Releases: cilium/cilium

1.13.10

14 Dec 02:44
v1.13.10

We are pleased to release Cilium v1.13.10.

This release includes expanded SA credential and resource-limit related configuration parameters for the Agent DaemonSet, a fix for an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, a datapath fix for SNAT running behind multiple network interfaces, and a fix to NAT entry GC when DSR is enabled. In addition, there are performance enhancements to the concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

Bugfixes:

  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29309, @ti-mo)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29640, Upstream PR #29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29391, Upstream PR #29335, @gandro)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29640, Upstream PR #29566, @christarazi)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29640, Upstream PR #29182, @viktor-kurchenko)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29709, Upstream PR #29340, @aanm)
  • Support downgrade path for XDP attachments from Cilium 1.15 (#29105, @ti-mo)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29475, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • ci-ipsec-upgrade: Check for errors (Backport PR #29272, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29003, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29003, Upstream PR #28016, @jschwinger233)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #29003, Upstream PR #27977, @michi-covalent)
  • gha: align ci-ipsec-e2e workflow name to main (#29687, @giorio94)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #29003, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29475, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29475, Upstream PR #29353, @pchaigno)

Misc Changes:

  • .github: use GitHub workflow from the same branch (#29256, @aanm)
  • chore(deps): update actions/checkout action to v4 (v1.13) (#29287, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (minor) (#29286, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (patch) (#29139, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#29150, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#29419, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.13) (#29661, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.13) (#29285, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.13) (#29138, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.13) (patch) (#29747, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#29289, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29192, Upstream PR #29178, @brb)
  • Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29640, Upstream PR #29497, @danehans)
  • examples: update guestbook example with new image registry (Backport PR #29640, Upstream PR #29603, @mhofstetter)
  • Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29700, Upstream PR #29495, @learnitall)
  • images: bump cni plugins to v1.4.0 (Backport PR #29723, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29475, Upstream PR #29352, @pchaigno)
  • Update the logrus dependency to address a security issue. (#29672, @rolinh)

Other Changes:

  • [1.13] Address selectorcache concurrent read/write (#29186, @tklauser)
  • [v1.13] Let renovatebot update Go toolchain version in a single PR (#29743, @tklauser)
  • envoy: Bump cilium-envoy with golang 1.21.5 (#29655, @sayboras)
  • envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29384, @sayboras)
  • install: Update image digests for v1.13.9 (#29136, @nathanjsweet)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29206, @thorn3r)
  • v1.13: ariane: Run ci-ipsec-upgrade when testing backports (#29227, @brb)

1.12.17

14 Dec 02:37
v1.12.17

We are pleased to release Cilium v1.12.17.

This release includes expanded SA credential and resource-limit related configuration parameters for the Agent DaemonSet, a fix for an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, and a datapath fix for SNAT running behind multiple network interfaces. In addition, there are performance enhancements to the concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

Bugfixes:

  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29392, Upstream PR #29335, @gandro)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29639, Upstream PR #29566, @christarazi)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29639, Upstream PR #29182, @viktor-kurchenko)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29708, Upstream PR #29340, @aanm)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29474, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • ci-ipsec-upgrade: Check for errors (Backport PR #29274, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29005, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29005, Upstream PR #28016, @jschwinger233)
  • ci: remove empty github workflow file tests-nightly.yaml (#29601, @mhofstetter)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #29005, Upstream PR #27977, @michi-covalent)
  • gha: align ci-ipsec-e2e workflow name to main (#29686, @giorio94)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #29005, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29474, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29474, Upstream PR #29353, @pchaigno)

Misc Changes:

  • chore(deps): update actions/checkout action to v4 (v1.12) (#29296, @renovate[bot])
  • chore(deps): update actions/github-script action to v7 (v1.12) (#29297, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (minor) (#29295, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (patch) (#29293, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.12) (patch) (#29294, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.12) (patch) (#29421, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.12) (#29662, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to ed4a422 (v1.12) (#29292, @renovate[bot])
  • chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29253, @renovate[bot])
  • chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29254, @renovate[bot])
  • chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29255, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.12) (patch) (#29748, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.12) (#29298, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29193, Upstream PR #29178, @brb)
  • endpoint: don't hold the endpoint lock while generating policy (Backport PR #29408, Upstream PR #26242, @squeed)
  • images: bump cni plugins to v1.4.0 (Backport PR #29722, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29474, Upstream PR #29352, @pchaigno)
  • Update the logrus dependency to address a security issue. (#29673, @rolinh)

Other Changes:

  • [1.12] Address selectorcache concurrent read/write (#29167, @bimmlerd)
  • [v1.12] Author Backport of 29603 (examples: update guestbook example & test with new image registry) (#29600, @mhofstetter)
  • [v1.12] ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29683, @julianwiedmann)
  • envoy: Bump cilium-envoy with golang 1.21.5 (#29654, @sayboras)
  • envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29385, @sayboras)
  • install: Update image digests for v1.12.16 (#29137, @nathanjsweet)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29209, @thorn3r)
  • v1.12: ariane: Run ci-ipsec-upgrade when testing backports (#29228, @brb)

1.14.5

14 Dec 02:52
v1.14.5

We are pleased to release Cilium v1.14.5.

This release includes expanded credential and resource-limit related configuration parameters for the Agent DaemonSet and SPIRE agent, a fix for an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, a datapath fix for SNAT running behind multiple network interfaces, a fix to NAT entry GC when DSR is enabled, a fix for endpoint label changes during re-init restoration, and a variety of other stability enhancements. Also included are performance enhancements to the concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

  • Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (Backport PR #29187, Upstream PR #29077, @meyskens)
  • helm: Add missing SA automount configuration (Backport PR #29689, Upstream PR #29511, @ayuspin)
  • helm: Allow setting resources for the agent init containers (Backport PR #29689, Upstream PR #29610, @ayuspin)
  • Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (Backport PR #29447, Upstream PR #28126, @jrajahalme)

Bugfixes:

  • "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (Backport PR #29477, Upstream PR #29020, @jrajahalme)
  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29308, @ti-mo)
  • bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (Backport PR #29477, Upstream PR #28813, @oblazek)
  • bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (Backport PR #29187, Upstream PR #28959, @julianwiedmann)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29641, Upstream PR #29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29390, Upstream PR #29335, @gandro)
  • Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (Backport PR #29187, Upstream PR #28264, @aspsk)
  • endpoint: fix panic in RunMetadataResolver due to send on closed channel (Backport PR #29251, Upstream PR #29615, @mhofstetter)
  • endpointmanager: unmap ip for lookup (Backport PR #29641, Upstream PR #29554, @tklauser)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29641, Upstream PR #29566, @christarazi)
  • Fix external workloads not working with non-default ClusterID (Backport PR #29477, Upstream PR #29378, @giorio94)
  • Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (Backport PR #29641, Upstream PR #29613, @giorio94)
  • Fix routing delegation to AWS-VPC-CNI when using the security groups feature. (Backport PR #29641, Upstream PR #29111, @Alex-Waring)
  • Fix the Created timestamps in cilium bpf nat list that used to display the same values. (Backport PR #29187, Upstream PR #27062, @gentoo-root)
  • Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (Backport PR #29251, Upstream PR #29248, @aanm)
  • gateway-api: add watch for reference grant in TLSRoute reconciler (Backport PR #29187, Upstream PR #29007, @mhofstetter)
  • gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (Backport PR #29442, Upstream PR #29115, @sayboras)
  • gateway: Ignore loadbalancer class for Gateway service (Backport PR #29641, Upstream PR #29547, @sayboras)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29641, Upstream PR #29182, @viktor-kurchenko)
  • ingress: fix foreground deletion of Ingress (Backport PR #29477, Upstream PR #29367, @mhofstetter)
  • Install loopback CNI atomically to protect against aborted copy (Backport PR #29641, Upstream PR #29462, @akhilles)
  • ipam: Fix bug where IP lease did not expire (Backport PR #29641, Upstream PR #29443, @gandro)
  • ipam: Fix bug where IP lease did not expire (Backport PR #29652, Upstream PR #29443, @gandro)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #29477, Upstream PR #29310, @julianwiedmann)
  • metrics: fix potential conflict on metrics registration (Backport PR #29270, Upstream PR #27007, @ysksuzuki)
  • metrics: fix potential conflict on metrics registration (Backport PR #29477, Upstream PR #27007, @ysksuzuki)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29364, Upstream PR #29340, @aanm)
  • Support downgrade path for XDP attachments from Cilium 1.15 (#29104, @ti-mo)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29477, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • bpf: complexity-tests: add HAVE_FIB_NEIGH (Backport PR #29477, Upstream PR #29348, @julianwiedmann)
  • ci-ipsec-upgrade: Check for errors (Backport PR #29270, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Check for errors (Backport PR #29477, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (Backport PR #29477, Upstream PR #29325, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #28876, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #28876, Upstream PR #28016, @jschwinger233)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #28876, Upstream PR #27977, @michi-covalent)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #28876, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29477, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29477, Upstream PR #29353, @pchaigno)

Misc Changes:

  • .github: use GitHub workflow from the same branch (#29252, @aanm)
  • [v1.14] CI: fix broken BPF complexity tests (#29553, @lmb)
  • Add workqueue.(delayingType).waitingLoop to goleak exception list (Backport PR #29187, Upstream PR #28557, @dylandreimerink)
  • chore(deps): update actions/checkout action to v4 (v1.14) (#29595, @renovate[bot])
  • chore(deps): update actions/github-script action to v7 (v1.14) (#29149, @renovate[bot])
  • chore(deps): update actions/setup-python action to v4.8.0 (v1.14) (#29579, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (#29121, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (minor) (#29265, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#29282, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#29576, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29417, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29577, @renovate[bot])
  • chore(deps): update cilium/cilium digest to d42be92 (v1.14) (#29133, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.13 (v1.14) (#29123, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.14 (v1.14) (#29283, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.16 (v1.14) (#29465, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.17 (v1.14) (#29729, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.14) (#29578, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 4e4a34f (v1.14) (#29416, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.14) (#29281, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (v1.14) (#29575, @renovate[bot])
  • chore(deps): update go to v1.20.12 (v1.14) (patch) (#29660, @renovate[bot])
  • chore(deps): update google-github-actions/auth action to v2 (v1.14) (#29598, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.14) (patch) (#29746, @renovate[bot])
  • chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (v1.14) (#29320, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231113.012843 (v1.14) (#29129, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231120.012927 (v1.14) (#29284, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29270, Upstream PR #29178, @brb)
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29477, Upstream PR #29178, @brb)
  • Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29641, Upstream PR #29497, @danehans)
  • docs: bump required Helm version (Backport PR #29477, Upstream PR #29273, @nebril)
  • examples: update guestbook example with new image registry (Backport PR #29641, Upstream PR #29603, @mhofstetter)
  • images: bump cni plugins to v1.4.0 (Backport PR #29724, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29477, Upstream PR #29352, @pchaigno)

Other Changes:

  • [v1.14] Author Backport of 28896 (k8s ingress & gateway api: qualify envoy clusters and their references) (#29218, @mhofstetter)
  • [v1.14] bgpv1: Fix BGP component tests using the same VirtualRouter config (#29453, @rastislavs)
  • [v1.14] bpf: Fix identity determination in bpf_overlay.c (#29606, @ysksuzuki)
  • [v1.14] bpf: use bpf_xdp_load_bytes() / bpf_xdp_s...

1.15.0-pre.3

04 Dec 15:10
v1.15.0-pre.3
1.15.0-pre.3 Pre-release

Summary of Changes

Major Changes:

  • Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
  • Add support for extending ClusterMesh to 511 clusters
    By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
  • Add support for Gateway API v1.0 (#28836, @sayboras)
  • k8s: add support for k8s 1.29.0 (#29473, @aanm)

Minor Changes:

  • Add a mode where routing is delegated to another CNI plugin. This enables support for using AWS security groups when chaining Cilium on top of AWS VPC CNI. (#29111, @Alex-Waring)
  • Add lbipam support for shared ips (#28806, @usiegl00)
  • Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
  • Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (#29077, @meyskens)
  • Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
  • api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
  • bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
  • bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
  • bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers when available (#29377, @julianwiedmann)
  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (#28928, @jrajahalme)
  • cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
  • ciliumidentity resiliency improvement (#28912, @tommyp1ckles)
  • cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
  • Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
  • Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
  • Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed.
    Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
  • FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
  • gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
  • gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
  • gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
  • Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
  • Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
  • hubble-relay: Add support for peers joining during requests (#29326, @glrf)
  • Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
  • hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
  • hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
  • Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
  • init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
  • Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
  • metric: provide way to declare labels. (#27835, @tommyp1ckles)
  • mutual-auth: Bump spire image version (#29101, @sayboras)
  • Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
  • pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
  • policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (#28704, @nathanjsweet)
  • Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
  • Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
  • Replace etcd init script used for clustermesh with a Go equivalent.
    Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
  • Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
  • Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
  • show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
  • When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:

  • "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (#29020, @jrajahalme)
  • ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29307, @ti-mo)
  • bpf: Add TC_ACT_REDIRECT check for nodeport (#28927, @sayboras)
  • bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (#28813, @oblazek)
  • bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (#28959, @julianwiedmann)
  • Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (#29335, @gandro)
  • datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
  • Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (#28264, @aspsk)
  • egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
  • egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes packets to egress gw and bypass the egress GW policy (#29379, @ysksuzuki)
  • endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
  • endpointmanager: unmap ip for lookup (#29554, @tklauser)
  • Fix external workloads not working with non-default ClusterID (#29378, @giorio94)
  • Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
  • Fix source identity determination for DSR with Geneve-dispatch, by looking it up from the ipcache. (#29155, @chez-shanpu)
  • Fix the Created timestamps in cilium bpf nat list that used to display the same values. (#27062, @gentoo-root)
  • Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (#29248, @aanm)
  • Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
  • gateway-api: add watch for reference grant in TLSRoute reconciler (#29007, @mhofstetter)
  • gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (#29115, @sayboras)
  • gateway: Ignore loadbalancer class for Gateway service (#29547, @sayboras)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (#29182, @viktor-kurchenko)
  • ingress: cleanup resources on changed ingress class field (#28886, @mhofstetter)
  • ingress: fix foreground deletion of Ingress (#29367, @mhofstetter)
  • Install loopback CNI atomically to protect against aborted copy (#29462, @akhilles)
  • ipam: Fix bug where IP lease did not expire (#29443, @gandro)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (#29310, @julianwiedmann)
  • k8s ingress & gateway api: fix unintentional deletion of shared envoy cluster resource (#28896, @mhofstetter)
  • l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
  • lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
  • neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
  • Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (#29340, @aanm)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
  • statedb: Fix termination of string and IP keys (#29368, @joamaki)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (#29160, @julianwiedmann)

CI Changes:


1.14.4

14 Nov 13:38
v1.14.4

We are pleased to release Cilium v1.14.4. This release includes several network policy performance improvements, improvements and fixes for IPsec, and numerous bug fixes and architectural improvements.

Summary of Changes

Minor Changes:

  • certmanager: solve CannotRegenerateKey (Backport PR #29030, Upstream PR #28787, @universam1)
  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29086, Upstream PR #28928, @jrajahalme)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28980, Upstream PR #28382, @derailed)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (Backport PR #28759, Upstream PR #28640, @pchaigno)
  • helm: delete AWS iptables in all deployments aside from AWS CNI chaining environments (Backport PR #28870, Upstream PR #28697, @nebril)
  • ipsec: New Prometheus metrics for XFRM configs (Backport PR #28759, Upstream PR #28400, @pchaigno)
  • policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (Backport PR #29030, Upstream PR #28704, @nathanjsweet)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28759, Upstream PR #28703, @nathanjsweet)
  • v1.14: WG tunneling (#28917, @brb)

Bugfixes:

  • bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29030, Upstream PR #28927, @sayboras)
  • Don't bind a /64 address to cilium_host to avoid misrouting cross-node traffic (Backport PR #28759, Upstream PR #28633, @CallMeFoxie)
  • envoy: fix lb backend endpoint calculation (Backport PR #28870, Upstream PR #27923, @mhofstetter)
  • Fix CIDR labels computation (Backport PR #28870, Upstream PR #28788, @pippolo84)
  • Fix concurrency issue when changing labels on pods started before Cilium setup their network. Cilium will now process pod labels modified while setting up the pod network. (Backport PR #28870, Upstream PR #28789, @aanm)
  • Fix false positives of 'Key allocation attempt failed' in CRD mode (Backport PR #29064, Upstream PR #28810, @aanm)
  • Fix incorrect logic used by the Ingress Controller to sync Cilium's IngressClass on startup. (Backport PR #28870, Upstream PR #28663, @learnitall)
  • Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29030, Upstream PR #28642, @pchaigno)
  • Fix issue causing KVStoreMesh metrics to be included in the dedicated Service/ServiceMonitor when KVStoreMesh is disabled (Backport PR #28759, Upstream PR #28481, @giorio94)
  • fix: Correct spire labels indentation in helm chart (Backport PR #28759, Upstream PR #28610, @sayboras)
  • Fixed cilium-operator deleting the cilium-ingress CEC when other IngressClass resources are created (Backport PR #28759, Upstream PR #28638, @chaunceyjiang)
  • Improved event handling for pod events by removing an unnecessary early return, allowing unrelated components to execute correctly, while enhancing ipcache error logging. (Backport PR #29030, Upstream PR #28840, @aanm)
  • ingress: cleanup resources on changed ingress class field (Backport PR #29030, Upstream PR #28886, @mhofstetter)
  • Print full labelset for all identities in 'cilium ip list' output (Backport PR #28759, Upstream PR #28425, @joestringer)
  • Remove AWS-CONNMARK-CHAIN iptable rules when running in ENI mode. (Backport PR #28759, Upstream PR #28676, @nebril)
  • spire: add scheduling configurations to helm-chart (Backport PR #28759, Upstream PR #27229, @tvonhacht-apple)
  • When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed. (Backport PR #28870, Upstream PR #28857, @julianwiedmann)

CI Changes:

  • [v1.14] Use pull_request_target in Update Backport Label workflow (#29009, @pippolo84)
  • ci: disable envoy tracing in multi-pool workflow (Backport PR #29030, Upstream PR #28966, @tklauser)
  • gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29030, Upstream PR #28808, @brb)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28870, Upstream PR #28767, @giorio94)

Misc Changes:

  • bpf: lb: fix missing drop reason in reverse_map_l4_port() (Backport PR #29030, Upstream PR #28884, @julianwiedmann)
  • bpf: lxc: remove stale ENABLE_IDENTITY_MARK ifdefs (Backport PR #28759, Upstream PR #28391, @julianwiedmann)
  • bugtool: Collect XFRM error counters twice (Backport PR #28870, Upstream PR #28790, @pchaigno)
  • chore(deps): update all github action dependencies (v1.14) (minor) (#29010, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#28733, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#28734, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#28867, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.11 (v1.14) (#28735, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.12 (v1.14) (#28998, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.4 (v1.14) (#28739, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 91ca472 (v1.14) (#28731, @renovate[bot])
  • chore(deps): update go to v1.20.11 (v1.14) (patch) (#29044, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231106.012832 (v1.14) (#28999, @renovate[bot])
  • ci: Bump timeout on ci-runtime privileged workflow (Backport PR #29030, Upstream PR #28923, @jrajahalme)
  • datapath: Move linuxNodeHandler IPsec functions to their own file (Backport PR #29030, Upstream PR #28941, @pchaigno)
  • doc: Add roadmap for mutual authentication (Backport PR #29030, Upstream PR #29006, @tgraf)
  • docs: Clarify BPF Map Pressure Metric (Backport PR #28759, Upstream PR #28682, @nathanjsweet)
  • docs: Update IPsec key rotation command (Backport PR #28759, Upstream PR #28141, @jschwinger233)
  • go.mod, vendor: use github.com/cilium/dns fork directly (Backport PR #29086, Upstream PR #27582, @tklauser)
  • Improve deletion of stale backends associated with non-global services, without waiting for full Cluster Mesh synchronization (Backport PR #29030, Upstream PR #28745, @giorio94)
  • ipsec: Improve encrypt flush command (Backport PR #29030, Upstream PR #28795, @pchaigno)
  • ipsec: Remove dead code for IPsec node encryption (Backport PR #29030, Upstream PR #28898, @pchaigno)
  • labels/cidr: Memoize labels for already seen prefixes (Backport PR #28870, Upstream PR #28465, @pippolo84)
  • labels/cidr: On the fly char replacement for IPv6 (Backport PR #29021, Upstream PR #28647, @pippolo84)
  • labels: Use slices.Sort instead of sort.Strings (Backport PR #29021, Upstream PR #28649, @pippolo84)
  • pkg/allocator: store key in variable for error message (Backport PR #29064, Upstream PR #29076, @aanm)
  • Update the clustermesh troubleshooting guide (Backport PR #28759, Upstream PR #26798, @giorio94)

Other Changes:

1.13.9

14 Nov 13:35
v1.13.9

We are pleased to release Cilium v1.13.9. This release includes several network policy performance improvements, improvements and fixes for IPsec, and numerous bug fixes and architectural improvements.

Summary of Changes

Minor Changes:

  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29089, Upstream PR #28928, @jrajahalme)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28932, Upstream PR #28382, @derailed)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (Backport PR #28761, Upstream PR #28640, @pchaigno)
  • ipsec: New Prometheus metrics for XFRM configs (Backport PR #28761, Upstream PR #28400, @pchaigno)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28761, Upstream PR #28703, @nathanjsweet)

Bugfixes:

  • [v1.13] Remove remote-node labels from ipcache on node delete (#28972, @tklauser)
  • bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29034, Upstream PR #28927, @sayboras)
  • envoy: fix lb backend endpoint calculation (Backport PR #28877, Upstream PR #27923, @mhofstetter)
  • Fix CIDR labels computation (Backport PR #28877, Upstream PR #28788, @pippolo84)
  • Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29034, Upstream PR #28642, @pchaigno)
  • When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed. (Backport PR #28877, Upstream PR #28857, @julianwiedmann)

CI Changes:

  • [v1.13] Use pull_request_target in Update Backport Label workflow (#29011, @pippolo84)
  • gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29034, Upstream PR #28808, @brb)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28877, Upstream PR #28767, @giorio94)

Misc Changes:

Other Changes:

1.12.16

14 Nov 13:34
v1.12.16

We are pleased to release Cilium v1.12.16. This release includes several network policy performance improvements, improvements and fixes for IPsec, and numerous bug fixes and architectural improvements.

Summary of Changes

Minor Changes:

  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29090, Upstream PR #28928, @jrajahalme)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28977, Upstream PR #28382, @derailed)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (Backport PR #28762, Upstream PR #28640, @pchaigno)
  • ipsec: New Prometheus metrics for XFRM configs (Backport PR #28762, Upstream PR #28400, @pchaigno)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28762, Upstream PR #28703, @nathanjsweet)

Bugfixes:

  • bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29035, Upstream PR #28927, @sayboras)
  • Fix CIDR labels computation (Backport PR #28893, Upstream PR #28788, @pippolo84)
  • Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29035, Upstream PR #28642, @pchaigno)

CI Changes:

  • [v1.12] Use pull_request_target in Update Backport Label workflow (#29012, @pippolo84)
  • gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29035, Upstream PR #28808, @brb)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28893, Upstream PR #28767, @giorio94)

Misc Changes:

Other Changes:

1.15.0-pre.2

31 Oct 17:13
v1.15.0-pre.2
Pre-release

Summary of Changes

Major Changes:

  • Support BGP passwords in the Go BGP implementation. (#23759, @dgl)

Minor Changes:

  • Add flows per second information to Hubble status (#28205, @glrf)
  • add Ingress controller proxy protocol support (#28194, @zetaab)
  • Add option to redact http headers (#26724, @ChrsMark)
  • Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. (#28419, @marseel)
  • Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. The metric keeps track of the number of peers for each possible connection status. (#28217, @siwiutki)
  • Added new ingress.cilium.io/ssl-passthrough annotation for Ingress objects (#28751, @youngnick)
  • Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors (#28125, @rbankston)
  • Auth map garbage collection will trigger if last local endpoint of a security identity was removed (#27697, @meyskens)
  • BGPv1: Set R-bit in graceful restart capability negotiation. (#28293, @ArsenyBelorukov)
  • bpf: static data: use inline asm to access static data (#27589, @ti-mo)
  • certmanager: solve CannotRegenerateKey (#28787, @universam1)
  • cilium ingress should have an option to set the number of trusted loadbalancer hops (#27952, @chaunceyjiang)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (#28382, @derailed)
  • cmd: Disable local node routes when endpoint routes are enabled (#28324, @gandro)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (#28640, @pchaigno)
  • docs: remove annotations-based l7 visibility (#28449, @networkop)
  • EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. (#26215, @jibi)
  • ENI: fix calculateExcessIPs over-counting excess IPs (#28467, @wu0407)
  • envoy: Bump envoy version to v1.27.1 (#28531, @sayboras)
  • envoy: Bump envoy version to v1.27.2 (#28671, @mhofstetter)
  • fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode (#28452, @bittermandel)
  • gateway-api: Support GRPCRoute resource (#28654, @sayboras)
  • gateway-api: Add support for multiple request mirrors (#28342, @sayboras)
  • gateway-api: Bump the version to v1.0.0-rc1 (#28757, @sayboras)
  • helm: delete AWS iptables in all deployments aside from AWS CNI chaining environments (#28697, @nebril)
  • Ignore Indexed Job-specific label (batch.kubernetes.io/job-completion-index) by default for CID creation. (#28897, @tosi3k)
  • Improve cilium-agent bootstrap time when using cluster-pool ipam. (#28354, @marseel)
  • Improve helm validation for clustermesh, and allow creating the clustermesh configuration also in kvstore mode (#28763, @giorio94)
  • Improve the usability of the cilium policy selectors command by including the policy name and namespace in order to easily understand which selector comes from what policy (#27838, @christarazi)
  • ipam/multipool: Introduce specific ip family annotations for specifying ip pools (#28244, @hargrovee)
  • ipsec: New Prometheus metrics for XFRM configs (#28400, @pchaigno)
  • metrics: add bpf_map_capacity metric which provides max size of maps (#28146, @tommyp1ckles)
  • metrics: Add map pressure metric for auth map (#28357, @sayboras)
  • Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (#28126, @jrajahalme)
  • pkg/labels: print all leaf CIDRs, not just the last one. (#28224, @squeed)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (#28703, @nathanjsweet)
  • Reduce "stale identity observed" warnings (#27894, @leblowl)
  • Remove deprecated policy_import_errors_total metric (#28423, @tklauser)
  • Rename the CLI for local Cilium API access to 'cilium-dbg' (#28085, @joestringer)
  • Replace LB-IPAM IP allocator to remove limitations and enable additional features (#26488, @dylandreimerink)
  • Structured Health Reporter + EndpointManager Modular Health Checks (#27522, @tommyp1ckles)

Bugfixes:

  • Always replace the cilium_call_* tail call map during upgrade/restart to avoid "Missed tail call" errors (#28740, @ti-mo)
  • backporting: Revert changes until the new workflow will be in place (#28371, @pippolo84)
  • bpf: fixes an issue where inserting inner maps into an outer may fail with EINVAL due to flags mismatch (#28710, @ldelossa)
  • bpf: overlay: fix missing DBG_DECAP for Inter-Cluster-SNAT (#28466, @julianwiedmann)
  • Don't bind a /64 address to cilium_host to avoid misrouting cross-node traffic (#28633, @CallMeFoxie)
  • Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config (#28142, @rawmind0)
  • envoy: fix lb backend endpoint calculation (#27923, @mhofstetter)
  • Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (#28258, @pchaigno)
  • Fix CIDR labels computation (#28788, @pippolo84)
  • Fix concurrency issue when changing labels on pods started before Cilium set up their network. Cilium will now process pod labels modified while setting up the pod network. (#28789, @aanm)
  • Fix Helm rendering for dashboards.enabled=true (#28542, @bakito)
  • Fix incorrect logic used by the Ingress Controller to sync Cilium's IngressClass on startup. (#28663, @learnitall)
  • Fix issue causing KVStoreMesh metrics to be included in the dedicated Service/ServiceMonitor when KVStoreMesh is disabled (#28481, @giorio94)
  • Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (#28417, @ti-mo)
  • Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #28500, Upstream PR #28417, @ti-mo)
  • fix: Correct spire labels indentation in helm chart (#28610, @sayboras)
  • Fix: Gateway API double slash while stripping path prefix (#28294, @nxy7)
  • Fixed cilium-operator deleting the cilium-ingress CEC when other IngressClass resources are created (#28638, @chaunceyjiang)
  • gateway-api: fix empty URI when removing path prefix (#28606, @dddddai)
  • helm: Correct command for initContainer config (#28613, @sayboras)
  • Improved event handling for pod events by removing an unnecessary early return, allowing unrelated components to execute correctly, while enhancing ipcache error logging. (#28840, @aanm)
  • ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (#28332, @squeed)
  • pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (#28364, @aanm)
  • Print full labelset for all identities in 'cilium ip list' output (#28425, @joestringer)
  • Remove AWS-CONNMARK-CHAIN iptable rules when running in ENI mode. (#28676, @nebril)
  • resource: Fix race condition in handling of Kubernetes object delete event retrying. In the very rare case when an object was created, deleted and re-created with the same name and the handling of the first deletion failed, the handling of delete event may have been retried even though the object was re-created. Only affected features using the Resource-library (LB IPAM, Mutual Auth and ClusterMesh). (#27340, @joamaki)
  • srv6: modify h.encap location in the datapath to avoid incompatibility with IPv4Masq (#28817, @ldelossa)
  • When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed. (#28857, @julianwiedmann)

CI Changes:

  • .github: bump k8s version from v1.28.0 -> v1.28.2. (#28664, @tommyp1ckles)
  • .github: re-use common helm values from a single action (#28180, @aanm)
  • Add initial, in-progress workflow for automated scale testing (#28362, @learnitall)
  • Add time wrapper to test agent delays in CI (#27253, @joestringer)
  • bgpv1,ci: Fix BGP component tests reusing the same VirtualRouter config (#28420, @rastislavs)
  • ci: Add a workflow to update labels of backported PRs (#27875, @pippolo84)
  • ci: Avoid using deprecated "tunnel" flag (#28323, @gandro)
  • ci: Enable link checker to ensure that all links in documentation are valid (#27116, @vipul-21)
  • ci: use renovate to upgrade Helm in ginkgo tests (#28777, @nebril)
  • Correctly use cli installer action in ipv4/6 smoke (#28661, @bleggett)
  • Do not hardcode the AWS VPC CNI plugin version in the conformance-aws-cni GHA workflow (#28392, @giorio94)
  • gateway-api: Disable HTTPRouteRequestMultipleMirrors again (#28524, @sayboras)
  • gateway-api: Enable CI for multiple mirror feature (#28838, @sayboras)
  • GHA: Add clustermesh upgrade and downgrade tests (#27232, @giorio94)
  • GHA: correctly test kvstoremesh in conformance-clustermesh (#28434, @giorio94)
  • gha: Disable HTTPRouteRequestMultipleMirrors test (#28396, @sayboras)
  • gha: explicit branch and trigger in ariane-scheduled workflow (#28432, @giorio94)
  • Setup Renovate for SPIRE deployment (#27708, @meyskens)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (#28767, @giorio94)
  • workflows: cilium-config: parametrize egressgw helm values (#28389, @jibi)

Misc Changes:


1.14.3

18 Oct 20:21
v1.14.3

We are pleased to release Cilium v1.14.3. This is a bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487) and other bugs:

Summary of Changes

Minor Changes:

  • bump grpc dependency to 1.56.3 to fix security vulnerability GHSA-qppj-fm5r-hxr3 (#28527, @aanm)
  • Cut Cilium's initialization time for clusters with a large number of Kubernetes and Cilium Network Policies by 90% (Backport PR #28282, Upstream PR #28173, @aanm)
  • endpoint: Only perform the full policy map synchronization periodically (every 15 minutes) to reduce overhead with large endpoint policy maps (Backport PR #28095, Upstream PR #27693, @joamaki)
  • ipam: report IP owner of non-default pool IPs in multi-pool IPAM (Backport PR #28095, Upstream PR #27968, @tklauser)
  • metrics: add a metric for max observed endpoint ifindex (Backport PR #28282, Upstream PR #27953, @asauber)
  • metrics: Add map pressure metric for auth map (Backport PR #28442, Upstream PR #28357, @sayboras)
  • vendor, azure: Bump Azure SDK to Aug 2021 (Backport PR #28330, Upstream PR #28311, @christarazi)

Bugfixes:

  • bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #28123, Upstream PR #27798, @ti-mo)
  • bpf: overlay: fix missing DBG_DECAP for Inter-Cluster-SNAT (Backport PR #28494, Upstream PR #28466, @julianwiedmann)
  • Change routing-mode and tunnel-protocol based on .Values.tunnel and .Values.routingMode (Backport PR #28282, Upstream PR #27841, @macmiranda)
  • datapath: fix NodePort to remote hostns backend with tunnel config (Backport PR #28494, Upstream PR #27323, @michaelasp)
  • envoy: Sync supported resources to fix not found issue (Backport PR #28349, Upstream PR #28272, @sayboras)
  • Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28442, Upstream PR #28258, @pchaigno)
  • fix bug: pull skb data in cil_from_netdev path for HIGH_SCALE_IPCACHE mode (Backport PR #28095, Upstream PR #27913, @sofat1989)
  • Fix Gateway API HttpRoute cannot strip path prefix. (Backport PR #28282, Upstream PR #28018, @chaunceyjiang)
  • Fix hubble metric labeling when only directed Source/Destination Ingress/Egress options are specified. (Backport PR #28095, Upstream PR #27792, @marqc)
  • Fix minor bug where the previous Cilium proxy port was not reused (Backport PR #28127, Upstream PR #27634, @christarazi)
  • Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28282, Upstream PR #28133, @julianwiedmann)
  • Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #28435, Upstream PR #28417, @ti-mo)
  • Fix: Gateway API double slash while stripping path prefix (Backport PR #28442, Upstream PR #28294, @nxy7)
  • Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28282, Upstream PR #27996, @jschwinger233)
  • fqdn proxy: fix data race by using separate sessionUDPFactories (Backport PR #28282, Upstream PR #28163, @mhofstetter)
  • ipam/multipool: Fix bug where allocator was unable to update CiliumNode (Backport PR #28095, Upstream PR #27963, @gandro)
  • ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (Backport PR #28418, Upstream PR #28332, @squeed)
  • Must have port for Service reference (Backport PR #28282, Upstream PR #27959, @chaunceyjiang)
  • pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (Backport PR #28494, Upstream PR #28364, @aanm)
  • pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28095, Upstream PR #27855, @danehans)
  • resource: Fix race condition in handling of Kubernetes object delete event retrying. In the very rare case when an object was created, deleted and re-created with the same name and the handling of the first deletion failed, the handling of delete event may have been retried even though the object was re-created. Only affected features using the Resource-library (LB IPAM, Mutual Auth and ClusterMesh). (Backport PR #28494, Upstream PR #27340, @joamaki)
  • Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport PR #28095, Upstream PR #27908, @julianwiedmann)

CI Changes:

Misc Changes:

  • [Docs] Clarify ClusterMesh troubleshooting steps when KVStoreMesh is enabled (Backport PR #28282, Upstream PR #27691, @weizhoublue)
  • Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (Backport PR #28282, Upstream PR #27870, @joamaki)
  • bugtool: various updates to BPF map dump (Backport PR #28282, Upstream PR #28065, @julianwiedmann)
  • bump k8s dependencies to 1.27.6 (#28560, @aanm)
  • chore(deps): update actions/checkout action to v4 (v1.14) (#27944, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (minor) (#27776, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#28078, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#28209, @renovate[bot])
  • chore(deps): update all github action dependencies to v3 (v1.14) (major) (#28101, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#27942, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#28210, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.14) (#28102, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 6c12a0f (v1.14) (#28075, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 8b7844d (v1.14) (#28196, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.8 (v1.14) (#28211, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.1 (v1.14) (#28521, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.2 (v1.14) (#28566, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.10 docker digest to 098d628 (v1.14) (#28623, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 6e1a67e (v1.14) (#28197, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.14) (#28630, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 990350f (v1.14) (#28579, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (v1.14) (#28384, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (v1.14) (#28076, @renovate[bot])
  • chore(deps): update docker/build-push-action action to v5 (v1.14) (#28093, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 92d40ee (v1.14) (#27941, @renovate[bot])
  • chore(deps): update go to v1.20.10 (v1.14) (patch) (#28515, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.14) (#28082, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.14) (#28538, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.14) (#28569, @renovate[bot])
  • chore(deps): update sigstore/cosign-installer action to v3.1.2 (v1.14) (#27943, @renovate[bot])
  • ci: fix AWS EKS K8s versions comment (Backport PR #28282, Upstream PR #28249, @nbusseneau)
  • docs: Add instructions for running LVH against custom kernel (Backport PR #28349, Upstream PR #28305, @brb)
  • docs: Add Makefile and documentation for "fast" development targets (Backport PR #28095, Upstream PR #27931, @aanm)
  • docs: Add more details for the Cluster Mesh key rotation (Backport PR #28282, Upstream PR #28145, @margamanterola)
  • docs: egressgw: document incompatibility with Clustermesh (Backport PR #28095, Upstream PR #27918, @julianwiedmann)
  • docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28282, Upstream PR #28161, @qmonnet)
  • docs: Mention RouteTableInterfacesOffset in system requiremen...

1.13.8

17 Oct 11:49
v1.13.8

We are pleased to release Cilium v1.13.8. This is a bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487) and other bugs:

Summary of Changes

Minor Changes:

Bugfixes:

  • Add drop notifications from various error paths in the BPF datapath. (Backport PR #28443, Upstream PR #26956, @julianwiedmann)
  • envoy: Sync supported resources to fix not found issue (Backport PR #28350, Upstream PR #28272, @sayboras)
  • Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28443, Upstream PR #28258, @pchaigno)
  • Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28251, Upstream PR #28133, @julianwiedmann)
  • Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28251, Upstream PR #27996, @jschwinger233)
  • ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (Backport PR #28416, Upstream PR #28332, @squeed)
  • pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (Backport PR #28519, Upstream PR #28364, @aanm)
  • pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28103, Upstream PR #27855, @danehans)

CI Changes:

Misc Changes:

  • Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (Backport PR #28251, Upstream PR #27870, @joamaki)
  • bump k8s dependencies to 1.26.9 (#28559, @aanm)
  • chore(deps): update all github action dependencies (v1.13) (patch) (#28106, @renovate[bot])
  • chore(deps): update all github action dependencies to v3 (v1.13) (major) (#28109, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#28107, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#28213, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.13) (#28110, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.1 (v1.13) (#28525, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.2 (v1.13) (#28567, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.10 (v1.13) (#28516, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 6b29720 (v1.13) (#28212, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.13) (#28083, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (v1.13) (#28385, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a903800 (v1.13) (#28581, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (v1.13) (#27897, @renovate[bot])
  • chore(deps): update docker/build-push-action action to v5 (v1.13) (#28111, @renovate[bot])
  • chore(deps): update github/codeql-action action to v2.21.7 (v1.13) (#28214, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#28112, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.13) (#28543, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.13) (#28572, @renovate[bot])
  • ci: fix AWS EKS K8s versions comment (Backport PR #28350, Upstream PR #28249, @nbusseneau)
  • docs: Add more details for the Cluster Mesh key rotation (Backport PR #28251, Upstream PR #28145, @margamanterola)
  • docs: egressgw: document incompatibility with Clustermesh (Backport PR #28103, Upstream PR #27918, @julianwiedmann)
  • docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28251, Upstream PR #28161, @qmonnet)
  • docs: Mention RouteTableInterfacesOffset in system requirements (Backport PR #28443, Upstream PR #28358, @gandro)
  • docs: rephrasing the hubble intro doc (Backport PR #28103, Upstream PR #27712, @vipul-21)
  • docs: Update Sphinx and its dependencies, Cilium theme (Backport PR #28251, Upstream PR #28172, @qmonnet)
  • Fix potential nil pointer dereference in SelectorManager implementation (Backport PR #28103, Upstream PR #27805, @learnitall)
  • fix(deps): update module golang.org/x/net to v0.17.0 [security] (#28551, @aanm)
  • hubble: Remove spammy debug log message on lost events (Backport PR #28103, Upstream PR #25321, @pchaigno)
  • install/kubernetes: add the cilium/values.yaml target to .PHONY (Backport PR #28350, Upstream PR #28225, @nbusseneau)
  • ipsec: Atomically upgrade XFRM states with new output-mark (Backport PR #28519, Upstream PR #28485, @pchaigno)
  • Update docs theme (Backport PR #28443, Upstream PR #28403, @raphink)
  • Update Hubble UI from v0.11.0 to v0.12.1 (#28534, @rolinh)

Other Changes: