Cilium Versions

eBPF-based Networking, Security, and Observability

v1.13.12

2 months ago

We are pleased to release Cilium v1.13.12. This release contains various bug fixes and performance / usability improvements.

Summary of Changes

Minor Changes:

  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30386, Upstream PR #30167, @viktor-kurchenko)
  • helm: Add extraVolumeMounts to cilium config init container (Backport PR #30386, Upstream PR #30131, @ayuspin)
  • ui: release v0.13.0 (Backport PR #30723, Upstream PR #30711, @geakstr)

Bugfixes:

  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (Backport PR #30315, Upstream PR #29482, @ti-mo)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30315, Upstream PR #30248, @ti-mo)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30522, Upstream PR #30399, @tlcowling)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30679, Upstream PR #30536, @hemanthmalla)

CI Changes:

  • [v1.13] backport Go version check fixes in preparation for Go 1.21 update (#30417, @tklauser)
  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30522, Upstream PR #30503, @qmonnet)
  • ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30679, Upstream PR #30525, @tklauser)
  • CI: Change cloud regions (Backport PR #30679, Upstream PR #30378, @brlbil)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30386, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30679, Upstream PR #30496, @giorio94)
  • Network performance (Backport PR #30679, Upstream PR #30247, @marseel)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30386, Upstream PR #30207, @giorio94)
  • Update GitHub upload-artifact action (Backport PR #30522, Upstream PR #30443, @brlbil)

Misc Changes:

  • Added Last page Edit on Documentation (Backport PR #30679, Upstream PR #30612, @gailsuccess)
  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30522, Upstream PR #30410, @julianwiedmann)
  • build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30522, Upstream PR #30219, @dependabot[bot])
  • chore(deps): update go to v1.20.13 (v1.13) (patch) (#30186, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.13) (minor) (#29817, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.13) (minor) (#30275, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.13) (patch) (#30493, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30386, Upstream PR #28286, @tamilmani1989)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30522, Upstream PR #30403, @f1ko)
  • hubble-ui: release v0.12.3 (Backport PR #30522, Upstream PR #30422, @geakstr)
  • loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30315, Upstream PR #30214, @ti-mo)

Other Changes:

  • [1.13] Ignore ct buffer drops on minor release downgrades only (#30270, @rgo3)
  • [v1.13] ci/ipsec: Fix downgrade version for release preparation commits (#30715, @qmonnet)
  • [v1.13] ci/ipsec: Re-enable node-to-node-encryption check (#30402, @qmonnet)
  • [v1.13] pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode (#30120, @antonipp)
  • bpf: l3: fix-up kube-proxy workaround in l3_local_delivery() to bpf_overlay (#30313, @julianwiedmann)
  • envoy: Bump envoy version for x/net library (#30516, @sayboras)
  • envoy: Bump envoy version to v1.26.7 (#30694, @sayboras)
  • install: Update image digests for v1.13.11 (#30317, @gentoo-root)

v1.14.7

2 months ago

We are pleased to release Cilium v1.14.7. This release contains various bug fixes and performance / usability improvements, including a fix for a performance regression affecting pod-to-pod traffic with WireGuard and tunneling (https://github.com/cilium/cilium/pull/30329).

Summary of Changes

Minor Changes:

  • api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30554, Upstream PR #30167, @viktor-kurchenko)
  • Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30355, Upstream PR #30126, @youngnick)
  • helm: Add extraVolumeMounts to cilium config init container (Backport PR #30355, Upstream PR #30131, @ayuspin)
  • ui: release v0.13.0 (Backport PR #30724, Upstream PR #30711, @geakstr)

Bugfixes:

  • envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30680, Upstream PR #30543, @chaunceyjiang)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30323, Upstream PR #30248, @ti-mo)
  • Fix cilium-envoy ServiceMonitor port name (Backport PR #30554, Upstream PR #27207, @pixiono)
  • Fix error when using multiple allowRoutes namespaces in gateway (#30551, @mhofstetter)
  • Fix error when using multiple allowRoutes namespaces in gateway (Backport PR #30554, Upstream PR #30100, @chaunceyjiang)
  • Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #30355, Upstream PR #29460, @tommyp1ckles)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30554, Upstream PR #30399, @tlcowling)
  • Fix performance regression for pod-to-pod traffic with WireGuard and tunneling. (Backport PR #30554, Upstream PR #30329, @3u13r)
  • Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #30554, Upstream PR #30282, @giorio94)
  • hive: Fix start hook log output (Backport PR #30724, Upstream PR #30712, @joamaki)
  • init well-known identity before new policy repository to fix the fqdn policy issue when well-known identity is enabled. (Backport PR #30554, Upstream PR #30052, @yingnanzhang666)
  • L2 announcements retry getting lease after losing it (Backport PR #30355, Upstream PR #30340, @dylandreimerink)
  • node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #30534, Upstream PR #30423, @gandro)
  • Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30680, Upstream PR #30536, @hemanthmalla)

CI Changes:

  • ci datapath-verifier: add connectivity test (Backport PR #30371, Upstream PR #29633, @mhofstetter)
  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30554, Upstream PR #30503, @qmonnet)
  • ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30680, Upstream PR #30525, @tklauser)
  • ci: Bump timeout of ci-runtime (Backport PR #30554, Upstream PR #29317, @YutaroHayakawa)
  • ci: bypass proxy.golang.org in Go toolchain installation (Backport PR #30371, Upstream PR #29549, @tklauser)
  • CI: Change cloud regions (Backport PR #30680, Upstream PR #30378, @brlbil)
  • ci: disable cgo when installing Go toolchain (Backport PR #30371, Upstream PR #27869, @tklauser)
  • ci: run verifier tests with proper Go toolchain version (Backport PR #30371, Upstream PR #27857, @tklauser)
  • Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR #30355, Upstream PR #29983, @giorio94)
  • gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR #30680, Upstream PR #30520, @julianwiedmann)
  • gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR #30680, Upstream PR #30321, @giorio94)
  • gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30355, Upstream PR #30335, @giorio94)
  • gha: make runner type for clustermesh workflows configurable (Backport PR #30680, Upstream PR #30496, @giorio94)
  • Improve Conformance Cluster Mesh workflow coverage (Backport PR #30355, Upstream PR #29926, @giorio94)
  • Network performance (Backport PR #30554, Upstream PR #30247, @marseel)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30355, Upstream PR #30207, @giorio94)
  • Update GitHub upload-artifact action (Backport PR #30554, Upstream PR #30443, @brlbil)

Misc Changes:

  • Added Last page Edit on Documentation (Backport PR #30680, Upstream PR #30612, @gailsuccess)
  • bpf: fib: fix issues with L2 resolution (Backport PR #30372, Upstream PR #30128, @julianwiedmann)
  • bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30554, Upstream PR #30410, @julianwiedmann)
  • bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR #30355, Upstream PR #30343, @julianwiedmann)
  • build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30554, Upstream PR #30219, @dependabot[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.14) (#30144, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.14) (#30571, @renovate[bot])
  • chore(deps): update dependency go to v1.21.6 (v1.14) (#30174, @renovate[bot])
  • chore(deps): update dependency go to v1.21.6 (v1.14) (#30640, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.6 (v1.14) (#30641, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.14) (minor) (#30145, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (v1.14) (minor) (#30274, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.14) (patch) (#30492, @renovate[bot])
  • chore(deps): update stable lvh-images (v1.14) (patch) (#30575, @renovate[bot])
  • doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30355, Upstream PR #28286, @tamilmani1989)
  • docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (Backport PR #30554, Upstream PR #30236, @soggiest)
  • docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30554, Upstream PR #30403, @f1ko)
  • hive: Fix hive hook output and move lifecycle to cell package (Backport PR #30554, Upstream PR #30416, @joamaki)
  • hubble-ui: release v0.12.3 (Backport PR #30554, Upstream PR #30422, @geakstr)
  • ipcache: Skip conflict logging for tunnelpeer if native routing (Backport PR #30355, Upstream PR #27331, @christarazi)
  • loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30323, Upstream PR #30214, @ti-mo)
  • Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR #30680, Upstream PR #30154, @ldelossa)
  • Rerun go mod tidy to fix missing entry (#30358, @giorio94)

Other Changes:

  • [v1.14] ci/ipsec: Fix downgrade version for release preparation commits (#30716, @qmonnet)
  • [v1.14] ci/ipsec: Re-enable node-to-node-encryption check (#30401, @qmonnet)
  • envoy: Bump envoy version for x/net library (#30515, @sayboras)
  • envoy: Bump envoy version to v1.26.7 (#30693, @sayboras)
  • install: Update image digests for v1.14.6 (#30318, @gentoo-root)
  • remove stable tags from 1.14 releases (#30557, @aanm)

v1.15.0

2 months ago

v1.14.6

3 months ago

We are pleased to release Cilium v1.14.6.

This release includes various bug fixes and performance enhancements. The number of trace events is reduced when monitor aggregation is enabled, which improves pod-to-pod performance with tunneling and IPsec. An inconsistency in the node manager that led to incorrect masquerading of traffic to node internal IP addresses is fixed. Other fixes cover mTLS, the DNS proxy, the datapath, and more.

Summary of Changes

Minor Changes:

  • Add Proxy l7 metrics proxy_type label and Cleanup (Backport PR #29703, Upstream PR #27863, @tommyp1ckles)
  • Reduce "stale identity observed" warnings (Backport PR #29863, Upstream PR #27894, @leblowl)

Bugfixes:

  • [1.14] ingress: fix ingress class reconciliation (#29810, @mhofstetter)
  • Add default toleration for SPIRE agent on control plane nodes (Backport PR #30198, Upstream PR #28947, @meyskens)
  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30213, Upstream PR #29239, @jrajahalme)
  • cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #29996, Upstream PR #29809, @marseel)
  • Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #30265, Upstream PR #29400, @meyskens)
  • Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #30221, Upstream PR #29986, @qmonnet)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPsec are both enabled. (Backport PR #29996, Upstream PR #29616, @learnitall)
  • Fix cleanup of AWS-related leftover iptables chains (Backport PR #29863, Upstream PR #29448, @giorio94)
  • helm: Fix envoy servicemonitor annotations (Backport PR #30198, Upstream PR #30017, @pmcgrath)
  • metrics: fix issue where logging err/warn metric is never updated. (Backport PR #29863, Upstream PR #29201, @tommyp1ckles)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29972, Upstream PR #29964, @gandro)
  • policy: Fix mapstate changes error in entry change comparison (Backport PR #29996, Upstream PR #29815, @jrajahalme)
  • Remove non fatal errors from SPIRE client in the operator (Backport PR #30265, Upstream PR #28698, @meyskens)
  • Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30080, Upstream PR #29848, @joamaki)

CI Changes:

  • bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #30198, Upstream PR #29999, @julianwiedmann)
  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29703, Upstream PR #29653, @brb)
  • ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR #29966, Upstream PR #29514, @brb)
  • ci/ipsec: Skip waiting for images when skipping upgrade/downgrade (Backport PR #29966, Upstream PR #29793, @qmonnet)
  • ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR #29863, Upstream PR #29455, @mhofstetter)
  • ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29863, Upstream PR #29694, @mhofstetter)
  • ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (Backport PR #29863, Upstream PR #29502, @mhofstetter)
  • ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (Backport PR #30198, Upstream PR #29528, @mhofstetter)
  • Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR #30198, Upstream PR #29893, @giorio94)
  • datapath: Cover subnet encryption in XFRM leak test (Backport PR #30080, Upstream PR #27212, @pchaigno)
  • datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30080, Upstream PR #27274, @brb)
  • Fix collecting of verifier logs in ci-verifier (Backport PR #29863, Upstream PR #29752, @lmb)
  • gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR #29966, Upstream PR #29485, @brb)
  • gha: add step to ensure presence/absence of the AWS iptables chains (Backport PR #29863, Upstream PR #29670, @giorio94)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29863, Upstream PR #29675, @giorio94)
  • node: Integration test for XFRM leaks on node churn (Backport PR #30080, Upstream PR #27187, @pchaigno)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30265, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30080, Upstream PR #29934, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (Backport PR #29703, Upstream PR #29623, @pchaigno)
  • workflows: move cilium_cli_version definition to set-env-variables action (Backport PR #30198, Upstream PR #29237, @jibi)

Misc Changes:

  • bgpv1: set running flag in manager (Backport PR #30080, Upstream PR #30013, @harsimran-pabla)
  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #29996, Upstream PR #29880, @julianwiedmann)
  • chore(deps): update all github action dependencies to v5 (v1.14) (major) (#29784, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29781, @renovate[bot])
  • chore(deps): update github/codeql-action action to v2.22.9 (v1.14) (#29783, @renovate[bot])
  • doc: Update recommended way for installing cilium on AKS (Backport PR #30198, Upstream PR #28910, @tamilmani1989)
  • docs: fix chained veth plugin example (Backport PR #30265, Upstream PR #30209, @squeed)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30080, Upstream PR #30000, @brb)
  • Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29829, Upstream PR #29495, @learnitall)
  • Fix cilium-envoy ServiceMonitor template typo (Backport PR #30198, Upstream PR #29976, @cornfeedhobo)
  • Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR #29919, Upstream PR #29896, @giorio94)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30198, Upstream PR #29971, @renovate[bot])
  • fix: remove help message in build config failure (Backport PR #30265, Upstream PR #28974, @vipul-21)
  • Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR #30080, Upstream PR #29674, @giorio94)
  • hubble: Reduce "stale identities observed" debug messages even more (Backport PR #29996, Upstream PR #29957, @gandro)
  • k8s: Bump CRD schema version to 1.27.x (#29908, @joestringer)
  • Modularize iptables manager (Backport PR #30221, Upstream PR #28746, @pippolo84)
  • resource: Fix flaky TestResource_RepeatedDelete (Backport PR #29996, Upstream PR #28588, @joamaki)
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29868, Upstream PR #29801, @jrfastab)

Other Changes:

  • [1.14] loader: fix obsolete XDP program removal (#30229, @rgo3)
  • [v1.14] ci: In conn-disrupt-test action, disable node-to-node-encryption check (#29742, @qmonnet)
  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30204, @ti-mo)
  • bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command & integrate it in the bugtool (#30205, @rastislavs)
  • install: Update image digests for v1.14.5 (#29806, @nebril)
  • v1.14: update dependency cilium/cilium-cli to v0.15.19 (#30135, @pchaigno)

v1.13.11

3 months ago

We are pleased to release Cilium v1.13.11.

This release includes various bug fixes and performance enhancements. The number of trace events is reduced when monitor aggregation is enabled, which improves pod-to-pod performance with tunneling and IPsec. Other fixes cover the DNS proxy, the datapath, and more.

Summary of Changes

Minor Changes:

  • Reduce "stale identity observed" warnings (Backport PR #29997, Upstream PR #27894, @leblowl)

Bugfixes:

  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30216, Upstream PR #29239, @jrajahalme)
  • cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #29997, Upstream PR #29809, @marseel)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPsec are both enabled. (Backport PR #29997, Upstream PR #29616, @learnitall)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #30182, Upstream PR #29310, @julianwiedmann)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29974, Upstream PR #29964, @gandro)
  • Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport PR #30182, Upstream PR #27908, @julianwiedmann)

CI Changes:

  • Add secondary iface to KIND network (Backport PR #30010, Upstream PR #26338, @ysksuzuki)
  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29702, Upstream PR #29653, @brb)
  • ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR #30010, Upstream PR #29514, @brb)
  • ci/ipsec: Skip waiting for images when skipping upgrade/downgrade (Backport PR #30010, Upstream PR #29793, @qmonnet)
  • ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR #29847, Upstream PR #29455, @mhofstetter)
  • ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29847, Upstream PR #29694, @mhofstetter)
  • datapath: Cover subnet encryption in XFRM leak test (Backport PR #30081, Upstream PR #27212, @pchaigno)
  • datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30081, Upstream PR #27274, @brb)
  • gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR #30010, Upstream PR #29485, @brb)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29847, Upstream PR #29675, @giorio94)
  • node: Integration test for XFRM leaks on node churn (Backport PR #30081, Upstream PR #27187, @pchaigno)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30267, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30081, Upstream PR #29934, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (Backport PR #29702, Upstream PR #29623, @pchaigno)

Misc Changes:

  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #29997, Upstream PR #29880, @julianwiedmann)
  • chore(deps): update all github action dependencies (v1.13) (patch) (#29850, @renovate[bot])
  • chore(deps): update go (v1.13) (patch) (#30143, @renovate[bot])
  • doc: Update recommended way for installing cilium on AKS (Backport PR #30182, Upstream PR #28910, @tamilmani1989)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30081, Upstream PR #30000, @brb)
  • Fix kind.sh development scripts on MacOS (Backport PR #30010, Upstream PR #25317, @chancez)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30182, Upstream PR #29971, @renovate[bot])
  • hubble: Reduce "stale identities observed" debug messages even more (Backport PR #29997, Upstream PR #29957, @gandro)
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29869, Upstream PR #29801, @jrfastab)

Other Changes:

  • [1.13] Ignore packet drops of type Failed to update or lookup TC buffer (#30249, @rgo3)
  • [1.13] loader: fix obsolete XDP program removal (#30231, @rgo3)
  • [v1.13] ci: In conn-disrupt-test action, disable node-to-node-encryption check (#29741, @qmonnet)
  • [v1.13] go.mod: bump Go to 1.20 (#29818, @tklauser)
  • [v1.13] node: Fix IP removal from ipset on node updates (#29898, @qmonnet)
  • install: Update image digests for v1.13.10 (#29807, @nebril)
  • v1.13: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#30137, @pchaigno)
  • v1.13: update dependency cilium/cilium-cli to v0.15.19 (#30136, @pchaigno)

v1.12.18

3 months ago

We are pleased to release Cilium v1.12.18.

This release includes various bug fixes and performance enhancements. The number of trace events is reduced when monitor aggregation is enabled, which improves pod-to-pod performance with tunneling and IPsec. Other fixes cover the DNS proxy, the datapath, and more.

Summary of Changes

Minor Changes:

  • Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (Backport PR #30004, Upstream PR #22384, @shaardie)

Bugfixes:

  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30217, Upstream PR #29239, @jrajahalme)
  • cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #30004, Upstream PR #29809, @marseel)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPsec are both enabled. (Backport PR #30004, Upstream PR #29616, @learnitall)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #30181, Upstream PR #29310, @julianwiedmann)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29979, Upstream PR #29964, @gandro)

CI Changes:

  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29701, Upstream PR #29653, @brb)
  • ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29842, Upstream PR #29694, @mhofstetter)
  • datapath: Cover subnet encryption in XFRM leak test (Backport PR #30082, Upstream PR #27212, @pchaigno)
  • datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30082, Upstream PR #27274, @brb)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29842, Upstream PR #29675, @giorio94)
  • node: Integration test for XFRM leaks on node churn (Backport PR #30082, Upstream PR #27187, @pchaigno)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30268, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30082, Upstream PR #29934, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (Backport PR #29701, Upstream PR #29623, @pchaigno)

Misc Changes:

  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30004, Upstream PR #29880, @julianwiedmann)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30082, Upstream PR #30000, @brb)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30181, Upstream PR #29971, @renovate[bot])
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29871, Upstream PR #29801, @jrfastab)

Other Changes:

  • install: Update image digests for v1.12.17 (#29808, @nebril)
  • v1.12: Ignore packet drops of type Failed to update or lookup TC buffer (#30202, @pchaigno)
  • v1.12: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#30147, @pchaigno)
  • v1.12: update dependency cilium/cilium-cli to v0.15.19 (#30146, @pchaigno)
  • v1.12: workflow/ipsec-e2e: bump CLI to v0.15.19 (#30239, @pchaigno)

v1.15.0-rc.1

3 months ago

Summary of Changes

Minor Changes:

  • bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport PR #30230, Upstream PR #30033, @rastislavs)
  • cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR #30264, Upstream PR #29963, @joamaki)

Bugfixes:

  • Add default toleration for SPIRE agent on control plane nodes (Backport PR #30230, Upstream PR #28947, @meyskens)
  • Avoid panic during BPF program compilation when clang command fails to start (Backport PR #30264, Upstream PR #30009, @ti-mo)
  • bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport PR #30079, Upstream PR #29954, @rastislavs)
  • bpf: fix wrong loopback address mask value (Backport PR #30230, Upstream PR #29946, @haiyuewa)
  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30212, Upstream PR #29239, @jrajahalme)
  • daemon: Fail init if requirements for BPF masquerade are not met (Backport PR #30230, Upstream PR #29778, @pippolo84)
  • Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #30230, Upstream PR #29400, @meyskens)
  • Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport PR #30230, Upstream PR #29917, @bimmlerd)
  • Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #30230, Upstream PR #29986, @qmonnet)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPsec are both enabled. (Backport PR #30079, Upstream PR #29616, @learnitall)
  • Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport PR #30230, Upstream PR #29745, @thorn3r)
  • Fix instances of leaked health reporter updates. (Backport PR #30230, Upstream PR #30134, @tommyp1ckles)
  • gateway-api: fix status reconcile error handling (Backport PR #30230, Upstream PR #29894, @mhofstetter)
  • gateway-api: Requeue Gateway for owning GRPCRoute (Backport PR #30230, Upstream PR #30124, @sayboras)
  • gateway: Add GRPCRoute support for status changed predicate (Backport PR #30230, Upstream PR #30176, @sayboras)
  • helm: Fix envoy servicemonitor annotations (Backport PR #30230, Upstream PR #30017, @pmcgrath)
  • l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport PR #30264, Upstream PR #30107, @mhofstetter)
  • maps/metricspath: protect against concurrent access in Collect (Backport PR #30230, Upstream PR #30104, @buroa)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29973, Upstream PR #29964, @gandro)
  • policy: Fix mapstate changes error in entry change comparison (Backport PR #30079, Upstream PR #29815, @jrajahalme)
  • Remove non fatal errors from SPIRE client in the operator (Backport PR #30230, Upstream PR #28698, @meyskens)
  • Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30079, Upstream PR #29848, @joamaki)

CI Changes:

  • bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #30230, Upstream PR #29999, @julianwiedmann)
  • ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (Backport PR #30264, Upstream PR #30211, @qmonnet)
  • ci: Add a call to the update label backport action (Backport PR #30264, Upstream PR #29902, @joestringer)
  • Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR #30230, Upstream PR #29893, @giorio94)
  • identity: deflake test TestGetIdentity (Backport PR #30079, Upstream PR #29720, @mhofstetter)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30230, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30079, Upstream PR #29934, @pchaigno)

Misc Changes:

  • [v1.15] docs: add deprecation notice for enable-remote-node-identity for v1.15 (#30208, @tklauser)
  • bgpv1: set running flag in manager (Backport PR #30079, Upstream PR #30013, @harsimran-pabla)
  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30079, Upstream PR #29880, @julianwiedmann)
  • chore(deps): update actions/setup-go action to v5 (v1.15) (#30142, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.15) (patch) (#30225, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.19 (main) (Backport PR #30230, Upstream PR #29942, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.19 (v1.15) (#30141, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.15) (#30201, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.6 docker digest to 6fbd2d3 (v1.15) (#30050, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.15) (patch) (#30173, @renovate[bot])
  • doc: Update recommended way for installing cilium on AKS (Backport PR #30230, Upstream PR #28910, @tamilmani1989)
  • docs: Document renovate testing strategy (Backport PR #30230, Upstream PR #30166, @joestringer)
  • docs: fix chained veth plugin example (Backport PR #30230, Upstream PR #30209, @squeed)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30079, Upstream PR #30000, @brb)
  • docs: Update Gateway API version in example (Backport PR #30230, Upstream PR #30115, @sayboras)
  • endpoint: Use resolved named port also in the proxy stats (Backport PR #30079, Upstream PR #29813, @jrajahalme)
  • Fix cilium-envoy ServiceMonitor template typo (Backport PR #30230, Upstream PR #29976, @cornfeedhobo)
  • Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR #30079, Upstream PR #29896, @giorio94)
  • Fix regression causing a 10x increase in the duration of endpoint integration tests (Backport PR #30079, Upstream PR #29826, @giorio94)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30230, Upstream PR #29971, @renovate[bot])
  • fix: remove help message in build config failure (Backport PR #30230, Upstream PR #28974, @vipul-21)
  • fqdn: serialize requests per-name (Backport PR #30230, Upstream PR #30109, @squeed)
  • fqdn: skip ipcache insertion for names without fqdn selectors (Backport PR #30230, Upstream PR #30110, @squeed)
  • Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR #30079, Upstream PR #29674, @giorio94)
  • hubble: Reduce "stale identities observed" debug messages even more (Backport PR #30079, Upstream PR #29957, @gandro)
  • identity: stop double-update of selector cache and regenerate when a local identity is allocated (Backport PR #30079, Upstream PR #29865, @squeed)
  • k8s/slim: Clarify instructions for updating slim files (Backport PR #30230, Upstream PR #29877, @christarazi)
  • labels: small optimization in NewFrom and various cleanups (Backport PR #30230, Upstream PR #30006, @tklauser)
  • metrics: revert changes to pre-init kubernetes events metrics + improve metric logs (Backport PR #30079, Upstream PR #29343, @tommyp1ckles)
  • Modularize stale endpoint gc in an independent cell (Backport PR #30079, Upstream PR #29246, @pippolo84)
  • policy: expand "world" entity selector to select all address families (Backport PR #29961, Upstream PR #29958, @squeed)
  • policy: Fix MapState.Equals() (Backport PR #30264, Upstream PR #30233, @jrajahalme)
  • updated docs to reflect Envoy as a DS option (Backport PR #30230, Upstream PR #29518, @nvibert)
  • Use Resource[T] to implement CEP and CES watchers (Backport PR #30230, Upstream PR #29249, @pippolo84)

Other Changes:

  • [1.15] loader: fix obsolete XDP program removal (#30224, @rgo3)
  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30203, @ti-mo)
  • install: Update image digests for v1.15.0-rc.0 (#29906, @joestringer)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0-rc.1@sha256:53e4473bc10a04ffe86e8de5b3e2b5cce6a72954b29ae50f329753820f46261b

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0-rc.1@sha256:dede7d9d56156f284d0a993e18b3a97901aa19b8ea63898b0c26cda46f0593fb

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0-rc.1@sha256:3993c08f20bfb441223122f80a94fc5f940119cc70226ca279888673ae0ff3f7

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0-rc.1@sha256:137fc854260d59127d10234ec8ed2c389382bdd0c62911398e083cd7d0cdabec

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0-rc.1@sha256:ddefe38b20d9f352685b486897a77787202b9f855d0679496792864c4fa59500

operator-aws

quay.io/cilium/operator-aws:v1.15.0-rc.1@sha256:7d4b7b931d15a14048cbcdf4ff9fdd432dbc03d12128e5c0e12d215631cade28

operator-azure

quay.io/cilium/operator-azure:v1.15.0-rc.1@sha256:fcffa96ffcd271419933b127cfccd51c45a3d5ecbc92858f505a2b4e2d84c0f7

operator-generic

quay.io/cilium/operator-generic:v1.15.0-rc.1@sha256:a85e9ce2ca1c337050f4a2eab60255aaaeb386415de8a3810298a4a88dedf7b8

operator

quay.io/cilium/operator:v1.15.0-rc.1@sha256:c7f989c98b0be42a993d5ad425f1346d1f7d671edcc502b88ecd20a979d8db33

v1.15.0-rc.0

3 months ago

Summary of Changes

Minor Changes:

  • gateway-api: Update API version for Reference Grant (#29811, @sayboras)
  • helm: Add missing SA automount configuration (#29511, @ayuspin)
  • helm: Added support for existing Cilium SPIRE NS (#29032, @PhilipSchmid)
  • helm: Allow setting resources for the agent init containers (#29610, @ayuspin)

Bugfixes:

  • cilium-preflight: use the k8s node name instead of relying on hostname (#29809, @marseel)
  • endpoint: fix panic in RunMetadataResolver due to send on closed channel (#29615, @mhofstetter)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (#29566, @christarazi)
  • Fix cleanup of AWS-related leftover iptables chains (#29448, @giorio94)
  • Fix missing NODE_ADD Hubble peer messages in some cases (#28226, @AwesomePatrol)
  • Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (#29613, @giorio94)
  • Fix potential deadlock that results in stale authentication entries in Cilium (#29082, @meyskens)
  • metrics: fix issue where logging err/warn metric is never updated. (#29201, @tommyp1ckles)
  • The DNS proxy will now compute a UDP checksum over the IPv6 response packet and the pseudo-header. (#29493, @danehans)

CI Changes:

  • ci datapath-verifier: add connectivity test (#29633, @mhofstetter)
  • ci-ipsec-e2e: Misc refactor + more keys (#29592, @brb)
  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (#29653, @brb)
  • ci-ipsec-{e2e,upgrade}: Use lvh-kind (#29514, @brb)
  • ci/ipsec: Skip waiting for images when skipping upgrade/downgrade (#29793, @qmonnet)
  • ci: add documentation check to documentation workflow (#29684, @mhofstetter)
  • ci: always use full matrix for scheduled cloud-provider workflows (#29694, @mhofstetter)
  • ci: disable preemptible VM & GKE clusters on tests based on GKE (#29607, @mhofstetter)
  • Define PUSH_TO_DOCKER_HUB environment variable (#29644, @michi-covalent)
  • Fix collecting of verifier logs in ci-verifier (#29752, @lmb)
  • Fix exporting results to gs bucket. (#29587, @marseel)
  • gh/workflows: Bump CLI to v0.15.18 (#29849, @brb)
  • gh/workflows: Drop reading /proc in case of failure (#29855, @brb)
  • gh: e2e: test conformance & upgrade with 5.4 kernel and EgressGW (#29651, @julianwiedmann)
  • gha: add step to ensure presence/absence of the AWS iptables chains (#29670, @giorio94)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (#29675, @giorio94)
  • gha: Migrate from MetalLB to L2LB (#28926, @sayboras)
  • gha: sig-servicemesh owns Ingress or Gateway API related workflows (#29812, @sayboras)
  • Make LB-IPAM tests less flaky (#29678, @dylandreimerink)
  • Mock out time for BPF ratelimit test to make it more stable (#29740, @dylandreimerink)
  • renovate: enable Cilium CLI patch updates for Cilium <v1.14 (#29794, @giorio94)
  • Simplify CI image build workflow before v1.15 branch (#29834, @joestringer)
  • test: Fail ginkgo tests on warnings (#29624, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (#29623, @pchaigno)

Misc Changes:

  • Address device <-> node addressing race (#29555, @bimmlerd)
  • bpf/Makefile: remove gen_compile_commands make target (#29611, @ti-mo)
  • bpf: clean up some IPv4 header validations (#29585, @julianwiedmann)
  • bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (#29721, @julianwiedmann)
  • chore(deps): update actions/setup-python action to v4.8.0 (main) (#29769, @renovate[bot])
  • chore(deps): update actions/stale action to v9 (main) (#29772, @renovate[bot])
  • chore(deps): update all github action dependencies to v5 (main) (major) (#29773, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29556, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29766, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.17 (main) (#29557, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (main) (#29770, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.5 docker digest to 2ff79bc (main) (#29765, @renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.11 (main) (#29767, @renovate[bot])
  • chore(deps): update github/codeql-action action to v2.22.9 (main) (#29768, @renovate[bot])
  • chore(deps): update go to v1.21.5 (main) (patch) (#29659, @renovate[bot])
  • chore(deps): update google-github-actions/setup-gcloud action to v2 (main) (#29780, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (main) (patch) (#29749, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231211.012942 (main) (#29777, @renovate[bot])
  • chore: add SI Analytics as cilium user (#29744, @JhoLee)
  • chore: rename CIDRGroups resource to CiliumCIDRGroups (#29515, @pippolo84)
  • cilium-dbg: Add "statedb node-addresses" command (#29479, @joamaki)
  • cilium: Do not warn on socket tracing if EnableSocketLBTracing was not set (#29730, @borkmann)
  • cilium: iptables masquerade to route source fixes (#29591, @borkmann)
  • Clean up deprecated and unused IPCache APIs after FQDN transition to asynchronous APIs (#29657, @tklauser)
  • CODEOWNERS: assign pkg/ip to @cilium/sig-agent (#29669, @tklauser)
  • CODEOWNERS: sig-clustermesh additionally owns clustermesh-related GHA workflows and helm templates (#29671, @giorio94)
  • codeowners: use new teams cilium/envoy & cilium/fqdn (#29627, @mhofstetter)
  • daemon: Fix incorrect node and ciliumnode resource type in annotations (#29522, @hargrovee)
  • do not start bandwidth manager in dry mode (#29183, @dylandreimerink)
  • docs: add documentation for policy-cidr-match-mode=nodes (#28421, @squeed)
  • docs: add MaxConnectedClusters documentation (#29637, @thorn3r)
  • Docs: Adds Webhook Limitation to EKS Install Doc (#29497, @danehans)
  • docs: Modify BGP MD5 password with Helm default change (#29527, @YutaroHayakawa)
  • docs: specify which further release for fqdn option removal. (#29531, @squeed)
  • Don't log an error if the to be deleted ipset entry does not exist (#29561, @giorio94)
  • Envoy silence expected internal listener warning (#29786, @jrajahalme)
  • envoy: perform version check directly on envoy binary (not starter) (#29512, @mhofstetter)
  • examples: update guestbook example with new image registry (#29603, @mhofstetter)
  • fix(deps): update all go dependencies main (main) (minor) (#29771, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29593, @renovate[bot])
  • fqdn: avoid converting from netip.Addr to net.IP and back (#29625, @tklauser)
  • guestbook: update example with leader/follower naming (#29642, @mhofstetter)
  • helm: Allow unsupported K8s versions for now (#29888, @gandro)
  • hubble-relay: fix panic during server shutdown (#29705, @mhofstetter)
  • images: bump cni plugins to v1.4.0 (#29622, @squeed)
  • improve the correctness of the rate limiting implementation in certain edge cases. (#29397, @dylandreimerink)
  • ingress: add unit tests to test default ingressclass (#29792, @mhofstetter)
  • ipcache: use TriggerController, not UpdateController (#29548, @squeed)
  • k8s/resource: Add support for releasable Resource[T] (#29414, @pippolo84)
  • Makefile: Fix variable override not working in all cases (#29599, @gandro)
  • Optimize IP/FQDN management in the DNSCache (#29691, @squeed)
  • pkg/rand: remove random name generator (#29664, @aanm)
  • pkg: proxy: only install from-proxy rules/routes for native routing (#29761, @julianwiedmann)
  • plugins/cilium-cni: Introduce endpoint customization (#29707, @gandro)
  • Prepare for release v1.15.0-pre.3 (#29596, @aanm)
  • Prepare v1.15 stable branch (#29838, @joestringer)
  • proxy: export ProxyConfig fields (#29827, @tklauser)
  • README: Update releases (#29609, @aanm)
  • release image: Allow arbitrary pre-release identifiers (#29173, @michi-covalent)
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (#29801, @jrfastab)
  • statedb: Fix revision indexing (#29840, @joamaki)
  • test: remove probes-test.sh (#29612, @rgo3)
  • Update SPIRE dependency to v1.8.5 (#29597, @meyskens)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0-rc.0@sha256:dfd696fb4325e996098607224cf379ccdbbe969634750fa10082e7ac31d0819a

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0-rc.0@sha256:7a6be505270347b8e4076941b282ecd3c89cbdce68f50a3ba6e0bd5a60553c47

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0-rc.0@sha256:fe6325f2268adafa28b0a0a81f5f2254014fc1aa8981c47fce6c688e3879993a

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0-rc.0@sha256:eb89a6c12bef00f62f393630958f58d769f0add5ba6fa914180ec21d845034ae

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0-rc.0@sha256:9f34a4d32c87f7dfb7fff45c2660e58113a036dca06e75ea20b5bd46856c20fa

operator-aws

quay.io/cilium/operator-aws:v1.15.0-rc.0@sha256:d28d947653bff9ad9a010bdc4bb75d3f0ce5517b601d768075f11ea32242491c

operator-azure

quay.io/cilium/operator-azure:v1.15.0-rc.0@sha256:0f6828ab7688159e3b7bc259094af6c9643783a48b2fc0630885dcabe9249831

operator-generic

quay.io/cilium/operator-generic:v1.15.0-rc.0@sha256:cc0800697151d9a68c9547c66e9d5f4a67537efd369cb10caf19e79748b24b02

operator

quay.io/cilium/operator:v1.15.0-rc.0@sha256:5e14c97ee92c6eef799b3125ab4b557c3c7c6cfe55d78c8c655bdf7aae4212ab

v1.14.5

4 months ago

We are pleased to release Cilium v1.14.5.

This release includes expanded credential and resource-limit configuration parameters for the Agent DaemonSet and the SPIRE agent, a fix for an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, more detail in the output of the IPsec CLI subcommands, a datapath fix for SNAT running behind multiple network interfaces, a fix to NAT entry GC when DSR is enabled, a fix for endpoint label changes during re-init restoration, and a variety of other stability enhancements. Also included are performance enhancements to the concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

  • Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (Backport PR #29187, Upstream PR #29077, @meyskens)
  • helm: Add missing SA automount configuration (Backport PR #29689, Upstream PR #29511, @ayuspin)
  • helm: Allow setting resources for the agent init containers (Backport PR #29689, Upstream PR #29610, @ayuspin)
  • Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (Backport PR #29447, Upstream PR #28126, @jrajahalme)

Bugfixes:

  • "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (Backport PR #29477, Upstream PR #29020, @jrajahalme)
  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29308, @ti-mo)
  • bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (Backport PR #29477, Upstream PR #28813, @oblazek)
  • bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (Backport PR #29187, Upstream PR #28959, @julianwiedmann)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29641, Upstream PR #29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29390, Upstream PR #29335, @gandro)
  • Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (Backport PR #29187, Upstream PR #28264, @aspsk)
  • endpoint: fix panic in RunMetadataResolver due to send on closed channel (Backport PR #29251, Upstream PR #29615, @mhofstetter)
  • endpointmanager: unmap ip for lookup (Backport PR #29641, Upstream PR #29554, @tklauser)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29641, Upstream PR #29566, @christarazi)
  • Fix external workloads not working with non-default ClusterID (Backport PR #29477, Upstream PR #29378, @giorio94)
  • Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (Backport PR #29641, Upstream PR #29613, @giorio94)
  • Fix routing delegation to AWS-VPC-CNI when using the security groups feature. (Backport PR #29641, Upstream PR #29111, @Alex-Waring)
  • Fix the Created timestamps in cilium bpf nat list that used to display the same values. (Backport PR #29187, Upstream PR #27062, @gentoo-root)
  • Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (Backport PR #29251, Upstream PR #29248, @aanm)
  • gateway-api: add watch for reference grant in TLSRoute reconciler (Backport PR #29187, Upstream PR #29007, @mhofstetter)
  • gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (Backport PR #29442, Upstream PR #29115, @sayboras)
  • gateway: Ignore loadbalancer class for Gateway service (Backport PR #29641, Upstream PR #29547, @sayboras)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29641, Upstream PR #29182, @viktor-kurchenko)
  • ingress: fix foreground deletion of Ingress (Backport PR #29477, Upstream PR #29367, @mhofstetter)
  • Install loopback CNI atomically to protect against aborted copy (Backport PR #29641, Upstream PR #29462, @akhilles)
  • ipam: Fix bug where IP lease did not expire (Backport PR #29641, Upstream PR #29443, @gandro)
  • ipam: Fix bug where IP lease did not expire (Backport PR #29652, Upstream PR #29443, @gandro)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #29477, Upstream PR #29310, @julianwiedmann)
  • metrics: fix potential conflict on metrics registration (Backport PR #29270, Upstream PR #27007, @ysksuzuki)
  • metrics: fix potential conflict on metrics registration (Backport PR #29477, Upstream PR #27007, @ysksuzuki)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29364, Upstream PR #29340, @aanm)
  • Support downgrade path for XDP attachments from Cilium 1.15 (#29104, @ti-mo)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29477, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • bpf: complexity-tests: add HAVE_FIB_NEIGH (Backport PR #29477, Upstream PR #29348, @julianwiedmann)
  • ci-ipsec-upgrade: Check for errors (Backport PR #29270, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Check for errors (Backport PR #29477, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (Backport PR #29477, Upstream PR #29325, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #28876, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #28876, Upstream PR #28016, @jschwinger233)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #28876, Upstream PR #27977, @michi-covalent)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #28876, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29477, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29477, Upstream PR #29353, @pchaigno)

Misc Changes:

  • .github: use GitHub workflow from the same branch (#29252, @aanm)
  • [v1.14] CI: fix broken BPF complexity tests (#29553, @lmb)
  • Add workqueue.(delayingType).waitingLoop to goleak exception list (Backport PR #29187, Upstream PR #28557, @dylandreimerink)
  • chore(deps): update actions/checkout action to v4 (v1.14) (#29595, @renovate[bot])
  • chore(deps): update actions/github-script action to v7 (v1.14) (#29149, @renovate[bot])
  • chore(deps): update actions/setup-python action to v4.8.0 (v1.14) (#29579, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (#29121, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (minor) (#29265, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#29282, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#29576, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29417, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29577, @renovate[bot])
  • chore(deps): update cilium/cilium digest to d42be92 (v1.14) (#29133, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.13 (v1.14) (#29123, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.14 (v1.14) (#29283, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.16 (v1.14) (#29465, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.17 (v1.14) (#29729, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.14) (#29578, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 4e4a34f (v1.14) (#29416, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.14) (#29281, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (v1.14) (#29575, @renovate[bot])
  • chore(deps): update go to v1.20.12 (v1.14) (patch) (#29660, @renovate[bot])
  • chore(deps): update google-github-actions/auth action to v2 (v1.14) (#29598, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.14) (patch) (#29746, @renovate[bot])
  • chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (v1.14) (#29320, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231113.012843 (v1.14) (#29129, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231120.012927 (v1.14) (#29284, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29270, Upstream PR #29178, @brb)
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29477, Upstream PR #29178, @brb)
  • Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29641, Upstream PR #29497, @danehans)
  • docs: bump required Helm version (Backport PR #29477, Upstream PR #29273, @nebril)
  • examples: update guestbook example with new image registry (Backport PR #29641, Upstream PR #29603, @mhofstetter)
  • images: bump cni plugins to v1.4.0 (Backport PR #29724, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29477, Upstream PR #29352, @pchaigno)

Other Changes:

  • [v1.14] Author Backport of 28896 (k8s ingress & gateway api: qualify envoy clusters and their references) (#29218, @mhofstetter)
  • [v1.14] bgpv1: Fix BGP component tests using the same VirtualRouter config (#29453, @rastislavs)
  • [v1.14] bpf: Fix identity determination in bpf_overlay.c (#29606, @ysksuzuki)
  • [v1.14] bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers (#29719, @julianwiedmann)
  • [v1.14] ci-ipsec-upgrade: Disable Linux 5.10-based configs (#29358, @brb)
  • [v1.14] gh: datapath-verifier: also run on 6.1 kernel (#29650, @julianwiedmann)
  • envoy: Bump cilium-envoy with golang 1.21.5 (#29656, @sayboras)
  • envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29383, @sayboras)
  • install: Update image digests for v1.14.4 (#29147, @thorn3r)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29205, @thorn3r)
  • v1.14: ariane: Run ci-ipsec-upgrade when testing backports (#29225, @brb)

v1.13.10

4 months ago

We are pleased to release Cilium v1.13.10.

This release includes expanded SA credential and resource-limit configuration parameters for the Agent DaemonSet, a fix for an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, more detail in the output of the IPsec CLI subcommands, a datapath fix for SNAT running behind multiple network interfaces, and a fix to NAT entry GC when DSR is enabled. In addition, there are performance enhancements to the concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

  • helm: Add missing SA automount configuration (Backport PR #29690, Upstream PR #29511, @ayuspin)
  • helm: Add SA to nodeinit ds (Backport PR #29690, Upstream PR #24836, @darox)
  • helm: Allow setting resources for the agent init containers (Backport PR #29690, Upstream PR #29610, @ayuspin)

Bugfixes:

  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29309, @ti-mo)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29640, Upstream PR #29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29391, Upstream PR #29335, @gandro)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29640, Upstream PR #29566, @christarazi)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29640, Upstream PR #29182, @viktor-kurchenko)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29709, Upstream PR #29340, @aanm)
  • Support downgrade path for XDP attachments from Cilium 1.15 (#29105, @ti-mo)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29475, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • ci-ipsec-upgrade: Check for errors (Backport PR #29272, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29003, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29003, Upstream PR #28016, @jschwinger233)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #29003, Upstream PR #27977, @michi-covalent)
  • gha: align ci-ipsec-e2e workflow name to main (#29687, @giorio94)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #29003, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29475, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29475, Upstream PR #29353, @pchaigno)

Misc Changes:

  • .github: use GitHub workflow from the same branch (#29256, @aanm)
  • chore(deps): update actions/checkout action to v4 (v1.13) (#29287, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (minor) (#29286, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (patch) (#29139, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#29150, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#29419, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.13) (#29661, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.13) (#29285, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.13) (#29138, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.13) (patch) (#29747, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#29289, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29192, Upstream PR #29178, @brb)
  • Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29640, Upstream PR #29497, @danehans)
  • examples: update guestbook example with new image registry (Backport PR #29640, Upstream PR #29603, @mhofstetter)
  • Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29700, Upstream PR #29495, @learnitall)
  • images: bump cni plugins to v1.4.0 (Backport PR #29723, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29475, Upstream PR #29352, @pchaigno)
  • Update the logrus dependency to address a security issue. (#29672, @rolinh)

Other Changes:

  • [1.13] Address selectorcache concurrent read/write (#29186, @tklauser)
  • [v1.13] Let renovatebot update Go toolchain version in a single PR (#29743, @tklauser)
  • envoy: Bump cilium-envoy with golang 1.21.5 (#29655, @sayboras)
  • envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29384, @sayboras)
  • install: Update image digests for v1.13.9 (#29136, @nathanjsweet)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29206, @thorn3r)
  • v1.13: ariane: Run ci-ipsec-upgrade when testing backports (#29227, @brb)