-cli GHA to install CLI exec (#25228, @brb)
- gha: Clean-up Ingress job configuration (#25311, @sayboras)
- gha: Move to helm install mode for Gateway API jobs (#25608, @sayboras)
- hostfw tests flake workaround (#25323, @tommyp1ckles)
- Improve golangci-lint usage (#25157, @joestringer)
- inctimer: fix test flake where timer does not fire within time. (#25219, @tommyp1ckles)
- kvstore: fix TestWorkqueueSyncStoreMetrics flake (#25706, @giorio94)
- Make it easier to migrate off of gopkg.in/check.v1 (#25484, @lmb)
- mirror: Only run on cilium/cilium (#25179, @michi-covalent)
- NONE (#25258, @aojea)
- Pick up the latest startup-script image (#25774, @...
1.13.3
We are pleased to release Cilium v1.13.3. This release fixes bugs in ipsec and policy implementations and is recommended for all users.
Summary of Changes
Major Changes:
- Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (Backport PR #25019, Upstream PR #24826, @jrajahalme)
- policy: Promote Deny Policies from Beta to Stable (#25427, @nathanjsweet)
Minor Changes:
- Drop traffic matching an egress gateway policy when no gateway are found (Backport PR #24999, Upstream PR #24835, @MrFreezeex)
- ingress: Add ownerReferences for shared mode (Backport PR #25013, Upstream PR #24942, @sayboras)
- sysdump: Added Kubernetes CNI logs to sysdump. (Backport PR #25346, Upstream PR #23937, @marseel)
- Update CNI (loopback) to 1.3.0 (Backport PR #25454, Upstream PR #25400, @anfernee)
- Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (Backport PR #25346, Upstream PR #24914, @margau)
Bugfixes:
- Add support for builtin kernel modules (Backport PR #25137, Upstream PR #23953, @TheAifam5)
- Address cilium-agent startup performance regression. (Backport PR #25185, Upstream PR #25007, @bimmlerd)
- cmd/cleanup: Fix cleanup of generic XDP programs (Backport PR #25184, Upstream PR #25117, @pchaigno)
- datapath: Fix double SNAT (Backport PR #25223, Upstream PR #25189, @brb)
- DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #25346, Upstream PR #25147, @jrajahalme)
- Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25137, Upstream PR #25043, @harsimran-pabla)
- Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (Backport PR #25368, Upstream PR #25298, @asauber)
- Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (Backport PR #25086, Upstream PR #24807, @jschwinger233)
- Fix bug that caused ToCIDR netpols matching kube-apiserver IPs (when external to the cluster) to not reliably allow connectivity. (#25241, @giorio94)
- Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (Backport PR #25137, Upstream PR #25024, @pchaigno)
- Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #25013, Upstream PR #24825, @christarazi)
- Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25013, Upstream PR #24785, @giorio94)
- Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #25346, Upstream PR #25087, @joamaki)
- Fix incorrect network policy ebpf setup that may lead to incorrect packets denies when CEP is present in multiple CES (Backport PR #25184, Upstream PR #24838, @alan-kut)
- Fix operator shutdown hanging when kvstore is enabled (Backport PR #25223, Upstream PR #24979, @giorio94)
- Fix operator startup delay caused by leader election lease not being released correctly (Backport PR #25137, Upstream PR #24978, @giorio94)
- Fix panic due to assignment to nil BGP service announcements map. (Backport PR #25013, Upstream PR #24985, @harsimran-pabla)
- Fix permission issue when copying cni plugins onto host path (Backport PR #25346, Upstream PR #24891, @JohnJAS)
- Fix security-group-tags not working in ENI (Backport PR #25013, Upstream PR #24951, @aanm)
- Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25346, Upstream PR #25222, @bimmlerd)
- Fix syncing of relevant node annotations into CiliumNode (Backport PR #25368, Upstream PR #25307, @meyskens)
- Fix the bug when long-living connections using egress gateway may be reset. (Backport PR #25346, Upstream PR #24905, @gentoo-root)
- ipcache don't short-circuit InjectLabels if source differs (Backport PR #25077, Upstream PR #24875, @squeed)
- pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25013, Upstream PR #24786, @hemanthmalla)
- Track reply packets in long-living egress gateway connections and SNATed host-local connections. (Backport PR #25424, Upstream PR #25112, @gentoo-root)
- When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (Backport PR #24795, Upstream PR #22978, @julianwiedmann)
CI Changes:
- Always use the 8.8.8.8 DNS resolver in kind (Backport PR #25409, Upstream PR #24713, @aspsk)
- ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25137, Upstream PR #25046, @nbusseneau)
- Delete "Cilium monitor verbose mode" test (Backport PR #25346, Upstream PR #25212, @michi-covalent)
- Enable testing of BPF programs requiring XDP_TX in CI (Backport PR #25409, Upstream PR #24250, @lmb)
- inctimer: fix test flake where timer does not fire within time. (Backport PR #25346, Upstream PR #25219, @tommyp1ckles)
- jenkinsfiles: Fix order of ginkgo tests (Backport PR #25137, Upstream PR #25002, @pchaigno)
- mlh: update Jenkins jobs following removal of kernel 4.9 support (#24955, @nbusseneau)
- test: Unquarantine host firewall + nodeport test (Backport PR #25184, Upstream PR #25025, @pchaigno)
Misc Changes:
- bpf: dsr: don't track L2 addresses for DSR traffic (Backport PR #24795, Upstream PR #24524, @julianwiedmann)
- bpf: dsr: restore CB_SRC_LABEL across DSR-INGRESS tail-call (Backport PR #24795, Upstream PR #24794, @julianwiedmann)
- bpf: lb: introduce an optimized CT lookup (Backport PR #24795, Upstream PR #22936, @julianwiedmann)
- bpf: minor CT cleanups (Backport PR #24795, Upstream PR #23718, @julianwiedmann)
- bpf: nodeport: minor DSR improvements (Backport PR #24795, Upstream PR #23326, @julianwiedmann)
- chore(deps): update docker.io/library/golang:1.19.8 docker digest to 9f2dd04 (v1.13) (#25421, @renovate[bot])
- chore(deps): update hubble cli to v0.11.5 (v1.13) (patch) (#25125, @renovate[bot])
- daemon: Mark CES feature as beta in agent flag (Backport PR #25013, Upstream PR #24850, @pchaigno)
- docs: `socketLB.hostNamespaceOnly` also needed for gVisor (Backport PR #25346, Upstream PR #25322, @pchaigno)
- docs: Add matrix version between envoy and cilium (Backport PR #25223, Upstream PR #25109, @sayboras)
- docs: Add platform support to docs (Backport PR #25223, Upstream PR #25174, @joestringer)
- docs: small fixes for k8s upgrade guide (Backport PR #25013, Upstream PR #24869, @tklauser)
- Documentation: add migration document (Backport PR #25013, Upstream PR #23751, @squeed)
- documentation: move policy warning to v1.13.2 section (#24997, @squeed)
- envoy: Debug log remote IDs for Envoy policies (Backport PR #25013, Upstream PR #24939, @jrajahalme)
- Fix missed clustermesh config change race condition with back-to-back changes (Backport PR #25013, Upstream PR #24993, @giorio94)
- Fix possible panic in the ipcache when removing the prefix labels for an unknown resource ID (Backport PR #25346, Upstream PR #25230, @giorio94)
- Fixed documentation regarding cilium versioning scheme and support (Backport PR #25223, Upstream PR #25171, @ayesha-kr)
- gha: Add retry mechanism in http test (Backport PR #25346, Upstream PR #25244, @sayboras)
- helm: add clustermesh nodeport config warning about known bug #24692 (Backport PR #25223, Upstream PR #25033, @giorio94)
- hive: Don't log interrupt signal as error (Backport PR #25013, Upstream PR #23880, @joamaki)
- ipsec: Install default-drop XFRM policy sooner (Backport PR #25346, Upstream PR #25257, @pchaigno)
- Makefile: use a specific template for mktemp files (Backport PR #25223, Upstream PR #25192, @kaworu)
- node/manager: Only remove old IPs if they weren't already added (Backport PR #25013, Upstream PR #25067, @christarazi)
- pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (Backport PR #25223, Upstream PR #24770, @aditighag)
- Remote node identities are enabled by default in the Cilium agent. They have already been enabled by default in the Helm charts since Cilium version 1.7. (Backport PR #25013, Upstream PR #24874, @tklauser)
- Update the documentation for required IAM policy rights needed for Cilium to work in EKS. (Backport PR #25137, Upstream PR #25078, @toredash)
- Update threat model (Backport PR #25013, Upstream PR #24760, @ferozsalam)
Other Changes:
- [v1.13] contrib/backporting: Fix main branch reference (#25091, @joestringer)
- envoy: Upgrade to v1.23.9 (#25208, @sayboras)
- install: Update image digests for v1.13.2 (#24952, @gentoo-root)
- v1.13: docs: Document upgrade impact for IPsec (#24963, @pchaigno)
- v1.13: docs: Fix typo in IPsec upgrade note (#24973, @pchaigno)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
docker.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.13.3@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:v1.13.3@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
docker.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1...
1.12.10
We are pleased to release Cilium v1.12.10. This release fixes bugs in ipsec and policy implementations and is recommended for all users.
Summary of Changes
Minor Changes:
- sysdump: Added Kubernetes CNI logs to sysdump. (Backport PR #25348, Upstream PR #23937, @marseel)
- Update CNI (loopback) to 1.3.0 (Backport PR #25433, Upstream PR #25400, @anfernee)
Bugfixes:
- Address cilium-agent startup performance regression. (Backport PR #25190, Upstream PR #25007, @bimmlerd)
- datapath: Fix double SNAT (Backport PR #25248, Upstream PR #25189, @brb)
- DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #25348, Upstream PR #25147, @jrajahalme)
- Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25138, Upstream PR #25043, @harsimran-pabla)
- Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #25012, Upstream PR #24825, @christarazi)
- Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25012, Upstream PR #24785, @giorio94)
- Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #25348, Upstream PR #25087, @joamaki)
- Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (Backport PR #25188, Upstream PR #24838, @alan-kut)
- Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25348, Upstream PR #25222, @bimmlerd)
- ipsec: Fix packet mark for FWD XFRM policy (Backport PR #25348, Upstream PR #23254, @pchaigno)
- pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25012, Upstream PR #24786, @hemanthmalla)
CI Changes:
- ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25138, Upstream PR #25046, @nbusseneau)
- ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25248, Upstream PR #25046, @nbusseneau)
- Delete "Cilium monitor verbose mode" test (Backport PR #25348, Upstream PR #25212, @michi-covalent)
- inctimer: fix test flake where timer does not fire within time. (Backport PR #25248, Upstream PR #25219, @tommyp1ckles)
Misc Changes:
- chore(deps): update hubble cli to v0.11.5 (v1.12) (patch) (#25126, @renovate[bot])
- daemon: Mark CES feature as beta in agent flag (Backport PR #25012, Upstream PR #24850, @pchaigno)
- docs: Add matrix version between envoy and cilium (Backport PR #25248, Upstream PR #25109, @sayboras)
- docs: Add platform support to docs (Backport PR #25248, Upstream PR #25174, @joestringer)
- docs: small fixes for k8s upgrade guide (Backport PR #25012, Upstream PR #24869, @tklauser)
- envoy: Debug log remote IDs for Envoy policies (Backport PR #25012, Upstream PR #24939, @jrajahalme)
- helm: add clustermesh nodeport config warning about known bug #24692 (Backport PR #25248, Upstream PR #25033, @giorio94)
- ipsec: Install default-drop XFRM policy sooner (Backport PR #25348, Upstream PR #25257, @pchaigno)
- Makefile: use a specific template for mktemp files (Backport PR #25248, Upstream PR #25192, @kaworu)
- node/manager: Only remove old IPs if they weren't already added (Backport PR #25012, Upstream PR #25067, @christarazi)
- pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (Backport PR #25248, Upstream PR #24770, @aditighag)
Other Changes:
- [v1.12] contrib/backporting: Fix main branch reference (#25092, @joestringer)
- contrib/backporting: Fix main branch reference (#25140, @sayboras)
- envoy: Upgrade to v1.23.9 (#25209, @sayboras)
- install: Update image digests for v1.12.9 (#24953, @gentoo-root)
- v1.12: docs: Document upgrade impact for IPsec (#24972, @pchaigno)
Docker Manifests
1.11.17
We are pleased to release Cilium v1.11.17. This release fixes bugs in ipsec and policy implementations and is recommended for all users.
Summary of Changes
Bugfixes:
- Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25139, Upstream PR #25043, @harsimran-pabla)
- Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25011, Upstream PR #24785, @giorio94)
- Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (Backport PR #25382, Upstream PR #24838, @alan-kut)
- Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25382, Upstream PR #25222, @bimmlerd)
- helm chart: restore setting nodeSelector and tolerations on hubble-ui deployment via `values.yaml` (#25182, @BryanStenson-okta)
- ipsec: Fix packet mark for FWD XFRM policy (Backport PR #25382, Upstream PR #23254, @pchaigno)
- pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25011, Upstream PR #24786, @hemanthmalla)
CI Changes:
- ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25139, Upstream PR #25046, @nbusseneau)
- Delete "Cilium monitor verbose mode" test (Backport PR #25382, Upstream PR #25212, @michi-covalent)
- inctimer: fix test flake where timer does not fire within time. (Backport PR #25349, Upstream PR #25219, @tommyp1ckles)
- jenkins: bump timeout to 210 minutes (#24938, @aanm)
- vagrant: Bump 4.9 Vagrant box (Linux 4.9.326, to fix a kernel bug) (Backport PR #25247, Upstream PR #21106, @qmonnet)
Misc Changes:
- chore(deps): update hubble cli to v0.11.5 (v1.11) (patch) (#25127, @renovate[bot])
- daemon: Mark CES feature as beta in agent flag (Backport PR #25011, Upstream PR #24850, @pchaigno)
- docs: Add matrix version between envoy and cilium (Backport PR #25349, Upstream PR #25109, @sayboras)
- docs: Add platform support to docs (Backport PR #25349, Upstream PR #25174, @joestringer)
- helm: add clustermesh nodeport config warning about known bug #24692 (Backport PR #25349, Upstream PR #25033, @giorio94)
- ipsec: Install default-drop XFRM policy sooner (Backport PR #25382, Upstream PR #25257, @pchaigno)
- Makefile: use a specific template for mktemp files (Backport PR #25349, Upstream PR #25192, @kaworu)
- Misc Makefile improvements for quiet mode V=0 (Backport PR #25011, Upstream PR #20031, @joestringer)
- Update CNI to 1.3.0 (#25441, @jrajahalme)
Other Changes:
- [backport-v1.11] agent: dump stack on stale probes (#24977, @squeed)
- [v1.11] contrib/backporting: Fix main branch reference (#25093, @joestringer)
- Add helm-toolbox image for helm docs, lint (#25420, @jrajahalme)
- contrib/backporting: Fix main branch reference (#25141, @sayboras)
- envoy: Upgrade to v1.23.9 (#25210, @sayboras)
- install: Update image digests for v1.11.16 (#24954, @gentoo-root)
- v1.11: docs: Document upgrade impact for IPsec (#24974, @pchaigno)
Docker Manifests
v1.14.0-snapshot.2
We are pleased to release Cilium v1.14.0-snapshot.2.
Summary of Changes
Major Changes:
- Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
- Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (#24826, @jrajahalme)
- Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)
Minor Changes:
- Add `--hubble-monitor-events` flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
- Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
- Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
- Add network policy auth method "always-fail" (#24609, @meyskens)
- Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
- auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
- Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fix several related IPv6 issues. (#24208, @jschwinger233)
- Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
- cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
- daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
- Deprecate `--tunnel` in favor of `--routing-mode` and `--tunnel-protocol`. (#24561, @pchaigno)
- Drop traffic matching an egress gateway policy when no gateway is found (#24835, @MrFreezeex)
- Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
- Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
- Enabled cilium_bpf_map_pressure metric by default (#24721, @vishal-chdhry)
- endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
- envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
- envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
- envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
- Expose Cilium agent go runtime scheduler latency prometheus metric `go_sched_latencies_seconds` (#24745, @derailed)
- Fix broken IPv6 connectivity from outside to NodePort service when L7 ingress policy applied by removing PROXY_RT route table. (#24882, @jschwinger233)
- helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
- helm: Add SA to nodeinit ds (#24836, @darox)
- Helm: Clean up deprecated values (#24214, @qmonnet)
- ingress: Add ownerReferences for shared mode (#24942, @sayboras)
- Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
- ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
- mtls: SPIRE server and agent installation (#24765, @sayboras)
- Provides operational state of BGP peers via CLI 'cilium bgp peers' (#24612, @harsimran-pabla)
- Remove sockops-enable and friends (#23606, @mohit-marathe)
- Rename the `sec_label` field in remote_endpoint_info structure to `sec_identity` (#25057, @ldelossa)
- Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
- Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
- The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)
Bugfixes:
- Address cilium-agent startup performance regression. (#25007, @bimmlerd)
- bpf: dsr: fix parsing of IPv6 AUTH extension header (#24792, @julianwiedmann)
- bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
- bpf: policy: fix handling of ICMPv6 packet with extension headers (#24797, @julianwiedmann)
- Bugfix: Invert `--hubble-monitor-events` logic to be an allowlist (#25167, @epk)
- cmd/cleanup: Fix cleanup of generic XDP programs (#25117, @pchaigno)
- Filter ipv6 advertisements when using metallb as BGP speaker. (#25043, @harsimran-pabla)
- Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (#24807, @jschwinger233)
- Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (#25024, @pchaigno)
- Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (#24825, @christarazi)
- Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (#24785, @giorio94)
- Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (#24838, @alan-kut)
- Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
- Fix operator startup delay caused by leader election lease not being released correctly (#24978, @giorio94)
- Fix panic due to assignment to nil BGP service announcements map. (#24985, @harsimran-pabla)
- Fix security-group-tags not working in ENI (#24951, @aanm)
- Fix the bug where long-lived connections using egress gateway may be reset. (#24905, @gentoo-root)
- Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (#24788, @jrajahalme)
- gateway-api: Re-queue gateway for namespace change (#24624, @sayboras)
- Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (#24681, @aditighag)
- helm: mandate issuer configuration when using cert-manager to generate certificates (#24666, @giorio94)
- ipcache don't short-circuit InjectLabels if source differs (#24875, @squeed)
- ipsec: Clean up stale XFRM policies and states (#24773, @pchaigno)
- pkg/kvstore: Fix for deadlock in etcd status checker (#24786, @hemanthmalla)
- Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (#24646, @MrFreezeex)
- Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is `probe=l7-proxy msg="No response from probe within 15 seconds"` (#24672, @bimmlerd)
- The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)
CI Changes:
- Always use the 8.8.8.8 DNS resolver in kind (#24713, @aspsk)
- bpf: inline test functions with ctx as input (#24662, @anfernee)
- CI / Kind enhancements (#24714, @aanm)
- ci-datapath: Enable IPV6 masquerading when KPR=off (#25111, @brb)
- ci-datapath: Fix issue where tests were wrongly reported as passing (#24813, @gandro)
- ci-datapath: Use QUAY_ORGANIZATION_DEV for Quay org name (#25052, @michi-covalent)
- ci: Disable wireguard in v1.13 conformance datapath (#24804, @pippolo84)
- ci: fix clustermesh workflows on stable branches (#25089, @nbusseneau)
- ci: fix status reporting in the ci-multicluster test (#24784, @giorio94)
- ci: Mark skipped matrix workflows as successful (#24922, @gandro)
- ci: move 4.19 complexity tests to tests-datapath-verifier GHA workflow (#24517, @tklauser)
- ci: remove `STATUS` commands from upstream tests' Jenkinsfile (#25046, @nbusseneau)
- conformance-k8s-kind: disable kindnet, enable log dumping (#24982, @squeed)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based one (#24996, @giorio94)
- Enable loadBalancer.acceleration=testing-only in some datapath conformance cases (#24738, @lmb)
- Enable previously disabled encryption tests on GKE (#24603, @brlbil)
- github/workflows: Enable DSR with WireGuard in ci-dp (#25039, @brb)
- jenkinsfiles: Fix order of ginkgo tests (#25002, @pchaigno)
- kind: Bump k8s version to 1.27.0 (#24841, @sayboras)
- Let renovatebot update Go toolchain version in a single PR (#24895, @tklauser)
- Mitigate GKE workflow flake (#24755, @brlbil)
- mlh: update Jenkins jobs following 1.27 support (#24983, @nbusseneau)
- mlh: update Jenkins jobs names (`master` > `main`) (#24958, @nbusseneau)
- Port verifier tests to Go (#24538, @ti-mo)
- renovate: Add explicit gitAuthor (#24739, @gandro)
- renovate: add packageRule group for cilium-cli (#24725, @tklauser)
- renovate: Update builder and runtime images once a week (#24846, @michi-covalent)
- renovate: Update Dockerfiles that use golang image weekly (#24877, @michi-covalent)
- Replace integration_tests build tag with INTEGRATION_TESTS env (#24925, @ti-mo)
- test/k8s: remove istio.go test (#24894, @aanm)
- test/Updates: Explicit error message on failure (#24920, @pchaigno)
- test: Avoid spamming logs in monitor aggregation test (#25152, @pchaigno)
- test: Block HubbleObserveFollow until ready (#25090, @pchaigno)
- test: Enable IPv6 masq for IPsec (#24885, @jschwinger233)
- test: Fix and unquarantine `Skip conntrack` test (#25038, @pchaigno)
- test: Fix consistent failure in IPv6 masquerading test (#25036, @pchaigno)
- test: Unquarantine host firewall + nodeport test (#25025, @pchaigno)
- test: Unquarantine IPv6 masquerading test (#25149, @pchaigno)
- tests: add exceptions for lease errors due to etcd (#24723, @jibi)
- tests: small fixups for the GENEVE-DSR e2e tests (#25062, @julianwiedmann)
- travis: Run on main branch (#25108, @pchaigno)
- Update EKS conformance tests to use both amd64 and arm64 hosts. (#24853, @chancez)
- Use cilium-cli latest stable version in conformance-datapath workflows (#24809, @pippolo84)
- vagrant: Bump Vagrant box versions (#24984, @pchaigno)
- vagra...