Cilium Versions Save

eBPF-based Networking, Security, and Observability

v1.16.0-pre.2

1 week ago

Summary of Changes

Major Changes:

Add Kubernetes EndpointSlice synchronization from Cilium clustermesh (#28440, @MrFreezeex)
iptables: Add rules runtime reconciliation (#31372, @pippolo84)
k8s: Add support for Kubernetes 1.30.0 (#31687, @christarazi)
Support CEL expressions in hubble flow filters (#31070, @chancez)

Minor Changes:

"cilium-dbg map get ..." can now be called on BPF maps without cache (#31620, @AwesomePatrol)
Add clustermesh hostname endpointslice synchronization (#31814, @MrFreezeex)
Add option to automatically discover k8sServiceHost and k8sServicePort info (kubeadm clusters only) (#31885, @kreeuwijk)
Add option to disable ExternalIP mitigation (CVE-2020-8554). (#31513, @kvaster)
Add support for deploying clustermesh-apiserver with multiple replicas for high availability. (#31677, @thorn3r)
Added source pod metadata to generated L7 DNS visibility policies. (#32166, @nebril)
Adds IPv6Pool field to the spec of CiliumNodes CRD to list of IPv6 addresses available to the node for allocation. Adds IPv6Used field to the status of CiliumNodes CRD to list all IPv6 addresses from ciliumnodes.spec.ipam.ipv6pool which have been allocated and are in use. (#31143, @danehans)
Adds service_implementation_delay metric accounting the duration in seconds to propagate the data plane programming of a service, its network and endpoints from the time the service or the service pod was changed excluding the event queue latency (#32055, @ovidiutirla)
bpf: WireGuard: detect tunnel traffic in native-routing mode (#31586, @julianwiedmann)
Configure restrictive security contexts by default for clustermesh-apiserver containers (#31540, @giorio94)
daemon: Do not require NodePort for WireGuard (#32249, @brb)
datapath: Move WG skb mark check to to-netdev (#31751, @brb)
egressgw: remove deprecated install-egress-gateway-routes option (#32105, @julianwiedmann)
envoy: Bump envoy image for golang 1.22.2 (#31774, @sayboras)
envoy: Bump envoy minor version to v1.29.x (#31571, @sayboras)
envoy: Bump envoy version to v1.28.2 (#31810, @sayboras)
envoy: Update envoy 1.29.x to v1.29.4 (#32137, @sayboras)
Expose clustermesh-apiserver version through a dedicated command, and as part of logs (#32165, @giorio94)
Feat add nodePort.addresses value to set nodeport-addresses in the cilium configmap (#31672, @eyenx)
Fix LRP error cases where node-local redirection was erroneously skipped. Extend LRP spec in order for users to explicitly skip node-local redirection from LRP selected backend pods. (#26144, @aditighag)
Forcefully terminate stale sockets in the host netns connected to deleted LRP backends when socket-lb is enabled, and allow applications to re-connect to active LRP backends. (#32074, @aditighag)
gateway-api: appProtocol support (GEP-1911) (#31310, @rauanmayemir)
gateway-api: Sync up with upstream (#31806, @sayboras)
helm: Cleanup old k8s version check and deprecated atributes (#31940, @sayboras)
Helm: possibility to install operator as standalone app (#32019, @balous)
helm: Remove deprecated option containerRuntime.integration (#31942, @sayboras)
hubble/correlation: Support deny policies (#31544, @gandro)
Hubble: add possibility to export flows to container logs (#31422, @siegmund-heiss-ich)
hubble: add trace reason support in hubble flows (#31226, @kaworu)
hubble: support drop_reason_desc in flow filter (#32135, @chaunceyjiang)
install/kubernetes: add extraInitContainers (#32245, @bewing)
ipset: Rework the reconciler to use batch ops (#31638, @pippolo84)
labels: Add controller-uid into default ignore list (#31964, @sayboras)
loader: attach programs using tcx (#30103, @rgo3)
Make endpointslice clustermesh syncing opt-out for headless services (#32021, @MrFreezeex)
Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (#31082, @julianwiedmann)
StateDB based Health (#30925, @tommyp1ckles)
Support configuring TLS for hubble metrics server (#31973, @chancez)
WireGuard: Deprecate userspace fallback (#31867, @gandro)

Bugfixes:

Agent: add kubeconfigPath to initContainers (#32008, @darox)
Avoid drops with "CT: Unknown L4 protocol" for non-ICMP/TCP/UDP traffic, caused by an error check in the BPF NAT engine. (#31820, @julianwiedmann)
daemon: Run conntrack GC after Endpoint Restore (#32012, @joestringer)
dnsproxy: Fix bug where DNS request timed out too soon (#31999, @gandro)
Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (#32270, @jrajahalme)
envoy: pass idle timeout configuration option to cilium configmap (#32203, @mhofstetter)
Fix azure ipam flake caused by instance resync race condition. (#31580, @tommyp1ckles)
Fix bpf_sock compilation for ipv6-only (#30553, @alexferenets)
Fix failing service connections, when the service requests are transported via cilium's overlay network. (#32116, @julianwiedmann)
Fix incorrect reporting of the number of etcd lock leases in cilium-dbg status. (#31781, @giorio94)
Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (#31539, @giorio94)
Fix service connection to terminating backend, when the service has no more backends available. (#31840, @julianwiedmann)
Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (#32239, @thorn3r)
Fixed a race condition in service updates for L7 LB. (#31744, @jrajahalme)
Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (#32168, @squeed)
Fixes a route installing issue which may cause troubles for cilium downgrade. (#31716, @jschwinger233)
Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (#30548, @squeed)
fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (#31959, @marseel)
fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31784, @nathanjsweet)
Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (#31646, @mhofstetter)
ingress: Set the default value for max_stream_timeout (#31514, @tskinn)
Introduce fromEgressProxyRule (#31923, @jschwinger233)
ipam: retry netlink.LinkList call when setting up ENI devices (#32099, @jasonaliyetti)
loader: sanitize bpffs directory strings for netdevs (#32090, @rgo3)
Only read the relevant parts of secrets for originatingTLS (ca.crt) and terminatingTLS (tls.crt, tls.key) blocks in Cilium L7 policies. Fixes a bug where a ca.crt key in a secret passed to terminatingTLS incorrectly configures Envoy to require a client certificate on TLS connections from pods. Previous behavior can be restored with the --use-full-tls-context=true agent flag. (#31903, @JamesLaverack)

CI Changes:

.github: Add workflow telemetry (#32037, @joestringer)
.github: Pretty-print gateway API test results (#32039, @joestringer)
alibabacloud/eni: avoid racing node mgr in test (#31877, @bimmlerd)
ariane: Fix detection of changes to nat46x64 tests (#32070, @joestringer)
ci-e2e-upgrade: Disable ingress-controller and bpf.tproxy=true (#31917, @brb)
ci-e2e-upgrade: Make it stable (#31895, @brb)
ci-l4lb: Remove unnecessary untrusted checkout (#32071, @joestringer)
ci: Add matrix for bpf.tproxy and ingress-controller (#31875, @sayboras)
ci: Filter supported versions of AKS (#32303, @marseel)
ci: Fix typo on "Ginkgo" (#32317, @qmonnet)
ci: Increase timeout for images for l4lb test (#32201, @marseel)
ci: only install llvm/clang and gingko for gingko test suite changes (#32309, @tklauser)
ci: remove build artifacts in integration tests to prevent space issues (#32050, @giorio94)
ci: run privileged unit tests only once (#31779, @tklauser)
ci: Set hubble.relay.retryTimeout=5s (#32066, @chancez)
ci: use base and head SHAs from context in lint-build-commits workflow (#32140, @tklauser)
CODEOWNERS: Remove the catch-all rule (#32174, @michi-covalent)
Don't cache LLVM in the CI to resolve disk space issues. (#32045, @gentoo-root)
enable kube cache mutation detector (#32069, @aanm)
Fix ipset reconciler unit tests (#31836, @pippolo84)
fix k8s versions tested in CI (#31966, @nbusseneau)
Fix node throughput (#31825, @marseel)
Fix sysctl reconciler unit tests (#31833, @pippolo84)
gha: configure fully-qualified DNS names as external targets (#31510, @giorio94)
gha: drop double installation of Cilium CLI in conformance-eks (#32042, @giorio94)
Miscellaneous improvements to the clustermesh upgrade/downgrade test (#31958, @giorio94)
Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (#31424, @learnitall)
Move cilium/hubble code to cilium/cilium repo (#31893, @michi-covalent)
Remove ariane scheduled workflows for 1.12 (#32126, @marseel)
Revert "test: Disable hostfw in monitor aggregation test" (#32315, @qmonnet)
Scrape pprofs in 100 node scale test workflow for extra debugging information (#32056, @learnitall)
Simplify NAT46x64,recorder tests (#32068, @joestringer)
Spread ariane-scheduled workflows over multiple hours (#32142, @marseel)
Test endpoint slice synchronization as part of the Conformance Cluster Mesh workflow (#31551, @giorio94)
Test IPsec + KPR (#31760, @pchaigno)
test/helpers: Skip CiliumUninstall if not installed (#32272, @joestringer)
test: De-flake xds server_e2e_test (#32004, @jrajahalme)
test: Remove redundant IPsec test (#31759, @pchaigno)
test: remove unused assertion helpers (#32157, @tklauser)
Use Clang from cilium-builder image to build BPF code in CI (#31754, @gentoo-root)
workflows: Bump the timeout for Ginkgo tests (#31991, @pchaigno)
workflows: Fix CI jobs for push events on private forks (#32085, @pchaigno)
workflows: Remove stale CodeQL workflow (#32084, @pchaigno)

Misc Changes:

Accurately manage the teardown sequence of an Endpoint's BPF resources (#32167, @ti-mo)
Add Pod eviction warning in upgrade notes for Envoy DS (#31971, @learnitall)
Add Spectro Cloud to USERS.md (#32027, @kreeuwijk)
Add Syself to USERS.md (#32204, @lucasrattz)
agent: Replace gocheck with built-in go test (#32214, @sayboras)
bgpv1: check services for reconciliation if iTP=local (#31963, @harsimran-pabla)
bgpv2: introducing service reconciler in BGPv2 reconcilers (#31962, @harsimran-pabla)
BGPv2: Updates CiliumBGPNodeConfigOverride Type (#31598, @danehans)
bitlpm: Document and Fix Descendants Bug (#31851, @nathanjsweet)
bpf/test: Adjust mock function to reflect changes in tail_ipvX_policy (#31738, @jschwinger233)
bpf: Add BPF map operations for the StateDB reconciler (#32123, @joamaki)
bpf: add multicast in MAX_OVERLAY_OPTIONS (#32129, @harsimran-pabla)
bpf: ct: clean up redundant 0-initializiations for CT entry creation (#31788, @julianwiedmann)
bpf: hide dynamic/static variant for policy tail-call (#32299, @julianwiedmann)
bpf: host: restore HostFW for overlay traffic in to-netdev (#31818, @julianwiedmann)
bpf: lb: remove extra SVC lookup when backend lookup fails (#31595, @julianwiedmann)
bpf: minor tail-call cleanups (#31990, @julianwiedmann)
bpf: nodeport: avoid revalidation in nodeport_rev_dnat_ingress_ipv4() (#32044, @julianwiedmann)
bpf: nodeport: split off LB logic in nodeport_lb*() (#31590, @julianwiedmann)
bpf: tests: don't define HAVE_ENCAP in IPsec tests (#31737, @julianwiedmann)
bpf: update set_ipsec_encrypt to optionally fill SPI with node map value (#31804, @ldelossa)
bugtool: Dump raw node ID map (#31741, @pchaigno)
build(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#32072, @dependabot[bot])
build(deps): bump idna from 3.4 to 3.7 in /Documentation (#31916, @dependabot[bot])
build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (#32176, @dependabot[bot])
build: golangci-lint: update go version configuration (#32191, @mhofstetter)
chore(deps): update all github action dependencies (main) (#31951, @renovate[bot])
chore(deps): update all github action dependencies (main) (#31992, @renovate[bot])
chore(deps): update all github action dependencies (main) (#32101, @renovate[bot])
chore(deps): update all github action dependencies (main) (#32237, @renovate[bot])
chore(deps): update all-dependencies (main) (#31694, @renovate[bot])
chore(deps): update all-dependencies (main) (#32242, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.16.6 (main) (#32219, @renovate[bot])
chore(deps): update docker.io/library/golang:1.22.2 docker digest to 450e382 (main) (#31949, @renovate[bot])
chore(deps): update docker.io/library/golang:1.22.2 docker digest to d5302d4 (main) (#32218, @renovate[bot])
chore(deps): update docker/setup-buildx-action action to v3.3.0 (main) (#31832, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (main) (#31815, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (main) (#31950, @renovate[bot])
chore(deps): update github/codeql-action action to v3.24.10 (main) (#31816, @renovate[bot])
chore(deps): update go to v1.22.2 (main) (#31767, @renovate[bot])
chore(deps): update hubble cli to v0.13.3 (main) (#32102, @renovate[bot])
chore(deps): update kylemayes/install-llvm-action action to v2.0.1 (main) (#31746, @renovate[bot])
CI: bump default FQDN datapath timeout from 100 to 250ms (#31866, @squeed)
cilium-dbg: avoid leaking file resources (#31750, @tklauser)
cilium-dbg: Expose Cilium network routing status (#32036, @joestringer)
cilium-dbg: fix exported command name (#31606, @lmb)
cilium-health: Fix setting of disable_ipv6 sysctl (#32120, @joamaki)
cli: Replace gocheck with built-in go test (#32210, @sayboras)
cloud-provider: Replace gocheck with built-in go test (#32212, @sayboras)
clustermesh: fix panic if the etcd client cannot be created (#32225, @giorio94)
cmd, watchers: Populate ipcache in case of high-scale ipcache (#31848, @pchaigno)
cni: Improve logging with common fields (#31805, @sayboras)
contexthelpers: remove unused package (#31834, @tklauser)
controller: Remove unused function FakeManager() (#32011, @joestringer)
datapath/iptables: remove unused customChain.feederArgs (#31876, @tklauser)
datapath: report distinct drop reason for missed endpoint policy tailcall (#32151, @julianwiedmann)
Deactivated Grafana reporting in monitoring example yaml. (#31989, @mvtab)
dev: Clean-up development setup (#32277, @sayboras)
docs: Add annotation for Ingress endpoint (#32284, @sayboras)
docs: Add connectivity perf test introduction as a part of e2e tests. (#31731, @fujitatomoya)
docs: add EnableDefaultDeny documentation (#32097, @squeed)
docs: Add table for which pkts are encrypted with WG (#31557, @brb)
docs: clean up example yaml for L4 Deny Policy (#32015, @huntergregory)
docs: Correct name of "cert-manager" in tab groups (#31929, @JamesLaverack)
docs: Document build framework for docs (#32006, @qmonnet)
docs: Fix pep-8 style for conf.py (#32009, @joestringer)
docs: Fix prometheus port regex (#32030, @JBodkin-Amphora)
Docs: improve Flatcar section (#31986, @darox)
docs: Improve CiliumEndpointSlice documentation to prepare graduation to "Stable" (#31800, @antonipp)
docs: Make ICMP rules for the Host Firewall easier to read/search (#31900, @qmonnet)
Docs: mark Tetragon as Stable (#31886, @sharlns)
docs: Update LLVM requirement to LLVM 17 (#32236, @pchaigno)
Document Cluster Mesh global services limitations when KPR=false (#31798, @giorio94)
Don't expand CIDR labels, match smartly in Labels instead (#30897, @squeed)
Drop unused service-related test helpers (#32002, @giorio94)
egressgw: minor bpf refactors (#32094, @julianwiedmann)
egressgw: Miscellaneous minor fixes to the manager (#31869, @pippolo84)
egressgw: reject config with EnableIPv4Masquerade false (#32150, @ysksuzuki)
endpoint / ApplyPolicyMapChanges: fix incorrect comment (#31790, @squeed)
endpoint: clean up unused code (#32081, @tklauser)
endpoint: Skip build queue warning log is context is canceled (#32132, @jrajahalme)
endpoint: skip Envoy incremental updates if no Envoy redirects (#31454, @squeed)
endpoint: skip Envoy incremental updates if no Envoy redirects (try 2) (#31775, @squeed)
endpoint: store state in ep_config.json (#31559, @lmb)
envoy: add support to bind to privileged ports (#32158, @mhofstetter)
Fix helm chart incompatible types for comparison (#32025, @lou-lan)
Fix spelling in DNS-based proxy info (#31728, @saintdle)
fix(deps): update all go dependencies main (main) (#31578, @renovate[bot])
fix(deps): update all go dependencies main (main) (#31853, @renovate[bot])
fix(deps): update all go dependencies main (main) (#31952, @renovate[bot])
fix(deps): update all go dependencies main (main) (#32106, @renovate[bot])
fix(deps): update all go dependencies main (main) (#32222, @renovate[bot])
fix(deps): update all go dependencies main (main) (#32256, @renovate[bot])
fix: close verifier.log (#32018, @testwill)
fix: deduplicate ConfigMap key if ENI mode and endpointRoutes are enabled (#31891, @remi-gelinas)
Fixes redundant space on the introduction page (intro.rst) (#32206, @network-charles)
gh/actions: Bump CLI to v0.16.6 (#32271, @brb)
golangci: Enable errorlint (#31458, @jrajahalme)
helm: no operator hostPorts when hostNetwork is disabled (#32127, @balous)
hive: Rebase on cilium/hive (#32020, @bimmlerd)
hive: Reduce hive trace logs to debug level (#32033, @joestringer)
hubble: Support --cel-expression filter in hubble observe (#32147, @chancez)
images: Update bpftool, checkpatch images (#31753, @qmonnet)
images: Update LLVM to 17.0.6 (#31418, @gentoo-root)
Improve compatibility with LLVM 17. (#31849, @gentoo-root)
Improve dev-doctor version detection and error reporting (#32035, @joestringer)
Improve release organization page (#31970, @joestringer)
ingress: change hostnetwork default port to unprivileged 8080 (#32159, @mhofstetter)
ingress: move flag ingress-default-xff-num-trusted-hops to cell config (#32190, @mhofstetter)
ingress: remove json struct tags from internal ingress translation model (#31659, @mhofstetter)
install/kubernetes: add AppArmor profile to Cilium Daemonset (#32199, @aanm)
install/kubernetes: update nodeinit image to latest version (#32181, @tklauser)
ipcache: Replace gocheck with built-in go test (#32283, @sayboras)
ipsec: Debug info for transient IPsec upgrade drops (#32240, @pchaigno)
k8s: Replace gocheck with built-in go test (#32211, @sayboras)
kvstore: always use scoped logger to distinguish different client instances (#32087, @giorio94)
l2announcer: Use the device table to access devices (#31931, @joamaki)
l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (#32200, @mhofstetter)
lb: Replace gocheck with built-in go test (#32282, @sayboras)
Loader reconciliation preparatory changes (#31773, @dylandreimerink)
loader: remove CompileAndLoad (#31792, @lmb)
loader: rewrite tests to remove gocheck dependency (#31841, @lmb)
Makefile: Run generate-k8s-api in builder image (#32063, @joestringer)
Misc BGP Control Plane documents (#31670, @YutaroHayakawa)
Move governance docs to the Cilium community repo (#31692, @katiestruthers)
multicast: check support for batch lookup (#31892, @harsimran-pabla)
operator: Replace gocheck with built-in go test (#32215, @sayboras)
pkg/bgp: Replace gocheck with built-in go test (#32263, @sayboras)
pkg/endpoint: Replace gocheck with built-in go test (#32262, @sayboras)
pkg/envoy: Replace gocheck with built-in go test (#32280, @sayboras)
pkg/ipam: Replace gocheck with built-in go test (#32227, @sayboras)
pkg/metrics: Replace gocheck with built-in go test (#32226, @sayboras)
policy/k8s: Fix bug where policy synchronization event was lost (#32028, @gandro)
policy: Remove unused allow-remotehost-ingress derivedFrom label (#32058, @gandro)
Prepare for release v1.16.0-pre.1 (#31733, @joestringer)
Print verbose verifier logs on verifier errors in socketlb (#31321, @gentoo-root)
README: Update releases (#31734, @joestringer)
Readme: Updates for release 1.15.4, 1.14.10, 1.13.15 (#32098, @asauber)
Refactor InitK8sSubsystem and adding unit tests (#31645, @anubhabMajumdar)
Remove aks-preview from AKS workflows (#32118, @marseel)
Remove CiliumOperatorName constant (#31597, @miono)
Remove hostPort dependency on BPF NodePort (#32046, @chaunceyjiang)
Remove Hubble-OTel from the roadmap (#31847, @xmulligan)
Remove superfluous nolint comments (#31743, @tklauser)
Remove v1.12 from Container Vulnerability Scan (#32114, @marseel)
Replace option.Config.{Get,Set,Append}Devices by table lookups (#30578, @bimmlerd)
Revert "Remove hostPort dependency on BPF NodePort" (#32160, @squeed)
route: Also compare ip rule mask for lookupRule (#31700, @jschwinger233)
Seamlessly downgrade bpf attachments from tcx to tc (#32228, @ti-mo)
Transition to NodeMapV2 which now includes SPI in its map values. (#31431, @ldelossa)
update cilium/certgen to v0.1.11 (#31863, @rolinh)
Update module health report for cilium status CLI (#30429, @derailed)
Update USERS.md - add Gcore info on supporting Cilium (#31763, @rzdebskiy)
WireGuard: remove cleanup for obsolete IP rules (#31874, @julianwiedmann)

Other Changes:

cli: make multicast subscriber list exportable (#31799, @harsimran-pabla)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0-pre.2@sha256:79a6b5903407760a5df8eb14699ef5fa03f5bd4cd8da55b391c3f7cc374925fe

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0-pre.2@sha256:4010e6cb28b12b88946c07016fadd4cfe954be1c19f41d24e3128961461856b9

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0-pre.2@sha256:2106c0da543a50a38870a1418af2ab5d5fb6cb3eeda80b5335d6d70eb73b03dd

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0-pre.2@sha256:a21e14356b3cb555de6f791f2b046750b8c10d79b487791d2e11042aef7ab51c

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0-pre.2@sha256:a7aefa8359c3d929650e4fdc43bd1404a8a4f9f9bfd148889252515bde6cd3fe

operator-aws

quay.io/cilium/operator-aws:v1.16.0-pre.2@sha256:00d10995fdd7bb38a5491d993682f0c663a68d87d2fc0a6a281b8d23818b863c

operator-azure

quay.io/cilium/operator-azure:v1.16.0-pre.2@sha256:c118cb3c52ca80054b8b5929dc8c080807aca2e2a45dc465985d3c98473059a2

operator-generic

quay.io/cilium/operator-generic:v1.16.0-pre.2@sha256:be77aaf620dfe5030fa0f1911c2622ed9c9a069e66a0ee88722d441510d60a6c

operator

quay.io/cilium/operator:v1.16.0-pre.2@sha256:c947b1c55d4fdfff4a9a30b1175cd774eab91626fe006feba517ce61c2f43839

v1.13.15

3 weeks ago

We are pleased to announce the release of Cilium v1.13.15.

This release includes a fix to the retry logic in the cilium health controllers, a fix to a race condition when updating L7 LB Services, and a fix for Node ID assignment in BPF maps for very large clusters. In addition, there were a variety of testing enhancements and documentation updates.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm

Summary of Changes

Minor Changes:

[v1.13] Bump envoy to v1.27.x (#31498, @sayboras)

Bugfixes:

cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #31722, Upstream PR #31622, @gandro)
Fixed a race condition in service updates for L7 LB. (Backport PR #31862, Upstream PR #31744, @jrajahalme)
Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31657, Upstream PR #31380, @marseel)

CI Changes:

ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31722, Upstream PR #31652, @qmonnet)
controlplane: fix mechanism for ensuring watchers (Backport PR #31587, Upstream PR #31030, @bimmlerd)
deflake endpointmanager tests (Backport PR #31722, Upstream PR #31488, @bimmlerd)
Reduce flakiness of controlplane tests (Backport PR #31587, Upstream PR #30906, @bimmlerd)
workflows: Debug info for key rotations (Backport PR #31722, Upstream PR #31627, @pchaigno)

Misc Changes:

chore(deps): update all github action dependencies (v1.13) (#31835, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.13) (#31709, @renovate[bot])
chore(deps): update go to v1.21.9 (v1.13) (#31766, @renovate[bot])
chore(deps): update stable lvh-images (v1.13) (patch) (#31710, @renovate[bot])
docs: Document No node ID found drops in case of remote node deletion (Backport PR #31722, Upstream PR #31635, @pchaigno)
docs: ipsec: document native-routing + Egress proxy case (Backport PR #31722, Upstream PR #31478, @julianwiedmann)
helm: update nodeinit image using renovate (Backport PR #31722, Upstream PR #31641, @tklauser)
Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31722, Upstream PR #29300, @learnitall)
v1.13: update cilium/certgen to v0.1.11 (#31884, @rolinh)

Other Changes:

[v1.13] envoy: Bump envoy image for golang 1.21.9 (#31772, @sayboras)
[v1.13] fix aws region being used twice (#31740, @brlbil)
[v1.13] workflows: ipsec-e2e: clean up escaping artifacts (#31630, @julianwiedmann)
Bump google.golang.org/grpc to v1.63.2 (v1.13) (#31878, @ferozsalam)
CI: Remove no longer supported k8s v1.24 (#31830, @brlbil)
envoy: Bump envoy version to v1.27.4 (#31809, @sayboras)
fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31872, @nathanjsweet)
fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31713, @nathanjsweet)
Update image digests for v1.13.14 (#31631, @thorn3r)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.15@sha256:3d77d6e463ccc462c7574399fe22f6177a6e484bc5c149c76b7d597163253eed quay.io/cilium/cilium:v1.13.15@sha256:3d77d6e463ccc462c7574399fe22f6177a6e484bc5c149c76b7d597163253eed

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.15@sha256:9cfdc40a689fc087d19aff4944657ca98df7795ba1836744400f6b77e59e1e5c quay.io/cilium/clustermesh-apiserver:v1.13.15@sha256:9cfdc40a689fc087d19aff4944657ca98df7795ba1836744400f6b77e59e1e5c

docker-plugin

docker.io/cilium/docker-plugin:v1.13.15@sha256:485857b80cb4c726aba7e8c41536db97b0558f05f22dce6f97c8db2c1792cf75 quay.io/cilium/docker-plugin:v1.13.15@sha256:485857b80cb4c726aba7e8c41536db97b0558f05f22dce6f97c8db2c1792cf75

hubble-relay

docker.io/cilium/hubble-relay:v1.13.15@sha256:40135c6b0e2034c9f06abfe0c85f7f088ac6ba2c619d5354d4af6179d33b9a1e quay.io/cilium/hubble-relay:v1.13.15@sha256:40135c6b0e2034c9f06abfe0c85f7f088ac6ba2c619d5354d4af6179d33b9a1e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.15@sha256:99c124f199f3cb48c41d43a423144bd9638d68705f347ec2326b34af50291a05 quay.io/cilium/operator-alibabacloud:v1.13.15@sha256:99c124f199f3cb48c41d43a423144bd9638d68705f347ec2326b34af50291a05

operator-aws

docker.io/cilium/operator-aws:v1.13.15@sha256:e09044b516be9ce9936253469411618d6790791dbe501829e6062244a24e815a quay.io/cilium/operator-aws:v1.13.15@sha256:e09044b516be9ce9936253469411618d6790791dbe501829e6062244a24e815a

operator-azure

docker.io/cilium/operator-azure:v1.13.15@sha256:ea05ba909b573b4a52731aec36b91a0a582781a48c2ade7719dfbae05c21d268 quay.io/cilium/operator-azure:v1.13.15@sha256:ea05ba909b573b4a52731aec36b91a0a582781a48c2ade7719dfbae05c21d268

operator-generic

docker.io/cilium/operator-generic:v1.13.15@sha256:21f6707e99722b41a24e9bf4e24b7e4d00597cc7dbaef6e7588dedbf3b270101 quay.io/cilium/operator-generic:v1.13.15@sha256:21f6707e99722b41a24e9bf4e24b7e4d00597cc7dbaef6e7588dedbf3b270101

operator

docker.io/cilium/operator:v1.13.15@sha256:971c9b6294216df668881917132a4a41fcc43fba64315e91ed632f62eab9eac9 quay.io/cilium/operator:v1.13.15@sha256:971c9b6294216df668881917132a4a41fcc43fba64315e91ed632f62eab9eac9

v1.14.10

3 weeks ago

We are pleased to announce the release of Cilium v1.14.10.

This release includes hubble metrics when using cilium sysdump, and a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm

Summary of Changes

Minor Changes:

bugtool: Collect hubble metrics (Backport PR #31888, Upstream PR #31533, @chancez)
Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (Backport PR #31888, Upstream PR #29581, @xyz-li)
Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (Backport PR #31007, Upstream PR #27498, @jrajahalme)

Bugfixes:

cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #31724, Upstream PR #31622, @gandro)
cni: Allow text-ts log format value (Backport PR #31888, Upstream PR #31686, @sayboras)
fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR #31724, Upstream PR #31104, @tamilmani1989)
Fixed a race condition in service updates for L7 LB. (Backport PR #31861, Upstream PR #31744, @jrajahalme)
Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31656, Upstream PR #31380, @marseel)
fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31871, @nathanjsweet)
fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31801, @nathanjsweet)
metric: Avoid memory leak/increase in cilium-agent (Backport PR #31888, Upstream PR #31714, @sayboras)

CI Changes:

ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR #31724, Upstream PR #31594, @qmonnet)
ci-e2e: Enable Ingress Controller test for more setup (Backport PR #31658, Upstream PR #30657, @sayboras)
ci-ipsec-e2e: Misc refactor + more keys (Backport PR #31429, Upstream PR #29592, @brb)
ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31724, Upstream PR #31652, @qmonnet)
deflake endpointmanager tests (Backport PR #31724, Upstream PR #31488, @bimmlerd)
gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR #31429, Upstream PR #29704, @brb)
gha: Enable Ingress Controller tests in conformance-e2e (Backport PR #31658, Upstream PR #29130, @sayboras)
workflows: Debug info for key rotations (Backport PR #31724, Upstream PR #31627, @pchaigno)

Misc Changes:

bitlpm: Document and Fix Descendants Bug (Backport PR #31888, Upstream PR #31851, @nathanjsweet)
Bump go-jose to v3.0.3 (v1.14) (#31881, @ferozsalam)
chore(deps): update all github action dependencies (v1.14) (#31824, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.14) (#31707, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.4 (v1.14) (#31675, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (v1.14) (#31748, @renovate[bot])
chore(deps): update go to v1.21.9 (v1.14) (#31765, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#31708, @renovate[bot])
cilium-dbg: avoid leaking file resources (Backport PR #31888, Upstream PR #31750, @tklauser)
docs: Document No node ID found drops in case of remote node deletion (Backport PR #31724, Upstream PR #31635, @pchaigno)
docs: ipsec: document native-routing + Egress proxy case (Backport PR #31724, Upstream PR #31478, @julianwiedmann)
Fix spelling in DNS-based proxy info (Backport PR #31888, Upstream PR #31728, @saintdle)
helm: update nodeinit image using renovate (Backport PR #31724, Upstream PR #31641, @tklauser)
Move governance docs to the Cilium community repo (Backport PR #31888, Upstream PR #31692, @katiestruthers)
Remove Hubble-OTel from the roadmap (Backport PR #31888, Upstream PR #31847, @xmulligan)
Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31724, Upstream PR #29300, @learnitall)
Support for batch deletion of endpoints (Backport PR #31585, Upstream PR #27351, @tklauser)
v1.14: update cilium/certgen to v0.1.11 (#31883, @rolinh)

Other Changes:

[v1.14] envoy: Bump envoy image for golang 1.21.9 (#31771, @sayboras)
[v1.14] fix unsupported aws region (#31742, @brlbil)
[v1.15] envoy: Bump golang version to 1.21.8 (Backport PR #31007, Upstream PR #31221, @sayboras)
CI: Remove unsupported k8s version (#31829, @brlbil)
envoy: Bump envoy version to v1.27.4 (#31808, @sayboras)
install: Update image digests for v1.14.9 (#31629, @jrajahalme)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798 quay.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798

docker-plugin

docker.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda quay.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda

hubble-relay

docker.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0 quay.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14 quay.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14

operator-aws

docker.io/cilium/operator-aws:v1.14.10@sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6 quay.io/cilium/operator-aws:v1.14.10@sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6

operator-azure

docker.io/cilium/operator-azure:v1.14.10@sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4 quay.io/cilium/operator-azure:v1.14.10@sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4

operator-generic

docker.io/cilium/operator-generic:v1.14.10@sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909 quay.io/cilium/operator-generic:v1.14.10@sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909

operator

docker.io/cilium/operator:v1.14.10@sha256:20cadfbc68b37766b5747ca21f1cbfe8dec518c26232852f6c655f76999a8f92 quay.io/cilium/operator:v1.14.10@sha256:20cadfbc68b37766b5747ca21f1cbfe8dec518c26232852f6c655f76999a8f92

v1.15.4

3 weeks ago

We are pleased to announce the release of Cilium v1.15.4.

This release includes the option to configure Node map size, additional detail when using cilium-dbg bpf metrics list, a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map, and performance improvements to the Connection Tracking implementation. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm

Summary of Changes

Minor Changes:

Add "node-map-max" to allow configuring nodemap size. (Backport PR #31727, Upstream PR #31407, @tommyp1ckles)
Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (Backport PR #31558, Upstream PR #30972, @ti-mo)
bugtool: Collect hubble metrics (Backport PR #31890, Upstream PR #31533, @chancez)
feat: Add the http return code to metric api_processed_total (Backport PR #31890, Upstream PR #31227, @vipul-21)
Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (Backport PR #31890, Upstream PR #29581, @xyz-li)
Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (Backport PR #31785, Upstream PR #31082, @julianwiedmann)

Bugfixes:

Avoid drops with "CT: Unknown L4 protocol" for non-ICMP/TCP/UDP traffic, caused by an error check in the BPF NAT engine. (Backport PR #31890, Upstream PR #31820, @julianwiedmann)
cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #31727, Upstream PR #31622, @gandro)
cni: Allow text-ts log format value (Backport PR #31890, Upstream PR #31686, @sayboras)
Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and --devices provided. (Backport PR #31601, Upstream PR #31345, @pchaigno)
Fix incorrect reporting of the number of etcd lock leases in cilium-dbg status. (Backport PR #31890, Upstream PR #31781, @giorio94)
fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR #31727, Upstream PR #31104, @tamilmani1989)
Fixed a race condition in service updates for L7 LB. (Backport PR #31860, Upstream PR #31744, @jrajahalme)
fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31870, @nathanjsweet)
fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (Backport PR #31727, Upstream PR #31328, @nathanjsweet)
gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (Backport PR #31769, Upstream PR #30686, @cjvirtucio87)
gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (Backport PR #31769, Upstream PR #31361, @chaunceyjiang)
gateway-api: shorten the length of the value of the svc's label. (Backport PR #31769, Upstream PR #31292, @chaunceyjiang)
ingress/gateway-api: sort virtual hosts in CEC (Backport PR #31739, Upstream PR #31493, @mhofstetter)
ingress/gateway-api: stable envoy listener filterchain sort-order (Backport PR #31601, Upstream PR #31572, @mhofstetter)
metric: Avoid memory leak/increase in cilium-agent (Backport PR #31890, Upstream PR #31714, @sayboras)

CI Changes:

ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR #31727, Upstream PR #31594, @qmonnet)
ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31727, Upstream PR #31652, @qmonnet)
deflake endpointmanager tests (Backport PR #31601, Upstream PR #31488, @bimmlerd)
gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR #31428, Upstream PR #29704, @brb)
Make BPF unit tests reproducible (Backport PR #31663, Upstream PR #31526, @ti-mo)
Make testdata build output more stable by reducing header includes (Backport PR #31663, Upstream PR #31644, @ti-mo)
update azure k8s versions (Backport PR #31890, Upstream PR #31220, @brlbil)
workflows: Debug info for key rotations (Backport PR #31727, Upstream PR #31627, @pchaigno)
workflows: ipsec-e2e: add missing key types for some configs (Backport PR #31727, Upstream PR #31636, @julianwiedmann)

Misc Changes:

bitlpm: Document and Fix Descendants Bug (Backport PR #31890, Upstream PR #31851, @nathanjsweet)
bpf: host: restore HostFW for overlay traffic in to-netdev (Backport PR #31785, Upstream PR #31818, @julianwiedmann)
bpf: tests: don't define HAVE_ENCAP in IPsec tests (Backport PR #31785, Upstream PR #31737, @julianwiedmann)
chore(deps): update all github action dependencies (v1.15) (#31822, @renovate[bot])
chore(deps): update all-dependencies (v1.15) (#31698, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.15) (#31703, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.4 (v1.15) (#31674, @renovate[bot])
chore(deps): update docker/setup-buildx-action action to v3.3.0 (v1.15) (#31828, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (v1.15) (#31747, @renovate[bot])
chore(deps): update go to v1.21.9 (v1.15) (#31764, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#31704, @renovate[bot])
cilium-dbg: avoid leaking file resources (Backport PR #31890, Upstream PR #31750, @tklauser)
docs: Document No node ID found drops in case of remote node deletion (Backport PR #31727, Upstream PR #31635, @pchaigno)
docs: ipsec: document native-routing + Egress proxy case (Backport PR #31727, Upstream PR #31478, @julianwiedmann)
Fix spelling in DNS-based proxy info (Backport PR #31890, Upstream PR #31728, @saintdle)
helm: update nodeinit image using renovate (Backport PR #31727, Upstream PR #31641, @tklauser)
ingress: sort all shared ingresses during model generation (Backport PR #31727, Upstream PR #31494, @mhofstetter)
loader: refactor/cleanup replaceNetworkDatapath (Backport PR #31663, Upstream PR #29825, @rgo3)
Move governance docs to the Cilium community repo (Backport PR #31890, Upstream PR #31692, @katiestruthers)
Remove Hubble-OTel from the roadmap (Backport PR #31890, Upstream PR #31847, @xmulligan)
Remove tcx links created by Cilium 1.16 onwards (Backport PR #31663, Upstream PR #31553, @ti-mo)
Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31727, Upstream PR #29300, @learnitall)
v1.15: update cilium/certgen to v0.1.11 (#31882, @rolinh)

Other Changes:

[v1.15] envoy: Bump envoy image for golang 1.21.9 (#31770, @sayboras)
[v1.15] Multicast Datapath Backport (#31668, @ldelossa)
[v1.15] route: Specify "proto kernel" for ip routes and rules (#31777, @jschwinger233)
envoy: Bump envoy version to v1.27.4 (#31807, @sayboras)
install: Update image digests for v1.15.3 (#31623, @jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.4@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426 quay.io/cilium/cilium:stable@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.4@sha256:3fadf85d2aa0ecec09152e7e2d57648bda7e35bdc161b25ab54066dd4c3b299c quay.io/cilium/clustermesh-apiserver:stable@sha256:3fadf85d2aa0ecec09152e7e2d57648bda7e35bdc161b25ab54066dd4c3b299c

docker-plugin

quay.io/cilium/docker-plugin:v1.15.4@sha256:af22e26e927ec01633526b3d2fd5e15f2c7f3aab9d8c399081eeb746a4e0db47 quay.io/cilium/docker-plugin:stable@sha256:af22e26e927ec01633526b3d2fd5e15f2c7f3aab9d8c399081eeb746a4e0db47

hubble-relay

quay.io/cilium/hubble-relay:v1.15.4@sha256:03ad857feaf52f1b4774c29614f42a50b370680eb7d0bfbc1ae065df84b1070a quay.io/cilium/hubble-relay:stable@sha256:03ad857feaf52f1b4774c29614f42a50b370680eb7d0bfbc1ae065df84b1070a

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.4@sha256:7c0e5346483a517e18a8951f4d4399337fb47020f2d9225e2ceaa8c5d9a45a5f quay.io/cilium/operator-alibabacloud:stable@sha256:7c0e5346483a517e18a8951f4d4399337fb47020f2d9225e2ceaa8c5d9a45a5f

operator-aws

quay.io/cilium/operator-aws:v1.15.4@sha256:8675486ce8938333390c37302af162ebd12aaebc08eeeaf383bfb73128143fa9 quay.io/cilium/operator-aws:stable@sha256:8675486ce8938333390c37302af162ebd12aaebc08eeeaf383bfb73128143fa9

operator-azure

quay.io/cilium/operator-azure:v1.15.4@sha256:4c1a31502931681fa18a41ead2a3904b97d47172a92b7a7b205026bd1e715207 quay.io/cilium/operator-azure:stable@sha256:4c1a31502931681fa18a41ead2a3904b97d47172a92b7a7b205026bd1e715207

operator-generic

quay.io/cilium/operator-generic:v1.15.4@sha256:404890a83cca3f28829eb7e54c1564bb6904708cdb7be04ebe69c2b60f164e9a quay.io/cilium/operator-generic:stable@sha256:404890a83cca3f28829eb7e54c1564bb6904708cdb7be04ebe69c2b60f164e9a

operator

quay.io/cilium/operator:v1.15.4@sha256:4e42b867d816808f10b38f555d6ae50065ebdc6ddc4549635f2fe50ed6dc8d7f quay.io/cilium/operator:stable@sha256:4e42b867d816808f10b38f555d6ae50065ebdc6ddc4549635f2fe50ed6dc8d7f

v1.16.0-pre.1

1 month ago

Summary of Changes

Major Changes:

Add a readinessProbe to the kvstoremesh container that reports initial synchronization status to support configuring a separate, initial rate-limit to be used while synchronizing. Both clustermesh-apiserver and kvstoremesh now use a high initial rate-limit to decrease start time. (#30361, @thorn3r)
bpf: introduce encrypted overlay datapath support (#31073, @ldelossa)
multicast: add CLIs to manage multicast BPF maps (#31355, @harsimran-pabla)
policy/k8s: Add support for CIDRGroupRef in IngressDeny and EgressDeny (#30933, @pippolo84)
This adds a new policy field, EnableDefaultDeny, which permits the creation of network polices that do not drop non-matching traffic. (#30572, @squeed)

Minor Changes:

Add "node-map-max" to allow configuring nodemap size. (#31407, @tommyp1ckles)
Add helm values.schema.json file for validating supplied values for correct type. (#30631, @ubergesundheit)
Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (#30972, @ti-mo)
Add support for ClusterIP service advertisement with BGP Control Plane (#30963, @chaunceyjiang)
Add support for ExternalIP service advertisement with BGP Control Plane (#31245, @chaunceyjiang)
agent: add several new flags to control Cilium's datapath events notifications (#30063, @mvisonneau)
Allow the Host Firewall and IPv6 BPF masquerading to be used together. (#31511, @qmonnet)
Allows for using AWS SGs in the ingress section of rules. (#30708, @Alex-Waring)
bgpv1: Add Local internalTrafficPolicy support for ClusterIP advertisements (#31442, @chaunceyjiang)
bgpv1: BGP Control Plane metrics (#31469, @YutaroHayakawa)
bugtool: Collect hubble metrics (#31533, @chancez)
Change Node IPAM to select all nodes if externalTrafficPolicy=Cluster and add nodeipam.cilium.io/match-node-labels annotation (#31406, @MrFreezeex)
cleanup: Remove deprecated values for KPR (#31286, @sayboras)
cni: use default logger with timestamps. (#31014, @tommyp1ckles)
envoy: Add support for exposing Envoy Admin API (#30655, @sayboras)
feat: Add the http return code to metric api_processed_total (#31227, @vipul-21)
Fix Cilium default values for EKS when Cilium clustermesh-apiserver LoadBalancer fails to create NLB with AWS Load Balancer Controller with syntax error. (#31329, @oshangalwaduge)
Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (#31205, @squeed)
fqdn: avoid expensive sort/unique of names during GC (#30920, @tklauser)
GatewayAPI supports to setting the number of trusted loadbalancer hops (#30662, @chaunceyjiang)
helm: Bump minimum k8s version to v1.21+ (#31648, @sayboras)
ingress: Allow strict kube-proxy-replacement (#31284, @sayboras)
Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (#31159, @pchaigno)
labelsfilter: Always apply Cluster entity specific identity-relevant label (#31178, @soggiest)
Only detach Cilium-owned legacy XDP programs when XDP is disabled (#31654, @ti-mo)
pkg/kvstore/allocator: Standardize usage of logfields (#30526, @antonipp)
Remove helm option enable-remote-node-identity after being deprecated in v1.15. (#31228, @doniacld)
Support IPv4 fragmentation for service backends. (#31364, @julianwiedmann)
This allows the initialDelaySeconds option to be configured. This allows users running larger clusters to extend the time it takes for preflight to become ready. (#30495, @chaunceyjiang)
WG: Improve L7 checks (#31299, @brb)

Bugfixes:

bpf: use bpf_htons instead of using shift (#31247, @chez-shanpu)
Cilium allows selecting 'lo' as a device again. (#31200, @bimmlerd)
cilium-health: Fix broken retry loop in cilium-health-ep controller (#31622, @gandro)
cni: Allow text-ts log format value (#31686, @sayboras)
cni: Use batch endpoint deletion API in chaining plugin (#31456, @sayboras)
envoy: register secret syncer even if only CEC is enabled (#31447, @mhofstetter)
Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (#31164, @joamaki)
Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and --devices provided. (#31345, @pchaigno)
Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (#31395, @tklauser)
Fix the logic of the api-server connectivity check for the kubernetes probe (#31019, @tkna)
fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (#31104, @tamilmani1989)
Fixed issue when updated nodes were being reported with unknown connectivity status in health report (#30917, @marseel)
Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (#31380, @marseel)
fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31328, @nathanjsweet)
gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (#30686, @cjvirtucio87)
gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (#31361, @chaunceyjiang)
gateway-api: Retrieve LB service from same namespace (#31271, @sayboras)
gateway-api: shorten the length of the value of the svc's label. (#31292, @chaunceyjiang)
helm: Update pod affinity for cilium-envoy (#31150, @sayboras)
hubble/relay: Fix certificate reloading in PeerManager (#31376, @glrf)
hubble: fix parsing of invalid HTTP URLs (#31100, @kaworu)
Hubble: fix traffic direction and is reply when IPSec is enabled (#31211, @kaworu)
ingress/gateway-api: sort virtual hosts in CEC (#31493, @mhofstetter)
ingress/gateway-api: stable envoy listener filterchain sort-order (#31572, @mhofstetter)
k8s/utils: correctly filter out labels in StripPodSpecialLabels (#31421, @tklauser)
metric: Avoid memory leak/increase in cilium-agent (#31714, @sayboras)
metrics: Disable prometheus metrics by default (#31144, @joestringer)
operator: fix errors/warnings metric. (#31214, @tommyp1ckles)
Updated Kernel parsing to handle single and double digit kernel version as well (#30699, @MeherRushi)

CI Changes:

Additionally test host firewall + KPR disabled in E2E tests (#30914, @giorio94)
AKS: avoid overlapping pod and service CIDRs (#31504, @bimmlerd)
bgpv1: avoid object tracker vs informer race (#31010, @bimmlerd)
bgpv1: fix Test_PodIPPoolAdvert flakiness (#31365, @rastislavs)
bgpv2/ci: added watch reactor for bgp cluster config (#31381, @harsimran-pabla)
bpf: fix go testdata check in ci (#31419, @mhofstetter)
Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (#31198, @giorio94)
ci-e2e: Add e2e test with WireGuard + Host Firewall (#31594, @qmonnet)
ci-e2e: Add matrix for bpf.tproxy and ingress-controller (#31272, @sayboras)
ci/ipsec: Print more info to debug credentials removal check failures (#31652, @qmonnet)
ci: Bump lvh-kind ssh-startup-wait-retries (#31387, @YutaroHayakawa)
ci: check license of third party Go dependencies (#31129, @rolinh)
ci: fail container scans on vulnerability scan results (#31092, @ferozsalam)
contrib/scripts: Remove false positives from check-go-testdata.sh (#31089, @dylandreimerink)
deflake endpointmanager tests (#31488, @bimmlerd)
Drop legacy and superseded test from the Ginkgo suite (#31411, @giorio94)
Drop the remaining references to the CILIUM_CLI_MODE environment variable in GHA workflows. (#31199, @giorio94)
gateway-api: Enable GRPCRoute conformance tests (#31055, @sayboras)
gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (#29704, @brb)
gh: workflows: clarify reference to issue #23283 (#31118, @julianwiedmann)
gha: disable fail-fast on integration tests (#31420, @giorio94)
gha: fix coredns logs retrieval in conformance-clustermesh (#31509, @giorio94)
gha: Remove manual device setting (#31435, @sayboras)
gha: retrieve additional coredns-related troubleshooting info (#31384, @giorio94)
introduce ARM github workflows (#31196, @aanm)
ipam: deepcopy interface resource correctly. (#26998, @tommyp1ckles)
k8s_install.sh: specify the CNI version (#31182, @aanm)
loader: fix issue where errors cancelled compile cause error logs. (#30988, @tommyp1ckles)
Make BPF unit tests reproducible (#31526, @ti-mo)
Make testdata build output more stable by reducing header includes (#31644, @ti-mo)
renovate: temporarily do not update GoBGP (#31123, @rastislavs)
slices: don't modify missed input slice in test (#31119, @bimmlerd)
test/verifier: Keep existing environment when running make (#31632, @gentoo-root)
test/verifier: Sort BPF program names for stable output (#31617, @gentoo-root)
test: Update KPR value in ipsec upgrade jobs (#31649, @sayboras)
update azure k8s versions (#31220, @brlbil)
workflows: Cover IPsec encrypted overlay mode in end-to-end tests (#31637, @pchaigno)
workflows: Debug info for key rotations (#31627, @pchaigno)
workflows: ipsec-e2e: add missing key types for some configs (#31636, @julianwiedmann)

Misc Changes:

Add monitor aggregation for all events related to packets ingressing to the network-facing device. (#31015, @learnitall)
Add the documentation for using serviceAdvertisements (#31331, @chaunceyjiang)
agent: Remove redundant pod spec checks (#31105, @aditighag)
agent: Wrap propagating errors from proxy wait group (#31398, @aditighag)
all: remove repetitive words (#31566, @deterclosed)
api: Upgrade go-swagger version to v0.30.5 (#31647, @sayboras)
Avoid depending on sysctl in the kind.sh script for IPv6 determination (#31180, @giorio94)
bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (#31218, @YutaroHayakawa)
bgpv1: Disable PodCIDR Reconciler for unsupported IPAM modes (#31181, @YutaroHayakawa)
bgpv2: fix operator flaky test cases (#31255, @harsimran-pabla)
bgpv2: Introducing pod cidr reconciler for bgpv2. (#30815, @harsimran-pabla)
bgpv2: introducing PodIPPool reconciler (#31546, @harsimran-pabla)
bgpv2: remove automatic bgp peering policy translation to new BGP CRDs. (#31252, @harsimran-pabla)
bpf,config: Add ENABLE_LOCAL_REDIRECT_POLICY macro (#31098, @aditighag)
bpf: add node_key to alignchecker (#31393, @julianwiedmann)
bpf: Don't skip local delivery for plain-text packets when IPsec is enabled (#31193, @pchaigno)
bpf: host: optimize from-host's ICMPv6 path (#31127, @julianwiedmann)
bpf: lxc: also set from_tunnel for IPv6 CT entries (#30877, @julianwiedmann)
bpf: nodeport: add nodeport_rev_dnat_ingress_ipv4_hook infra (#31244, @jibi)
bpf: nodeport: clean up ct_state usage in nodeport_lb*() (#31427, @julianwiedmann)
bpf: nodeport: don't forward host id in nodeport_lb4 (#31120, @jibi)
bpf: nodeport: simplify CT entry validation in nodeport_lb*() (#31165, @julianwiedmann)
bpf: update unreachable-tailcall.o after updating CILIUM_BUILDER_IMAGE (#31412, @mhofstetter)
bpf: xdp: remove unused set_encrypt_dip() (#31367, @julianwiedmann)
bugtool: Capture memory fragmentation info from /proc (#30966, @pchaigno)
cec: move config property 'envoy-config-timeout' into hive config (#31086, @mhofstetter)
chore(deps): update all github action dependencies (main) (#31282, @renovate[bot])
chore(deps): update all github action dependencies (main) (#31443, @renovate[bot])
chore(deps): update all github action dependencies (main) (#31573, @renovate[bot])
chore(deps): update all github action dependencies (main) (#31697, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#31130, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#31131, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#31230, @renovate[bot])
chore(deps): update all lvh-images main to bpf-next-20240309.012251 (main) (patch) (#31276, @renovate[bot])
chore(deps): update all lvh-images main to bpf-next-20240315.012542 (main) (patch) (#31440, @renovate[bot])
chore(deps): update all-dependencies (main) (#31275, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.16.0 (main) (#31281, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.17 (main) (#31695, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.0 (main) (#31171, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.3 (main) (#31386, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.4 (main) (#31673, @renovate[bot])
chore(deps): update docker.io/library/golang:1.22.1 docker digest to 0b55ab8 (main) (#31438, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (main) (#31439, @renovate[bot])
chore(deps): update github/codeql-action action to v3.24.8 (main) (#31479, @renovate[bot])
chore(deps): update go to v1.22.1 (main) (#31277, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.57.1 (main) (#31576, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.57.2 (main) (#31696, @renovate[bot])
chore(deps): update hubble cli to v0.13.2 (main) (#31320, @renovate[bot])
chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] (main) (#31241, @renovate[bot])
chore: update json-mock image source in examples (#31373, @loomkoom)
cilium, bpf: pkts/byte count conversion for ct (#31087, @borkmann)
cilium-dbg: listing load-balancing configurations displays L7LB proxy port (#31503, @mhofstetter)
cilium: Enable plain IPIP/IP6IP6 termination (#31213, @borkmann)
config: Remove unused ENCRYPT_IFACE macro (#31323, @pchaigno)
container/bitlpm: Add Lookup Boolean Return Value (#31037, @nathanjsweet)
contrib: Add installation script for tools in devcontainer (#31534, @fujitatomoya)
controller: Add and use lookup function for controllers (#31236, @christarazi)
datapath, bpf: Remove unnecessary IPsec code (#31344, @pchaigno)
dev: Enable IPv6 system setting for devcontainer environment. (#31268, @fujitatomoya)
doc,bgpv1: Add some failure scenarios (#31249, @YutaroHayakawa)
doc,bgpv1: Bootstrapping BGP CPlane failure scenario doc (#31153, @YutaroHayakawa)
doc,bgpv1: More failure scenario and wording improvement (#31470, @YutaroHayakawa)
doc: Clarified GwAPI KPR prerequisites (#31366, @PhilipSchmid)
doc: Document APAC community meeting (#31461, @YutaroHayakawa)
docs: aks: avoid overlapping service and pod CIDRs (#31543, @bimmlerd)
docs: Correct dynamic hubble exporter sample configs example (#31445, @littlesheng19)
docs: Document No node ID found drops in case of remote node deletion (#31635, @pchaigno)
docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (#30462, @saintdle)
docs: Fix profiling related debugging instructions (#31044, @aditighag)
docs: Fix various typos in README.rst (#31072, @payneInTheBrian)
docs: ipsec: document native-routing + Egress proxy case (#31478, @julianwiedmann)
docs: Suggest using operator logs for troubleshooting (#31500, @simonfelding)
docs: Update link to cilium/ebpf's list of eBPF program types (#31699, @haiyuewa)
docs: Update link to USERS.md in README from RAW Github to standard Github UI (#30589, @ondrejsika)
docs: Warn on key rotations during upgrades (#31437, @pchaigno)
Document the process for disabling workflows (#31603, @michi-covalent)
Downgrade L2 Neighbor Discovery failure log to Debug (#31179, @YutaroHayakawa)
endpointmanager: Improve health reporter messages when stopped (#31231, @christarazi)
envoy: Bump golang version to 1.21.8 (#31224, @sayboras)
envoy: cleanup istio specifics (#31448, @mhofstetter)
envoy: move config values from global config into hive cell (#31351, @mhofstetter)
envoy: Remove deprecated runtime key logs (#31108, @sayboras)
envoy: support configurable Envoy base id in embedded mode (#31449, @mhofstetter)
fix 'mismatch' typos in error messages (#31660, @julianwiedmann)
Fix helm template for hubble-relay prometheus annotations (#31253, @glrf)
Fix running tests locally in kind. (#31234, @gentoo-root)
fix(deps): update all go dependencies main (main) (#31112, @renovate[bot])
fix(deps): update all go dependencies main (main) (#31278, @renovate[bot])
fix(deps): update all go dependencies main (main) (#31441, @renovate[bot])
fix(deps): update all go dependencies main (main) (#31462, @renovate[bot])
fix(deps): update google.golang.org/genproto/googleapis/rpc digest to a219d84 (main) (#31305, @renovate[bot])
fix(deps): update google.golang.org/genproto/googleapis/rpc digest to c811ad7 (main) (#31322, @renovate[bot])
fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security] (main) (#31531, @renovate[bot])
gateway-api: Replace deprecated status (#31111, @sayboras)
helm: Remove pipe in value comments to avoid breaking Helm reference (#31588, @qmonnet)
helm: update nodeinit image using renovate (#31641, @tklauser)
hive/cell/health: don't warn when reporting on stopped reporter. (#31262, @tommyp1ckles)
hubble/relay/server: remove unused Server.stop chan (#31560, @tklauser)
Ignore kvstore node events for the local node, to avoid unnecessarily increasing the ipcache_errors_total (cannot_overwrite_by_source) metric. (#31399, @giorio94)
images/builder: get rid of annoying git ownership warnings (#31538, @ti-mo)
images: bump cni plugins to v1.4.1 (#31347, @aanm)
Improve compatibility with LLVM 17. (#31403, @gentoo-root)
Improve compatibility with LLVM 17. (#31459, @gentoo-root)
Improve insertNodeNeighbor behavior to report health (#29415, @derailed)
Improve LocalNodeStore.Get() performance and fix possible deadlock (#31013, @giorio94)
ingress/gateway-api: stable address order for Ingress hostnetwork listener addresses (#31477, @mhofstetter)
ingress: sort all shared ingresses during model generation (#31494, @mhofstetter)
ingress: Update docs with network policy example (#31060, @sayboras)
IPAM: Refactors Node API Types to Support Separate IP Families (#30684, @danehans)
ipam: Remove unused variable (#31401, @christarazi)
ipcache: Remove synchronous CIDR identity allocation (#31311, @gandro)
iptables: Manage IP sets independently with the stateDB reconciler (#31099, @pippolo84)
iptables: Simplify proxy rules removing ingress/egress flag (#31068, @pippolo84)
iptables: Unit tests cleanup (#31368, @pippolo84)
kind: reset sysctl net.ipv4.ip_unprivileged_port_start to 1024 (#31370, @mhofstetter)
lint: Remove temp variable in the 'for' loop (#31523, @sayboras)
loader: add message if error is ENOTSUP (#31413, @kkourt)
lxcmap: Fix comment about byte-order (#31362, @joestringer)
Make it clear USERS.md should be production use cases (#31316, @xmulligan)
Makefiles: Allow external input for go build/test/clean flags. (#29646, @wanlin31)
Miscellaneous cleanups around node discovery (#31397, @giorio94)
modularize node discovery (#31589, @dylandreimerink)
multicast: modify list operations from iterator to batch lookup. (#31562, @harsimran-pabla)
node: add support for injection of optional ipset filter (#31550, @giorio94)
node: Replace ipv[46]MasqAddrs with Table[NodeAddress] (#30457, @joamaki)
pkg/ip: Updates PrefixToIps() to Limit the Number of Returned IPs (#30921, @danehans)
policy/k8s: Refactor and move ToServices translation to policy package (#31062, @gandro)
policy: Fix missing labels from SelectorCache selectors (#31358, @christarazi)
Prepare for release v1.16.0-pre.0 (#31121, @aanm)
proxy: configurable portrange (#31556, @mhofstetter)
proxy: remove unused ifaces and code for proxy <-> endpoint interaction (#31547, @mhofstetter)
README: Update releases (#31665, @thorn3r)
Remove HAVE_LARGE_INSN_LIMIT (#31094, @dylandreimerink)
Remove Istio ambient compatibility blurb (#31525, @bleggett)
Remove old bpf feature probes (#31096, @dylandreimerink)
Remove tcx links created by Cilium 1.16 onwards (#31553, @ti-mo)
renovate: Drop references to Cilium 1.12 (#31148, @joestringer)
renovate: separate major.minor.patch for lvh images (#31126, @aanm)
secret-sync: improve logging (#31415, @mhofstetter)
signal: remove spare debug logs (#31723, @tklauser)
stream: Relocate to cilium/stream (#30846, @joamaki)
update readme with 1.16.0-pre.0 (#31128, @aanm)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0-pre.1@sha256:f822fed7e9ab9ef9251e3e21eaf6d4d5179a6b5831e147c3ab1caaa3f9b17b79

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0-pre.1@sha256:6489a11ebdf28be5238842afaea4e5e2a9628e8c4fb66d712b3998fb1bfa034b

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0-pre.1@sha256:0540dce44dc09dd54cbb1a665736664913dc242b9bca261fb138b8ac6de3aa8e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0-pre.1@sha256:80a213c50bc9915b73950c2efbbc04a32ab2df5058e0d5afe86c64d83a59cc2d

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0-pre.1@sha256:9237c6dfc208e5f76c01922932d3c568f269356f485076a62c9a503d1af76710

operator-aws

quay.io/cilium/operator-aws:v1.16.0-pre.1@sha256:bf75d57fcfd1fb0b6ad8c6257e0758872278609847640fc4245cd04be139d7fd

operator-azure

quay.io/cilium/operator-azure:v1.16.0-pre.1@sha256:099fb5537d294bdf41755f93acbf8c6e2ecbca162b139028b4897f2904e04e4b

operator-generic

quay.io/cilium/operator-generic:v1.16.0-pre.1@sha256:73e8c7a415dfd3c6bb166848248c719ced5db53123c0f29c77e08771d1ec8400

operator

quay.io/cilium/operator:v1.16.0-pre.1@sha256:eb3303b6290ee9b06da28c383a65c680d03bc2028f6bdc046d5f1494eb5a485c

v1.13.14

1 month ago

We are pleased to release Cilium v1.13.14.

Security Advisories

This release addresses a security vulnerability. For more information, see https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

cni: use default logger with timestamps. (Backport PR #31309, Upstream PR #31014, @tommyp1ckles)
Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (Backport PR #31309, Upstream PR #31159, @pchaigno)

Bugfixes:

Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31476, Upstream PR #31395, @tklauser)
Fix bug leading to missed ipcache updates for the CiliumInternalIP when --enable-remote-node-identity=false, and unnecessary ipcache_errors_total metric increase if Cilium operates in kvstore mode. (#31396, @giorio94)
gateway-api: Retrieve LB service from same namespace (Backport PR #31496, Upstream PR #31271, @sayboras)
Handle InvalidParameterValue as well for PD fallback (Backport PR #31496, Upstream PR #31016, @hemanthmalla)
Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31496, Upstream PR #31211, @kaworu)
k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31476, Upstream PR #31421, @tklauser)

CI Changes:

AKS: avoid overlapping pod and service CIDRs (Backport PR #31570, Upstream PR #31504, @bimmlerd)
Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #31195, Upstream PR #30916, @giorio94)
Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #31195, Upstream PR #31198, @giorio94)
ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #31496, Upstream PR #31387, @YutaroHayakawa)
gha: disable fail-fast on integration tests (Backport PR #31496, Upstream PR #31420, @giorio94)
gha: drop unused check_url environment variable (Backport PR #31195, Upstream PR #30928, @giorio94)
introduce ARM github workflows (Backport PR #31309, Upstream PR #31196, @aanm)
ipam: deepcopy interface resource correctly. (Backport PR #31496, Upstream PR #26998, @tommyp1ckles)
loader: fix issue where errors cancelled compile cause error logs. (Backport PR #31309, Upstream PR #30988, @tommyp1ckles)

Misc Changes:

Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31309, Upstream PR #31015, @learnitall)
chore(deps): update all github action dependencies (v1.13) (#31485, @renovate[bot])
chore(deps): update all github action dependencies (v1.13) (#31584, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.13) (#31484, @renovate[bot])
cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31570, Upstream PR #31503, @mhofstetter)
doc: Clarified GwAPI KPR prerequisites (Backport PR #31496, Upstream PR #31366, @PhilipSchmid)
docs: Warn on key rotations during upgrades (Backport PR #31496, Upstream PR #31437, @pchaigno)

Other Changes:

install: Update image digests for v1.13.13 (#31405, @thorn3r)
v1.13: IPsec Fixes (#31612, @pchaigno)

v1.14.9

1 month ago

We are pleased to release Cilium v1.14.9.

Security Advisories

This release addresses a security vulnerability. For more information, see https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

bgpv1: BGP Control Plane metrics (Backport PR #31569, Upstream PR #31469, @YutaroHayakawa)
cni: use default logger with timestamps. (Backport PR #31335, Upstream PR #31014, @tommyp1ckles)
Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (Backport PR #31335, Upstream PR #31159, @pchaigno)

Bugfixes:

[v1.14 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled (#31452, @mhofstetter)
Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31474, Upstream PR #31395, @tklauser)
gateway-api: Retrieve LB service from same namespace (Backport PR #31495, Upstream PR #31271, @sayboras)
Handle InvalidParameterValue as well for PD fallback (Backport PR #31495, Upstream PR #31016, @hemanthmalla)
helm: Update pod affinity for cilium-envoy (Backport PR #31495, Upstream PR #31150, @sayboras)
Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31569, Upstream PR #31211, @kaworu)
k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31474, Upstream PR #31421, @tklauser)

CI Changes:

[v1.14] test: Remove duplicate Cilium deployments in some datapath config tests (#31521, @qmonnet)
AKS: avoid overlapping pod and service CIDRs (Backport PR #31569, Upstream PR #31504, @bimmlerd)
Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #31192, Upstream PR #30916, @giorio94)
Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #31192, Upstream PR #31198, @giorio94)
ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #31495, Upstream PR #31387, @YutaroHayakawa)
ci: fix checking github.event.pull_request.head.sha (Backport PR #31495, Upstream PR #26775, @mhofstetter)
controlplane: fix mechanism for ensuring watchers (Backport PR #31542, Upstream PR #31030, @bimmlerd)
gha: checkout target branch in multi pool workflow (#31545, @giorio94)
gha: disable fail-fast on integration tests (Backport PR #31495, Upstream PR #31420, @giorio94)
gha: drop unused check_url environment variable (Backport PR #31192, Upstream PR #30928, @giorio94)
introduce ARM github workflows (Backport PR #31335, Upstream PR #31196, @aanm)
ipam: deepcopy interface resource correctly. (Backport PR #31495, Upstream PR #26998, @tommyp1ckles)
k8s_install.sh: specify the CNI version (Backport PR #31335, Upstream PR #31182, @aanm)
loader: fix issue where errors cancelled compile cause error logs. (Backport PR #31335, Upstream PR #30988, @tommyp1ckles)
Reduce flakiness of controlplane tests (Backport PR #31542, Upstream PR #30906, @bimmlerd)
slices: don't modify missed input slice in test (Backport PR #31495, Upstream PR #31119, @bimmlerd)

Misc Changes:

Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31335, Upstream PR #31015, @learnitall)
Address race condition in TestGetIdentity (Backport PR #31542, Upstream PR #30885, @bimmlerd)
bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR #31335, Upstream PR #31218, @YutaroHayakawa)
chore(deps): update all github action dependencies (v1.14) (#31483, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#31583, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.14) (#31465, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.14) (#31481, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (v1.14) (#31482, @renovate[bot])
cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31569, Upstream PR #31503, @mhofstetter)
doc: Clarified GwAPI KPR prerequisites (Backport PR #31495, Upstream PR #31366, @PhilipSchmid)
docs: Warn on key rotations during upgrades (Backport PR #31495, Upstream PR #31437, @pchaigno)
Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR #31335, Upstream PR #31179, @YutaroHayakawa)
ingress: Update docs with network policy example (Backport PR #31335, Upstream PR #31060, @sayboras)

Other Changes:

bgpv1: Disable PodCIDR Reconciler for unsupported IPAM modes (#31353, @YutaroHayakawa)
install: Update image digests for v1.14.8 (#31404, @thorn3r)
v1.14: IPsec Fixes (#31611, @pchaigno)

v1.15.3

1 month ago

We are pleased to release Cilium v1.15.3.

Security Advisories

This release addresses a security vulnerability. For more information, see https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

bgpv1: BGP Control Plane metrics (Backport PR #31568, Upstream PR #31469, @YutaroHayakawa)
cni: use default logger with timestamps. (Backport PR #31342, Upstream PR #31014, @tommyp1ckles)
Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (Backport PR #31342, Upstream PR #31159, @pchaigno)

Bugfixes:

[v1.15 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled (#31451, @mhofstetter)
cni: Use batch endpoint deletion API in chaining plugin (Backport PR #31515, Upstream PR #31456, @sayboras)
Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (Backport PR #31342, Upstream PR #31164, @joamaki)
Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31473, Upstream PR #31395, @tklauser)
Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31490, Upstream PR #31380, @marseel)
gateway-api: Retrieve LB service from same namespace (Backport PR #31490, Upstream PR #31271, @sayboras)
Handle InvalidParameterValue as well for PD fallback (Backport PR #31490, Upstream PR #31016, @hemanthmalla)
helm: Update pod affinity for cilium-envoy (Backport PR #31490, Upstream PR #31150, @sayboras)
hubble/relay: Fix certificate reloading in PeerManager (Backport PR #31568, Upstream PR #31376, @glrf)
Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31568, Upstream PR #31211, @kaworu)
k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31473, Upstream PR #31421, @tklauser)
metrics: Disable prometheus metrics by default (Backport PR #31342, Upstream PR #31144, @joestringer)
operator: fix errors/warnings metric. (Backport PR #31490, Upstream PR #31214, @tommyp1ckles)

CI Changes:

[v1.15] test: Remove duplicate Cilium deployments in some datapath config tests (#31520, @qmonnet)
Additionally test host firewall + KPR disabled in E2E tests (Backport PR #31342, Upstream PR #30914, @giorio94)
AKS: avoid overlapping pod and service CIDRs (Backport PR #31568, Upstream PR #31504, @bimmlerd)
bgpv1: avoid object tracker vs informer race (Backport PR #31490, Upstream PR #31010, @bimmlerd)
bgpv1: fix Test_PodIPPoolAdvert flakiness (Backport PR #31490, Upstream PR #31365, @rastislavs)
bpf: fix go testdata check in ci (Backport PR #31554, Upstream PR #31419, @mhofstetter)
Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #31191, Upstream PR #30916, @giorio94)
Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #31191, Upstream PR #31198, @giorio94)
ci-e2e: Add matrix for bpf.tproxy and ingress-controller (Backport PR #31490, Upstream PR #31272, @sayboras)
ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #31490, Upstream PR #31387, @YutaroHayakawa)
controlplane: fix mechanism for ensuring watchers (Backport PR #31490, Upstream PR #31030, @bimmlerd)
Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. (Backport PR #31342, Upstream PR #30610, @learnitall)
gateway-api: Enable GRPCRoute conformance tests (Backport PR #31342, Upstream PR #31055, @sayboras)
gha: disable fail-fast on integration tests (Backport PR #31490, Upstream PR #31420, @giorio94)
gha: drop unused check_url environment variable (Backport PR #31191, Upstream PR #30928, @giorio94)
introduce ARM github workflows (Backport PR #31342, Upstream PR #31196, @aanm)
ipam: deepcopy interface resource correctly. (Backport PR #31490, Upstream PR #26998, @tommyp1ckles)
k8s_install.sh: specify the CNI version (Backport PR #31342, Upstream PR #31182, @aanm)
loader: fix issue where errors cancelled compile cause error logs. (Backport PR #31342, Upstream PR #30988, @tommyp1ckles)
Reduce flakiness of controlplane tests (Backport PR #31490, Upstream PR #30906, @bimmlerd)
slices: don't modify missed input slice in test (Backport PR #31490, Upstream PR #31119, @bimmlerd)

Misc Changes:

Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31342, Upstream PR #31015, @learnitall)
Address race condition in TestGetIdentity (Backport PR #31541, Upstream PR #30885, @bimmlerd)
bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR #31342, Upstream PR #31218, @YutaroHayakawa)
chore(deps): update all github action dependencies (v1.15) (#31480, @renovate[bot])
chore(deps): update all github action dependencies (v1.15) (#31582, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.15) (#31464, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.15) (#31450, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (v1.15) (#31453, @renovate[bot])
chore: update json-mock image source in examples (Backport PR #31568, Upstream PR #31373, @loomkoom)
cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31568, Upstream PR #31503, @mhofstetter)
datapath, bpf: Remove unnecessary IPsec code (Backport PR #31490, Upstream PR #31344, @pchaigno)
doc: Clarified GwAPI KPR prerequisites (Backport PR #31490, Upstream PR #31366, @PhilipSchmid)
docs: Warn on key rotations during upgrades (Backport PR #31490, Upstream PR #31437, @pchaigno)
Don't emit an error message on namespace termination due to Ingress reconciliation (Backport PR #31342, Upstream PR #30808, @giorio94)
Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR #31342, Upstream PR #31179, @YutaroHayakawa)
endpointmanager: Improve health reporter messages when stopped (Backport PR #31342, Upstream PR #31231, @christarazi)
hive/cell/health: don't warn when reporting on stopped reporter. (Backport PR #31490, Upstream PR #31262, @tommyp1ckles)
ingress: Update docs with network policy example (Backport PR #31342, Upstream PR #31060, @sayboras)
job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (Backport PR #31490, Upstream PR #30929, @bimmlerd)
loader: add message if error is ENOTSUP (Backport PR #31490, Upstream PR #31413, @kkourt)
policy: Fix missing labels from SelectorCache selectors (Backport PR #31490, Upstream PR #31358, @christarazi)
Replaced declare_tailcall_if with logic in the loader (Backport PR #31554, Upstream PR #30467, @dylandreimerink)

Other Changes:

install: Update image digests for v1.15.2 (#31378, @jrajahalme)
v1.15: IPsec Fixes (#31610, @pchaigno)

v1.13.13

2 months ago

We are pleased to release Cilium v1.13.13.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Bugfixes:

Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #31161, Upstream PR #29530, @jschwinger233)
Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31161, Upstream PR #29594, @jschwinger233)
Fixes proxy issues in egress direction (Backport PR #31161, Upstream PR #30095, @jschwinger233)

CI Changes:

ci/ipsec: Fix downgrade version retrieval (Backport PR #31049, Upstream PR #30742, @qmonnet)
ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30865, Upstream PR #30790, @brlbil)
CI: Update tested K8S versions across all cloud providers (Backport PR #30865, Upstream PR #30795, @brlbil)
Fix datapath mode in Network Performance CI test (Backport PR #30865, Upstream PR #30756, @marseel)
k8s_install.sh: specify the CNI version (Backport PR #31246, Upstream PR #31182, @aanm)
workflows: Clean IPsec test output (Backport PR #30801, Upstream PR #30759, @pchaigno)

Misc Changes:

bpf: host: skip from-proxy handling in from-netdev (Backport PR #31161, Upstream PR #29962, @julianwiedmann)
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #31161, Upstream PR #29721, @julianwiedmann)
bugtool: Capture memory fragmentation info from /proc (Backport PR #31157, Upstream PR #30966, @pchaigno)
Bump google.golang.org/protobuf (v1.13) (#31312, @ferozsalam)
Change ariane config CODEOWNERS (Backport PR #30865, Upstream PR #30803, @brlbil)
chore(deps): update all github action dependencies (v1.13) (#30957, @renovate[bot])
chore(deps): update all github action dependencies (v1.13) (#31115, @renovate[bot])
chore(deps): update all github action dependencies (v1.13) (#31298, @renovate[bot])
chore(deps): update all github action dependencies to v4 (v1.13) (major) (#30783, @renovate[bot])
chore(deps): update all-dependencies (v1.13) (#30955, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.13) (#31295, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.13) (#30737, @renovate[bot])
chore(deps): update go to v1.21.7 (v1.13) (#30956, @renovate[bot])
chore(deps): update go to v1.21.8 (v1.13) (#31185, @renovate[bot])
chore(deps): update hubble cli to v0.13.2 (v1.13) (#31340, @renovate[bot])
chore(deps): update kindest/node docker tag to v1.27.11 (v1.13) (#31141, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.13) (#30982, @renovate[bot])
chore(deps): update stable lvh-images (v1.13) (patch) (#30812, @renovate[bot])
chore(deps): update stable lvh-images (v1.13) (patch) (#31142, @renovate[bot])
chore(deps): update stable lvh-images (v1.13) (patch) (#31296, @renovate[bot])
docs: Document XfrmInStateInvalid errors (Backport PR #30801, Upstream PR #30151, @pchaigno)
docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31157, Upstream PR #30462, @saintdle)
images: bump cni plugins to v1.4.1 (#31350, @aanm)
pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #31161, Upstream PR #29761, @julianwiedmann)

Other Changes:

[v1.13] envoy: Bump golang version to 1.21.8 (#31223, @sayboras)
install: Update image digests for v1.13.12 (#30753, @michi-covalent)

v1.14.8

2 months ago

We are pleased to release Cilium v1.14.8.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories for details.

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Minor Changes:

Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30835, Upstream PR #28723, @julianwiedmann)
Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31337, Upstream PR #31205, @squeed)

Bugfixes:

endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #31000, Upstream PR #30170, @oblazek)
Fix bug prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR #31048, Upstream PR #30909, @aanm)
Fixes an IPv6 issue that cilium doesn't respond to Neighbor Solicitation targeting the pods on same node. (Backport PR #31186, Upstream PR #30837, @jschwinger233)
Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #31160, Upstream PR #29530, @jschwinger233)
Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31160, Upstream PR #29594, @jschwinger233)
Fixes proxy issues in egress direction (Backport PR #31160, Upstream PR #30095, @jschwinger233)
helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #31000, Upstream PR #30970, @iandrewt)
Policy revert used in rare error cases has been corrected. (Backport PR #30882, Upstream PR #29162, @jrajahalme)
srv6: Fix packet drop with GSO type mismatch (Backport PR #30800, Upstream PR #30732, @YutaroHayakawa)
xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31156, Upstream PR #31061, @sayboras)

CI Changes:

Align again conformance clustermesh matrix entries with main as the interoperability issue has been fixed (#30912, @giorio94)
ci-e2e: restore 6.1 kernels (#30862, @lmb)
ci/ipsec: Fix downgrade version retrieval (Backport PR #31048, Upstream PR #30742, @qmonnet)
ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30864, Upstream PR #30790, @brlbil)
CI: Update tested K8S versions across all cloud providers (Backport PR #30864, Upstream PR #30795, @brlbil)
Fix datapath mode in Network Performance CI test (Backport PR #30864, Upstream PR #30756, @marseel)
workflows: Clean IPsec test output (Backport PR #30800, Upstream PR #30759, @pchaigno)

Misc Changes:

bgpv1: Remove disruptive error handling from BGPRouterManager (#30765, @YutaroHayakawa)
bgpv1: Remove or downgrade noisy logs (Backport PR #31000, Upstream PR #30868, @YutaroHayakawa)
bitlpm: Factor out common code (Backport PR #31156, Upstream PR #31026, @jrajahalme)
bpf: host: optimize from-host's ICMPv6 path (Backport PR #31186, Upstream PR #31127, @julianwiedmann)
bpf: host: skip from-proxy handling in from-netdev (Backport PR #31160, Upstream PR #29962, @julianwiedmann)
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #31160, Upstream PR #29721, @julianwiedmann)
bpf: minor ICMPv6 improvements (Backport PR #31186, Upstream PR #26563, @julianwiedmann)
bugtool: Capture memory fragmentation info from /proc (Backport PR #31156, Upstream PR #30966, @pchaigno)
Bump google.golang.org/protobuf (v1.14) (#31314, @ferozsalam)
chore(deps): update actions/download-artifact action to v4.1.3 (v1.14) (#30989, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#30954, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#31114, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#31294, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#31136, @renovate[bot])
chore(deps): update all github action dependencies to v4 (v1.14) (major) (#30782, @renovate[bot])
chore(deps): update all-dependencies (v1.14) (#30952, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.14) (#30861, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.0 (v1.14) (#31173, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.14) (#31291, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.14) (#30739, @renovate[bot])
chore(deps): update go to v1.21.7 (v1.14) (#30953, @renovate[bot])
chore(deps): update go to v1.21.8 (v1.14) (#31184, @renovate[bot])
chore(deps): update hubble cli to v0.13.2 (v1.14) (#31339, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.14) (#30979, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#30653, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#31137, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#31293, @renovate[bot])
container/bitlpm: Add Lookup Boolean Return Value (Backport PR #31156, Upstream PR #31037, @nathanjsweet)
docs: Document XfrmInStateInvalid errors (Backport PR #30800, Upstream PR #30151, @pchaigno)
docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31156, Upstream PR #30462, @saintdle)
identity/cache: only call SortedList for release (Backport PR #30864, Upstream PR #27796, @bimmlerd)
images: bump cni plugins to v1.4.1 (#31349, @aanm)
lbipam: copy slice before modification in (*LBIPAM).handlePoolModified (Backport PR #31000, Upstream PR #30859, @tklauser)
loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (Backport PR #31156, Upstream PR #31025, @julianwiedmann)
pkg: Add Bitwise LPM Trie Library (Backport PR #30864, Upstream PR #29717, @nathanjsweet)
pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #31160, Upstream PR #29761, @julianwiedmann)
slices: don't modify input slices in test (Backport PR #31000, Upstream PR #30677, @tklauser)

Other Changes:

[v1.14] bpf: nodeport: add missing ifindex in NAT trace event (#31022, @julianwiedmann)
[v1.14] envoy: Bump golang version to 1.21.8 (#31222, @sayboras)
[v1.14] iptables: Read CNI chaining mode from CNI config manager (#31265, @pippolo84)
cli: Replace --cluster-name with --helm-set cluster.name (#31177, @michi-covalent)
install: Update image digests for v1.14.7 (#30752, @michi-covalent)
Upgrade GoBGP to v3.23.0 and backport #28293 (#30793, @YutaroHayakawa)
v1.14: WG L7 (#31267, @brb)