
Releases: cilium/cilium

1.14.0-rc.0

29 Jun 00:04
v1.14.0-rc.0
Pre-release

Summary of Changes

Minor Changes:

  • Add a new set of flags for the CES work queue limit and burst rates, CESWriteQPSLimit and CESWriteQPSBurst. (#24675, @dlapcevic)
    The processed work queue items always trigger a single CES create, update or write request to the kube-apiserver.
    The work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES api objects.
  • Set the default CESWriteQPSLimit to 10 and CESWriteQPSBurst to 20. (#24675, @dlapcevic)
  • Set the maximums for qps 50 and burst 100. These values cannot be exceeded regardless of any configuration. (#24675, @dlapcevic)
  • Unhide CESMaxCEPsInCES and CESSlicingMode flags from appearing in logs when CES is enabled. (#24675, @dlapcevic)
  • agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead (#26036, @brb)
  • Allow using a Secret for the caBundle (#25728, @farcaller)
  • BGPv1: Set N-bit in graceful restart capability negotiation. (#26325, @harsimran-pabla)
  • Cilium now waits longer before returning a failure in the event of a pod creation burst. (#25805, @squeed)
  • envoy: Use embedded proxylib from cilium-proxy image (#26101, @sayboras)
  • metrics: Add k8s client rate limiter latency metric (#25555, @ysksuzuki)
  • Retire Cilium-Integrated Istio documentation (#25722, @networkop)
  • Revert "Revert agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26496, @brb)

Bugfixes:

  • bpf: ct: fix CT-based packet tracing for IPv6 (#26476, @julianwiedmann)
  • Bypassing policy check for IPv6 NDP to fix broken pod-to-pod connectivity when per-endpoint route is enabled with policy. (#24919, @jschwinger233)
  • CIDRGroup reference metric will not count nonexistent CIDRGroups (#26133, @akstron)
  • datapath: bigtcp: Fix a case where IPv4 BIG TCP may not work (#26336, @haiyuewa)
  • Fix a bug where datapath option DisableSipVerification can no longer be used. (#25533, @oblazek)
  • Fix bug in AlibabaCloud where instance type limits could not be determined (#25387, @haozhangami)
  • Fix bug where CNI gets installed even if cni.install=false (#26278, @joestringer)
  • Fix compilation error when enabling Wireguard and XDP (#25734, @ysksuzuki)
  • Fix crash of cilium-agent happening when a remote node without node IP addresses is removed. (#25851, @cyclinder)
  • Fix: Return "Content-Type" and "X-Content-Type-Options" headers from Health Check Node Port (#26458, @cezarygerard)
  • Handles nodeIP changes when CEPs are checkpointed to tmpfs and the nodeIP changes across a reboot. (#26281, @bprashanth)
  • ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (#26113, @jschwinger233)
  • iptables: Fix wrong use of podCIDR in cluster node NAT exclusion (#26397, @gandro)
  • Keep sync on deployed proxy ports when retrying proxy redirect creation. (#26343, @jrajahalme)
  • nat: fix usage in nat.h of csum.h module (#25576, @sahid)
  • test/controlplane: Disable endpoint GC (#26383, @pippolo84)
  • test: bigtcp: Update the BIG TCP checking message (#26377, @haiyuewa)
  • Updates TransformXXX Functions in k8s pkg (#26244, @danehans)

CI Changes:

Misc Changes:

  • Add Back Market in the USERS list (#26413, @NitriKx)
  • Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (#26130, @brb)
  • Add documentation about kvstoremesh (#26348, @giorio94)
  • Adding an AWS architecture diagram for AWS FTR review (#26016, @amitmavgupta)
  • auth: delete cache-entry on ErrKeyNotExist (#26342, @mhofstetter)
  • auth: display textual representation of auth type in authKey.String() (#26525, @mhofstetter)
  • backporting: Fix pattern to handle commit subjects that begin with a space (#25653, @gentoo-root)
  • BGP CP: Adds Intro to Docs (#26195, @danehans)
  • bgpv1: pass router state to gobgp (#26194, @harsimran-pabla)
  • bgpv1: skip invalid node selector config in policy selection (#26365, @harsimran-pabla)
  • bpf: add new macro __section_entry (#26123, @Jack-R-lantern)
  • bpf: nat: fix build error in snat_v6_prepare_state() (#26510, @julianwiedmann)
  • bpf: remove unused type ProgType and ProgType* consts (#26360, @tklauser)
  • bpf: Update IPv6 BPF masquerading code to bring it closer to IPv4's, fix SNAT for packets from local endpoints, for overlay (#26236, @qmonnet)
  • Calling out support for Single-Region, Multi-Region, Multi-AZ for EKS (#26015, @amitmavgupta)
  • Change wording on toServices limitations (see #20067) (#25796, @atykhyy)
  • chore(deps): update actions/setup-go action to v4.0.1 (main) (#26313, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#26306, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#26425, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.14.8 (main) (#26482, @renovate[bot])
  • chore(deps): update dependency kubernetes-sigs/kind to v0.20.0 (main) (#26428, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26297, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.5 (main) (#26304, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.5 docker digest to 8f958bf (main) (#26283, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 9ecc53c (main) (#26285, @renovate[bot])
  • cilium statedb dump command & bugtool (#26256, @joamaki)
  • cilium, bigtcp: Add max gso/gro rates to sysdump (#26392, @borkmann)
  • cilium, bigtcp: Make probing for GRO/GSO max size more graceful (#26385, @borkmann)
  • cilium: enable bpf host routing with per endpoint routes for IPv6 as well (#26205, @borkmann)
  • cilium: Repoint netlink lib back to upstream. (#26359, @borkmann)
  • clustermesh: fix broken test due to merge race (#26389, @giorio94)
  • clustermesh: improve reliability of TestClusterMesh (#26370, @giorio94)
  • cni-plugin: Clean up code (#26505, @gandro)
  • daemon: fix spelling in ipam-multi-pool-pre-allocation flag usage (#26529, @tklauser)
  • datapath: Introduce helpers for __ctx_is checks (#23820, @spacewander)
  • docs: clarify that L3 DNS policies require L7 proxy enabled (#26180, @wedaly)
  • docs: Fix the cilium-cli default branch name (#26461, @michi-covalent)
  • docs: Fix the cilium/proxy default branch name (#26464, @learnitall)
  • docs: Mark IPv6 BPF masquerading as beta (#26499, @qmonnet)
  • docs: reword incorrect L7 policy description (#26092, @peterj)
  • docs: Update kvstore documentation with potential circular dependency. (#26353, @marseel)
  • docu: add section about envoy daemonset deployment (#26033, @mhofstetter)
  • Document multi-pool IPAM mode (#26308, @tklauser)
  • Documentation: Add graceful restart section in BGP documentation (#26354, @harsimran-pabla)
  • endpoint: don't hold the endpoint lock while generating policy (#26242, @squeed)
  • envoy: Re-organize supported envoy resource import (#26469, @sayboras)
  • etcd: start the status checker only after establishing the initial session (#26363, @giorio94)
  • Fix some map handling logic as well as some issues with CLI commands related to ip-masq-agent, introduced with IPv6 support (#26435, @qmonnet)
  • fix(deps): update all go dependencies main (main) (minor) (#26429, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#26056, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#26427, @renovate[bot])
  • fix(deps): update module github.com/prometheus/procfs to v0.11.0 (main) (#26319, @renovate[bot])
  • helm: add .extraEnv to cilium-agents config init container (#26408, @nberlee)
  • identity: Make identity allocations observable (#26373, @mhofstetter)
  • Improve reliability of kvstore-related tests (#26347, @giorio94)
  • kafka: remove unused package (#26523, @tklauser)
  • kvstore: share etcd client logger to reduce memory usage (#26485, @giorio94)
  • kvstoremesh: mark the cilium-kvstoremesh secret as optional in the clustermesh-apiserver volume definition (#26318, @giorio94)
  • Log error me...

1.14.0-snapshot.4

16 Jun 20:47
v1.14.0-snapshot.4
Pre-release

Summary of Changes

Major Changes:

Minor Changes:

  • Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (#25893, @pchaigno)
  • Add helm value envoyConfig.enabled that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (#26005, @jrajahalme)
  • Add option to remove query from HTTP flows (#25746, @ChrsMark)
  • Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
  • Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
  • Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
  • Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
  • Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
  • Added Gratuitous ARP Pod Announcements (#25482, @markpash)
  • Adds peerPort field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans)
  • Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
  • bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
  • clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
  • daemon: don't allow egress gateway with KV store identity allocation (#26189, @jibi)
  • Deprecate CNP Node status updates. (#24464, @marseel)
  • envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
  • etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
  • Extend the Helm chart to allow configuring kvstoremesh. (#26109, @giorio94)
  • hubble: Add GetNamespaces to observer API (#25563, @chancez)
  • ingress: Default TLS certificate for ingress (#26065, @sathieu)
  • ipam: Add ability to automatically create CiliumPodIPPool resources in multi-pool IPAM mode (#25991, @gandro)
  • ipmasq: Add support for ip-masq-agent with IPv6 (#23219, @qmonnet)
  • mutual-auth: Avoid confusion on mTLS wording (#25761, @sayboras)
  • mutual-auth: Support spire k8s service dns resolution (#26031, @sayboras)
  • operator: Fix default API server addr in metrics subcommand (#26132, @pippolo84)
  • Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#25883, @julianwiedmann)
  • Set BGP IdleHoldTimeAfterReset to 5 seconds; a session reset can happen on BGP peer configuration change. (#26001, @harsimran-pabla)
  • spire: Add identity GC capability (#25867, @sayboras)
  • Support defining IPAM pools using CiliumPodIPPool CRD (#25824, @tklauser)
  • Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#25477, @YutaroHayakawa)
  • Support Gateway API v0.7.0 (#25711, @meyskens)
  • The deprecated pod-short context option in Hubble metrics is now removed (#26125, @lambdanis)

Bugfixes:

  • bpf: fix error handling for invoke_tailcall_if() (#26118, @julianwiedmann)
  • bpf: lxc: fix one missing drop notification in CT lookup tail calls (#26115, @julianwiedmann)
  • bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#25929, @julianwiedmann)
  • Envoy resource namespacing (#26037, @jrajahalme)
  • Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (#25735, @pchaigno)
  • Fix bug with toServices policy where service backend churn left stale CIDR identities (#25687, @christarazi)
  • Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (#26093, @pchaigno)
  • Fix for Identities that can be deleted before CESs are reconciled (#25001, @dlapcevic)
  • Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#24474, @strudelPi)
  • Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted.
    Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (#25953, @pchaigno)
  • Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#25677, @giorio94)
  • Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#25675, @giorio94)
  • Fix panic due to nil-map assignment in l2announcer (#26315, @dylandreimerink)
  • Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (#25936, @joamaki)
  • Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (#25969, @jrajahalme)
  • Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#26136, @ldelossa)

CI Changes:

Misc Changes:


1.13.4

15 Jun 16:15
v1.13.4

We are pleased to release Cilium v1.13.4.

This release addresses the following security issue:

It also contains fixes related to IPsec, datapath drop notifications, CPU overhead, the downgrade path, RevSNAT for ICMPv6, as well as a range of other regular bugfixes.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Minor Changes:

  • Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #25977, Upstream PR #25893, @pchaigno)
  • Updating the documentation Helm values now also works on arm64. (Backport PR #25731, Upstream PR #25422, @jrajahalme)

Bugfixes:

  • Add drop notifications for various error paths in the datapath. (Backport PR #25503, Upstream PR #25183, @julianwiedmann)
  • bpf,datapath: read jiffies from /proc/schedstat (Backport PR #25855, Upstream PR #25795, @ti-mo)
  • Compare annotations before discarding CiliumNode updates. (Backport PR #25588, Upstream PR #25465, @LynneD)
  • CPU overhead regression introduced in v1.13 is fixed. (#25548, @jrajahalme)
  • Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #25897, Upstream PR #25784, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #25897, Upstream PR #25724, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #25897, Upstream PR #25735, @pchaigno)
  • Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25923, Upstream PR #25419, @bimmlerd)
  • Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #25897, Upstream PR #25744, @joamaki)
  • Fix downgrade path from 1.14 to 1.13 due to stale IPAM-allocated IPv6 on cilium_host (#25962, @jschwinger233)
  • Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26160, Upstream PR #26093, @pchaigno)
  • Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (Backport PR #25731, Upstream PR #25674, @jrajahalme)
  • Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26079, Upstream PR #25953, @pchaigno)
  • Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR #25588, Upstream PR #25426, @bleggett)
  • Fix RevSNAT for ICMPv6 packets. (Backport PR #25503, Upstream PR #25306, @julianwiedmann)
  • Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #25977, Upstream PR #25936, @joamaki)
  • Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26079, Upstream PR #25969, @jrajahalme)
  • gateway-api: Race condition between routes and Gateway (Backport PR #25731, Upstream PR #25573, @sayboras)
  • gateway-api: Skip reconciliation for non-matching controller routes (Backport PR #25731, Upstream PR #25549, @sayboras)
  • helm: Correct typo in Ingress validation (Backport PR #25731, Upstream PR #25570, @sayboras)
  • Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (Backport PR #25855, Upstream PR #25803, @pchaigno)

CI Changes:

Misc Changes:

  • backport (v1.13): docs: Promote Deny Policies out of Beta (#26147, @nathanjsweet)
  • bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (Backport PR #25855, Upstream PR #25742, @julianwiedmann)
  • chore(deps): update all github action dependencies (v1.13) (patch) (#25704, @renovate[bot])
  • chore(deps): update cilium/actions-app-token action to v0.21.1 (v1.13) (#25865, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.11.6 (v1.13) (#26042, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#25852, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#25853, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.10 (v1.13) (#25857, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (v1.13) (#25547, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.13) (#25997, @renovate[bot])
  • ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (Backport PR #26200, Upstream PR #26197, @ti-mo)
  • docs: Add Bottlerocket OS to validated distros (Backport PR #25503, Upstream PR #25390, @nebril)
  • docs: document missing entity 'ingress' (Backport PR #25731, Upstream PR #25665, @mhofstetter)
  • docs: Fix broken link to backends leak issue (Backport PR #25503, Upstream PR #25278, @akhilles)
  • docs: Improve BGP Control Plane page (Backport PR #25731, Upstream PR #23939, @krouma)
  • gateway-api: Remove unused function check (#26058, @ferozsalam)
  • install: Fail helm if kube-proxy-replacement is not valid (Backport PR #25977, Upstream PR #25907, @jrajahalme)
  • ipsec: Fix cleanup of XFRM states and policies (Backport PR #26079, Upstream PR #26072, @pchaigno)
  • Slim down Node handler interface (Backport PR #25923, Upstream PR #25450, @bimmlerd)
  • test/provision/compile.sh: Make usable from dev VM (Backport PR #25503, Upstream PR #25352, @jrajahalme)
  • Update network attacker sections of the threat model (Backport PR #25977, Upstream PR #25640, @ferozsalam)

Other Changes:

Docker Manifests


1.12.11

15 Jun 16:14
v1.12.11

We are pleased to release Cilium v1.12.11. This release promotes Deny Policies from beta to stable. It contains fixes related to IPsec, WireGuard, Hubble flow data, as well as a range of other regular bugfixes.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Major Changes:

Minor Changes:

  • Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #26006, Upstream PR #25893, @pchaigno)
  • Updating the documentation Helm values now also works on arm64. (Backport PR #25732, Upstream PR #25422, @jrajahalme)

Bugfixes:

  • Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #25896, Upstream PR #25784, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #25896, Upstream PR #25724, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #25896, Upstream PR #25735, @pchaigno)
  • Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25928, Upstream PR #25419, @bimmlerd)
  • Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #25896, Upstream PR #25744, @joamaki)
  • Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26161, Upstream PR #26093, @pchaigno)
  • Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (Backport PR #25732, Upstream PR #25674, @jrajahalme)
  • Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26117, Upstream PR #25953, @pchaigno)
  • Fix a bug where long-lived connections using egress gateway could be reset. (Backport PR #25678, Upstream PR #24905, @gentoo-root)
  • Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #26006, Upstream PR #25936, @joamaki)
  • helm: Correct typo in Ingress validation (Backport PR #25732, Upstream PR #25570, @sayboras)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


1.11.18

15 Jun 16:14
v1.11.18

We are pleased to release Cilium v1.11.18. This release promotes Deny Policies from beta to stable. It contains fixes related to IPsec, WireGuard, Hubble flow data, as well as a range of other regular bugfixes.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Major Changes:

Minor Changes:

  • Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #26007, Upstream PR #25893, @pchaigno)
  • docs: fix wording for the upgrade guide (#26164, @aspsk)

Bugfixes:

  • Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #26021, Upstream PR #25784, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #26021, Upstream PR #25724, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #26021, Upstream PR #25735, @pchaigno)
  • Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25935, Upstream PR #25419, @bimmlerd)
  • Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #26021, Upstream PR #25744, @joamaki)
  • Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26021, Upstream PR #26093, @pchaigno)
  • Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (Backport PR #25733, Upstream PR #25674, @jrajahalme)
  • Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26021, Upstream PR #25953, @pchaigno)
  • Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #26021, Upstream PR #25936, @joamaki)

CI Changes:

Misc Changes:

Other Changes:

  • install: Update image digests for v0.11.17 (#25515, @jrajahalme)
  • Reduce complexity of bpf_lxc by splitting per-packet lb to its own tail call (#25993, @aspsk)
  • v1.11: Fix L4LB GHA (#25528, @brb)

Docker Manifests


1.14.0-snapshot.3 (Pre-release)

01 Jun 22:41
v1.14.0-snapshot.3

Summary of Changes

Major Changes:

  • Add TLSRoute support to GatewayAPI (#25106, @meyskens)
  • New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
  • Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)

Minor Changes:

  • add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
  • Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
  • Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
  • Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
  • Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
  • Allow to disable external workloads support in clustermesh-apiserver to improve performance when not needed. (#25259, @giorio94)
  • Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
  • clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
  • clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
  • cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
  • DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
  • dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
  • envoy: Add idle timeout configuration option (#25214, @sayboras)
  • Fix CIDR json tag in CNP CIDRRule (#25617, @pippolo84)
  • Fixed incorrectly rendered chart when both configMap and customConf are specified (#25200, @marseel)
  • helm: Bump default spire image version (#25444, @sayboras)
  • helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#25010, @giorio94)
  • helm: Improve spire template (#25589, @sayboras)
  • High-Scale IPcache: Chapter 3 (#25438, @pchaigno)
  • identity/cache: fix panic when re-init of cache after close. (#25269, @tommyp1ckles)
  • multi-pool: Determine IP pool based on ipam.cilium.io/ip-pool annotation (#25511, @gandro)
  • operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#24776, @tommyp1ckles)
  • Replace wait-for-it in SPIRE setup with a busybox script (#24959, @meyskens)
  • Significantly reduce Hubble flow traffic by transmitting only requested information (#23198, @AwesomePatrol)
  • Support enable-endpoint-routes with enable-high-scale-ipcache. (#25601, @pchaigno)
  • Support GENEVE encapsulation with high-scale ipcache. (#25591, @pchaigno)
  • Update CNI (loopback) to 1.3.0 (#25400, @anfernee)
  • Updating documentation helm values now also works on arm64. (#25422, @jrajahalme)
  • Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (#24914, @margau)

Bugfixes:

  • Add drop notifications for various error paths in the datapath. (#25183, @julianwiedmann)
  • Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#25215, @youngnick)
  • Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (#25159, @julianwiedmann)
  • bpf,datapath: read jiffies from /proc/schedstat (#25795, @ti-mo)
  • bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#19753, @sahid)
  • bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#24757, @julianwiedmann)
  • Compare annotations before discarding CiliumNode updates. (#25465, @LynneD)
  • datapath: Fix double SNAT (#25189, @brb)
  • DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (#25147, @jrajahalme)
  • Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (#25784, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (#25724, @pchaigno)
  • Fix a possible deadlock when using WireGuard transparent encryption. (#25419, @bimmlerd)
  • Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (#25298, @asauber)
  • Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#25329, @jschwinger233)
  • Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (#25744, @joamaki)
  • Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#25087, @joamaki)
  • Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (#25674, @jrajahalme)
  • Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#25499, @giorio94)
  • Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (#25426, @bleggett)
  • Fix operator shutdown hanging when kvstore is enabled (#24979, @giorio94)
  • Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (#25440, @pchaigno)
  • Fix permission issue when copying cni plugins onto host path (#24891, @JohnJAS)
  • Fix RevSNAT for ICMPv6 packets. (#25306, @julianwiedmann)
  • Fix spurious errors containing "Failed to map node IP address to allocated ID". (#25222, @bimmlerd)
  • Fix syncing of relevant node annotations into CiliumNode (#25307, @meyskens)
  • Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#25320, @harsimran-pabla)
  • gateway-api: Race condition between routes and Gateway (#25573, @sayboras)
  • gateway-api: Skip reconciliation for non-matching controller routes (#25549, @sayboras)
  • helm: Correct typo in Ingress validation (#25570, @sayboras)
  • Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (#25803, @pchaigno)
  • Track reply packets in long-living egress gateway connections and SNATed host-local connections. (#25112, @gentoo-root)

CI Changes:


1.13.3

26 May 21:11
v1.13.3

We are pleased to release Cilium v1.13.3. This release fixes bugs in the IPsec and policy implementations and is recommended for all users.

Summary of Changes

Major Changes:

  • Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (Backport PR #25019, Upstream PR #24826, @jrajahalme)
  • policy: Promote Deny Policies from Beta to Stable (#25427, @nathanjsweet)

Minor Changes:

  • Drop traffic matching an egress gateway policy when no gateway is found (Backport PR #24999, Upstream PR #24835, @MrFreezeex)
  • ingress: Add ownerReferences for shared mode (Backport PR #25013, Upstream PR #24942, @sayboras)
  • sysdump: Added Kubernetes CNI logs to sysdump. (Backport PR #25346, Upstream PR #23937, @marseel)
  • Update CNI (loopback) to 1.3.0 (Backport PR #25454, Upstream PR #25400, @anfernee)
  • Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (Backport PR #25346, Upstream PR #24914, @margau)

Bugfixes:

  • Add support for builtin kernel modules (Backport PR #25137, Upstream PR #23953, @TheAifam5)
  • Address cilium-agent startup performance regression. (Backport PR #25185, Upstream PR #25007, @bimmlerd)
  • cmd/cleanup: Fix cleanup of generic XDP programs (Backport PR #25184, Upstream PR #25117, @pchaigno)
  • datapath: Fix double SNAT (Backport PR #25223, Upstream PR #25189, @brb)
  • DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #25346, Upstream PR #25147, @jrajahalme)
  • Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25137, Upstream PR #25043, @harsimran-pabla)
  • Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (Backport PR #25368, Upstream PR #25298, @asauber)
  • Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (Backport PR #25086, Upstream PR #24807, @jschwinger233)
  • Fix bug that caused ToCIDR netpols matching kube-apiserver IPs (when external to the cluster) to not reliably allow connectivity. (#25241, @giorio94)
  • Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (Backport PR #25137, Upstream PR #25024, @pchaigno)
  • Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #25013, Upstream PR #24825, @christarazi)
  • Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25013, Upstream PR #24785, @giorio94)
  • Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #25346, Upstream PR #25087, @joamaki)
  • Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (Backport PR #25184, Upstream PR #24838, @alan-kut)
  • Fix operator shutdown hanging when kvstore is enabled (Backport PR #25223, Upstream PR #24979, @giorio94)
  • Fix operator startup delay caused by leader election lease not being released correctly (Backport PR #25137, Upstream PR #24978, @giorio94)
  • Fix panic due to assignment to nil BGP service announcements map. (Backport PR #25013, Upstream PR #24985, @harsimran-pabla)
  • Fix permission issue when copying cni plugins onto host path (Backport PR #25346, Upstream PR #24891, @JohnJAS)
  • Fix security-group-tags not working in ENI (Backport PR #25013, Upstream PR #24951, @aanm)
  • Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25346, Upstream PR #25222, @bimmlerd)
  • Fix syncing of relevant node annotations into CiliumNode (Backport PR #25368, Upstream PR #25307, @meyskens)
  • Fix the bug when long-living connections using egress gateway may be reset. (Backport PR #25346, Upstream PR #24905, @gentoo-root)
  • ipcache don't short-circuit InjectLabels if source differs (Backport PR #25077, Upstream PR #24875, @squeed)
  • pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25013, Upstream PR #24786, @hemanthmalla)
  • Track reply packets in long-living egress gateway connections and SNATed host-local connections. (Backport PR #25424, Upstream PR #25112, @gentoo-root)
  • When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (Backport PR #24795, Upstream PR #22978, @julianwiedmann)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
docker.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.3@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:v1.13.3@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
docker.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1...


1.12.10

22 May 16:14
v1.12.10

We are pleased to release Cilium v1.12.10. This release fixes bugs in the IPsec and policy implementations and is recommended for all users.

Summary of Changes

Minor Changes:

Bugfixes:

  • Address cilium-agent startup performance regression. (Backport PR #25190, Upstream PR #25007, @bimmlerd)
  • datapath: Fix double SNAT (Backport PR #25248, Upstream PR #25189, @brb)
  • DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #25348, Upstream PR #25147, @jrajahalme)
  • Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25138, Upstream PR #25043, @harsimran-pabla)
  • Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #25012, Upstream PR #24825, @christarazi)
  • Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25012, Upstream PR #24785, @giorio94)
  • Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #25348, Upstream PR #25087, @joamaki)
  • Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (Backport PR #25188, Upstream PR #24838, @alan-kut)
  • Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25348, Upstream PR #25222, @bimmlerd)
  • ipsec: Fix packet mark for FWD XFRM policy (Backport PR #25348, Upstream PR #23254, @pchaigno)
  • pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25012, Upstream PR #24786, @hemanthmalla)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.10@sha256:2cbfdf737b349c2733643f1943c7a263df63fbb86852f267f64c49cb5dfbb230
quay.io/cilium/cilium:v1.12.10@sha256:2cbfdf737b349c2733643f1943c7a263df63fbb86852f267f64c49cb5dfbb230

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.10@sha256:fe4cd08942a2f1abf8e2cbdb204099a9fcc60f6b764203277c1b674489899ef1
quay.io/cilium/clustermesh-apiserver:v1.12.10@sha256:fe4cd08942a2f1abf8e2cbdb204099a9fcc60f6b764203277c1b674489899ef1

docker-plugin

docker.io/cilium/docker-plugin:v1.12.10@sha256:9ebb46b9d56f2cdcb9db76a54ab2c13c06cd689239bd86eabc50564bc8a4d581
quay.io/cilium/docker-plugin:v1.12.10@sha256:9ebb46b9d56f2cdcb9db76a54ab2c13c06cd689239bd86eabc50564bc8a4d581

hubble-relay

docker.io/cilium/hubble-relay:v1.12.10@sha256:d2556aed3cc2d9b8fb5803f589fcc549f6471bbf42943a2c2f6d277ad69c59b3
quay.io/cilium/hubble-relay:v1.12.10@sha256:d2556aed3cc2d9b8fb5803f589fcc549f6471bbf42943a2c2f6d277ad69c59b3

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.10@sha256:fdc9f961e8d21706dc1b7d8e9606a21f63d20c8c88b06664de7c5ba2f2e2dca9
quay.io/cilium/operator-alibabacloud:v1.12.10@sha256:fdc9f961e8d21706dc1b7d8e9606a21f63d20c8c88b06664de7c5ba2f2e2dca9

operator-aws

docker.io/cilium/operator-aws:v1.12.10@sha256:d3fa57eddb0fd7fde35175d0d8977d5921307a7072f750de98c9a73f6a114dda
quay.io/cilium/operator-aws:v1.12.10@sha256:d3fa57eddb0fd7fde35175d0d8977d5921307a7072f750de98c9a73f6a114dda

operator-azure

docker.io/cilium/operator-azure:v1.12.10@sha256:26898987d01134a060810e51b1b6f41adcf226e175489bffebd7b3ebd1703b8a
quay.io/cilium/operator-azure:v1.12.10@sha256:26898987d01134a060810e51b1b6f41adcf226e175489bffebd7b3ebd1703b8a

operator-generic

docker.io/cilium/operator-generic:v1.12.10@sha256:1d78da0fcbf7ccfb32eb31f8b3b361628e91ab5f42d17ff437a82969c773fa1e
quay.io/cilium/operator-generic:v1.12.10@sha256:1d78da0fcbf7ccfb32eb31f8b3b361628e91ab5f42d17ff437a82969c773fa1e

operator

docker.io/cilium/operator:v1.12.10@sha256:a3a09a76a0bce021eea01ffc0ae587dce7c1a0c64d5612ba418505f82bab0955
quay.io/cilium/operator:v1.12.10@sha256:a3a09a76a0bce021eea01ffc0ae587dce7c1a0c64d5612ba418505f82bab0955

1.11.17

17 May 19:17
v1.11.17

We are pleased to release Cilium v1.11.17. This release fixes bugs in the IPsec and policy implementations and is recommended for all users.

Summary of Changes

Bugfixes:

  • Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25139, Upstream PR #25043, @harsimran-pabla)
  • Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25011, Upstream PR #24785, @giorio94)
  • Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (Backport PR #25382, Upstream PR #24838, @alan-kut)
  • Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25382, Upstream PR #25222, @bimmlerd)
  • helm chart: restore setting nodeSelector and tolerations on hubble-ui deployment via values.yaml (#25182, @BryanStenson-okta)
  • ipsec: Fix packet mark for FWD XFRM policy (Backport PR #25382, Upstream PR #23254, @pchaigno)
  • pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25011, Upstream PR #24786, @hemanthmalla)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.17@sha256:6c3132e34e66734752de798eb8519dafa77b9f0da1033e9bed7f7be30ce10358
quay.io/cilium/cilium:v1.11.17@sha256:6c3132e34e66734752de798eb8519dafa77b9f0da1033e9bed7f7be30ce10358

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.17@sha256:022f8b23f9e977a74b8da25ac98fbeed65bd9c132362797681264bd13abc0349
quay.io/cilium/clustermesh-apiserver:v1.11.17@sha256:022f8b23f9e977a74b8da25ac98fbeed65bd9c132362797681264bd13abc0349

docker-plugin

docker.io/cilium/docker-plugin:v1.11.17@sha256:ed49556f92b95ff339e99938bbd5649d5dc90e8378cb67a820df6bac1979ffa2
quay.io/cilium/docker-plugin:v1.11.17@sha256:ed49556f92b95ff339e99938bbd5649d5dc90e8378cb67a820df6bac1979ffa2

hubble-relay

docker.io/cilium/hubble-relay:v1.11.17@sha256:d880ee0184f1ca0fffbd73374424ae2c4d1c26af14005a58103ef695816a78ff
quay.io/cilium/hubble-relay:v1.11.17@sha256:d880ee0184f1ca0fffbd73374424ae2c4d1c26af14005a58103ef695816a78ff

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.17@sha256:36999e2fefb8f1ce3a791f60c61055b3bdde350dff5128ce3f4a5fbe31c6f341
quay.io/cilium/operator-alibabacloud:v1.11.17@sha256:36999e2fefb8f1ce3a791f60c61055b3bdde350dff5128ce3f4a5fbe31c6f341

operator-aws

docker.io/cilium/operator-aws:v1.11.17@sha256:e96a7d34ed9386a00b0c7d73946f92872280f84addcc951780c42a56dfaeae9c
quay.io/cilium/operator-aws:v1.11.17@sha256:e96a7d34ed9386a00b0c7d73946f92872280f84addcc951780c42a56dfaeae9c

operator-azure

docker.io/cilium/operator-azure:v1.11.17@sha256:20cf49d57fdccc599cfefc5a6ab0ed152dac52d45d8a2339fd3ad19415aaebba
quay.io/cilium/operator-azure:v1.11.17@sha256:20cf49d57fdccc599cfefc5a6ab0ed152dac52d45d8a2339fd3ad19415aaebba

operator-generic

docker.io/cilium/operator-generic:v1.11.17@sha256:f77cf55ebc47174fb64fd8ffd030015e55817ed9a6bfab46d0ee917a7ed198e5
quay.io/cilium/operator-generic:v1.11.17@sha256:f77cf55ebc47174fb64fd8ffd030015e55817ed9a6bfab46d0ee917a7ed198e5

operator

docker.io/cilium/operator:v1.11.17@sha256:c1cad3137dfa80c1d415dff43f064b91992158ce56899b093b0294382ae57289
quay.io/cilium/operator:v1.11.17@sha256:c1cad3137dfa80c1d415dff43f064b91992158ce56899b093b0294382ae57289

v1.14.0-snapshot.2 (Pre-release)

28 Apr 22:20
v1.14.0-snapshot.2

We are pleased to release Cilium v1.14.0-snapshot.2.

Summary of Changes

Major Changes:

  • Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
  • Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (#24826, @jrajahalme)
  • Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)

Minor Changes:

  • Add --hubble-monitor-events flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
  • Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
  • Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
  • Add network policy auth method "always-fail" (#24609, @meyskens)
  • Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
  • auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
  • Change the cilium_host IPv6 address to use the node router IPv6 instead of the native node IPv6, and fix several related IPv6 issues. (#24208, @jschwinger233)
  • Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
  • cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
  • daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
  • Deprecate --tunnel in favor of --routing-mode and --tunnel-protocol. (#24561, @pchaigno)
  • Drop traffic matching an egress gateway policy when no gateway is found (#24835, @MrFreezeex)
  • Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
  • Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
  • Enabled cilium_bpf_map_pressure metric by default (#24721, @vishal-chdhry)
  • endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
  • envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
  • envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
  • envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
  • Expose Cilium agent go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#24745, @derailed)
  • Fix broken IPv6 connectivity from outside to NodePort service when an L7 ingress policy is applied, by removing the PROXY_RT route table. (#24882, @jschwinger233)
  • helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
  • helm: Add SA to nodeinit ds (#24836, @darox)
  • Helm: Clean up deprecated values (#24214, @qmonnet)
  • ingress: Add ownerReferences for shared mode (#24942, @sayboras)
  • Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
  • ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
  • mtls: SPIRE server and agent installation (#24765, @sayboras)
  • Provides operational state of BGP peers via CLI 'cilium bgp peers' (#24612, @harsimran-pabla)
  • Remove sockops-enable and friends (#23606, @mohit-marathe)
  • Rename the sec_label field in remote_endpoint_info structure to sec_identity (#25057, @ldelossa)
  • Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
  • Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
  • The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)

Bugfixes:

  • Address cilium-agent startup performance regression. (#25007, @bimmlerd)
  • bpf: dsr: fix parsing of IPv6 AUTH extension header (#24792, @julianwiedmann)
  • bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
  • bpf: policy: fix handling of ICMPv6 packet with extension headers (#24797, @julianwiedmann)
  • Bugfix: Invert --hubble-monitor-events logic to be an allowlist (#25167, @epk)
  • cmd/cleanup: Fix cleanup of generic XDP programs (#25117, @pchaigno)
  • Filter ipv6 advertisements when using metallb as BGP speaker. (#25043, @harsimran-pabla)
  • Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (#24807, @jschwinger233)
  • Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (#25024, @pchaigno)
  • Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (#24825, @christarazi)
  • Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (#24785, @giorio94)
  • Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (#24838, @alan-kut)
  • Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
  • Fix operator startup delay caused by leader election lease not being released correctly (#24978, @giorio94)
  • Fix panic due to assignment to nil BGP service announcements map. (#24985, @harsimran-pabla)
  • Fix security-group-tags not working in ENI (#24951, @aanm)
  • Fix the bug when long-living connections using egress gateway may be reset. (#24905, @gentoo-root)
  • Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (#24788, @jrajahalme)
  • gateway-api: Re-queue gateway for namespace change (#24624, @sayboras)
  • Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (#24681, @aditighag)
  • helm: mandate issuer configuration when using cert-manager to generate certificates (#24666, @giorio94)
  • ipcache don't short-circuit InjectLabels if source differs (#24875, @squeed)
  • ipsec: Clean up stale XFRM policies and states (#24773, @pchaigno)
  • pkg/kvstore: Fix for deadlock in etcd status checker (#24786, @hemanthmalla)
  • Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (#24646, @MrFreezeex)
  • Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (#24672, @bimmlerd)
  • The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)

CI Changes:
