Releases: cilium/cilium
v1.14.0-snapshot.2
We are pleased to release Cilium v1.14.0-snapshot.2.
Summary of Changes
Major Changes:
- Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
- Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (#24826, @jrajahalme)
- Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)
Minor Changes:
- Add `--hubble-monitor-events` flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
- Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
- Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
- Add network policy auth method "always-fail" (#24609, @meyskens)
- Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
- auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
- Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fixed several related IPv6 issues. (#24208, @jschwinger233)
- Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
- cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
- daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
- Deprecate `--tunnel` in favor of `--routing-mode` and `--tunnel-protocol`. (#24561, @pchaigno)
- Drop traffic matching an egress gateway policy when no gateways are found (#24835, @MrFreezeex)
- Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
- Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
- Enabled cilium_bpf_map_pressure metric by default (#24721, @vishal-chdhry)
- endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
- envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
- envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
- envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
- Expose Cilium agent go runtime scheduler latency prometheus metric `go_sched_latencies_seconds` (#24745, @derailed)
- Fix broken IPv6 connectivity from outside to NodePort service when L7 ingress policy is applied by removing PROXY_RT route table. (#24882, @jschwinger233)
- helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
- helm: Add SA to nodeinit ds (#24836, @darox)
- Helm: Clean up deprecated values (#24214, @qmonnet)
- ingress: Add ownerReferences for shared mode (#24942, @sayboras)
- Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
- ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
- mtls: SPIRE server and agent installation (#24765, @sayboras)
- Provides operational state of BGP peers via CLI 'cilium bgp peers' (#24612, @harsimran-pabla)
- Remove sockops-enable and friends (#23606, @mohit-marathe)
- Rename the `sec_label` field in remote_endpoint_info structure to `sec_identity` (#25057, @ldelossa)
- Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
- Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
- The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)
Bugfixes:
- Address cilium-agent startup performance regression. (#25007, @bimmlerd)
- bpf: dsr: fix parsing of IPv6 AUTH extension header (#24792, @julianwiedmann)
- bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
- bpf: policy: fix handling of ICMPv6 packet with extension headers (#24797, @julianwiedmann)
- Bugfix: Invert `--hubble-monitor-events` logic to be an allowlist (#25167, @epk)
- cmd/cleanup: Fix cleanup of generic XDP programs (#25117, @pchaigno)
- Filter ipv6 advertisements when using metallb as BGP speaker. (#25043, @harsimran-pabla)
- Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (#24807, @jschwinger233)
- Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (#25024, @pchaigno)
- Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (#24825, @christarazi)
- Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (#24785, @giorio94)
- Fix incorrect network policy ebpf setup that may lead to incorrect packet denies when a CEP is present in multiple CES (#24838, @alan-kut)
- Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
- Fix operator startup delay caused by leader election lease not being released correctly (#24978, @giorio94)
- Fix panic due to assignment to nil BGP service announcements map. (#24985, @harsimran-pabla)
- Fix security-group-tags not working in ENI (#24951, @aanm)
- Fix a bug where long-lived connections using egress gateway may be reset. (#24905, @gentoo-root)
- Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (#24788, @jrajahalme)
- gateway-api: Re-queue gateway for namespace change (#24624, @sayboras)
- Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (#24681, @aditighag)
- helm: mandate issuer configuration when using cert-manager to generate certificates (#24666, @giorio94)
- ipcache: don't short-circuit InjectLabels if source differs (#24875, @squeed)
- ipsec: Clean up stale XFRM policies and states (#24773, @pchaigno)
- pkg/kvstore: Fix for deadlock in etcd status checker (#24786, @hemanthmalla)
- Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (#24646, @MrFreezeex)
- Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is `probe=l7-proxy msg="No response from probe within 15 seconds"` (#24672, @bimmlerd)
- The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)
CI Changes:
- Always use the 8.8.8.8 DNS resolver in kind (#24713, @aspsk)
- bpf: inline test functions with ctx as input (#24662, @anfernee)
- CI / Kind enhancements (#24714, @aanm)
- ci-datapath: Enable IPV6 masquerading when KPR=off (#25111, @brb)
- ci-datapath: Fix issue where tests were wrongly reported as passing (#24813, @gandro)
- ci-datapath: Use QUAY_ORGANIZATION_DEV for Quay org name (#25052, @michi-covalent)
- ci: Disable wireguard in v1.13 conformance datapath (#24804, @pippolo84)
- ci: fix clustermesh workflows on stable branches (#25089, @nbusseneau)
- ci: fix status reporting in the ci-multicluster test (#24784, @giorio94)
- ci: Mark skipped matrix workflows as successful (#24922, @gandro)
- ci: move 4.19 complexity tests to tests-datapath-verifier GHA workflow (#24517, @tklauser)
- ci: remove `STATUS` commands from upstream tests' Jenkinsfile (#25046, @nbusseneau)
- conformance-k8s-kind: disable kindnet, enable log dumping (#24982, @squeed)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based one (#24996, @giorio94)
- Enable loadBalancer.acceleration=testing-only in some datapath conformance cases (#24738, @lmb)
- Enable previously disabled encryption tests on GKE (#24603, @brlbil)
- github/workflows: Enable DSR with WireGuard in ci-dp (#25039, @brb)
- jenkinsfiles: Fix order of ginkgo tests (#25002, @pchaigno)
- kind: Bump k8s version to 1.27.0 (#24841, @sayboras)
- Let renovatebot update Go toolchain version in a single PR (#24895, @tklauser)
- Mitigate GKE workflow flake (#24755, @brlbil)
- mlh: update Jenkins jobs following 1.27 support (#24983, @nbusseneau)
- mlh: update Jenkins jobs names (`master` > `main`) (#24958, @nbusseneau)
- Port verifier tests to Go (#24538, @ti-mo)
- renovate: Add explicit gitAuthor (#24739, @gandro)
- renovate: add packageRule group for cilium-cli (#24725, @tklauser)
- renovate: Update builder and runtime images once a week (#24846, @michi-covalent)
- renovate: Update Dockerfiles that use golang image weekly (#24877, @michi-covalent)
- Replace integration_tests build tag with INTEGRATION_TESTS env (#24925, @ti-mo)
- test/k8s: remove istio.go test (#24894, @aanm)
- test/Updates: Explicit error message on failure (#24920, @pchaigno)
- test: Avoid spamming logs in monitor aggregation test (#25152, @pchaigno)
- test: Block HubbleObserveFollow until ready (#25090, @pchaigno)
- test: Enable IPv6 masq for IPsec (#24885, @jschwinger233)
- test: Fix and unquarantine `Skip conntrack` test (#25038, @pchaigno)
- test: Fix consistent failure in IPv6 masquerading test (#25036, @pchaigno)
- test: Unquarantine host firewall + nodeport test (#25025, @pchaigno)
- test: Unquarantine IPv6 masquerading test (#25149, @pchaigno)
- tests: add exceptions for lease errors due to etcd (#24723, @jibi)
- tests: small fixups for the GENEVE-DSR e2e tests (#25062, @julianwiedmann)
- travis: Run on main branch (#25108, @pchaigno)
- Update EKS conformance tests to use both amd64 and arm64 hosts. (#24853, @chancez)
- Use cilium-cli latest stable version in conformance-datapath workflows (#24809, @pippolo84)
- vagrant: Bump Vagrant box versions (#24984, @pchaigno)
- vagra...
1.13.2
We are pleased to release Cilium v1.13.2.
This release addresses the following security issue:
Note: When updating to this release, make sure that you are using the new helm chart version.
Summary of Changes
Known Issues:
- There is a known issue (#24502) with CiliumNetworkPolicies that makes the `kube-apiserver` entity unreliable. Until this is resolved, it is recommended to remain on Cilium v1.12 or earlier if you are using the `kube-apiserver` entity in your CiliumNetworkPolicies.
Minor Changes:
- envoy: Bump envoy to v1.23.8 (#24909, @sayboras)
- envoy: Bump envoy version to v1.23.7 (#24746, @sayboras)
- Move poststart eni script to agent pod from nodeinit pod (Backport PR #24547, Upstream PR #24134, @nebril)
- Provides operational state of BGP peers via CLI 'cilium bgp peers' (Backport PR #24821, Upstream PR #24612, @harsimran-pabla)
- Support L2-less devices with fast forward (bpf-based host routing) (Backport PR #24706, Upstream PR #23935, @jschwinger233)
Bugfixes:
- agent: rework clustermesh config watcher for increased robustness (Backport PR #24547, Upstream PR #24163, @giorio94)
- bpf: dsr: fix parsing of IPv6 AUTH extension header (Backport PR #24821, Upstream PR #24792, @julianwiedmann)
- bpf: fix ipv6 extension header parsing error (Backport PR #24706, Upstream PR #24309, @chenyuezhou)
- bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #24821, Upstream PR #24797, @julianwiedmann)
- Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (Backport PR #24607, Upstream PR #24339, @giorio94)
- daemon: initialize datapath before compiling sockops programs (Backport PR #24547, Upstream PR #24140, @jibi)
- egressgw: update all internal caches once k8s state is synced (Backport PR #24706, Upstream PR #24034, @jibi)
- endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #24706, Upstream PR #24575, @mhofstetter)
- Fix a bug where users are unable to change a wrong remote etcd configuration (Backport PR #24547, Upstream PR #24046, @oblazek)
- Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (Backport PR #24706, Upstream PR #24619, @giorio94)
- Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #24547, Upstream PR #24304, @dylandreimerink)
- Fix bug where ingress policies for remote-node identities are not applied correctly when new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (Backport PR #24547, Upstream PR #23764, @christarazi)
- Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #24547, Upstream PR #24189, @forgems)
- Fix for disabled cloud provider rate limiting (Backport PR #24547, Upstream PR #24413, @hemanthmalla)
- Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24870, @aanm)
- Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24843, Upstream PR #24788, @jrajahalme)
- gateway-api: Re-queue gateway for namespace change (Backport PR #24758, Upstream PR #24624, @sayboras)
- Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (Backport PR #24758, Upstream PR #24681, @aditighag)
- helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #24821, Upstream PR #24666, @giorio94)
- ipsec: Clean up stale XFRM policies and states (Backport PR #24821, Upstream PR #24773, @pchaigno)
- Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (Backport PR #24706, Upstream PR #24646, @MrFreezeex)
- Service backends with publishNotReadyAddresses are able to receive traffic regardless of whether they are Terminating, since it is the user's intent to make them reachable despite their state. (Backport PR #24547, Upstream PR #24174, @aojea)
- Set user-agent for k8s client with Cilium's version (Backport PR #24547, Upstream PR #24275, @aanm)
- Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is `probe=l7-proxy msg="No response from probe within 15 seconds"` (Backport PR #24814, Upstream PR #24672, @bimmlerd)
CI Changes:
- bpf/test: Add unit test to check whether netpol drops result in metric counter increment (Backport PR #24607, Upstream PR #24469, @brb)
- bpf/tests: fix mac addresses definitions in egressgw test (Backport PR #24607, Upstream PR #23351, @jibi)
- datapath/linux/route: fix CI expectations for rule string format (Backport PR #24607, Upstream PR #24577, @NikAleksandrov)
- Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24706, Upstream PR #24484, @jschwinger233)
- Fixed flake in the `TestRequestIPWithMismatchedLabel` LB-IPAM tests. (Backport PR #24547, Upstream PR #23297, @dylandreimerink)
- gha: Clean-up Ingress/GatewayAPI Conformance tests (Backport PR #24441, Upstream PR #24025, @sayboras)
- Increase timeout waiting for resources in Ingress conformance test (Backport PR #24441, Upstream PR #24388, @meyskens)
- Port verifier tests to Go (Backport PR #24706, Upstream PR #24538, @ti-mo)
- renovate: Fix Hubble release digest regex (Backport PR #24547, Upstream PR #24477, @gandro)
- test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (Backport PR #24547, Upstream PR #24144, @joestringer)
- test: Remove some {DP,Services} Ginkgo test cases (Backport PR #24547, Upstream PR #24223, @brb)
- test: Update 1.26 k8s version (Backport PR #24607, Upstream PR #24569, @sayboras)
- tests: add exceptions for lease errors due to etcd (Backport PR #24758, Upstream PR #24723, @jibi)
Misc Changes:
- Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24929, Upstream PR #24928, @aanm)
- Avoid clearing objects in conversion funcs (Backport PR #24929, Upstream PR #24241, @odinuge)
- bgp: extract exportPodCIDRReconciler logic into a generic function (Backport PR #24607, Upstream PR #24546, @jibi)
- bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (Backport PR #24547, Upstream PR #24271, @borkmann)
- bpf_test: use bpf.LoadCollection, print full verifier error logs (Backport PR #24607, Upstream PR #23281, @ti-mo)
- checker: Fix incorrect checker for ExportedEqual() (Backport PR #24547, Upstream PR #24373, @christarazi)
- chore(deps): update base-images (v1.13) (#24467, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.3 (v1.13) (#24799, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24233, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24234, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24800, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24802, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.7 docker digest to d2078d2 (v1.13) (#24550, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.8 docker digest to 31a2f92 (v1.13) (#24831, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.13) (#24472, @renovate[bot])
- cilium, docs: Move sig-datapath meeting to on-demand only (Backport PR #24547, Upstream PR #24205, @borkmann)
- doc: Fixed CiliumNode CRD fields for cluster-pool doc (Backport PR #24547, Upstream PR #24428, @PhilipSchmid)
- doc: kubeProxyReplacement=strict / kube-proxy co-existence (Backport PR #24547, Upstream PR #24407, @PhilipSchmid)
- docs: add note that there are two Cilium CLIs (Backport PR #24547, Upstream PR #24435, @lizrice)
- docs: Cleanup and update list of supported drivers for XDP (Backport PR #24547, Upstream PR #24398, @pchaigno)
- docs: Document the threat model for Cilium (Backport PR #24706, Upstream PR #24497, @ferozsalam)
- docs: fix typo in operations/troubleshooting.rst (Backport PR #24547, Upstream PR #24460, @NikAleksandrov)
- docs: Fix upgradeCompatibility references (Backport PR #24758, Upstream PR #24711, @joestringer)
- docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24547, Upstream PR #24164, @jspaleta)
- docs: Update egress gateway limitations (Backport PR #24547, Upstream PR #24244, @pchaigno)
- docs: Update the documentation for the `--conntrack-gc-interval` flag (Backport PR #24547, Upstream PR #24400, @pchaigno)
- egressgw: change special values for gatewayIP (Backport PR #24849, Upstream PR #24449, @MrFreezeex)
- Emit full verifier logs to agent logs and verifier.log in the endpoint directory (Backport PR #24706, Upstream PR #24506, @ti-mo)
- endpoint: correctly log IPv6 addresses (Backport PR #24547, Upstream PR #24255, @tklauser)
- Expose bpf-lb-sock-hostns-only in cilium status (Backport PR #24758, Upstream PR #24570, @romanspb80)
- Fix duplicated logs for test-output.log (Backport PR #24547, Upstream PR #24171, @romanspb80)
- Fixed BPF tests which would fail on older kernels (<=5.8) due to unsupported program loading (Backport PR #24607, Upstream PR #22980, @dylandreimerink)
- gha:...
1.12.9
We are pleased to release Cilium v1.12.9.
This release addresses the following security issue:
Note: When updating to this release, make sure that you are using the new helm chart version.
Summary of Changes
Minor Changes:
- envoy: Bump envoy to v1.23.8 (#24910, @sayboras)
- envoy: Bump envoy version to v1.23.7 (#24747, @sayboras)
Bugfixes:
- Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (Backport PR #24605, Upstream PR #24557, @jschwinger233)
- bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #24822, Upstream PR #24797, @julianwiedmann)
- endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #24709, Upstream PR #24575, @mhofstetter)
- Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #24462, Upstream PR #24304, @dylandreimerink)
- Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #24462, Upstream PR #24189, @forgems)
- Fix for disabled cloud provider rate limiting (Backport PR #24462, Upstream PR #24413, @hemanthmalla)
- Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24871, @aanm)
- Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24851, Upstream PR #24788, @jrajahalme)
- Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (Backport PR #24761, Upstream PR #24681, @aditighag)
- helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #24822, Upstream PR #24666, @giorio94)
- ipsec: Clean up stale XFRM policies and states (Backport PR #24822, Upstream PR #24773, @pchaigno)
- Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is `probe=l7-proxy msg="No response from probe within 15 seconds"` (Backport PR #24669, Upstream PR #24672, @bimmlerd)
CI Changes:
- Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24709, Upstream PR #24484, @jschwinger233)
- renovate: Fix Hubble release digest regex (Backport PR #24605, Upstream PR #24477, @gandro)
- tests: add exceptions for lease errors due to etcd (Backport PR #24761, Upstream PR #24723, @jibi)
Misc Changes:
- Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24930, Upstream PR #24928, @aanm)
- Avoid clearing objects in conversion funcs (Backport PR #24930, Upstream PR #24241, @odinuge)
- bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (Backport PR #24462, Upstream PR #24271, @borkmann)
- checker: Fix incorrect checker for ExportedEqual() (Backport PR #24462, Upstream PR #24373, @christarazi)
- chore(deps): update dependency cilium/hubble to v0.11.3 (v1.12) (#24819, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.16.5 (v1.12) (#24640, @renovate[bot])
- chore(deps): update docker.io/library/alpine:3.16.4 docker digest to 2cf17aa (v1.12) (#24479, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 24a0df4 (v1.12) (#24480, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.12) (#24492, @renovate[bot])
- doc: Fixed CiliumNode CRD fields for cluster-pool doc (Backport PR #24605, Upstream PR #24428, @PhilipSchmid)
- docs: add note that there are two Cilium CLIs (Backport PR #24605, Upstream PR #24435, @lizrice)
- docs: fix typo in operations/troubleshooting.rst (Backport PR #24605, Upstream PR #24460, @NikAleksandrov)
- docs: Fix upgradeCompatibility references (Backport PR #24761, Upstream PR #24711, @joestringer)
- docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24462, Upstream PR #24164, @jspaleta)
- docs: Update the documentation for the `--conntrack-gc-interval` flag (Backport PR #24462, Upstream PR #24400, @pchaigno)
- Expose bpf-lb-sock-hostns-only in cilium status (Backport PR #24761, Upstream PR #24570, @romanspb80)
- Fix duplicated logs for test-output.log (Backport PR #24462, Upstream PR #24171, @romanspb80)
- hubble-ui: allow ingress from non root `/` urls (Backport PR #24605, Upstream PR #23631, @geakstr)
- loader: Don't compile `.asm` files by default (Backport PR #24822, Upstream PR #24769, @pchaigno)
- pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24761, Upstream PR #24715, @aanm)
- pkg/service: Extend unit test cases (Backport PR #24822, Upstream PR #24742, @aditighag)
- proxylib: Downgrade noisy log msg to debug level (Backport PR #24462, Upstream PR #22848, @christarazi)
Other Changes:
- Add IPSec remark for upgrade to v1.12.8 (#24630, @darox)
- Add note about fixed regression in ConfigMap values that were being prioritized over flags in Cilium agent (#24744, @aanm)
- install: Update image digests for v1.12.8 (#24426, @nebril)
- Prepare for release v1.12.9 (#24879, @michi-covalent)
- v1.12: docs: Fix mitigation for IPsec upgrade issue (#24702, @pchaigno)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.12.9@sha256:677e7a906506b8a13fecb6f0f783ed647b36036786c8c640ff98e25ec2f2ab1f
quay.io/cilium/cilium:v1.12.9@sha256:677e7a906506b8a13fecb6f0f783ed647b36036786c8c640ff98e25ec2f2ab1f
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.12.9@sha256:51ac1cd2b9ff753e5e8e4881e2777095879f3c91b4366ce1c43b329c1eeeb5fa
quay.io/cilium/clustermesh-apiserver:v1.12.9@sha256:51ac1cd2b9ff753e5e8e4881e2777095879f3c91b4366ce1c43b329c1eeeb5fa
docker-plugin
docker.io/cilium/docker-plugin:v1.12.9@sha256:8d758033584cdae93ca14479e2bc93bf9cbd89bc489755121b1155713148199e
quay.io/cilium/docker-plugin:v1.12.9@sha256:8d758033584cdae93ca14479e2bc93bf9cbd89bc489755121b1155713148199e
hubble-relay
docker.io/cilium/hubble-relay:v1.12.9@sha256:ec6cf2f48b9d2dec73a24eca1e881d9792c2ca6d6beb4c23b5ab97255feb3eb5
quay.io/cilium/hubble-relay:v1.12.9@sha256:ec6cf2f48b9d2dec73a24eca1e881d9792c2ca6d6beb4c23b5ab97255feb3eb5
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.12.9@sha256:eb64357e4f130152e60ba02f83424e434aad1cf07efabaeb9f4b9da71b51cb78
quay.io/cilium/operator-alibabacloud:v1.12.9@sha256:eb64357e4f130152e60ba02f83424e434aad1cf07efabaeb9f4b9da71b51cb78
operator-aws
docker.io/cilium/operator-aws:v1.12.9@sha256:e09f06655437f62e2c332a4951798a56cf5e09f46e795e2ad9f5d4b8e8c48393
quay.io/cilium/operator-aws:v1.12.9@sha256:e09f06655437f62e2c332a4951798a56cf5e09f46e795e2ad9f5d4b8e8c48393
operator-azure
docker.io/cilium/operator-azure:v1.12.9@sha256:601321b0cadd218f369fb2d636f15d17a4ab0871047dee8a3bcfdb7abe897404
quay.io/cilium/operator-azure:v1.12.9@sha256:601321b0cadd218f369fb2d636f15d17a4ab0871047dee8a3bcfdb7abe897404
operator-generic
docker.io/cilium/operator-generic:v1.12.9@sha256:cc8d7b222f63812c691a685b32fedab8a805d243da720653cdc2ff0c4a562673
quay.io/cilium/operator-generic:v1.12.9@sha256:cc8d7b222f63812c691a685b32fedab8a805d243da720653cdc2ff0c4a562673
operator
docker.io/cilium/operator:v1.12.9@sha256:a2f69a499881873494bfdef8f3ae48dd8739fecd3e8e85b1fa88ae20f53a75b6
quay.io/cilium/operator:v1.12.9@sha256:a2f69a499881873494bfdef8f3ae48dd8739fecd3e8e85b1fa88ae20f53a75b6
1.11.16
We are pleased to release Cilium v1.11.16.
This release addresses the following security issue:
Note: When updating to this release, make sure that you are using the new helm chart version.
Summary of Changes
Minor Changes:
- envoy: Bump envoy to v1.23.8 (#24911, @sayboras)
- envoy: Bump envoy version to v1.23.7 (#24748, @sayboras)
Bugfixes:
- Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (Backport PR #24604, Upstream PR #24557, @jschwinger233)
- Fix for disabled cloud provider rate limiting (Backport PR #24458, Upstream PR #24413, @hemanthmalla)
- Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24872, @aanm)
- Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24852, Upstream PR #24788, @jrajahalme)
- Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (Backport PR #24823, Upstream PR #24681, @aditighag)
- ipsec: Clean up stale XFRM policies and states (Backport PR #24823, Upstream PR #24773, @pchaigno)
CI Changes:
- Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24710, Upstream PR #24484, @jschwinger233)
- renovate: Fix Hubble release digest regex (Backport PR #24604, Upstream PR #24477, @gandro)
- tests: add exceptions for lease errors due to etcd (Backport PR #24823, Upstream PR #24723, @jibi)
Misc Changes:
- Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24931, Upstream PR #24928, @aanm)
- Avoid clearing objects in conversion funcs (Backport PR #24931, Upstream PR #24241, @odinuge)
- checker: Fix incorrect checker for ExportedEqual() (Backport PR #24458, Upstream PR #24373, @christarazi)
- chore(deps): update dependency cilium/hubble to v0.11.3 (v1.11) (#24820, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.16.5 (v1.11) (#24644, @renovate[bot])
- chore(deps): update docker.io/library/alpine:3.16.4 docker digest to 2cf17aa (v1.11) (#24493, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 24a0df4 (v1.11) (#24498, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.11) (#24499, @renovate[bot])
- docs: add note that there are two Cilium CLIs (Backport PR #24604, Upstream PR #24435, @lizrice)
- docs: fix typo in operations/troubleshooting.rst (Backport PR #24604, Upstream PR #24460, @NikAleksandrov)
- docs: Fix upgradeCompatibility references (Backport PR #24823, Upstream PR #24711, @joestringer)
- docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24458, Upstream PR #24164, @jspaleta)
- docs: Update the documentation for the `--conntrack-gc-interval` flag (Backport PR #24458, Upstream PR #24400, @pchaigno)
- Fix duplicated logs for test-output.log (Backport PR #24458, Upstream PR #24171, @romanspb80)
- hubble-ui: allow ingress from non root `/` urls (Backport PR #24604, Upstream PR #23631, @geakstr)
- loader: Don't compile `.asm` files by default (Backport PR #24823, Upstream PR #24769, @pchaigno)
- pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24823, Upstream PR #24715, @aanm)
Other Changes:
- Add IPSec remark for upgrade to v1.11.15 (#24632, @darox)
- Add note about known regression in ConfigMap values prioritized over flags in Cilium agent (#24743, @aanm)
- In service recovery, don't skip if one of the service recoveries fails (#23922, @jaredledvina)
- install: Update image digests for v1.11.15 (#24425, @nebril)
- Prepare for release v1.11.16 (#24880, @michi-covalent)
- v1.11: docs: Document IPsec upgrade issue on v1.11.15 (#24704, @pchaigno)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.11.16@sha256:d2f2632c997a027ee4e540432edb4d8594e78e33315427e7ec3c06b473ec1e4e
quay.io/cilium/cilium:v1.11.16@sha256:d2f2632c997a027ee4e540432edb4d8594e78e33315427e7ec3c06b473ec1e4e
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.11.16@sha256:67a051ef38ae113bcf7dc27ebb23a1137ece961ce86f087226ff5a0046099106
quay.io/cilium/clustermesh-apiserver:v1.11.16@sha256:67a051ef38ae113bcf7dc27ebb23a1137ece961ce86f087226ff5a0046099106
docker-plugin
docker.io/cilium/docker-plugin:v1.11.16@sha256:1ee1bae0c2299d94ff162fc2847f9827823ff3d8e055e07da06e4ca28efe9391
quay.io/cilium/docker-plugin:v1.11.16@sha256:1ee1bae0c2299d94ff162fc2847f9827823ff3d8e055e07da06e4ca28efe9391
hubble-relay
docker.io/cilium/hubble-relay:v1.11.16@sha256:c4c12759ba628e64a0f3fada99d2632627e5391ae0b49c3f35da51c3ba9eac9f
quay.io/cilium/hubble-relay:v1.11.16@sha256:c4c12759ba628e64a0f3fada99d2632627e5391ae0b49c3f35da51c3ba9eac9f
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.11.16@sha256:d60aedfabf0957da1d975ee54779172f990366e9fb8bf55184ac31a0d77adc65
quay.io/cilium/operator-alibabacloud:v1.11.16@sha256:d60aedfabf0957da1d975ee54779172f990366e9fb8bf55184ac31a0d77adc65
operator-aws
docker.io/cilium/operator-aws:v1.11.16@sha256:526dab3bee6231f71da44d14f25c17dfb53afba876bfc99374a11c0fb4278e36
quay.io/cilium/operator-aws:v1.11.16@sha256:526dab3bee6231f71da44d14f25c17dfb53afba876bfc99374a11c0fb4278e36
operator-azure
docker.io/cilium/operator-azure:v1.11.16@sha256:0c2da6adf29f521f6d2ffe92794ad598fc99231eba2814b80cf608362cc14a3c
quay.io/cilium/operator-azure:v1.11.16@sha256:0c2da6adf29f521f6d2ffe92794ad598fc99231eba2814b80cf608362cc14a3c
operator-generic
docker.io/cilium/operator-generic:v1.11.16@sha256:ea3fbe5ab65efc41228d716a64804b6fca9e2299835c3d39ae1cb248c1594c55
quay.io/cilium/operator-generic:v1.11.16@sha256:ea3fbe5ab65efc41228d716a64804b6fca9e2299835c3d39ae1cb248c1594c55
operator
docker.io/cilium/operator:v1.11.16@sha256:44fb99adbba82605702aa9c41380c1c79ad5565bbd3c9d961f9aab55387be586
quay.io/cilium/operator:v1.11.16@sha256:44fb99adbba82605702aa9c41380c1c79ad5565bbd3c9d961f9aab55387be586
1.14.0-snapshot.1
We are pleased to release Cilium v1.14.0-snapshot.1.
Summary of Changes
Major Changes:
- Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#24263, @meyskens)
- cilium: fib lookup consolidation (#23884, @borkmann)
- The Cilium operator now taints nodes where Cilium is scheduled to run but is not running.
This prevents pods from being scheduled on nodes without Cilium.
The CNI configuration file is no longer removed on agent shutdown.
This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade.
This should help prevent nodes accidentally entering an unmanageable state.
It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#23486, @squeed)
Minor Changes:
- [SNAT] add "need to frag" ICMP support (#18414, @sahid)
- Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#23968, @meyskens)
- Add hubble_lost_events_total metric for the number of events lost by Hubble. (#22865, @lambdanis)
- bpf, ipcache: unconditionally assume support for LPM trie maps (#24258, @tklauser)
- clustermesh: enable per-cluster RBAC in etcd server (#24284, @giorio94)
- cmd/service: unify service list/get output (#24136, @oblazek)
- Disable by default CNP Node Status GC in cilium-operator. (#24390, @marseel)
- dns: Set --tofqdns-min-ttl to zero by default (#21439, @michi-covalent)
- envoy: Bump envoy to 1.24.3 (#24148, @sayboras)
- feat: optional bpf mount (#24161, @frezbo)
- helm: simplify TLS configuration of clustermesh peers (#24222, @giorio94)
- Hide `--install-iptables-rules` agent flag and remove `installIptablesRules` Helm flag (#24081, @pchaigno)
- hubble: traffic direction filter (#24120, @kaworu)
- Improve cilium monitor output for dropped packets: display source file names instead of numerical ids (#24143, @aspsk)
- Increase the default CiliumEndpointSlice sync time from 0 to 500ms (#23615, @dlapcevic)
- Integration of sample dashboards with Helm chart (#23794, @jcpunk)
- Make Envoy sockets for tproxy and the xDS API bind to localhost only (#24011, @meyskens)
- Move poststart eni script to agent pod from nodeinit pod (#24134, @nebril)
- policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated, this has now been fixed. (#23927, @rockc2020)
- Prepare Cilium API for IPAM pools (#24248, @tklauser)
- Support L2-less devices with fast forward (bpf-based host routing) (#23935, @jschwinger233)
Bugfixes:
- Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (#24557, @jschwinger233)
- Add support for builtin kernel modules (#23953, @TheAifam5)
- Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (#24009, @squeed)
- agent: rework clustermesh config watcher for increased robustness (#24163, @giorio94)
- Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (#24156, @aanm)
- bpf: fix ipv6 extension header parsing error (#24309, @chenyuezhou)
- bpf: nodeport: fix handling of stale CT entry with CT_REPLY (#23894, @julianwiedmann)
- Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (#24339, @giorio94)
- daemon: fix panic when running with etcd with endpoint crd disabled (#24085, @tommyp1ckles)
- daemon: initialize datapath before compiling sockops programs (#24140, @jibi)
- endpoint: fix k8sNamespace log field when ep gets deleted (#24575, @mhofstetter)
- Fix a bug where users are unable to change a wrong remote etcd configuration (#24046, @oblazek)
- Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (#24619, @giorio94)
- Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (#24304, @dylandreimerink)
- Fix bug that would prevent IPsec from working with GENEVE encapsulation. (#24116, @borkmann)
- Fix bug where ingress policies for remote-node identities are not applied correctly when new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (#23764, @christarazi)
- Fix Cilium crash during network policy computation (#24322, @joestringer)
- Fix Cilium Operator from crashing when encountering empty node pools on Azure (#24189, @forgems)
- Fix deadlock in cilium-operator when using CiliumEndpointSlices (#24343, @alan-kut)
- Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (#23874, @sjdot)
- Fix failure to load the datapath for new pods on latest kernel when (almost) all datapath features are enabled. (#24405, @borkmann)
- Fix FIB lookup for traffic to a L7 service backend, when BPF host-routing is enabled and multiple external devices are configured. (#24182, @julianwiedmann)
- Fix for disabled cloud provider rate limiting (#24413, @hemanthmalla)
- Fix incorrectly dropping in-cluster traffic for L7 ingress resources (#23984, @sayboras)
- Fix IPv6 policy enforcement for SNATed traffic from the Host (#24132, @ysksuzuki)
- Fix panic in hubble http v2 metrics (#24350, @chancez)
- Fix Pod connectivity interruption during agent restart (#24336, @ti-mo)
- Fix some test failures for bpf_nat_test.c (#24534, @YutaroHayakawa)
- init.sh: fix cgroup program detachment and detach multiple progs with retry (#24118, @ti-mo)
- install: don't render role / rolebinding when agent disabled (#23877, @squeed)
- Service backends with publishNotReadyAddresses are able to receive traffic regardless of whether they are Terminating, since it is the user's intent to make them reachable despite their state. (#24174, @aojea)
- Set user-agent for k8s client with Cilium's version (#24275, @aanm)
- Solved an issue failing to forward traffic to Services if the Endpoint Slices had the same Address on different Slices (#24202, @aojea)
- When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (#22978, @julianwiedmann)
CI Changes:
- .github/workflows: re-enable coverage in BPF tests (#23291, @tklauser)
- .github/workflows: run datapath complexity tests directly in VM (#24117, @tklauser)
- .github: Rename failure step in actions (#24437, @joestringer)
- Add 1.13 conformance test (#24033, @aanm)
- bpf,test: Add an option to disable coverage report per file (#24338, @YutaroHayakawa)
- bpf/Makefile: Cover VTEP in compile tests (#24106, @pchaigno)
- bpf/test: Add unit test to check whether netpol drops result in metric counter increment (#24469, @brb)
- bpf: Update checkpatch image (#24215, @qmonnet)
- bpf: Various fixes for `MAX_*_OPTIONS` and support for 5.10 (#24122, @pchaigno)
- ci: don't use ./contrib/scripts/kind.sh --xdp in 1.13 workflow (#24611, @tklauser)
- ci: fix datapath complexity workflow (#24528, @tklauser)
- ci: fix missing timeout in Cyclonus test (#24529, @nbusseneau)
- ci: quarantine `K8sAgentIstioTest` (#24476, @nbusseneau)
- cocci: Fix Python path for coccilib (#24430, @qmonnet)
- contrib/kind: no longer create local docker registry (#24541, @squeed)
- datapath/linux/route: fix CI expectations for rule string format (#24577, @NikAleksandrov)
- drop v1.10 support for eks tests (#24037, @aanm)
- egressgw: test: switch to WaitForEgressPolicyEntries (#24097, @jibi)
- Enable egress gateway in datapath CI (#24210, @lmb)
- Enable testing of BPF programs requiring XDP_TX in CI (#24250, @lmb)
- Fix broken target_url for conformance-clustermesh (#24315, @YutaroHayakawa)
- Fix execution of coccinelle checks (#24392, @qmonnet)
- Fix race conditions when deleting CNP / CCNP in e2e tests (#24484, @jschwinger233)
- Fixed flake in the `TestRequestIPWithMismatchedLabel` LB-IPAM tests. (#23297, @dylandreimerink)
- gateway-api: Fix flaky conformance tests (#24317, @sayboras)
- gh/workflows: Enable Host FW in ci-dp (#24429, @brb)
- gh/workflows: Split ci-dp encrypt tests into separate matrix configs (#24296, @brb)
- gha: Clean-up Ingress/GatewayAPI Conformance tests (#24025, @sayboras)
- gha: Run kubernetes Conformance and SIG-network tests (#24209, @aojea)
- Increase timeout waiting for resources in Ingress conformance test (#24388, @meyskens)
- Migrate L7 TLS Ginkgo tests to cilium-cli (#24414, @meyskens)
- renovate: Add packageRule group for Hubble CLI (#24637, @gandro)
- renovate: automate golangci-lint upgrades (#24664, @mhofstetter)
- renovate: Fix Hubble release digest regex (#24477, @gandro)
- Revert ".github/workflows: run datapath complexity tests directly in VM" (#24535, @tklauser)
- Run latest fuzzers in OSS-Fuzz (#22580, @AdamKorcz)
- test/k8s: remove k8s agent health tests (#24433, @tklauser)
- test/verifier: Fix compilation command (#24412, @pchaigno)
- test: add cluster mesh conformance tests with Kind (#23496, @giorio94)
- test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (#24144, @joestringer)
- test: gather containerd logs on failure (#24133, @squeed)
- test: Remove RuntimeDatapathLB (#24245, @brb)
- test: Remove some {DP,Services} Ginkgo test cases (#24223, @brb)
- test: Update 1.26 k8s version (#24569, @sayboras)
- workflow: enable pod-to-cidr tests (#23986, @brlbil)
- workflows/externalworkload: Avoid using `--config` when unnecessary (#24567, @pchaigno)
- workflows: Cover IPsec + GENEVE (#24125, @pchaigno)
- workflows: l4lb/verifier: fix skip-test-run job (#24072, @jibi)
- workflows: l4lb/verifier: replace tabs with spaces (#24108, @jibi)
Misc Changes:
- .gitatt...
1.13.1
We are pleased to release Cilium v1.13.1. This is the first patch release in the 1.13 series and it contains a lot of good stuff! We improved docs, fixed memory leaks and deadlocks, improved Helm charts and did so much more! Full list below.
This release addresses the following security issues:
Note: When updating to this release, make sure that you are using the new Helm chart version.
Summary of Changes
Minor Changes:
- Add CLI command to dump cgroups metadata (Backport PR #23834, Upstream PR #23641, @alexkats)
- Add pod-name hubble metrics context for pod name label without namespace (Backport PR #24058, Upstream PR #23199, @chancez)
- envoy: Bump envoy to 1.23.4 (Backport PR #23956, Upstream PR #23800, @sayboras)
- helm: Add pod and container security context (Backport PR #24086, Upstream PR #23443, @sayboras)
- helm: Add SA automount configuration (Backport PR #24086, Upstream PR #23441, @sayboras)
- helm: Add support of annotations in hubble ui service (Backport PR #23834, Upstream PR #23709, @brnck)
- Hide `--install-iptables-rules` agent flag and remove `installIptablesRules` Helm flag (Backport PR #24200, Upstream PR #24081, @pchaigno)
Bugfixes:
- [EKS] Fix deadlock causing network connectivity outages when kube-apiservers scale down (Backport PR #23956, Upstream PR #23836, @christarazi)
- Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24200, Upstream PR #24009, @squeed)
- agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23956, Upstream PR #23787, @giorio94)
- Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (Backport PR #24200, Upstream PR #24156, @aanm)
- bpf: Fix broken remote-node identity classification (Backport PR #23956, Upstream PR #23091, @ysksuzuki)
- clustermesh: fix cluster synchronization wait group increment (Backport PR #24058, Upstream PR #23741, @giorio94)
- clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24058, Upstream PR #23947, @giorio94)
- envoy: Avoid empty typeURL for all resources (Backport PR #23860, Upstream PR #23763, @sayboras)
- Fix bug that would prevent IPsec from working with GENEVE encapsulation. (Backport PR #24200, Upstream PR #24116, @borkmann)
- Fix bug that would prevent SRv6 decapsulation when BPF Host Routing was disabled. (Backport PR #23834, Upstream PR #23825, @ldelossa)
- Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23956, Upstream PR #23857, @giorio94)
- Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24311, Upstream PR #23874, @sjdot)
- Fix incorrectly dropping in-cluster traffic for L7 ingress resources (Backport PR #24200, Upstream PR #23984, @sayboras)
- Fix memory leak caused on clustermesh reconnect. (Backport PR #24086, Upstream PR #23785, @oblazek)
- Fix operator crash race condition for CES identity map concurrent read/write (Backport PR #24086, Upstream PR #23605, @dlapcevic)
- Fix restoreServicesLocked() potential nil pointer panic (Backport PR #23834, Upstream PR #23446, @dlapcevic)
- fix(helm): add missing updateStrategy to hubble-ui deployment (Backport PR #24058, Upstream PR #23975, @mhulscher)
- Fixes a bug where the Helm value `cni.configMap` no longer worked. (Backport PR #23834, Upstream PR #23743, @squeed)
- Fixes a memory leak and (possible) source of stale data for Clustermesh whenever the connection to the remote cluster is disrupted or restarted. (Backport PR #23834, Upstream PR #23532, @squeed)
- gateway-api: Combine metrics registry with operator (Backport PR #23834, Upstream PR #23501, @sayboras)
- helm: Fix duplicate `enable-envoy-config` flag when enabling L7LB, Ingress Controller, or GatewayAPI simultaneously (Backport PR #23956, Upstream PR #23866, @DWSR)
- Hubble Relay: fix reported uptime (Backport PR #24058, Upstream PR #23966, @rolinh)
- install: don't render role / rolebinding when agent disabled (Backport PR #24200, Upstream PR #23877, @squeed)
- ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23834, Upstream PR #23713, @gandro)
- k8s: Handle EndpointSlice AddressType field properly (Backport PR #23956, Upstream PR #23803, @YutaroHayakawa)
- kvstore: prevent deletion delay for node-unrelated events (Backport PR #24086, Upstream PR #23745, @giorio94)
- node: require ipv4 address when wireguard is enabled (#23552, @giorio94)
- watchers: endpointsync can manage already owned CiliumEndpoints. (Backport PR #24086, Upstream PR #23499, @tommyp1ckles)
CI Changes:
- bpf/Makefile: Cover VTEP in compile tests (Backport PR #24200, Upstream PR #24106, @pchaigno)
- CI: switch to registry.k8s.io (Backport PR #24058, Upstream PR #23821, @ameukam)
- test: Get rid of 4.9 pipeline (Backport PR #23834, Upstream PR #23343, @brb)
- test: Skip K8sPolicyTestExtended on the 4.19 (Backport PR #23956, Upstream PR #23934, @brb)
- test: Update policy for hairpin flow validation (Backport PR #23834, Upstream PR #23480, @aditighag)
Misc Changes:
- Add leader requirement to watch from Etcd. (Backport PR #24058, Upstream PR #23590, @marseel)
- agent: dump stack on stale probes (Backport PR #24086, Upstream PR #23915, @squeed)
- bpf,test: Define BPF_TEST macro for map-in-map/prog-map initialization (Backport PR #24200, Upstream PR #24127, @YutaroHayakawa)
- bpf: Fix usage of tunnel map structs (Backport PR #24086, Upstream PR #23469, @pchaigno)
- bugtool: Add ingress/egress tc filter dump (Backport PR #24200, Upstream PR #24057, @joestringer)
- chore(deps): update actions/checkout action to v3.3.0 (v1.13) (#23992, @renovate[bot])
- chore(deps): update all github action dependencies (v1.13) (patch) (#23991, @renovate[bot])
- chore(deps): update base-images (v1.13) (#24104, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.2 (v1.13) (#23851, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.6 docker digest to 1a86aa6 (v1.13) (#24105, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.6 docker digest to 7ce31d1 (v1.13) (#23775, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.6 docker digest to 7ce31d1 (v1.13) (#23776, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (v1.13) (#23908, @renovate[bot])
- docs: Clarify basic kernel requirement (Backport PR #24058, Upstream PR #23951, @pchaigno)
- docs: Document CONFIG_PERF_EVENTS requirement (Backport PR #24200, Upstream PR #24055, @joestringer)
- docs: Document kernel requirement for L3 devices support (Backport PR #24200, Upstream PR #24101, @pchaigno)
- docs: Document upgrade behaviour for 1.13.x (#24364, @joestringer)
- docs: Fix missing disclaimer content to Ingress and Gateway API pages (Backport PR #23956, Upstream PR #23756, @kayceeDev)
- docs: Fix the dead link to Mellanox performance tuning guide (Backport PR #24086, Upstream PR #24012, @gentoo-root)
- docs: replace usage of api.twitter.com (Backport PR #23834, Upstream PR #23669, @kaworu)
- Document exemplars option for hubble httpV2 metrics (Backport PR #23834, Upstream PR #23620, @chancez)
- fix(deps): update module golang.org/x/net to v0.7.0 [security] (master) (Backport PR #23956, Upstream PR #23904, @renovate[bot])
- Fixed broken/deprecated links (Backport PR #24058, Upstream PR #23920, @PhilipSchmid)
- Fixed link to broken anchor in RKE doc (Backport PR #23834, Upstream PR #23706, @raphink)
- Fixes a flake in the kubectl wait part of the CI (Backport PR #23834, Upstream PR #23733, @meyskens)
- IPsec: Remove `IP_POOLS` logic (Backport PR #24086, Upstream PR #24030, @pchaigno)
- kvstore: add clusterName suffix to session controllers (Backport PR #24086, Upstream PR #23928, @oblazek)
- Remove / in RKE doc link as it causes redirect bug (Backport PR #23834, Upstream PR #23728, @raphink)
- test/runtime: Set NO_COLOR for privileged tests (Backport PR #24058, Upstream PR #23151, @joestringer)
- Update CNI to 1.2.0 (#23319, @michi-covalent)
- Update signature verification docs for Sigstore 2.0 (Backport PR #24086, Upstream PR #24029, @jedsalazar)
- workflow: fixes LLVM, Clang cache and install path (Backport PR #23834, Upstream PR #23740, @brlbil)
Other Changes:
- .github: remove workflows that are not branch specific (#23842, @aanm)
- [v1.13] bpf: use skb->ifindex for FIB lookup in handle_*_from_lxc() (#24195, @julianwiedmann)
- gha: Bump timeout to 90 minutes for build commit. (#23959, @sayboras)
- install: Update image digests for v1.13.0 (#23783, @aanm)
- update images 1.13 (#24331, @nebril)
- v1.13 - Backport initContainer change (#24333, @ferozsalam)
- v1.13 backport: fix cgroup program detachment and 1.14 downgrade (#24184, @ti-mo)
- v1.13 Backports 2023-03-06 (#24179, @jibi)
- v1.13 Backports 2023-03-14 (#24370, @nebril)
- v1.13 Backports 2023-03-15 (#24387, @nebril)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.13.1@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25beda
quay.io/cilium/cilium:v1.13.1@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25beda
docker.io/cilium/cilium:stable@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25beda
`quay.io/cilium/cilium:stable@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25be...
1.12.8
We are pleased to release Cilium v1.12.8. This release includes Helm chart improvements, many bugfixes (including a fixed deadlock on EKS and operator crashes) and CI improvements.
This release addresses the following security issues:
Note: When updating to this release, make sure that you are using the new Helm chart version.
Summary of Changes
Minor Changes:
- envoy: Bump envoy to 1.23.4 (Backport PR #23957, Upstream PR #23800, @sayboras)
- helm: Add pod and container security context (Backport PR #24083, Upstream PR #23443, @sayboras)
- helm: Add SA automount configuration (Backport PR #24083, Upstream PR #23441, @sayboras)
- helm: Add support of annotations in hubble ui service (Backport PR #23779, Upstream PR #23709, @brnck)
Bugfixes:
- [EKS] Fix deadlock causing network connectivity outages when kube-apiservers scale down (Backport PR #23957, Upstream PR #23836, @christarazi)
- Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24197, Upstream PR #24009, @squeed)
- agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23957, Upstream PR #23787, @giorio94)
- Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (Backport PR #24197, Upstream PR #24156, @aanm)
- cilium-health status: fix endpoint reachability in succinct view (Backport PR #23779, Upstream PR #23506, @giorio94)
- clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24083, Upstream PR #23947, @giorio94)
- envoy: Avoid empty typeURL for all resources (Backport PR #23861, Upstream PR #23763, @sayboras)
- Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23957, Upstream PR #23857, @giorio94)
- Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24310, Upstream PR #23874, @sjdot)
- Fix operator crash race condition for CES identity map concurrent read/write (Backport PR #24197, Upstream PR #23605, @dlapcevic)
- ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23779, Upstream PR #23713, @gandro)
- node: require ipv4 address when wireguard is enabled (Backport PR #24039, Upstream PR #23552, @giorio94)
- watchers: endpointsync can manage already owned CiliumEndpoints. (Backport PR #24083, Upstream PR #23499, @tommyp1ckles)
CI Changes:
- bpf/Makefile: Cover VTEP in compile tests (Backport PR #24197, Upstream PR #24106, @pchaigno)
- ci: Update docs-builder image for documentation workflow (Backport PR #24067, Upstream PR #21040, @qmonnet)
- test: Update policy for hairpin flow validation (Backport PR #23779, Upstream PR #23480, @aditighag)
- workflows: Bump timeout of ConformanceKind workflow (Backport PR #23957, Upstream PR #22072, @pchaigno)
Misc Changes:
- .github: remove stable tags (#23830, @aanm)
- Add leader requirement to watch from Etcd. (Backport PR #24083, Upstream PR #23590, @marseel)
- bpf: Fix usage of tunnel map structs (Backport PR #24083, Upstream PR #23469, @pchaigno)
- bugtool: Add ingress/egress tc filter dump (Backport PR #24197, Upstream PR #24057, @joestringer)
- bugtool: Dump envoy metrics for troubleshooting (Backport PR #23779, Upstream PR #22797, @sayboras)
- chore(deps): update actions/checkout action to v3.3.0 (v1.12) (#23994, @renovate[bot])
- chore(deps): update all github action dependencies (v1.12) (patch) (#23993, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.2 (v1.12) (#23909, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 4a45212 (v1.12) (#23693, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 9fa30fc (v1.12) (#24137, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (v1.12) (#23923, @renovate[bot])
- clustermesh, kvstore: consistently pass controller context to kvstore operations (Backport PR #23779, Upstream PR #23333, @tklauser)
- docs: correct Prometheus port (Backport PR #23779, Upstream PR #23404, @lizrice)
- docs: Document CONFIG_PERF_EVENTS requirement (Backport PR #24197, Upstream PR #24055, @joestringer)
- docs: Drop sphinxcontrib-openapi fork, switch back to upstream (Backport PR #23779, Upstream PR #23118, @qmonnet)
- docs: Fix the dead link to Mellanox performance tuning guide (Backport PR #24083, Upstream PR #24012, @gentoo-root)
- docs: Mark Git repository as safe, at runtime, if in a container (Backport PR #24067, Upstream PR #21069, @qmonnet)
- docs: replace usage of api.twitter.com (Backport PR #23779, Upstream PR #23669, @kaworu)
- Enable Google Analytics 4 (Backport PR #24067, Upstream PR #22220, @chalin)
- fix(deps): update module golang.org/x/net to v0.7.0 [security] (master) (Backport PR #23957, Upstream PR #23904, @renovate[bot])
- Fixed link to broken anchor in RKE doc (Backport PR #23779, Upstream PR #23706, @raphink)
- Introduce node IDs in the datapath and the agent, so datapath can later use them to identify remote nodes (Backport PR #23779, Upstream PR #23202, @pchaigno)
- IPsec: Remove `IP_POOLS` logic (Backport PR #24083, Upstream PR #24030, @pchaigno)
- Node ID restoration (Backport PR #23779, Upstream PR #23578, @pchaigno)
- Remove / in RKE doc link as it causes redirect bug (Backport PR #23779, Upstream PR #23728, @raphink)
- workflow: fixes LLVM, Clang cache and install path (Backport PR #23779, Upstream PR #23740, @brlbil)
Other Changes:
- agent: dump stack on stale probes [backport-1.12] (#24213, @squeed)
- docs: Add note for operator.extraEnv (#23843, @sayboras)
- install: Update image digests for v1.12.7 (#23738, @joestringer)
- Revert "Pick up etcd v3.5.7" (#23788, @michi-covalent)
- update images 1.12 (#24303, @nebril)
- v1.12 - Backport initContainer change (#24332, @ferozsalam)
- v1.12 backport: fix cgroup program detachment and 1.14 downgrade (#24183, @ti-mo)
- v1.12 Backports 2023-03-03 (#24155, @jibi)
- v1.12 Backports 2023-03-14 (#24369, @nebril)
- v1.12 Backports 2023-03-15 (#24386, @nebril)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.12.8@sha256:b6c3c48b380334b8f08dba6e0c28d906c0d722b8c2beb0d506b3cea27f66f78d
quay.io/cilium/cilium:v1.12.8@sha256:b6c3c48b380334b8f08dba6e0c28d906c0d722b8c2beb0d506b3cea27f66f78d
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.12.8@sha256:acb4727cb2ccde4ecd372c459c4da53823e00d36b470f80339a237fbe5127a0b
quay.io/cilium/clustermesh-apiserver:v1.12.8@sha256:acb4727cb2ccde4ecd372c459c4da53823e00d36b470f80339a237fbe5127a0b
docker-plugin
docker.io/cilium/docker-plugin:v1.12.8@sha256:8c4dd43fea669b3e0b63c0d7abae06b1f61a6ad7365f69ebc65e0b5c916e6468
quay.io/cilium/docker-plugin:v1.12.8@sha256:8c4dd43fea669b3e0b63c0d7abae06b1f61a6ad7365f69ebc65e0b5c916e6468
hubble-relay
docker.io/cilium/hubble-relay:v1.12.8@sha256:508cf85bb1a11c13abd995e3c5fd18ed3c2f1d26cbf463a97297e8b8c9149f13
quay.io/cilium/hubble-relay:v1.12.8@sha256:508cf85bb1a11c13abd995e3c5fd18ed3c2f1d26cbf463a97297e8b8c9149f13
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.12.8@sha256:d9a4a9c4f5d5969cb3bbfdbe773a182858de53c3b3d88dd39e80f89b97f1c7b2
quay.io/cilium/operator-alibabacloud:v1.12.8@sha256:d9a4a9c4f5d5969cb3bbfdbe773a182858de53c3b3d88dd39e80f89b97f1c7b2
operator-aws
docker.io/cilium/operator-aws:v1.12.8@sha256:6177a5f6ab05dedfc93268ab7aa02da37e2a96c6a4c75243cb1b33aecc1c68ad
quay.io/cilium/operator-aws:v1.12.8@sha256:6177a5f6ab05dedfc93268ab7aa02da37e2a96c6a4c75243cb1b33aecc1c68ad
operator-azure
docker.io/cilium/operator-azure:v1.12.8@sha256:da3ff887535d7687564afeb4108046069de14ed2fee368908adf9e467238ff7e
quay.io/cilium/operator-azure:v1.12.8@sha256:da3ff887535d7687564afeb4108046069de14ed2fee368908adf9e467238ff7e
operator-generic
docker.io/cilium/operator-generic:v1.12.8@sha256:7431f0c2001fb875b1a8901e103825394c38cd6c63a1435a3273ed20ae0e7578
quay.io/cilium/operator-generic:v1.12.8@sha256:7431f0c2001fb875b1a8901e103825394c38cd6c63a1435a3273ed20ae0e7578
operator
docker.io/cilium/operator:v1.12.8@sha256:1d3f32b112034dc0a7b83cde55850f00cf3adca9ae7f51aff42f2f8228998c8b
quay.io/cilium/operator:v1.12.8@sha256:1d3f32b112034dc0a7b83cde55850f00cf3adca9ae7f51aff42f2f8228998c8b
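The Docker Manifests sections on this page (this one and the ones for the other releases) pin every image by sha256 digest on both docker.io and quay.io, which is what lets you deploy by digest rather than by mutable tag. The following is an added example, not Cilium's own code, that checks such a list for the properties a supply-chain reviewer cares about: every reference is digest-pinned, carries the release tag, is published on both mirrors, and resolves to the same digest on each mirror. The sample lists embedded below are constructed in the page's layout with placeholder digests; they are not the digests from this page.

```python
"""Consistency checks for digest-pinned image references, as listed in a
Cilium release's "Docker Manifests" section. Added example, not Cilium code."""
import re
from collections import defaultdict

# <registry>/<repository>:<tag>@sha256:<64 lowercase hex chars>
_REF_RE = re.compile(
    r"^(?P<registry>[^/\s]+)/(?P<repo>[^@:\s]+):(?P<tag>[^@\s]+)"
    r"@sha256:(?P<digest>[0-9a-f]{64})$"
)
MIRRORS = {"docker.io", "quay.io"}  # the two registries the release page lists


def parse_ref(ref):
    """Split a pinned reference into its parts; reject anything not pinned by digest."""
    m = _REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"not a digest-pinned reference: {ref!r}")
    return m.groupdict()


def check_manifests(lines, expected_tag):
    """Return a list of problems; an empty list means the manifest list is consistent.

    Checks: every reference parses and carries a sha256 digest, every tag is the
    release tag, each repository is present on every mirror, and the digest for a
    repository is identical across mirrors (same image content everywhere).
    """
    problems = []
    digests = defaultdict(dict)  # repo -> {registry: digest}
    for line in lines:
        line = line.strip()
        if not line or "/" not in line:
            continue  # component headings such as "cilium" or "operator-aws"
        try:
            ref = parse_ref(line)
        except ValueError as err:
            problems.append(str(err))
            continue
        if ref["tag"] != expected_tag:
            problems.append(f"{ref['repo']}: tag {ref['tag']} is not {expected_tag}")
        digests[ref["repo"]][ref["registry"]] = ref["digest"]
    for repo, per_registry in digests.items():
        if len(set(per_registry.values())) > 1:
            problems.append(f"{repo}: digests differ across registries: {per_registry}")
        missing = MIRRORS - set(per_registry)
        if missing:
            problems.append(f"{repo}: not published on {sorted(missing)}")
    return problems


# Constructed samples in the layout of the page's manifest lists; the digests
# are placeholders, not real image digests.
_A, _B, _C, _D = "ab" * 32, "cd" * 32, "ef" * 32, "01" * 32
GOOD = f"""cilium
docker.io/cilium/cilium:v1.12.8@sha256:{_A}
quay.io/cilium/cilium:v1.12.8@sha256:{_A}
hubble-relay
docker.io/cilium/hubble-relay:v1.12.8@sha256:{_B}
quay.io/cilium/hubble-relay:v1.12.8@sha256:{_B}
"""
# Same list with a mismatched hubble-relay digest on quay.io, plus an
# operator-generic entry on the wrong tag that is missing from quay.io.
BAD = f"""cilium
docker.io/cilium/cilium:v1.12.8@sha256:{_A}
quay.io/cilium/cilium:v1.12.8@sha256:{_A}
hubble-relay
docker.io/cilium/hubble-relay:v1.12.8@sha256:{_B}
quay.io/cilium/hubble-relay:v1.12.8@sha256:{_C}
operator-generic
docker.io/cilium/operator-generic:v1.12.7@sha256:{_D}
"""

if __name__ == "__main__":
    for problem in check_manifests(BAD.splitlines(), "v1.12.8"):
        print(problem)
```

To use it against a real release, paste the page's manifest block into `check_manifests` with the release tag; a mirror-to-mirror digest mismatch or a missing digest is the signal to stop and investigate before pinning that reference in a deployment.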
1.11.15
We are pleased to release Cilium v1.11.15. This release contains several bugfixes, including (but not limited to) a fix for a bootstrapping issue and a fix for the `enable-stale-cilium-endpoint-cleanup` flag. We also made several improvements around Helm charts.
It also addresses the following security issues:
Note: When updating to this release, make sure that you are using the new Helm chart version.
Summary of Changes
Minor Changes:
- envoy: Bump envoy to 1.23.4 (Backport PR #23958, Upstream PR #23800, @sayboras)
- helm: Add pod and container security context (Backport PR #24089, Upstream PR #23443, @sayboras)
- helm: Add SA automount configuration (Backport PR #24089, Upstream PR #23441, @sayboras)
Bugfixes:
- Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24198, Upstream PR #24009, @squeed)
- agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23958, Upstream PR #23787, @giorio94)
- clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24089, Upstream PR #23947, @giorio94)
- envoy: Avoid empty typeURL for all resources (Backport PR #23862, Upstream PR #23763, @sayboras)
- Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23958, Upstream PR #23857, @giorio94)
- Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24308, Upstream PR #23874, @sjdot)
- Fix leaking service backend entries when services with terminating backends were deleted. (#23858, @aditighag)
- ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23958, Upstream PR #23713, @gandro)
- node: require ipv4 address when wireguard is enabled (Backport PR #24040, Upstream PR #23552, @giorio94)
Misc Changes:
- Add leader requirement to watch from Etcd. (Backport PR #24089, Upstream PR #23590, @marseel)
- bpf: Fix usage of tunnel map structs (Backport PR #24089, Upstream PR #23469, @pchaigno)
- bugtool: Add ingress/egress tc filter dump (Backport PR #24198, Upstream PR #24057, @joestringer)
- chore(deps): update all github action dependencies (v1.11) (minor) (#24004, @renovate[bot])
- chore(deps): update all github action dependencies (v1.11) (patch) (#23995, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.2 (v1.11) (#23924, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 9fa30fc (v1.11) (#24141, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (v1.11) (#23949, @renovate[bot])
- docs: Document CONFIG_PERF_EVENTS requirement (Backport PR #24198, Upstream PR #24055, @joestringer)
- docs: Fix the dead link to Mellanox performance tuning guide (Backport PR #24089, Upstream PR #24012, @gentoo-root)
- docs: replace usage of api.twitter.com (Backport PR #23958, Upstream PR #23669, @kaworu)
- fix(deps): update module golang.org/x/net to v0.7.0 [security] (master) (Backport PR #23958, Upstream PR #23904, @renovate[bot])
- Fixed link to broken anchor in RKE doc (Backport PR #23958, Upstream PR #23706, @raphink)
- IPsec: Remove IP_POOLS logic (Backport PR #24089, Upstream PR #24030, @pchaigno)
- Node ID restoration (Backport PR #23686, Upstream PR #23578, @pchaigno)
- Remove / in RKE doc link as it causes redirect bug (Backport PR #23958, Upstream PR #23728, @raphink)
- workflow: fixes LLVM, Clang cache and install path (Backport PR #23958, Upstream PR #23740, @brlbil)
Other Changes:
- docs: Enable Google Analytics for v1.11 documentation (#24066, @qmonnet)
- images: update cilium-{runtime,builder} for 1.11 (#24302, @nebril)
- install: Update image digests for v1.11.14 (#23737, @joestringer)
- Revert "Pick up etcd v3.4.23" (#23789, @michi-covalent)
- v1.11 - Backport initContainer change (#24329, @ferozsalam)
- v1.11 Backports 2023-03-14 (#24368, @nebril)
- v1.11 Backports 2023-03-15 (#24385, @nebril)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.11.15@sha256:434ea1ff40b8db76c2be6cabfa1bbd2b887eaabe42e757651ea14757468e3bf4
quay.io/cilium/cilium:v1.11.15@sha256:434ea1ff40b8db76c2be6cabfa1bbd2b887eaabe42e757651ea14757468e3bf4
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.11.15@sha256:66071d67f0249909c81cc3f94ad1dd2ae51e1451c400183a9337c04b9c1e076f
quay.io/cilium/clustermesh-apiserver:v1.11.15@sha256:66071d67f0249909c81cc3f94ad1dd2ae51e1451c400183a9337c04b9c1e076f
docker-plugin
docker.io/cilium/docker-plugin:v1.11.15@sha256:e2d10187f4e31a00fd751b6e5ac56bd3698ab6bd3c404cff06b7b2740d4327df
quay.io/cilium/docker-plugin:v1.11.15@sha256:e2d10187f4e31a00fd751b6e5ac56bd3698ab6bd3c404cff06b7b2740d4327df
hubble-relay
docker.io/cilium/hubble-relay:v1.11.15@sha256:352a65dde7c324ace5d6442f626f82c19550dd581e17f8f7e7aba30325c96d9e
quay.io/cilium/hubble-relay:v1.11.15@sha256:352a65dde7c324ace5d6442f626f82c19550dd581e17f8f7e7aba30325c96d9e
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.11.15@sha256:712972b46f592bd80a8e4c66e9b5cdcc73705740bf2cea84a6df131107a01699
quay.io/cilium/operator-alibabacloud:v1.11.15@sha256:712972b46f592bd80a8e4c66e9b5cdcc73705740bf2cea84a6df131107a01699
operator-aws
docker.io/cilium/operator-aws:v1.11.15@sha256:3aa776003eee064a6896b6ad712f55293d4e045defbe14d3768d224ce254d5c3
quay.io/cilium/operator-aws:v1.11.15@sha256:3aa776003eee064a6896b6ad712f55293d4e045defbe14d3768d224ce254d5c3
operator-azure
docker.io/cilium/operator-azure:v1.11.15@sha256:81e5168c977806a7f310aa57cca74c908fe6ea323518804e15c48bc786b99271
quay.io/cilium/operator-azure:v1.11.15@sha256:81e5168c977806a7f310aa57cca74c908fe6ea323518804e15c48bc786b99271
operator-generic
docker.io/cilium/operator-generic:v1.11.15@sha256:1feed1b895b39c7bdcbfe6232536e26edba9beb41c160c66d539de4358275a2e
quay.io/cilium/operator-generic:v1.11.15@sha256:1feed1b895b39c7bdcbfe6232536e26edba9beb41c160c66d539de4358275a2e
operator
docker.io/cilium/operator:v1.11.15@sha256:97e6df665e10a08b2fbb5aefb183564debe0a0a4108b371a2f4d95f38c56f56c
quay.io/cilium/operator:v1.11.15@sha256:97e6df665e10a08b2fbb5aefb183564debe0a0a4108b371a2f4d95f38c56f56c
1.14.0-snapshot.0
Summary of Changes
Major Changes:
- Add WireGuard host2host and LB encryption (#19401, @brb)
- policy: Promote Deny Policies from Beta to Stable (#22966, @nathanjsweet)
Minor Changes:
- Add CLI command to dump cgroups metadata (#23641, @alexkats)
- Add flag to configure the size of the egress gateway policy map (#23019, @cyclinder)
- Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#22731, @marqc)
- Add pod-name hubble metrics context for pod name label without namespace (#23199, @chancez)
- Add support for the ingressclass.kubernetes.io/is-default-class annotation on Cilium's IngressClass (#23719, @meyskens)
- alibabacloud: Support selecting subnet by IDs (#23131, @jaffcheng)
- Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#22866, @akhilles)
- Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#22911, @lvyanru8200)
- cilium/cmd: Remove deprecated policy_trace command (#23550, @sayboras)
- egressgw: add support for excludedCIDRs (#23448, @jibi)
- Enable configuration of the source IP verification per endpoint (#23985, @pchaigno)
- envoy: Bump envoy to 1.24.2 (#23940, @sayboras)
- Expand agent metric Policy Import Errors to count all policy changes (#23349, @dlapcevic)
- Fix docker-cilium-image target for DOCKER_FLAGS=--push (#23679, @pippolo84)
- gateway-api: Bump version to v0.6.0 (#22680, @sayboras)
- helm: Add pod and container security context (#23443, @sayboras)
- helm: Add SA automount configuration (#23441, @sayboras)
- helm: Add support of annotations in hubble ui service (#23709, @brnck)
- helm: use Helm hooks instead of Job unique name (#23102, @sathieu)
- hubble-relay: deprecate peer svc through local unix domain socket (#23407, @kaworu)
- ingress: Add loadBalancerIP and loadBalancerClass (#22670, @oliver-ni)
- install/kubernetes: make image digests for all components optional & configurable (#22732, @rastislavs)
- ipam/crd: Add new flag for configuring CiliumNode update rate (#23017, @jaffcheng)
- metrics: support toggle bootstrap times metric via daemon config (#22643, @ArthurChiao)
- Modify operator metric CES errors sync to count all CES sync events (#23335, @dlapcevic)
- operator: proper rolling update (#23589, @mhofstetter)
- option,helm: Add a flag to opt out from support for Kubernetes NetworkPolicy in Cilium (#23127, @ChengyuanLiCY)
- Return better error codes from hooked syscalls, such as connect() and bind(). (#22965, @gentoo-root)
- sysdump: Added Kubernetes CNI logs to sysdump. (#23937, @marseel)
Bugfixes:
- bpf: Fix broken remote-node identity classification (#23091, @ysksuzuki)
- clustermesh: fix cluster synchronization wait group increment (#23741, @giorio94)
- clustermesh: fix services cache bloat due to incorrect deletion (#23947, @giorio94)
- datapath: Do not send ICMP6 NA over cilium_wg0 (#23969, @brb)
- datapath: Fix L7 reply to outside when endpoint routes disabled (#21980, @brb)
- egressgw: update all internal caches once k8s state is synced (#24034, @jibi)
- Fix bug that would prevent SRv6 decapsulation when BPF Host Routing was disabled. (#23825, @ldelossa)
- Fix memory leak caused on clustermesh reconnect. (#23785, @oblazek)
- Fix operator crash race condition for CES identity map concurrent read/write (#23605, @dlapcevic)
- Fix restoreServicesLocked() potential nil pointer panic (#23446, @dlapcevic)
- fix(helm): add missing updateStrategy to hubble-ui deployment (#23975, @mhulscher)
- Fixes a bug where the Helm value cni.configMap no longer worked. (#23743, @squeed)
- Fixes a memory leak and (possible) source of stale data for Clustermesh whenever the connection to the remote cluster is disrupted or restarted. (#23532, @squeed)
- gateway-api: Combine metrics registry with operator (#23501, @sayboras)
- Hubble Relay: fix reported uptime (#23966, @rolinh)
- ipam/crd: Fix panic due to concurrent map read and map write (#23713, @gandro)
- kvstore: prevent deletion delay for node-unrelated events (#23745, @giorio94)
- Parses the IP addr passed as CIDR from the delegated IPAM and then use the IP addr from the parsed prefix. (#22918, @vipul-21)
- Removed unnecessary updates to service status by MetalLB (#23210, @ysksuzuki)
- Revert "datapath: Remove 2005 route table" (#23346, @brb)
- Support IPv4 DSR for packets with IP options. (#23810, @julianwiedmann)
- watchers: endpointsync can manage already owned CiliumEndpoints. (#23499, @tommyp1ckles)
CI Changes:
- .github: Clean up RBAC artifacts for v1.13 CI (#22823, @joestringer)
- .github: Pin docker buildx version to v0.9.1 (#23206, @joestringer)
- [UT]improve network_policy_test.go for apiversion (#22591, @my-git9)
- Add initial fuzz coverage of linux node handler. (#22577, @AdamKorcz)
- bpf/test: Get rid of 4.9 leftovers (#23399, @brb)
- bpf/tests: fix mac addresses definitions in egressgw test (#23351, @jibi)
- build: Generate SBOM during image release (#23221, @joestringer)
- ci/multicluster: Re-enable WireGuard testing (#22815, @gandro)
- ci: Disable WireGuard in ci-multicluster again (#23045, @gandro)
- ci: remove GKE from Jenkins jobs (#23826, @nbusseneau)
- ci: remove test namespace deletion workaround in GKE v1.12 workflow (#22655, @tklauser)
- ci: replace deprecated set-output command in integration test workflow (#23633, @tklauser)
- CI: switch to registry.k8s.io (#23821, @ameukam)
- ci: update cilium-cli to v0.12.12 (#23030, @tklauser)
- Disable failing encryption connectivity tests on GKE (#23183, @brlbil)
- Fix k8s podCIDRs for vagrant deployment (#22786, @romanspb80)
- Fix potential panic logic for checker.go (#22354, @yanggangtony)
- gh/workflow: Remove specific GKE 1.24.5 version (#23164, @brlbil)
- gh/workflows: Fix encryption installation in ci-datapath (#23325, @brb)
- gha: Bump timeout to 90 minutes for build commit. (#23996, @sayboras)
- gha: Run integration tests in GHA (#22900, @sayboras)
- kludge: hardcode Google Cloud SDK key due to error 500 (#24045, @nbusseneau)
- lint: enable gosec G402 (minimum TLS version) (#23247, @kaworu)
- mlh: update Jenkins jobs following removal of kernel 4.9 support (#23822, @nbusseneau)
- Move datapath verifier tests into GH actions workflow (#22754, @tklauser)
- pin managed clusters' K8s version on stable branches (#22724, @nbusseneau)
- pkg/k8s: Clean-up: Remove duplicate package import in pkg/k8s/factory_functions_test.go (#23433, @my-git9)
- policy: add two more fuzzers (#22336, @AdamKorcz)
- Quarantine "K8sDatapathConfig Iptables Skip conntrack for pod traffic test. (#23824, @marseel)
- resource: Work around a rare race in initial sync (#23292, @joamaki)
- Revert "build: Generate SBOM during image release" (#23204, @ldelossa)
- Revert "Use workflow configuration variables for quay organization na… (#23169, @michi-covalent)
- test, jenkinsfile: Clean up natnetworks in CI after test run (#22704, @pchaigno)
- test/Vagrantfile: Debug information for natnetwork (#22675, @pchaigno)
- test/Vagrantfile: Don't hide natnetwork errors (#22702, @pchaigno)
- test: add comments for NFS's IP ranges on local CI VM scripts (#22934, @Shunpoco)
- test: Bump timeout of service plumbing check (#23439, @pchaigno)
- test: Dump VirtualBox version used in CI jobs (#22701, @pchaigno)
- test: Enable Envoy trace logs for TLS test (#22646, @jrajahalme)
- test: ensure cleanup in hubble "test L7 flow" (#23525, @giorio94)
- test: Exclude per-endpoint object files from artifacts (#23382, @pchaigno)
- test: Get rid of 4.9 pipeline (#23343, @brb)
- test: Remove unused SkipGKEQuarantined helper (#23354, @pchaigno)
- test: Unquarantine K8sDatapathConfig Encapsulation (#22674, @pchaigno)
- test: Unquarantine tests for iptables-based masquerading (#23228, @pchaigno)
- test: Unquarantine working FQDN test (#23357, @pchaigno)
- test: Update policy for hairpin flow validation (#23480, @aditighag)
- Update image registry to quay.io (#23093, @obaranov1)
- Use workflow configuration variables for quay organization names (#23145, @michi-covalent)
- vagrant: bump box versions to pick up Go 1.20.1 (#23983, @tklauser)
- vagrant: Bump VM images to the latest versions (#22781, @pchaigno)
- workflow: Cover VXLAN + IPsec + endpoint routes in datapath tests (#23396, @pchaigno)
- workflow: Disable monitor aggregation in IPv6 smoke test (#23816, @pchaigno)
- workflow: enable pod-to-world tests (#23103, @brlbil)
- workflow: Reenable L7 tests on EKS + IPsec (#22617, @pchaigno)
- workflows: add trigger sentence in ci-verifier workflow file (#23587, @kaworu)
- workflows: Pin gke to 1.24.5 (#22798, @joamaki)
Misc Changes:
- .gitattributes: Highlight Jenkinsfiles as Groovy (#23435, @pchaigno)
- .gitattributes: Mark install/kubernetes/cilium/values.yaml as generated (#24007, @qmonnet)
- .github: fix renovate docker image update (#23229, @aanm)
- .github: fix renovate's config file (#23231, @aanm)
- @errordeveloper is no longer an active committer (#23293, @errordeveloper)
- [cilium cmd] fix wrong notes. (#22871, @yanggangtony)
- [cilium-cmd bpf-metrics-list] return first when []*metricsRow is nil. (#22873, @yanggangtony)
- [UT] k8s/utils/util.go ut enhancement (#23680, @my-git9)
- add CNCF Resources and Link CoC to Governance docs (#23689, @xmulligan)
- add Cosmonic to the Users file (#23290, @xmulligan)
- Add fuzzer for pkg/fqdn (#22519, @AdamKorcz)
- Add information about securing access to Cilium pods and provide a single page security reference (#23599, @zacharysarah)
- Add leader requirement to watch from Etcd. (#23590, @marseel)
- add renovate support for go mod (#23864, @aanm)
- Add Robinhood Markets to Cilium USERS.md (#24026, @madhusudancs)
- Add S&P Global to Users (#23700, @xmu...
1.13.0
Changelog
The Cilium core team are excited to announce the Cilium 1.13 release. 🎉
v1.13.0
Summary of Changes
Major Changes:
- Add IPv6 BIG TCP support (#20349, @NikAleksandrov)
- Add LoadBalancer IP address management (LB-IPAM) (#21764, @dylandreimerink)
- Add partial support for SCTP (#20033, @DolceTriade)
- Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
- Add support for k8s 1.26 (#22270, @thorn3r)
- Add tracing for socket-based load balancing. (#20492, @aditighag)
- Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
- bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann)
- cilium: completion of nat46/64 gateway (Backport PR #22948, Upstream PR #22421, @borkmann)
- CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)
- Datapath support for Cilium mTLS (#21822 , @jrajahalme)
- gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras)
- ingress: Support shared load balancer mode (#21386, @sayboras)
- Sign Cilium container images using cosign (#21918, @sandipanpanda)
- Support Kubernetes v1.21 new field internalTrafficPolicy=Local. (Backport PR #23001, Upstream PR #21871, @gentoo-root)
Minor Changes:
- [v1.13] hubble-relay: deprecate peer svc through local unix domain socket (#23442, @kaworu)
- add nonMasqueradeCIDRs configuration to the ipMasqAgent section in Helm Chart values. (#20137, @cyclinder)
- Add "cilium map events" command that lists bpf map operation events (#21235, @tommyp1ckles)
- Add --source-ranges option to cilium bpf lb list (#19705, @julianwiedmann)
- Add ability to specify topologySpreadConstraints on all parts using kind Deployment. This helps users to correctly spread the pods across failure-domains such as regions, zones, nodes, and other user-defined topology domains to achieve maximum high availability (HA) and efficient resource utilization. (#20046, @mkilchhofer)
- add an option to wait for kube-proxy (#20517, @michi-covalent)
- add helm option configuredMTU to overwrite auto-detected MTU and tunnelPort helm document (#20639, @vincentmli)
- Add metric on number of requests rejected by DNS Proxy semaphore (#20491, @rahulkjoshi)
- Add new ENI IPAM metrics for allocation, release (#20755, @wu0407)
- Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
- Add Prometheus gRPC metrics for hubble and hubble-relay (#20376, @chancez)
- Add support for disabling ENI PD at node level (#20308, @hemanthmalla)
- add support for k8s 1.25.0 (#20995, @aanm)
- Add support to fallback from ENI PD if subnet is out of /28 prefixes (#20822, @hemanthmalla)
- Add the additional print columns CiliumInternalIP and InternalIP for the kubectl get ciliumnode command. (#21258, @bavarianbidi)
- Add TraceID field to Hubble flow and populate it from L7/HTTP flow. (#21456, @rolinh)
- Add workload name and kind into L7 flows (#21039, @chancez)
- Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
- Added hubble.ui.frontend.server.ipv6.enabled helm flag to control nginx server ipv6 listener (#21127, @geakstr)
- Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol)
- Allow users to specify hostports with localhost hostIP (#21366, @aspsk)
- Automatically adjust bpf-policy-map-max if the maximum value is exceeded (#22129, @vishal-chdhry)
- bpf/tests: fix redundant usage of variable offset (#22390, @sahid)
- bpf: Add missing identity to TRACE_TO_STACK packet traces (#21403, @pchaigno)
- bpf: Implement Segment Routing Header (SRH) support (#20764, @pchaigno)
- bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
- Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
- Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer)
- CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (#20458, @jrajahalme)
- Cilium Istio integration is updated to Istio release 1.10.6 (#18384, @jrajahalme)
- Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme)
- cilium, bwm: Disable slow start after idle under pacing (#21356, @borkmann)
- cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
- cilium: Remove attached bpf_xdp upon "cilium cleanup" (#19735, @zhanghe9702)
- clarify some docs around the kubeProxyReplacement=partial mode (#19831, @aecay)
- clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
- ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
- daemon: Deprecate SockOps (Backport PR #23687, Upstream PR #23555, @brb)
- daemon: Don't auto disable session affinity (#16179, @brb)
- daemon: Rename host-reachable services to socket LB (#20369, @brb)
- Default NodesGCInterval in CLI is 5m (0s before) to align with default helm value. (#20671, @hemslo)
- Disable and deprecate force-local-policy-eval-at-source (#22190, @pchaigno)
- Disable eBPF host routing in cni chaining mode (#22044, @smwyzi)
- DNS proxy: forward the original security identity (#20711, @aspsk)
- DNS Proxy: pass original security identity (#20859, @aspsk)
- dnsproxy: stop serving DNS traffic before agent shutdown (#20795, @nebril)
- docs: refactor AKS installation instructions (Backport PR #23687, Upstream PR #23304, @nbusseneau)
- document ipv4/ipv6 native routing cidr helm option missing in Documentation and helm reference (#21195, @vincentmli)
- egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
- Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
- Enable operator operation without kubernetes. (#21344, @pruiz)
- eni: Add garbage collector for leaked ENIs (#21409, @gandro)
- envoy: Bump envoy version to 1.21.5 (#20771, @sayboras)
- envoy: Bump envoy version to 1.22.7 (Backport PR #23644, Upstream PR #23502, @sayboras)
- envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
- Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco)
- feat(helm): allow adding extra containers to the cilium daemonset (#20343, @mhulscher)
- feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink)
- Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
- Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic)
- fix empty message when tunnel and socketLB service missing in switch case (#21314, @vincentmli)
- fqdn/metrics: Fix ProxyUpstreamTime error=timeout (#20752, @joestringer)
- Get rid of KPR=probe and socket-LB protocols (#22083, @brb)
- helm: Add node-role.kubernetes.io/control-plane key (Backport PR #23001, Upstream PR #22893, @my-git9)
- helm: Add validation for Ingress Controller (#21550, @sayboras)
- helm: Document debug.verbose option (Backport PR #23284, Upstream PR #23178, @sayboras)
- Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
- helm: Properly support passing subnet-tags/subnet-ids/instance-tags filters as a list (#21297, @slayer321)
- helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
- helm: Remove duplicated key hostAliases (#20278, @sayboras)
- helm: Set Linux nodeSelector for nodeinit and preflight (#20216, @gandro)
- helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
- hubble/filter: add a new endpoint workload filter (#21296, @kaworu)
- hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
- hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
- hubble: Add hubble_policy_verdicts_total metric (#20470, @michi-covalent)
- hubble: Add kafka metrics (#21318, @chancez)
- hubble: Add reserved-identity metric context (#20474, @michi-covalent)
- hubble: add support for filtering by trace ID (#21551, @rolinh)
- hubble: Add support for SockLB tracing (#21685, @gandro)
- hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
- image: Bump base image to ubuntu 22.04 (#20943, @sayboras)
- image: Upgrade ubuntu base image to 22.04 (#21097, @sayboras)
- Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge)
- Improve verbosity of drop notification messages. (#20387, @aspsk)
- Improve verbosity of drop notification messages. (#20827, @aspsk)
- In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd)
- ingress: add websockets configuration (#20814, @nikhiljha)
- ingress: Follow-up items for shared LB mode (#21493, @sayboras)
- ingress: Propagate required annotations from Ingress to LB Service (#20860, @NikhilSharmaWe)
- ingress: Rename LB annotation to annotation prefixes (#21222, @sayboras)
- ingress: Support NodePort for dedicated Ingress (Backport PR #23284, Upstream PR #22974, @sayboras)
- install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
- install: add TerminationMessagePolicy to cilium pods (#21012, @squeed)
- Introduce Hubble HTTP v2 metrics an...