
Releases: cilium/cilium

v1.14.0-snapshot.2

28 Apr 22:20
v1.14.0-snapshot.2 Pre-release

We are pleased to release Cilium v1.14.0-snapshot.2.

Summary of Changes

Major Changes:

  • Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
  • Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (#24826, @jrajahalme)
  • Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)

Minor Changes:

  • Add --hubble-monitor-events flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
  • Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
  • Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
  • Add network policy auth method "always-fail" (#24609, @meyskens)
  • Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
  • auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
  • Change the cilium_host IPv6 address to use the node router IPv6 instead of the native node IPv6, and fix several related IPv6 issues. (#24208, @jschwinger233)
  • Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
  • cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
  • daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
  • Deprecate --tunnel in favor of --routing-mode and --tunnel-protocol. (#24561, @pchaigno)
  • Drop traffic matching an egress gateway policy when no gateway is found (#24835, @MrFreezeex)
  • Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
  • Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
  • Enabled cilium_bpf_map_pressure metric by default (#24721, @vishal-chdhry)
  • endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
  • envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
  • envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
  • envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
  • Expose Cilium agent go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#24745, @derailed)
  • Fix broken IPv6 connectivity from outside to a NodePort service when an L7 ingress policy is applied, by removing the PROXY_RT route table. (#24882, @jschwinger233)
  • helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
  • helm: Add SA to nodeinit ds (#24836, @darox)
  • Helm: Clean up deprecated values (#24214, @qmonnet)
  • ingress: Add ownerReferences for shared mode (#24942, @sayboras)
  • Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
  • ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
  • mtls: SPIRE server and agent installation (#24765, @sayboras)
  • Provides operational state of BGP peers via CLI 'cilium bgp peers' (#24612, @harsimran-pabla)
  • Remove sockops-enable and friends (#23606, @mohit-marathe)
  • Rename the sec_label field in remote_endpoint_info structure to sec_identity (#25057, @ldelossa)
  • Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
  • Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
  • The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)

Bugfixes:

  • Address cilium-agent startup performance regression. (#25007, @bimmlerd)
  • bpf: dsr: fix parsing of IPv6 AUTH extension header (#24792, @julianwiedmann)
  • bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
  • bpf: policy: fix handling of ICMPv6 packet with extension headers (#24797, @julianwiedmann)
  • Bugfix: Invert --hubble-monitor-events logic to be an allowlist (#25167, @epk)
  • cmd/cleanup: Fix cleanup of generic XDP programs (#25117, @pchaigno)
  • Filter ipv6 advertisements when using metallb as BGP speaker. (#25043, @harsimran-pabla)
  • Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (#24807, @jschwinger233)
  • Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (#25024, @pchaigno)
  • Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (#24825, @christarazi)
  • Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (#24785, @giorio94)
  • Fix incorrect network policy eBPF setup that may lead to packets being wrongly denied when a CEP is present in multiple CESs (#24838, @alan-kut)
  • Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
  • Fix operator startup delay caused by leader election lease not being released correctly (#24978, @giorio94)
  • Fix panic due to assignment to nil BGP service announcements map. (#24985, @harsimran-pabla)
  • Fix security-group-tags not working in ENI (#24951, @aanm)
  • Fix a bug where long-lived connections through the egress gateway could be reset. (#24905, @gentoo-root)
  • Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (#24788, @jrajahalme)
  • gateway-api: Re-queue gateway for namespace change (#24624, @sayboras)
  • Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (#24681, @aditighag)
  • helm: mandate issuer configuration when using cert-manager to generate certificates (#24666, @giorio94)
  • ipcache: don't short-circuit InjectLabels if the source differs (#24875, @squeed)
  • ipsec: Clean up stale XFRM policies and states (#24773, @pchaigno)
  • pkg/kvstore: Fix for deadlock in etcd status checker (#24786, @hemanthmalla)
  • Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (#24646, @MrFreezeex)
  • Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (#24672, @bimmlerd)
  • The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)
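
The two datapath fixes listed above for IPv6 extension headers (#24792, #24797) concern the same class of pitfall: the Authentication Header (RFC 4302) encodes its length in 4-octet units minus 2, while Hop-by-Hop, Routing and Destination Options headers (RFC 8200) use 8-octet units not counting the first 8 octets, so a header walker that applies the generic formula to AH lands at the wrong offset for the ICMPv6 or L4 header and can classify the packet incorrectly for policy purposes. The Python below is an added illustration of that pitfall; it is not Cilium's BPF datapath code and does not describe the specific defect fixed in those PRs. The packet is constructed by hand (ICMPv6 checksum left as zero), and the `generic_ah` switch is this example's own device for showing the wrong length formula beside the right one.

```python
"""Walk an IPv6 extension header chain to find the upper-layer protocol.

Added illustration, not Cilium datapath code.  The packet built below is
constructed by hand; its ICMPv6 checksum is left as zero.
"""
import struct

IPV6_HDR_LEN = 40
# Extension header and upper-layer protocol numbers (IANA assignments).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS, NO_NEXT = 0, 43, 44, 50, 51, 60, 59
MOBILITY, HIP, SHIM6 = 135, 139, 140
TCP, UDP, ICMPV6 = 6, 17, 58

# RFC 8200-style headers: Hdr Ext Len counts 8-octet units, not including the
# first 8 octets.  Fragment is always 8 octets.  ESP is opaque and ends the walk.
EIGHT_OCTET_HDRS = {HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY, HIP, SHIM6}
WALKABLE = EIGHT_OCTET_HDRS | {FRAGMENT, AUTH}


def ext_hdr_size(nh, length_byte, generic_ah=False):
    """Size in bytes of an extension header of type nh whose second byte is length_byte."""
    if nh == FRAGMENT:
        return 8
    if nh == AUTH and not generic_ah:
        # RFC 4302: AH Payload Len is in 4-octet units, minus 2.
        return (length_byte + 2) * 4
    # Generic RFC 8200 formula.  Applying it to AH (generic_ah=True) is the pitfall.
    return (length_byte + 1) * 8


def walk_ipv6(pkt, generic_ah=False, max_hdrs=8):
    """Return (upper_layer_proto, byte offset of its header), or raise ValueError."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    for _ in range(max_hdrs):          # bound the chain so a crafted packet cannot loop us
        if nh not in WALKABLE:
            break
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        size = ext_hdr_size(nh, pkt[off + 1], generic_ah)
        nh, off = pkt[off], off + size
    else:
        raise ValueError("extension header chain too long")
    if off > len(pkt):
        raise ValueError("upper-layer offset %d beyond packet end %d" % (off, len(pkt)))
    return nh, off


def upper_layer_or_none(pkt, generic_ah=False):
    """Same as walk_ipv6 but returns None instead of raising; handy for tabulating results."""
    try:
        return walk_ipv6(pkt, generic_ah)
    except ValueError:
        return None


def build_packet():
    """Constructed packet: IPv6 | Hop-by-Hop (8 B) | AH (24 B) | ICMPv6 echo request (8 B)."""
    icmp = bytes([128, 0, 0, 0]) + struct.pack("!HH", 0xBEEF, 1)   # type 128, checksum 0
    # AH: next hdr, Payload Len 4 -> (4+2)*4 = 24 bytes, reserved, SPI, seq, 12-byte ICV.
    ah = bytes([ICMPV6, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\x00" * 12
    # Hop-by-Hop: next hdr, Hdr Ext Len 0 -> 8 bytes, PadN option (type 1, len 4) as filler.
    hbh = bytes([AUTH, 0, 1, 4, 0, 0, 0, 0])
    payload = hbh + ah + icmp
    src = bytes.fromhex("fd00" + "00" * 13 + "01")
    dst = bytes.fromhex("fd00" + "00" * 13 + "02")
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return hdr + payload


def icmpv6_type(pkt, generic_ah=False):
    """ICMPv6 type byte if the walk ends in ICMPv6, else None."""
    proto, off = walk_ipv6(pkt, generic_ah)
    return pkt[off] if proto == ICMPV6 else None


if __name__ == "__main__":
    pkt = build_packet()
    print("correct AH length:", walk_ipv6(pkt), "ICMPv6 type", icmpv6_type(pkt))
    print("generic formula on AH:", upper_layer_or_none(pkt, generic_ah=True))
```

With the correct AH formula the walk ends at offset 72 with protocol 58 (ICMPv6) and reads the echo-request type; with the generic formula the computed offset (88) lies past the end of this 80-byte packet, and on a longer packet it would simply read the wrong bytes as the ICMPv6 type and code. A policy engine that matched on those misread fields would enforce the wrong rule, which is why the extension-header walk deserves its own tests for each header type.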

CI Changes:


1.13.2

18 Apr 17:41

We are pleased to release Cilium v1.13.2.

This release addresses the following security issue:

Note: When updating to this release, make sure that you are using the new Helm chart version.

Summary of Changes

Known Issues:

  • There is a known issue (#24502) with CiliumNetworkPolicies that makes the kube-apiserver entity unreliable. Until this is resolved, it is recommended to remain on Cilium v1.12 or earlier if you are using the kube-apiserver entity in your CiliumNetworkPolicies.

Minor Changes:

Bugfixes:

  • agent: rework clustermesh config watcher for increased robustness (Backport PR #24547, Upstream PR #24163, @giorio94)
  • bpf: dsr: fix parsing of IPv6 AUTH extension header (Backport PR #24821, Upstream PR #24792, @julianwiedmann)
  • bpf: fix ipv6 extension header parsing error (Backport PR #24706, Upstream PR #24309, @chenyuezhou)
  • bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #24821, Upstream PR #24797, @julianwiedmann)
  • Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (Backport PR #24607, Upstream PR #24339, @giorio94)
  • daemon: initialize datapath before compiling sockops programs (Backport PR #24547, Upstream PR #24140, @jibi)
  • egressgw: update all internal caches once k8s state is synced (Backport PR #24706, Upstream PR #24034, @jibi)
  • endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #24706, Upstream PR #24575, @mhofstetter)
  • Fix a bug where users are unable to change a wrong remote etcd configuration (Backport PR #24547, Upstream PR #24046, @oblazek)
  • Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (Backport PR #24706, Upstream PR #24619, @giorio94)
  • Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #24547, Upstream PR #24304, @dylandreimerink)
  • Fix bug where ingress policies for remote-node identities are not applied correctly when new nodes join the cluster, specifically when the joining nodes had IP addresses specified in CIDR policies (Backport PR #24547, Upstream PR #23764, @christarazi)
  • Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #24547, Upstream PR #24189, @forgems)
  • Fix for disabled cloud provider rate limiting (Backport PR #24547, Upstream PR #24413, @hemanthmalla)
  • Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24870, @aanm)
  • Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24843, Upstream PR #24788, @jrajahalme)
  • gateway-api: Re-queue gateway for namespace change (Backport PR #24758, Upstream PR #24624, @sayboras)
  • Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (Backport PR #24758, Upstream PR #24681, @aditighag)
  • helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #24821, Upstream PR #24666, @giorio94)
  • ipsec: Clean up stale XFRM policies and states (Backport PR #24821, Upstream PR #24773, @pchaigno)
  • Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (Backport PR #24706, Upstream PR #24646, @MrFreezeex)
  • Service backends with publishNotReadyAddresses are able to receive traffic regardless of whether they are Terminating, since it is the user's intent to make them reachable despite their state. (Backport PR #24547, Upstream PR #24174, @aojea)
  • Set user-agent for k8s client with Cilium's version (Backport PR #24547, Upstream PR #24275, @aanm)
  • Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (Backport PR #24814, Upstream PR #24672, @bimmlerd)
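
The L7 rule-merging fix (Upstream PR #24788, listed in this release and backported to the other releases on this page) describes a wildcard rule from an allow-all policy for one remote endpoint leaking into the HTTP rule set it shares with other endpoints, so that those endpoints bypass their header restrictions. The Python below is an added model of how that class of merge goes wrong when a per-endpoint rule list is shared by reference instead of copied; it is not Cilium's policy code and does not claim to reproduce the exact code path of the fix. The policy dicts only loosely mirror CiliumNetworkPolicy ingress fields (fromEndpoints, toPorts[].rules.http), and the endpoint names are made up.

```python
"""Model of HTTP (L7) rule merging across policies that select the same remote
endpoint.  Constructed example; not Cilium's policy code."""

# A rule whose method and path are both None matches any request.  An L3/L4
# allow with no HTTP restriction is represented as this single wildcard rule.
WILDCARD = {"method": None, "path": None}


def http_rule_matches(rule, method, path):
    return rule["method"] in (None, method) and rule["path"] in (None, path)


def sample_policies():
    """Two policies on port 80, loosely shaped like CNP ingress rules (made-up names)."""
    return [
        # Policy 1: two remote endpoints may only GET /public.
        {"name": "shared-http-rules",
         "fromEndpoints": ["app-a", "app-b"],
         "http": [{"method": "GET", "path": "/public"}]},
        # Policy 2: app-a alone is allowed at L3/L4 with no L7 restriction at all.
        {"name": "allow-all-from-a",
         "fromEndpoints": ["app-a"],
         "http": None},
    ]


def merge_l7(policies, aliasing_bug=False):
    """Return {remote_endpoint: [http rules]} after merging every policy.

    aliasing_bug=True reproduces the failure mode: the first policy's rule list
    is stored by reference for every remote endpoint it selects, so a later
    append on behalf of one endpoint silently shows up for the others too.
    """
    per_remote = {}
    for pol in policies:
        rules = pol["http"] if pol["http"] is not None else [WILDCARD]
        for remote in pol["fromEndpoints"]:
            if remote not in per_remote:
                # Fixed behaviour: each remote endpoint owns its own copy of the rules.
                per_remote[remote] = rules if aliasing_bug else list(rules)
            else:
                for r in rules:
                    if r not in per_remote[remote]:
                        per_remote[remote].append(r)
    return per_remote


def allowed(per_remote, remote, method, path):
    """Would a request from `remote` be admitted under the merged rules?"""
    return any(http_rule_matches(r, method, path) for r in per_remote.get(remote, []))


def audit(aliasing_bug):
    """Check the three requests that distinguish correct merging from the leak."""
    table = merge_l7(sample_policies(), aliasing_bug=aliasing_bug)
    return {
        "a_post_admin": allowed(table, "app-a", "POST", "/admin"),   # allowed by policy 2
        "b_get_public": allowed(table, "app-b", "GET", "/public"),   # allowed by policy 1
        "b_post_admin": allowed(table, "app-b", "POST", "/admin"),   # must be denied
    }


if __name__ == "__main__":
    print("buggy:", audit(True))    # b_post_admin True: app-b bypasses its header rules
    print("fixed:", audit(False))   # b_post_admin False
```

The observable symptom is the same one the release note describes: app-b, which only ever appeared in a policy restricting it to GET /public, is suddenly allowed to POST /admin because the wildcard meant for app-a was appended to a list app-b also pointed at. When reviewing any policy compiler, a useful regression test is exactly this shape: one rule selecting several peers with L7 constraints, plus a broader allow for a strict subset of those peers, asserting that the peers outside the subset keep their constraints.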

CI Changes:

  • bpf/test: Add unit test to check whether netpol drops result in metric counter increment (Backport PR #24607, Upstream PR #24469, @brb)
  • bpf/tests: fix mac addresses definitions in egressgw test (Backport PR #24607, Upstream PR #23351, @jibi)
  • datapath/linux/route: fix CI expectations for rule string format (Backport PR #24607, Upstream PR #24577, @NikAleksandrov)
  • Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24706, Upstream PR #24484, @jschwinger233)
  • Fixed flake in the TestRequestIPWithMismatchedLabel LB-IPAM tests. (Backport PR #24547, Upstream PR #23297, @dylandreimerink)
  • gha: Clean-up Ingress/GatewayAPI Conformance tests (Backport PR #24441, Upstream PR #24025, @sayboras)
  • Increase timeout waiting for resources in Ingress conformance test (Backport PR #24441, Upstream PR #24388, @meyskens)
  • Port verifier tests to Go (Backport PR #24706, Upstream PR #24538, @ti-mo)
  • renovate: Fix Hubble release digest regex (Backport PR #24547, Upstream PR #24477, @gandro)
  • test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (Backport PR #24547, Upstream PR #24144, @joestringer)
  • test: Remove some {DP,Services} Ginkgo test cases (Backport PR #24547, Upstream PR #24223, @brb)
  • test: Update 1.26 k8s version (Backport PR #24607, Upstream PR #24569, @sayboras)
  • tests: add exceptions for lease errors due to etcd (Backport PR #24758, Upstream PR #24723, @jibi)

Misc Changes:

  • Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24929, Upstream PR #24928, @aanm)
  • Avoid clearing objects in conversion funcs (Backport PR #24929, Upstream PR #24241, @odinuge)
  • bgp: extract exportPodCIDRReconciler logic into a generic function (Backport PR #24607, Upstream PR #24546, @jibi)
  • bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (Backport PR #24547, Upstream PR #24271, @borkmann)
  • bpf_test: use bpf.LoadCollection, print full verifier error logs (Backport PR #24607, Upstream PR #23281, @ti-mo)
  • checker: Fix incorrect checker for ExportedEqual() (Backport PR #24547, Upstream PR #24373, @christarazi)
  • chore(deps): update base-images (v1.13) (#24467, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.11.3 (v1.13) (#24799, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24233, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24234, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24800, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24802, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.19.7 docker digest to d2078d2 (v1.13) (#24550, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.19.8 docker digest to 31a2f92 (v1.13) (#24831, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.13) (#24472, @renovate[bot])
  • cilium, docs: Move sig-datapath meeting to on-demand only (Backport PR #24547, Upstream PR #24205, @borkmann)
  • doc: Fixed CiliumNode CRD fields for cluster-pool doc (Backport PR #24547, Upstream PR #24428, @PhilipSchmid)
  • doc: kubeProxyReplacement=strict / kube-proxy co-existence (Backport PR #24547, Upstream PR #24407, @PhilipSchmid)
  • docs: add note that there are two Cilium CLIs (Backport PR #24547, Upstream PR #24435, @lizrice)
  • docs: Cleanup and update list of supported drivers for XDP (Backport PR #24547, Upstream PR #24398, @pchaigno)
  • docs: Document the threat model for Cilium (Backport PR #24706, Upstream PR #24497, @ferozsalam)
  • docs: fix typo in operations/troubleshooting.rst (Backport PR #24547, Upstream PR #24460, @NikAleksandrov)
  • docs: Fix upgradeCompatibility references (Backport PR #24758, Upstream PR #24711, @joestringer)
  • docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24547, Upstream PR #24164, @jspaleta)
  • docs: Update egress gateway limitations (Backport PR #24547, Upstream PR #24244, @pchaigno)
  • docs: Update the documentation for the --conntrack-gc-interval flag (Backport PR #24547, Upstream PR #24400, @pchaigno)
  • egressgw: change special values for gatewayIP (Backport PR #24849, Upstream PR #24449, @MrFreezeex)
  • Emit full verifier logs to agent logs and verifier.log in the endpoint directory (Backport PR #24706, Upstream PR #24506, @ti-mo)
  • endpoint: correctly log IPv6 addresses (Backport PR #24547, Upstream PR #24255, @tklauser)
  • Expose bpf-lb-sock-hostns-only in cilium status (Backport PR #24758, Upstream PR #24570, @romanspb80)
  • Fix duplicated logs for test-output.log (Backport PR #24547, Upstream PR #24171, @romanspb80)
  • Fixed BPF tests which would fail on older kernels (<=5.8) due to unsupported program loading (Backport PR #24607, Upstream PR #22980, @dylandreimerink)
  • gha:...

1.12.9

18 Apr 17:41

We are pleased to release Cilium v1.12.9.

This release addresses the following security issue:

Note: When updating to this release, make sure that you are using the new Helm chart version.

Summary of Changes

Minor Changes:

Bugfixes:

  • Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (Backport PR #24605, Upstream PR #24557, @jschwinger233)
  • bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #24822, Upstream PR #24797, @julianwiedmann)
  • endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #24709, Upstream PR #24575, @mhofstetter)
  • Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #24462, Upstream PR #24304, @dylandreimerink)
  • Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #24462, Upstream PR #24189, @forgems)
  • Fix for disabled cloud provider rate limiting (Backport PR #24462, Upstream PR #24413, @hemanthmalla)
  • Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24871, @aanm)
  • Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24851, Upstream PR #24788, @jrajahalme)
  • Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (Backport PR #24761, Upstream PR #24681, @aditighag)
  • helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #24822, Upstream PR #24666, @giorio94)
  • ipsec: Clean up stale XFRM policies and states (Backport PR #24822, Upstream PR #24773, @pchaigno)
  • Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (Backport PR #24669, Upstream PR #24672, @bimmlerd)

CI Changes:

Misc Changes:

  • Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24930, Upstream PR #24928, @aanm)
  • Avoid clearing objects in conversion funcs (Backport PR #24930, Upstream PR #24241, @odinuge)
  • bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (Backport PR #24462, Upstream PR #24271, @borkmann)
  • checker: Fix incorrect checker for ExportedEqual() (Backport PR #24462, Upstream PR #24373, @christarazi)
  • chore(deps): update dependency cilium/hubble to v0.11.3 (v1.12) (#24819, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.16.5 (v1.12) (#24640, @renovate[bot])
  • chore(deps): update docker.io/library/alpine:3.16.4 docker digest to 2cf17aa (v1.12) (#24479, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 24a0df4 (v1.12) (#24480, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.12) (#24492, @renovate[bot])
  • doc: Fixed CiliumNode CRD fields for cluster-pool doc (Backport PR #24605, Upstream PR #24428, @PhilipSchmid)
  • docs: add note that there are two Cilium CLIs (Backport PR #24605, Upstream PR #24435, @lizrice)
  • docs: fix typo in operations/troubleshooting.rst (Backport PR #24605, Upstream PR #24460, @NikAleksandrov)
  • docs: Fix upgradeCompatibility references (Backport PR #24761, Upstream PR #24711, @joestringer)
  • docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24462, Upstream PR #24164, @jspaleta)
  • docs: Update the documentation for the --conntrack-gc-interval flag (Backport PR #24462, Upstream PR #24400, @pchaigno)
  • Expose bpf-lb-sock-hostns-only in cilium status (Backport PR #24761, Upstream PR #24570, @romanspb80)
  • Fix duplicated logs for test-output.log (Backport PR #24462, Upstream PR #24171, @romanspb80)
  • hubble-ui: allow ingress from non root / urls (Backport PR #24605, Upstream PR #23631, @geakstr)
  • loader: Don't compile .asm files by default (Backport PR #24822, Upstream PR #24769, @pchaigno)
  • pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24761, Upstream PR #24715, @aanm)
  • pkg/service: Extend unit test cases (Backport PR #24822, Upstream PR #24742, @aditighag)
  • proxylib: Downgrade noisy log msg to debug level (Backport PR #24462, Upstream PR #22848, @christarazi)

Other Changes:

  • Add IPSec remark for upgrade to v1.12.8 (#24630, @darox)
  • Add note about fixed regression in ConfigMap values that were being prioritized over flags in Cilium agent (#24744, @aanm)
  • install: Update image digests for v1.12.8 (#24426, @nebril)
  • Prepare for release v1.12.9 (#24879, @michi-covalent)
  • v1.12: docs: Fix mitigation for IPsec upgrade issue (#24702, @pchaigno)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.9@sha256:677e7a906506b8a13fecb6f0f783ed647b36036786c8c640ff98e25ec2f2ab1f
quay.io/cilium/cilium:v1.12.9@sha256:677e7a906506b8a13fecb6f0f783ed647b36036786c8c640ff98e25ec2f2ab1f

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.9@sha256:51ac1cd2b9ff753e5e8e4881e2777095879f3c91b4366ce1c43b329c1eeeb5fa
quay.io/cilium/clustermesh-apiserver:v1.12.9@sha256:51ac1cd2b9ff753e5e8e4881e2777095879f3c91b4366ce1c43b329c1eeeb5fa

docker-plugin

docker.io/cilium/docker-plugin:v1.12.9@sha256:8d758033584cdae93ca14479e2bc93bf9cbd89bc489755121b1155713148199e
quay.io/cilium/docker-plugin:v1.12.9@sha256:8d758033584cdae93ca14479e2bc93bf9cbd89bc489755121b1155713148199e

hubble-relay

docker.io/cilium/hubble-relay:v1.12.9@sha256:ec6cf2f48b9d2dec73a24eca1e881d9792c2ca6d6beb4c23b5ab97255feb3eb5
quay.io/cilium/hubble-relay:v1.12.9@sha256:ec6cf2f48b9d2dec73a24eca1e881d9792c2ca6d6beb4c23b5ab97255feb3eb5

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.9@sha256:eb64357e4f130152e60ba02f83424e434aad1cf07efabaeb9f4b9da71b51cb78
quay.io/cilium/operator-alibabacloud:v1.12.9@sha256:eb64357e4f130152e60ba02f83424e434aad1cf07efabaeb9f4b9da71b51cb78

operator-aws

docker.io/cilium/operator-aws:v1.12.9@sha256:e09f06655437f62e2c332a4951798a56cf5e09f46e795e2ad9f5d4b8e8c48393
quay.io/cilium/operator-aws:v1.12.9@sha256:e09f06655437f62e2c332a4951798a56cf5e09f46e795e2ad9f5d4b8e8c48393

operator-azure

docker.io/cilium/operator-azure:v1.12.9@sha256:601321b0cadd218f369fb2d636f15d17a4ab0871047dee8a3bcfdb7abe897404
quay.io/cilium/operator-azure:v1.12.9@sha256:601321b0cadd218f369fb2d636f15d17a4ab0871047dee8a3bcfdb7abe897404

operator-generic

docker.io/cilium/operator-generic:v1.12.9@sha256:cc8d7b222f63812c691a685b32fedab8a805d243da720653cdc2ff0c4a562673
quay.io/cilium/operator-generic:v1.12.9@sha256:cc8d7b222f63812c691a685b32fedab8a805d243da720653cdc2ff0c4a562673

operator

docker.io/cilium/operator:v1.12.9@sha256:a2f69a499881873494bfdef8f3ae48dd8739fecd3e8e85b1fa88ae20f53a75b6
quay.io/cilium/operator:v1.12.9@sha256:a2f69a499881873494bfdef8f3ae48dd8739fecd3e8e85b1fa88ae20f53a75b6

1.11.16

18 Apr 17:42

We are pleased to release Cilium v1.11.16.

This release addresses the following security issue:

Note: When updating to this release, make sure that you are using the new Helm chart version.

Summary of Changes

Minor Changes:

Bugfixes:

  • Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (Backport PR #24604, Upstream PR #24557, @jschwinger233)
  • Fix for disabled cloud provider rate limiting (Backport PR #24458, Upstream PR #24413, @hemanthmalla)
  • Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24872, @aanm)
  • Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24852, Upstream PR #24788, @jrajahalme)
  • Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (Backport PR #24823, Upstream PR #24681, @aditighag)
  • ipsec: Clean up stale XFRM policies and states (Backport PR #24823, Upstream PR #24773, @pchaigno)

CI Changes:

Misc Changes:

  • Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24931, Upstream PR #24928, @aanm)
  • Avoid clearing objects in conversion funcs (Backport PR #24931, Upstream PR #24241, @odinuge)
  • checker: Fix incorrect checker for ExportedEqual() (Backport PR #24458, Upstream PR #24373, @christarazi)
  • chore(deps): update dependency cilium/hubble to v0.11.3 (v1.11) (#24820, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.16.5 (v1.11) (#24644, @renovate[bot])
  • chore(deps): update docker.io/library/alpine:3.16.4 docker digest to 2cf17aa (v1.11) (#24493, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 24a0df4 (v1.11) (#24498, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.11) (#24499, @renovate[bot])
  • docs: add note that there are two Cilium CLIs (Backport PR #24604, Upstream PR #24435, @lizrice)
  • docs: fix typo in operations/troubleshooting.rst (Backport PR #24604, Upstream PR #24460, @NikAleksandrov)
  • docs: Fix upgradeCompatibility references (Backport PR #24823, Upstream PR #24711, @joestringer)
  • docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24458, Upstream PR #24164, @jspaleta)
  • docs: Update the documentation for the --conntrack-gc-interval flag (Backport PR #24458, Upstream PR #24400, @pchaigno)
  • Fix duplicated logs for test-output.log (Backport PR #24458, Upstream PR #24171, @romanspb80)
  • hubble-ui: allow ingress from non root / urls (Backport PR #24604, Upstream PR #23631, @geakstr)
  • loader: Don't compile .asm files by default (Backport PR #24823, Upstream PR #24769, @pchaigno)
  • pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24823, Upstream PR #24715, @aanm)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.16@sha256:d2f2632c997a027ee4e540432edb4d8594e78e33315427e7ec3c06b473ec1e4e
quay.io/cilium/cilium:v1.11.16@sha256:d2f2632c997a027ee4e540432edb4d8594e78e33315427e7ec3c06b473ec1e4e

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.16@sha256:67a051ef38ae113bcf7dc27ebb23a1137ece961ce86f087226ff5a0046099106
quay.io/cilium/clustermesh-apiserver:v1.11.16@sha256:67a051ef38ae113bcf7dc27ebb23a1137ece961ce86f087226ff5a0046099106

docker-plugin

docker.io/cilium/docker-plugin:v1.11.16@sha256:1ee1bae0c2299d94ff162fc2847f9827823ff3d8e055e07da06e4ca28efe9391
quay.io/cilium/docker-plugin:v1.11.16@sha256:1ee1bae0c2299d94ff162fc2847f9827823ff3d8e055e07da06e4ca28efe9391

hubble-relay

docker.io/cilium/hubble-relay:v1.11.16@sha256:c4c12759ba628e64a0f3fada99d2632627e5391ae0b49c3f35da51c3ba9eac9f
quay.io/cilium/hubble-relay:v1.11.16@sha256:c4c12759ba628e64a0f3fada99d2632627e5391ae0b49c3f35da51c3ba9eac9f

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.16@sha256:d60aedfabf0957da1d975ee54779172f990366e9fb8bf55184ac31a0d77adc65
quay.io/cilium/operator-alibabacloud:v1.11.16@sha256:d60aedfabf0957da1d975ee54779172f990366e9fb8bf55184ac31a0d77adc65

operator-aws

docker.io/cilium/operator-aws:v1.11.16@sha256:526dab3bee6231f71da44d14f25c17dfb53afba876bfc99374a11c0fb4278e36
quay.io/cilium/operator-aws:v1.11.16@sha256:526dab3bee6231f71da44d14f25c17dfb53afba876bfc99374a11c0fb4278e36

operator-azure

docker.io/cilium/operator-azure:v1.11.16@sha256:0c2da6adf29f521f6d2ffe92794ad598fc99231eba2814b80cf608362cc14a3c
quay.io/cilium/operator-azure:v1.11.16@sha256:0c2da6adf29f521f6d2ffe92794ad598fc99231eba2814b80cf608362cc14a3c

operator-generic

docker.io/cilium/operator-generic:v1.11.16@sha256:ea3fbe5ab65efc41228d716a64804b6fca9e2299835c3d39ae1cb248c1594c55
quay.io/cilium/operator-generic:v1.11.16@sha256:ea3fbe5ab65efc41228d716a64804b6fca9e2299835c3d39ae1cb248c1594c55

operator

docker.io/cilium/operator:v1.11.16@sha256:44fb99adbba82605702aa9c41380c1c79ad5565bbd3c9d961f9aab55387be586
quay.io/cilium/operator:v1.11.16@sha256:44fb99adbba82605702aa9c41380c1c79ad5565bbd3c9d961f9aab55387be586

1.14.0-snapshot.1

03 Apr 14:53
1.14.0-snapshot.1 Pre-release

We are pleased to release Cilium v1.14.0-snapshot.1.

Summary of Changes

Major Changes:

  • Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#24263, @meyskens)
  • cilium: fib lookup consolidation (#23884, @borkmann)
  • The Cilium operator now taints nodes where Cilium is scheduled to run but is not running.
    This prevents pods from being scheduled on nodes without Cilium.
    The CNI configuration file is no longer removed on agent shutdown.
    This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade.
    This should help prevent nodes accidentally entering an unmanageable state.
    It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#23486, @squeed)

Minor Changes:

  • [SNAT] add "need to frag" ICMP support (#18414, @sahid)
  • Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#23968, @meyskens)
  • Add hubble_lost_events_total metric for the number of events lost by Hubble. (#22865, @lambdanis)
  • bpf, ipcache: unconditionally assume support for LPM trie maps (#24258, @tklauser)
  • clustermesh: enable per-cluster RBAC in etcd server (#24284, @giorio94)
  • cmd/service: unify service list/get output (#24136, @oblazek)
  • Disable by default CNP Node Status GC in cilium-operator. (#24390, @marseel)
  • dns: Set --tofqdns-min-ttl to zero by default (#21439, @michi-covalent)
  • envoy: Bump envoy to 1.24.3 (#24148, @sayboras)
  • feat: optional bpf mount (#24161, @frezbo)
  • helm: simplify TLS configuration of clustermesh peers (#24222, @giorio94)
  • Hide --install-iptables-rules agent flag and remove installIptablesRules Helm flag (#24081, @pchaigno)
  • hubble: traffic direction filter (#24120, @kaworu)
  • Improve cilium monitor output for dropped packets: display source file names instead of numerical ids (#24143, @aspsk)
  • Increase the default CiliumEndpointSlice sync time from 0 to 500ms (#23615, @dlapcevic)
  • Integration of sample dashboards with Helm chart (#23794, @jcpunk)
  • Make the Envoy sockets for tproxy and the xDS API bind to localhost only (#24011, @meyskens)
  • Move poststart eni script to agent pod from nodeinit pod (#24134, @nebril)
  • policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated, this has now been fixed. (#23927, @rockc2020)
  • Prepare Cilium API for IPAM pools (#24248, @tklauser)
  • Support L2-less devices with fast forward (bpf-based host routing) (#23935, @jschwinger233)

Bugfixes:

  • Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (#24557, @jschwinger233)
  • Add support for builtin kernel modules (#23953, @TheAifam5)
  • Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (#24009, @squeed)
  • agent: rework clustermesh config watcher for increased robustness (#24163, @giorio94)
  • Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (#24156, @aanm)
  • bpf: fix ipv6 extension header parsing error (#24309, @chenyuezhou)
  • bpf: nodeport: fix handling of stale CT entry with CT_REPLY (#23894, @julianwiedmann)
  • Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (#24339, @giorio94)
  • daemon: fix panic when running with etcd with endpoint crd disabled (#24085, @tommyp1ckles)
  • daemon: initialize datapath before compiling sockops programs (#24140, @jibi)
  • endpoint: fix k8sNamespace log field when ep gets deleted (#24575, @mhofstetter)
  • Fix a bug where users are unable to change a wrong remote etcd configuration (#24046, @oblazek)
  • Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (#24619, @giorio94)
  • Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (#24304, @dylandreimerink)
  • Fix bug that would prevent IPsec from working with GENEVE encapsulation. (#24116, @borkmann)
  • Fix bug where ingress policies for remote-node identities were not applied correctly when new nodes joined the cluster, specifically when the joining nodes had IP addresses that matched CIDR policies (#23764, @christarazi)
  • Fix Cilium crash during network policy computation (#24322, @joestringer)
  • Fix Cilium Operator from crashing when encountering empty node pools on Azure (#24189, @forgems)
  • Fix deadlock in cilium-operator when using CiliumEndpointSlices (#24343, @alan-kut)
  • Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (#23874, @sjdot)
  • Fix failure to load the datapath for new pods on latest kernel when (almost) all datapath features are enabled. (#24405, @borkmann)
  • Fix FIB lookup for traffic to a L7 service backend, when BPF host-routing is enabled and multiple external devices are configured. (#24182, @julianwiedmann)
  • Fix for disabled cloud provider rate limiting (#24413, @hemanthmalla)
  • Fix incorrectly dropping in-cluster traffic for L7 ingress resources (#23984, @sayboras)
  • Fix IPv6 policy enforcement for SNATed traffic from the Host (#24132, @ysksuzuki)
  • Fix panic in hubble http v2 metrics (#24350, @chancez)
  • Fix Pod connectivity interruption during agent restart (#24336, @ti-mo)
  • Fix some test failures for bpf_nat_test.c (#24534, @YutaroHayakawa)
  • init.sh: fix cgroup program detachment and detach multiple progs with retry (#24118, @ti-mo)
  • install: don't render role / rolebinding when agent disabled (#23877, @squeed)
  • Service backends with publishNotReadyAddresses are able to receive traffic regardless of whether they are Terminating, since the user's intent is to make them reachable despite their state. (#24174, @aojea)
  • Set user-agent for k8s client with Cilium's version (#24275, @aanm)
  • Solved an issue failing to forward traffic to Services if the Endpoint Slices had the same Address on different Slices (#24202, @aojea)
  • When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (#22978, @julianwiedmann)

CI Changes:

Misc Changes:

  • .gitatt...

1.13.1

17 Mar 12:18
v1.13.1

We are pleased to release Cilium v1.13.1. This is the first patch release in the 1.13 series and it contains a lot of good stuff! We improved docs, fixed memory leaks and deadlocks, improved the Helm charts and did so much more! Full list below.

This release addresses the following security issues:

Note: When updating to this release, make sure that you are using the new Helm chart version.

Summary of Changes

Minor Changes:

  • Add CLI command to dump cgroups metadata (Backport PR #23834, Upstream PR #23641, @alexkats)
  • Add pod-name hubble metrics context for pod name label without namespace (Backport PR #24058, Upstream PR #23199, @chancez)
  • envoy: Bump envoy to 1.23.4 (Backport PR #23956, Upstream PR #23800, @sayboras)
  • helm: Add pod and container security context (Backport PR #24086, Upstream PR #23443, @sayboras)
  • helm: Add SA automount configuration (Backport PR #24086, Upstream PR #23441, @sayboras)
  • helm: Add support of annotations in hubble ui service (Backport PR #23834, Upstream PR #23709, @brnck)
  • Hide --install-iptables-rules agent flag and remove installIptablesRules Helm flag (Backport PR #24200, Upstream PR #24081, @pchaigno)

Bugfixes:

  • [EKS] Fix deadlock causing network connectivity outages when kube-apiservers scale down (Backport PR #23956, Upstream PR #23836, @christarazi)
  • Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24200, Upstream PR #24009, @squeed)
  • agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23956, Upstream PR #23787, @giorio94)
  • Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (Backport PR #24200, Upstream PR #24156, @aanm)
  • bpf: Fix broken remote-node identity classification (Backport PR #23956, Upstream PR #23091, @ysksuzuki)
  • clustermesh: fix cluster synchronization wait group increment (Backport PR #24058, Upstream PR #23741, @giorio94)
  • clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24058, Upstream PR #23947, @giorio94)
  • envoy: Avoid empty typeURL for all resources (Backport PR #23860, Upstream PR #23763, @sayboras)
  • Fix bug that would prevent IPsec from working with GENEVE encapsulation. (Backport PR #24200, Upstream PR #24116, @borkmann)
  • Fix bug that would prevent SRv6 decapsulation when BPF Host Routing was disabled. (Backport PR #23834, Upstream PR #23825, @ldelossa)
  • Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23956, Upstream PR #23857, @giorio94)
  • Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24311, Upstream PR #23874, @sjdot)
  • Fix incorrectly dropping in-cluster traffic for L7 ingress resources (Backport PR #24200, Upstream PR #23984, @sayboras)
  • Fix memory leak caused on clustermesh reconnect. (Backport PR #24086, Upstream PR #23785, @oblazek)
  • Fix operator crash race condition for CES identity map concurrent read/write (Backport PR #24086, Upstream PR #23605, @dlapcevic)
  • Fix restoreServicesLocked() potential nil pointer panic (Backport PR #23834, Upstream PR #23446, @dlapcevic)
  • fix(helm): add missing updateStrategy to hubble-ui deployment (Backport PR #24058, Upstream PR #23975, @mhulscher)
  • Fixes a bug where the Helm value cni.configMap no longer worked. (Backport PR #23834, Upstream PR #23743, @squeed)
  • Fixes a memory leak and (possible) source of stale data for Clustermesh whenever the connection to the remote cluster is disrupted or restarted. (Backport PR #23834, Upstream PR #23532, @squeed)
  • gateway-api: Combine metrics registry with operator (Backport PR #23834, Upstream PR #23501, @sayboras)
  • helm: Fix duplicate enable-envoy-config flag when enabling L7LB, Ingress Controller, or GatewayAPI simultaneously (Backport PR #23956, Upstream PR #23866, @DWSR)
  • Hubble Relay: fix reported uptime (Backport PR #24058, Upstream PR #23966, @rolinh)
  • install: don't render role / rolebinding when agent disabled (Backport PR #24200, Upstream PR #23877, @squeed)
  • ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23834, Upstream PR #23713, @gandro)
  • k8s: Handle EndpointSlice AddressType field properly (Backport PR #23956, Upstream PR #23803, @YutaroHayakawa)
  • kvstore: prevent deletion delay for node-unrelated events (Backport PR #24086, Upstream PR #23745, @giorio94)
  • node: require ipv4 address when wireguard is enabled (#23552, @giorio94)
  • watchers: endpointsync can manage already owned CiliumEndpoints. (Backport PR #24086, Upstream PR #23499, @tommyp1ckles)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.1@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25beda
quay.io/cilium/cilium:v1.13.1@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25beda
docker.io/cilium/cilium:stable@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25beda
quay.io/cilium/cilium:stable@sha256:428a09552707cc90228b7ff48c6e7a33dc0a97fe1dd93311ca672834be25be...


1.12.8

17 Mar 12:19
v1.12.8

We are pleased to release Cilium v1.12.8. This release includes Helm chart improvements, many bugfixes (including a fixed deadlock on EKS and operator crashes) and CI improvements.

This release addresses the following security issues:

Note: When updating to this release, make sure that you are using the new Helm chart version.

Summary of Changes

Minor Changes:

Bugfixes:

  • [EKS] Fix deadlock causing network connectivity outages when kube-apiservers scale down (Backport PR #23957, Upstream PR #23836, @christarazi)
  • Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24197, Upstream PR #24009, @squeed)
  • agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23957, Upstream PR #23787, @giorio94)
  • Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (Backport PR #24197, Upstream PR #24156, @aanm)
  • cilium-health status: fix endpoint reachability in succinct view (Backport PR #23779, Upstream PR #23506, @giorio94)
  • clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24083, Upstream PR #23947, @giorio94)
  • envoy: Avoid empty typeURL for all resources (Backport PR #23861, Upstream PR #23763, @sayboras)
  • Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23957, Upstream PR #23857, @giorio94)
  • Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24310, Upstream PR #23874, @sjdot)
  • Fix operator crash race condition for CES identity map concurrent read/write (Backport PR #24197, Upstream PR #23605, @dlapcevic)
  • ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23779, Upstream PR #23713, @gandro)
  • node: require ipv4 address when wireguard is enabled (Backport PR #24039, Upstream PR #23552, @giorio94)
  • watchers: endpointsync can manage already owned CiliumEndpoints. (Backport PR #24083, Upstream PR #23499, @tommyp1ckles)

CI Changes:

Misc Changes:

  • .github: remove stable tags (#23830, @aanm)
  • Add leader requirement to watch from Etcd. (Backport PR #24083, Upstream PR #23590, @marseel)
  • bpf: Fix usage of tunnel map structs (Backport PR #24083, Upstream PR #23469, @pchaigno)
  • bugtool: Add ingress/egress tc filter dump (Backport PR #24197, Upstream PR #24057, @joestringer)
  • bugtool: Dump envoy metrics for troubleshooting (Backport PR #23779, Upstream PR #22797, @sayboras)
  • chore(deps): update actions/checkout action to v3.3.0 (v1.12) (#23994, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (patch) (#23993, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.11.2 (v1.12) (#23909, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 4a45212 (v1.12) (#23693, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 9fa30fc (v1.12) (#24137, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (v1.12) (#23923, @renovate[bot])
  • clustermesh, kvstore: consistently pass controller context to kvstore operations (Backport PR #23779, Upstream PR #23333, @tklauser)
  • docs: correct Prometheus port (Backport PR #23779, Upstream PR #23404, @lizrice)
  • docs: Document CONFIG_PERF_EVENTS requirement (Backport PR #24197, Upstream PR #24055, @joestringer)
  • docs: Drop sphinxcontrib-openapi fork, switch back to upstream (Backport PR #23779, Upstream PR #23118, @qmonnet)
  • docs: Fix the dead link to Mellanox performance tuning guide (Backport PR #24083, Upstream PR #24012, @gentoo-root)
  • docs: Mark Git repository as safe, at runtime, if in a container (Backport PR #24067, Upstream PR #21069, @qmonnet)
  • docs: replace usage of api.twitter.com (Backport PR #23779, Upstream PR #23669, @kaworu)
  • Enable Google Analytics 4 (Backport PR #24067, Upstream PR #22220, @chalin)
  • fix(deps): update module golang.org/x/net to v0.7.0 [security] (master) (Backport PR #23957, Upstream PR #23904, @renovate[bot])
  • Fixed link to broken anchor in RKE doc (Backport PR #23779, Upstream PR #23706, @raphink)
  • Introduce node IDs in the datapath and the agent, so datapath can later use them to identify remote nodes (Backport PR #23779, Upstream PR #23202, @pchaigno)
  • IPsec: Remove IP_POOLS logic (Backport PR #24083, Upstream PR #24030, @pchaigno)
  • Node ID restoration (Backport PR #23779, Upstream PR #23578, @pchaigno)
  • Remove / in RKE doc link as it causes redirect bug (Backport PR #23779, Upstream PR #23728, @raphink)
  • workflow: fixes LLVM, Clang cache and install path (Backport PR #23779, Upstream PR #23740, @brlbil)

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.8@sha256:b6c3c48b380334b8f08dba6e0c28d906c0d722b8c2beb0d506b3cea27f66f78d
quay.io/cilium/cilium:v1.12.8@sha256:b6c3c48b380334b8f08dba6e0c28d906c0d722b8c2beb0d506b3cea27f66f78d

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.8@sha256:acb4727cb2ccde4ecd372c459c4da53823e00d36b470f80339a237fbe5127a0b
quay.io/cilium/clustermesh-apiserver:v1.12.8@sha256:acb4727cb2ccde4ecd372c459c4da53823e00d36b470f80339a237fbe5127a0b

docker-plugin

docker.io/cilium/docker-plugin:v1.12.8@sha256:8c4dd43fea669b3e0b63c0d7abae06b1f61a6ad7365f69ebc65e0b5c916e6468
quay.io/cilium/docker-plugin:v1.12.8@sha256:8c4dd43fea669b3e0b63c0d7abae06b1f61a6ad7365f69ebc65e0b5c916e6468

hubble-relay

docker.io/cilium/hubble-relay:v1.12.8@sha256:508cf85bb1a11c13abd995e3c5fd18ed3c2f1d26cbf463a97297e8b8c9149f13
quay.io/cilium/hubble-relay:v1.12.8@sha256:508cf85bb1a11c13abd995e3c5fd18ed3c2f1d26cbf463a97297e8b8c9149f13

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.8@sha256:d9a4a9c4f5d5969cb3bbfdbe773a182858de53c3b3d88dd39e80f89b97f1c7b2
quay.io/cilium/operator-alibabacloud:v1.12.8@sha256:d9a4a9c4f5d5969cb3bbfdbe773a182858de53c3b3d88dd39e80f89b97f1c7b2

operator-aws

docker.io/cilium/operator-aws:v1.12.8@sha256:6177a5f6ab05dedfc93268ab7aa02da37e2a96c6a4c75243cb1b33aecc1c68ad
quay.io/cilium/operator-aws:v1.12.8@sha256:6177a5f6ab05dedfc93268ab7aa02da37e2a96c6a4c75243cb1b33aecc1c68ad

operator-azure

docker.io/cilium/operator-azure:v1.12.8@sha256:da3ff887535d7687564afeb4108046069de14ed2fee368908adf9e467238ff7e
quay.io/cilium/operator-azure:v1.12.8@sha256:da3ff887535d7687564afeb4108046069de14ed2fee368908adf9e467238ff7e

operator-generic

docker.io/cilium/operator-generic:v1.12.8@sha256:7431f0c2001fb875b1a8901e103825394c38cd6c63a1435a3273ed20ae0e7578
quay.io/cilium/operator-generic:v1.12.8@sha256:7431f0c2001fb875b1a8901e103825394c38cd6c63a1435a3273ed20ae0e7578

operator

docker.io/cilium/operator:v1.12.8@sha256:1d3f32b112034dc0a7b83cde55850f00cf3adca9ae7f51aff42f2f8228998c8b
quay.io/cilium/operator:v1.12.8@sha256:1d3f32b112034dc0a7b83cde55850f00cf3adca9ae7f51aff42f2f8228998c8b

1.11.15

17 Mar 12:19
v1.11.15

We are pleased to release Cilium v1.11.15. This release contains several bugfixes, including (but not limited to) a fix for a bootstrapping issue and a fix for the enable-stale-cilium-endpoint-cleanup flag. We also made several improvements around the Helm charts.

It also addresses the following security issues:

Note: When updating to this release, make sure that you are using the new Helm chart version.

Summary of Changes

Minor Changes:

Bugfixes:

  • Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24198, Upstream PR #24009, @squeed)
  • agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23958, Upstream PR #23787, @giorio94)
  • clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24089, Upstream PR #23947, @giorio94)
  • envoy: Avoid empty typeURL for all resources (Backport PR #23862, Upstream PR #23763, @sayboras)
  • Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23958, Upstream PR #23857, @giorio94)
  • Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24308, Upstream PR #23874, @sjdot)
  • Fix leaking service backend entries when services with terminating backends were deleted. (#23858, @aditighag)
  • ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23958, Upstream PR #23713, @gandro)
  • node: require ipv4 address when wireguard is enabled (Backport PR #24040, Upstream PR #23552, @giorio94)

Misc Changes:

Other Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.15@sha256:434ea1ff40b8db76c2be6cabfa1bbd2b887eaabe42e757651ea14757468e3bf4
quay.io/cilium/cilium:v1.11.15@sha256:434ea1ff40b8db76c2be6cabfa1bbd2b887eaabe42e757651ea14757468e3bf4

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.15@sha256:66071d67f0249909c81cc3f94ad1dd2ae51e1451c400183a9337c04b9c1e076f
quay.io/cilium/clustermesh-apiserver:v1.11.15@sha256:66071d67f0249909c81cc3f94ad1dd2ae51e1451c400183a9337c04b9c1e076f

docker-plugin

docker.io/cilium/docker-plugin:v1.11.15@sha256:e2d10187f4e31a00fd751b6e5ac56bd3698ab6bd3c404cff06b7b2740d4327df
quay.io/cilium/docker-plugin:v1.11.15@sha256:e2d10187f4e31a00fd751b6e5ac56bd3698ab6bd3c404cff06b7b2740d4327df

hubble-relay

docker.io/cilium/hubble-relay:v1.11.15@sha256:352a65dde7c324ace5d6442f626f82c19550dd581e17f8f7e7aba30325c96d9e
quay.io/cilium/hubble-relay:v1.11.15@sha256:352a65dde7c324ace5d6442f626f82c19550dd581e17f8f7e7aba30325c96d9e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.15@sha256:712972b46f592bd80a8e4c66e9b5cdcc73705740bf2cea84a6df131107a01699
quay.io/cilium/operator-alibabacloud:v1.11.15@sha256:712972b46f592bd80a8e4c66e9b5cdcc73705740bf2cea84a6df131107a01699

operator-aws

docker.io/cilium/operator-aws:v1.11.15@sha256:3aa776003eee064a6896b6ad712f55293d4e045defbe14d3768d224ce254d5c3
quay.io/cilium/operator-aws:v1.11.15@sha256:3aa776003eee064a6896b6ad712f55293d4e045defbe14d3768d224ce254d5c3

operator-azure

docker.io/cilium/operator-azure:v1.11.15@sha256:81e5168c977806a7f310aa57cca74c908fe6ea323518804e15c48bc786b99271
quay.io/cilium/operator-azure:v1.11.15@sha256:81e5168c977806a7f310aa57cca74c908fe6ea323518804e15c48bc786b99271

operator-generic

docker.io/cilium/operator-generic:v1.11.15@sha256:1feed1b895b39c7bdcbfe6232536e26edba9beb41c160c66d539de4358275a2e
quay.io/cilium/operator-generic:v1.11.15@sha256:1feed1b895b39c7bdcbfe6232536e26edba9beb41c160c66d539de4358275a2e

operator

docker.io/cilium/operator:v1.11.15@sha256:97e6df665e10a08b2fbb5aefb183564debe0a0a4108b371a2f4d95f38c56f56c
quay.io/cilium/operator:v1.11.15@sha256:97e6df665e10a08b2fbb5aefb183564debe0a0a4108b371a2f4d95f38c56f56c

1.14.0-snapshot.0

01 Mar 05:36
v1.14.0-snapshot.0
1.14.0-snapshot.0 Pre-release

Summary of Changes

Major Changes:

Minor Changes:

  • Add CLI command to dump cgroups metadata (#23641, @alexkats)
  • Add flag to configure the size of the egress gateway policy map (#23019, @cyclinder)
  • Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#22731, @marqc)
  • Add pod-name hubble metrics context for pod name label without namespace (#23199, @chancez)
  • Add support for the ingressclass.kubernetes.io/is-default-class annotation on Cilium's IngressClass (#23719, @meyskens)
  • alibabacloud: Support selecting subnet by IDs (#23131, @jaffcheng)
  • Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#22866, @akhilles)
  • Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#22911, @lvyanru8200)
  • cilium/cmd: Remove deprecated policy_trace command (#23550, @sayboras)
  • egressgw: add support for excludedCIDRs (#23448, @jibi)
  • Enable configuration of the source IP verification per endpoint (#23985, @pchaigno)
  • envoy: Bump envoy to 1.24.2 (#23940, @sayboras)
  • Expand agent metric Policy Import Errors to count all policy changes (#23349, @dlapcevic)
  • Fix docker-cilium-image target for DOCKER_FLAGS=--push (#23679, @pippolo84)
  • gateway-api: Bump version to v0.6.0 (#22680, @sayboras)
  • helm: Add pod and container security context (#23443, @sayboras)
  • helm: Add SA automount configuration (#23441, @sayboras)
  • helm: Add support of annotations in hubble ui service (#23709, @brnck)
  • helm: use Helm hooks instead of Job unique name (#23102, @sathieu)
  • hubble-relay: deprecate peer svc through local unix domain socket (#23407, @kaworu)
  • ingress: Add loadBalancerIP and loadBalancerClass (#22670, @oliver-ni)
  • install/kubernetes: make image digests for all components optional & configurable (#22732, @rastislavs)
  • ipam/crd: Add new flag for configuring CiliumNode update rate (#23017, @jaffcheng)
  • metrics: support toggle bootstrap times metric via daemon config (#22643, @ArthurChiao)
  • Modify operator metric CES errors sync to count all CES sync events (#23335, @dlapcevic)
  • operator: proper rolling update (#23589, @mhofstetter)
  • option,helm: Add a flag to opt out from support for Kubernetes NetworkPolicy in Cilium (#23127, @ChengyuanLiCY)
  • Return better error codes from hooked syscalls, such as connect() and bind(). (#22965, @gentoo-root)
  • sysdump: Added Kubernetes CNI logs to sysdump. (#23937, @marseel)

Bugfixes:

  • bpf: Fix broken remote-node identity classification (#23091, @ysksuzuki)
  • clustermesh: fix cluster synchronization wait group increment (#23741, @giorio94)
  • clustermesh: fix services cache bloat due to incorrect deletion (#23947, @giorio94)
  • datapath: Do not send ICMP6 NA over cilium_wg0 (#23969, @brb)
  • datapath: Fix L7 reply to outside when endpoint routes disabled (#21980, @brb)
  • egressgw: update all internal caches once k8s state is synced (#24034, @jibi)
  • Fix bug that would prevent SRv6 decapsulation when BPF Host Routing was disabled. (#23825, @ldelossa)
  • Fix memory leak caused on clustermesh reconnect. (#23785, @oblazek)
  • Fix operator crash race condition for CES identity map concurrent read/write (#23605, @dlapcevic)
  • Fix restoreServicesLocked() potential nil pointer panic (#23446, @dlapcevic)
  • fix(helm): add missing updateStrategy to hubble-ui deployment (#23975, @mhulscher)
  • Fixes a bug where the Helm value cni.configMap no longer worked. (#23743, @squeed)
  • Fixes a memory leak and (possible) source of stale data for Clustermesh whenever the connection to the remote cluster is disrupted or restarted. (#23532, @squeed)
  • gateway-api: Combine metrics registry with operator (#23501, @sayboras)
  • Hubble Relay: fix reported uptime (#23966, @rolinh)
  • ipam/crd: Fix panic due to concurrent map read and map write (#23713, @gandro)
  • kvstore: prevent deletion delay for node-unrelated events (#23745, @giorio94)
  • Parse the IP address passed as a CIDR from the delegated IPAM and then use the IP address from the parsed prefix. (#22918, @vipul-21)
  • Removed unnecessary updates to service status by MetalLB (#23210, @ysksuzuki)
  • Revert "datapath: Remove 2005 route table" (#23346, @brb)
  • Support IPv4 DSR for packets with IP options. (#23810, @julianwiedmann)
  • watchers: endpointsync can manage already owned CiliumEndpoints. (#23499, @tommyp1ckles)

CI Changes:

Misc Changes:


1.13.0

15 Feb 15:57
v1.13.0

Changelog

The Cilium core team are excited to announce the Cilium 1.13 release. 🎉

v1.13.0

Summary of Changes

Major Changes:

Minor Changes:

  • [v1.13] hubble-relay: deprecate peer svc through local unix domain socket (#23442, @kaworu)
  • add nonMasqueradeCIDRs configuration to the ipMasqAgent section in Helm Chart values. (#20137, @cyclinder)
  • Add "cilium map events" command that lists BPF map operation events (#21235, @tommyp1ckles)
  • Add --source-ranges option to cilium bpf lb list (#19705, @julianwiedmann)
  • Add ability to specify topologySpreadConstraints on all parts using kind Deployment. This helps users to correctly spread the pods across failure domains such as regions, zones, nodes, and other user-defined topology domains to achieve maximum high availability (HA) and efficient resource utilization. (#20046, @mkilchhofer)

  • add an option to wait for kube-proxy (#20517, @michi-covalent)
  • add helm option configuredMTU to overwrite auto-detected MTU and tunnelPort helm document (#20639, @vincentmli)
  • Add metric on number of requests rejected by DNS Proxy semaphore (#20491, @rahulkjoshi)
  • Add new ENI IPAM metrics for allocation, release (#20755, @wu0407)
  • Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
  • Add Prometheus gRPC metrics for hubble and hubble-relay (#20376, @chancez)
  • Add support for disabling ENI PD at node level (#20308, @hemanthmalla)
  • add support for k8s 1.25.0 (#20995, @aanm)
  • Add support to fallback from ENI PD if subnet is out of /28 prefixes (#20822, @hemanthmalla)
  • Add the additional print columns CiliumInternalIP and InternalIP for kubectl get ciliumnode command. (#21258, @bavarianbidi)
  • Add TraceID field to Hubble flow and populate it from L7/HTTP flow. (#21456, @rolinh)
  • Add workload name and kind into L7 flows (#21039, @chancez)
  • Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
  • Added hubble.ui.frontend.server.ipv6.enabled helm flag to control nginx server ipv6 listener (#21127, @geakstr)
  • Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol)
  • Allow users to specify hostports with localhost hostIP (#21366, @aspsk)
  • Automatically adjust bpf-policy-map-max if the maximum value is exceeded (#22129, @vishal-chdhry)
  • bpf/tests: fix redundant usage of variable offset (#22390, @sahid)
  • bpf: Add missing identity to TRACE_TO_STACK packet traces (#21403, @pchaigno)
  • bpf: Implement Segment Routing Header (SRH) support (#20764, @pchaigno)
  • bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
  • Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
  • Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer)
  • CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (#20458, @jrajahalme)
  • Cilium Istio integration is updated to Istio release 1.10.6 (#18384, @jrajahalme)
  • Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme)
  • cilium, bwm: Disable slow start after idle under pacing (#21356, @borkmann)
  • cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
  • cilium: Remove attached bpf_xdp upon "cilium cleanup" (#19735, @zhanghe9702)
  • clarify some docs around the kubeProxyReplacement=partial mode (#19831, @aecay)
  • clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
  • ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
  • daemon: Deprecate SockOps (Backport PR #23687, Upstream PR #23555, @brb)
  • daemon: Don't auto disable session affinity (#16179, @brb)
  • daemon: Rename host-reachable services to socket LB (#20369, @brb)
  • Default NodesGCInterval in CLI is 5m (0s before) to align with default helm value. (#20671, @hemslo)
  • Disable and deprecate force-local-policy-eval-at-source (#22190, @pchaigno)
  • Disable eBPF host routing in cni chaining mode (#22044, @smwyzi)
  • DNS proxy: forward the original security identity (#20711, @aspsk)
  • DNS Proxy: pass original security identity (#20859, @aspsk)
  • dnsproxy: stop serving DNS traffic before agent shutdown (#20795, @nebril)
  • docs: refactor AKS installation instructions (Backport PR #23687, Upstream PR #23304, @nbusseneau)
  • document ipv4/ipv6 native routing cidr helm option missing in Documentation and helm reference (#21195, @vincentmli)
  • egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
  • Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
  • Enable operator operation without kubernetes. (#21344, @pruiz)
  • eni: Add garbage collector for leaked ENIs (#21409, @gandro)
  • envoy: Bump envoy version to 1.21.5 (#20771, @sayboras)
  • envoy: Bump envoy version to 1.22.7 (Backport PR #23644, Upstream PR #23502, @sayboras)
  • envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
  • Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco)
  • feat(helm): allow adding extra containers to the cilium daemonset (#20343, @mhulscher)
  • feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink)
  • Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
  • Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic)
  • fix empty message when tunnel and socketLB service missing in switch case (#21314, @vincentmli)
  • fqdn/metrics: Fix ProxyUpstreamTime error=timeout (#20752, @joestringer)
  • Get rid of KPR=probe and socket-LB protocols (#22083, @brb)
  • helm: Add node-role.kubernetes.io/control-plane key (Backport PR #23001, Upstream PR #22893, @my-git9)
  • helm: Add validation for Ingress Controller (#21550, @sayboras)
  • helm: Document debug.verbose option (Backport PR #23284, Upstream PR #23178, @sayboras)
  • Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
  • helm: Properly support passing subnet-tags/subnet-ids/instance-tags filters as a list (#21297, @slayer321)
  • helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
  • helm: Remove duplicated key hostAliases (#20278, @sayboras)
  • helm: Set Linux nodeSelector for nodeinit and preflight (#20216, @gandro)
  • helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
  • hubble/filter: add a new endpoint workload filter (#21296, @kaworu)
  • hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
  • hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
  • hubble: Add hubble_policy_verdicts_total metric (#20470, @michi-covalent)
  • hubble: Add kafka metrics (#21318, @chancez)
  • hubble: Add reserved-identity metric context (#20474, @michi-covalent)
  • hubble: add support for filtering by trace ID (#21551, @rolinh)
  • hubble: Add support for SockLB tracing (#21685, @gandro)
  • hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
  • image: Bump base image to ubuntu 22.04 (#20943, @sayboras)
  • image: Upgrade ubuntu base image to 22.04 (#21097, @sayboras)
  • Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge)
  • Improve verbosity of drop notification messages. (#20387, @aspsk)
  • Improve verbosity of drop notification messages. (#20827, @aspsk)
  • In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd)
  • ingress: add websockets configuration (#20814, @nikhiljha)
  • ingress: Follow-up items for shared LB mode (#21493, @sayboras)
  • ingress: Propagate required annotations from Ingress to LB Service (#20860, @NikhilSharmaWe)
  • ingress: Rename LB annotation to annotation prefixes (#21222, @sayboras)
  • ingress: Support NodePort for dedicated Ingress (Backport PR #23284, Upstream PR #22974, @sayboras)
  • install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
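The two items above that touch the agent's securityContext (the optional less-permissive Linux capabilities from #21506 and the configurable SELinux options from #22721) are the ones most worth acting on from a hardening standpoint: together they let the agent run unprivileged with an explicit capability set instead of `privileged: true`. The Helm values fragment below is an added example written for this page, not a file from the Cilium repository; the key names (`securityContext.privileged`, `securityContext.seLinuxOptions`, `securityContext.capabilities.ciliumAgent`, `mountCgroup`, `applySysctlOverwrites`, `cleanCiliumState`) and the capability lists are assumptions recalled from the chart and must be checked against the `values.yaml` shipped with the chart version you install.

```yaml
# Added example (not from the Cilium project): Helm values for an
# unprivileged cilium-agent DaemonSet with an explicit capability set.
# Key names and capability lists are assumptions; verify them against
# the values.yaml of the chart version actually being installed.
securityContext:
  # Weak setting: privileged: true grants every capability and disables
  # most LSM confinement. The hardened form turns it off and lists only
  # what each container actually needs.
  privileged: false

  # SELinux: the agent mounts cgroup/bpf filesystems and loads programs,
  # so on SELinux-enforcing hosts it runs as the super-privileged
  # container type rather than the default container_t.
  seLinuxOptions:
    level: "s0"
    type: "spc_t"

  capabilities:
    # Main agent container: datapath (NET_ADMIN, NET_RAW, SYS_ADMIN for
    # bpf()/mounts, SYS_RESOURCE for memlock/map limits, SYS_MODULE for
    # loading kernel modules) plus the file-ownership bits the proxy needs.
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_MODULE
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    # Init container that mounts the cgroup2 filesystem on the host.
    mountCgroup:
      - SYS_ADMIN
      - SYS_CHROOT
      - SYS_PTRACE
    # Init container that applies sysctl overrides on the host.
    applySysctlOverwrites:
      - SYS_ADMIN
      - SYS_CHROOT
      - SYS_PTRACE
    # Init container that removes stale BPF/netlink state on restart.
    cleanCiliumState:
      - NET_ADMIN
      - SYS_MODULE
      - SYS_RESOURCE
```

After installing, confirm the rendered DaemonSet no longer carries `privileged: true` and that the capability lists match the values above, for example by rendering with `helm template` and inspecting the `securityContext` of each container; if a datapath feature fails to load after the change, compare the agent's log against this list before reverting to privileged mode, since the missing capability is usually named in the error.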
  • install: add TerminationMessagePolicy to cilium pods (#21012, @squeed)
  • Introduce Hubble HTTP v2 metrics an...