Releases: cilium/cilium
1.15.5
We are pleased to announce the release of Cilium v1.15.5.
This release fixes a number of bugs, including port conflicts with the transparent DNS proxy, clustermesh startup issues, and StatefulSet pod restart handling.
Security Advisories
This release addresses the following security vulnerabilities:
Summary of Changes
Minor Changes:
- envoy: Bump go version to 1.22.3 (#32413, @sayboras)
- labels: Add controller-uid into default ignore list (Backport PR #32103, Upstream PR #31964, @sayboras)
Bugfixes:
- Agent: add kubeconfigPath to initContainers (Backport PR #32230, Upstream PR #32008, @darox)
- Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (Backport PR #32384, Upstream PR #32155, @julianwiedmann)
- cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #32418, Upstream PR #32128, @gandro)
- cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #32384, Upstream PR #32244, @learnitall)
- dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #32230, Upstream PR #31999, @gandro)
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #32312, Upstream PR #32270, @jrajahalme)
- envoy: pass idle timeout configuration option to cilium configmap (Backport PR #32230, Upstream PR #32203, @mhofstetter)
- Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport PR #32230, Upstream PR #32116, @julianwiedmann)
- Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (Backport PR #31879, Upstream PR #31539, @giorio94)
- Fix service connection to terminating backend, when the service has no more backends available. (Backport PR #32092, Upstream PR #31840, @julianwiedmann)
- Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (Backport PR #32432, Upstream PR #31605, @christarazi)
- Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #32230, Upstream PR #32168, @squeed)
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #32384, Upstream PR #30548, @squeed)
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #32103, Upstream PR #31959, @marseel)
- Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (Backport PR #32178, Upstream PR #31646, @mhofstetter)
- ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #32230, Upstream PR #32099, @jasonaliyetti)
- loader: sanitize bpffs directory strings for netdevs (Backport PR #32103, Upstream PR #32090, @rgo3)
- Prevent Cilium agents from incorrectly restarting an etcd watch against a different etcd instance. (#32005, @giorio94)
- tables: Sort node addresses also by public vs private IP (Backport PR #32103, Upstream PR #30579, @joamaki)
CI Changes:
- alibabacloud/eni: avoid racing node mgr in test (Backport PR #31967, Upstream PR #31877, @bimmlerd)
- ci: Filter supported versions of AKS (Backport PR #32384, Upstream PR #32303, @marseel)
- ci: Increase timeout for images for l4lb test (Backport PR #32230, Upstream PR #32201, @marseel)
- ci: Set hubble.relay.retryTimeout=5s (Backport PR #32230, Upstream PR #32066, @chancez)
- enable kube cache mutation detector (Backport PR #32230, Upstream PR #32069, @aanm)
- gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (Backport PR #32384, Upstream PR #32347, @giorio94)
- gha: configure fully-qualified DNS names as external targets (Backport PR #32103, Upstream PR #31510, @giorio94)
- gha: drop double installation of Cilium CLI in conformance-eks (Backport PR #32103, Upstream PR #32042, @giorio94)
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #32103, Upstream PR #31958, @giorio94)
- route: dedicated net ns for each subtest of runListRules (Backport PR #32230, Upstream PR #29916, @mhofstetter)
- test: De-flake xds server_e2e_test (Backport PR #32103, Upstream PR #32004, @jrajahalme)
- workflows: Fix CI jobs for push events on private forks (Backport PR #32230, Upstream PR #32085, @pchaigno)
Misc Changes:
- bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (Backport PR #32384, Upstream PR #29803, @julianwiedmann)
- build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #32230, Upstream PR #32176, @dependabot[bot])
- chore(deps): update all github action dependencies (v1.15) (#31954, @renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#32107, @renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#32366, @renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#31993, @renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#32238, @renovate[bot])
- chore(deps): update azure/login action to v2.1.0 (v1.15) (#31994, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.15) (#32365, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to 81811f8 (v1.15) (#31953, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to d83472f (v1.15) (#32257, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.15) (#32364, @renovate[bot])
- chore(deps): update go to v1.21.10 (v1.15) (#32417, @renovate[bot])
- chore(deps): update golangci/golangci-lint-action action to v6 (v1.15) (#32396, @renovate[bot])
- chore(deps): update hubble cli to v0.13.3 (v1.15) (#32108, @renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#31821, @renovate[bot])
- CI: bump default FQDN datapath timeout from 100 to 250ms (Backport PR #32230, Upstream PR #31866, @squeed)
- clustermesh: fix panic if the etcd client cannot be created (Backport PR #32384, Upstream PR #32225, @giorio94)
- docs: Add annotation for Ingress endpoint (Backport PR #32384, Upstream PR #32284, @sayboras)
- docs: add link to sig-policy meeting (Backport PR #32384, Upstream PR #32340, @squeed)
- docs: Clean-up Host Firewall documentation, list known issues (Backport PR #32384, Upstream PR #32267, @qmonnet)
- docs: Fix prometheus port regex (Backport PR #32230, Upstream PR #32030, @JBodkin-Amphora)
- Docs: mark Tetragon as Stable (Backport PR #31967, Upstream PR #31886, @sharlns)
- Document Cluster Mesh global services limitations when KPR=false (Backport PR #31967, Upstream PR #31798, @giorio94)
- endpoint: Skip build queue warning log if context is canceled (Backport PR #32230, Upstream PR #32132, @jrajahalme)
- Fix helm chart incompatible types for comparison (Backport PR #32230, Upstream PR #32025, @lou-lan)
- fqdn: Change error log to warning (Backport PR #32384, Upstream PR #32333, @jrajahalme)
- fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #32384, Upstream PR #32325, @nathanjsweet)
- golangci: Enable errorlint (Backport PR #31783, Upstream PR #31458, @jrajahalme)
- images: Update bpftool, checkpatch images (Backport PR #31896, Upstream PR #31753, @qmonnet)
- Improve release organization page (Backport PR #32103, Upstream PR #31970, @joestringer)
- install/kubernetes: add AppArmor profile to Cilium Daemonset (Backport PR #32384, Upstream PR #32199, @aanm)
- install/kubernetes: update nodeinit image to latest version (Backport PR #32230, Upstream PR #32181, @tklauser)
- ipsec: Debug info for transient IPsec upgrade drops (Backport PR #32384, Upstream PR #32240, @pchaigno)
- l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport PR #32260, Upstream PR #32200, @mhofstetter)
- Remove aks-preview from AKS workflows (Backport PR #32230, Upstream PR #32118, @marseel)
- Seamlessly downgrade bpf attachments from tcx to tc (Backport PR #32337, Upstream PR #32228, @ti-mo)
Other Changes:
- [1.15] images: update cilium-{runtime,builder} (#32444, @nebril)
- [v1.15-backport] Introduce fromEgressProxyRule (#31922, @jschwinger233)
- [v1.15] cilium-dbg: remove section with unknown health status. (#31905, @tommyp1ckles)
- [v1.15] proxy: skip rule removal if address family is not supported (#32007, @rgo3)
- envoy: Bump envoy version to v1.27.5 (#32077, @sayboras)
- envoy: Update envoy 1.27.x to 1.28.3 (#32149, @sayboras)
- fix k8s versions tested in CI (#31965, @nbusseneau)
- install: Update image digests for v1.15.4 (#31915, @asauber)
v1.15.5
Docker Manifests
cilium
quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
quay.io/cilium/cilium:stable@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.15.5@sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7
quay.io/cilium/clustermesh-apiserver:stable@sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7
docker-plugin
quay.io/cilium/docker-plugin:v1.15.5@sha256:c301dc000eff2940a82fc51f4a937793fa3a7212d77000a5aa06ae6116032437
quay.io/cilium/docker-plugin:stable@sha256:c301dc000eff2940a82fc51f4a937793fa3a7212d77000a5aa06ae6116032437
##...
1.14.11
We are pleased to release Cilium v1.14.11.
This release reduces pressure on the BPF connection tracking and NAT maps, and brings fixes for failing service connections, HostFirewall policy updates and more.
Security Advisories
This release addresses the following security vulnerabilities:
Summary of Changes
Minor Changes:
- envoy: Bump go version to 1.21.10 (#32414, @sayboras)
- Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (Backport PR #31797, Upstream PR #31082, @julianwiedmann)
Bugfixes:
- Agent: add kubeconfigPath to initContainers (Backport PR #32251, Upstream PR #32008, @darox)
- cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #32419, Upstream PR #32128, @gandro)
- cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #32385, Upstream PR #32244, @learnitall)
- dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #32251, Upstream PR #31999, @gandro)
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #32314, Upstream PR #32270, @jrajahalme)
- envoy: pass idle timeout configuration option to cilium configmap (Backport PR #32251, Upstream PR #32203, @mhofstetter)
- Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport PR #31797, Upstream PR #32116, @julianwiedmann)
- Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #32251, Upstream PR #32168, @squeed)
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #32385, Upstream PR #30548, @squeed)
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #32104, Upstream PR #31959, @marseel)
- ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #32251, Upstream PR #32099, @jasonaliyetti)
- operator: fix errors/warnings metric. (Backport PR #31907, Upstream PR #31214, @tommyp1ckles)
CI Changes:
- alibabacloud/eni: avoid racing node mgr in test (Backport PR #31987, Upstream PR #31877, @bimmlerd)
- ci: Filter supported versions of AKS (Backport PR #32385, Upstream PR #32303, @marseel)
- ci: Increase timeout for images for l4lb test (Backport PR #32251, Upstream PR #32201, @marseel)
- gha: configure fully-qualified DNS names as external targets (Backport PR #32104, Upstream PR #31510, @giorio94)
- gha: drop double installation of Cilium CLI in conformance-eks (Backport PR #32104, Upstream PR #32042, @giorio94)
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #32104, Upstream PR #31958, @giorio94)
- test: De-flake xds server_e2e_test (Backport PR #32104, Upstream PR #32004, @jrajahalme)
- workflows: Fix CI jobs for push events on private forks (Backport PR #32251, Upstream PR #32085, @pchaigno)
Misc Changes:
- bpf: host: restore HostFW for overlay traffic in to-netdev (Backport PR #31797, Upstream PR #31818, @julianwiedmann)
- bpf: tests: don't define HAVE_ENCAP in IPsec tests (Backport PR #31797, Upstream PR #31737, @julianwiedmann)
- build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #32251, Upstream PR #32176, @dependabot[bot])
- chore(deps): update all github action dependencies (v1.14) (#31997, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (#32109, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (#32373, @renovate[bot])
- chore(deps): update all-dependencies (v1.14) (#31996, @renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.16.4 (v1.14) (#32110, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.14) (#32370, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to 81811f8 (v1.14) (#31995, @renovate[bot])
- chore(deps): update go to v1.21.10 (v1.14) (#32368, @renovate[bot])
- chore(deps): update golangci/golangci-lint-action action to v6 (v1.14) (#32397, @renovate[bot])
- chore(deps): update hubble cli to v0.13.3 (v1.14) (#32111, @renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#31823, @renovate[bot])
- CI: bump default FQDN datapath timeout from 100 to 250ms (Backport PR #32251, Upstream PR #31866, @squeed)
- docs: Add annotation for Ingress endpoint (Backport PR #32385, Upstream PR #32284, @sayboras)
- docs: Fix prometheus port regex (Backport PR #32251, Upstream PR #32030, @JBodkin-Amphora)
- Docs: mark Tetragon as Stable (Backport PR #31987, Upstream PR #31886, @sharlns)
- Document Cluster Mesh global services limitations when KPR=false (Backport PR #31987, Upstream PR #31798, @giorio94)
- endpoint: Skip build queue warning log if context is canceled (Backport PR #32251, Upstream PR #32132, @jrajahalme)
- fqdn: Change error log to warning (Backport PR #32385, Upstream PR #32333, @jrajahalme)
- fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #32385, Upstream PR #32325, @nathanjsweet)
- golangci: Enable errorlint (Backport PR #31793, Upstream PR #31458, @jrajahalme)
- Improve release organization page (Backport PR #31987, Upstream PR #31970, @joestringer)
- install/kubernetes: update nodeinit image to latest version (Backport PR #32251, Upstream PR #32181, @tklauser)
- ipsec: Debug info for transient IPsec upgrade drops (Backport PR #32385, Upstream PR #32240, @pchaigno)
- l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport PR #32265, Upstream PR #32200, @mhofstetter)
- Remove aks-preview from AKS workflows (Backport PR #32251, Upstream PR #32118, @marseel)
- Remove cilium/build from codeowners (#32146, @joestringer)
Other Changes:
- [1.14] images: update cilium-{runtime,builder} (#32443, @nebril)
- [1.14] operator: propagate CiliumClusterConfig when in kvstore mode (#32349, @hemanthmalla)
- [v1.14-backport] Introduce fromEgressProxyRule (#31926, @jschwinger233)
- ci: no longer supported v1.25 in GKE (#32183, @marseel)
- envoy: Bump envoy version to v1.27.5 (#32078, @sayboras)
- fix k8s versions tested in CI (#31969, @nbusseneau)
- install: Update image digests for v1.14.10 (#31914, @asauber)
1.13.16
We are pleased to release Cilium v1.13.16.
This release adds Hubble metrics to bugtool, fixes a DNS message timeout in the proxy, patches a memory leak, and more.
Security Advisories
This release addresses the following security vulnerabilities:
Summary of Changes
Minor Changes:
- bugtool: Collect hubble metrics (Backport PR #31887, Upstream PR #31533, @chancez)
- envoy: Bump go version to 1.21.10 (#32415, @sayboras)
- Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (Backport PR #31887, Upstream PR #29581, @xyz-li)
Bugfixes:
- Agent: add kubeconfigPath to initContainers (Backport PR #32252, Upstream PR #32008, @darox)
- cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #32420, Upstream PR #32128, @gandro)
- cni: Allow text-ts log format value (Backport PR #31887, Upstream PR #31686, @sayboras)
- cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #32386, Upstream PR #32244, @learnitall)
- dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #32252, Upstream PR #31999, @gandro)
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #32330, Upstream PR #32270, @jrajahalme)
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #32386, Upstream PR #30548, @squeed)
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #32053, Upstream PR #31959, @marseel)
- ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #32252, Upstream PR #32099, @jasonaliyetti)
- xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #32053, Upstream PR #31061, @sayboras)
CI Changes:
- [v1.13] Go linter fix backport (#31983, @tklauser)
- ci: Filter supported versions of AKS (Backport PR #32386, Upstream PR #32303, @marseel)
- ci: Increase timeout for images for l4lb test (Backport PR #32252, Upstream PR #32201, @marseel)
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #32053, Upstream PR #31958, @giorio94)
- test: De-flake xds server_e2e_test (Backport PR #32053, Upstream PR #32004, @jrajahalme)
- vagrant: bump box versions to pick up Go 1.20.1 (Backport PR #31796, Upstream PR #23983, @tklauser)
- workflows: Fix CI jobs for push events on private forks (Backport PR #32252, Upstream PR #32085, @pchaigno)
Misc Changes:
- [v.13] test: Fix Endpoint Test (#32197, @nathanjsweet)
- [v1.13] endpoint: Fix Endpoint Integration Tests (#32171, @nathanjsweet)
- build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #32252, Upstream PR #32176, @dependabot[bot])
- chore(deps): update all github action dependencies (v1.13) (#32380, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.13.3 (v1.13) (#32446, @renovate[bot])
- chore(deps): update go to v1.21.10 (v1.13) (#32374, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.13.3 (v1.13) (#32379, @renovate[bot])
- chore(deps): update stable lvh-images (v1.13) (patch) (#31831, @renovate[bot])
- cilium-dbg: avoid leaking file resources (Backport PR #31887, Upstream PR #31750, @tklauser)
- command/exec: remove unused (*Cmd).WithFilters method (Backport PR #31887, Upstream PR #25642, @tklauser)
- docs: Fix prometheus port regex (Backport PR #32252, Upstream PR #32030, @JBodkin-Amphora)
- Docs: mark Tetragon as Stable (Backport PR #32053, Upstream PR #31886, @sharlns)
- endpoint: Skip build queue warning log if context is canceled (Backport PR #32252, Upstream PR #32132, @jrajahalme)
- Fix spelling in DNS-based proxy info (Backport PR #31887, Upstream PR #31728, @saintdle)
- fqdn: Change error log to warning (Backport PR #32386, Upstream PR #32333, @jrajahalme)
- fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #32386, Upstream PR #32325, @nathanjsweet)
- golangci: Enable errorlint (Backport PR #31796, Upstream PR #31458, @jrajahalme)
- Improve release organization page (Backport PR #32053, Upstream PR #31970, @joestringer)
- install/kubernetes: update nodeinit image to latest version (Backport PR #32252, Upstream PR #32181, @tklauser)
- ipsec: Debug info for transient IPsec upgrade drops (Backport PR #32386, Upstream PR #32240, @pchaigno)
- Move governance docs to the Cilium community repo (Backport PR #31887, Upstream PR #31692, @katiestruthers)
- Remove aks-preview from AKS workflows (Backport PR #32252, Upstream PR #32118, @marseel)
- Remove Hubble-OTel from the roadmap (Backport PR #31887, Upstream PR #31847, @xmulligan)
Other Changes:
- [v1.13-backport] Introduce fromEgressProxyRule (#31928, @jschwinger233)
- ci: no longer supported v1.25 in GKE (#32182, @marseel)
- envoy: Bump envoy version to v1.27.5 (#32079, @sayboras)
- fix k8s versions tested in CI (#31968, @nbusseneau)
- install: Update image digests for v1.13.15 (#31913, @asauber)
1.16.0-pre.2
Summary of Changes
Major Changes:
- Add Kubernetes EndpointSlice synchronization from Cilium clustermesh (#28440, @MrFreezeex)
- iptables: Add rules runtime reconciliation (#31372, @pippolo84)
- k8s: Add support for Kubernetes 1.30.0 (#31687, @christarazi)
- Support CEL expressions in hubble flow filters (#31070, @chancez)
Minor Changes:
- "cilium-dbg map get ..." can now be called on BPF maps without cache (#31620, @AwesomePatrol)
- Add clustermesh hostname endpointslice synchronization (#31814, @MrFreezeex)
- Add option to automatically discover k8sServiceHost and k8sServicePort info (kubeadm clusters only) (#31885, @kreeuwijk)
- Add option to disable ExternalIP mitigation (CVE-2020-8554). (#31513, @kvaster)
- Add support for deploying clustermesh-apiserver with multiple replicas for high availability. (#31677, @thorn3r)
- Added source pod metadata to generated L7 DNS visibility policies. (#32166, @nebril)
- Adds IPv6Pool field to the spec of the CiliumNodes CRD to list the IPv6 addresses available to the node for allocation. Adds IPv6Used field to the status of the CiliumNodes CRD to list all IPv6 addresses from ciliumnodes.spec.ipam.ipv6pool which have been allocated and are in use. (#31143, @danehans)
- Adds service_implementation_delay metric accounting the duration in seconds to propagate the data plane programming of a service, its network and endpoints from the time the service or the service pod was changed, excluding the event queue latency (#32055, @ovidiutirla)
- bpf: WireGuard: detect tunnel traffic in native-routing mode (#31586, @julianwiedmann)
- Configure restrictive security contexts by default for clustermesh-apiserver containers (#31540, @giorio94)
- daemon: Do not require NodePort for WireGuard (#32249, @brb)
- datapath: Move WG skb mark check to to-netdev (#31751, @brb)
- egressgw: remove deprecated install-egress-gateway-routes option (#32105, @julianwiedmann)
- envoy: Bump envoy image for golang 1.22.2 (#31774, @sayboras)
- envoy: Bump envoy minor version to v1.29.x (#31571, @sayboras)
- envoy: Bump envoy version to v1.28.2 (#31810, @sayboras)
- envoy: Update envoy 1.29.x to v1.29.4 (#32137, @sayboras)
- Expose clustermesh-apiserver version through a dedicated command, and as part of logs (#32165, @giorio94)
- Feat add nodePort.addresses value to set nodeport-addresses in the cilium configmap (#31672, @eyenx)
- Fix LRP error cases where node-local redirection was erroneously skipped. Extend LRP spec in order for users to explicitly skip node-local redirection from LRP selected backend pods. (#26144, @aditighag)
- Forcefully terminate stale sockets in the host netns connected to deleted LRP backends when socket-lb is enabled, and allow applications to re-connect to active LRP backends. (#32074, @aditighag)
- gateway-api: appProtocol support (GEP-1911) (#31310, @rauanmayemir)
- gateway-api: Sync up with upstream (#31806, @sayboras)
- helm: Cleanup old k8s version check and deprecated attributes (#31940, @sayboras)
- Helm: possibility to install operator as standalone app (#32019, @balous)
- helm: Remove deprecated option containerRuntime.integration (#31942, @sayboras)
- hubble/correlation: Support deny policies (#31544, @gandro)
- Hubble: add possibility to export flows to container logs (#31422, @siegmund-heiss-ich)
- hubble: add trace reason support in hubble flows (#31226, @kaworu)
- hubble: support drop_reason_desc in flow filter (#32135, @chaunceyjiang)
- install/kubernetes: add extraInitContainers (#32245, @bewing)
- ipset: Rework the reconciler to use batch ops (#31638, @pippolo84)
- labels: Add controller-uid into default ignore list (#31964, @sayboras)
- loader: attach programs using tcx (#30103, @rgo3)
- Make endpointslice clustermesh syncing opt-out for headless services (#32021, @MrFreezeex)
- Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (#31082, @julianwiedmann)
- StateDB based Health (#30925, @tommyp1ckles)
- Support configuring TLS for hubble metrics server (#31973, @chancez)
- WireGuard: Deprecate userspace fallback (#31867, @gandro)
Bugfixes:
- Agent: add kubeconfigPath to initContainers (#32008, @darox)
- Avoid drops with "CT: Unknown L4 protocol" for non-ICMP/TCP/UDP traffic, caused by an error check in the BPF NAT engine. (#31820, @julianwiedmann)
- daemon: Run conntrack GC after Endpoint Restore (#32012, @joestringer)
- dnsproxy: Fix bug where DNS request timed out too soon (#31999, @gandro)
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (#32270, @jrajahalme)
- envoy: pass idle timeout configuration option to cilium configmap (#32203, @mhofstetter)
- Fix azure ipam flake caused by instance resync race condition. (#31580, @tommyp1ckles)
- Fix bpf_sock compilation for ipv6-only (#30553, @alexferenets)
- Fix failing service connections, when the service requests are transported via cilium's overlay network. (#32116, @julianwiedmann)
- Fix incorrect reporting of the number of etcd lock leases in cilium-dbg status. (#31781, @giorio94)
- Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (#31539, @giorio94)
- Fix service connection to terminating backend, when the service has no more backends available. (#31840, @julianwiedmann)
- Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (#32239, @thorn3r)
- Fixed a race condition in service updates for L7 LB. (#31744, @jrajahalme)
- Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (#32168, @squeed)
- Fixes a route installing issue which may cause troubles for cilium downgrade. (#31716, @jschwinger233)
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (#30548, @squeed)
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (#31959, @marseel)
- fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31784, @nathanjsweet)
- Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (#31646, @mhofstetter)
- ingress: Set the default value for max_stream_timeout (#31514, @tskinn)
- Introduce fromEgressProxyRule (#31923, @jschwinger233)
- ipam: retry netlink.LinkList call when setting up ENI devices (#32099, @jasonaliyetti)
- loader: sanitize bpffs directory strings for netdevs (#32090, @rgo3)
- Only read the relevant parts of secrets for originatingTLS (ca.crt) and terminatingTLS (tls.crt, tls.key) blocks in Cilium L7 policies. Fixes a bug where a ca.crt key in a secret passed to terminatingTLS incorrectly configures Envoy to require a client certificate on TLS connections from pods. Previous behavior can be restored with the --use-full-tls-context=true agent flag. (#31903, @JamesLaverack)
CI Changes:
- .github: Add workflow telemetry (#32037, @joestringer)
- .github: Pretty-print gateway API test results (#32039, @joestringer)
- alibabacloud/eni: avoid racing node mgr in test (#31877, @bimmlerd)
- ariane: Fix detection of changes to nat46x64 tests (#32070, @joestringer)
- ci-e2e-upgrade: Disable ingress-controller and bpf.tproxy=true (#31917, @brb)
- ci-e2e-upgrade: Make it stable (#31895, @brb)
- ci-l4lb: Remove unnecessary untrusted checkout (#32071, @joestringer)
- ci: Add matrix for bpf.tproxy and ingress-controller (#31875, @sayboras)
- ci: Filter supported versions of AKS (#32303, @marseel)
- ci: Fix typo on "Ginkgo" (#32317, @qmonnet)
- ci: Increase timeout for images for l4lb test (#32201, @marseel)
- ci: only install llvm/clang and ginkgo for ginkgo test suite changes (#32309, @tklauser)
- ci: remove build artifacts in integration tests to prevent space issues (#32050, @giorio94)
- ci: run privileged unit tests only once (#31779, @tklauser)
- ci: Set hubble.relay.retryTimeout=5s (#32066, @chancez)
- ci: use base and head SHAs from context in lint-build-commits workflow (#32140, @tklauser)
- CODEOWNERS: Remove the catch-all rule (#32174, @michi-covalent)
- Don't cache LLVM in the CI to resolve disk space issues. (#32045, @gentoo-root)
- enable kube cache mutation detector (#32069, @aanm)
- Fix ipset reconciler unit tests (#31836, @pippolo84)
- fix k8s versions tested in CI (#31966, @nbusseneau)
- Fix node throughput (#31825, @marseel)
- Fix sysctl reconciler unit tests (#31833, @pippolo84)
- gha: configure fully-qualified DNS names as external targets (#31510, @giorio94)
- gha: drop double installation of Cilium CLI in conformance-eks (#32042, @giorio94)
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (#31958, @giorio94)
- Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (#31424, @learnitall)
- Move cilium/hubble code to cilium/cilium repo (#31893, @michi-covalent)
- Remove ariane scheduled workflows for 1.12 (#32126, @marseel)
- Revert "test: Disable hostfw in monitor aggregation test" (#32315, @qmonnet)
- Scrape pprofs in 100 node scale test workflow for extra debugging information (#32056, @learnitall)
- Simplify NAT46x64,recorder tests (#32068, @joestringer)
- Spread ariane-scheduled workflows over multiple hours (#32142, @marseel)
- Test endpoint slice synchronization as part of the Conformance Cluster Mesh workflow (#31551, @giorio94)
- Test IPsec + KPR (#31760, @pchaigno)
- test/helpers: Skip CiliumUninstall if not installed (#32272, @joestringer)
- test: De-flake xds server_e2e_test (#32004, @jrajahalme)
- test: Remove redundant IPsec test (#31759, @pchaigno)
- test: remove unused assertion helpers (#32157, @tklauser)
- Use Clang from cilium-builder image to build BPF code in CI (#3...
1.15.4
We are pleased to announce the release of Cilium v1.15.4.
This release includes the option to configure Node map size, additional detail when using cilium-dbg bpf metrics list, a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map, and performance improvements to the Connection Tracking implementation. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm.
Summary of Changes
Minor Changes:
- Add "node-map-max" to allow configuring nodemap size. (Backport PR #31727, Upstream PR #31407, @tommyp1ckles)
- Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (Backport PR #31558, Upstream PR #30972, @ti-mo)
- bugtool: Collect hubble metrics (Backport PR #31890, Upstream PR #31533, @chancez)
- feat: Add the http return code to metric api_processed_total (Backport PR #31890, Upstream PR #31227, @vipul-21)
- Fix overlapping keys in the agent-side service BPF map cache used for retries. In rare cases this bug may have caused the retry of a failed BPF map update for a service entry to be skipped, leaving the entry missing. This may have, for example, adversely affected recovery from a full BPF service map after excess services were removed. (Backport PR #31890, Upstream PR #29581, @xyz-li)
- Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (Backport PR #31785, Upstream PR #31082, @julianwiedmann)
Bugfixes:
- Avoid drops with "CT: Unknown L4 protocol" for non-ICMP/TCP/UDP traffic, caused by an error check in the BPF NAT engine. (Backport PR #31890, Upstream PR #31820, @julianwiedmann)
- cilium-health: Fix broken retry loop in `cilium-health-ep` controller (Backport PR #31727, Upstream PR #31622, @gandro)
- cni: Allow text-ts log format value (Backport PR #31890, Upstream PR #31686, @sayboras)
- Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and `--devices` provided. (Backport PR #31601, Upstream PR #31345, @pchaigno)
- Fix incorrect reporting of the number of etcd lock leases in cilium-dbg status. (Backport PR #31890, Upstream PR #31781, @giorio94)
- fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR #31727, Upstream PR #31104, @tamilmani1989)
- Fixed a race condition in service updates for L7 LB. (Backport PR #31860, Upstream PR #31744, @jrajahalme)
- fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31870, @nathanjsweet)
- fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (Backport PR #31727, Upstream PR #31328, @nathanjsweet)
- gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (Backport PR #31769, Upstream PR #30686, @cjvirtucio87)
- gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (Backport PR #31769, Upstream PR #31361, @chaunceyjiang)
- gateway-api: shorten the length of the value of the svc's label. (Backport PR #31769, Upstream PR #31292, @chaunceyjiang)
- ingress/gateway-api: sort virtual hosts in CEC (Backport PR #31739, Upstream PR #31493, @mhofstetter)
- ingress/gateway-api: stable envoy listener filterchain sort-order (Backport PR #31601, Upstream PR #31572, @mhofstetter)
- metric: Avoid memory leak/increase in cilium-agent (Backport PR #31890, Upstream PR #31714, @sayboras)
CI Changes:
- ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR #31727, Upstream PR #31594, @qmonnet)
- ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31727, Upstream PR #31652, @qmonnet)
- deflake endpointmanager tests (Backport PR #31601, Upstream PR #31488, @bimmlerd)
- gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR #31428, Upstream PR #29704, @brb)
- Make BPF unit tests reproducible (Backport PR #31663, Upstream PR #31526, @ti-mo)
- Make testdata build output more stable by reducing header includes (Backport PR #31663, Upstream PR #31644, @ti-mo)
- update azure k8s versions (Backport PR #31890, Upstream PR #31220, @brlbil)
- workflows: Debug info for key rotations (Backport PR #31727, Upstream PR #31627, @pchaigno)
- workflows: ipsec-e2e: add missing key types for some configs (Backport PR #31727, Upstream PR #31636, @julianwiedmann)
Misc Changes:
- bitlpm: Document and Fix Descendants Bug (Backport PR #31890, Upstream PR #31851, @nathanjsweet)
- bpf: host: restore HostFW for overlay traffic in to-netdev (Backport PR #31785, Upstream PR #31818, @julianwiedmann)
- bpf: tests: don't define HAVE_ENCAP in IPsec tests (Backport PR #31785, Upstream PR #31737, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.15) (#31822, @renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#31698, @renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.15) (#31703, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.4 (v1.15) (#31674, @renovate[bot])
- chore(deps): update docker/setup-buildx-action action to v3.3.0 (v1.15) (#31828, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (v1.15) (#31747, @renovate[bot])
- chore(deps): update go to v1.21.9 (v1.15) (#31764, @renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#31704, @renovate[bot])
- cilium-dbg: avoid leaking file resources (Backport PR #31890, Upstream PR #31750, @tklauser)
- docs: Document `No node ID found` drops in case of remote node deletion (Backport PR #31727, Upstream PR #31635, @pchaigno)
- docs: ipsec: document native-routing + Egress proxy case (Backport PR #31727, Upstream PR #31478, @julianwiedmann)
- Fix spelling in DNS-based proxy info (Backport PR #31890, Upstream PR #31728, @saintdle)
- helm: update nodeinit image using renovate (Backport PR #31727, Upstream PR #31641, @tklauser)
- ingress: sort all shared ingresses during model generation (Backport PR #31727, Upstream PR #31494, @mhofstetter)
- loader: refactor/cleanup replaceNetworkDatapath (Backport PR #31663, Upstream PR #29825, @rgo3)
- Move governance docs to the Cilium community repo (Backport PR #31890, Upstream PR #31692, @katiestruthers)
- Remove Hubble-OTel from the roadmap (Backport PR #31890, Upstream PR #31847, @xmulligan)
- Remove tcx links created by Cilium 1.16 onwards (Backport PR #31663, Upstream PR #31553, @ti-mo)
- Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31727, Upstream PR #29300, @learnitall)
- v1.15: update cilium/certgen to v0.1.11 (#31882, @rolinh)
Other Changes:
- [v1.15] envoy: Bump envoy image for golang 1.21.9 (#31770, @sayboras)
- [v1.15] Multicast Datapath Backport (#31668, @ldelossa)
- [v1.15] route: Specify "proto kernel" for ip routes and rules (#31777, @jschwinger233)
- envoy: Bump envoy version to v1.27.4 (#31807, @sayboras)
- install: Update image digests for v1.15.3 (#31623, @jrajahalme)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.15.4@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426
quay.io/cilium/cilium:stable@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.15.4@sha256:3fadf85d2aa0ecec09152e7e2d57648bda7e35bdc161b25ab54066dd4c3b299c
quay.io/cilium/clustermesh-apiserver:stable@sha256:3fadf85d2aa0ecec09152e7e2d57648bda7e35bdc161b25ab54066dd4c3b299c
docker-plugin
quay.io/cilium/docker-plugin:v1.15.4@sha256:af22e26e927ec01633526b3d2fd5e15f2c7f3aab9d8c399081eeb746a4e0db47
quay.io/cilium/docker-plugin:stable@sha256:af22e26e927ec01633526b3d2fd5e15f2c7f3aab9d8c399081eeb746a4e0db47
hubble-relay
quay.io/cilium/hubble-relay:v1.15.4@sha256:03ad857feaf52f1b4774c29614f42a50b370680eb7d0bfbc1ae065df84b1070a
quay.io/cilium/hubble-relay:stable@sha256:03ad857feaf52f1b4774c29614f42a50b370680eb7d0bfbc1ae065df84b1070a
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.15.4@sha256:7c0e5346483a517e18a8951f4d4399337fb47020f2d9225e2ceaa8c5d9a45a5f
quay.io/cilium/operator-alibabacloud:stable@sha256:7c0e5346483a517e18a8951f4d4399337fb47020f2d9225e2ceaa8c5d9a45a5f
operator-aws
quay.io/cilium/operator-aws:v1.15.4@sha256:8675486ce8938333390c37302af162ebd12aaebc08eeeaf383bfb73128143fa9
quay.io/cilium/operator-aws:stable@sha256:8675486ce8938333390c37302af162ebd12aaebc08eeeaf383bfb73128143fa9
operator-azure
quay.io/cilium/operator-azure:v1.15.4@sha256:4c1a31502931681fa18a41ead2a3904b97d47172a92b7a7b205026bd1e715207
quay.io/cilium/operator-azure:stable@sha256:4c1a31502931681fa18a41ead2a3904b97d47172a92b7a7b205026bd1e715207
operator-generic
quay.io/cilium/operator-generic:v1.15.4@sha256:404890a83cca3f28829eb7e54c1564bb6904708cdb7be04ebe69c2b60f164e9a
quay.io/cilium/operator-generic:stable@sha256:404890a83cca3f28829eb7e54c1564bb6904708cdb7be04ebe69c2b60f164e9a
operator
quay.io/cilium/operator:v1.15.4@sha256:4e42b867d816808f10b38f555d6ae50065ebdc6ddc4549635f2fe50ed6dc8d7f
quay.io/cilium/operator:stable@sha256:4e42b867d816808f10b38f555d6ae50065ebdc6ddc4549635f2fe50ed6dc8d7f
1.14.10
We are pleased to announce the release of Cilium v1.14.10.
This release includes hubble metrics when using `cilium sysdump`, and a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm
Summary of Changes
Minor Changes:
- bugtool: Collect hubble metrics (Backport PR #31888, Upstream PR #31533, @chancez)
- Fix overlapping keys in the agent-side service BPF map cache used for retries. In rare cases this bug may have caused the retry of a failed BPF map update for a service entry to be skipped, leaving the entry missing. This may have, for example, adversely affected recovery from a full BPF service map after excess services were removed. (Backport PR #31888, Upstream PR #29581, @xyz-li)
- Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (Backport PR #31007, Upstream PR #27498, @jrajahalme)
Bugfixes:
- cilium-health: Fix broken retry loop in `cilium-health-ep` controller (Backport PR #31724, Upstream PR #31622, @gandro)
- cni: Allow text-ts log format value (Backport PR #31888, Upstream PR #31686, @sayboras)
- fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR #31724, Upstream PR #31104, @tamilmani1989)
- Fixed a race condition in service updates for L7 LB. (Backport PR #31861, Upstream PR #31744, @jrajahalme)
- Fixed issue with assigning node ID 0 when the corresponding BPF map ran out of space. This could have impacted connectivity in large clusters (>4k nodes) with IPsec or Mutual Auth enabled; otherwise it merely generated unnecessary error log messages. (Backport PR #31656, Upstream PR #31380, @marseel)
- fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31871, @nathanjsweet)
- fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31801, @nathanjsweet)
- metric: Avoid memory leak/increase in cilium-agent (Backport PR #31888, Upstream PR #31714, @sayboras)
CI Changes:
- ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR #31724, Upstream PR #31594, @qmonnet)
- ci-e2e: Enable Ingress Controller test for more setup (Backport PR #31658, Upstream PR #30657, @sayboras)
- ci-ipsec-e2e: Misc refactor + more keys (Backport PR #31429, Upstream PR #29592, @brb)
- ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31724, Upstream PR #31652, @qmonnet)
- deflake endpointmanager tests (Backport PR #31724, Upstream PR #31488, @bimmlerd)
- gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR #31429, Upstream PR #29704, @brb)
- gha: Enable Ingress Controller tests in conformance-e2e (Backport PR #31658, Upstream PR #29130, @sayboras)
- workflows: Debug info for key rotations (Backport PR #31724, Upstream PR #31627, @pchaigno)
Misc Changes:
- bitlpm: Document and Fix Descendants Bug (Backport PR #31888, Upstream PR #31851, @nathanjsweet)
- Bump go-jose to v3.0.3 (v1.14) (#31881, @ferozsalam)
- chore(deps): update all github action dependencies (v1.14) (#31824, @renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.14) (#31707, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.4 (v1.14) (#31675, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (v1.14) (#31748, @renovate[bot])
- chore(deps): update go to v1.21.9 (v1.14) (#31765, @renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#31708, @renovate[bot])
- cilium-dbg: avoid leaking file resources (Backport PR #31888, Upstream PR #31750, @tklauser)
- docs: Document `No node ID found` drops in case of remote node deletion (Backport PR #31724, Upstream PR #31635, @pchaigno)
- docs: ipsec: document native-routing + Egress proxy case (Backport PR #31724, Upstream PR #31478, @julianwiedmann)
- Fix spelling in DNS-based proxy info (Backport PR #31888, Upstream PR #31728, @saintdle)
- helm: update nodeinit image using renovate (Backport PR #31724, Upstream PR #31641, @tklauser)
- Move governance docs to the Cilium community repo (Backport PR #31888, Upstream PR #31692, @katiestruthers)
- Remove Hubble-OTel from the roadmap (Backport PR #31888, Upstream PR #31847, @xmulligan)
- Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31724, Upstream PR #29300, @learnitall)
- Support for batch deletion of endpoints (Backport PR #31585, Upstream PR #27351, @tklauser)
- v1.14: update cilium/certgen to v0.1.11 (#31883, @rolinh)
Other Changes:
- [v1.14] envoy: Bump envoy image for golang 1.21.9 (#31771, @sayboras)
- [v1.14] fix unsupported aws region (#31742, @brlbil)
- [v1.15] envoy: Bump golang version to 1.21.8 (Backport PR #31007, Upstream PR #31221, @sayboras)
- CI: Remove unsupported k8s version (#31829, @brlbil)
- envoy: Bump envoy version to v1.27.4 (#31808, @sayboras)
- install: Update image digests for v1.14.9 (#31629, @jrajahalme)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798
quay.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798
docker-plugin
docker.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda
quay.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda
hubble-relay
docker.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0
quay.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14
quay.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14
operator-aws
docker.io/cilium/operator-aws:v1.14.10@sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6
quay.io/cilium/operator-aws:v1.14.10@sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6
operator-azure
docker.io/cilium/operator-azure:v1.14.10@sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4
quay.io/cilium/operator-azure:v1.14.10@sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4
operator-generic
docker.io/cilium/operator-generic:v1.14.10@sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909
quay.io/cilium/operator-generic:v1.14.10@sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909
operator
docker.io/cilium/operator:v1.14.10@sha256:20cadfbc68b37766b5747ca21f1cbfe8dec518c26232852f6c655f76999a8f92
quay.io/cilium/operator:v1.14.10@sha256:20cadfbc68b37766b5747ca21f1cbfe8dec518c26232852f6c655f76999a8f92
1.13.15
We are pleased to announce the release of Cilium v1.13.15.
This release includes a fix to the retry logic in the cilium health controllers, a fix to a race condition when updating L7 LB Services, and a fix for Node ID assignment in BPF maps for very large clusters. In addition, there were a variety of testing enhancements and documentation updates.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm
Summary of Changes
Minor Changes:
Bugfixes:
- cilium-health: Fix broken retry loop in `cilium-health-ep` controller (Backport PR #31722, Upstream PR #31622, @gandro)
- Fixed a race condition in service updates for L7 LB. (Backport PR #31862, Upstream PR #31744, @jrajahalme)
- Fixed issue with assigning node ID 0 when the corresponding BPF map ran out of space. This could have impacted connectivity in large clusters (>4k nodes) with IPsec or Mutual Auth enabled; otherwise it merely generated unnecessary error log messages. (Backport PR #31657, Upstream PR #31380, @marseel)
CI Changes:
- ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31722, Upstream PR #31652, @qmonnet)
- controlplane: fix mechanism for ensuring watchers (Backport PR #31587, Upstream PR #31030, @bimmlerd)
- deflake endpointmanager tests (Backport PR #31722, Upstream PR #31488, @bimmlerd)
- Reduce flakiness of controlplane tests (Backport PR #31587, Upstream PR #30906, @bimmlerd)
- workflows: Debug info for key rotations (Backport PR #31722, Upstream PR #31627, @pchaigno)
Misc Changes:
- chore(deps): update all github action dependencies (v1.13) (#31835, @renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.13) (#31709, @renovate[bot])
- chore(deps): update go to v1.21.9 (v1.13) (#31766, @renovate[bot])
- chore(deps): update stable lvh-images (v1.13) (patch) (#31710, @renovate[bot])
- docs: Document `No node ID found` drops in case of remote node deletion (Backport PR #31722, Upstream PR #31635, @pchaigno)
- docs: ipsec: document native-routing + Egress proxy case (Backport PR #31722, Upstream PR #31478, @julianwiedmann)
- helm: update nodeinit image using renovate (Backport PR #31722, Upstream PR #31641, @tklauser)
- Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31722, Upstream PR #29300, @learnitall)
- v1.13: update cilium/certgen to v0.1.11 (#31884, @rolinh)
Other Changes:
- [v1.13] envoy: Bump envoy image for golang 1.21.9 (#31772, @sayboras)
- [v1.13] fix aws region being used twice (#31740, @brlbil)
- [v1.13] workflows: ipsec-e2e: clean up escaping artifacts (#31630, @julianwiedmann)
- Bump google.golang.org/grpc to v1.63.2 (v1.13) (#31878, @ferozsalam)
- CI: Remove no longer supported k8s v1.24 (#31830, @brlbil)
- envoy: Bump envoy version to v1.27.4 (#31809, @sayboras)
- fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31872, @nathanjsweet)
- fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31713, @nathanjsweet)
- Update image digests for v1.13.14 (#31631, @thorn3r)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.13.15@sha256:3d77d6e463ccc462c7574399fe22f6177a6e484bc5c149c76b7d597163253eed
quay.io/cilium/cilium:v1.13.15@sha256:3d77d6e463ccc462c7574399fe22f6177a6e484bc5c149c76b7d597163253eed
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.13.15@sha256:9cfdc40a689fc087d19aff4944657ca98df7795ba1836744400f6b77e59e1e5c
quay.io/cilium/clustermesh-apiserver:v1.13.15@sha256:9cfdc40a689fc087d19aff4944657ca98df7795ba1836744400f6b77e59e1e5c
docker-plugin
docker.io/cilium/docker-plugin:v1.13.15@sha256:485857b80cb4c726aba7e8c41536db97b0558f05f22dce6f97c8db2c1792cf75
quay.io/cilium/docker-plugin:v1.13.15@sha256:485857b80cb4c726aba7e8c41536db97b0558f05f22dce6f97c8db2c1792cf75
hubble-relay
docker.io/cilium/hubble-relay:v1.13.15@sha256:40135c6b0e2034c9f06abfe0c85f7f088ac6ba2c619d5354d4af6179d33b9a1e
quay.io/cilium/hubble-relay:v1.13.15@sha256:40135c6b0e2034c9f06abfe0c85f7f088ac6ba2c619d5354d4af6179d33b9a1e
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.13.15@sha256:99c124f199f3cb48c41d43a423144bd9638d68705f347ec2326b34af50291a05
quay.io/cilium/operator-alibabacloud:v1.13.15@sha256:99c124f199f3cb48c41d43a423144bd9638d68705f347ec2326b34af50291a05
operator-aws
docker.io/cilium/operator-aws:v1.13.15@sha256:e09044b516be9ce9936253469411618d6790791dbe501829e6062244a24e815a
quay.io/cilium/operator-aws:v1.13.15@sha256:e09044b516be9ce9936253469411618d6790791dbe501829e6062244a24e815a
operator-azure
docker.io/cilium/operator-azure:v1.13.15@sha256:ea05ba909b573b4a52731aec36b91a0a582781a48c2ade7719dfbae05c21d268
quay.io/cilium/operator-azure:v1.13.15@sha256:ea05ba909b573b4a52731aec36b91a0a582781a48c2ade7719dfbae05c21d268
operator-generic
docker.io/cilium/operator-generic:v1.13.15@sha256:21f6707e99722b41a24e9bf4e24b7e4d00597cc7dbaef6e7588dedbf3b270101
quay.io/cilium/operator-generic:v1.13.15@sha256:21f6707e99722b41a24e9bf4e24b7e4d00597cc7dbaef6e7588dedbf3b270101
operator
docker.io/cilium/operator:v1.13.15@sha256:971c9b6294216df668881917132a4a41fcc43fba64315e91ed632f62eab9eac9
quay.io/cilium/operator:v1.13.15@sha256:971c9b6294216df668881917132a4a41fcc43fba64315e91ed632f62eab9eac9
1.16.0-pre.1
Summary of Changes
Major Changes:
- Add a readinessProbe to the kvstoremesh container that reports initial synchronization status to support configuring a separate, initial rate-limit to be used while synchronizing. Both clustermesh-apiserver and kvstoremesh now use a high initial rate-limit to decrease start time. (#30361, @thorn3r)
- bpf: introduce encrypted overlay datapath support (#31073, @ldelossa)
- multicast: add CLIs to manage multicast BPF maps (#31355, @harsimran-pabla)
- policy/k8s: Add support for CIDRGroupRef in IngressDeny and EgressDeny (#30933, @pippolo84)
- This adds a new policy field, EnableDefaultDeny, which permits the creation of network policies that do not drop non-matching traffic: a policy with it disabled adds allow rules for the selected endpoints without switching them into default-deny mode. (#30572, @squeed)
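As an added illustration of that field (an example policy written for this page, not code from the release notes or from the Cilium project), the policy below lets the selected pods reach kube-dns on port 53 through the DNS proxy while leaving all of their other traffic untouched. It assumes the CRD spelling `enableDefaultDeny` with boolean `ingress` and `egress` members, as documented for Cilium 1.16, and a kube-dns deployment in `kube-system` labelled `k8s-app=kube-dns`.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-dns-without-default-deny
  namespace: default
spec:
  # Example selector: every pod in this namespace. Narrow it in real use.
  endpointSelector: {}
  # Without this block, selecting a pod in an egress rule would switch it
  # into egress default-deny, so only traffic matching the rules below would
  # pass. With egress set to false the policy is purely additive: it grants
  # the DNS path (and the L7 visibility that comes with it) and denies
  # nothing else. Field spelling is an assumption stated in the lead-in.
  enableDefaultDeny:
    ingress: false
    egress: false
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
          rules:
            dns:
              - matchPattern: "*"
```

The practical point is that a policy like this can be rolled out broadly (for example to route all DNS through the proxy for visibility) without cutting off pods that previously had no policy at all. The flip side is that it enforces nothing: where a namespace is meant to be default-deny, a separate policy that keeps the default (or sets `enableDefaultDeny` to true) still has to select those pods, and it is worth auditing that no policy relies on this field by accident before treating the namespace as locked down.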
Minor Changes:
- Add "node-map-max" to allow configuring nodemap size. (#31407, @tommyp1ckles)
- Add helm values.schema.json file for validating supplied values for correct type. (#30631, @ubergesundheit)
- Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (#30972, @ti-mo)
- Add support for ClusterIP service advertisement with BGP Control Plane (#30963, @chaunceyjiang)
- Add support for ExternalIP service advertisement with BGP Control Plane (#31245, @chaunceyjiang)
- agent: add several new flags to control Cilium's datapath events notifications (#30063, @mvisonneau)
- Allow the Host Firewall and IPv6 BPF masquerading to be used together. (#31511, @qmonnet)
- Allows for using AWS SGs in the ingress section of rules. (#30708, @Alex-Waring)
- bgpv1: Add Local internalTrafficPolicy support for ClusterIP advertisements (#31442, @chaunceyjiang)
- bgpv1: BGP Control Plane metrics (#31469, @YutaroHayakawa)
- bugtool: Collect hubble metrics (#31533, @chancez)
- Change Node IPAM to select all nodes if externalTrafficPolicy=Cluster and add `nodeipam.cilium.io/match-node-labels` annotation (#31406, @MrFreezeex)
- cleanup: Remove deprecated values for KPR (#31286, @sayboras)
- cni: use default logger with timestamps. (#31014, @tommyp1ckles)
- envoy: Add support for exposing Envoy Admin API (#30655, @sayboras)
- feat: Add the http return code to metric api_processed_total (#31227, @vipul-21)
- Fix Cilium default values for EKS when Cilium clustermesh-apiserver LoadBalancer fails to create NLB with AWS Load Balancer Controller with syntax error. (#31329, @oshangalwaduge)
- Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (#31205, @squeed)
- fqdn: avoid expensive sort/unique of names during GC (#30920, @tklauser)
- GatewayAPI supports to setting the number of trusted loadbalancer hops (#30662, @chaunceyjiang)
- helm: Bump minimum k8s version to v1.21+ (#31648, @sayboras)
- ingress: Allow strict kube-proxy-replacement (#31284, @sayboras)
- Introduce `cilium-dbg encrypt flush --stale` flag to remove XFRM states and policies with stale node IDs. (#31159, @pchaigno)
- labelsfilter: Always apply Cluster entity specific identity-relevant label (#31178, @soggiest)
- Only detach Cilium-owned legacy XDP programs when XDP is disabled (#31654, @ti-mo)
- pkg/kvstore/allocator: Standardize usage of logfields (#30526, @antonipp)
- Remove helm option `enable-remote-node-identity` after being deprecated in v1.15. (#31228, @doniacld)
- Support IPv4 fragmentation for service backends. (#31364, @julianwiedmann)
- Allow the preflight initialDelaySeconds option to be configured, so that users running larger clusters can extend the time preflight is given to become ready. (#30495, @chaunceyjiang)
- WG: Improve L7 checks (#31299, @brb)
Bugfixes:
- bpf: use `bpf_htons` instead of using shift (#31247, @chez-shanpu)
- Cilium allows selecting 'lo' as a device again. (#31200, @bimmlerd)
- cilium-health: Fix broken retry loop in `cilium-health-ep` controller (#31622, @gandro)
- cni: Allow text-ts log format value (#31686, @sayboras)
- cni: Use batch endpoint deletion API in chaining plugin (#31456, @sayboras)
- envoy: register secret syncer even if only CEC is enabled (#31447, @mhofstetter)
- Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (#31164, @joamaki)
- Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and `--devices` provided. (#31345, @pchaigno)
- Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (#31395, @tklauser)
- Fix the logic of the api-server connectivity check for the kubernetes probe (#31019, @tkna)
- fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (#31104, @tamilmani1989)
- Fixed issue when updated nodes were being reported with unknown connectivity status in health report (#30917, @marseel)
- Fixed issue with assigning node ID 0 when the corresponding BPF map ran out of space. This could have impacted connectivity in large clusters (>4k nodes) with IPsec or Mutual Auth enabled; otherwise it merely generated unnecessary error log messages. (#31380, @marseel)
- fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31328, @nathanjsweet)
- gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (#30686, @cjvirtucio87)
- gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (#31361, @chaunceyjiang)
- gateway-api: Retrieve LB service from same namespace (#31271, @sayboras)
- gateway-api: shorten the length of the value of the svc's label. (#31292, @chaunceyjiang)
- helm: Update pod affinity for cilium-envoy (#31150, @sayboras)
- hubble/relay: Fix certificate reloading in PeerManager (#31376, @glrf)
- hubble: fix parsing of invalid HTTP URLs (#31100, @kaworu)
- Hubble: fix traffic direction and is reply when IPSec is enabled (#31211, @kaworu)
- ingress/gateway-api: sort virtual hosts in CEC (#31493, @mhofstetter)
- ingress/gateway-api: stable envoy listener filterchain sort-order (#31572, @mhofstetter)
- k8s/utils: correctly filter out labels in StripPodSpecialLabels (#31421, @tklauser)
- metric: Avoid memory leak/increase in cilium-agent (#31714, @sayboras)
- metrics: Disable prometheus metrics by default (#31144, @joestringer)
- operator: fix errors/warnings metric. (#31214, @tommyp1ckles)
- Updated Kernel parsing to handle single and double digit kernel version as well (#30699, @MeherRushi)
CI Changes:
- Additionally test host firewall + KPR disabled in E2E tests (#30914, @giorio94)
- AKS: avoid overlapping pod and service CIDRs (#31504, @bimmlerd)
- bgpv1: avoid object tracker vs informer race (#31010, @bimmlerd)
- bgpv1: fix Test_PodIPPoolAdvert flakiness (#31365, @rastislavs)
- bgpv2/ci: added watch reactor for bgp cluster config (#31381, @harsimran-pabla)
- bpf: fix go testdata check in ci (#31419, @mhofstetter)
- Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (#31198, @giorio94)
- ci-e2e: Add e2e test with WireGuard + Host Firewall (#31594, @qmonnet)
- ci-e2e: Add matrix for bpf.tproxy and ingress-controller (#31272, @sayboras)
- ci/ipsec: Print more info to debug credentials removal check failures (#31652, @qmonnet)
- ci: Bump lvh-kind ssh-startup-wait-retries (#31387, @YutaroHayakawa)
- ci: check license of third party Go dependencies (#31129, @rolinh)
- ci: fail container scans on vulnerability scan results (#31092, @ferozsalam)
- contrib/scripts: Remove false positives from check-go-testdata.sh (#31089, @dylandreimerink)
- deflake endpointmanager tests (#31488, @bimmlerd)
- Drop legacy and superseded test from the Ginkgo suite (#31411, @giorio94)
- Drop the remaining references to the CILIUM_CLI_MODE environment variable in GHA workflows. (#31199, @giorio94)
- gateway-api: Enable GRPCRoute conformance tests (#31055, @sayboras)
- gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (#29704, @brb)
- gh: workflows: clarify reference to issue #23283 (#31118, @julianwiedmann)
- gha: disable fail-fast on integration tests (#31420, @giorio94)
- gha: fix coredns logs retrieval in conformance-clustermesh (#31509, @giorio94)
- gha: Remove manual device setting (#31435, @sayboras)
- gha: retrieve additional coredns-related troubleshooting info (#31384, @giorio94)
- introduce ARM github workflows (#31196, @aanm)
- ipam: deepcopy interface resource correctly. (#26998, @tommyp1ckles)
- k8s_install.sh: specify the CNI version (#31182, @aanm)
- loader: fix issue where errors cancelled compile cause error logs. (#30988, @tommyp1ckles)
- Make BPF unit tests reproducible (#31526, @ti-mo)
- Make testdata build output more stable by reducing header includes (#31644, @ti-mo)
- renovate: temporarily do not update GoBGP (#31123, @rastislavs)
- slices: don't modify missed input slice in test (#31119, @bimmlerd)
- test/verifier: Keep existing environment when running make (#31632, @gentoo-root)
- test/verifier: Sort BPF program names for stable output (#31617, @gentoo-root)
- test: Update KPR value in ipsec upgrade jobs (#31649, @sayboras)
- update azure k8s versions (#31220, @brlbil)
- workflows: Cover IPsec encrypted overlay mode in end-to-end tests (#31637, @pchaigno)
- workflows: Debug info for key rotations (#31627, @pchaigno)
- workflows: ipsec-e2e: add missing key types for some configs (#31636, @julianwiedmann)
Misc Changes:
- Add monitor aggregation for all events related to packets ingressing to the network-facing device. (#31015, @learnitall)
- Add the documentation for using `serviceAdvertisements` (#31331, @chaunceyjiang)
- agent: Remove redundant pod spec checks (#31105, @aditighag)
- agent: Wrap propagating errors from proxy wait group (#31398, @aditighag)
- all: remove repetitive words (#31566, @deterclosed)
- api: Upgrade go-swagge...
1.15.3
We are pleased to release Cilium v1.15.3.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-pwqm-x5x6-5586.
Summary of Changes
Minor Changes:
- bgpv1: BGP Control Plane metrics (Backport PR #31568, Upstream PR #31469, @YutaroHayakawa)
- cni: use default logger with timestamps. (Backport PR #31342, Upstream PR #31014, @tommyp1ckles)
- Introduce `cilium-dbg encrypt flush --stale` flag to remove XFRM states and policies with stale node IDs. (Backport PR #31342, Upstream PR #31159, @pchaigno)
Bugfixes:
- [v1.15 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled (#31451, @mhofstetter)
- cni: Use batch endpoint deletion API in chaining plugin (Backport PR #31515, Upstream PR #31456, @sayboras)
- Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (Backport PR #31342, Upstream PR #31164, @joamaki)
- Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31473, Upstream PR #31395, @tklauser)
- Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31490, Upstream PR #31380, @marseel)
- gateway-api: Retrieve LB service from same namespace (Backport PR #31490, Upstream PR #31271, @sayboras)
- Handle InvalidParameterValue as well for PD fallback (Backport PR #31490, Upstream PR #31016, @hemanthmalla)
- helm: Update pod affinity for cilium-envoy (Backport PR #31490, Upstream PR #31150, @sayboras)
- hubble/relay: Fix certificate reloading in PeerManager (Backport PR #31568, Upstream PR #31376, @glrf)
- Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31568, Upstream PR #31211, @kaworu)
- k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31473, Upstream PR #31421, @tklauser)
- metrics: Disable prometheus metrics by default (Backport PR #31342, Upstream PR #31144, @joestringer)
- operator: fix errors/warnings metric. (Backport PR #31490, Upstream PR #31214, @tommyp1ckles)
CI Changes:
- [v1.15] test: Remove duplicate Cilium deployments in some datapath config tests (#31520, @qmonnet)
- Additionally test host firewall + KPR disabled in E2E tests (Backport PR #31342, Upstream PR #30914, @giorio94)
- AKS: avoid overlapping pod and service CIDRs (Backport PR #31568, Upstream PR #31504, @bimmlerd)
- bgpv1: avoid object tracker vs informer race (Backport PR #31490, Upstream PR #31010, @bimmlerd)
- bgpv1: fix Test_PodIPPoolAdvert flakiness (Backport PR #31490, Upstream PR #31365, @rastislavs)
- bpf: fix go testdata check in ci (Backport PR #31554, Upstream PR #31419, @mhofstetter)
- Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #31191, Upstream PR #30916, @giorio94)
- Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #31191, Upstream PR #31198, @giorio94)
- ci-e2e: Add matrix for bpf.tproxy and ingress-controller (Backport PR #31490, Upstream PR #31272, @sayboras)
- ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #31490, Upstream PR #31387, @YutaroHayakawa)
- controlplane: fix mechanism for ensuring watchers (Backport PR #31490, Upstream PR #31030, @bimmlerd)
- Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. (Backport PR #31342, Upstream PR #30610, @learnitall)
- gateway-api: Enable GRPCRoute conformance tests (Backport PR #31342, Upstream PR #31055, @sayboras)
- gha: disable fail-fast on integration tests (Backport PR #31490, Upstream PR #31420, @giorio94)
- gha: drop unused check_url environment variable (Backport PR #31191, Upstream PR #30928, @giorio94)
- introduce ARM github workflows (Backport PR #31342, Upstream PR #31196, @aanm)
- ipam: deepcopy interface resource correctly. (Backport PR #31490, Upstream PR #26998, @tommyp1ckles)
- k8s_install.sh: specify the CNI version (Backport PR #31342, Upstream PR #31182, @aanm)
- loader: fix issue where errors cancelled compile cause error logs. (Backport PR #31342, Upstream PR #30988, @tommyp1ckles)
- Reduce flakiness of controlplane tests (Backport PR #31490, Upstream PR #30906, @bimmlerd)
- slices: don't modify missed input slice in test (Backport PR #31490, Upstream PR #31119, @bimmlerd)
Misc Changes:
- Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31342, Upstream PR #31015, @learnitall)
- Address race condition in TestGetIdentity (Backport PR #31541, Upstream PR #30885, @bimmlerd)
- bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR #31342, Upstream PR #31218, @YutaroHayakawa)
- chore(deps): update all github action dependencies (v1.15) (#31480, @renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#31582, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.15) (#31464, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.15) (#31450, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (v1.15) (#31453, @renovate[bot])
- chore: update json-mock image source in examples (Backport PR #31568, Upstream PR #31373, @loomkoom)
- cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31568, Upstream PR #31503, @mhofstetter)
- datapath, bpf: Remove unnecessary IPsec code (Backport PR #31490, Upstream PR #31344, @pchaigno)
- doc: Clarified GwAPI KPR prerequisites (Backport PR #31490, Upstream PR #31366, @PhilipSchmid)
- docs: Warn on key rotations during upgrades (Backport PR #31490, Upstream PR #31437, @pchaigno)
- Don't emit an error message on namespace termination due to Ingress reconciliation (Backport PR #31342, Upstream PR #30808, @giorio94)
- Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR #31342, Upstream PR #31179, @YutaroHayakawa)
- endpointmanager: Improve health reporter messages when stopped (Backport PR #31342, Upstream PR #31231, @christarazi)
- hive/cell/health: don't warn when reporting on stopped reporter. (Backport PR #31490, Upstream PR #31262, @tommyp1ckles)
- ingress: Update docs with network policy example (Backport PR #31342, Upstream PR #31060, @sayboras)
- job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (Backport PR #31490, Upstream PR #30929, @bimmlerd)
- loader: add message if error is ENOTSUP (Backport PR #31490, Upstream PR #31413, @kkourt)
- policy: Fix missing labels from SelectorCache selectors (Backport PR #31490, Upstream PR #31358, @christarazi)
- Replaced `declare_tailcall_if` with logic in the loader (Backport PR #31554, Upstream PR #30467, @dylandreimerink)
Other Changes:
- install: Update image digests for v1.15.2 (#31378, @jrajahalme)
- v1.15: IPsec Fixes (#31610, @pchaigno)
1.14.9
We are pleased to release Cilium v1.14.9.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-pwqm-x5x6-5586.
Summary of Changes
Minor Changes:
- bgpv1: BGP Control Plane metrics (Backport PR #31569, Upstream PR #31469, @YutaroHayakawa)
- cni: use default logger with timestamps. (Backport PR #31335, Upstream PR #31014, @tommyp1ckles)
- Introduce `cilium-dbg encrypt flush --stale` flag to remove XFRM states and policies with stale node IDs. (Backport PR #31335, Upstream PR #31159, @pchaigno)
Bugfixes:
- [v1.14 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled (#31452, @mhofstetter)
- Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31474, Upstream PR #31395, @tklauser)
- gateway-api: Retrieve LB service from same namespace (Backport PR #31495, Upstream PR #31271, @sayboras)
- Handle InvalidParameterValue as well for PD fallback (Backport PR #31495, Upstream PR #31016, @hemanthmalla)
- helm: Update pod affinity for cilium-envoy (Backport PR #31495, Upstream PR #31150, @sayboras)
- Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31569, Upstream PR #31211, @kaworu)
- k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31474, Upstream PR #31421, @tklauser)
CI Changes:
- [v1.14] test: Remove duplicate Cilium deployments in some datapath config tests (#31521, @qmonnet)
- AKS: avoid overlapping pod and service CIDRs (Backport PR #31569, Upstream PR #31504, @bimmlerd)
- Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #31192, Upstream PR #30916, @giorio94)
- Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #31192, Upstream PR #31198, @giorio94)
- ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #31495, Upstream PR #31387, @YutaroHayakawa)
- ci: fix checking `github.event.pull_request.head.sha` (Backport PR #31495, Upstream PR #26775, @mhofstetter)
- controlplane: fix mechanism for ensuring watchers (Backport PR #31542, Upstream PR #31030, @bimmlerd)
- gha: checkout target branch in multi pool workflow (#31545, @giorio94)
- gha: disable fail-fast on integration tests (Backport PR #31495, Upstream PR #31420, @giorio94)
- gha: drop unused check_url environment variable (Backport PR #31192, Upstream PR #30928, @giorio94)
- introduce ARM github workflows (Backport PR #31335, Upstream PR #31196, @aanm)
- ipam: deepcopy interface resource correctly. (Backport PR #31495, Upstream PR #26998, @tommyp1ckles)
- k8s_install.sh: specify the CNI version (Backport PR #31335, Upstream PR #31182, @aanm)
- loader: fix issue where errors cancelled compile cause error logs. (Backport PR #31335, Upstream PR #30988, @tommyp1ckles)
- Reduce flakiness of controlplane tests (Backport PR #31542, Upstream PR #30906, @bimmlerd)
- slices: don't modify missed input slice in test (Backport PR #31495, Upstream PR #31119, @bimmlerd)
Misc Changes:
- Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31335, Upstream PR #31015, @learnitall)
- Address race condition in TestGetIdentity (Backport PR #31542, Upstream PR #30885, @bimmlerd)
- bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR #31335, Upstream PR #31218, @YutaroHayakawa)
- chore(deps): update all github action dependencies (v1.14) (#31483, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (#31583, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.14) (#31465, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.14) (#31481, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (v1.14) (#31482, @renovate[bot])
- cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31569, Upstream PR #31503, @mhofstetter)
- doc: Clarified GwAPI KPR prerequisites (Backport PR #31495, Upstream PR #31366, @PhilipSchmid)
- docs: Warn on key rotations during upgrades (Backport PR #31495, Upstream PR #31437, @pchaigno)
- Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR #31335, Upstream PR #31179, @YutaroHayakawa)
- ingress: Update docs with network policy example (Backport PR #31335, Upstream PR #31060, @sayboras)
Other Changes: