
Releases: cilium/cilium

1.13.14

26 Mar 21:16
v1.13.14

We are pleased to release Cilium v1.13.14.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

  • cni: use default logger with timestamps. (Backport PR #31309, Upstream PR #31014, @tommyp1ckles)
  • Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (Backport PR #31309, Upstream PR #31159, @pchaigno)

Bugfixes:

  • Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31476, Upstream PR #31395, @tklauser)
  • Fix bug leading to missed ipcache updates for the CiliumInternalIP when --enable-remote-node-identity=false, and unnecessary ipcache_errors_total metric increase if Cilium operates in kvstore mode. (#31396, @giorio94)
  • gateway-api: Retrieve LB service from same namespace (Backport PR #31496, Upstream PR #31271, @sayboras)
  • Handle InvalidParameterValue as well for PD fallback (Backport PR #31496, Upstream PR #31016, @hemanthmalla)
  • Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31496, Upstream PR #31211, @kaworu)
  • k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31476, Upstream PR #31421, @tklauser)

CI Changes:

Misc Changes:

  • Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31309, Upstream PR #31015, @learnitall)
  • chore(deps): update all github action dependencies (v1.13) (#31485, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (#31584, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.13) (#31484, @renovate[bot])
  • cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31570, Upstream PR #31503, @mhofstetter)
  • doc: Clarified GwAPI KPR prerequisites (Backport PR #31496, Upstream PR #31366, @PhilipSchmid)
  • docs: Warn on key rotations during upgrades (Backport PR #31496, Upstream PR #31437, @pchaigno)

Other Changes:

1.14.8

15 Mar 16:14

We are pleased to release Cilium v1.14.8.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Minor Changes:

  • Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30835, Upstream PR #28723, @julianwiedmann)
  • Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31337, Upstream PR #31205, @squeed)

Bugfixes:

  • endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #31000, Upstream PR #30170, @oblazek)
  • Fix bug that prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR #31048, Upstream PR #30909, @aanm)
  • Fixes an IPv6 issue where Cilium doesn't respond to Neighbor Solicitations targeting pods on the same node. (Backport PR #31186, Upstream PR #30837, @jschwinger233)
  • Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #31160, Upstream PR #29530, @jschwinger233)
  • Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31160, Upstream PR #29594, @jschwinger233)
  • Fixes proxy issues in egress direction (Backport PR #31160, Upstream PR #30095, @jschwinger233)
  • helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #31000, Upstream PR #30970, @iandrewt)
  • Policy revert used in rare error cases has been corrected. (Backport PR #30882, Upstream PR #29162, @jrajahalme)
  • srv6: Fix packet drop with GSO type mismatch (Backport PR #30800, Upstream PR #30732, @YutaroHayakawa)
  • xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31156, Upstream PR #31061, @sayboras)

CI Changes:

  • Align again conformance clustermesh matrix entries with main as the interoperability issue has been fixed (#30912, @giorio94)
  • ci-e2e: restore 6.1 kernels (#30862, @lmb)
  • ci/ipsec: Fix downgrade version retrieval (Backport PR #31048, Upstream PR #30742, @qmonnet)
  • ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30864, Upstream PR #30790, @brlbil)
  • CI: Update tested K8S versions across all cloud providers (Backport PR #30864, Upstream PR #30795, @brlbil)
  • Fix datapath mode in Network Performance CI test (Backport PR #30864, Upstream PR #30756, @marseel)
  • workflows: Clean IPsec test output (Backport PR #30800, Upstream PR #30759, @pchaigno)

Misc Changes:

Other Changes:

1.13.13

15 Mar 16:14

We are pleased to release Cilium v1.13.13.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Bugfixes:

CI Changes:

  • ci/ipsec: Fix downgrade version retrieval (Backport PR #31049, Upstream PR #30742, @qmonnet)
  • ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30865, Upstream PR #30790, @brlbil)
  • CI: Update tested K8S versions across all cloud providers (Backport PR #30865, Upstream PR #30795, @brlbil)
  • Fix datapath mode in Network Performance CI test (Backport PR #30865, Upstream PR #30756, @marseel)
  • k8s_install.sh: specify the CNI version (Backport PR #31246, Upstream PR #31182, @aanm)
  • workflows: Clean IPsec test output (Backport PR #30801, Upstream PR #30759, @pchaigno)

Misc Changes:

  • bpf: host: skip from-proxy handling in from-netdev (Backport PR #31161, Upstream PR #29962, @julianwiedmann)
  • bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #31161, Upstream PR #29721, @julianwiedmann)
  • bugtool: Capture memory fragmentation info from /proc (Backport PR #31157, Upstream PR #30966, @pchaigno)
  • Bump google.golang.org/protobuf (v1.13) (#31312, @ferozsalam)
  • Change ariane config CODEOWNERS (Backport PR #30865, Upstream PR #30803, @brlbil)
  • chore(deps): update all github action dependencies (v1.13) (#30957, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (#31115, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (#31298, @renovate[bot])
  • chore(deps): update all github action dependencies to v4 (v1.13) (major) (#30783, @renovate[bot])
  • chore(deps): update all-dependencies (v1.13) (#30955, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.13) (#31295, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.13) (#30737, @renovate[bot])
  • chore(deps): update go to v1.21.7 (v1.13) (#30956, @renovate[bot])
  • chore(deps): update go to v1.21.8 (v1.13) (#31185, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.2 (v1.13) (#31340, @renovate[bot])
  • chore(deps): update kindest/node docker tag to v1.27.11 (v1.13) (#31141, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.13) (#30982, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#30812, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#31142, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#31296, @renovate[bot])
  • docs: Document XfrmInStateInvalid errors (Backport PR #30801, Upstream PR #30151, @pchaigno)
  • docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31157, Upstream PR #30462, @saintdle)
  • images: bump cni plugins to v1.4.1 (#31350, @aanm)
  • pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #31161, Upstream PR #29761, @julianwiedmann)

Other Changes:

1.15.2

13 Mar 17:39
v1.15.2

We are pleased to release Cilium v1.15.2. This release contains various bug fixes and improvements.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Minor Changes:

  • Add default divisor for GOMEMLIMIT to satisfy Argo CD diff (Backport PR #30997, Upstream PR #30635, @jdmcmahan)
  • Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31318, Upstream PR #31205, @squeed)
  • Gateway API BackendRef filters support (Backport PR #30997, Upstream PR #30090, @chaunceyjiang)

Bugfixes:

  • Cilium allows selecting 'lo' as a device again. (Backport PR #31206, Upstream PR #31200, @bimmlerd)
  • endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #30997, Upstream PR #30170, @oblazek)
  • Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (Backport PR #31154, Upstream PR #31039, @joestringer)
  • Fix bug that prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR #31047, Upstream PR #30909, @aanm)
  • Fix GC interval calculation by taking into account the actual time passed between GC runs. (Backport PR #31154, Upstream PR #28657, @gentoo-root)
  • Fix host firewall policy enforcement for pod to node traffic when tunneling is enabled and KPR is disabled (Backport PR #30997, Upstream PR #30818, @giorio94)
  • Fix the referenced interface in iptables rules (eni+ instead of lxc+) when --enable-endpoint-routes=true and --cni-chaining-mode="aws-cni" (Backport PR #31154, Upstream PR #30766, @pippolo84)
  • Fixes an IPv6 issue where Cilium doesn't respond to Neighbor Solicitations targeting pods on the same node. (Backport PR #31155, Upstream PR #30837, @jschwinger233)
  • Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31158, Upstream PR #29594, @jschwinger233)
  • Fixes proxy issues in egress direction (Backport PR #31158, Upstream PR #30095, @jschwinger233)
  • Fixes some valid GC entries being removed at agent restart (Backport PR #30863, Upstream PR #29696, @rsafonseca)
  • gateway-api: Correct the null check for GRPCRoute Match (Backport PR #31154, Upstream PR #31052, @sayboras)
  • helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #30997, Upstream PR #30970, @iandrewt)
  • hubble: fix parsing of invalid HTTP URLs (Backport PR #31154, Upstream PR #31100, @kaworu)
  • srv6: Fix packet drop with GSO type mismatch (Backport PR #30799, Upstream PR #30732, @YutaroHayakawa)
  • statedb: Fix race between Observable and DB stopping (Backport PR #30863, Upstream PR #30816, @joamaki)
  • xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31154, Upstream PR #31061, @sayboras)

CI Changes:

  • ci/ipsec: Fix downgrade version retrieval (Backport PR #31047, Upstream PR #30742, @qmonnet)
  • ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30863, Upstream PR #30790, @brlbil)
  • CI: Update tested K8S versions across all cloud providers (Backport PR #30863, Upstream PR #30795, @brlbil)
  • Fix datapath mode in Network Performance CI test (Backport PR #30863, Upstream PR #30756, @marseel)
  • Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (Backport PR #31154, Upstream PR #30778, @learnitall)

Misc Changes:

Other Changes:

1.16.0-pre.0

04 Mar 13:57
v1.16.0-pre.0
Pre-release

Summary of Changes

Major Changes:

  • Add support for matching CiliumCIDRGroups in Egress policy rules (#30624, @chaunceyjiang)
  • api: Promote field_mask from experimental to stable, deprecating experimental option (#30133, @chancez)
  • bpf: initial multicast datapath support (#29469, @ldelossa)
  • identity: Allow nodes to be selectable by their labels instead of CIDR and/or remote-node entity. (#26924, @oblazek)
  • This change introduces the BGP control-plane operator. (#28846, @harsimran-pabla)

Minor Changes:

  • Add a description to the default GatewayClass. (#30041, @chaunceyjiang)
  • Add a new option to exclude unwanted k8s node labels from CiliumNode (#28290, @hemanthmalla)
  • Add a simple node IPAM to allow using LoadBalancer Service type on "uncontrolled" networks (#30038, @MrFreezeex)
  • Add flag --policy-accounting to enable/disable per-policy packet and byte accounting (default true) (#28749, @Jack-R-lantern)
  • Add Hubble metrics HTTP endpoint status metrics. Two metrics are introduced: hubble_metrics_http_handler_requests_total, which counts requests made to the endpoint, grouped by HTTP status code, and hubble_metrics_http_handler_request_duration_seconds, also grouped by HTTP status code, which tracks duration of requests made to the endpoint. (#30648, @siwiutki)
  • Add metrics count for dir=CT_SERVICE and disable conntrack metrics by default (#27527, @wenlxie)
  • add readinessProbe to clustermesh-apiserver indicating kvstore sync status (#29643, @thorn3r)
  • Add ServiceImport support in Cilium Gateway API (#28769, @MrFreezeex)
  • Add support for the cni.cilium.io/mac-address annotation on Pod resources to control the L2 address used for Pod communication. (#29360, @chaunceyjiang)
  • bgpv1: Allow specifying well-known BGP standard communities using their names (#30440, @rastislavs)
  • bgpv2 - adding preflight and neighbor reconciler using CiliumBGPNodeConfig resource. (#30108, @harsimran-pabla)
  • bpf, ctmap: Implement map pressure metric for CT maps (#28183, @christarazi)
  • bpf: do not invoke llc from Makefiles (#29459, @lmb)
  • bpf: xdp: use bpf_xdp_get_buff_len() when available (#29472, @julianwiedmann)
  • Check sysctl values before writes to avoid errors on potentially read-only filesystem (#30519, @chaunceyjiang)
  • Cilium Network Policy can now redirect to different listeners on the same destination port depending on the destination. (#28555, @jrajahalme)
  • Cilium should accept any value that is not "disabled" for svc topology mode (#30113, @BSWANG)
  • Cilium-agent option --endpoint-status and helm option endpointStatus were removed. (#30761, @marseel)
  • ciliumenvoyconfig: introduce NodeSelector (#30470, @mhofstetter)
  • cleanup: Remove cilium_isitio sidecar configuration (#30130, @sayboras)
  • envoy: Bump envoy minor version to v1.28.0 (#29820, @sayboras)
  • envoy: Bump envoy version to v1.28.1 (#30697, @sayboras)
  • envoy: Default to daemon set deployment from 1.16 (#30034, @sayboras)
  • Expose bpf_map_pressure metric for egress_gw_policy_v4 (#29943, @ysksuzuki)
  • gateway-api: Add support for proxy protocol (#30567, @chaunceyjiang)
  • gateway-api: Bump to latest version from upstream (#31005, @sayboras)
  • helm: Allow configuration of Envoy --base-id for Envoy DaemonSet (#30466, @cpu601)
  • helm: Remove deprecated flags proxy.prometheus.{enabled,port} (#30598, @sayboras)
  • helm: Remove deprecated values encryption.* (#30613, @sayboras)
  • Hubble now has an option to emit v1.Events related to pods on detection of packet drops. (#29565, @robinelfrink)
  • ICMP: Introduce ICMP type name in ICMPField (#30330, @Shunpoco)
  • Increase the minimum required kernel version to v5.4 / RHEL 8.6. (#30869, @lmb)
  • ingress/gateway-api: expose listeners on host network (#30840, @mhofstetter)
  • ingress: Add check for kpr and nodeport (#30592, @sayboras)
  • lb-ipam: Add annotation alias with lbipam.cilium.io prefix (#30169, @sayboras)
  • lbipam: allow cross namespace IP sharing (#30055, @rissson)
  • NodePort service frontends are now automatically updated when the node's IP addresses change. This may have an impact on NodePort services manually added via the cilium-dbg tool if the frontend IP used is not assigned on the node. (#30374, @joamaki)
  • policy: Do not select any identity with empty slices (#29608, @pippolo84)
  • Rename the cilium cleanup command (#30471, @littlejo)
  • Restore health IPs from local ciliumnode resource (#30383, @haozhangami)
  • Small refactor in datapath/linux/node.go (#28849, @derailed)
  • Support ingress.cilium.io/force-https annotation (functionally equivalent to nginx.ingress.kubernetes.io/force-ssl-redirect) (#30616, @youngnick)
  • Support for dynamic CES controller throttling configuration based on the number of nodes (#29861, @alan-kut)
  • Trim clustermesh-apiserver ClusterRole permissions when external workloads support is disabled (#30743, @giorio94)
  • Update deprecated Prometheus Metrics (#30632, @karojohn)

Bugfixes:

  • Bandwidth limits are now enforced also for network devices added after Cilium agent has started (e.g. for new ENI devices). (#30419, @joamaki)
  • Datasource error fixed for Hubble DNS and Network dashboards (#30580, @Pionerd)
  • envoy: Avoid duplicated upstream callback (#30945, @sayboras)
  • Fix an issue where cilium is unable to allocate IP addresses when it is running on newly launched AWS instances (#30308, @AnishShah)
  • Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (#31039, @joestringer)
  • Fix Hubble label selector parsing for labels with dots (#30411, @glrf)
  • Fix nodeipam cell not registered (#30250, @MrFreezeex)
  • Fix the referenced interface in iptables rules (eni+ instead of lxc+) when --enable-endpoint-routes=true and --cni-chaining-mode="aws-cni" (#30766, @pippolo84)
  • Fixes an IPv6 issue where Cilium doesn't respond to Neighbor Solicitations targeting pods on the same node. (#30837, @jschwinger233)
  • Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (#29594, @jschwinger233)
  • Fixes proxy issues in egress direction (#30095, @jschwinger233)
  • gateway-api: Correct the null check for GRPCRoute Match (#31052, @sayboras)
  • Handle InvalidParameterValue as well for PD fallback (#31016, @hemanthmalla)
  • helm: Fix Prometheus metrics annotations for Hubble Relay (#30501, @chaunceyjiang)
  • If the source address is a remote node, treat the traffic as outside traffic. (#30240, @kvaster)
  • tables: Sort node addresses also by public vs private IP (#30579, @joamaki)
  • xds: Avoid xds timeout due to agent restart in envoy DS mode (#31061, @sayboras)

CI Changes:


1.15.1

15 Feb 01:16

We are pleased to release Cilium v1.15.1. This release contains various bug fixes and improvements, including a fix for a regression where veth devices were incorrectly getting classified as native devices (#30762).

Summary of Changes

Minor Changes:

  • Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30704, Upstream PR #28723, @julianwiedmann)
  • ui: release v0.13.0 (Backport PR #30727, Upstream PR #30711, @geakstr)

Bugfixes:

  • envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30681, Upstream PR #30543, @chaunceyjiang)
  • Fix bug in indexing of routes that lead to veth devices being considered native devices, which caused the wrong BPF program to be loaded onto them. (Backport PR #30767, Upstream PR #30762, @dylandreimerink)
  • fix edge case in node addressing logic which could result in a panic (Backport PR #30767, Upstream PR #30757, @dylandreimerink)
  • hive: Fix start hook log output (Backport PR #30727, Upstream PR #30712, @joamaki)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30681, Upstream PR #30536, @hemanthmalla)

CI Changes:

Misc Changes:

Other Changes:

  • [v1.15] ci/ipsec: Fix downgrade version for release preparation commits (#30718, @qmonnet)
  • envoy: Bump envoy version to v1.27.3 (#30696, @sayboras)
  • install: Update image digests for v1.15.0 (#30559, @aanm)

v1.15.0

Docker Manifests

1.14.7

14 Feb 23:26

We are pleased to release Cilium v1.14.7. This release contains various bug fixes and performance / usability improvements, including a fix for a performance regression for pod-to-pod traffic with WireGuard and tunneling (#30329).

Summary of Changes

Minor Changes:

  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30554, Upstream PR #30167, @viktor-kurchenko)
  • Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30355, Upstream PR #30126, @youngnick)
  • helm: Add extraVolumeMounts to cilium config init container (Backport PR #30355, Upstream PR #30131, @ayuspin)
  • ui: release v0.13.0 (Backport PR #30724, Upstream PR #30711, @geakstr)

Bugfixes:

  • envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30680, Upstream PR #30543, @chaunceyjiang)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30323, Upstream PR #30248, @ti-mo)
  • Fix cilium-envoy ServiceMonitor port name (Backport PR #30554, Upstream PR #27207, @pixiono)
  • Fix error when using multiple allowRoutes namespaces in gateway (#30551, @mhofstetter)
  • Fix error when using multiple allowRoutes namespaces in gateway (Backport PR #30554, Upstream PR #30100, @chaunceyjiang)
  • Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #30355, Upstream PR #29460, @tommyp1ckles)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30554, Upstream PR #30399, @tlcowling)
  • Fix performance regression for pod-to-pod traffic with WireGuard and tunneling. (Backport PR #30554, Upstream PR #30329, @3u13r)
  • Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #30554, Upstream PR #30282, @giorio94)
  • hive: Fix start hook log output (Backport PR #30724, Upstream PR #30712, @joamaki)
  • Initialize well-known identities before the new policy repository to fix the FQDN policy issue when well-known identities are enabled. (Backport PR #30554, Upstream PR #30052, @yingnanzhang666)
  • L2 announcements retry getting lease after losing it (Backport PR #30355, Upstream PR #30340, @dylandreimerink)
  • node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #30534, Upstream PR #30423, @gandro)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30680, Upstream PR #30536, @hemanthmalla)

CI Changes:

  • ci datapath-verifier: add connectivity test (Backport PR #30371, Upstream PR #29633, @mhofstetter)
  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30554, Upstream PR #30503, @qmonnet)
  • ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30680, Upstream PR #30525, @tklauser)
  • ci: Bump timeout of ci-runtime (Backport PR #30554, Upstream PR #29317, @YutaroHayakawa)
  • ci: bypass proxy.golang.org in Go toolchain installation (Backport PR #30371, Upstream PR #29549, @tklauser)
  • CI: Change cloud regions (Backport PR #30680, Upstream PR #30378, @brlbil)
  • ci: disable cgo when installing Go toolchain (Backport PR #30371, Upstream PR #27869, @tklauser)
  • ci: run verifier tests with proper Go toolchain version (Backport PR #30371, Upstream PR #27857, @tklauser)
  • Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR #30355, Upstream PR #29983, @giorio94)
  • gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR #30680, Upstream PR #30520, @julianwiedmann)
  • gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR #30680, Upstream PR #30321, @giorio94)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30355, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30680, Upstream PR #30496, @giorio94)
  • Improve Conformance Cluster Mesh workflow coverage (Backport PR #30355, Upstream PR #29926, @giorio94)
  • Network performance (Backport PR #30554, Upstream PR #30247, @marseel)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30355, Upstream PR #30207, @giorio94)
  • Update GitHub upload-artifact action (Backport PR #30554, Upstream PR #30443, @brlbil)

Misc Changes:

  • Added Last page Edit on Documentation (Backport PR #30680, Upstream PR #30612, @gailsuccess)
  • bpf: fib: fix issues with L2 resolution (Backport PR #30372, Upstream PR #30128, @julianwiedmann)
  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30554, Upstream PR #30410, @julianwiedmann)
  • bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR #30355, Upstream PR #30343, @julianwiedmann)
  • build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30554, Upstream PR #30219, @dependabot[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.14) (#30144, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.14) (#30571, @renovate[bot])
  • chore(deps): update dependency go to v1.21.6 (v1.14) (#30174, @renovate[bot])
  • chore(deps): update dependency go to v1.21.6 (v1.14) (#30640, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.6 (v1.14) (#30641, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.14) (minor) (#30145, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.14) (minor) (#30274, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.14) (patch) (#30492, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.14) (patch) (#30575, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30355, Upstream PR #28286, @tamilmani1989)
  • docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (Backport PR #30554, Upstream PR #30236, @soggiest)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30554, Upstream PR #30403, @f1ko)
  • hive: Fix hive hook output and move lifecycle to cell package (Backport PR #30554, Upstream PR #30416, @joamaki)
  • hubble-ui: release v0.12.3 (Backport PR #30554, Upstream PR #30422, @geakstr)
  • ipcache: Skip conflict logging for tunnelpeer if native routing (Backport PR #30355, Upstream PR #27331, @christarazi)
  • loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30323, Upstream PR #30214, @ti-mo)
  • Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR #30680, Upstream PR #30154, @ldelossa)
  • Rerun go mod tidy to fix missing entry (#30358, @giorio94)

Other Changes:

1.13.12

14 Feb 23:29

We are pleased to release Cilium v1.13.12. This release contains various bug fixes and performance / usability improvements.

Summary of Changes

Minor Changes:

Bugfixes:

  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (Backport PR #30315, Upstream PR #29482, @ti-mo)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30315, Upstream PR #30248, @ti-mo)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30522, Upstream PR #30399, @tlcowling)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30679, Upstream PR #30536, @hemanthmalla)

CI Changes:

  • [v1.13] backport Go version check fixes in preparation for Go 1.21 update (#30417, @tklauser)
  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30522, Upstream PR #30503, @qmonnet)
  • ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30679, Upstream PR #30525, @tklauser)
  • CI: Change cloud regions (Backport PR #30679, Upstream PR #30378, @brlbil)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30386, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30679, Upstream PR #30496, @giorio94)
  • Network performance (Backport PR #30679, Upstream PR #30247, @marseel)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30386, Upstream PR #30207, @giorio94)
  • Update GitHub upload-artifact action (Backport PR #30522, Upstream PR #30443, @brlbil)

Misc Changes:

  • Added Last page Edit on Documentation (Backport PR #30679, Upstream PR #30612, @gailsuccess)
  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30522, Upstream PR #30410, @julianwiedmann)
  • build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30522, Upstream PR #30219, @dependabot[bot])
  • chore(deps): update go to v1.20.13 (v1.13) (patch) (#30186, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.13) (minor) (#29817, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.13) (minor) (#30275, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#30493, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30386, Upstream PR #28286, @tamilmani1989)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30522, Upstream PR #30403, @f1ko)
  • hubble-ui: release v0.12.3 (Backport PR #30522, Upstream PR #30422, @geakstr)
  • loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30315, Upstream PR #30214, @ti-mo)

Other Changes:

  • [1.13] Ignore ct buffer drops on minor release downgrades only (#30270, @rgo3)
  • [v1.13] ci/ipsec: Fix downgrade version for release preparation commits (#30715, @qmonnet)
  • [v1.13] ci/ipsec: Re-enable node-to-node-encryption check (#30402, @qmonnet)
  • [v1.13] pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode (#30120, @antonipp)
  • bpf: l3: fix-up kube-proxy workaround in l3_local_delivery() to bpf_overlay (#30313, @julianwiedmann)
  • envoy: Bump envoy version for x/net library (#30516, @sayboras)
  • envoy: Bump envoy version to v1.26.7 (#30694, @sayboras)
  • install: Update image digests for v1.13.11 (#30317, @gentoo-root)

1.12.19

14 Feb 23:33

We are pleased to release Cilium v1.12.19. This release contains various bug fixes and CI / usability improvements.

Summary of Changes

Minor Changes:

CI Changes:

  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30678, Upstream PR #30503, @qmonnet)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30390, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30678, Upstream PR #30496, @giorio94)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30390, Upstream PR #30207, @giorio94)

Misc Changes:

  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30511, Upstream PR #30410, @julianwiedmann)
  • chore(deps): update docker.io/library/golang docker tag to v1.21.6 (v1.12) (#30243, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.12) (minor) (#30276, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30390, Upstream PR #28286, @tamilmani1989)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30511, Upstream PR #30403, @f1ko)

Other Changes:

1.15.0

31 Jan 20:07
v1.15.0

Changelog

The Cilium core team are excited to announce the Cilium 1.15 release. 🎉

Summary of Changes

Major Changes:

  • Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
  • Add support for extending ClusterMesh to 511 clusters
    By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
  • Add support for Gateway API v1.0 (#28836, @sayboras)
  • Add support for k8s 1.28 (#27361, @aanm)
  • Allow selecting nodes by CIDR policy (#27464, @squeed)
  • bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command (#27182, @rastislavs)
  • gateway-api: Support GRPCRoute resource (#28654, @sayboras)
  • k8s: add support for k8s 1.29.0 (#29473, @aanm)
  • Module Health: Node Manager: First Iteration (#25994, @tommyp1ckles)
  • Support BGP passwords in the Go BGP implementation. (#23759, @dgl)

Minor Changes:

  • *_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
  • io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE> and io.cilium.podippool.name: <CiliumPodIPPool_NAME> selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. (#28314, @danehans)
  • Add cilium bpf auth flush command for debugging purposes (#27216, @meyskens)
  • Add an option to Cilium to set the persistent keepalive for cilium_wg0 (#27932, @chaunceyjiang)
  • Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
  • Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
  • Add flows per second information to Hubble status (#28205, @glrf)
  • Add Hubble Grafana dashboards: Network and DNS overview (#27751, @lambdanis)
  • add Ingress controller proxy protocol support (#28194, @zetaab)
  • Add lbipam support for shared ips (#28806, @usiegl00)
  • Add option to pass api-rate-limit via Helm values (#28239, @ungureanuvladvictor)
  • Add option to redact http headers (#26724, @ChrsMark)
  • Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
  • Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
  • Add securityContext for spire pod in helm chart (#27363, @ishuar)
  • Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
  • Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
  • Add support for filtering on HTTP URLs in Hubble (#28275, @glrf)
  • Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. (#28419, @marseel)
  • Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. The metric keeps track of the number of peers in each possible connection status. (#28217, @siwiutki)
  • Added new ingress.cilium.io/ssl-passthrough annotation for Ingress objects (#28751, @youngnick)
  • Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
  • Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
  • Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors (#28125, @rbankston)
  • Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
  • Allow case-insensitive name for CNI chaining mode (#28050, @asauber)
  • api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30529, Upstream PR #30167, @viktor-kurchenko)
  • api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
  • Augments cilium status CLI to report on agent modules health status. (#25714, @derailed)
  • Auth map garbage collection will trigger if last local endpoint of a security identity was removed (#27697, @meyskens)
  • bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
  • bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport PR #30230, Upstream PR #30033, @rastislavs)
  • BGPv1: Set R-bit in graceful restart capability negotiation. (#28293, @ArsenyBelorukov)
  • bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
  • bpf: allow overriding Makefile variables (#27492, @lmb)
  • bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
  • bpf: gate egressgw datapath on separate defines (#27189, @lmb)
  • bpf: static data: use inline asm to access static data (#27589, @ti-mo)
  • bgpv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
  • Create the directory for the customized CNI conf, and remove the CNI conf file in the cleanup command (#27933, @sofat1989)
  • Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
  • cilium ingress should have an option to set the number of trusted loadbalancer hops (#27952, @chaunceyjiang)
  • cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR #30264, Upstream PR #29963, @joamaki)
  • cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
  • Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. (#27653, @marseel)
  • cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
  • cilium: export intermediate cobra.Commands (#26265, @lmb)
  • cilium: use absolute path to include Makefile.defs (#27054, @lmb)
  • CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". (#27976, @danehans)
  • cli: Update cilium policy import to allow policy replacement by label (#27103, @deverton-godaddy)
  • clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
  • cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
  • cmd: Disable local node routes when endpoint routes are enabled (#28324, @gandro)
  • Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
  • Correlate flows with CiliumNetworkPolicies (#27854, @chancez)
  • daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
  • daemon: don't wait for presence of unused CiliumNodeConfig CRD (#27684, @akhilles)
  • daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. (#28300, @nathanjsweet)
  • Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
  • Delete auth map entries for removed Security IDs in SPIRE (#27663, @meyskens)
  • Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed.
    Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
  • docs, cilium: Remove cilium endpoint regenerate command (#27326, @christarazi)
  • docs: remove annotations-based l7 visibility (#28449, @networkop)
  • Don't automatically infer ClusterID and ClusterName for external workloads. (#27886, @giorio94)
  • egressgw: inject datapath config via hive (#27414, @lmb)
  • EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. (#26215, @jibi)
  • egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
  • egressgw: reject config with CiliumEndpointSlice (#27984, @julianwiedmann)
  • egressgw: tidy up Config handling (#27221, @lmb)
  • endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
  • ENI: fix excessive calculation of excess IPs in calculateExcessIPs (#28467, @wu0407)
  • Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30349, Upstream PR #30126, @youngnick)
  • envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
  • envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
  • envoy: Bump envoy version to v1.27.1 (#28531, @sayboras)
  • envoy: Bump envoy version to v1.27.2 (#28671, @mhofstetter)
  • envoy: Update envoy version to the latest build (#27819, @jrajahalme)
  • Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
  • Fix inaccurate calculation for bootstrap stats of restore (#27983, @PlatformLC)
  • fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode (#28452, @bittermandel)
  • Fixes name used for disabling KVStoreMesh metrics. (#27680, @marseel)
  • FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
  • gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
  • gateway-api: Add support for multiple request mirrors (#28342, @sayboras)
  • gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
  • gateway-api: Bump the version to v0.8.1 (#28195, @sayboras)
  • gateway-api: Bump the version to v1.0.0-rc1 (#28757, @sayboras)
  • gateway-api: Bump version to v0.8.0...