Cilium Versions

eBPF-based Networking, Security, and Observability

v1.16.0-pre.0

3 weeks ago

Summary of Changes

Major Changes:

  • Add support for matching CiliumCIDRGroups in Egress policy rules (#30624, @chaunceyjiang)
  • api: Promote field_mask from experimental to stable, deprecating experimental option (#30133, @chancez)
  • bpf: initial multicast datapath support (#29469, @ldelossa)
  • identity: Allow nodes to be selectable by their labels instead of CIDR and/or remote-node entity. (#26924, @oblazek)
  • This change introduces the BGP control-plane operator. (#28846, @harsimran-pabla)

Minor Changes:

  • Add a description to the default GatewayClass. (#30041, @chaunceyjiang)
  • Add a new option to exclude unwanted k8s node labels from CiliumNode (#28290, @hemanthmalla)
  • Add a simple node IPAM to allow using LoadBalancer Service type on "uncontrolled" networks (#30038, @MrFreezeex)
  • Add flag --policy-accounting to enable/disable per-policy packet and byte accounting (default true) (#28749, @Jack-R-lantern)
  • Add Hubble metrics HTTP endpoint status metrics. Two metrics are introduced: hubble_metrics_http_handler_requests_total, which counts requests made to the endpoint, grouped by HTTP status code, and hubble_metrics_http_handler_request_duration_seconds, also grouped by HTTP status code, which tracks duration of requests made to the endpoint. (#30648, @siwiutki)
  • Add metrics count for dir=CT_SERVICE and disable conntrack metrics by default (#27527, @wenlxie)
  • add readinessProbe to clustermesh-apiserver indicating kvstore sync status (#29643, @thorn3r)
  • Add ServiceImport support in Cilium Gateway API (#28769, @MrFreezeex)
  • Add support for the cni.cilium.io/mac-address annotation on Pod resources to control the L2 address used for Pod communication. (#29360, @chaunceyjiang)
  • bgpv1: Allow specifying well-known BGP standard communities using their names (#30440, @rastislavs)
  • bgpv2 - adding preflight and neighbor reconciler using CiliumBGPNodeConfig resource. (#30108, @harsimran-pabla)
  • bpf, ctmap: Implement map pressure metric for CT maps (#28183, @christarazi)
  • bpf: do not invoke llc from Makefiles (#29459, @lmb)
  • bpf: xdp: use bpf_xdp_get_buff_len() when available (#29472, @julianwiedmann)
  • Check sysctl values before writes to avoid errors on potentially read-only filesystem (#30519, @chaunceyjiang)
  • Cilium Network Policy can now redirect to different listeners on the same destination port depending on the destination. (#28555, @jrajahalme)
  • Cilium should accept any value that is not "disabled" for svc topology mode (#30113, @BSWANG)
  • Cilium-agent option --endpoint-status and helm option endpointStatus were removed. (#30761, @marseel)
  • ciliumenvoyconfig: introduce NodeSelector (#30470, @mhofstetter)
  • cleanup: Remove cilium_isitio sidecar configuration (#30130, @sayboras)
  • envoy: Bump envoy minor version to v1.28.0 (#29820, @sayboras)
  • envoy: Bump envoy version to v1.28.1 (#30697, @sayboras)
  • envoy: Default to daemon set deployment from 1.16 (#30034, @sayboras)
  • Expose bpf_map_pressure metric for egress_gw_policy_v4 (#29943, @ysksuzuki)
  • gateway-api: Add support for proxy protocol (#30567, @chaunceyjiang)
  • gateway-api: Bump to latest version from upstream (#31005, @sayboras)
  • helm: Allow configuration of Envoy --base-id for Envoy DaemonSet (#30466, @cpu601)
  • helm: Remove deprecated flags proxy.prometheus.{enabled,port} (#30598, @sayboras)
  • helm: Remove deprecated values encryption.* (#30613, @sayboras)
  • Hubble now has an option to emit v1.Events related to pods on detection of packet drops. (#29565, @robinelfrink)
  • ICMP: Introduce ICMP type name in ICMPField (#30330, @Shunpoco)
  • Increase the minimum required kernel version to v5.4 / RHEL 8.6. (#30869, @lmb)
  • ingress/gateway-api: expose listeners on host network (#30840, @mhofstetter)
  • ingress: Add check for kpr and nodeport (#30592, @sayboras)
  • lb-ipam: Add annotation alias with lbipam.cilium.io prefix (#30169, @sayboras)
  • lbipam: allow cross namespace IP sharing (#30055, @rissson)
  • NodePort service frontends are now automatically updated when node's IP addresses change. This may have an impact to NodePort services manually added via the cilium-dbg tool if the used frontend IP is not assigned on the node. (#30374, @joamaki)
  • policy: Do not select any identity with empty slices (#29608, @pippolo84)
  • Rename the cilium cleanup command (#30471, @littlejo)
  • Restore health IPs from local ciliumnode resource (#30383, @haozhangami)
  • Small refactor in datapath/linux/node.go (#28849, @derailed)
  • Support ingress.cilium.io/force-https annotation (functionally equivalent to nginx.ingress.kubernetes.io/force-ssl-redirect) (#30616, @youngnick)
  • Support for dynamic CES Controller throttling configuration based on the number of nodes (#29861, @alan-kut)
  • Trim clustermesh-apiserver ClusterRole permissions when external workloads support is disabled (#30743, @giorio94)
  • Update deprecated Prometheus Metrics (#30632, @karojohn)

Bugfixes:

  • Bandwidth limits are now enforced also for network devices added after Cilium agent has started (e.g. for new ENI devices). (#30419, @joamaki)
  • Datasource error fixed for Hubble DNS and Network dashboards (#30580, @Pionerd)
  • envoy: Avoid duplicated upstream callback (#30945, @sayboras)
  • Fix an issue where cilium is unable to allocate IP addresses when it is running on newly launched AWS instances (#30308, @AnishShah)
  • Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (#31039, @joestringer)
  • Fix Hubble label selector parsing for labels with dots (#30411, @glrf)
  • Fix nodeipam cell not registered (#30250, @MrFreezeex)
  • Fix the referenced interface in iptables rules (eni+ instead of lxc+) when --enable-endpoint-routes=true and --cni-chaining-mode="aws-cni" (#30766, @pippolo84)
  • Fixes an IPv6 issue where cilium doesn't respond to Neighbor Solicitation targeting pods on the same node. (#30837, @jschwinger233)
  • Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (#29594, @jschwinger233)
  • Fixes proxy issues in egress direction (#30095, @jschwinger233)
  • gateway-api: Correct the null check for GRPCRoute Match (#31052, @sayboras)
  • Handle InvalidParameterValue as well for PD fallback (#31016, @hemanthmalla)
  • helm: Fix Prometheus metrics annotations for Hubble Relay (#30501, @chaunceyjiang)
  • If source address is remote node then we should treat it as outside traffic. (#30240, @kvaster)
  • tables: Sort node addresses also by public vs private IP (#30579, @joamaki)
  • xds: Avoid xds timeout due to agent restart in envoy DS mode (#31061, @sayboras)

CI Changes:

  • .github: Don't update LVH bpf-next images on stable branches (#29835, @joestringer)
  • .github: Fix LVH image bump for main branch (#30284, @joestringer)
  • [Kind] ipfamily should be set by platform configuration. (#30332, @fujitatomoya)
  • Add RHEL8 kernel to CI (#30421, @lmb)
  • Always update lvh in tandem with lvh-images (#30596, @lmb)
  • bgpv2: use different ports in unit tests (#30528, @harsimran-pabla)
  • Centralize configuration of kind version/image in GitHub Action workflows (#30916, @giorio94)
  • ci conformance e2e: increase request timeout from 10s to 30s. (#30192, @tommyp1ckles)
  • ci-e2e: Enable Ingress Controller test for more setup (#30657, @sayboras)
  • ci: check kvstoremesh for vulnerabilities only on v1.14 (#29918, @mhofstetter)
  • ci: continue container scanning on error (#29921, @ferozsalam)
  • CI: Fix Artifact Creation Failure Due to Invalid Character in Name (#29884, @brlbil)
  • ci: fix conformance gateway-api & ingress sysdump gathering & upload (#29960, @mhofstetter)
  • ci: fix eks image pull flake (#30030, @brlbil)
  • ci: increase conformance-aks timeout (#30438, @brlbil)
  • cli: Replace --cluster-name with --helm-set cluster.name (#31095, @michi-covalent)
  • clustermesh up/downgrade: test maxConnectedCluster (#30446, @thorn3r)
  • controlplane: fix mechanism for ensuring watchers (#31030, @bimmlerd)
  • Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. (#30610, @learnitall)
  • gateway: Sync up the experimental conformance test (#31017, @sayboras)
  • GCP OIDC instead of SA creds. (#30809, @viktor-kurchenko)
  • GCP performance OIDC auth. (#30844, @viktor-kurchenko)
  • gha: Avoid the warning for kind-action (#30601, @sayboras)
  • gha: drop unused check_url environment variable (#30928, @giorio94)
  • gha: Re-purpose Conformance Kind proxy test (#31074, @sayboras)
  • golangci-lint: Fix goimports local prefix (#31106, @michi-covalent)
  • identity: deflake test TestGetIdentity - part 2 (#30190, @mhofstetter)
  • iptables: Fix New port number case in TestAddProxyRules{v4,v6} (#30555, @pippolo84)
  • Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (#30778, @learnitall)
  • Re-enable LRP and K8sSpecificMACAddressTests tests that were incorrectly skipped on non-AKS platforms due to a regression. (#30939, @aditighag)
  • Reduce flakiness of controlplane tests (#30906, @bimmlerd)
  • Remove remaining references to v4.19 (#30890, @lmb)
  • removing reference to Metal LB in GHA now that MetalLB has been replaced with Cilium L2 Announcement (https://github.com/cilium/cilium/pull/28926) (#29854, @nvibert)
  • renovate: add lvh-kind action (#30663, @lmb)
  • Replace v4.19 with RHEL 8.6 in CI (#30872, @lmb)
  • route: dedicated net ns for each subtest of runListRules (#29916, @mhofstetter)
  • Scale tests improvements (#29859, @marseel)
  • statedb/reflector: fix race condition in test (#30971, @bimmlerd)
  • test: add standalone l4lb test to verify that traffic works even when cilium agent is restarted (#30114, @oblazek)
  • test: verify that traffic to services work when agent (l4lb) is restarted (#30930, @oblazek)
  • tests: check for pending maps after network policy tests finish (#30188, @lmb)
  • Use AWS OIDC instead of access key for CI (#30713, @viktor-kurchenko)
  • workflows: conformance-eks: use env.QUAY_ORGANIZATION_DEV (#30263, @julianwiedmann)

Misc Changes:

  • .github: switch kind images back to kind (#30659, @aanm)
  • [operator] Refactor - export CiliumEndpointSlice test utils (#30577, @dlapcevic)
  • add a fast make target for kind-clustermesh (#29910, @thorn3r)
  • Add a new flag to endpoints in the IPCache to allow for overriding tunnel configuration (#29796, @learnitall)
  • add how to clean up the e2e connectivity test. (#30428, @fujitatomoya)
  • Add NetBird to the Cilium user list (#30645, @braginini)
  • Add OpenVEX document (#30768, @ferozsalam)
  • Add support for infinite retries for OneShot jobs (#30376, @dylandreimerink)
  • Add support for skipping encapsulation for host-to-pod traffic (#30819, @learnitall)
  • Add support for skipping encapsulation of nodeport-related traffic (#30608, @learnitall)
  • add users doc to bug report template (#30603, @xmulligan)
  • Added sysctl setting reconciliation (#30439, @dylandreimerink)
  • Address race condition in TestGetIdentity (#30885, @bimmlerd)
  • Adds NETWAYS Web Services to USERS.md (#30505, @mocdaniel)
  • Allow packets leaving containers to skip encapsulation. (#30427, @learnitall)
  • bandwidth: test: don't unlock OS thread too early (#30932, @bimmlerd)
  • bgpv1: Modularize test fixtures (#30234, @rastislavs)
  • bgpv1: Some test coverage improvements for bgpv1/agent (#30096, @YutaroHayakawa)
  • bgpv2: Add service options to advertisement CRD (#30902, @harsimran-pabla)
  • bgpv2: setting gobgp configuration based on new BGP APIs (#29988, @harsimran-pabla)
  • bitlpm: Factor out common code (#31026, @jrajahalme)
  • bpf: add ext_err for more callers of tail_call_internal() (#30023, @julianwiedmann)
  • bpf: add improved helper for program-internal tail-call (#30001, @julianwiedmann)
  • bpf: alignchecker: add encrypt_config and world_cidrs_key4 (#29886, @julianwiedmann)
  • bpf: convert ep_tail_call() to tail_call_internal() (#30288, @julianwiedmann)
  • bpf: ct: allow CT entry creation / lookup without detailed information (#30344, @julianwiedmann)
  • bpf: explicitly pass map to policy_can_{in,e}gress{4,6} (#31053, @jibi)
  • bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (#29803, @julianwiedmann)
  • bpf: host: skip from-proxy handling in from-netdev (#29962, @julianwiedmann)
  • bpf: introduce ctx_load_and_clear_meta() (#30245, @julianwiedmann)
  • bpf: ipv6: optimize ipv6_addr_copy() (#30029, @julianwiedmann)
  • bpf: lb: clean up REV_NAT_F_TUPLE_SADDR parts in RevDNAT logic (#30701, @julianwiedmann)
  • bpf: lb: small improvements to CT logic (#30950, @julianwiedmann)
  • bpf: lxc: remove CB_FROM_TUNNEL upgrade toleration for IPv6 (#30244, @julianwiedmann)
  • bpf: nat: pass back ipv4_load_l4_ports()'s actual drop reason (#29837, @julianwiedmann)
  • bpf: nodeport: fix check to forward identity in nodeport_lb4 (#31085, @jibi)
  • bpf: nodeport: remove TC_INDEX_F_SKIP_RECIRCULATION logic (#30435, @julianwiedmann)
  • bpf: proxy: add IPv4 fragmentation support in ctx_redirect_to_proxy_first() (#29760, @julianwiedmann)
  • bpf: test: future-proof some kernel version checks (#30127, @julianwiedmann)
  • bpf: xdp: clean up xdp_adjust_hroom() (#30325, @julianwiedmann)
  • Bump allowed Golang version to v1.21 (#30084, @ferozsalam)
  • Bump readme, MLH for v1.15.0-rc.0 (#29909, @joestringer)
  • Bump release versions references by readme, stable.txt, and MLH (#29879, @asauber)
  • CEC: Extract CiliumEnvoyConfig from global k8s watcher (#30298, @mhofstetter)
  • CEC: Move resource parser and envoy l7lb backend syncer to /pkg/ciliumenvoyconfig (#30290, @mhofstetter)
  • cec: remove label break by extracting function to inject L7 filter (#30062, @mhofstetter)
  • cec: timerbased reconcile job as fallback (#30866, @mhofstetter)
  • check-sources.sh: move file lists to env variables (#30600, @jibi)
  • chore(deps): update actions/download-artifact action to v4.1.3 (main) (#30985, @renovate[bot])
  • chore(deps): update actions/setup-go action to v5 (main) (#29952, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#30618, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#30898, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#30948, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31109, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#29948, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#30394, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30392, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30478, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30779, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30830, @renovate[bot])
  • chore(deps): update all github action dependencies to v3 (main) (major) (#30485, @renovate[bot])
  • chore(deps): update all github action dependencies to v4 (main) (major) (#30048, @renovate[bot])
  • chore(deps): update all kind-images main (main) (#30828, @renovate[bot])
  • chore(deps): update all kind-images main (main) (patch) (#30621, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (#30974, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29945, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#30044, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#30805, @renovate[bot])
  • chore(deps): update all lvh-images main to bpf-next-20240204.012837 (main) (patch) (#30460, @renovate[bot])
  • chore(deps): update alpine-images (main) (patch) (#30479, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (main) (#30200, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.21 (main) (#30569, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.22 (main) (#30622, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.23 (main) (#30832, @renovate[bot])
  • chore(deps): update dependency eksctl-io/eksctl to v0.167.0 (main) (#30046, @renovate[bot])
  • chore(deps): update dependency kubernetes-sigs/kind to v0.22.0 (main) (#30826, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.5 docker digest to 672a228 (main) (#30043, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.6 docker digest to 76aadd9 (main) (#30242, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.6 docker digest to 7b575fe (main) (#30619, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6042500 (main) (#29939, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e6173d4 (main) (#30391, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f9d633f (main) (#30620, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 112a87f (main) (#29940, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 49af061 (main) (#30946, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 6a3500b (main) (#30829, @renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.12 (main) (#30623, @renovate[bot])
  • chore(deps): update go to v1.21.6 (main) (patch) (#30172, @renovate[bot])
  • chore(deps): update go to v1.22.0 (main) (minor) (#30673, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.56.2 (main) (#30839, @renovate[bot])
  • chore(deps): update golangci/golangci-lint-action action to v4 (main) (#30849, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (main) (minor) (#30272, @renovate[bot])
  • chore(deps): update nick-invision/retry action to v3 (main) (#30628, @renovate[bot])
  • chore: provide OSSF security insight (#30448, @mmorel-35)
  • ci: fix typo in generate-k8s-api workflow (#30824, @chaunceyjiang)
  • cilium, tests: Temporary disable agent restart test in l4lb (#30710, @borkmann)
  • ciliumenvoyconfig: always inject Envoy Cilium filters (Network & L7) for L7 loadbalancing (#30546, @mhofstetter)
  • CODEOWNERS: pull in sig-wireguard for wireguard-related files (#30380, @julianwiedmann)
  • CODEOWNERS: sig-scalability owns scalability-specific GH workflows (#29819, @marseel)
  • Consolidate network namespace handling (#29993, @bleggett)
  • contrib: Autodetect GITHUB_TOKEN during release (#29901, @joestringer)
  • contrib: Fix post-release.sh for branch candidates (#29907, @joestringer)
  • Correct Istio Integration Documentation for Cilium CLI Flag Usage (#30152, @rootsongjc)
  • daemon/hive: No longer make WireGuard an optional dependency (#30544, @gandro)
  • daemon: inline lookupIPsBySecID (#30919, @tklauser)
  • daemon: Refactor syncHostIPs (#30373, @joamaki)
  • datapath/fake: Move commonly imported types to fake/types package (#30523, @gandro)
  • datapath: add more nat/overlay/nodeport hooks (#30888, @jibi)
  • datapath: Enable N/S LB for overlapping pod CIDR (#30348, @jibi)
  • Defines the cilium-envoy image used in the build Dockerfile using ARG to allow overrides. (#29638, @EricMountain)
  • Doc fix: Correct hubble exporter config lines (#30424, @saintdle)
  • doc,bgpv1: Add documentation about the address family option (#30455, @YutaroHayakawa)
  • doc,bgpv1: Bootstrap BGP Control Plane troubleshooting doc (#30506, @YutaroHayakawa)
  • doc,bgpv1: Refresh BGP Control Plane document structure (#30345, @YutaroHayakawa)
  • doc: Installation guide for Talos (#30388, @PhilipSchmid)
  • doc: Rework the AKS tabs so that only instructions for BYOCNI remain. (#28933, @tamilmani1989)
  • doc: Updated RKE/Rancher guides (#30178, @PhilipSchmid)
  • docs: Add command hints in make kind output (#30564, @sayboras)
  • Docs: add note on matchExpressions for cnp and ccnp (#30811, @darox)
  • docs: Add reference to BGP Control Plane from Multi-Pool IPAM page (#30748, @rastislavs)
  • docs: Add stubs for v1.16 upgrade notes (#29903, @joestringer)
  • docs: add Veepee as cilium USERS (#30913, @nerzhul)
  • Docs: Adds IPv6 Tunneling Caveat to Networking Concepts (#30364, @danehans)
  • docs: Document NodePort BPF and iptables SNAT port collision (#30858, @brb)
  • Docs: restructure Cluster Mesh scaling section (#30582, @thorn3r)
  • docs: update note on WireGuard with tunnel routing (#31083, @julianwiedmann)
  • docs: Updating Azure CNI chaining as Legacy approach (#28571, @vipul-21)
  • Document supported upgrade and rollback paths (#30408, @lmb)
  • Don't emit an error message on namespace termination due to Ingress reconciliation (#30808, @giorio94)
  • Drop broken and superseded CiliumInternalIP restoration logic (#30436, @giorio94)
  • Drop gopsutil dependency (#30222, @nickolaev)
  • egressgw: remove deleteStaleIPRulesAndRoutes() (#30025, @julianwiedmann)
  • egressgw: remove nodeDataStore map from Manager (#30500, @markpash)
  • endpoint: move locking into getProxyStatistics (#30414, @tklauser)
  • endpoint: pause policymap-sync controller during regeneration (#30232, @squeed)
  • endpoint: use PropertyCEP{Owner,Name} as CEP owner/name if set (#31021, @jibi)
  • Ensure wireguard.h includes the correct headers (#30539, @ldelossa)
  • Envoy: Extract Secret Sync from global k8swatcher (#30418, @mhofstetter)
  • Expose Cilium operator go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#29245, @derailed)
  • Extend kind-clustermesh Makefile target to create dual stack clusters (#30129, @giorio94)
  • Fix renovate config for grpc_health_probe (#30675, @glrf)
  • Fix unnecessary warning by adding cilium_per_cluster_snat to the list of ignored ELF prefixes (#30998, @giorio94)
  • fix(deps): update all go dependencies main (main) (#29941, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#30199, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#30947, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30047, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30122, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30385, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30482, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30626, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30848, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29947, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30045, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30077, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30140, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30393, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30625, @renovate[bot])
  • fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.681 (main) (#30976, @renovate[bot])
  • fix(deps): update module github.com/docker/docker to v25 (main) (#30395, @renovate[bot])
  • fix(deps): update module github.com/go-openapi/runtime to v0.27.1 (main) (#30481, @renovate[bot])
  • fix(deps): update module github.com/tidwall/gjson to v1.17.1 (main) (#30836, @renovate[bot])
  • fix(deps): update module golang.org/x/crypto to v0.20.0 (main) (#30987, @renovate[bot])
  • fix: Adding the fatal error for ipv6 cilium config on a single stack node (#28953, @vipul-21)
  • fswatcher: fix goroutine leak and refactor tests (#30734, @lmb)
  • gateway-api: Bump to the latest version from upstream (#30537, @sayboras)
  • gh: template: query whether the bug is a regression (#30842, @julianwiedmann)
  • go.mod: Bump controller-tools fork version to v0.8.0-2 to allow XValidation kubebuilder markers (#30362, @rastislavs)
  • Helm: additional info for mtu value (#30175, @darox)
  • helm: Bump helm-toolbox version (#30148, @sayboras)
  • helm: don't create remote-users ConfigMap when the clustermesh-apiserver is not enabled (#30008, @giorio94)
  • helm: Permit selection of datasources in UI (#30161, @jcpunk)
  • hive: Add post-start log message to record duration (#30521, @joamaki)
  • hive: Fix the ineffectual SetEnvPrefix (#30489, @joamaki)
  • hubble: Add an interface for Parser struct (#29876, @anubhabMajumdar)
  • images: support release branches when updating envoy image (#30463, @mhofstetter)
  • ingress/gatewayapi: move construction of translators into hive cells (#30606, @mhofstetter)
  • ingress: Copy LB IPAM related annotation by default (#30487, @sayboras)
  • ingress: pass enforcedHttps from config (cell) to reconciler (#30804, @mhofstetter)
  • ingress: remove unused annotations (#30733, @mhofstetter)
  • Introducing stylecheck linter to detect duplicate package imports in Go code (#30215, @nickolaev)
  • ipam/crd: remove redundant len and nil check (#30183, @Juneezee)
  • iptables: early skip proxy rules install if BPF tproxy enabled (#30347, @mhofstetter)
  • job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (#30929, @bimmlerd)
  • k8s: Fix envoyConfig description on CNP/CCNP CRDs (#29507, @hmonsalv)
  • k8s: Migrate policy watchers to Cell + Resource (#30322, @gandro)
  • k8s: Update to final v1.29.0 (#29873, @christarazi)
  • L7LB: Extract Envoy related logic and dependencies from ServiceManager (#30184, @mhofstetter)
  • l7lb: log service ns and name when upserting endpoints (#30502, @mhofstetter)
  • Loader modularization (#30280, @dylandreimerink)
  • loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (#31025, @julianwiedmann)
  • loader: move Loader interface into separate package (#30876, @jibi)
  • loader: refactor/cleanup replaceNetworkDatapath (#29825, @rgo3)
  • loader: simplify template cache invalidation (#29449, @lmb)
  • LRP: Use hive cell infra (#30923, @aditighag)
  • MAINTAINERS: Add Yutaro (#29982, @pchaigno)
  • make cilium/loader owner of pkg/elf (#29915, @lmb)
  • Makefile: Move kind targets to dedicated Makefile.kind (#29920, @qmonnet)
  • Makefile: Refactor hubble-relay target (#29867, @chancez)
  • Modify gitignore to ignore direnv-related files (#30366, @learnitall)
  • monitor/payload: remove bitrotted benchmark (#29728, @lmb)
  • operator/identitygc: remove unused GC.allocationCfg (#30197, @tklauser)
  • operator: Implement cache to be used for Cilium Identity management (#30649, @dlapcevic)
  • optimize kind setup (#29758, @weizhoublue)
  • Overall improvements in modularity (#30381, @aanm)
  • pkg/ipcache: Updates IPListEntrySlice.Less() to Use netip Pkg (#30191, @danehans)
  • pkg/service: Add backends as managed neighbor entry (#31003, @borkmann)
  • Post release for 1.15.0 (#30560, @aanm)
  • Prepare for v1.16 development cycle (#29802, @joestringer)
  • proxy / envoy: Cleanup dependencies to XDSServer & Proxy (#29892, @mhofstetter)
  • proxy: remove unused interface IPCacheManager (#30171, @mhofstetter)
  • README: Update releases (#30389, @gentoo-root)
  • README: Update releases (#30784, @michi-covalent)
  • Refactor clustermesh global service cache to prepare for the endpoint slice clustermesh synchronization (#30883, @MrFreezeex)
  • Refactor getEnvoyHTTPRouteConfiguration test (#30022, @youngnick)
  • Refactor: remove config interface (#29506, @AwesomePatrol)
  • release/bump-readme.sh: Don't overwrite latest -rc with older -pre tag (#30412, @qmonnet)
  • Remove skip-cnp-status-startup-clean (#30508, @chaunceyjiang)
  • Remove unused functions in pkg/comparator (#30075, @pippolo84)
  • Remove unused kvstore methods to unclutter the backend interface (#30012, @giorio94)
  • renovate: don't separate minor/patch updates of Go modules (#30195, @tklauser)
  • renovate: match rhel8 lvh image updates (#30891, @tklauser)
  • renovate: try to group dependency updates on single PR (#30874, @aanm)
  • Replaced declare_tailcall_if with logic in the loader (#30467, @dylandreimerink)
  • Require dead code elimination support (#30814, @dylandreimerink)
  • require large instruction limit (#30896, @lmb)
  • Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (#29300, @learnitall)
  • Revert "renovate: don't separate minor/patch updates of Go modules" (#30210, @tklauser)
  • Revert "workflow: yaml change - change "cosign attach" to "cosign attest"" (#30827, @aanm)
  • statedb/reflector: Add Kubernetes to StateDB reflector (#30527, @joamaki)
  • statedb: Reconciler utility (#30303, @joamaki)
  • statedb: Add ServeHTTP and Iterate method (#30499, @joamaki)
  • statedb: Derive, Observable and Map (#30246, @joamaki)
  • stream: Add Buffer operator (#30444, @joamaki)
  • Support extending hubble-relay as a downstream packager (#30357, @chancez)
  • Unconditionally add NodeInternalIPs to the allowed IPs for WireGuard peers (#30975, @giorio94)
  • Update AUTHORS (#29905, @joestringer)
  • Update readme with v1.15.0-rc.1 (#30279, @aanm)
  • Update XDP drivers support list in BPF docs (#30658, @janvi01)
  • Updating Rancher Desktop Install instructions (#29911, @divya-mohan0209)
  • Use Resource[T] to implement CiliumNode watcher (#29222, @pippolo84)
  • USERS.md: Add Santa Claus to the list of users (#30083, @qmonnet)
  • USERS.md: Add Sealos to the list of users (#30369, @yangchuansheng)
  • users.md: sphere doesn't exist anymore, 👋 datadog (#29927, @mvisonneau)
  • workflow: yaml change - change "cosign attach" to "cosign attest" (#30823, @umesh3034)
  • xds: Move MockStream to stream_test.go (#30943, @sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0-pre.0@sha256:77c3157afed1397e33bd0d60465d9236bdc53e18e45a3b880477540f322be0c8

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0-pre.0@sha256:fd6360fe5ebd575187637857b3745fead00fe70ad6a470c7701a549a1ae7f194

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0-pre.0@sha256:54a9bd7234015019c455b069637a370dc23eb9e7d4827127580eaabad2e88827

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0-pre.0@sha256:a75580f561b6b554c0b153c82e70ea927b3e1c73ba534844d381b9dc426a54be

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0-pre.0@sha256:660ec968ae61438766a6ef09e2c56b09f1e12b9b91c9b75c6a4638602e2bcd80

operator-aws

quay.io/cilium/operator-aws:v1.16.0-pre.0@sha256:17f47450e2b2aacd44852ee9ab798fc3fa822b50c271c6ec0d96302fdc657a7b

operator-azure

quay.io/cilium/operator-azure:v1.16.0-pre.0@sha256:b14c7f8d0816fc9a39088f3244e9ac0765f448fcd5296b22dcf1886f1aa13a22

operator-generic

quay.io/cilium/operator-generic:v1.16.0-pre.0@sha256:94d216972dfe0da98937de7dec75bc15df220d862ee50687ae91ffe8d49daddd

operator

quay.io/cilium/operator:v1.16.0-pre.0@sha256:d8a0c0f638f004b5413031c744ebd148804a037c9fdb73006e361ba9487b29ab

v1.15.1

1 month ago

We are pleased to release Cilium v1.15.1. This release contains various bug fixes and improvements, including a fix for a regression where veth devices were incorrectly getting classified as native devices (https://github.com/cilium/cilium/pull/30762).

Summary of Changes

Minor Changes:

  • Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30704, Upstream PR #28723, @julianwiedmann)
  • ui: release v0.13.0 (Backport PR #30727, Upstream PR #30711, @geakstr)

Bugfixes:

  • envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30681, Upstream PR #30543, @chaunceyjiang)
  • Fix bug in indexing of routes that led to veth devices being considered native devices, which caused the wrong BPF program to be loaded onto them. (Backport PR #30767, Upstream PR #30762, @dylandreimerink)
  • fix edge case in node addressing logic which could result in a panic (Backport PR #30767, Upstream PR #30757, @dylandreimerink)
  • hive: Fix start hook log output (Backport PR #30727, Upstream PR #30712, @joamaki)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30681, Upstream PR #30536, @hemanthmalla)

CI Changes:

  • ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30681, Upstream PR #30525, @tklauser)
  • CI: Change cloud regions (Backport PR #30681, Upstream PR #30378, @brlbil)
  • ci: Fix PR labels parsing in update label workflow (Backport PR #30681, Upstream PR #30507, @pippolo84)
  • gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR #30681, Upstream PR #30520, @julianwiedmann)
  • gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR #30681, Upstream PR #30321, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30681, Upstream PR #30496, @giorio94)
  • Update GitHub upload-artifact action (Backport PR #30681, Upstream PR #30443, @brlbil)
  • workflows: Clean IPsec test output (Backport PR #30767, Upstream PR #30759, @pchaigno)

Misc Changes:

  • Added Last page Edit on Documentation (Backport PR #30681, Upstream PR #30612, @gailsuccess)
  • bgpv1: remove BGP Controller from daemon cell (Backport PR #30767, Upstream PR #30561, @harsimran-pabla)
  • chore(deps): update all github action dependencies (v1.15) (patch) (#30486, @renovate[bot])
  • chore(deps): update all kind-images main (v1.15) (patch) (#30670, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.15) (#30570, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.22 (v1.15) (#30671, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.15) (patch) (#30574, @renovate[bot])
  • dep: Bump grpc_health_probe to v0.4.24 (Backport PR #30704, Upstream PR #30643, @ferozsalam)
  • docs: Document XfrmInStateInvalid errors (Backport PR #30767, Upstream PR #30151, @pchaigno)
  • egressgw: improvements for FIB-driven redirect path (Backport PR #30681, Upstream PR #30576, @julianwiedmann)
  • Fix failure in FuzzDenyPreferredInsert test (Backport PR #30681, Upstream PR #30368, @christarazi)

Other Changes:

  • [v1.15] ci/ipsec: Fix downgrade version for release preparation commits (#30718, @qmonnet)
  • envoy: Bump envoy version to v1.27.3 (#30696, @sayboras)
  • install: Update image digests for v1.15.0 (#30559, @aanm)

v1.12.19

1 month ago

We are pleased to release Cilium v1.12.19. This release contains various bug fixes and CI / usability improvements.

Summary of Changes

Minor Changes:

  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30390, Upstream PR #30167, @viktor-kurchenko)

CI Changes:

  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30678, Upstream PR #30503, @qmonnet)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30390, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30678, Upstream PR #30496, @giorio94)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30390, Upstream PR #30207, @giorio94)

Misc Changes:

  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30511, Upstream PR #30410, @julianwiedmann)
  • chore(deps): update docker.io/library/golang docker tag to v1.21.6 (v1.12) (#30243, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.12) (minor) (#30276, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30390, Upstream PR #28286, @tamilmani1989)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30511, Upstream PR #30403, @f1ko)

Other Changes:

  • [v1.12] ci/ipsec: Fix downgrade version for release preparation commits (#30714, @qmonnet)
  • envoy: Bump envoy version to v1.26.7 (#30695, @sayboras)
  • gke: Bump gke minimum versions (#30676, @sayboras)
  • install: Update image digests for v1.12.18 (#30316, @gentoo-root)

v1.13.12

1 month ago

We are pleased to release Cilium v1.13.12. This release contains various bug fixes and performance / usability improvements.

Summary of Changes

Minor Changes:

  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30386, Upstream PR #30167, @viktor-kurchenko)
  • helm: Add extraVolumeMounts to cilium config init container (Backport PR #30386, Upstream PR #30131, @ayuspin)
  • ui: release v0.13.0 (Backport PR #30723, Upstream PR #30711, @geakstr)

Bugfixes:

  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (Backport PR #30315, Upstream PR #29482, @ti-mo)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30315, Upstream PR #30248, @ti-mo)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30522, Upstream PR #30399, @tlcowling)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30679, Upstream PR #30536, @hemanthmalla)

CI Changes:

  • [v1.13] backport Go version check fixes in preparation for Go 1.21 update (#30417, @tklauser)
  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30522, Upstream PR #30503, @qmonnet)
  • ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30679, Upstream PR #30525, @tklauser)
  • CI: Change cloud regions (Backport PR #30679, Upstream PR #30378, @brlbil)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30386, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30679, Upstream PR #30496, @giorio94)
  • Network performance (Backport PR #30679, Upstream PR #30247, @marseel)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30386, Upstream PR #30207, @giorio94)
  • Update GitHub upload-artifact action (Backport PR #30522, Upstream PR #30443, @brlbil)

Misc Changes:

  • Added Last page Edit on Documentation (Backport PR #30679, Upstream PR #30612, @gailsuccess)
  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30522, Upstream PR #30410, @julianwiedmann)
  • build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30522, Upstream PR #30219, @dependabot[bot])
  • chore(deps): update go to v1.20.13 (v1.13) (patch) (#30186, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.13) (minor) (#29817, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.13) (minor) (#30275, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#30493, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30386, Upstream PR #28286, @tamilmani1989)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30522, Upstream PR #30403, @f1ko)
  • hubble-ui: release v0.12.3 (Backport PR #30522, Upstream PR #30422, @geakstr)
  • loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30315, Upstream PR #30214, @ti-mo)

Other Changes:

  • [1.13] Ignore ct buffer drops on minor release downgrades only (#30270, @rgo3)
  • [v1.13] ci/ipsec: Fix downgrade version for release preparation commits (#30715, @qmonnet)
  • [v1.13] ci/ipsec: Re-enable node-to-node-encryption check (#30402, @qmonnet)
  • [v1.13] pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode (#30120, @antonipp)
  • bpf: l3: fix-up kube-proxy workaround in l3_local_delivery() to bpf_overlay (#30313, @julianwiedmann)
  • envoy: Bump envoy version for x/net library (#30516, @sayboras)
  • envoy: Bump envoy version to v1.26.7 (#30694, @sayboras)
  • install: Update image digests for v1.13.11 (#30317, @gentoo-root)

v1.14.7

1 month ago

We are pleased to release Cilium v1.14.7. This release contains various bug fixes and performance / usability improvements, including a fix for a performance regression for pod-to-pod traffic with WireGuard and tunneling (https://github.com/cilium/cilium/pull/30329).

Summary of Changes

Minor Changes:

  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30554, Upstream PR #30167, @viktor-kurchenko)
  • Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30355, Upstream PR #30126, @youngnick)
  • helm: Add extraVolumeMounts to cilium config init container (Backport PR #30355, Upstream PR #30131, @ayuspin)
  • ui: release v0.13.0 (Backport PR #30724, Upstream PR #30711, @geakstr)

Bugfixes:

  • envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30680, Upstream PR #30543, @chaunceyjiang)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30323, Upstream PR #30248, @ti-mo)
  • Fix cilium-envoy ServiceMonitor port name (Backport PR #30554, Upstream PR #27207, @pixiono)
  • Fix error when using multiple allowRoutes namespaces in gateway (#30551, @mhofstetter)
  • Fix error when using multiple allowRoutes namespaces in gateway (Backport PR #30554, Upstream PR #30100, @chaunceyjiang)
  • Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #30355, Upstream PR #29460, @tommyp1ckles)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30554, Upstream PR #30399, @tlcowling)
  • Fix performance regression for pod-to-pod traffic with WireGuard and tunneling. (Backport PR #30554, Upstream PR #30329, @3u13r)
  • Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #30554, Upstream PR #30282, @giorio94)
  • hive: Fix start hook log output (Backport PR #30724, Upstream PR #30712, @joamaki)
  • Init well-known identity before new policy repository to fix the FQDN policy issue when well-known identity is enabled. (Backport PR #30554, Upstream PR #30052, @yingnanzhang666)
  • L2 announcements retry getting lease after losing it (Backport PR #30355, Upstream PR #30340, @dylandreimerink)
  • node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #30534, Upstream PR #30423, @gandro)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30680, Upstream PR #30536, @hemanthmalla)

CI Changes:

  • ci datapath-verifier: add connectivity test (Backport PR #30371, Upstream PR #29633, @mhofstetter)
  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30554, Upstream PR #30503, @qmonnet)
  • ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30680, Upstream PR #30525, @tklauser)
  • ci: Bump timeout of ci-runtime (Backport PR #30554, Upstream PR #29317, @YutaroHayakawa)
  • ci: bypass proxy.golang.org in Go toolchain installation (Backport PR #30371, Upstream PR #29549, @tklauser)
  • CI: Change cloud regions (Backport PR #30680, Upstream PR #30378, @brlbil)
  • ci: disable cgo when installing Go toolchain (Backport PR #30371, Upstream PR #27869, @tklauser)
  • ci: run verifier tests with proper Go toolchain version (Backport PR #30371, Upstream PR #27857, @tklauser)
  • Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR #30355, Upstream PR #29983, @giorio94)
  • gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR #30680, Upstream PR #30520, @julianwiedmann)
  • gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR #30680, Upstream PR #30321, @giorio94)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30355, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30680, Upstream PR #30496, @giorio94)
  • Improve Conformance Cluster Mesh workflow coverage (Backport PR #30355, Upstream PR #29926, @giorio94)
  • Network performance (Backport PR #30554, Upstream PR #30247, @marseel)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30355, Upstream PR #30207, @giorio94)
  • Update GitHub upload-artifact action (Backport PR #30554, Upstream PR #30443, @brlbil)

Misc Changes:

  • Added Last page Edit on Documentation (Backport PR #30680, Upstream PR #30612, @gailsuccess)
  • bpf: fib: fix issues with L2 resolution (Backport PR #30372, Upstream PR #30128, @julianwiedmann)
  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30554, Upstream PR #30410, @julianwiedmann)
  • bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR #30355, Upstream PR #30343, @julianwiedmann)
  • build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30554, Upstream PR #30219, @dependabot[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.14) (#30144, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.14) (#30571, @renovate[bot])
  • chore(deps): update dependency go to v1.21.6 (v1.14) (#30174, @renovate[bot])
  • chore(deps): update dependency go to v1.21.6 (v1.14) (#30640, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.6 (v1.14) (#30641, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.14) (minor) (#30145, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.14) (minor) (#30274, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.14) (patch) (#30492, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.14) (patch) (#30575, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30355, Upstream PR #28286, @tamilmani1989)
  • docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (Backport PR #30554, Upstream PR #30236, @soggiest)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30554, Upstream PR #30403, @f1ko)
  • hive: Fix hive hook output and move lifecycle to cell package (Backport PR #30554, Upstream PR #30416, @joamaki)
  • hubble-ui: release v0.12.3 (Backport PR #30554, Upstream PR #30422, @geakstr)
  • ipcache: Skip conflict logging for tunnelpeer if native routing (Backport PR #30355, Upstream PR #27331, @christarazi)
  • loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30323, Upstream PR #30214, @ti-mo)
  • Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR #30680, Upstream PR #30154, @ldelossa)
  • Rerun go mod tidy to fix missing entry (#30358, @giorio94)

Other Changes:

  • [v1.14] ci/ipsec: Fix downgrade version for release preparation commits (#30716, @qmonnet)
  • [v1.14] ci/ipsec: Re-enable node-to-node-encryption check (#30401, @qmonnet)
  • envoy: Bump envoy version for x/net library (#30515, @sayboras)
  • envoy: Bump envoy version to v1.26.7 (#30693, @sayboras)
  • install: Update image digests for v1.14.6 (#30318, @gentoo-root)
  • remove stable tags from 1.14 releases (#30557, @aanm)

v1.15.0

1 month ago

v1.14.6

2 months ago

We are pleased to release Cilium v1.14.6.

This release includes various bugfixes and performance enhancements. The number of trace events is reduced when monitor aggregation is enabled, allowing improved pod-to-pod performance with tunneling and IPsec. An inconsistency in the node manager that led to incorrect masquerading of traffic to node internal IP addresses is fixed. Other fixes cover mTLS, the DNS proxy, the datapath, etc.

Summary of Changes

Minor Changes:

  • Add Proxy l7 metrics proxy_type label and Cleanup (Backport PR #29703, Upstream PR #27863, @tommyp1ckles)
  • Reduce "stale identity observed" warnings (Backport PR #29863, Upstream PR #27894, @leblowl)

Bugfixes:

  • [1.14] ingress: fix ingress class reconciliation (#29810, @mhofstetter)
  • Add default toleration for SPIRE agent on control plane nodes (Backport PR #30198, Upstream PR #28947, @meyskens)
  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30213, Upstream PR #29239, @jrajahalme)
  • cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #29996, Upstream PR #29809, @marseel)
  • Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #30265, Upstream PR #29400, @meyskens)
  • Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #30221, Upstream PR #29986, @qmonnet)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #29996, Upstream PR #29616, @learnitall)
  • Fix cleanup of AWS-related leftover iptables chains (Backport PR #29863, Upstream PR #29448, @giorio94)
  • helm: Fix envoy servicemonitor annotations (Backport PR #30198, Upstream PR #30017, @pmcgrath)
  • metrics: fix issue where logging err/warn metric is never updated. (Backport PR #29863, Upstream PR #29201, @tommyp1ckles)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29972, Upstream PR #29964, @gandro)
  • policy: Fix mapstate changes error in entry change comparison (Backport PR #29996, Upstream PR #29815, @jrajahalme)
  • Remove non fatal errors from SPIRE client in the operator (Backport PR #30265, Upstream PR #28698, @meyskens)
  • Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30080, Upstream PR #29848, @joamaki)

CI Changes:

  • bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #30198, Upstream PR #29999, @julianwiedmann)
  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29703, Upstream PR #29653, @brb)
  • ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR #29966, Upstream PR #29514, @brb)
  • ci/ipsec: Skip waiting for images when skipping upgrade/downgrade (Backport PR #29966, Upstream PR #29793, @qmonnet)
  • ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR #29863, Upstream PR #29455, @mhofstetter)
  • ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29863, Upstream PR #29694, @mhofstetter)
  • ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (Backport PR #29863, Upstream PR #29502, @mhofstetter)
  • ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (Backport PR #30198, Upstream PR #29528, @mhofstetter)
  • Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR #30198, Upstream PR #29893, @giorio94)
  • datapath: Cover subnet encryption in XFRM leak test (Backport PR #30080, Upstream PR #27212, @pchaigno)
  • datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30080, Upstream PR #27274, @brb)
  • Fix collecting of verifier logs in ci-verifier (Backport PR #29863, Upstream PR #29752, @lmb)
  • gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR #29966, Upstream PR #29485, @brb)
  • gha: add step to ensure presence/absence of the AWS iptables chains (Backport PR #29863, Upstream PR #29670, @giorio94)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29863, Upstream PR #29675, @giorio94)
  • node: Integration test for XFRM leaks on node churn (Backport PR #30080, Upstream PR #27187, @pchaigno)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30265, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30080, Upstream PR #29934, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (Backport PR #29703, Upstream PR #29623, @pchaigno)
  • workflows: move cilium_cli_version definition to set-env-variables action (Backport PR #30198, Upstream PR #29237, @jibi)

Misc Changes:

  • bgpv1: set running flag in manager (Backport PR #30080, Upstream PR #30013, @harsimran-pabla)
  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #29996, Upstream PR #29880, @julianwiedmann)
  • chore(deps): update all github action dependencies to v5 (v1.14) (major) (#29784, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29781, @renovate[bot])
  • chore(deps): update github/codeql-action action to v2.22.9 (v1.14) (#29783, @renovate[bot])
  • doc: Update recommended way for installing cilium on AKS (Backport PR #30198, Upstream PR #28910, @tamilmani1989)
  • docs: fix chained veth plugin example (Backport PR #30265, Upstream PR #30209, @squeed)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30080, Upstream PR #30000, @brb)
  • Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29829, Upstream PR #29495, @learnitall)
  • Fix cilium-envoy ServiceMonitor template typo (Backport PR #30198, Upstream PR #29976, @cornfeedhobo)
  • Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR #29919, Upstream PR #29896, @giorio94)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30198, Upstream PR #29971, @renovate[bot])
  • fix: remove help message in build config failure (Backport PR #30265, Upstream PR #28974, @vipul-21)
  • Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR #30080, Upstream PR #29674, @giorio94)
  • hubble: Reduce "stale identities observed" debug messages even more (Backport PR #29996, Upstream PR #29957, @gandro)
  • k8s: Bump CRD schema version to 1.27.x (#29908, @joestringer)
  • Modularize iptables manager (Backport PR #30221, Upstream PR #28746, @pippolo84)
  • resource: Fix flaky TestResource_RepeatedDelete (Backport PR #29996, Upstream PR #28588, @joamaki)
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29868, Upstream PR #29801, @jrfastab)

Other Changes:

  • [1.14] loader: fix obsolete XDP program removal (#30229, @rgo3)
  • [v1.14] ci: In conn-disrupt-test action, disable node-to-node-encryption check (#29742, @qmonnet)
  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30204, @ti-mo)
  • bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command & integrate it in the bugtool (#30205, @rastislavs)
  • install: Update image digests for v1.14.5 (#29806, @nebril)
  • v1.14: update dependency cilium/cilium-cli to v0.15.19 (#30135, @pchaigno)

v1.13.11

2 months ago

We are pleased to release Cilium v1.13.11.

This release includes various bugfixes and performance enhancements. The number of trace events is reduced when monitor aggregation is enabled, allowing improved pod-to-pod performance with tunneling and IPsec. Other fixes cover the DNS proxy, the datapath, etc.

Summary of Changes

Minor Changes:

  • Reduce "stale identity observed" warnings (Backport PR #29997, Upstream PR #27894, @leblowl)

Bugfixes:

  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30216, Upstream PR #29239, @jrajahalme)
  • cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #29997, Upstream PR #29809, @marseel)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #29997, Upstream PR #29616, @learnitall)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #30182, Upstream PR #29310, @julianwiedmann)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29974, Upstream PR #29964, @gandro)
  • Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport PR #30182, Upstream PR #27908, @julianwiedmann)

CI Changes:

  • Add secondary iface to KIND network (Backport PR #30010, Upstream PR #26338, @ysksuzuki)
  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29702, Upstream PR #29653, @brb)
  • ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR #30010, Upstream PR #29514, @brb)
  • ci/ipsec: Skip waiting for images when skipping upgrade/downgrade (Backport PR #30010, Upstream PR #29793, @qmonnet)
  • ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR #29847, Upstream PR #29455, @mhofstetter)
  • ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29847, Upstream PR #29694, @mhofstetter)
  • datapath: Cover subnet encryption in XFRM leak test (Backport PR #30081, Upstream PR #27212, @pchaigno)
  • datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30081, Upstream PR #27274, @brb)
  • gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR #30010, Upstream PR #29485, @brb)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29847, Upstream PR #29675, @giorio94)
  • node: Integration test for XFRM leaks on node churn (Backport PR #30081, Upstream PR #27187, @pchaigno)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30267, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30081, Upstream PR #29934, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (Backport PR #29702, Upstream PR #29623, @pchaigno)

Misc Changes:

  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #29997, Upstream PR #29880, @julianwiedmann)
  • chore(deps): update all github action dependencies (v1.13) (patch) (#29850, @renovate[bot])
  • chore(deps): update go (v1.13) (patch) (#30143, @renovate[bot])
  • doc: Update recommended way for installing cilium on AKS (Backport PR #30182, Upstream PR #28910, @tamilmani1989)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30081, Upstream PR #30000, @brb)
  • Fix kind.sh development scripts on MacOS (Backport PR #30010, Upstream PR #25317, @chancez)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30182, Upstream PR #29971, @renovate[bot])
  • hubble: Reduce "stale identities observed" debug messages even more (Backport PR #29997, Upstream PR #29957, @gandro)
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29869, Upstream PR #29801, @jrfastab)

Other Changes:

  • [1.13] Ignore packet drops of type Failed to update or lookup TC buffer (#30249, @rgo3)
  • [1.13] loader: fix obsolete XDP program removal (#30231, @rgo3)
  • [v1.13] ci: In conn-disrupt-test action, disable node-to-node-encryption check (#29741, @qmonnet)
  • [v1.13] go.mod: bump Go to 1.20 (#29818, @tklauser)
  • [v1.13] node: Fix IP removal from ipset on node updates (#29898, @qmonnet)
  • install: Update image digests for v1.13.10 (#29807, @nebril)
  • v1.13: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#30137, @pchaigno)
  • v1.13: update dependency cilium/cilium-cli to v0.15.19 (#30136, @pchaigno)

v1.12.18

2 months ago

We are pleased to release Cilium v1.12.18.

This release includes various bugfixes and performance enhancements. The number of trace events is reduced when monitor aggregation is enabled, allowing improved pod-to-pod performance with tunneling and IPsec. Other fixes cover the DNS proxy, the datapath, etc.

Summary of Changes

Minor Changes:

  • Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (Backport PR #30004, Upstream PR #22384, @shaardie)

Bugfixes:

  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30217, Upstream PR #29239, @jrajahalme)
  • cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #30004, Upstream PR #29809, @marseel)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #30004, Upstream PR #29616, @learnitall)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #30181, Upstream PR #29310, @julianwiedmann)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29979, Upstream PR #29964, @gandro)

CI Changes:

  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29701, Upstream PR #29653, @brb)
  • ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29842, Upstream PR #29694, @mhofstetter)
  • datapath: Cover subnet encryption in XFRM leak test (Backport PR #30082, Upstream PR #27212, @pchaigno)
  • datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30082, Upstream PR #27274, @brb)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29842, Upstream PR #29675, @giorio94)
  • node: Integration test for XFRM leaks on node churn (Backport PR #30082, Upstream PR #27187, @pchaigno)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30268, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30082, Upstream PR #29934, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (Backport PR #29701, Upstream PR #29623, @pchaigno)

Misc Changes:

  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30004, Upstream PR #29880, @julianwiedmann)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30082, Upstream PR #30000, @brb)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30181, Upstream PR #29971, @renovate[bot])
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29871, Upstream PR #29801, @jrfastab)

Other Changes:

  • install: Update image digests for v1.12.17 (#29808, @nebril)
  • v1.12: Ignore packet drops of type Failed to update or lookup TC buffer (#30202, @pchaigno)
  • v1.12: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#30147, @pchaigno)
  • v1.12: update dependency cilium/cilium-cli to v0.15.19 (#30146, @pchaigno)
  • v1.12: workflow/ipsec-e2e: bump CLI to v0.15.19 (#30239, @pchaigno)

v1.15.0-rc.1

2 months ago

Summary of Changes

Minor Changes:

  • bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport PR #30230, Upstream PR #30033, @rastislavs)
  • cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR #30264, Upstream PR #29963, @joamaki)

Bugfixes:

  • Add default toleration for SPIRE agent on control plane nodes (Backport PR #30230, Upstream PR #28947, @meyskens)
  • Avoid panic during BPF program compilation when clang command fails to start (Backport PR #30264, Upstream PR #30009, @ti-mo)
  • bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport PR #30079, Upstream PR #29954, @rastislavs)
  • bpf: fix wrong loopback address mask value (Backport PR #30230, Upstream PR #29946, @haiyuewa)
  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30212, Upstream PR #29239, @jrajahalme)
  • daemon: Fail init if requirements for BPF masquerade are not met (Backport PR #30230, Upstream PR #29778, @pippolo84)
  • Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as it would always fail (Backport PR #30230, Upstream PR #29400, @meyskens)
  • Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport PR #30230, Upstream PR #29917, @bimmlerd)
  • Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entry insertions and deletions on node updates. (Backport PR #30230, Upstream PR #29986, @qmonnet)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #30079, Upstream PR #29616, @learnitall)
  • Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport PR #30230, Upstream PR #29745, @thorn3r)
  • Fix instances of leaked health reporter updates. (Backport PR #30230, Upstream PR #30134, @tommyp1ckles)
  • gateway-api: fix status reconcile error handling (Backport PR #30230, Upstream PR #29894, @mhofstetter)
  • gateway-api: Requeue Gateway for owning GRPCRoute (Backport PR #30230, Upstream PR #30124, @sayboras)
  • gateway: Add GRPCRoute support for status changed predicate (Backport PR #30230, Upstream PR #30176, @sayboras)
  • helm: Fix envoy servicemonitor annotations (Backport PR #30230, Upstream PR #30017, @pmcgrath)
  • l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport PR #30264, Upstream PR #30107, @mhofstetter)
  • maps/metricspath: protect against concurrent access in Collect (Backport PR #30230, Upstream PR #30104, @buroa)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29973, Upstream PR #29964, @gandro)
  • policy: Fix mapstate changes error in entry change comparison (Backport PR #30079, Upstream PR #29815, @jrajahalme)
  • Remove non-fatal errors from SPIRE client in the operator (Backport PR #30230, Upstream PR #28698, @meyskens)
  • Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30079, Upstream PR #29848, @joamaki)

CI Changes:

  • bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #30230, Upstream PR #29999, @julianwiedmann)
  • ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (Backport PR #30264, Upstream PR #30211, @qmonnet)
  • ci: Add a call to the update label backport action (Backport PR #30264, Upstream PR #29902, @joestringer)
  • Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR #30230, Upstream PR #29893, @giorio94)
  • identity: deflake test TestGetIdentity (Backport PR #30079, Upstream PR #29720, @mhofstetter)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30230, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30079, Upstream PR #29934, @pchaigno)

Misc Changes:

  • [v1.15] docs: add deprecation notice for enable-remote-node-identity for v1.15 (#30208, @tklauser)
  • bgpv1: set running flag in manager (Backport PR #30079, Upstream PR #30013, @harsimran-pabla)
  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30079, Upstream PR #29880, @julianwiedmann)
  • chore(deps): update actions/setup-go action to v5 (v1.15) (#30142, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.15) (patch) (#30225, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.19 (main) (Backport PR #30230, Upstream PR #29942, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.19 (v1.15) (#30141, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.15) (#30201, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.6 docker digest to 6fbd2d3 (v1.15) (#30050, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.15) (patch) (#30173, @renovate[bot])
  • doc: Update recommended way for installing cilium on AKS (Backport PR #30230, Upstream PR #28910, @tamilmani1989)
  • docs: Document renovate testing strategy (Backport PR #30230, Upstream PR #30166, @joestringer)
  • docs: fix chained veth plugin example (Backport PR #30230, Upstream PR #30209, @squeed)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30079, Upstream PR #30000, @brb)
  • docs: Update Gateway API version in example (Backport PR #30230, Upstream PR #30115, @sayboras)
  • endpoint: Use resolved named port also in the proxy stats (Backport PR #30079, Upstream PR #29813, @jrajahalme)
  • Fix cilium-envoy ServiceMonitor template typo (Backport PR #30230, Upstream PR #29976, @cornfeedhobo)
  • Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR #30079, Upstream PR #29896, @giorio94)
  • Fix regression causing a 10x increase in the duration of endpoint integration tests (Backport PR #30079, Upstream PR #29826, @giorio94)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30230, Upstream PR #29971, @renovate[bot])
  • fix: remove help message in build config failure (Backport PR #30230, Upstream PR #28974, @vipul-21)
  • fqdn: serialize requests per-name (Backport PR #30230, Upstream PR #30109, @squeed)
  • fqdn: skip ipcache insertion for names without fqdn selectors (Backport PR #30230, Upstream PR #30110, @squeed)
  • Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR #30079, Upstream PR #29674, @giorio94)
  • hubble: Reduce "stale identities observed" debug messages even more (Backport PR #30079, Upstream PR #29957, @gandro)
  • identity: stop double-update of selector cache and regenerate when a local identity is allocated (Backport PR #30079, Upstream PR #29865, @squeed)
  • k8s/slim: Clarify instructions for updating slim files (Backport PR #30230, Upstream PR #29877, @christarazi)
  • labels: small optimization in NewFrom and various cleanups (Backport PR #30230, Upstream PR #30006, @tklauser)
  • metrics: revert changes to pre-init kubernetes events metrics + improve metric logs (Backport PR #30079, Upstream PR #29343, @tommyp1ckles)
  • Modularize stale endpoint gc in an independent cell (Backport PR #30079, Upstream PR #29246, @pippolo84)
  • policy: expand "world" entity selector to select all address families (Backport PR #29961, Upstream PR #29958, @squeed)
  • policy: Fix MapState.Equals() (Backport PR #30264, Upstream PR #30233, @jrajahalme)
  • updated docs to reflect Envoy as a DS option (Backport PR #30230, Upstream PR #29518, @nvibert)
  • Use Resource[T] to implement CEP and CES watchers (Backport PR #30230, Upstream PR #29249, @pippolo84)

Other Changes:

  • [1.15] loader: fix obsolete XDP program removal (#30224, @rgo3)
  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30203, @ti-mo)
  • install: Update image digests for v1.15.0-rc.0 (#29906, @joestringer)

v1.15.0-rc.0

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0-rc.1@sha256:53e4473bc10a04ffe86e8de5b3e2b5cce6a72954b29ae50f329753820f46261b

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0-rc.1@sha256:dede7d9d56156f284d0a993e18b3a97901aa19b8ea63898b0c26cda46f0593fb

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0-rc.1@sha256:3993c08f20bfb441223122f80a94fc5f940119cc70226ca279888673ae0ff3f7

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0-rc.1@sha256:137fc854260d59127d10234ec8ed2c389382bdd0c62911398e083cd7d0cdabec

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0-rc.1@sha256:ddefe38b20d9f352685b486897a77787202b9f855d0679496792864c4fa59500

operator-aws

quay.io/cilium/operator-aws:v1.15.0-rc.1@sha256:7d4b7b931d15a14048cbcdf4ff9fdd432dbc03d12128e5c0e12d215631cade28

operator-azure

quay.io/cilium/operator-azure:v1.15.0-rc.1@sha256:fcffa96ffcd271419933b127cfccd51c45a3d5ecbc92858f505a2b4e2d84c0f7

operator-generic

quay.io/cilium/operator-generic:v1.15.0-rc.1@sha256:a85e9ce2ca1c337050f4a2eab60255aaaeb386415de8a3810298a4a88dedf7b8

operator

quay.io/cilium/operator:v1.15.0-rc.1@sha256:c7f989c98b0be42a993d5ad425f1346d1f7d671edcc502b88ecd20a979d8db33