chore(deps): update helm release cilium to v1.14.0
This MR contains the following updates:
Package | Update | Change
---|---|---
cilium (source) | patch | v1.14.0-rc.1 -> 1.14.0
Release Notes
cilium/cilium (cilium)
v1.14.0: 1.14.0
Changelog
The Cilium core team are excited to announce the Cilium 1.14 release.
⚠ Warning - IPsec ⚠
Do NOT upgrade to this release if you are using IPsec.
Summary of Changes
Major Changes:
- Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#24263, @meyskens)
- Add support for Kubernetes v1.27 (#24837, @tklauser)
- Add support for Kubernetes v1.27 (#25602, @nathanjsweet)
- Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
- Add TLSRoute support to GatewayAPI (#25106, @meyskens)
- Add WireGuard host2host and LB encryption (#19401, @brb)
- Added L2 announcement feature (#25471, @dylandreimerink)
- cilium: fib lookup consolidation (#23884, @borkmann)
- cilium: IPv4 BIG TCP support (#26172, @borkmann)
- Implement BPF-based masquerading for IPv6 (#23165, @qmonnet)
- Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#26083, @giorio94)
- Module Health: Add Health Provider/Reporter (#25662, @tommyp1ckles)
- New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
- Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)
- Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)
- The Cilium operator now taints nodes where Cilium is scheduled to run but is not running. This prevents pods from being scheduled on nodes without Cilium. The CNI configuration file is no longer removed on agent shutdown. This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade. This should help prevent nodes accidentally entering an unmanageable state. It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#23486, @squeed)
Minor Changes:
- Add a new set of flags for CES work queue limit and burst rates, `CESWriteQPSLimit` and `CESWriteQPSBurst`. The processed work queue items always trigger a single CES create, update or write request to the kube-apiserver. The work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES api objects. - Set the default `CESWriteQPSLimit` to `10` and `CESWriteQPSBurst` to `20`. - Set the maximums for qps `50` and burst `100`. These values cannot be exceeded regardless of any configuration. - Unhide `CESMaxCEPsInCES` and `CESSlicingMode` flags from appearing in logs when `CES` is enabled. (#24675, @dlapcevic)
- [SNAT] add "need to frag" ICMP support (#18414, @sahid)
- Add `--hubble-monitor-events` flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
- Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
- Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#23968, @meyskens)
- Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
- Add flag to configure the size of the egress gateway policy map (#23019, @cyclinder)
- Add hubble_lost_events_total metric for the number of events lost by Hubble. (#22865, @lambdanis)
- add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
- Add network policy auth method "always-fail" (#24609, @meyskens)
- Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
- Add option to remove query from HTTP flows (#25746, @ChrsMark)
- Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#22731, @marqc)
- Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
- Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
- Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
- Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
- Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
- Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
- Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
- Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
- Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
- Add support for the `ingressclass.kubernetes.io/is-default-class` annotation on Cilium's IngressClass (#23719, @meyskens)
- Add tls-server-enforce-mtls flag to hubble-relay to enforce mTLS connection with clients. (Backport MR #26636, Upstream MR #25582, @marqc)
- Added Gratuitous ARP Pod Announcements (#25482, @markpash)
- Adds `peerPort` field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans)
- agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead (#26036, @brb)
- alibabacloud: Support selecting subnet by IDs (#23131, @jaffcheng)
- Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#22866, @akhilles)
- Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#22911, @lvyanru8200)
- Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
- Allow to use a Secret for the caBundle (#25728, @farcaller)
- auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
- bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
- BGPv1: Set N-bit in graceful restart capability negotiation. (#26325, @harsimran-pabla)
- BPF NodePort is now enabled by default if CiliumEnvoyConfig is configured. (Backport MR #26636, Upstream MR #25901, @jrajahalme)
- bpf, ipcache: unconditionally assume support for LPM trie maps (#24258, @tklauser)
- Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fixed several relative IPv6 issues. (#24208, @jschwinger233)
- Change default helm value of authentication.mutual.spire.install.enabled to true (Backport MR #27038, Upstream MR #26864, @meyskens)
- Cilium by default overwrites changes to its CNI configuration file. With this change, setting cni.exclusive to false disables this behavior. This is useful when additional plugins wish to chain after Cilium, such as Istio. (Backport MR #27038, Upstream MR #26773, @squeed)
- Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
- Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
- Cilium now waits longer before returning a failure in the event of a pod creation burst. (#25805, @squeed)
- cilium/cmd: Remove deprecated policy_trace command (#23550, @sayboras)
- clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
- clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
- clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
- clustermesh: enable per-cluster RBAC in etcd server (#24284, @giorio94)
- cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
- cmd/service: unify service list/get output (#24136, @oblazek)
- cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
- daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
- Deprecate `--tunnel` in favor of `--routing-mode` and `--tunnel-protocol`. (#24561, @pchaigno)
- Deprecate CNP Node status updates. (#24464, @marseel)
- Disable by default CNP Node Status GC in cilium-operator. (#24390, @marseel)
- DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
- dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
- dns: Set --tofqdns-min-ttl to zero by default (#21439, @michi-covalent)
- egressgw: add support for excludedCIDRs (#23448, @jibi)
- Enable configuration of the source IP verification per endpoint (#23985, @pchaigno)
- Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
- Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
- Enabled cilium_bpf_map_pressure metric by default (#24721, @vishal-chdhry)
- endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
- envoy: Add idle timeout configuration option (#25214, @sayboras)
- envoy: Bump envoy to 1.24.2 (#23940, @sayboras)
- envoy: Bump envoy to 1.24.3 (#24148, @sayboras)
- envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
- envoy: Bump envoy to v1.25.8 (Backport MR #26887, Upstream MR #26815, @sayboras)
- envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
- envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
- envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
- envoy: Use embedded proxylib from cilium-proxy image (#26101, @sayboras)
- etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
- Expand agent metric Policy Import Errors to count all policy changes (#23349, @dlapcevic)
- Expose Cilium agent go runtime scheduler latency prometheus metric `go_sched_latencies_seconds` (#24745, @derailed)
- Extend clustermesh status reporting with remote configuration and synchronization information (Backport MR #27069, Upstream MR #26788, @giorio94)
- Extend the Helm chart to allow configuring kvstoremesh. (#26109, @giorio94)
- feat: optional bpf mount (#24161, @frezbo)
- Fix broken IPv6 connectivity from outside to NodePort service when L7 ingress policy applied by removing MROXY_RT route table. (#24882, @jschwinger233)
- Fix CIDR json tag in CNP CIDRRule (#25617, @pippolo84)
- Fix docker-cilium-image target for DOCKER_FLAGS=--push (#23679, @pippolo84)
- Fix endpoint slices filtering to ensure we filter out headless services and continue to support older k8s versions where service labels are not propagated to endpoint slices (Backport MR #26799, Upstream MR #25351, @odinuge)
- Fixed incorrectly rendered chart when specified both configMap and customConf (#25200, @marseel)
- gateway-api: Bump version to v0.6.0 (#22680, @sayboras)
- helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
- helm: Add SA to nodeinit ds (#24836, @darox)
- helm: Allow node port allocation for Ingress LB service (Backport MR #26799, Upstream MR #26502, @sayboras)
- helm: Bump default spire image version (#25444, @sayboras)
- Helm: Clean up deprecated values (#24214, @qmonnet)
- helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#25010, @giorio94)
- helm: Improve spire template (#25589, @sayboras)
- helm: simplify TLS configuration of clustermesh peers (#24222, @giorio94)
- helm: use Helm hooks instead of Job unique name (#23102, @sathieu)
- High-Scale IPcache: Chapter 3 (#25438, @pchaigno)
- hubble-relay: deprecate peer svc through local unix domain socket (#23407, @kaworu)
- hubble: Add GetNamespaces to observer API (#25563, @chancez)
- hubble: traffic direction filter (#24120, @kaworu)
- identity/cache: fix panic when re-init of cache after close. (#25269, @tommyp1ckles)
- Improve cilium monitor output for dropped packets: display source file names instead of numerical ids (#24143, @aspsk)
- Increase the default CiliumEndpointSlice sync time from 0 to 500ms (#23615, @dlapcevic)
- ingress: Default TLS certificate for ingress (#26065, @sathieu)
- install/kubernetes: make image digests for all components optional & configurable (#22732, @rastislavs)
- Integration of sample dashboards with Helm chart (#23794, @jcpunk)
- Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
- ipam/crd: Add new flag for configuring CiliumNode update rate (#23017, @jaffcheng)
- ipam: Add ability to automatically create `CiliumPodIPPool` resources in multi-pool IPAM mode (#25991, @gandro)
- ipmasq: Add support for ip-masq-agent with IPv6 (#23219, @qmonnet)
- ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
- Make Envoy sockets for tproxy and the xDS API and bind to localhost only (#24011, @meyskens)
- metrics: Add k8s client rate limiter latency metric (#25555, @ysksuzuki)
- metrics: support toggle bootstrap times metric via daemon config (#22643, @ArthurChiao)
- Modify operator metric CES errors sync to count all CES sync events (#23335, @dlapcevic)
- mtls: SPIRE server and agent installation (#24765, @sayboras)
- multi-pool: Determine IP pool based on `ipam.cilium.io/ip-pool` annotation (#25511, @gandro)
- mutual-auth: Avoid confusion on mTLS wording (#25761, @sayboras)
- mutual-auth: Support spire k8s service dns resolution (#26031, @sayboras)
- operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#24776, @tommyp1ckles)
- operator: Fix default API server addr in metrics subcommand (#26132, @pippolo84)
- operator: proper rolling update (#23589, @mhofstetter)
- option,helm: Add a flag to opt out from support for Kubernetes NetworkPolicy in Cilium (#23127, @ChengyuanLiCY)
- policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated, this has now been fixed. (#23927, @rockc2020)
- Prepare Cilium API for IPAM pools (#24248, @tklauser)
- Remove sockops-enable and friends (#23606, @mohit-marathe)
- Rename the `sec_label` field in remote_endpoint_info structure to `sec_identity` (#25057, @ldelossa)
- Replace wait-for-it in SPIRE setup with a busybox script (#24959, @meyskens)
- Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
- Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#25883, @julianwiedmann)
- Retire Cilium-Integrated Istio documentation (#25722, @networkop)
- Return better error codes from hooked syscalls, such as connect() and bind(). (#22965, @gentoo-root)
- Revert "Revert agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26496, @brb)
- Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#26001, @harsimran-pabla)
- Significantly reduce Hubble flow traffic by transmitting only requested information (#23198, @AwesomePatrol)
- spire: Add identity GC capability (#25867, @sayboras)
- Support `enable-endpoint-routes` with `enable-high-scale-ipcache`. (#25601, @pchaigno)
- Support defining IPAM pools using CiliumPodIPPool CRD (#25824, @tklauser)
- Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#25477, @YutaroHayakawa)
- Support Gateway API v0.7.0 (#25711, @meyskens)
- Support GENEVE encapsulation with high-scale ipcache. (#25591, @pchaigno)
- Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
- sysdump: Added Kubernetes CNI logs to sysdump. (#23937, @marseel)
- The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)
- The deprecated pod-short context option in Hubble metrics is now removed (#26125, @lambdanis)
Bugfixes:
- Add drop notifications from various error paths in the BPF datapath. (Backport MR #27038, Upstream MR #26956, @julianwiedmann)
- Add host-side interface info to cni.Result, which allows bandwidth CNI to work with Cilium (Backport MR #26636, Upstream MR #26518, @nayihz)
- Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#25215, @youngnick)
- auth: Switch to observing identity changes (Backport MR #26636, Upstream MR #26375, @mhofstetter)
- bgpv1: Unconditionally select node when empty nodeSelector is given (Backport MR #26734, Upstream MR #26590, @YutaroHayakawa)
- bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#19753, @sahid)
- bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#24757, @julianwiedmann)
- bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#25929, @julianwiedmann)
- bpf: nodeport: fix handling of stale CT entry with CT_REPLY (#23894, @julianwiedmann)
- bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
- Bugfix: Invert `--hubble-monitor-events` logic to be an allowlist (#25167, @epk)
- Bypassing policy check for IPv6 NDP to fix broken pod-to-pod connectivity when per-endpoint route is enabled with policy. (#24919, @jschwinger233)
- CIDRGroup reference metric will not count nonexistent CIDRGroups (#26133, @akstron)
- client, health/client: set dummy host header on unix:// local communication (Backport MR #26838, Upstream MR #26800, @tklauser)
- datapath: bigtcp: Fix the IPv4 BIG TCP may not work (#26336, @haiyuewa)
- datapath: Do not send ICMP6 NA over cilium_wg0 (#23969, @brb)
- datapath: Fix L7 reply to outside when endpoint routes disabled (#21980, @brb)
- egressgw: fix race with endpoint deletion (Backport MR #27038, Upstream MR #26901, @jibi)
- egressgw: retry getIdentityLabels on failure (Backport MR #26734, Upstream MR #26457, @jibi)
- Fix a bug in the Egress Gateway feature when using the --install-egress-gateway-routes option. Delete stale IP rules after a CiliumEgressGatewayPolicy is updated and selects a different egress network interface. (Backport MR #27069, Upstream MR #26846, @julianwiedmann)
- Fix a bug where datapath option DisableSipVerification can no longer be used. (#25533, @oblazek)
- Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#25329, @jschwinger233)
- Fix bug in AlibabaCloud where instance type limits could not be determined (#25387, @haozhangami)
- Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport MR #26914, Upstream MR #26708, @pchaigno)
- Fix bug where bpf map entries may not be reliably dumped or garbage collected when the map is actively being updated. (Backport MR #26838, Upstream MR #26583, @tommyp1ckles)
- Fix bug with `toServices` policy where service backend churn left stale CIDR identities (#25687, @christarazi)
- Fix Cilium crash during network policy computation (#24322, @joestringer)
- Fix compilation error when enabling Wireguard and XDP (#25734, @ysksuzuki)
- Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#25087, @joamaki)
- Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (#23874, @sjdot)
- Fix error propagation issue in clustermesh which prevented retrying on certain validation errors (Backport MR #26799, Upstream MR #26613, @giorio94)
- Fix failure to load the datapath for new pods on latest kernel when (almost) all datapath features are enabled. (#24405, @borkmann)
- Fix for Identities that can be deleted before CESs are reconciled (#25001, @dlapcevic)
- Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#24474, @strudelPi)
- Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#25677, @giorio94)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#25675, @giorio94)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#25499, @giorio94)
- Fix missing metric "cilium_services_events_total" (Backport MR #27038, Upstream MR #26719, @christarazi)
- Fix operator entering broken state when it has outdated version of the CES in the cache. (Backport MR #27038, Upstream MR #26455, @alan-kut)
- Fix panic due to nil-map assignment in l2announcer (#26315, @dylandreimerink)
- Fix panic in hubble http v2 metrics (#24350, @chancez)
- Fix possible connection drops on agents restart when a service is associated with multiple endpointslices or has backends across multiple clusters (Backport MR #27038, Upstream MR #26912, @giorio94)
- Fix SNAT by the N/S load-balancer for fragmented IPv4 requests. (Backport MR #26636, Upstream MR #26550, @julianwiedmann)
- Fix some test failures for bpf_nat_test.c (#24534, @YutaroHayakawa)
- Fixed double metric accounting for k8s events (Backport MR #26636, Upstream MR #26349, @dylandreimerink)
- Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport MR #26813, Upstream MR #26344, @jrajahalme)
- Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#26136, @ldelossa)
- Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#25320, @harsimran-pabla)
- Handles nodeIP changes when CEPs are checkpointed to tmpfs and the nodeIP changes across a reboot. (#26281, @bprashanth)
- helm: Fix a bug caused by incorrect indentation of the extraEnv parameter for Hubble UI backend (Backport MR #26914, Upstream MR #26797, @toVersus)
- Implement OnAddNode handlers for CiliumNodeUpdater and EndpointManager (Backport MR #26734, Upstream MR #26484, @pippolo84)
- ingress: Delay secret sync if not available (Backport MR #26995, Upstream MR #26988, @sayboras)
- ipam/azure: fix crash due to race condition when handling new node. (Backport MR #27038, Upstream MR #26658, @tommyp1ckles)
- iptables: Fix wrong use of podCIDR in cluster node NAT exclusion (#26397, @gandro)
- Keep sync on deployed proxy ports when retrying proxy redirect creation. (#26343, @jrajahalme)
- nat: fix usage in nat.h of csum.h module (#25576, @sahid)
- Policy auth precedence fix (Backport MR #26813, Upstream MR #26331, @jrajahalme)
- Removed unnecessary updates to service status by MetalLB (#23210, @ysksuzuki)
- Revert "datapath: Remove 2005 route table" (#23346, @brb)
- Solved an issue failing to forward traffic to Services if the Endpoint Slices had the same Address on different Slices (#24202, @aojea)
- SPIRE Server image now is the value from the Helm values file (Backport MR #27038, Upstream MR #26911, @meyskens)
- Support IPv4 DSR for packets with IP options. (#23810, @julianwiedmann)
- Temporarily disable bpf-clock-probe to avoid causing interruptions for long-lived connections during upgrades (Backport MR #27033, Upstream MR #26981, @margamanterola)
- test/controlplane: Disable endpoint GC (#26383, @pippolo84)
- test: bigtcp: Update the BIG TCP checking message (#26377, @haiyuewa)
- The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)
- Updates TransformXXX Functions in k8s pkg (#26244, @danehans)
- Validate "ownership" of hostPort service being deleted (Backport MR #26734, Upstream MR #22587, @yasz24)
CI Changes:
- .github/workflows: add JUnit tag on workflows that have JUnits (#25930, @aanm)
- .github/workflows: add missing GH action version annotations (#25369, @tklauser)
- .github/workflows: let renovate update kind (#26312, @tklauser)
- .github/workflows: let renovate update kind in ingress workflow (#26390, @tklauser)
- .github/workflows: re-enable coverage in BPF tests (#23291, @tklauser)
- .github/workflows: run datapath complexity tests directly in VM (#24117, @tklauser)
- .github/workflows: use Helm mode cilium-cli in K8sUpstreamNetConformance (Backport MR #26734, Upstream MR #26692, @tklauser)
- .github: add 'name' field for the conformance-e2e job (Backport MR #26838, Upstream MR #26791, @aanm)
- .github: add cilium sysdump to test artifacts (#26143, @aanm)
- .github: add missing job to check for code changes (#25926, @aanm)
- .github: Clean up RBAC artifacts for v1.13 CI (#22823, @joestringer)
- .github: Fail if print-chart-version.sh fails or does not exist (#26086, @chancez)
- .github: Fix chart push on forks (#25274, @chancez)
- .github: Pin docker buildx version to v0.9.1 (#23206, @joestringer)
- .github: Rename failure step in actions (#24437, @joestringer)
- .github: run scruffy for cilium/cilium only (#25772, @aanm)
- .github: simplify conformance-runtime workflow (#25955, @aanm)
- [UT]improve network_policy_test.go for apiversion (#22591, @my-git9)
- Add 1.13 conformance test (#24033, @aanm)
- Add BPF unit tests for IPsec (#25699, @jschwinger233)
- Add checker to verify if comments from ginkgo GH workflows are in sync (#25971, @aanm)
- Add container image scanning to Cilium images. (#26489, @ferozsalam)
- Add improvements in Conformance Runtime (#25797, @aanm)
- Add initial fuzz coverage of linux node handler. (#22577, @AdamKorcz)
- Add schema validation for configuration-matrix files (#26081, @aanm)
- Always use the 8.8.8.8 DNS resolver in kind (#24713, @aspsk)
- ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport MR #26734, Upstream MR #26715, @tklauser)
- bgp,test: Properly wait for FRR container to be ready (#25777, @YutaroHayakawa)
- bgpv1: Avoid ports from common ip_local_port_range in unit tests (#26174, @rastislavs)
- bgpv1: Exercise HoldTime in Test_NeighborAddDel (#25760, @rastislavs)
- bgpv1: Extend the timeout for the Test_NeighborAddDel test (#25970, @rastislavs)
- bgpv1: Retry peer checks in NeighborAddDel test to avoid flakes (#25641, @rastislavs)
- bpf unit tests: Run tests on changes to pks/bpf/** (#25911, @qmonnet)
- bpf,test: Add an option to disable coverage report per file (#24338, @YutaroHayakawa)
- bpf/test: Get rid of 4.9 leftovers (#23399, @brb)
- bpf: Cover high-scale IPcache in complexity tests (#25592, @pchaigno)
- bpf: inline test functions with ctx as input (#24662, @anfernee)
- bpf: test: add some IPv6 DSR integration tests (#25443, @julianwiedmann)
- bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option (#26151, @julianwiedmann)
- bpf: tests: pktgen infra for tunneling + GENEVE-DSR test (#26301, @julianwiedmann)
- bpf: Update checkpatch image (#24215, @qmonnet)
- bpf: Various fixes for `MAX_*_OPTIONS` and support for 5.10 (#24122, @pchaigno)
- build: Generate SBOM during image release (#23221, @joestringer)
- CI / Kind enhancements (#24714, @aanm)
- CI Workflow: Add all AWS supported k8s versions (#26361, @brlbil)
- CI Workflow: Add all Azure supported k8s versions (#26356, @brlbil)
- CI Workflow: Add all GKE supported k8s version (#26364, @brlbil)
- CI Workflows: Fix matrix generation (#26406, @brlbil)
- CI Workflows: Fix sysdump file creation (#26402, @brlbil)
- CI Workflows: Fix sysdump name typo (#26415, @brlbil)
- ci-aks, ci-external-workloads: Use cilium-cli Helm mode (#26382, @michi-covalent)
- ci-datapath: Enable IPV6 masquerading when KMR=off (#25111, @brb)
- ci-datapath: Fix issue where tests were wrongly reported as passing (#24813, @gandro)
- ci-datapath: Use QUAY_ORGANIZATION_DEV for Quay org name (#25052, @michi-covalent)
- ci-e2e-v1.13: Fix workflow (#25412, @brb)
- ci-e2e: backport changes in conformance-e2e into v1.13 tests (#25386, @brb)
- ci-e2e: Bump cilium-cli v0.1.4.5 (#25672, @brb)
- ci-e2e: Bump CLI version to v0.14.8 (#26475, @brb)
- ci-e2e: Enable --debug when running with EGW (#25789, @brb)
- ci-e2e: Increase hubble buffer capacity (#25710, @brb)
- ci-e2e: Run cilium-cli in Helm mode (#25780, @brb)
- ci-gke: Set `useDigest=false` for Hubble Relay (Backport MR #26914, Upstream MR #26890, @gandro)
- ci-l4lb-v1.1{1,2}: Remove helm charts (#25529, @brb)
- ci-multi-pool: Use ip-masq-agent for masquerading (Backport MR #26636, Upstream MR #26538, @gandro)
- ci-verifier: run verifier tests directly on VM instead of containerized (#26509, @ti-mo)
- ci/github: Set `useDigest=false` for Hubble Relay (Backport MR #26887, Upstream MR #26869, @gandro)
- ci/multicluster: Re-enable WireGuard testing (#22815, @gandro)
- CI: Add JUnit reports upload (#25801, @brlbil)
- ci: Add workflow for testing multi-pool IPAM (#26175, @gandro)
- ci: Disable WireGuard in ci-multicluster again (#23045, @gandro)
- ci: Disable wireguard in v1.13 conformance datapath (#24804, @pippolo84)
- ci: don't use ./contrib/scripts/kind.sh --xdp in 1.13 workflow (#24611, @tklauser)
- ci: fix Azure cluster names sometimes being too long (Backport MR #27038, Upstream MR #26933, @nbusseneau)
- ci: fix Cilium CLI install in ConformanceKindEnvoyDaemonSet (#25459, @nbusseneau)
- ci: fix clustermesh workflows on stable branches (#25089, @nbusseneau)
- ci: fix datapath complexity workflow (#24528, @tklauser)
- ci: fix gke network starvation (#25597, @brlbil)
- ci: fix missing timeout in Cyclonus test (#24529, @nbusseneau)
- ci: fix status reporting in the ci-multicluster test (#24784, @giorio94)
- ci: github actions job to run kubernetes upstream conformance tests (#25913, @aojea)
- ci: Mark skipped matrix workflows as successful (#24922, @gandro)
- ci: move 4.19 complexity tests to tests-datapath-verifier GHA workflow (#24517, @tklauser)
- ci: quarantine `K8sAgentIstioTest` (#24476, @nbusseneau)
- ci: remove GKE from Jenkins jobs (#23826, @nbusseneau)
- ci: remove test namespace deletion workaround in GKE v1.12 workflow (#22655, @tklauser)
- ci: replace deprecated set-output command in integration test workflow (#23633, @tklauser)
- CI: run integration-tests on test changes in MRs (#26405, @marseel)
- CI: Stabilize ConformanceKindEnvoyDaemonSet (#26260, @mhofstetter)
- ci: update cilium-cli to v0.12.12 (#23030, @tklauser)
- CI: Verifier tests: Keep generated object files and logs on test failure (#25862, @qmonnet)
- CI: wait for cilium to become ready in conformance-{aks,gke} before port forward relay (#25839, @learnitall)
- cocci: Fix Python path for coccilib (#24430, @qmonnet)
- CODEOWNERS: Add sig-foundations (#24976, @joamaki)
- conformance-k8s-kind: disable kindnet, enable log dumping (#24982, @squeed)
- conformance-k8s-kind: Use Helm mode cilium-cli (#25916, @michi-covalent)
- conformance-runtime: Bump timeout to wait for images (#25947, @michi-covalent)
- contrib/kind: no longer create local docker registry (#24541, @squeed)
- datapath/linux/ethtool: deflake TestIsVirtualDriver (#26027, @tklauser)
- datapath/linux/route: fix CI expectations for rule string format (#24577, @NikAleksandrov)
- Disable failing encryption connectivity tests on GKE (#23183, @brlbil)
- docs: add documentation for Ginkgo-based GHA (#26055, @aanm)
- docs: Run rstcheck on the README.rst (#26454, @qmonnet)
- docs: Update external workloads instructions (Backport MR #26734, Upstream MR #26607, @michi-covalent)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based one (#24996, @giorio94)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based ones (stable branches) (#26188, @giorio94)
- drop v1.10 support for eks tests (#24037, @aanm)
- egressgw: switch to Cilium CLI connectivity tests (#25719, @jibi)
- Enable egress gateway in datapath CI (#24210, @lmb)
- Enable loadBalancer.acceleration=testing-only in some datapath conformance cases (#24738, @lmb)
- Enable previously disabled encryption tests on GKE (#24603, @brlbil)
- Enable testing of BPF programs requiring XDP_TX in CI (#24250, @lmb)
- Fix broken target_url for conformance-clustermesh (#24315, @YutaroHayakawa)
- Fix execution of coccinelle checks (#24392, @qmonnet)
- Fix external-contribution-label workflow renovate tag (#25429, @chancez)
- Fix k8s podCIDRs for vagrant deployment (#22786, @romanspb80)
- Fix potential panic logic for checker.go (#22354, @yanggangtony)
- Fix verifier issues in IPv6 BPF tests (#25191, @dylandreimerink)
- Fixed flake in pkg/hive/job tests. (#25293, @dylandreimerink)
- Fixed TestTimer_ExitOnCloseFnCtx channel close panic (#25211, @dylandreimerink)
- fuzzing: modify oss-fuzz build script (#24262, @AdamKorcz)
- gateway-api: Add tests for standard CRD (#26372, @sayboras)
- gateway-api: Enable HTTPRouteListenerHostnameMatching test (#26226, @sayboras)
- gateway-api: Fix flaky conformance tests (#24317, @sayboras)
- gh/workflow: change multicluster GKE cluster provisioning to none blocking mode (#25394, @brlbil)
- gh/workflow: Reintroduce running GKE workflows in matrix strategy (#25654, @brlbil)
- gh/workflow: Remove specific GKE 1.24.5 version (#23164, @brlbil)
- gh/workflow: Run GKE workflow in matrix strategy (#25364, @brlbil)
- gh/workflows: Enable Host FW in ci-dp (#24429, @brb)
- gh/workflows: Fix encryption installation in ci-datapath (#23325, @brb)
- gh/workflows: Optionally enable dual stack in ci-e2e (Backport MR #26914, Upstream MR #26856, @brb)
- gh/workflows: Remove conformance-kind (#25707, @brb)
- gh/workflows: Rename ci-datapath to ci-e2e (#25164, @brb)
- gh/workflows: Split ci-dp encrypt tests into separate matrix configs (#24296, @brb)
- gh/workflows: Use `2023042.212204` LVH images (#25681, @brb)
- gh/workflows: Use cilium-cli GHA to install CLI exec (#25228, @brb)
- gha: Bump timeout to 90 minutes for build commit. (#23996, @sayboras)
- gha: Clean-up Ingress job configuration (#25311, @sayboras)
- gha: enable debug logs in conformance-clustermesh workflows (#26186, @giorio94)
- gha: Increase Ingress status wait time (#26219, @sayboras)
- gha: Move to helm install mode for Gateway API jobs (#25608, @sayboras)
- gha: Move to helm mode for aws-cni, eks, gke (#25820, @sayboras)
- gha: Run integration tests in GHA (#22900, @sayboras)
- gha: Run kubernetes Conformance and SIG-network tests (#24209, @aojea)
- gha: test kvstoremesh in conformance-clustermesh (#26223, @giorio94)
- gha: test the different auth modes in conformance-clustermesh (#26252, @giorio94)
- gha: use Cilium CLI Helm mode for conformance-clustermesh (#25834, @giorio94)
- github/workflows: Enable DSR with WireGuard in ci-dp (#25039, @brb)
- Improve golangci-lint usage (#25157, @joestringer)
- Improved reliability of pkg/hive/job timer double trigger unit test (#26022, @dylandreimerink)
- kind: Bump k8s version to 1.27.0 (#24841, @sayboras)
- kludge: hardcode Google Cloud SDK key due to error 500 (#24045, @nbusseneau)
- kvstore: fix TestWorkqueueSyncStoreMetrics flake (#25706, @giorio94)
- Let renovatebot update Go toolchain version in a single MR (#24895, @tklauser)
- lint: enable gosec G402 (minimum TLS version) (#23247, @kaworu)
- Make CI test resources unique for retries. (#25990, @viktor-kurchenko)
- Make it easier to migrate off of gopkg.in/check.v1 (#25484, @lmb)
- Migrate L7 TLS Ginkgo tests to cilium-cli (#24414, @meyskens)
- mirror: Only run on cilium/cilium (#25179, @michi-covalent)
- Mitigate GKE workflow flake (#24755, @brlbil)
- mlh: update Jenkins jobs following 1.27 support (#24983, @nbusseneau)
- mlh: update Jenkins jobs following removal of kernel 4.9 support (#23822, @nbusseneau)
- mlh: update Jenkins jobs names (`master` > `main`) (#24958, @nbusseneau)
- Move datapath verifier tests into GH actions workflow (#22754, @tklauser)
- NONE (#25258, @aojea)
- pin managed clusters' K8s version on stable branches (#22724, @nbusseneau)
- pkg/k8s: Clean-up: Remove duplicate package import in pkg/k8s/factory_functions_test.go (#23433, @my-git9)
- policy: add two more fuzzers (#22336, @AdamKorcz)
- Quarantine "K8sDatapathConfig Iptables Skip conntrack for pod traffic test. (#23824, @marseel)
- renovate: Add explicit gitAuthor (#24739, @gandro)
- renovate: add packageRule group for cilium-cli (#24725, @tklauser)
- renovate: Add packageRule group for Hubble CLI (#24637, @gandro)
- renovate: automate golangci-lint upgrades (#24664, @mhofstetter)
- renovate: ignore ginkgo updates (#26423, @tklauser)
- renovate: Update builder and runtime images once a week (#24846, @michi-covalent)
- renovate: Update Dockerfiles that use golang image weekly (#24877, @michi-covalent)
- replace cilium/customvet by cilium/linters (Backport MR #26799, Upstream MR #26755, @rolinh)
- Replace integration_tests build tag with INTEGRATION_TESTS env (#24925, @ti-mo)
- resource: Work around a rare race in initial sync (#23292, @joamaki)
- Revert ".github/workflows: run datapath complexity tests directly in VM" (#24535, @tklauser)
- Revert "build: Generate SBOM during image release" (#23204, @ldelossa)
- Revert "gh/workflow: Run GKE workflow in matrix strategy" (#25464, @thorn3r)
- Revert "Use workflow configuration variables for quay organization na… (#23169, @michi-covalent)
- Run all ginkgo tests on GitHub actions (#25713, @aanm)
- Run latest fuzzers in OSS-Fuzz (#22580, @AdamKorcz)
- Set CILIUM_CLI_MODE env variable at the top level (#26387, @michi-covalent)
- Set CILIUM_CLI_MODE env variable at the top level (#26404, @michi-covalent)
- Set VERSION to 1.14.0-dev (#25237, @michi-covalent)
- test, jenkinsfile: Clean up natnetworks in CI after test run (#22704, @pchaigno)
- test/k8s: quarantine High-scale IPcache test (#25668, @aanm)
- test/k8s: remove istio.go test (#24894, @aanm)
- test/k8s: remove k8s agent health tests (#24433, @tklauser)
- test/nat46x64: silence curl output (#26024, @tklauser)
- test/Updates: Explicit error message on failure (#24920, @pchaigno)
- test/Vagrantfile: Debug information for natnetwork (#22675, @pchaigno)
- test/Vagrantfile: Don't hide natnetwork errors (#22702, @pchaigno)
- test/verifier: Fix compilation command (#24412, @pchaigno)
- test: add cluster mesh conformance tests with Kind (#23496, @giorio94)
- test: add comments for NFS's IP ranges on local CI VM scripts (#22934, @Shunpoco)
- test: Avoid spamming logs in monitor aggregation test (#25152, @pchaigno)
- test: Block HubbleObserveFollow until ready (#25090, @pchaigno)
- test: Bump timeout of service plumbing check (#23439, @pchaigno)
- test: Cleanup ginkgo test artifacts (#25833, @pchaigno)
- test: Dump VirtualBox version used in CI jobs (#22701, @pchaigno)
- test: Enable Envoy trace logs for TLS test (#22646, @jrajahalme)
- test: Enable IPv6 masq for IPsec (#24885, @jschwinger233)
- test: ensure cleanup in hubble "test L7 flow" (#23525, @giorio94)
- test: Exclude per-endpoint object files from artifacts (#23382, @pchaigno)
- test: Fix consistent failure in IPv6 masquerading test (#25036, @pchaigno)
- test: Fix the attempted fix for the hostfw flake (#26362, @pchaigno)
- test: gather containerd logs on failure (#24133, @squeed)
- test: remove govalidator dependency (#25314, @rolinh)
- test: Remove RuntimeDatapathLB (#24245, @brb)
- test: Remove unused `SkipGKEQuarantined` helper (#23354, @pchaigno)
- test: Unquarantine IPv6 masquerading test (#25149, @pchaigno)
- test: Unquarantine K8sDatapathConfig Encapsulation (#22674, @pchaigno)
- test: Unquarantine tests for iptables-based masquerading (#23228, @pchaigno)
- test: Unquarantine working FQDN test (#23357, @pchaigno)
- tests: quarantine services nodeport w/ L7 policy test. (#25236, @tommyp1ckles)
- tests: small fixups for the GENEVE-DSR e2e tests (#25062, @julianwiedmann)
- Transfer Runtime tests to GitHub actions (#25516, @aanm)
- travis: Run on main branch (#25108, @pchaigno)
- Trigger required workflows using Ariane (Backport MR #27097, Upstream MR #27002, @michi-covalent)
- Update EKS conformance tests to use both amd64 and arm64 hosts. (#24853, @chancez)
- Update image registry to quay.io (#23093, @obaranov1)
- Update push-chart workflow concurrency group (#25431, @chancez)
- Use cilium-cli latest stable version in conformance-datapath workflows (#24809, @pippolo84)
- Use cli-based Helm install for `tests-smoke` conformance workflow (#25493, @bleggett)
- Use CLI-based Helm installation for ingress tests (#25609, @dhawton)
- Use workflow configuration variables for quay organization names (#23145, @michi-covalent)
- v1.14: ci: use Ariane to trigger workflows (#26625, @nbusseneau)
- vagrant: bump box versions to pick up Go 1.20.1 (#23983, @tklauser)
- vagrant: Bump Vagrant box versions (#24984, @pchaigno)
- vagrant: Bump VM images to the latest versions (#22781, @pchaigno)
- vagrant: Default to 4.19 (#24950, @pchaigno)
- workflow: Cover VXLAN + IPsec + endpoint routes in datapath tests (#23396, @pchaigno)
- workflow: Disable monitor aggregation in IPv6 smoke test (#23816, @pchaigno)
- workflow: enable pod-to-cidr tests (#23986, @brlbil)
- workflow: enable pod-to-world tests (#23103, @brlbil)
- workflow: Reenable L7 tests on EKS + IPsec (#22617, @pchaigno)
- workflows/clustermesh: set kubectl version to match the one of the kubernetes cluster (#25221, @giorio94)
- workflows/datapath: Fix always-passing step (#24918, @pchaigno)
- workflows/externalworkload: Avoid using `--config` when unnecessary (#24567, @pchaigno)
- workflows/k8skind: Disable the flaky Aggregator test (#24989, @pchaigno)
- workflows/push charts: Checkout main branch before set-env-variables (#25296, @chancez)
- workflows: add the kind-based clustermesh conformance test for stable branches (#25029, @giorio94)
- workflows: add trigger sentence in ci-verifier workflow file (#23587, @kaworu)
- workflows: Cover IPsec + GENEVE (#24125, @pchaigno)
- workflows: e2e: bump Cilium CLI to v0.14.2 (#25194, @jibi)
- workflows: e2e: bump max-parallel to 16 (#25763, @jibi)
- workflows: Fix owner tag for stable branch workflows (#25158, @pchaigno)
- workflows: l4lb/verifier: fix skip-test-run job (#24072, @jibi)
- workflows: l4lb/verifier: replace tabs with spaces (#24108, @jibi)
- workflows: Pin gke to 1.24.5 (#22798, @joamaki)
- workflows: Run stable branches' L4LB workflows on a schedule (#25080, @pchaigno)
- workflows: Run stable branches' workflows on a schedule (#24991, @pchaigno)
Misc Changes:
- .gitattributes: Highlight Jenkinsfiles as Groovy (#23435, @pchaigno)
- .gitattributes: Mark install/kubernetes/cilium/README.md as generated (#24295, @qmonnet)
- .gitattributes: Mark install/kubernetes/cilium/values.yaml as generated (#24007, @qmonnet)
- .github: add dedicated job to wait for images (#26184, @aanm)
- .github: Add mirror from main -> master (#24941, @joestringer)
- .github: add renovate/stop-updating label on renovate's MRs (#25649, @aanm)
- .github: fix renovate docker image update (#23229, @aanm)
- .github: fix renovate's config file (#23231, @aanm)
- .github: Improve mirror workflow (#24962, @joestringer)
- .github: Push Helm charts for hotfixes (#25836, @joestringer)
- .github: rebuild ginkgo tests in case of cache miss (#26263, @aanm)
- .github: refactor job matrix generation into YAML files (#26019, @aanm)
- .github: set right project to track v1.13 backport MRs (#24157, @aanm)
- @errordeveloper is no longer an active committer (#23293, @errordeveloper)
- [cilium cmd] fix wrong notes. (#22871, @yanggangtony)
- [cilium-cmd bpf-metrics-list] return first when []*metricsRow is nil. (#22873, @yanggangtony)
- [UT] k8s/utils/util.go ut enhancement (#23680, @my-git9)
- `dev-doctor` - if path to `go.mod` invalid, look in current directory (#25327, @bleggett)
- A few cleanups for per-cluster CT/SNAT maps (#25712, @YutaroHayakawa)
- Add a hint about using Vagrant on Apple Silicon (#24626, @brandshaide)
- Add a package for slices utilities (#25069, @pippolo84)
- Add Ascend.io to USERS.md (#24775, @thejosephstevens)
- Add Back Market in the USERS list (#26413, @NitriKx)
- add better errors for our calls to Setsockopt() (#24287, @squeed)
- Add BPF test facility to test skb->cb (#24181, @YutaroHayakawa)
- Add Cistec User (#25104, @olinux-dev)
- add CNCF Resources and Link CoC to Governance docs (#23689, @xmulligan)
- Add configuration docs for API restrictions (#24968, @joestringer)
- add Cosmonic to the Users file (#23290, @xmulligan)
- Add detailed panic messages for slim ObjectMeta and ListMeta (#25107, @hemanthmalla)
- Add documentation about kvstoremesh (#26348, @giorio94)
- Add fuzzer for `pkg/fqdn` (#22519, @AdamKorcz)
- add helm option to customize nodeinit scripts (#24375, @mblaschke)
- Add helm values for K8s API server client rate limits and instructions on how to size them when using L2 announcements. (Backport MR #26799, Upstream MR #26711, @dylandreimerink)
- Add information about securing access to Cilium pods and provide a single page security reference (#23599, @zacharysarah)
- Add kernel.org's `.clang-format` for editor-agnostic C formatting hints (#25488, @bleggett)
- Add kvstoremesh Dockerfile and build images through the CI (#26106, @giorio94)
- Add L2 responder map dumping to sysdump (Backport MR #26734, Upstream MR #26667, @dylandreimerink)
- Add link to threat model in security policy (#24673, @ferozsalam)
- Add Lorenz Bauer to committers (#24864, @xmulligan)
- Add make commands for setting up clustermesh in kind (#24190, @marseel)
- Add microsoft as user to cilium (#25838, @tamilmani1989)
- Add missing LB IPAM description in the operator document (#25696, @YutaroHayakawa)
- Add Palark GmbH to USERS.md (#24421, @shurup)
- Add Proton to USERS (#24636, @MrFreezeex)
- add renovate support for go mod (#23864, @aanm)
- Add Robinhood Markets to Cilium USERS.md (#24026, @madhusudancs)
- Add S&P Global to Users (#23700, @xmulligan)
- Add the tunnel values to the config map even when the default values are used. (Backport MR #26838, Upstream MR #26712, @3u13r)
- add toEntities/fromEntities CRD description missing options (#22279, @slayer321)
- Add top level `make run_bpf_tests` target to run eBPF unit tests in the Cilium builder container (#25173, @ldelossa)
- Add User DaimlerTruck AG (#24408, @brandshaide)
- Add User doc to MR Template (#24186, @xmulligan)
- add versioning schema for WireGuard in Renovate (#24015, @aanm)
- Add Zero Hash to Cilium users (#25987, @eugenestarchenko)
- Added ClickHouse to users (#24532, @tsolodov)
- Added a new job group system to manage the lifecycle of jobs within cells (#24558, @dylandreimerink)
- Added gARP capability to L2 announcer feature (#25933, @dylandreimerink)
- Added link to CFP Design repo (#23792, @xmulligan)
- Added metrics for pkg/k8s/resource (#26269, @dylandreimerink)
- Adding Eficode to USERS.md (#25931, @punasusi)
- Adding eni limits for missing aws instances of families `c7g`, `m6idn`, `m6in`, `m7g`, `r6idn`, `r6in`, and `r7g` (#23835, @muratso)
- Adding United Cloud to adopters list (#25084, @carnerito)
- Adds a new NOTRACK rule for node-local-dns (#24230, @Weil0ng)
- Agent: add support for watching kvstoremesh prefixes (#26154, @giorio94)
- Alibabacloud API request performance improvements (#22478, @jaffcheng)
- alignchecker: fully parse structures (#24365, @aspsk)
- api: Add libraries to Pascalify API endpoints (#24967, @joestringer)
- Auth Map: Initial Garbage Collection (#25754, @mhofstetter)
- Auth use signalmap (#25284, @jrajahalme)
- auth: add missing config values to helm values (#25973, @mhofstetter)
- auth: add missing stream package import (#26018, @giorio94)
- auth: auth map cache (#25634, @mhofstetter)
- auth: define auth handlers as private hive cell (#24074, @mhofstetter)
- auth: delete cache-entry on ErrKeyNotExist (#26342, @mhofstetter)
- auth: display textual representation of auth type in authKey.String() (#26525, @mhofstetter)
- auth: Enable ClusterFirstWithHostNet dnsPolicy conditionally (#24803, @sayboras)
- auth: feature flag for authentication (#26208, @mhofstetter)
- auth: fix initial k8s events sync in auth map gc (#26059, @mhofstetter)
- auth: implement re-authentication in case of rotated certificates (#25927, @mhofstetter)
- auth: introduce hive cell (modularization) (#24041, @mhofstetter)
- auth: optimize log output for pending auth (Backport MR #26734, Upstream MR #26642, @mhofstetter)
- auth: policy based auth map GC (#26068, @mhofstetter)
- auth: streamline logging (#25965, @mhofstetter)
- auth: temporarily disable node-based auth gc (#26073, @mhofstetter)
- auth: Use authmap for auth_required policies (#24410, @jrajahalme)
- auth: use NodeManager instead of k8s.CiliumNodeResource in auth gc (Backport MR #26636, Upstream MR #26592, @mhofstetter)
- AWS CNI v1.12 Cilium install fixed. (#26084, @viktor-kurchenko)
- Backport the 64-bit stack alignment patch for LLVM, which is expected on all modern kernel versions. (#25338, @gentoo-root)
- backporting: Fix pattern to handle commit subjects that begin with a space (#25653, @gentoo-root)
- BGP CP: Adds Intro to Docs (#26195, @danehans)
- BGP CP: Updates docs for PeerPort (#25876, @danehans)
- bgpv1: component test framework (#25362, @harsimran-pabla)
- bgpv1: Documentation update to reflect current architecture (#25954, @harsimran-pabla)
- bgpv1: Don't use net package for addressing (#25313, @YutaroHayakawa)
- bgpv1: Fix use of k8s.LocalNodeResource and LocalCiliumNodeResource types (#25615, @joamaki)
- bgpv1: graceful restart component test (#25914, @harsimran-pabla)
- BGPv1: Introduce generic bgp manager layer (#25016, @harsimran-pabla)
- bgpv1: pass router state to gobgp (#26194, @harsimran-pabla)
- bgpv1: Reset BGP session in UpdateNeighbor if necessary (#25827, @rastislavs)
- bgpv1: set correct upper limits to BPG timers and GR restart time (Backport MR #26636, Upstream MR #26534, @harsimran-pabla)
- bgpv1: use slim_core_v1 node instead of corev1 in test fixtures (#25625, @harsimran-pabla)
- bom: update to version 0.5.1 (#25451, @mhofstetter)
- bpf & envoy: Add support for authentication on ingress policies (#23839, @mhofstetter)
- bpf, cilium/cmd: remove unused hidden `cilium bpf migrate-map` sub-command (#25196, @tklauser)
- bpf, datapath: unconditionally assume support for direct access to map values (#24504, @tklauser)
- bpf, datapath: unconditionally assume support for LRU hash maps (#24378, @tklauser)
- bpf, ebpf: remove GetMapType() and mock probing (#23634, @rgo3)
- bpf, ipcache: unconditionally assume LPM trie delete/dump support (#24377, @tklauser)
- bpf/init.sh: move node config generation to Go (#25380, @rgo3)
- bpf/Makefile: Delete duplicate LB_OPTIONS in Makefile (#24883, @jschwinger233)
- bpf/makefile: fix spelling issue and make it clear which bear cli. (#25273, @tommyp1ckles)
- bpf/nat: remove unnecessary nexthdr variable (#24537, @sahid)
- bpf/wireguard: Skip encryption for cluster-external traffic (#24586, @pchaigno)
- bpf: add drop reason for TTL exceeded (Backport MR #27038, Upstream MR #26884, @julianwiedmann)
- bpf: add new macro __section_entry (#26123, @Jack-R-lantern)
- bpf: clean up some revalidate_data() users (#25337, @julianwiedmann)
- bpf: Consistent usage of `MARK_MAGIC_` constants (#23125, @pchaigno)
- bpf: dsr: fix IPIP health-encap on older kernels (Backport MR #26636, Upstream MR #26609, @julianwiedmann)
- bpf: encap: endianness cleanups (#23931, @julianwiedmann)
- bpf: encap: send TO_OVERLAY trace before adding encapsulation (#25828, @julianwiedmann)
- bpf: fib: delay smac selection until fib_do_redirect() has picked the oif (#26290, @julianwiedmann)
- bpf: Fix VTEP compilation error (#24152, @pchaigno)
- bpf: fixes for IPv6 revNAT (#24610, @julianwiedmann)
- bpf: handle VLAN before XDP meta-data in from-netdev (#24063, @julianwiedmann)
- bpf: init.sh: rename TUNNEL_MODE variable to TUNNEL_PROTOCOL (#24969, @julianwiedmann)
- bpf: Inter-cluster SNAT with ClusterIP global service (#24212, @YutaroHayakawa)
- bpf: Introduce per-cluster conntrack maps (#22857, @YutaroHayakawa)
- bpf: L3 cleanups (#23876, @julianwiedmann)
- bpf: lb: clean up IPv4 loopback handling (#25456, @julianwiedmann)
- bpf: lb: minor cleanups (#26216, @julianwiedmann)
- bpf: lb: misc cleanups (#25372, @julianwiedmann)
- bpf: lb: small cleanups (#24320, @julianwiedmann)
- bpf: minor HostFW cleanups (#25881, @julianwiedmann)
- bpf: minor improvements to XDP punt with XFER_PKT_NO_SVC (#23106, @julianwiedmann)
- bpf: minor LB cleanups (#25061, @julianwiedmann)
- bpf: misc cleanups (#24291, @julianwiedmann)
- bpf: misc CT cleanups (#26104, @julianwiedmann)
- bpf: nat: consistently use has_l4_header in IPv4 SNAT path (#25741, @julianwiedmann)
- bpf: nat: fix build error in snat_v6_prepare_state() (#26510, @julianwiedmann)
- bpf: nat: fix L4 csum case in ingress path for ICMP-embedded SCTP (#25315, @julianwiedmann)
- bpf: nat: reduce CT lookup scope (#25917, @julianwiedmann)
- bpf: nat: remove unused ct_delete*() helpers (#26076, @julianwiedmann)
- bpf: nat: tolerate unhandled protocol types in revSNAT path (#25740, @julianwiedmann)
- bpf: nodeport cleanups (#23965, @julianwiedmann)
- bpf: nodeport: don't set .addr in revSNAT target (#25381, @julianwiedmann)
- bpf: nodeport: don't track L2 addr for connection to local backend (#24324, @julianwiedmann)
- bpf: nodeport: handle result from encap ctx_redirect() in revDNAT path (#25058, @julianwiedmann)
- bpf: nodeport: only set outer src IP for tunnel encap in XDP (Backport MR #26799, Upstream MR #26726, @julianwiedmann)
- bpf: nodeport: reduce CT lookup scope (#25826, @julianwiedmann)
- bpf: nodeport: remove lb4_populate_ports() (#25063, @julianwiedmann)
- bpf: nodeport: SNAT before adding tunnel info in NAT egress path (#25305, @julianwiedmann)
- bpf: nodeport: trivial cleanups (#24732, @julianwiedmann)
- bpf: nodeport: wire up ext_err in revSNAT path (#25406, @julianwiedmann)
- bpf: remove a redundant IPcache lookup in from-host (#24107, @julianwiedmann)
- bpf: Remove dead code for consistency between IPv4/v6 (#24008, @pchaigno)
- bpf: Remove flowlabel optimization for identity (#23795, @pchaigno)
- bpf: remove MapInfo, DumpParser and MapKey/Value DeepCopy (#25792, @ti-mo)
- bpf: remove redundant policy_mark_skip() in handle_ipv6_from_lxc() (#23447, @julianwiedmann)
- bpf: remove special handle for ICMPv6 echo targeting router IPv6 (#24921, @jschwinger233)
- bpf: Remove unneeded orig_dip from ipv6_host_policy_egress (#23724, @gentoo-root)
- bpf: Remove unneeded orig_sip from ipv6_host_policy_ingress (#23577, @gentoo-root)
- bpf: remove unused type ProgType and ProgType* consts (#26360, @tklauser)
- bpf: Replace deprecated "-target bpf" with "--target=bpf" for clang (Backport MR #26636, Upstream MR #26553, @qmonnet)
- bpf: simplify adding/removing types to alignchecker (#24736, @aspsk)
- bpf: small CT cleanups (#24686, @julianwiedmann)
- bpf: test: Fix the byte order in the IPV4 macro (#25114, @gentoo-root)
- bpf: Update IPv6 BPF masquerading code to bring it closer to IPv4's, fix SNAT for packets from local endpoints, for overlay (#26236, @qmonnet)
- bpf: Use inline assembly for packet context access, to prevent some undesirable optimizations from LLVM (#25336, @qmonnet)
- bpf: xdp: fix coccicheck warning about DROP_MISSED_TAIL_CALL (#25924, @julianwiedmann)
- bpf: xdp: use CT tuple hash for tunnel encap's source port (#26177, @julianwiedmann)
- Break import cycles and move the datapath cell to datapath/cell.go (#24337, @bimmlerd)
- bug: Fix Potential Nil Reference in GetLabels Implementation (#24416, @nathanjsweet)
- bugtool: dump auth map related information (#26066, @mhofstetter)
- bugtool: improve ss output (#24334, @squeed)
- bugtool: simplify `removeIfEmpty` with more efficient `os.ReadDir` (#24566, @Juneezee)
- Build test darwin target (#23358, @aditighag)
- build(deps): bump actions/cache from 3.0.11 to 3.2.3 (#22981, @dependabot[bot])
- build(deps): bump actions/cache from 3.2.3 to 3.2.4 (#23450, @dependabot[bot])
- build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22956, @dependabot[bot])
- build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23411, @dependabot[bot])
- build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22706, @dependabot[bot])
- build(deps): bump actions/stale from 6.0.1 to 7.0.0 (#22828, @dependabot[bot])
- build(deps): bump azure/setup-helm from 3.4 to 3.5 (#22705, @dependabot[bot])
- build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23112, @dependabot[bot])
- build(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 (#23489, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 (#23449, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#23593, @dependabot[bot])
- build(deps): bump github.com/cilium/lumberjack/v2 from 2.2.2 to 2.3.0 (#22448, @dependabot[bot])
- build(deps): bump github.com/containernetworking/plugins from 1.1.1 to 1.2.0 (#23294, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.23+incompatible (#23388, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible (#23664, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible (#24753, @dependabot[bot])
- build(deps): bump github.com/go-openapi/spec from 0.20.7 to 0.20.8 (#23673, @dependabot[bot])
- build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.26.0 (#23295, @dependabot[bot])
- build(deps): bump github.com/osrg/gobgp/v3 from 3.5.0 to 3.10.0 (#22908, @dependabot[bot])
- build(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 (#23069, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.23.1 (#23511, @dependabot[bot])
- build(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#23414, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22758, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.39 to 2.2.1 (#23410, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.2.1 to 2.2.2 (#23608, @dependabot[bot])
- build(deps): bump github/codeql-action from `959cbb7` to 2.1.39 (#23196, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.6 to 3.5.7 (#23571, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.6 to 3.5.7 (#23649, @dependabot[bot])
- build(deps): bump go.opentelemetry.io/otel/trace from 1.11.2 to 1.12.0 (#23454, @dependabot[bot])
- build(deps): bump go.uber.org/dig from 1.15.0 to 1.16.0 (#23039, @dependabot[bot])
- build(deps): bump go.uber.org/dig from 1.16.0 to 1.16.1 (#23188, @dependabot[bot])
- build(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#23067, @dependabot[bot])
- build(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#22941, @dependabot[bot])
- build(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#23651, @dependabot[bot])
- build(deps): bump golang.org/x/tools from 0.4.0 to 0.5.0 (#23610, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23249, @dependabot[bot])
- build(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 (#23570, @dependabot[bot])
- build(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.3 (#23390, @dependabot[bot])
- build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22707, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.6.1 to 1.7.0 (#23386, @dependabot[bot])
- build(deps): bump nick-invision/retry from 2.8.2 to 2.8.3 (#22895, @dependabot[bot])
- build(deps): bump requests from 2.28.2 to 2.31.0 in /Documentation (#25603, @dependabot[bot])
- build: Avoid cross compilation issue on Windows (#25904, @sayboras)
- build: custom-vet-check should respect make variable GO (#23668, @mhofstetter)
- Bump readme with 1.13.0 (#23786, @aanm)
- Bump version in Readme and fix script (#24459, @aanm)
- Bumped CoverBee to v0.3.0 and cilium/ebpf to v0.10.0 (#23212, @dylandreimerink)
- Bumped CoverBee version to v0.3.2 (#24180, @dylandreimerink)
- certificatemanager,daemon: Modularized the certificate manager (#23132, @dylandreimerink)
- certloader: Correctly support RequestClientCert in WatchedClientConfig (Backport MR #26887, Upstream MR #26812, @chancez)
- Change enableEndpointCRD helm option type from string to boolean. Fix operator panic that occurs when Endpoint CRD is disabled and CiliumEndpointSlice is enabled (#25798, @doniacld)
- Change wording on toServices limitations (see #20067) (#25796, @atykhyy)
- Check IP Family for LB source range (#24273, @sugangli)
- chore(deps): pin dependencies (main) (#25275, @renovate[bot])
- chore(deps): update actions/checkout action to v3.3.0 (master) (#23674, @renovate[bot])
- chore(deps): update actions/setup-go action to v4 (main) (#24981, @renovate[bot])
- chore(deps): update actions/setup-go action to v4.0.1 (main) (#26313, @renovate[bot])
- chore(deps): update actions/stale action to v8 (main) (#25047, @renovate[bot])
- chore(deps): update actions/upload-artifact action to v3 (main) (#25048, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#24995, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#25401, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#25850, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#26306, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25198, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25540, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25701, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25846, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26054, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26425, @renovate[bot])
- chore(deps): update all github action dependencies (master) (minor) (#24006, @renovate[bot])
- chore(deps): update all github action dependencies (master) (minor) (#24280, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#23671, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#23918, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#24278, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#24513, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (minor) (#26699, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (minor) (#26824, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (patch) (#26698, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (patch) (#26823, @renovate[bot])
- chore(deps): update all github action dependencies to v1.1.1 (main) (patch) (#25402, @renovate[bot])
- chore(deps): update aws-actions/configure-aws-credentials action to v2 (master) (#24281, @renovate[bot])
- chore(deps): update base-images (master) (#22565, @renovate[bot])
- chore(deps): update base-images (master) (#24102, @renovate[bot])
- chore(deps): update base-images (master) (#24439, @renovate[bot])
- chore(deps): update base-images (master) (minor) (#23563, @renovate[bot])
- chore(deps): update cilium cli (main) (minor) (#25245, @renovate[bot])
- chore(deps): update cilium/cilium-cli digest to `207512c` (main) (#25397, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.13.2 (main) (#25027, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.3 (main) (#25541, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.5 (main) (#25700, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.7 (main) (#25847, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.8 (main) (#26482, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.0 (v1.14) (#26700, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.2 (v1.14) (#26782, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.4 (v1.14) (#26876, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.1 (master) (#23518, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.2 (master) (#23773, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.3 (master) (#24703, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.6 (main) (#26041, @renovate[bot])
- chore(deps): update dependency go to v1.20.5 (main) (#26051, @renovate[bot])
- chore(deps): update dependency google/gops to v0.3.27 (master) (#24005, @renovate[bot])
- chore(deps): update dependency kubernetes-sigs/kind to v0.20.0 (main) (#26428, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.1 (master) (#22996, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.2 (master) (#23672, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (master) (#24639, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.0 (main) (#25415, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26261, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26297, @renovate[bot])
- chore(deps): update docker.io/library/alpine:3.17.2 docker digest to `ff6bdca` (master) (#24354, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23753, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23754, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.1 (master) (#23562, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24231, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24232, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.5 (main) (#26304, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.5 docker digest to `572f680` (master) (#23575, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.1 docker digest to `52921e6` (master) (#24103, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.4 docker digest to `690e413` (main) (#25277, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to `6b3fa4b` (main) (#26050, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to `8f958bf` (main) (#26283, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to `fd9306e` (v1.14) (#26696, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to `0bced47` (v1.14) (#26697, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to `2a357c4` (main) (#26284, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to `ac58ff7` (main) (#25295, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to `f05532b` (master) (#23477, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `149531e` (master) (#24614, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `21e5d22` (master) (#23726, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `26d07ba` (master) (#23352, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `42ddd0c` (master) (#23602, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `48e033b` (master) (#23654, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `6b01107` (master) (#23498, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `9ecc53c` (main) (#25398, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `9ecc53c` (main) (#26285, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `ddde70b` (master) (#24254, @renovate[bot])
- chore(deps): update github/codeql-action action to v2.2.12 (main) (#25034, @renovate[bot])
- chore(deps): update github/codeql-action action to v2.2.5 (master) (#24023, @renovate[bot])
- chore(deps): update go to v1.20.3 (main) (patch) (#24980, @renovate[bot])
- chore(deps): update go to v1.20.4 (main) (patch) (#25246, @renovate[bot])
- chore(deps): update go to v1.20.5 (main) (patch) (#25957, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.52.2 (master) (#24722, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.53.2 (main) (#25841, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.53.3 (main) (#26258, @renovate[bot])
- chore(deps): update helm/kind-action action to v1.7.0 (main) (#25546, @renovate[bot])
- chore(deps): update hubble cli to v0.11.5 (main) (patch) (#25124, @renovate[bot])
- chore(deps): update hubble cli to v0.12.0 (v1.14) (minor) (#26763, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.1 (master) (#23519, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (master) (#23774, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (master) (#24465, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (main) (#25996, @renovate[bot])
- chore(deps): update sigstore/cosign-installer action to v3 (master) (#24282, @renovate[bot])
- chore: Fix typos in comments (#22837, @mainred)
- chore: Update json-mock image (#24173, @sayboras)
- chore: use errors.Is to check for a specific error (#22912, @Fish-pro)
- ci, l4lb: Remove leftover args after DinD conversion (#23257, @borkmann)
- ci: only report status after matrix jobs are done (#23865, @spacewander)
- ci: update cilium-cli etcd version to v3.5.4 (#24028, @kahirokunn)
- ci: update cilium-cli using renovate bot (#23902, @tklauser)
- cilium statedb dump command & bugtool (#26256, @joamaki)
- cilium, bigtcp: Add max gso/gro rates to sysdump (#26392, @borkmann)
- cilium, bigtcp: Make probing for GRO/GSO max size more graceful (#26385, @borkmann)
- cilium-cni: remove duplicated link set up operation (#23766, @giorio94)
- cilium/cmd: Deprecate `cilium endpoint regenerate` command (#25949, @christarazi)
- cilium: enable bpf host routing with per endpoint routes for IPv6 as well (#26205, @borkmann)
- cilium: Improve IPv6 BIG TCP probing (#26303, @borkmann)
- cilium: Repoint netlink lib back to upstream. (#26359, @borkmann)
- Cleanup: improve metav1 package import statement (#23248, @my-git9)
- cli: add "cilium bpf config list" (#26105, @mhofstetter)
- cli: Remove unnecessary type for variable vp (Viper) (#23105, @tanberBro)
- clustermesh-apiserver: add missing metrics and documentation (#26070, @giorio94)
- clustermesh-apiserver: don't wait for the presence of unused CRDs (#26220, @giorio94)
- clustermesh-apiserver: ExternalTrafficPolicy and internalTrafficPolicy can now be changed. (#24166, @kahirokunn)
- clustermesh-apiserver: extract kvstore client initialization and heartbeat logic in separate cells (#25554, @giorio94)
- clustermesh-apiserver: rework identities, endpoints and nodes synchronization to improve performance (#25049, @giorio94)
- clustermesh/types: don't panic on invalid IP in PrefixClusterFromCIDR (#23137, @tklauser)
- clustermesh: allow waiting for the CiliumClusterConfig to appear when required (#25671, @giorio94)
- clustermesh: ensure that the status of the remote clusters controller is correctly reported (#26271, @giorio94)
- clustermesh: fix broken test due to merge race (#26389, @giorio94)
- clustermesh: fix client usage when setting the cluster configuration (#24591, @giorio94)
- clustermesh: fix SyncedCanaries capability name mismatch (#25685, @giorio94)
- clustermesh: improve reliability of TestClusterMesh (#26370, @giorio94)
- clustermesh: Introduce ClusterID reservation mechanism (#26124, @marseel)
- clustermesh: Introduce per-cluster NAT maps (#22875, @YutaroHayakawa)
- clustermesh: Make IPCache CPlane aware of the ClusterID (#22935, @YutaroHayakawa)
- clustermesh: reduce memory consumption due to non-shared services (#23948, @giorio94)
- clustermesh: remote services handling misc improvements (#24515, @giorio94)
- clustermesh: split the generic logic from the specific part (#25921, @giorio94)
- clustermesh: unbreak test (#26294, @giorio94)
- cmd/policy: Close file descriptor if required (#23945, @jiuker)
- cmd: enhance cilium bpf policy list&get (#25389, @mhofstetter)
- cni-plugin: Clean up code (#26505, @gandro)
- cocci: Work around a bug in coccinelle to better check files, add a few missing `const` qualifiers to BPF code (#24606, @qmonnet)
- CODEOWNERS: Add cilium/ipcache for pkg/source (#25176, @christarazi)
- CODEOWNERS: Add ownerships of new BGP team (#23916, @pchaigno)
- CODEOWNERS: additional coverage (#23494, @tklauser)
- CODEOWNERS: assign /pkg/auth to sig-servicemesh (#23844, @mhofstetter)
- CODEOWNERS: assign images/hubble-relay to SIG Hubble (#23277, @rolinh)
- CODEOWNERS: assign operator/pkg/{gateway-api,model} to @cilium/sig-servicemesh (#22683, @tklauser)
- CODEOWNERS: Assign pkg/slices to sig-foundations (#25737, @pippolo84)
- CODEOWNERS: Cover test/bpf_tests by sig-datapath (#22928, @christarazi)
- CODEOWNERS: Cover the egress gateway guide (#23194, @pchaigno)
- CODEOWNERS: Fold cilium/health into cilium/sig-agent (#23952, @pchaigno)
- CODEOWNERS: include @cilium/sig-datapath for all datapath specific CI changes (#24487, @tklauser)
- CODEOWNERS: Make Hubble team (not docs-structure) own examples/hubble (#23778, @qmonnet)
- CODEOWNERS: pkg/bpf to loader, pkg/recorder to sig-datapath (#25648, @ti-mo)
- command/exec: remove unused (*Cmd).WithFilters method (#25642, @tklauser)
- config: fix tunnel port for DSR-GENEVE with direct-routing (#25384, @julianwiedmann)
- config: spell out that --egress-masquerade-interfaces is for iptables (Backport MR #27055, Upstream MR #26950, @julianwiedmann)
- configmap & utime sync: provide via hive cell (#24830, @mhofstetter)
- conformance-runtime: remove optimizations and update little-vm-helper (#25825, @aanm)
- contrib/kind: adapt clustermesh related make targets to recent changes (#24693, @giorio94)
- contrib/kind: default to dual-stack clusters (#23646, @squeed)
- contrib/scripts: Ignore all vendor sub-directories (#25566, @michi-covalent)
- contrib: Add devcontainer configuration (#22856, @sayboras)
- contrib: Add support for snapshot releases (#24092, @joestringer)
- contrib: detect pre-release version correctly (#24708, @aanm)
- contrib: Fix codegen script to avoid double make (#24718, @joestringer)
- contrib: Fix GitHub token check to allow fine-grained tokens (#22963, @gentoo-root)
- contrib: output easier way to install Cilium in kind. (#23488, @squeed)
- contrib: Remove deb,rpm packaging (#23081, @joestringer)
- contrib: Set IPv6 for dual-stack Kubernetes nodeIP on dev VM (#23543, @jschwinger233)
- Controller clean up (#25579, @jrajahalme)
- Convert daemon ipcache usages to new ipcache async API (#25749, @christarazi)
- Convert the clustermesh subsystem into a hive.Cell (#25561, @giorio94)
- converted node manager dynamic metrics into modular metrics (#25887, @dylandreimerink)
- CRD List Generation (#25910, @dhawton)
- crd: Refactor RegisterCRDsCell to be extensible (#25590, @pippolo84)
- daemon, ipam: omit IPAM mode check before calling ipam.Allocator.RestoreFinished (#25041, @tklauser)
- daemon, ipcache: Plumb root context to IP identity watcher (#22626, @christarazi)
- daemon, maps/ipcache: Replace usage of `net.IP*` for ingress IPs (#26045, @christarazi)
- daemon/cmd: fix a couple of func doc string (#25030, @cuishuang)
- daemon: Check for leaked goroutines from the agent cell (#24076, @joamaki)
- daemon: Clarify host IP sync controller's intent (#21743, @christarazi)
- daemon: Document the use for required API options (#25170, @joestringer)
- daemon: fix issue where IPAM options in custom CNI confs was ignored (Backport MR #26799, Upstream MR #26732, @squeed)
- daemon: fix spelling in ipam-multi-pool-pre-allocation flag usage (#26529, @tklauser)
- daemon: ignore EEXIST on NodeEnsureLocalIMRule (#24645, @tklauser)
- daemon: Log warning if BPF Clock probe fail (#25287, @pchaigno)
- daemon: Mark flag for node encryption as beta (#25319, @pchaigno)
- daemon: move circular initialization of policy.Repository to hive (#24073, @lmb)
- daemon: Perform early (partial) local node info initialization (#24866, @joamaki)
- daemon: Remove encrypt key from syncHostIPs() (#25252, @christarazi)
- daemon: Remove execute bit from test (#25150, @joestringer)
- daemon: Update code comment regarding PolicyReactionEvent (#25607, @christarazi)
- daemon: use netlink for managed neighbor support probe (#25134, @rgo3)
- daemon: use the real err instead of a nil one (#24115, @spacewander)
- datapath: Add auth_type to policy verdict message (#25410, @jrajahalme)
- datapath: Introduce helpers for __ctx_is checks (#23820, @spacewander)
- datapath: Switch to LPM policy map (#23885, @jrajahalme)
- dev: disable bpf monitor aggregation in kind helm values (#23846, @mhofstetter)
- dnsproxy: Improve regex used for matching dns queries by reducing its complexity and size to save memory and speed up matching (#20246, @odinuge)
- dnsproxy: stop using the regex lru in the dns proxy to avoid keeping large unused regex in memory when no longer needed (#22584, @odinuge)
- Do not upgrade to golang 1.20 in 1.13 branch (#23723, @aanm)
- doc: Documented incompatibility of EgressGW and kvstore (Backport MR #26636, Upstream MR #26139, @PhilipSchmid)
- doc: update masquerading.rst to reflect new support for icmp (#24556, @sahid)
- docs(bpf): update unprivileged_bpf_disabled description (#23378, @spacewander)
- docs, kpr, maglev: Move Maglev out of beta (Backport MR #26636, Upstream MR #19541, @borkmann)
- docs/contributing: update CRD registration instructions (#25008, @tklauser)
- docs/ipsec: Clarify limitation on number of nodes (Backport MR #26838, Upstream MR #26810, @pchaigno)
- docs/ipsec: Document RSS limitation (Backport MR #27038, Upstream MR #26979, @pchaigno)
- docs/ipsec: Extend troubleshooting section (Backport MR #27038, Upstream MR #26808, @pchaigno)
- docs/testing/e2e: correct cilium-cli usage for helm mode (Backport MR #26887, Upstream MR #26840, @tklauser)
- Docs: Add `policy_implementation_delay` to metrics (#22998, @learnitall)
- docs: Add a comparison table for IPAM modes (#24285, @raphink)
- docs: Add APAC timezone meeting to README (#24902, @lizrice)
- docs: Add contact link to threat model (#24674, @ferozsalam)
- docs: Add debugging guide for inspecting gops / pprof profiles (Backport MR #26734, Upstream MR #26675, @christarazi)
- docs: Add externalTrafficPolicy=Local description to BGP CPlane doc (#25960, @YutaroHayakawa)
- docs: add FOSSA badge to readme (#22737, @lizrice)
- docs: Add L2 Pod Announcements docs (Backport MR #26636, Upstream MR #26517, @markpash)
- docs: Add missing backslash in Helm command (#25800, @james0209)
- docs: Add notes for dev setup for Ubuntu desktop (#23691, @jschwinger233)
- docs: Add requirements for installing Cilium on Raspberry Pi (#23337, @darox)
- docs: Add section on development and RC images (#24424, @borkmann)
- docs: Add steps to start Hubble UI with cilium-cli, but only after Hubble itself has started (#25538, @fujitatomoya)
- docs: add trace observation point description (#23028, @mainred)
- docs: add upgrade note about deletion of stale entries in clustermesh (#26067, @giorio94)
- docs: Clarify committer vote procedures (#22787, @joestringer)
- docs: Clarify the steps to update images (#25367, @gentoo-root)
- docs: cleanup SPIRE & Envoy values in helm reference (#26039, @mhofstetter)
- docs: Deprecate `cluster-pool-v2beta` (#25767, @gandro)
- docs: Disable host DNS resolver with Virtualbox for Minikube quick installation guide (#25569, @zhouhaibing089)
- docs: Document the hooks that Cilium uses (#22792, @joestringer)
- docs: Endpoints are local to the node on which the cilium agent is running. (#24017, @tnorlin)
- docs: Fix a typo in Istio integration documentation (#23584, @yanggangtony)
- docs: Fix a typo in K8s with Kubespray installation guide (#23585, @yanggangtony)
- docs: Fix gRPC API generation for online docs (Backport MR #27097, Upstream MR #27014, @qmonnet)
- docs: Fix Makefile target name in CODEOWNERS update hint (#24583, @ferozsalam)
- docs: fix Rule spec document typos (#24319, @nrnrk)
- docs: fix Rule spec document typos (#24443, @nrnrk)
- docs: fix SCM_WEB reference on mtls-auth docs (Backport MR #26914, Upstream MR #26899, @aanm)
- docs: Fix the cilium-cli default branch name (#26461, @michi-covalent)
- docs: Fix the cilium/proxy default branch name (#26464, @learnitall)
- docs: fix typos and formatting (#25365, @peterj)
- docs: fixed search for every page (Backport MR #27069, Upstream MR #26892, @geakstr)
- docs: Fixing typo in description of label release-note/ci (#24665, @mhofstetter)
- docs: HOWTO run cilium-cli e2e connectivity tests (Backport MR #26734, Upstream MR #25217, @brb)
- docs: Ignore Helm values, update spelling list (Backport MR #26838, Upstream MR #26759, @qmonnet)
- docs: Improve description of the installation steps to run cilium documentation locally (#24056, @kayceeDev)
- docs: Istio docs fix sidecar inject method (Backport MR #26636, Upstream MR #26526, @networkop)
- docs: Make CRD compat script work on older trees (#23710, @joestringer)
- docs: Mark IPv6 BPF masquerading as beta (#26499, @qmonnet)
- docs: Mention --kube-proxy-replacement=boolean changes (Backport MR #26734, Upstream MR #26577, @brb)
- docs: Mention caveats about kube-proxy replacement config changes (#24531, @aditighag)
- docs: modify `MRELOAD_VM` for local CI VM (#22902, @Shunpoco)
- Docs: Move Maintainers to Committers (#24124, @xmulligan)
- docs: Multi-Pool IPAM now partially supports iptables-based NAT (Backport MR #26636, Upstream MR #26522, @gandro)
- docs: Note that CiliumEndpointSlice and K8s' EndpointSlice are distinct (#24842, @qmonnet)
- docs: Pick up PyYAML 6.0.1 (Backport MR #26887, Upstream MR #26883, @michi-covalent)
- docs: Policy Audit Mode improvements (#23591, @kaworu)
- docs: Promote Deny Policies out of Beta (#23921, @nathanjsweet)
- docs: Regenerate codeowners documentation (#23979, @pchaigno)
- docs: remove clustermesh-apiserver gops port from system requirements (#26230, @giorio94)
- docs: Remove custom entities note (Backport MR #26887, Upstream MR #26655, @joestringer)
- docs: remove no-longer-valid known policy issue (Backport MR #26799, Upstream MR #26660, @squeed)
- docs: Remove sockops, sockmaps from eBPF datapath diagrams (#24824, @zacharysarah)
- docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (#24099, @qmonnet)
- docs: Slack updates (#25723, @lizrice)
- docs: Specify Helm chart version in "cilium install" commands (Backport MR #27038, Upstream MR #26934, @michi-covalent)
- Docs: Update BGP docs to reflect CRD consolidation (#26196, @rastislavs)
- docs: Update cluster mesh instructions (Backport MR #26734, Upstream MR #26608, @michi-covalent)
- docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (#24014, @qmonnet)
- docs: Update development setup with preferred kind-based approach (#25535, @christarazi)
- docs: Update Documentation on Deny Policy Bug Fix (#23468, @nathanjsweet)
- docs: Update gateway-api version to v0.6.1 (#25439, @sayboras)
- docs: Update Go Extension docs (Backport MR #26799, Upstream MR #26504, @sayboras)
- docs: Update governance voting templates (#25802, @joestringer)
- docs: Update hostfw tuto with ICMP policy rule (#22999, @pchaigno)
- docs: Update KMR limitations wrt IPsec (#22775, @raymonddejong)
- docs: update KMR section on DSR (Backport MR #26636, Upstream MR #26582, @julianwiedmann)
- docs: Update kvstore documentation with potential circular dependency. (#26353, @marseel)
- docs: Update output for "cilium status" when troubleshooting (extensions/v1beta1::Ingress now deprecated in favor of networking.k8s.io/v1beta1::Ingress) (#22968, @yulng)
- docs: Update the docs for Helm mode Cilium CLI (Backport MR #26734, Upstream MR #26606, @michi-covalent)
- docs: Upgrade Note For Deny Policy Fix (Backport MR #26636, Upstream MR #26245, @nathanjsweet)
- docs: Use kubeProxyReplacement=true for Gateway API docs (Backport MR #27097, Upstream MR #27066, @michi-covalent)
- docu: add section about envoy daemonset deployment (#26033, @mhofstetter)
- Document cilium_host's IPv6 change in upgrade guide (Backport MR #26734, Upstream MR #26615, @jschwinger233)
- Document contributor steps to update the Helm chart (#23739, @meyskens)
- Document how to migrate from Ingress to Gateway API (#25599, @nvibert)
- Document multi-pool IPAM mode (#26308, @tklauser)
- Documentation/community: add multi-pool IPAM to list of beta features (Backport MR #26636, Upstream MR #26566, @tklauser)
- Documentation: add CONFIG_SCHEDSTATS to required kconfigs (#26035, @ti-mo)
- Documentation: Add documentation for hive (#23746, @joamaki)
- Documentation: Add graceful restart section in BGP documentation (#26354, @harsimran-pabla)
- Documentation: add section to roadmap about modularization (#24096, @joamaki)
- Documentation: Document BGP timers & neighbor update behavior (#25906, @rastislavs)
- Documentation: enable parallel builds (#23752, @squeed)
- Documentation: explicitly state that KVStoreMesh is beta level as part of the feature title (Backport MR #27038, Upstream MR #26868, @giorio94)
- Documentation: Fix Envoy LB docs incorrect supported annotation values (Backport MR #27038, Upstream MR #26867, @rauanmayemir)
- Documentation: include bgp cli commands in bgp-cp documentation (#25691, @harsimran-pabla)
- documentation: remove release docs (#24463, @aanm)
- drop v1.10 support (#23903, @aanm)
- e2e-tests: git-ignore directory old-charts (#23705, @mhofstetter)
- Egress Gateway: make CiliumEndpoint reconciliation asynchronous from k8s watcher (Backport MR #26799, Upstream MR #26741, @jibi)
- egressgateway: provide a very basic Cell (#24330, @lmb)
- egressgw: add policies by source IP cache (#23967, @jibi)
- egressgw: fix up removal for IP routes (Backport MR #27097, Upstream MR #26857, @julianwiedmann)
- egressgw: improve reconciliation for IP routes (Backport MR #27097, Upstream MR #26721, @julianwiedmann)
- egressgw: improve reconciliation for IP rules (Backport MR #27097, Upstream MR #26736, @julianwiedmann)
- egressgw: optimize policy matching logic (#24042, @jibi)
- egressgw: policy: stop iterating through nodes after first match (#24898, @jibi)
- endpoint: don't hold the endpoint lock while generating policy (#26242, @squeed)
- endpoint: fix policy map sync warning due to policymap authtype diffs (#26218, @mhofstetter)
- endpoint: Update comments for ToMapState() usage (#24321, @joestringer)
- EndpointManager and NodeManager Cells (#21746, @joamaki)
- endpointmgr: guard against potential nil deref (#22521, @ldelossa)
- envoy: Avoid using deprecated field (#24043, @sayboras)
- envoy: Re-organize supported envoy resource import (#26469, @sayboras)
- envoy: remove unnecessary wait and log message after starting envoy (#24455, @mhofstetter)
- envoy: Support more envoy image tag formats (#24750, @sayboras)
- etcd: print debug message event value as string (#23714, @giorio94)
- etcd: start the status checker only after establishing the initial session (#26363, @giorio94)
- examples: setup HUBBLE_SERVER for the Hubble CLI Deployment (#24154, @kaworu)
- Extend ipcache key with ClusterID (#22200, @YutaroHayakawa)
- Extend tunnel map key with ClusterID (#22687, @YutaroHayakawa)
- feat: add teuto.net to USERS (#25088, @cwrau)
- Fix implicit conversion warning in DSR with GENEVE (#25299, @ysksuzuki)
- Fix "make -C Documentation builder-image" (Backport MR #26887, Upstream MR #26874, @michi-covalent)
- Fix 404s in the README.md (#23954, @aanm)
- Fix a typo in pkg/option/config.go (#23731, @meyskens)
- Fix and improve Conformance Ginkgo UX (#25950, @aanm)
- Fix bug that causes traffic not to be encrypted when WireGuard node encryption is enabled. (#24903, @3u13r)
- Fix CI image build cache (#26020, @aanm)
- Fix comment error about monitorNotify in `pkg/datapath/ipcache/listener.go`. (#23963, @hxysayhi)
- Fix fatal error when shutting down the clustermesh-apiserver (#25310, @giorio94)
- Fix hive test argument order and race (#25545, @bimmlerd)
- fix kind job with network policy failures (Backport MR #26799, Upstream MR #26639, @aojea)
- Fix kind.sh development scripts on MacOS (#25317, @chancez)
- Fix misleading use of bpf_ntohl (#24483, @lazybetrayer)
- Fix neighbor test flakes (#26156, @borkmann)
- Fix possible race condition in the clustermesh's users management test (#24652, @giorio94)
- Fix some map handling logic as well as some issues with CLI commands related to ip-masq-agent, introduced with IPv6 support (#26435, @qmonnet)
- Fix TLS policies after certificatemanager modularization (#23895, @tklauser)
- Fix typo in doc: network/concepts/ipam/crd.rst (#24908, @takp)
- fix(deps): pin dependencies (main) (#25026, @renovate[bot])
- fix(deps): pin dependencies (main) (#25539, @renovate[bot])
- fix(deps): pin dependencies (main) (#25849, @renovate[bot])
- fix(deps): pin dependencies (master) (#24147, @renovate[bot])
- fix(deps): pin dependencies (master) (#24277, @renovate[bot])
- fix(deps): pin dependencies (master) (#24299, @renovate[bot])
- fix(deps): pin dependencies (master) (#24438, @renovate[bot])
- fix(deps): pin dependencies (master) (#24659, @renovate[bot])
- fix(deps): pin dependencies (master) (#24881, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#26286, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#26429, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#25035, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#25414, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#25542, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26056, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26427, @renovate[bot])
- fix(deps): update all go dependencies master (master) (#23987, @renovate[bot])
- fix(deps): update all go dependencies master (master) (patch) (#23982, @renovate[bot])
- fix(deps): update all go dependencies master (master) (patch) (#24149, @renovate[bot])
- fix(deps): update all go dependencies master (master) (patch) (#24279, @renovate[bot])
- fix(deps): update all go dependencies master to v2 (master) (major) (#24110, @renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.11.0 (main) (#26319, @renovate[bot])
- fix(deps): update module google.golang.org/protobuf to v1.29.1 [security] (master) (#24376, @renovate[bot])
- fix(deps): update module gopkg.in/yaml.v2 to v3 (master) (#24112, @renovate[bot])
- fix: clean golang code for golint (#22665, @yulng)
- fix: Flag --ipv4-native-routing-cidr update in cli (#23643, @deepeshaburse)
- Fix: Link Security Team (#24135, @xmulligan)
- fix:'go routine' should be 'goroutine' (#22904, @yulng)
- fix:prevent goroutine leakage for pkg/k8s/watchers (#22362, @yulng)
- fix:Use ID instead of Id (#22569, @yulng)
- Fixed panic when generating code coverage report of eBPF tests (#24094, @dylandreimerink)
- fix:make fsnotify event more readable (#22903, @yulng)
- fqdn: use map to dedup to reduce memory usage of dns gc job (#25142, @odinuge)
- Further clarify the deprecation of MetalLB BGP ControlPlane in user facing docs. (Backport MR #27055, Upstream MR #27005, @ldelossa)
- garp: Introduce Gratuitous ARP Cell (#25254, @markpash)
- gateway-api: Add header modifier and splitting examples (#25186, @nvibert)
- gateway-api: now function GatewayAPI also supports TLSRoute (#26060, @spacewander)
- Generate preprocessed C source with BPF tests (#24093, @YutaroHayakawa)
- Get CEP from k8s cache during initialization. (#24340, @marseel)
- gha: fix conformance-ginkgo base branch retrieval (#26085, @giorio94)
- gha: Replace deprecated set-output commands (#22890, @sayboras)
- gha: Skip flaky test HTTMRouteHeaderMatching in GatewayAPI (#24169, @sayboras)
- go.mod, golangci-lint: update base Go version to 1.20 (#24113, @tklauser)
- go.mod, vendor: bump sigs.k8s.io/controller-runtime to v0.14.1 (#23011, @tklauser)
- Godoc improvements for `pkg/bgpv1` (#25686, @danehans)
- golangci-lint: Update to v1.51.2 (#24153, @mhofstetter)
- helm/hubble-ui: use v0.12.0 hubble-ui (Backport MR #27038, Upstream MR #27011, @geakstr)
- helm: `nodeEncryption` is only supported with WireGuard (#25770, @gandro)
- helm: add .extraEnv to cilium-agents config init container (#26408, @nberlee)
- helm: add extraArgs to clustermesh-apiserver (#25693, @rcanderson23)
- helm: Add support of additional labels to hubble ui ingress (#24077, @ReillyBrogan)
- helm: address review comments regarding helm value docs (#26296, @tklauser)
- helm: Allow adding annotations to certgen Job and CronJob (#22356, @eripa)
- helm: Avoid error in IDE due to .range keyword (#25766, @sayboras)
- helm: Correct the flag names in validate.yaml (#26167, @sayboras)
- helm: Fix typo in dashboard path (#24733, @jcpunk)
- helm: Ignore .github folder in .helmignore (#24719, @darox)
- helm: Parameterize image registries in Makefile.values (#24635, @michi-covalent)
- helm: Remove deprecated hubble.tls.ca (#25261, @ysksuzuki)
- helm: Remove duplicated key k8sClientRateLimit (Backport MR #27038, Upstream MR #26986, @sayboras)
- helm: Use kubeProxyReplacement as string (Backport MR #26636, Upstream MR #26549, @jrajahalme)
- hive/jobs: fix enqueueing of multiple jobs via variadic func (#25633, @mhofstetter)
- hive: Add hive.Command() (#23074, @joamaki)
- hive: Add support for config overrides in tests (#24597, @joamaki)
- hive: add support for map[string]string flags (#25643, @giorio94)
- hive: fix documentation for cell.Provide & cell.ProvidePrivate (#24238, @mhofstetter)
- hive: Make timer job test less flaky (#25308, @jrajahalme)
- hubble-relay: set WORKDIR to nonroot home (#23405, @kaworu)
- hubble: add a unique identifier to flows (#23638, @kaworu)
- hubble: fix Hubble Relay BASE_IMAGE (#23636, @kaworu)
- hubble: improve hubble lost event log rate limit (#24720, @kaworu)
- hubble: Optimize namespace tracking (Backport MR #26799, Upstream MR #26547, @glibsm)
- hubble: Remove spammy debug log message on lost events (#25321, @pchaigno)
- hubble: Use netip.Addr instead of net.IP in getter functions (#23143, @lambdanis)
- identity, policy: remove unused arguments from interfaces (#23946, @lmb)
- identity/cache: don't panic in CachingIdentityAllocator.Close() (#24694, @lmb)
- identity: cache: close channel in writing party (#25353, @bimmlerd)
- identity: Make identity allocations observable (#26373, @mhofstetter)
- images/builder: update proto dependencies (#24328, @rolinh)
- images: scripts to update and check envoy image version (#25413, @mhofstetter)
- images: update cilium-{runtime,builder} (#23146, @joestringer)
- images: update golang images to 1.19.5 (#23157, @aanm)
- images: update gops using renovate bot (#23907, @tklauser)
- Implement commands for listing per-cluster CT/SNAT maps (#24629, @YutaroHayakawa)
- Implement GC for per-cluster CT/SNAT maps (#24576, @YutaroHayakawa)
- Improve clustermesh's users management test reliability (#24917, @giorio94)
- improve inclusive language in governance (#23109, @xmulligan)
- Improve logging statements in CES usage and reduce code reuse (#22428, @yanggangtony)
- Improve Makefile to ease debugging (#26159, @pippolo84)
- Improve reliability of kvstore-related tests (#26347, @giorio94)
- Improved job docs on hive page (#25312, @dylandreimerink)
- Increase logging verbosity of Kubernetes API Server in kind (#24384, @marseel)
- Ignore updating client-go fork in renovate dependencies (#26305, @marseel)
- ingress: Avoid potential nil pointer during cleanup (#24444, @sayboras)
- ingress: Improve coverage with unit tests (#24684, @sayboras)
- init.sh,loader: load overlay programs in Go (#24876, @rgo3)
- init.sh: move socketlb creation into own pkg (#23557, @rgo3)
- Install fib rules and routes with proto kernel to avoid systemd messing with them (#24288, @NikAleksandrov)
- internal-feature: We removed all instances of io.ReadAll to reduce the attack surface of possible DoS attacks. (#22602, @nathanjsweet)
- introduces dedicated inline functions for per-packet-lb service translation on pod egress (#23715, @ldelossa)
- IPAM multipool followups (#26138, @tklauser)
- IPAM pools followups (#25498, @tklauser)
- ipam/allocator: remove unused Allocator methods (#25053, @tklauser)
- ipam/allocator: remove unused allocator types (#25963, @tklauser)
- ipam/multipool: wait for restoration before releasing CIDRs (Backport MR #26734, Upstream MR #26668, @tklauser)
- ipam: add method to get IP owner per pool (#24358, @tklauser)
- ipam: clean up terminology around excluded IPs (#23942, @tklauser)
- ipam: various minor cleanups (#23383, @tklauser)
- ipcache: Add ability to override identity via UpsertMetadata (#21667, @gandro)
- ipcache: fix not waiting for k8s caches to sync (#25975, @squeed)
- ipcache: Fix wrong assertion in ipcache metadata test (#23549, @christarazi)
- jenkinsfiles: remove ginkgo-based Jenkinsfiles (#26171, @aanm)
- k8s / policy: allow all services for toServices when using highscale ipcache (#26127, @squeed)
- k8s api: remove status documentation from CRD CiliumIdentity (#24512, @mhofstetter)
- k8s/watchers: Fix calling Done() with proper error (#24616, @christarazi)
- k8s/watchers: Fix erroneous warning logs due to empty CIDRGroupRef (#25072, @christarazi)
- k8s/watchers: Fix race condition in init functions (#23170, @christarazi)
- k8s: api: clean up CRD versioning (#24671, @julianwiedmann)
- k8s: fix ciliumpodippools CRD controller-gen version (#25976, @mhofstetter)
- k8s: remove unused singular CRD name consts (#25003, @tklauser)
- k8s: Split SharedResources into binary specific cells (#25757, @pippolo84)
- k8s: Update comment about rule preprocessing (#25864, @odinuge)
- k8s: use core/v1 consts for topology-aware hints annotation/label (#23538, @tklauser)
- k8s: Use Resource[*Pod] in pod watcher for the local pod watching (#26181, @joamaki)
- k8s: Use slim Node in LocalNode Resource and K8s watchers (#25282, @joamaki)
- kafka, go.mod, vendor: use github.com/cilium/kafka fork (#22689, @tklauser)
- kafka: remove unused package (#26523, @tklauser)
- kvstore/etcd: don't use atomic type for version check timeout (#24360, @tklauser)
- kvstore: limit keys attached to single lease, and react to expiration (#25966, @giorio94)
- kvstore: Propagate ClusterID with Service (#23514, @YutaroHayakawa)
- kvstore: share etcd client logger to reduce memory usage (#26485, @giorio94)
- kvstoremesh: mark the cilium-kvstoremesh secret as optional in the clustermesh-apiserver volume definition (#26318, @giorio94)
- labels, ipcache: Introduce convenience NewFrom() (#23218, @christarazi)
- labelsfilter: Assign review to sig-policy (#25290, @joestringer)
- loader: check enabled L7 proxy via config property (Backport MR #26636, Upstream MR #26627, @mhofstetter)
- Log error message on unhealthy /healthz check (#24683, @sjdot)
- MAINTAINERS.md: add Casey Callendrello to the list of maintainers (#23344, @tklauser)
- MAINTAINERS.md: add Julian Wiedmann (#23278, @tklauser)
- MAINTAINERS: add Dylan Reimerink to the list of maintainers (#25577, @ti-mo)
- MAINTAINERS: Add missing link to GitHub account (#23050, @christarazi)
- MAINTAINERS: Add Nick Young (#25874, @joestringer)
- MAINTAINERS: Move @twpayne to emeritus status (#23688, @twpayne)
- MAINTAINERS: updates company affiliations for Michal and Tom (#23138, @tklauser)
- Make api/v1/model/BackendAddressState const string, not manual define. (#22874, @yanggangtony)
- Make log statements easier to read (#22971, @yulng)
- make: rework kind-install-cilium-clustermesh for Cilium CLI Helm mode (Backport MR #26799, Upstream MR #26753, @giorio94)
- make: use vendored goimports to format generated APIs (#24810, @tklauser)
- Makefile: Fix kind deployment in quiet mode (#25873, @joestringer)
- makefile: introduce variable CILIUM_CLI for cilium cli binary (#25031, @mhofstetter)
- Makefile: new target kind-debug to debug cilium operator & agent in kind cluster (#23898, @mhofstetter)
- Makefile: remove -test.v from GOTEST_BASE (#25703, @ti-mo)
- Makefile: use CLI options to set local images for kind-install-cilium-clustermesh (#25810, @thorn3r)
- Mark tests as successful if they are not supposed to run (#23847, @aanm)
- Marking L2-announcements a beta feature (Backport MR #26914, Upstream MR #26891, @dylandreimerink)
- metrics: Metrics initial modularization (#25651, @dylandreimerink)
- metrics: provide the global services metric through the hive (#26157, @giorio94)
- Minor improvements to DNS proxy around `notifyOnDNSMsg()` (#22341, @christarazi)
- Modularize API server (api/v1/server) (#24016, @joamaki)
- Modularize eventsmap and monitor.Agent (#25197, @bimmlerd)
- monitor: update DBG_CT_LOOKUP4_2 / DBG_CT_LOOKUP6_2 output (Backport MR #26636, Upstream MR #26558, @julianwiedmann)
- Move @lzang to emeritus committer (#23373, @xmulligan)
- Move ct_lookup in bpf_host.c to a separate tailcall (#23831, @gentoo-root)
- Move github.com/cilium/ipam packages to main repo (#25289, @tklauser)
- Move policy package over to asynchronous IPCache API (#20116, @joestringer)
- Moved @raybejjani to Emeritus Committers (#23323, @raybejjani)
- multi-pool: Document unsupported kvstore mode (Backport MR #26734, Upstream MR #26662, @gandro)
- multi-pool: Support allocating from new IPAM pools on demand (#25765, @gandro)
- Mutual Auth Docs (Backport MR #26887, Upstream MR #25509, @nvibert)
- mutual-auth: Add beta label for helm and cli flags (Backport MR #27038, Upstream MR #26984, @sayboras)
- node/manager: Utilize set.SliceSubsetOf in ipcache deletion (#25180, @christarazi)
- node: register ipsec metric once (#25335, @jrajahalme)
- node: Use new asynchronous IPCache API for Manager (v2) (#23208, @christarazi)
- node_ids: introduce GetNodeID (#26155, @mhofstetter)
- nodehandler: register node-id restore as hive lifecycle hook (#25497, @mhofstetter)
- nodeid map: provide map via hive cell (#25574, @mhofstetter)
- nodemanager: inject ipcache into nodemanager via hive (#24261, @mhofstetter)
- Operator api server modularization (#24228, @pippolo84)
- operator, hive, k8s: don't call workerpool.New from hive constructors (#24419, @tklauser)
- operator, k8s: Prevent CEC watcher goroutine leak (#24316, @yulng)
- operator/cmd: add goleak check to TestOperatorHive (#24431, @tklauser)
- operator/cmd: Move Cilium Operator version log earlier (#25018, @christarazi)
- operator: Clarify log msg for unmanaged pods (#23855, @christarazi)
- operator: cleanup CRD registration (#23701, @mhofstetter)
- operator: fix deadlock when running in kvstore mode (#24631, @giorio94)
- operator: Fix use of Resource.Events() in CEC controller (#22844, @joamaki)
- operator: Remove duplicated package import (#24078, @pippolo84)
- Optimize `PrefixString()` (#23201, @christarazi)
- Optimize GetControllerName for CNP (#23717, @marseel)
- Optimize getting identity by key with CRD Backend by introducing indexer. (#23064, @alan-kut)
- Optimize the comparison mode of bool judgment (#22922, @Fish-pro)
- option: Skip `NodeEncryptionOptOutLabels` when marshalling to json (#24470, @gandro)
- Perform map creation and opening using cilium/ebpf API (#22693, @ti-mo)
- pkg/datapath: skip TestArpPingHandling due to flakiness (#25840, @aanm)
- pkg/datapath: skip TestArpPingHandlingForMultiDevice due to flakiness (#25821, @aanm)
- pkg/endpoint: Use structured logging for error condition (#22846, @christarazi)
- pkg/envoy/xds package cleanup (#24044, @tanberBro)
- pkg/ip: Remove redundant type conversions (#23108, @tanberBro)
- pkg/ipam: Update histogram buckets for trigger metrics (#25600, @hemanthmalla)
- pkg/ipcache: add ipcacher interface (#24274, @aanm)
- pkg/k8s: Replace label failure-domain.beta.kubernetes.io deprecated in K8s 1.17 (with topology.kubernetes.io) (#23177, @my-git9)
- pkg/policy: Add benchmark for ForEachGo (#22845, @christarazi)
- pkg/stream: Simplify ToChannel usage (#24432, @joamaki)
- plugins/cilium-cni: clean up code in cmdAdd (#26533, @tklauser)
- policy: Add GetAuthTypes() (#26116, @jrajahalme)
- policy: lazily start SelectorCache.handleUserNotifications (#24325, @lmb)
- policy: mapstate should respect authType in dataPath equality (#23780, @mhofstetter)
- policy: Optimize getNets() (#26345, @jrajahalme)
- policy: track policy rule origin per selector (#23811, @bimmlerd)
- policy: Utilize the DistillPolicy() code path in tests (#24402, @christarazi)
- Pprof modularization (#24114, @pippolo84)
- Preparatory refactoring for IPAM pools (#24247, @tklauser)
- Prepare for release v1.14.0-rc.0 (#26546, @joestringer)
- Prepare for release v1.14.0-snapshot.0 (#24091, @joestringer)
- Prepare for release v1.14.0-snapshot.1 (#24695, @aanm)
- Prepare for release v1.14.0-snapshot.3 (#25830, @aanm)
- Prepare for release v1.14.0-snapshot.4 (#26324, @joestringer)
- Prepare for v1.14 development cycle (#22614, @joestringer)
- Prepare for v1.14.0-snapshot.2 release (#25206, @joestringer)
- Prepare v1.14 stable branch (#26548, @joestringer)
- proxy: introduce initial proxy cell (#25779, @mhofstetter)
- Publish the 2022 Cilium security audits (#26213, @zacharysarah)
- README.rst, MLH: Update stable releases, following the latest round of patch releases. (#23421, @qmonnet)
- README.rst: Fix broken link to L7 policies (#24488, @PriyaSharma9)
- README.rst: Fix timezones in details for community meeting (#24520, @qmonnet)
- README: Bump latest snapshot release version (#26326, @joestringer)
- README: Bump prerelease to v1.14.0-snapshot.2 (#25207, @joestringer)
- README: Update for latest snapshot prerelease (#25845, @joestringer)
- Reduce amount of bpf instructions needed for handling ipv6 addresses (#25195, @ti-mo)
- Reduce the amount of repeating code in CT (#25356, @gentoo-root)
- Refactor CRD generation in Makefile (#24615, @christarazi)
- Refactor egressgateway specific maps into a cell (#24865, @lmb)
- Refactor generate-k8s-api in Makefile (#24651, @mhofstetter)
- Refactor k8s identities GC into a cell.Module (#22892, @pippolo84)
- Refactor node annotations (#23772, @marseel)
- Refactor set.SliceSubsetOf (#25559, @pippolo84)
- refactor: move CRD registration to separate cell (#24219, @knight42)
- Remove 'ip' shellout from setUpRoutingTable() (#26486, @ti-mo)
- Remove COSIGN_EXPERIMENTAL: "true" env variable for signing images (#24845, @sandipanpanda)
- Remove custom iproute2 fork (#26221, @ti-mo)
- Remove dependency on $GOPATH for `make generate-k8s-api` (#23428, @ldelossa)
- remove export from shell session to avoid the inconsistency (#22932, @fujitatomoya)
- Remove ip assignments for cilium_host from init.sh (#25771, @rgo3)
- Remove Jenkins CI documentation (Backport MR #26887, Upstream MR #26653, @joestringer)
- Remove references to GOPATH in documentation (#25942, @JamesLaverack)
- Remove relevant metrics series on pod deletion (#23162). (#23385, @marqc)
- Remove unused parameter from NewCachingIdentityAllocator (#25594, @giorio94)
- Rename master branch to main (#24717, @joestringer)
- Renovate configuration fixes (#25330, @kaworu)
- renovate/images: Revert accidental commits (#23497, @gandro)
- renovate: Add stop updating label (#24065, @sayboras)
- renovate: add support for GH workflow updates (#23625, @aanm)
- renovate: allow golang 1.20 in "v1.13" and "master" branch (#23547, @aanm)
- renovate: do not update 'github.com/mdlayher/arp' (#25807, @aanm)
- renovate: exclude github.com/{cilium,vishvananda}/netlink (#26311, @tklauser)
- renovate: fix config file format (#24109, @tklauser)
- renovate: group golangci-lint updates (#24688, @mhofstetter)
- renovate: ignore cilium-test Dockerfile (#23560, @aanm)
- renovate: update source import paths on Go module major updates (#24003, @tklauser)
- Replace client-go with private fork. (#26250, @marseel)
- Replace legacy bpf syscalls with ebpf-go library APIs (#25355, @ti-mo)
- Replace the string with constants from the http package (#25614, @Fish-pro)
- Replaces K8s NewDeltaFIFO with NewDeltaFIFOWithOptions (#25606, @danehans)
- Require binary.Size and unsafe.Sizeof of all types to match (#26340, @ti-mo)
- Resource API refactoring and shared resources (#21744, @joamaki)
- resource: Add Resource[Endpoints] and adapt existing watchers (#23977, @joamaki)
- resource: Fix flaky test due to missing Done call (#25646, @joamaki)
- resource: implement stream.Observable (#25934, @mhofstetter)
- Revert "agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26493, @joestringer)
- Revert "docs: fix Rule spec document typos" (#24418, @aditighag)
- Revert "kludge: hardcode Google Cloud SDK key due to error 500" (#24060, @sayboras)
- Revert "mlh: update Jenkins jobs following 1.27 support" (#25151, @pchaigno)
- Revert "Update k8s tests and libraries to v1.27.0" (#25044, @pchaigno)
- Revert and fix ip rules (#25350, @NikAleksandrov)
- Revert https://github.com/cilium/cilium/pull/24288 (#24676, @aanm)
- routing: Extend unit tests (#24933, @krabradosty)
- Run Hubble Relay as non-root user by default. (#23259, @rolinh)
- Service Mesh mTLS: auth request & response (#24159, @mhofstetter)
- Service Mesh mTLS: BPF map auth provided by hive cell (#24406, @mhofstetter)
- Service Mesh mTLS: Inject IPCache into auth manager via hive (#24259, @mhofstetter)
- Service Mesh mTLS: introduce auth map (#24218, @mhofstetter)
- Service Mesh mTLS: suppress policy verdict notification for authenticated packets (#24352, @mhofstetter)
- Silence misleading log messages about service resolution in clustermesh (Backport MR #26734, Upstream MR #26614, @giorio94)
- slices: Introduce slices.UniqueFunc() (#25743, @YutaroHayakawa)
- Slightly improve UX around passing `--metrics` (#22888, @christarazi)
- Small documentation fixups (Backport MR #27038, Upstream MR #26999, @aanm)
- sort identities by id/name to avoid random results (#23329, @nickolaev)
- source: Reorder sources based on strength (#25175, @christarazi)
- statedb: An in-memory database (#24523, @joamaki)
- statedb: Fix WriteJSON with multiple tables (#24970, @joamaki)
- stateId: delete redundant type conversion (#23056, @XiaozhiD-web)
- stream: Improve function documentation (#25922, @joamaki)
- test-l4lb: Use QUAY_ORGANIZATION_DEV as the Quay org name (#25050, @michi-covalent)
- test/k8s: make kafka tests more reliable (#26121, @aanm)
- test: bump upgrade tests to test 1.13 (#23790, @aanm)
- test: Update NetworkPolicy to networking.k8s.io/v1 (#22907, @yulng)
- testutils: remove gocheck (#25684, @lmb)
- This moves from the autogenerated badge from the deprecated `slackin` system hosted on heroku, to just a simple generated badge. (#26416, @thebsdbox)
- This moves from the larger default code spaces logo, to a smaller logo in keeping with all existing links in the README. (#26417, @thebsdbox)
- tools/maptool: correctly build with CGO_ENABLED=0 if not in RACE mode (#24142, @tklauser)
- treewide: Fix code comment stutters (#24940, @joestringer)
- treewide: fix some shebangs (#26293, @markpash)
- Unify feature probing packages (#25627, @rgo3)
- Update BGP related documentation to reflect feature status. (Backport MR #27038, Upstream MR #26951, @ldelossa)
- Update CFP issue template to link repo (#23841, @xmulligan)
- Update CNI to 1.2.0 (#23267, @michi-covalent)
- Update docs for Kubernetes 1.27 (Backport MR #26734, Upstream MR #26671, @christarazi)
- Update Go to 1.20.1 (#23896, @tklauser)
- Update k3s cilium installation to match k3s default podCIDR (#25270, @vincentmli)
- update k8s control plane tests (#23813, @aanm)
- Update l2-announcements policy example in docs to be more realistic (Backport MR #27055, Upstream MR #27039, @dylandreimerink)
- Update MAINTAINERS.md to include Tom Hadlaw (#22769, @christarazi)
- Update NYTimes User (#25023, @abebars)
- update readme with v1.14.0-snapshot.1 (#24707, @aanm)
- Update stable release for v1.11.17 (#25517, @jrajahalme)
- Update stable releases (#22820, @joestringer)
- Update stable releases (#23742, @joestringer)
- Update stable releases (#24960, @michi-covalent)
- Update stable releases (#25727, @thorn3r)
- Update stable releases (#26272, @qmonnet)
- Update USERS.md for SIGHUP (#25982, @julianwiedmann)
- Updates endpoint pkg to use netip.Addr (#25521, @danehans)
- Updates informer pkg to use TransformFunc() (#25604, @danehans)
- Updates k8sTest pkg to use netip.Addr (#25325, @danehans)
- Updates Multi-Pool IPAM Docs for v1.14 Release (Backport MR #27055, Upstream MR #26967, @danehans)
- Use &netlink.LinkNotFoundError{} to determine link not found error (#22438, @tanberBro)
- use /usr/bin/env bash instead of /bin/bash in contrib, examples and test dirs (#24948, @MrFreezeex)
- use /usr/bin/env bash instead of /bin/bash in images dir (#25558, @MrFreezeex)
- use atomic.Pointer instead of bare LoadPointer (#23971, @lmb)
- use DescribeVSwitches to get vswitch tags (#23635, @haozhangami)
- Use resource for CNPs and CCNPs (#24509, @pippolo84)
- Use veth device for probing managed neighbor support (#25598, @ti-mo)
- USERS.md: Add Polar Signals (#24158, @brancz)
- vendor: bump golang-lru to v2 (requires Go >= 1.18 support for generics) (#22644, @rolinh)
- vendor: Update go-restful (Backport MR #26636, Upstream MR #26560, @ferozsalam)
- vendor: Update vishvananda/netlink/ and x/sys (#26410, @borkmann)
- vendor: update wireguard dependency (#23849, @aanm)
- versioncheck: fix parsing of snapshot release versions (#24286, @tklauser)
- When a k8s node contains multiple addresses of the same type and family, Cilium will now emit a warning-level log message stating: "Detected multiple IPs of the same address type, Cilium will only consider the first IP in the Node resource" (#25304, @danehans)
Other Changes:
- [v1.14] Revert "Add support for --hubble-redact=http-url-query" (#26997, @chancez)
- envoy: Bump envoy version to v1.25.9 (#27078, @sayboras)
- install: Update image digests for v1.14.0-rc.1 (#26862, @joestringer)
- Prepare for release v1.14.0-rc.1 (#26854, @joestringer)
v1.14.0-snapshot.4
: 1.14.0-snapshot.4
Summary of Changes
Major Changes:
- Add support for Kubernetes v1.27 (#25602, @nathanjsweet)
- Added L2 announcement feature (#25471, @dylandreimerink)
- cilium: IPv4 BIG TCP support (#26172, @borkmann)
- Implement BPF-based masquerading for IPv6 (#23165, @qmonnet)
- Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#26083, @giorio94)
- Module Health: Add Health Provider/Reporter (#25662, @tommyp1ckles)
Minor Changes:
- Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (#25893, @pchaigno)
- Add helm value `envoyConfig.enabled` that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (#26005, @jrajahalme)
- Add option to remove query from HTTP flows (#25746, @ChrsMark)
- Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
- Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
- Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
- Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
- Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
- Added Gratuitous ARP Pod Announcements (#25482, @markpash)
- Adds `peerPort` field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans)
- Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
- bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
- clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
- daemon: don't allow egress gateway with KV store identity allocation (#26189, @jibi)
- Deprecate CNP Node status updates. (#24464, @marseel)
- envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
- etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
- Extend the Helm chart to allow configuring kvstoremesh. (#26109, @giorio94)
- hubble: Add GetNamespaces to observer API (#25563, @chancez)
- ingress: Default TLS certificate for ingress (#26065, @sathieu)
- ipam: Add ability to automatically create `CiliumPodIPPool` resources in multi-pool IPAM mode (#25991, @gandro)
- ipmasq: Add support for ip-masq-agent with IPv6 (#23219, @qmonnet)
- mutual-auth: Avoid confusion on mTLS wording (#25761, @sayboras)
- mutual-auth: Support spire k8s service dns resolution (#26031, @sayboras)
- operator: Fix default API server addr in metrics subcommand (#26132, @pippolo84)
- Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#25883, @julianwiedmann)
- Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#26001, @harsimran-pabla)
- spire: Add identity GC capability (#25867, @sayboras)
- Support defining IPAM pools using CiliumPodIPPool CRD (#25824, @tklauser)
- Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#25477, @YutaroHayakawa)
- Support Gateway API v0.7.0 (#25711, @meyskens)
- The deprecated pod-short context option in Hubble metrics is now removed (#26125, @lambdanis)
Bugfixes:
- bpf: fix error handling for invoke_tailcall_if() (#26118, @julianwiedmann)
- bpf: lxc: fix one missing drop notification in CT lookup tail calls (#26115, @julianwiedmann)
- bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#25929, @julianwiedmann)
- Envoy resource namespacing (#26037, @jrajahalme)
- Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (#25735, @pchaigno)
- Fix bug with `toServices` policy where service backend churn left stale CIDR identities (#25687, @christarazi)
- Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (#26093, @pchaigno)
- Fix for Identities that can be deleted before CESs are reconciled (#25001, @dlapcevic)
- Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#24474, @strudelPi)
- Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (#25953, @pchaigno)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#25677, @giorio94)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#25675, @giorio94)
- Fix panic due to nil-map assignment in l2announcer (#26315, @dylandreimerink)
- Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (#25936, @joamaki)
- Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (#25969, @jrajahalme)
- Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#26136, @ldelossa)
CI Changes:
- .github/workflows: add JUnit tag on workflows that have JUnits (#25930, @aanm)
- .github/workflows: let renovate update kind (#26312, @tklauser)
- .github: add cilium sysdump to test artifacts (#26143, @aanm)
- .github: add missing job to check for code changes (#25926, @aanm)
- .github: Fail if print-chart-version.sh fails or does not exist (#26086, @chancez)
- .github: simplify conformance-runtime workflow (#25955, @aanm)
- Add checker to verify if comments from ginkgo GH workflows are in sync (#25971, @aanm)
- Add schema validation for configuration-matrix files (#26081, @aanm)
- bgp,test: Properly wait for FRR container to be ready (#25777, @YutaroHayakawa)
- bgpv1: Avoid ports from common ip_local_port_range in unit tests (#26174, @rastislavs)
- bgpv1: Extend the timeout for the Test_NeighborAddDel test (#25970, @rastislavs)
- bpf unit tests: Run tests on changes to pks/bpf/** (#25911, @qmonnet)
- bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option (#26151, @julianwiedmann)
- bpf: tests: test EgressGW reply path with native routing (#25932, @julianwiedmann)
- CI: Add JUnit reports upload (#25801, @brlbil)
- ci: github actions job to run kubernetes upstream conformance tests (#25913, @aojea)
- CI: Stabilize ConformanceKindEnvoyDaemonSet (#26260, @mhofstetter)
- CI: Verifier tests: Keep generated object files and logs on test failure (#25862, @qmonnet)
- CI: wait for cilium to become ready in conformance-{aks,gke} before port forward relay (#25839, @learnitall)
- conformance-k8s-kind: Use Helm mode cilium-cli (#25916, @michi-covalent)
- conformance-runtime: Bump timeout to wait for images (#25947, @michi-covalent)
- datapath/linux/ethtool: deflake TestIsVirtualDriver (#26027, @tklauser)
- docs: add documentation for Ginkgo-based GHA (#26055, @aanm)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based ones (stable branches) (#26188, @giorio94)
- egressgw: switch to Cilium CLI connectivity tests (#25719, @jibi)
- gha: Increase Ingress status wait time (#26219, @sayboras)
- gha: Move to helm mode for aws-cni, eks, gke (#25820, @sayboras)
- gha: use Cilium CLI Helm mode for conformance-clustermesh (#25834, @giorio94)
- Improved reliability of pkg/hive/job timer double trigger unit test (#26022, @dylandreimerink)
- Run all ginkgo tests on GitHub actions (#25713, @aanm)
- test/nat46x64: silence curl output (#26024, @tklauser)
- test: Cleanup ginkgo test artifacts (#25833, @pchaigno)
Misc Changes:
- .github: add dedicated job to wait for images (#26184, @aanm)
- .github: Push Helm charts for hotfixes (#25836, @joestringer)
- .github: rebuild ginkgo tests in case of cache miss (#26263, @aanm)
- .github: refactor job matrix generation into YAML files (#26019, @aanm)
- Add detailed panic messages for slim ObjectMeta and ListMeta (#25107, @hemanthmalla)
- Add kvstoremesh Dockerfile and build images through the CI (#26106, @giorio94)
- Add microsoft as user to cilium (#25838, @tamilmani1989)
- Add Zero Hash to Cilium users (#25987, @eugenestarchenko)
- Added gARP capability to L2 announcer feature (#25933, @dylandreimerink)
- Added metrics for pkg/k8s/resource (#26269, @dylandreimerink)
- Adding Eficode to USERS.md (#25931, @punasusi)
- Agent: add support for watching kvstoremesh prefixes (#26154, @giorio94)
- Auth Map: Initial Garbage Collection (#25754, @mhofstetter)
- auth: add missing config values to helm values (#25973, @mhofstetter)
- auth: add missing stream package import (#26018, @giorio94)
- auth: feature flag for authentication (#26208, @mhofstetter)
- auth: fix initial k8s events sync in auth map gc (#26059, @mhofstetter)
- auth: implement re-authentication in case of rotated certificates (#25927, @mhofstetter)
- auth: policy based auth map GC (#26068, @mhofstetter)
- auth: streamline logging (#25965, @mhofstetter)
- auth: temporarily disable node-based auth gc (#26073, @mhofstetter)
- AWS CNI v1.12 Cilium install fixed. (#26084, @viktor-kurchenko)
- BGP CP: Updates docs for PeerPort (#25876, @danehans)
- bgpv1: Documentation update to reflect current architecture (#25954, @harsimran-pabla)
- bgpv1: graceful restart component test (#25914, @harsimran-pabla)
- bgpv1: Reset BGP session in UpdateNeighbor if necessary (#25827, @rastislavs)
- bpf: clean up some revalidate_data() users (#25337, @julianwiedmann)
- bpf: encap: send TO_OVERLAY trace before adding encapsulation (#25828, @julianwiedmann)
- bpf: fib: delay smac selection until fib_do_redirect() has picked the oif (#26290, @julianwiedmann)
- bpf: lb: minor cleanups (#26216, @julianwiedmann)
- bpf: minor HostFW cleanups (#25881, @julianwiedmann)
- bpf: misc CT cleanups (#26104, @julianwiedmann)
- bpf: nat: reduce CT lookup scope (#25917, @julianwiedmann)
- bpf: nat: remove unused ct_delete*() helpers (#26076, @julianwiedmann)
- bpf: nodeport: reduce CT lookup scope (#25826, @julianwiedmann)
- bpf: nodeport: wire up trace struct for IPv6 RevDNAT (#26047, @julianwiedmann)
- bpf: remove MapInfo, DumpParser and MapKey/Value DeepCopy (#25792, @ti-mo)
- bpf: Use "fallthrough;", compile with -Wimplicit-fallthrough (#26211, @qmonnet)
- bpf: xdp: fix coccicheck warning about DROP_MISSED_TAIL_CALL (#25924, @julianwiedmann)
- bpf: xdp: use CT tuple hash for tunnel encap's source port (#26177, @julianwiedmann)
- bugtool: dump auth map related information (#26066, @mhofstetter)
- build(deps): bump requests from 2.28.2 to 2.31.0 in /Documentation (#25603, @dependabot[bot])
- build: Avoid cross compilation issue on Windows (#25904, @sayboras)
- Change enableEndpointCRD helm option type from string to boolean. Fix operator panic that occurs when Endpoint CRD is disabled and CiliumEndpointSlice is enabled (#25798, @doniacld)
- chore(deps): update all github action dependencies (main) (minor) (#25850, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25846, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26054, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.7 (main) (#25847, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.6 (main) (#26041, @renovate[bot])
- chore(deps): update dependency go to v1.20.5 (main) (#26051, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26261, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.4 docker digest to `690e413` (main) (#25277, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to `6b3fa4b` (main) (#26050, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to `2a357c4` (main) (#26284, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to `ac58ff7` (main) (#25295, @renovate[bot])
- chore(deps): update go to v1.20.5 (main) (patch) (#25957, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.53.2 (main) (#25841, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.53.3 (main) (#26258, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (main) (#25996, @renovate[bot])
- cilium/cmd: Deprecate `cilium endpoint regenerate` command (#25949, @christarazi)
- cilium: Improve IPv6 BIG TCP probing (#26303, @borkmann)
- cli: add "cilium bpf config list" (#26105, @mhofstetter)
- clustermesh-apiserver: add missing metrics and documentation (#26070, @giorio94)
- clustermesh-apiserver: don't wait for the presence of unused CRDs (#26220, @giorio94)
- clustermesh-apiserver: rework identities, endpoints and nodes synchronization to improve performance (#25049, @giorio94)
- clustermesh: ensure that the status of the remote clusters controller is correctly reported (#26271, @giorio94)
- clustermesh: Introduce ClusterID reservation mechanism (#26124, @marseel)
- clustermesh: split the generic logic from the specific part (#25921, @giorio94)
- clustermesh: unbreak test (#26294, @giorio94)
- conformance-runtime: remove optimizations and update little-vm-helper (#25825, @aanm)
- Controller clean up (#25579, @jrajahalme)
- Convert daemon ipcache usages to new ipcache async API (#25749, @christarazi)
- converted node manager dynamic metrics into modular metrics (#25887, @dylandreimerink)
- CRD List Generation (#25910, @dhawton)
- ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (#26197, @ti-mo)
- daemon, maps/ipcache: Replace usage of `net.IP*` for ingress IPs (#26045, @christarazi)
- daemon: Perform early (partial) local node info initialization (#24866, @joamaki)
- dnsproxy: stop using the regex lru in the dns proxy to avoid keeping large unused regex in memory when no longer needed (#22584, @odinuge)
- docker: Detect default "desktop-linux" builder (#25908, @jrajahalme)
- docs: Add APAC timezone meeting to README (#24902, @lizrice)
- docs: Add externalTrafficPolicy=Local description to BGP CPlane doc (#25960, @YutaroHayakawa)
- docs: add upgrade note about deletion of stale entries in clustermesh (#26067, @giorio94)
- docs: cleanup SPIRE & Envoy values in helm reference (#26039, @mhofstetter)
- docs: Deprecate `cluster-pool-v2beta` (#25767, @gandro)
- docs: remove clustermesh-apiserver gops port from system requirements (#26230, @giorio94)
- docs: Slack updates (#25723, @lizrice)
- Docs: Update BGP docs to reflect CRD consolidation (#26196, @rastislavs)
- docs: Update development setup with preferred kind-based approach (#25535, @christarazi)
- docs: Update governance voting templates (#25802, @joestringer)
- Document how to migrate from Ingress to Gateway API (#25599, @nvibert)
- Documentation: add CONFIG_SCHEDSTATS to required kconfigs (#26035, @ti-mo)
- Documentation: Document BGP timers & neighbor update behavior (#25906, @rastislavs)
- Documentation: include bgp cli commands in bgp-cp documentation (#25691, @harsimran-pabla)
- Dump maps and events for all lb4/6 v3 backends (#26108, @ti-mo)
- endpoint: fix policy map sync warning due to policymap authtype diffs (#26218, @mhofstetter)
- Fix and improve Conformance Ginkgo UX (#25950, @aanm)
- Fix CI image build cache (#26020, @aanm)
- Fix neighbor test flakes (#26156, @borkmann)
- fix(deps): pin dependencies (main) (#25539, @renovate[bot])
- fix(deps): pin dependencies (main) (#25849, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#26286, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#25542, @renovate[bot])
- fix(deps): update module github.com/docker/docker to v24 (main) (#26316, @renovate[bot])
- gateway-api: now function GatewayAPI also supports TLSRoute (#26060, @spacewander)
- gha: fix conformance-ginkgo base branch retrieval (#26085, @giorio94)
- helm: add extraArgs to clustermesh-apiserver (#25693, @rcanderson23)
- helm: Add flag to disable CRD check for mass server-side apply (#25956, @jcpunk)
- helm: address review comments regarding helm value docs (#26296, @tklauser)
- helm: Correct the flag names in validate.yaml (#26167, @sayboras)
- Improve Makefile to ease debugging (#26159, @pippolo84)
- Ignore updating client-go fork in renovate dependencies (#26305, @marseel)
- install: Fail helm if kube-proxy-replacement is not valid (#25907, @jrajahalme)
- IPAM multipool followups (#26138, @tklauser)
- ipam/allocator: remove unused allocator types (#25963, @tklauser)
- ipcache: fix not waiting for k8s caches to sync (#25975, @squeed)
- ipsec: Fix cleanup of XFRM states and policies (#26072, @pchaigno)
- jenkinsfiles: remove ginkgo-based Jenkinsfiles (#26171, @aanm)
- k8s / policy: allow all services for toServices when using highscale ipcache (#26127, @squeed)
- k8s: fix ciliumpodippools CRD controller-gen version (#25976, @mhofstetter)
- k8s: Update comment about rule preprocessing (#25864, @odinuge)
- k8s: Use Resource[*Pod] in pod watcher for the local pod watching (#26181, @joamaki)
- kvstore: limit keys attached to single lease, and react to expiration (#25966, @giorio94)
- MAINTAINERS: Add Nick Young (#25874, @joestringer)
- Makefile: Fix kind deployment in quiet mode (#25873, @joestringer)
- Makefile: remove -test.v from GOTEST_BASE (#25703, @ti-mo)
- Makefile: use CLI options to set local images for kind-install-cilium-clustermesh (#25810, @thorn3r)
- metrics: Metrics initial modularization (#25651, @dylandreimerink)
- metrics: provide the global services metric through the hive (#26157, @giorio94)
- node_ids: introduce GetNodeID (#26155, @mhofstetter)
- pkg/datapath: skip TestArpPingHandling due to flakiness (#25840, @aanm)
- pkg/ipam: Update histogram buckets for trigger metrics (#25600, @hemanthmalla)
- policy: Add GetAuthTypes() (#26116, @jrajahalme)
- Prepare for release v1.14.0-snapshot.3 (#25830, @aanm)
- proxy: introduce initial proxy cell (#25779, @mhofstetter)
- README: Update for latest snapshot prerelease (#25845, @joestringer)
- Remove custom iproute2 fork (#26221, @ti-mo)
- Remove ip assignments for cilium_host from init.sh (#25771, @rgo3)
- Remove references to GOPATH in documentation (#25942, @JamesLaverack)
- renovate: exclude github.com/{cilium,vishvananda}/netlink (#26311, @tklauser)
- Replace client-go with private fork. (#26250, @marseel)
- Replaces K8s NewDeltaFIFO with NewDeltaFIFOWithOptions (#25606, @danehans)
- resource: Add Resource[Endpoints] and adapt existing watchers (#23977, @joamaki)
- resource: Fix flaky test due to missing Done call (#25646, @joamaki)
- resource: implement stream.Observable (#25934, @mhofstetter)
- statedb: Fix WriteJSON with multiple tables (#24970, @joamaki)
- stream: Improve function documentation (#25922, @joamaki)
- test/k8s: make kafka tests more reliable (#26121, @aanm)
- testutils: remove gocheck (#25684, @lmb)
- Update network attacker sections of the threat model (#25640, @ferozsalam)
- Update stable releases (#26272, @qmonnet)
- Update USERS.md for SIGHUP (#25982, @julianwiedmann)
- Updates informer pkg to use TransformFunc() (#25604, @danehans)
Docker Manifests
v1.14.0-snapshot.3: 1.14.0-snapshot.3
Summary of Changes
Major Changes:
- Add TLSRoute support to GatewayAPI (#25106, @meyskens)
- New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
- Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)
Minor Changes:
- add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
- Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
- Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
- Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
- Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
- Allow to disable external workloads support in clustermesh-apiserver to improve performance when not needed. (#25259, @giorio94)
- Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
- clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
- clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
- cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
- DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
- dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
- envoy: Add idle timeout configuration option (#25214, @sayboras)
- Fix CIDR json tag in CNP CIDRRule (#25617, @pippolo84)
- Fixed incorrectly rendered chart when specified both configMap and customConf (#25200, @marseel)
- helm: Bump default spire image version (#25444, @sayboras)
- helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#25010, @giorio94)
- helm: Improve spire template (#25589, @sayboras)
- High-Scale IPcache: Chapter 3 (#25438, @pchaigno)
- identity/cache: fix panic when re-init of cache after close. (#25269, @tommyp1ckles)
- multi-pool: Determine IP pool based on `ipam.cilium.io/ip-pool` annotation (#25511, @gandro)
- operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#24776, @tommyp1ckles)
- Replace wait-for-it in SPIRE setup with a busybox script (#24959, @meyskens)
- Significantly reduce Hubble flow traffic by transmitting only requested information (#23198, @AwesomePatrol)
- Support `enable-endpoint-routes` with `enable-high-scale-ipcache`. (#25601, @pchaigno)
- Support GENEVE encapsulation with high-scale ipcache. (#25591, @pchaigno)
- Update CNI (loopback) to 1.3.0 (#25400, @anfernee)
- Updating documentation helm values now works also on arm64. (#25422, @jrajahalme)
- Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (#24914, @margau)
Bugfixes:
- Add drop notifications for various error paths in the datapath. (#25183, @julianwiedmann)
- Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#25215, @youngnick)
- Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (#25159, @julianwiedmann)
- bpf,datapath: read jiffies from /proc/schedstat (#25795, @ti-mo)
- bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#19753, @sahid)
- bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#24757, @julianwiedmann)
- Compare annotations before discarding CiliumNode updates. (#25465, @LynneD)
- datapath: Fix double SNAT (#25189, @brb)
- DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (#25147, @jrajahalme)
- Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (#25784, @pchaigno)
- Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (#25724, @pchaigno)
- Fix a possible deadlock when using WireGuard transparent encryption. (#25419, @bimmlerd)
- Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (#25298, @asauber)
- Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#25329, @jschwinger233)
- Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (#25744, @joamaki)
- Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#25087, @joamaki)
- Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of the `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress where the source IP address is now appended to the `x-forwarded-for` header. (#25674, @jrajahalme)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#25499, @giorio94)
- Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (#25426, @bleggett)
- Fix operator shutdown hanging when kvstore is enabled (#24979, @giorio94)
- Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (#25440, @pchaigno)
- Fix permission issue when copying cni plugins onto host path (#24891, @JohnJAS)
- Fix RevSNAT for ICMPv6 packets. (#25306, @julianwiedmann)
- Fix spurious errors containing "Failed to map node IP address to allocated ID". (#25222, @bimmlerd)
- Fix syncing of relevant node annotations into CiliumNode (#25307, @meyskens)
- Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#25320, @harsimran-pabla)
- gateway-api: Race condition between routes and Gateway (#25573, @sayboras)
- gateway-api: Skip reconciliation for non-matching controller routes (#25549, @sayboras)
- helm: Correct typo in Ingress validation (#25570, @sayboras)
- Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (#25803, @pchaigno)
- Track reply packets in long-living egress gateway connections and SNATed host-local connections. (#25112, @gentoo-root)
CI Changes:
- .github/workflows: add missing GH action version annotations (#25369, @tklauser)
- .github: Fix chart push on forks (#25274, @chancez)
- .github: run scruffy for cilium/cilium only (#25772, @aanm)
- Add github workflow to push development helm charts to quay.io (#25205, @chancez)
- Add improvements in Conformance Runtime (#25797, @aanm)
- bgpv1: Exercise HoldTime in Test_NeighborAddDel (#25760, @rastislavs)
- bgpv1: Retry peer checks in NeighborAddDel test to avoid flakes (#25641, @rastislavs)
- bpf: Cover high-scale IPcache in complexity tests (#25592, @pchaigno)
- bpf: test: add some IPv6 DSR integration tests (#25443, @julianwiedmann)
- ci-e2e-v1.13: Fix workflow (#25412, @brb)
- ci-e2e: backport changes in conformance-e2e into v1.13 tests (#25386, @brb)
- ci-e2e: Bump cilium-cli v0.1.4.5 (#25672, @brb)
- ci-e2e: Enable --debug when running with EGW (#25789, @brb)
- ci-e2e: Increase hubble buffer capacity (#25710, @brb)
- ci-e2e: Run cilium-cli in Helm mode (#25780, @brb)
- ci-l4lb-v1.1{1,2}: Remove helm charts (#25529, @brb)
- ci: fix Cilium CLI install in ConformanceKindEnvoyDaemonSet (#25459, @nbusseneau)
- ci: fix gke network starvation (#25597, @brlbil)
- CODEOWNERS: Add sig-foundations (#24976, @joamaki)
- Delete "Cilium monitor verbose mode" test (#25212, @michi-covalent)
- Fix external-contribution-label workflow renovate tag (#25429, @chancez)
- Fix verifier issues in IPv6 BPF tests (#25191, @dylandreimerink)
- Fixed flake in pkg/hive/job tests. (#25293, @dylandreimerink)
- Fixed TestTimer_ExitOnCloseFnCtx channel close panic (#25211, @dylandreimerink)
- fuzzing: modify oss-fuzz build script (#24262, @AdamKorcz)
- gh/workflow: change multicluster GKE cluster provisioning to none blocking mode (#25394, @brlbil)
- gh/workflow: Reintroduce running GKE workflows in matrix strategy (#25654, @brlbil)
- gh/workflow: Run GKE workflow in matrix strategy (#25364, @brlbil)
- gh/workflows: Remove conformance-kind (#25707, @brb)
- gh/workflows: Rename ci-datapath to ci-e2e (#25164, @brb)
- gh/workflows: Use `2023042.212204` LVH images (#25681, @brb)
- gh/workflows: Use cilium-cli GHA to install CLI exec (#25228, @brb)
- gha: Clean-up Ingress job configuration (#25311, @sayboras)
- gha: Move to helm install mode for Gateway API jobs (#25608, @sayboras)
- hostfw tests flake workaround (#25323, @tommyp1ckles)
- Improve golangci-lint usage (#25157, @joestringer)
- inctimer: fix test flake where timer does not fire within time. (#25219, @tommyp1ckles)
- kvstore: fix TestWorkqueueSyncStoreMetrics flake (#25706, @giorio94)
- Make it easier to migrate off of gopkg.in/check.v1 (#25484, @lmb)
- mirror: Only run on cilium/cilium (#25179, @michi-covalent)
- NONE (#25258, @aojea)
- Pick up the latest startup-script image (#25774, @michi-covalent)
- Revert "gh/workflow: Run GKE workflow in matrix strategy" (#25464, @thorn3r)
- Set VERSION to 1.14.0-dev (#25237, @michi-covalent)
- test/k8s: add host firewall workaround for svc host policy test. (#25461, @tommyp1ckles)
- test/k8s: for services test, wait for all applied manifests to delete (#25341, @tommyp1ckles)
- test/k8s: quarantine High-scale IPcache test (#25668, @aanm)
- test/k8s: quarantine K8sDatapathServicesTest (#25670, @aanm)
- test/k8s: update host policies for firewall tests. (#25374, @tommyp1ckles)
- test: Collect sysdump as part of artifacts (#25079, @pchaigno)
- test: delete ginkgo test "NodePort with L7 Policy from outside" (#25702, @jschwinger233)
- test: prevent panic on k8s services host fw test on some runs. (#25747, @tommyp1ckles)
- test: remove govalidator dependency (#25314, @rolinh)
- test: Switch target FQDN (#25571, @pchaigno)
- tests: quarantine services nodeport w/ L7 policy test. (#25236, @tommyp1ckles)
- Transfer Runtime tests to GitHub actions (#25516, @aanm)
- Update push-chart workflow concurrency group (#25431, @chancez)
- Use cli-based Helm install for `tests-smoke` conformance workflow (#25493, @bleggett)
- Use CLI-based Helm installation for ingress tests (#25609, @dhawton)
- workflows/clustermesh: set kubectl version to match the one of the kubernetes cluster (#25221, @giorio94)
- workflows/push charts: Checkout main branch before set-env-variables (#25296, @chancez)
- workflows: e2e: bump Cilium CLI to v0.14.2 (#25194, @jibi)
- workflows: e2e: bump max-parallel to 16 (#25763, @jibi)
Misc Changes:
- .github: add renovate/stop-updating label on renovate's MRs (#25649, @aanm)
- `dev-doctor` - if path to `go.mod` invalid, look in current directory (#25327, @bleggett)
- A few cleanups for per-cluster CT/SNAT maps (#25712, @YutaroHayakawa)
- Add configuration docs for API restrictions (#24968, @joestringer)
- Add kernel.org's `.clang-format` for editor-agnostic C formatting hints (#25488, @bleggett)
- Add missing LB IPAM description in the operator document (#25696, @YutaroHayakawa)
- Add top level `make run_bpf_tests` target to run eBPF unit tests in the Cilium builder container (#25173, @ldelossa)
- Auth use signalmap (#25284, @jrajahalme)
- auth: auth map cache (#25634, @mhofstetter)
- Backport the 64-bit stack alignment patch for LLVM, which is expected on all modern kernel versions. (#25338, @gentoo-root)
- bgpv1: component test framework (#25362, @harsimran-pabla)
- bgpv1: Don't use net package for addressing (#25313, @YutaroHayakawa)
- bgpv1: Fix use of k8s.LocalNodeResource and LocalCiliumNodeResource types (#25615, @joamaki)
- BGPv1: Introduce generic bgp manager layer (#25016, @harsimran-pabla)
- bgpv1: use slim_core_v1 node instead of corev1 in test fixtures (#25625, @harsimran-pabla)
- bom: update to version 0.5.1 (#25451, @mhofstetter)
- bpf, cilium/cmd: remove unused hidden `cilium bpf migrate-map` sub-command (#25196, @tklauser)
- bpf/init.sh: move node config generation to Go (#25380, @rgo3)
- bpf/makefile: fix spelling issue and make it clear which bear cli. (#25273, @tommyp1ckles)
- bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (#25742, @julianwiedmann)
- bpf: lb: clean up IPv4 loopback handling (#25456, @julianwiedmann)
- bpf: lb: misc cleanups (#25372, @julianwiedmann)
- bpf: nat: consistently use has_l4_header in IPv4 SNAT path (#25741, @julianwiedmann)
- bpf: nat: fix L4 csum case in ingress path for ICMP-embedded SCTP (#25315, @julianwiedmann)
- bpf: nat: tolerate unhandled protocol types in revSNAT path (#25740, @julianwiedmann)
- bpf: nodeport: don't set .addr in revSNAT target (#25381, @julianwiedmann)
- bpf: nodeport: SNAT before adding tunnel info in NAT egress path (#25305, @julianwiedmann)
- bpf: nodeport: wire up ext_err in revSNAT path (#25406, @julianwiedmann)
- bpf: Use inline assembly for packet context access, to prevent some undesirable optimizations from LLVM (#25336, @qmonnet)
- build(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible (#25393, @dependabot[bot])
- chore(deps): pin dependencies (main) (#25275, @renovate[bot])
- chore(deps): update actions/upload-artifact action to v3 (main) (#25048, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#25401, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25198, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25540, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25701, @renovate[bot])
- chore(deps): update all github action dependencies to v1.1.1 (main) (patch) (#25402, @renovate[bot])
- chore(deps): update cilium cli (main) (minor) (#25245, @renovate[bot])
- chore(deps): update cilium/cilium-cli digest to `207512c` (main) (#25397, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.3 (main) (#25541, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.5 (main) (#25700, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.0 (main) (#25415, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `9ecc53c` (main) (#25398, @renovate[bot])
- chore(deps): update go to v1.20.4 (main) (patch) (#25246, @renovate[bot])
- chore(deps): update helm/kind-action action to v1.7.0 (main) (#25546, @renovate[bot])
- chore(deps): update hubble cli to v0.11.5 (main) (patch) (#25124, @renovate[bot])
- clustermesh-apiserver: extract kvstore client initialization and heartbeat logic in separate cells (#25554, @giorio94)
- clustermesh: allow waiting for the CiliumClusterConfig to appear when required (#25671, @giorio94)
- clustermesh: fix SyncedCanaries capability name mismatch (#25685, @giorio94)
- cmd: enhance cilium bpf policy list&get (#25389, @mhofstetter)
- CODEOWNERS: Assign pkg/slices to sig-foundations (#25737, @pippolo84)
- CODEOWNERS: pkg/bpf to loader, pkg/recorder to sig-datapath (#25648, @ti-mo)
- command/exec: remove unused (*Cmd).WithFilters method (#25642, @tklauser)
- config: fix tunnel port for DSR-GENEVE with direct-routing (#25384, @julianwiedmann)
- contrib/scripts: Ignore all vendor sub-directories (#25566, @michi-covalent)
- Convert the clustermesh subsystem into a hive.Cell (#25561, @giorio94)
- crd: Refactor RegisterCRDsCell to be extensible (#25590, @pippolo84)
- daemon: Document the use for required API options (#25170, @joestringer)
- daemon: Log warning if BPF Clock probe fail (#25287, @pchaigno)
- daemon: Mark flag for node encryption as beta (#25319, @pchaigno)
- daemon: Remove encrypt key from syncHostIPs() (#25252, @christarazi)
- daemon: Update code comment regarding PolicyReactionEvent (#25607, @christarazi)
- daemon: use netlink for managed neighbor support probe (#25134, @rgo3)
- datapath: Add auth_type to policy verdict message (#25410, @jrajahalme)
- docs: `socketLB.hostNamespaceOnly` also needed for gVisor (#25322, @pchaigno)
- docs: Add Bottlerocket OS to validated distros (#25390, @nebril)
- docs: Add missing backslash in Helm command (#25800, @james0209)
- docs: Add platform support to docs (#25174, @joestringer)
- docs: Add steps to start Hubble UI with cilium-cli, but only after Hubble itself has started (#25538, @fujitatomoya)
- docs: Clarify the steps to update images (#25367, @gentoo-root)
- docs: Disable host DNS resolver with Virtualbox for Minikube quick installation guide (#25569, @zhouhaibing089)
- docs: document missing entity 'ingress' (#25665, @mhofstetter)
- docs: Fix broken link to backends leak issue (#25278, @akhilles)
- docs: fix typos and formatting (#25365, @peterj)
- docs: Improve BGP Control Plane page (#23939, @krouma)
- docs: Remove sockops, sockmaps from eBPF datapath diagrams (#24824, @zacharysarah)
- docs: Update gateway-api version to v0.6.1 (#25439, @sayboras)
- Fix implicit conversion warning in DSR with GENEVE (#25299, @ysksuzuki)
- Fix fatal error when shutting down the clustermesh-apiserver (#25310, @giorio94)
- Fix hive test argument order and race (#25545, @bimmlerd)
- Fix kind.sh development scripts on MacOS (#25317, @chancez)
- Fix possible panic in the ipcache when removing the prefix labels for an unknown resource ID (#25230, @giorio94)
- fix(deps): pin dependencies (main) (#25026, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#25035, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#25414, @renovate[bot])
- Fixed documentation regarding cilium versioning scheme and support (#25171, @ayesha-kr)
- fqdn: use map to dedup to reduce memory usage of dns gc job (#25142, @odinuge)
- garp: Introduce Gratuitous ARP Cell (#25254, @markpash)
- gateway-api: Add header modifier and splitting examples (#25186, @nvibert)
- gha: Add retry mechanism in http test (#25244, @sayboras)
- Godoc improvements for `pkg/bgpv1` (#25686, @danehans)
- helm: `nodeEncryption` is only supported with WireGuard (#25770, @gandro)
- helm: Avoid error in IDE due to .range keyword (#25766, @sayboras)
- helm: Remove deprecated hubble.tls.ca (#25261, @ysksuzuki)
- hive/jobs: fix enqueueing of multiple jobs via variadic func (#25633, @mhofstetter)
- hive: add support for map[string]string flags (#25643, @giorio94)
- hive: Make timer job test less flaky (#25308, @jrajahalme)
- hubble: Remove spammy debug log message on lost events (#25321, @pchaigno)
- identity: cache: close channel in writing party (#25353, @bimmlerd)
- images: scripts to update and check envoy image version (#25413, @mhofstetter)
- Improved job docs on hive page (#25312, @dylandreimerink)
- IPAM pools followups (#25498, @tklauser)
- ipsec: Install default-drop XFRM policy sooner (#25257, @pchaigno)
- k8s: Split SharedResources into binary specific cells (#25757, @pippolo84)
- k8s: Use slim Node in LocalNode Resource and K8s watchers (#25282, @joamaki)
- labelsfilter: Assign review to sig-policy (#25290, @joestringer)
- MAINTAINERS: add Dylan Reimerink to the list of maintainers (#25577, @ti-mo)
- makefile: introduce variable CILIUM_CLI for cilium cli binary (#25031, @mhofstetter)
- Makefile: use a specific template for mktemp files (#25192, @kaworu)
- Modularize eventsmap and monitor.Agent (#25197, @bimmlerd)
- Move github.com/cilium/ipam packages to main repo (#25289, @tklauser)
- multi-pool: Support allocating from new IPAM pools on demand (#25765, @gandro)
- node/manager: Utilize set.SliceSubsetOf in ipcache deletion (#25180, @christarazi)
- node: register ipsec metric once (#25335, @jrajahalme)
- node: Use new asynchronous IPCache API for Manager (v2) (#23208, @christarazi)
- nodehandler: register node-id restore as hive lifecycle hook (#25497, @mhofstetter)
- nodeid map: provide map via hive cell (#25574, @mhofstetter)
- Perform map creation and opening using cilium/ebpf API (#22693, @ti-mo)
- pkg/datapath: skip TestArpPingHandlingForMultiDevice due to flakiness (#25821, @aanm)
- pkg/envoy/xds package cleanup (#24044, @tanberBro)
- Prepare for v1.14.0-snapshot.2 release (#25206, @joestringer)
- README: Bump prerelease to v1.14.0-snapshot.2 (#25207, @joestringer)
- Reduce amount of bpf instructions needed for handling ipv6 addresses (#25195, @ti-mo)
- Reduce the amount of repeating code in CT (#25356, @gentoo-root)
- Refactor egressgateway specific maps into a cell (#24865, @lmb)
- Refactor set.SliceSubsetOf (#25559, @pippolo84)
- Remove COSIGN_EXPERIMENTAL: "true" env variable for signing images (#24845, @sandipanpanda)
- Remove unused parameter from NewCachingIdentityAllocator (#25594, @giorio94)
- Renovate configuration fixes (#25330, @kaworu)
- renovate: do not update 'github.com/mdlayher/arp' (#25807, @aanm)
- Replace legacy bpf syscalls with ebpf-go library APIs (#25355, @ti-mo)
- Replace the string with constants from the http package (#25614, @Fish-pro)
- Revert and fix ip rules (#25350, @NikAleksandrov)
- routing: Extend unit tests (#24933, @krabradosty)
- slices: Introduce slices.UniqueFunc() (#25743, @YutaroHayakawa)
- Slim down Node handler interface (#25450, @bimmlerd)
- test/provision/compile.sh: Make usable from dev VM (#25352, @jrajahalme)
- Unify feature probing packages (#25627, @rgo3)
- Update k3s cilium installation to match k3s default podCIDR (#25270, @vincentmli)
- Update stable release for v1.11.17 (#25517, @jrajahalme)
- Update stable releases (#25727, @thorn3r)
- Updates endpoint pkg to use netip.Addr (#25521, @danehans)
- Updates k8sTest pkg to use netip.Addr (#25325, @danehans)
- use /usr/bin/env bash instead of /bin/bash in contrib, examples and test dirs (#24948, @MrFreezeex)
- use /usr/bin/env bash instead of /bin/bash in images dir (#25558, @MrFreezeex)
- Use veth device for probing managed neighbor support (#25598, @ti-mo)
- When a k8s node contains multiple addresses of the same type and family, Cilium will now emit a warning-level log message stating: "Detected multiple IPs of the same address type, Cilium will only consider the first IP in the Node resource" (#25304, @danehans)
Docker Manifests
v1.14.0-snapshot.2
We are pleased to release Cilium v1.14.0-snapshot.2.
Summary of Changes
Major Changes:
- Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
- Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (#24826, @jrajahalme)
- Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)
Minor Changes:
- Add --hubble-monitor-events flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
- Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
- Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
- Add network policy auth method "always-fail" (#24609, @meyskens)
- Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
- auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
- Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fix several related IPv6 issues. (#24208, @jschwinger233)
- Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
- cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
- daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
- Deprecate --tunnel in favor of --routing-mode and --tunnel-protocol. (#24561, @pchaigno)
- Drop traffic matching an egress gateway policy when no gateways are found (#24835, @MrFreezeex)
- Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
- Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
- Enabled cilium_bpf_map_pressure metric by default (#24721, @Vishal-Chdhry)
- endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
- envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
- envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
- envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
- Expose Cilium agent go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#24745, @derailed)
- Fix broken IPv6 connectivity from outside to NodePort service when L7 ingress policy applied by removing PROXY_RT route table. (#24882, @jschwinger233)
- helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
- helm: Add SA to nodeinit ds (#24836, @darox)
- Helm: Clean up deprecated values (#24214, @qmonnet)
- ingress: Add ownerReferences for shared mode (#24942, @sayboras)
- Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
- ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
- mtls: SPIRE server and agent installation (#24765, @sayboras)
- Provides operational state of BGP peers via CLI 'cilium bgp peers' (#24612, @harsimran-pabla)
- Remove sockops-enable and friends (#23606, @mohit-marathe)
- Rename the sec_label field in remote_endpoint_info structure to sec_identity (#25057, @ldelossa)
- Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
- Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
- The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)
Bugfixes:
- Address cilium-agent startup performance regression. (#25007, @bimmlerd)
- bpf: dsr: fix parsing of IPv6 AUTH extension header (#24792, @julianwiedmann)
- bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
- bpf: policy: fix handling of ICMPv6 packet with extension headers (#24797, @julianwiedmann)
- Bugfix: Invert --hubble-monitor-events logic to be an allowlist (#25167, @epk)
- cmd/cleanup: Fix cleanup of generic XDP programs (#25117, @pchaigno)
- Filter ipv6 advertisements when using metallb as BGP speaker. (#25043, @harsimran-pabla)
- Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (#24807, @jschwinger233)
- Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (#25024, @pchaigno)
- Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (#24825, @christarazi)
- Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (#24785, @giorio94)
- Fix incorrect network policy ebpf setup that may lead to packets being incorrectly denied when a CEP is present in multiple CES (#24838, @alan-kut)
- Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
- Fix operator startup delay caused by leader election lease not being released correctly (#24978, @giorio94)
- Fix panic due to assignment to nil BGP service announcements map. (#24985, @harsimran-pabla)
- Fix security-group-tags not working in ENI (#24951, @aanm)
- Fix the bug when long-living connections using egress gateway may be reset. (#24905, @gentoo-root)
- Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (#24788, @jrajahalme)
- gateway-api: Re-queue gateway for namespace change (#24624, @sayboras)
- Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (#24681, @aditighag)
- helm: mandate issuer configuration when using cert-manager to generate certificates (#24666, @giorio94)
- ipcache don't short-circuit InjectLabels if source differs (#24875, @squeed)
- ipsec: Clean up stale XFRM policies and states (#24773, @pchaigno)
- pkg/kvstore: Fix for deadlock in etcd status checker (#24786, @hemanthmalla)
- Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (#24646, @MrFreezeex)
- Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (#24672, @bimmlerd)
- The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)
CI Changes:
- Always use the 8.8.8.8 DNS resolver in kind (#24713, @aspsk)
- bpf: inline test functions with ctx as input (#24662, @anfernee)
- CI / Kind enhancements (#24714, @aanm)
- ci-datapath: Enable IPV6 masquerading when KMR=off (#25111, @brb)
- ci-datapath: Fix issue where tests were wrongly reported as passing (#24813, @gandro)
- ci-datapath: Use QUAY_ORGANIZATION_DEV for Quay org name (#25052, @michi-covalent)
- ci: Disable wireguard in v1.13 conformance datapath (#24804, @pippolo84)
- ci: fix clustermesh workflows on stable branches (#25089, @nbusseneau)
- ci: fix status reporting in the ci-multicluster test (#24784, @giorio94)
- ci: Mark skipped matrix workflows as successful (#24922, @gandro)
- ci: move 4.19 complexity tests to tests-datapath-verifier GHA workflow (#24517, @tklauser)
- ci: remove STATUS commands from upstream tests' Jenkinsfile (#25046, @nbusseneau)
- conformance-k8s-kind: disable kindnet, enable log dumping (#24982, @squeed)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based one (#24996, @giorio94)
- Enable loadBalancer.acceleration=testing-only in some datapath conformance cases (#24738, @lmb)
- Enable previously disabled encryption tests on GKE (#24603, @brlbil)
- github/workflows: Enable DSR with WireGuard in ci-dp (#25039, @brb)
- jenkinsfiles: Fix order of ginkgo tests (#25002, @pchaigno)
- kind: Bump k8s version to 1.27.0 (#24841, @sayboras)
- Let renovatebot update Go toolchain version in a single MR (#24895, @tklauser)
- Mitigate GKE workflow flake (#24755, @brlbil)
- mlh: update Jenkins jobs following 1.27 support (#24983, @nbusseneau)
- mlh: update Jenkins jobs names (master > main) (#24958, @nbusseneau)
- Port verifier tests to Go (#24538, @ti-mo)
- renovate: Add explicit gitAuthor (#24739, @gandro)
- renovate: add packageRule group for cilium-cli (#24725, @tklauser)
- renovate: Update builder and runtime images once a week (#24846, @michi-covalent)
- renovate: Update Dockerfiles that use golang image weekly (#24877, @michi-covalent)
- Replace integration_tests build tag with INTEGRATION_TESTS env (#24925, @ti-mo)
- test/k8s: remove istio.go test (#24894, @aanm)
- test/Updates: Explicit error message on failure (#24920, @pchaigno)
- test: Avoid spamming logs in monitor aggregation test (#25152, @pchaigno)
- test: Block HubbleObserveFollow until ready (#25090, @pchaigno)
- test: Enable IPv6 masq for IPsec (#24885, @jschwinger233)
- test: Fix and unquarantine Skip conntrack test (#25038, @pchaigno)
- test: Fix consistent failure in IPv6 masquerading test (#25036, @pchaigno)
- test: Unquarantine host firewall + nodeport test (#25025, @pchaigno)
- test: Unquarantine IPv6 masquerading test (#25149, @pchaigno)
- tests: add exceptions for lease errors due to etcd (#24723, @jibi)
- tests: small fixups for the GENEVE-DSR e2e tests (#25062, @julianwiedmann)
- travis: Run on main branch (#25108, @pchaigno)
- Update EKS conformance tests to use both amd64 and arm64 hosts. (#24853, @chancez)
- Use cilium-cli latest stable version in conformance-datapath workflows (#24809, @pippolo84)
- vagrant: Bump Vagrant box versions (#24984, @pchaigno)
- vagrant: Default to 4.19 (#24950, @pchaigno)
- workflows/datapath: Fix always-passing step (#24918, @pchaigno)
- workflows/k8skind: Disable the flaky Aggregator test (#24989, @pchaigno)
- workflows: add the kind-based clustermesh conformance test for stable branches (#25029, @giorio94)
- workflows: Fix owner tag for stable branch workflows (#25158, @pchaigno)
- workflows: Run stable branches' L4LB workflows on a schedule (#25080, @pchaigno)
- workflows: Run stable branches' workflows on a schedule (#24991, @pchaigno)
Misc Changes:
- .github: Add mirror from main -> master (#24941, @joestringer)
- .github: Improve mirror workflow (#24962, @joestringer)
- Add a package for slices utilities (#25069, @pippolo84)
- Add Ascend.io to USERS.md (#24775, @thejosephstevens)
- Add Cistec User (#25104, @olinux-dev)
- Add Lorenz Bauer to committers (#24864, @xmulligan)
- Added a new job group system to manage the lifecycle of jobs within cells (#24558, @dylandreimerink)
- Adding United Cloud to adopters list (#25084, @carnerito)
- api: Add libraries to Pascalify API endpoints (#24967, @joestringer)
- auth: Enable ClusterFirstWithHostNet dnsPolicy conditionally (#24803, @sayboras)
- auth: Use authmap for auth_required policies (#24410, @jrajahalme)
- Avoid clearing objects in CiliumEndpoint conversion funcs (#24928, @aanm)
- bpf/Makefile: Delete duplicate LB_OPTIONS in Makefile (#24883, @jschwinger233)
- bpf: dsr: restore CB_SRC_LABEL across DSR-INGRESS tail-call (#24794, @julianwiedmann)
- bpf: init.sh: rename TUNNEL_MODE variable to TUNNEL_PROTOCOL (#24969, @julianwiedmann)
- bpf: minor LB cleanups (#25061, @julianwiedmann)
- bpf: nodeport: handle result from encap ctx_redirect() in revDNAT path (#25058, @julianwiedmann)
- bpf: nodeport: remove lb4_populate_ports() (#25063, @julianwiedmann)
- bpf: nodeport: trivial cleanups (#24732, @julianwiedmann)
- bpf: remove special handle for ICMPv6 echo targeting router IPv6 (#24921, @jschwinger233)
- bpf: simplify adding/removing types to alignchecker (#24736, @aspsk)
- bpf: small CT cleanups (#24686, @julianwiedmann)
- bpf: test: Fix the byte order in the IPV4 macro (#25114, @gentoo-root)
- bugtool: improve ss output (#24334, @squeed)
- build(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible (#24753, @dependabot[bot])
- chore(deps): update actions/setup-go action to v4 (main) (#24981, @renovate[bot])
- chore(deps): update actions/stale action to v8 (main) (#25047, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#24995, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#24513, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.13.2 (main) (#25027, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.3 (master) (#24703, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (master) (#24639, @renovate[bot])
- chore(deps): update github/codeql-action action to v2.2.12 (main) (#25034, @renovate[bot])
- chore(deps): update go to v1.20.3 (main) (patch) (#24980, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.52.2 (master) (#24722, @renovate[bot])
- clustermesh: remote services handling misc improvements (#24515, @giorio94)
- CODEOWNERS: Add cilium/ipcache for pkg/source (#25176, @christarazi)
- configmap & utime sync: provide via hive cell (#24830, @mhofstetter)
- contrib/kind: adapt clustermesh related make targets to recent changes (#24693, @giorio94)
- contrib: detect pre-release version correctly (#24708, @aanm)
- contrib: Fix codegen script to avoid double make (#24718, @joestringer)
- daemon, ipam: omit IPAM mode check before calling ipam.Allocator.RestoreFinished (#25041, @tklauser)
- daemon/cmd: fix a couple of func doc string (#25030, @cuishuang)
- daemon: Mark CES feature as beta in agent flag (#24850, @pchaigno)
- daemon: Remove execute bit from test (#25150, @joestringer)
- datapath: Switch to LPM policy map (#23885, @jrajahalme)
- docs/contributing: update CRD registration instructions (#25008, @tklauser)
- docs: Add matrix version between envoy and cilium (#25109, @sayboras)
- docs: Fix upgradeCompatibility references (#24711, @joestringer)
- docs: Mention caveats about kube-proxy replacement config changes (#24531, @aditighag)
- docs: Note that CiliumEndpointSlice and K8s' EndpointSlice are distinct (#24842, @qmonnet)
- docs: small fixes for k8s upgrade guide (#24869, @tklauser)
- Document known kube-apiserver policy bug (#24868, @squeed)
- egressgw: change special values for gatewayIP (#24449, @MrFreezeex)
- egressgw: policy: stop iterating through nodes after first match (#24898, @jibi)
- envoy: Debug log remote IDs for Envoy policies (#24939, @jrajahalme)
- envoy: Support more envoy image tag formats (#24750, @sayboras)
- Expose bpf-lb-sock-hostns-only in cilium status (#24570, @romanspb80)
- feat: add teuto.net to USERS (#25088, @cwrau)
- Fix bug that causes traffic not to be encrypted when WireGuard node encryption is enabled. (#24903, @3u13r)
- Fix missed clustermesh config change race condition with back-to-back changes (#24993, @giorio94)
- Fix typo in doc: network/concepts/ipam/crd.rst (#24908, @takp)
- fix(deps): pin dependencies (master) (#24881, @renovate[bot])
- helm: add clustermesh nodeport config warning about known bug #24692 (#25033, @giorio94)
- helm: Fix typo in dashboard path (#24733, @jcpunk)
- helm: Ignore .github folder in .helmignore (#24719, @darox)
- hive: Add support for config overrides in tests (#24597, @joamaki)
- hubble: improve hubble lost event log rate limit (#24720, @kaworu)
- identity/cache: don't panic in CachingIdentityAllocator.Close() (#24694, @lmb)
- images/builder: update proto dependencies (#24328, @rolinh)
- Implement commands for listing per-cluster CT/SNAT maps (#24629, @YutaroHayakawa)
- Improve clustermesh's users management test reliability (#24917, @giorio94)
- init.sh,loader: load overlay programs in Go (#24876, @rgo3)
- init.sh: move socketlb creation into own pkg (#23557, @rgo3)
- ipam/allocator: remove unused Allocator methods (#25053, @tklauser)
- k8s/watchers: Fix erroneous warning logs due to empty CIDRGroupRef (#25072, @christarazi)
- k8s: api: clean up CRD versioning (#24671, @julianwiedmann)
- k8s: remove unused singular CRD name consts (#25003, @tklauser)
- loader: Don't compile .asm files by default (#24769, @pchaigno)
- make: use vendored goimports to format generated APIs (#24810, @tklauser)
- Modularize API server (api/v1/server) (#24016, @joamaki)
- Move ct_lookup in bpf_host.c to a separate tailcall (#23831, @gentoo-root)
- Move policy package over to asynchronous IPCache API (#20116, @joestringer)
- node/manager: Only remove old IPs if they weren't already added (#25067, @christarazi)
- Operator api server modularization (#24228, @pippolo84)
- operator/cmd: Move Cilium Operator version log earlier (#25018, @christarazi)
- pkg/bandwidth: add error for bandwidth manager not being enabled (#24715, @aanm)
- pkg/cgroups: Prune excessive debug logging (#24815, @aditighag)
- pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (#24770, @aditighag)
- pkg/service: Extend unit test cases (#24742, @aditighag)
- Prepare for release v1.14.0-snapshot.1 (#24695, @aanm)
- Remote node identities are enabled by default in the Cilium agent. They have already been enabled by default in the Helm charts since Cilium version 1.7. (#24874, @tklauser)
- Rename master branch to main (#24717, @joestringer)
- renovate: group golangci-lint updates (#24688, @mhofstetter)
- Revert "mlh: update Jenkins jobs following 1.27 support" (#25151, @pchaigno)
- Revert "Update k8s tests and libraries to v1.27.0" (#25044, @pchaigno)
- Service Mesh mTLS: BPF map auth provided by hive cell (#24406, @mhofstetter)
- source: Reorder sources based on strength (#25175, @christarazi)
- statedb: An in-memory database (#24523, @joamaki)
- test-l4lb: Use QUAY_ORGANIZATION_DEV as the Quay org name (#25050, @michi-covalent)
- treewide: Fix code comment stutters (#24940, @joestringer)
- Update NYTimes User (#25023, @abebars)
- update readme with v1.14.0-snapshot.1 (#24707, @aanm)
- Update stable releases (#24960, @michi-covalent)
- Update the documentation for required IAM policy rights needed for Cilium to work in EKS. (#25078, @toredash)
- Update threat model (#24760, @ferozsalam)
Docker Manifests
v1.14.0-snapshot.1
We are pleased to release Cilium v1.14.0-snapshot.1.
Summary of Changes
Major Changes:
- Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#24263, @meyskens)
- cilium: fib lookup consolidation (#23884, @borkmann)
- The Cilium operator now taints nodes where Cilium is scheduled to run but is not running. This prevents pods from being scheduled on nodes without Cilium. The CNI configuration file is no longer removed on agent shutdown. This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade. This should help prevent nodes accidentally entering an unmanageable state. It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#23486, @squeed)
Minor Changes:
- [SNAT] add "need to frag" ICMP support (#18414, @sahid)
- Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#23968, @meyskens)
- Add hubble_lost_events_total metric for the number of events lost by Hubble. (#22865, @lambdanis)
- bpf, ipcache: unconditionally assume support for LPM trie maps (#24258, @tklauser)
- clustermesh: enable per-cluster RBAC in etcd server (#24284, @giorio94)
- cmd/service: unify service list/get output (#24136, @oblazek)
- Disable by default CNP Node Status GC in cilium-operator. (#24390, @marseel)
- dns: Set --tofqdns-min-ttl to zero by default (#21439, @michi-covalent)
- envoy: Bump envoy to 1.24.3 (#24148, @sayboras)
- feat: optional bpf mount (#24161, @frezbo)
- helm: simplify TLS configuration of clustermesh peers (#24222, @giorio94)
- Hide --install-iptables-rules agent flag and remove installIptablesRules Helm flag (#24081, @pchaigno)
- hubble: traffic direction filter (#24120, @kaworu)
- Improve cilium monitor output for dropped packets: display source file names instead of numerical ids (#24143, @aspsk)
- Increase the default CiliumEndpointSlice sync time from 0 to 500ms (#23615, @dlapcevic)
- Integration of sample dashboards with Helm chart (#23794, @jcpunk)
- Make Envoy sockets for tproxy and the xDS API and bind to localhost only (#24011, @meyskens)
- Move poststart eni script to agent pod from nodeinit pod (#24134, @nebril)
- policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated, this has now been fixed. (#23927, @rockc2020)
- Prepare Cilium API for IPAM pools (#24248, @tklauser)
- Support L2-less devices with fast forward (bpf-based host routing) (#23935, @jschwinger233)
Bugfixes:
- Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (#24557, @jschwinger233)
- Add support for builtin kernel modules (#23953, @TheAifam5)
- Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (#24009, @squeed)
- agent: rework clustermesh config watcher for increased robustness (#24163, @giorio94)
- Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (#24156, @aanm)
- bpf: fix ipv6 extension header parsing error (#24309, @chenyuezhou)
- bpf: nodeport: fix handling of stale CT entry with CT_REPLY (#23894, @julianwiedmann)
- Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (#24339, @giorio94)
- daemon: fix panic when running with etcd with endpoint crd disabled (#24085, @tommyp1ckles)
- daemon: initialize datapath before compiling sockops programs (#24140, @jibi)
- endpoint: fix k8sNamespace log field when ep gets deleted (#24575, @mhofstetter)
- Fix a bug where users are unable to change a wrong remote etcd configuration (#24046, @oblazek)
- Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (#24619, @giorio94)
- Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (#24304, @dylandreimerink)
- Fix bug that would prevent IPsec from working with GENEVE encapsulation. (#24116, @borkmann)
- Fix bug where ingress policies for remote-node identities are not applied correctly when new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (#23764, @christarazi)
- Fix Cilium crash during network policy computation (#24322, @joestringer)
- Fix Cilium Operator from crashing when encountering empty node pools on Azure (#24189, @forgems)
- Fix deadlock in cilium-operator when using CiliumEndpointSlices (#24343, @alan-kut)
- Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (#23874, @sjdot)
- Fix failure to load the datapath for new pods on latest kernel when (almost) all datapath features are enabled. (#24405, @borkmann)
- Fix FIB lookup for traffic to a L7 service backend, when BPF host-routing is enabled and multiple external devices are configured. (#24182, @julianwiedmann)
- Fix for disabled cloud provider rate limiting (#24413, @hemanthmalla)
- Fix incorrectly dropping in-cluster traffic for L7 ingress resources (#23984, @sayboras)
- Fix IPv6 policy enforcement for SNATed traffic from the Host (#24132, @ysksuzuki)
- Fix panic in hubble http v2 metrics (#24350, @chancez)
- Fix Pod connectivity interruption during agent restart (#24336, @ti-mo)
- Fix some test failures for bpf_nat_test.c (#24534, @YutaroHayakawa)
- init.sh: fix cgroup program detachment and detach multiple progs with retry (#24118, @ti-mo)
- install: don't render role / rolebinding when agent disabled (#23877, @squeed)
- Service backends with publishNotReadyAddresses are able to receive traffic regardless of whether they are Terminating, since it is the user's intent to make them reachable despite their state. (#24174, @aojea)
- Set user-agent for k8s client with Cilium's version (#24275, @aanm)
- Solved an issue failing to forward traffic to Services if the Endpoint Slices had the same Address on different Slices (#24202, @aojea)
- When using KMR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (#22978, @julianwiedmann)
CI Changes:
- .github/workflows: re-enable coverage in BPF tests (#23291, @tklauser)
- .github/workflows: run datapath complexity tests directly in VM (#24117, @tklauser)
- .github: Rename failure step in actions (#24437, @joestringer)
- Add 1.13 conformance test (#24033, @aanm)
- bpf,test: Add an option to disable coverage report per file (#24338, @YutaroHayakawa)
- bpf/Makefile: Cover VTEP in compile tests (#24106, @pchaigno)
- bpf/test: Add unit test to check whether netpol drops result in metric counter increment (#24469, @brb)
- bpf: Update checkpatch image (#24215, @qmonnet)
- bpf: Various fixes for MAX_*_OPTIONS and support for 5.10 (#24122, @pchaigno)
- ci: don't use ./contrib/scripts/kind.sh --xdp in 1.13 workflow (#24611, @tklauser)
- ci: fix datapath complexity workflow (#24528, @tklauser)
- ci: fix missing timeout in Cyclonus test (#24529, @nbusseneau)
- ci: quarantine K8sAgentIstioTest (#24476, @nbusseneau)
- cocci: Fix Python path for coccilib (#24430, @qmonnet)
- contrib/kind: no longer create local docker registry (#24541, @squeed)
- datapath/linux/route: fix CI expectations for rule string format (#24577, @NikAleksandrov)
- drop v1.10 support for eks tests (#24037, @aanm)
- egressgw: test: switch to WaitForEgressPolicyEntries (#24097, @jibi)
- Enable egress gateway in datapath CI (#24210, @lmb)
- Enable testing of BPF programs requiring XDP_TX in CI (#24250, @lmb)
- Fix broken target_url for conformance-clustermesh (#24315, @YutaroHayakawa)
- Fix execution of coccinelle checks (#24392, @qmonnet)
- Fix race conditions when deleting CNP / CCNP in e2e tests (#24484, @jschwinger233)
- Fixed flake in the TestRequestIPWithMismatchedLabel LB-IPAM tests. (#23297, @dylandreimerink)
- gateway-api: Fix flaky conformance tests (#24317, @sayboras)
- gh/workflows: Enable Host FW in ci-dp (#24429, @brb)
- gh/workflows: Split ci-dp encrypt tests into separate matrix configs (#24296, @brb)
- gha: Clean-up Ingress/GatewayAPI Conformance tests (#24025, @sayboras)
- gha: Run kubernetes Conformance and SIG-network tests (#24209, @aojea)
- Increase timeout waiting for resources in Ingress conformance test (#24388, @meyskens)
- Migrate L7 TLS Ginkgo tests to cilium-cli (#24414, @meyskens)
- renovate: Add packageRule group for Hubble CLI (#24637, @gandro)
- renovate: automate golangci-lint upgrades (#24664, @mhofstetter)
- renovate: Fix Hubble release digest regex (#24477, @gandro)
- Revert ".github/workflows: run datapath complexity tests directly in VM" (#24535, @tklauser)
- Run latest fuzzers in OSS-Fuzz (#22580, @AdamKorcz)
- test/k8s: remove k8s agent health tests (#24433, @tklauser)
- test/verifier: Fix compilation command (#24412, @pchaigno)
- test: add cluster mesh conformance tests with Kind (#23496, @giorio94)
- test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (#24144, @joestringer)
- test: gather containerd logs on failure (#24133, @squeed)
- test: Remove RuntimeDatapathLB (#24245, @brb)
- test: Remove some {DP,Services} Ginkgo test cases (#24223, @brb)
- test: Update 1.26 k8s version (#24569, @sayboras)
- workflow: enable pod-to-cidr tests (#23986, @brlbil)
- workflows/externalworkload: Avoid using `--config` when unnecessary (#24567, @pchaigno)
- workflows: Cover IPsec + GENEVE (#24125, @pchaigno)
- workflows: l4lb/verifier: fix skip-test-run job (#24072, @jibi)
- workflows: l4lb/verifier: replace tabs with spaces (#24108, @jibi)
Misc Changes:
- .gitattributes: Mark install/kubernetes/cilium/README.md as generated (#24295, @qmonnet)
- .github: set right project to track v1.13 backport MRs (#24157, @aanm)
- .github: skip confirmation prompts on cosign (#24456, @aanm)
- Add a hint about using Vagrant on Apple Silicon (#24626, @brandshaide)
- add better errors for our calls to Setsockopt() (#24287, @squeed)
- Add BPF test facility to test skb->cb (#24181, @YutaroHayakawa)
- add helm option to customize nodeinit scripts (#24375, @mblaschke)
- Add link to threat model in security policy (#24673, @ferozsalam)
- Add make commands for setting up clustermesh in kind (#24190, @marseel)
- Add Palark GmbH to USERS.md (#24421, @shurup)
- Add Proton to USERS (#24636, @MrFreezeex)
- Add User DaimlerTruck AG (#24408, @brandshaide)
- Add User doc to MR Template (#24186, @xmulligan)
- Added ClickHouse to users (#24532, @tsolodov)
- Adds a new NOTRACK rule for node-local-dns (#24230, @Weil0ng)
- agent: install CNI plugin binary in an InitContainer (#24075, @squeed)
- alignchecker: fully parse structures (#24365, @aspsk)
- auth: define auth handlers as private hive cell (#24074, @mhofstetter)
- Avoid clearing objects in conversion funcs (#24241, @odinuge)
- bgp: extract exportPodCIDRReconciler logic into a generic function (#24546, @jibi)
- bpf, datapath: unconditionally assume support for direct access to map values (#24504, @tklauser)
- bpf, datapath: unconditionally assume support for LRU hash maps (#24378, @tklauser)
- bpf, ebpf: remove GetMapType() and mock probing (#23634, @rgo3)
- bpf, ipcache: unconditionally assume LPM trie delete/dump support (#24377, @tklauser)
- bpf,test: Define BPF_TEST macro for map-in-map/prog-map initialization (#24127, @YutaroHayakawa)
- bpf/nat: remove unnecessary nexthdr variable (#24537, @sahid)
- bpf/wireguard: Skip encryption for cluster-external traffic (#24586, @pchaigno)
- bpf: dsr: don't track L2 addresses for DSR traffic (#24524, @julianwiedmann)
- bpf: Fix VTEP compilation error (#24152, @pchaigno)
- bpf: fixes for IPv6 revNAT (#24610, @julianwiedmann)
- bpf: Inter-cluster SNAT with ClusterIP global service (#24212, @YutaroHayakawa)
- bpf: lb: small cleanups (#24320, @julianwiedmann)
- bpf: misc cleanups (#24291, @julianwiedmann)
- bpf: nodeport cleanups (#23965, @julianwiedmann)
- bpf: nodeport: don't track L2 addr for connection to local backend (#24324, @julianwiedmann)
- bpf: remove a redundant IPcache lookup in from-host (#24107, @julianwiedmann)
- bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (#24271, @borkmann)
- Break import cycles and move the datapath cell to datapath/cell.go (#24337, @bimmlerd)
- bug: Fix Potential Nil Reference in GetLabels Implementation (#24416, @nathanjsweet)
- bugtool: Add ingress/egress tc filter dump (#24057, @joestringer)
- bugtool: simplify `removeIfEmpty` with more efficient `os.ReadDir` (#24566, @Juneezee)
- Bump version in Readme and fix script (#24459, @aanm)
- Bumped CoverBee version to v0.3.2 (#24180, @dylandreimerink)
- Check IP Family for LB source range (#24273, @sugangli)
- checker: Fix incorrect checker for ExportedEqual() (#24373, @christarazi)
- chore(deps): update all github action dependencies (master) (minor) (#24280, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#24278, @renovate[bot])
- chore(deps): update aws-actions/configure-aws-credentials action to v2 (master) (#24281, @renovate[bot])
- chore(deps): update base-images (master) (#24102, @renovate[bot])
- chore(deps): update base-images (master) (#24439, @renovate[bot])
- chore(deps): update dependency google/gops to v0.3.27 (master) (#24005, @renovate[bot])
- chore(deps): update docker.io/library/alpine:3.17.2 docker digest to `ff6bdca` (master) (#24354, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24231, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24232, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.1 docker digest to `52921e6` (master) (#24103, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `149531e` (master) (#24614, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `ddde70b` (master) (#24254, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (master) (#24465, @renovate[bot])
- chore(deps): update sigstore/cosign-installer action to v3 (master) (#24282, @renovate[bot])
- chore: Update json-mock image (#24173, @sayboras)
- ci: only report status after matrix jobs are done (#23865, @spacewander)
- ci: update cilium-cli etcd version to v3.5.4 (#24028, @kahirokunn)
- cilium, docs: Move sig-datapath meeting to on-demand only (#24205, @borkmann)
- clustermesh-apiserver: ExternalTrafficPolicy and internalTrafficPolicy can now be changed. (#24166, @kahirokunn)
- clustermesh: fix client usage when setting the cluster configuration (#24591, @giorio94)
- clustermesh: reduce memory consumption due to non-shared services (#23948, @giorio94)
- cocci: Work around a bug in coccinelle to better check files, add a few missing `const` qualifiers to BPF code (#24606, @qmonnet)
- CODEOWNERS: include @cilium/sig-datapath for all datapath specific CI changes (#24487, @tklauser)
- contrib: Add support for snapshot releases (#24092, @joestringer)
- contrib: Remove deb,rpm packaging (#23081, @joestringer)
- daemon: Check for leaked goroutines from the agent cell (#24076, @joamaki)
- daemon: ignore EEXIST on NodeEnsureLocalIMRule (#24645, @tklauser)
- daemon: move circular initialization of policy.Repository to hive (#24073, @lmb)
- daemon: use the real err instead of a nil one (#24115, @spacewander)
- doc: Fixed CiliumNode CRD fields for cluster-pool doc (#24428, @PhilipSchmid)
- doc: kubeProxyReplacement=strict / kube-proxy co-existence (#24407, @PhilipSchmid)
- doc: update masquerading.rst to reflect new support for icmp (#24556, @sahid)
- Docs: Add `policy_implementation_delay` to metrics (#22998, @learnitall)
- docs: Add a comparison table for IPAM modes (#24285, @raphink)
- docs: Add contact link to threat model (#24674, @ferozsalam)
- docs: add note that there are two Cilium CLIs (#24435, @lizrice)
- docs: Add section on development and RC images (#24424, @borkmann)
- docs: Cleanup and update list of supported drivers for XDP (#24398, @pchaigno)
- docs: Document CONFIG_PERF_EVENTS requirement (#24055, @joestringer)
- docs: Document kernel requirement for L3 devices support (#24101, @pchaigno)
- docs: Document the threat model for Cilium (#24497, @ferozsalam)
- docs: Endpoints are local to the node on which the cilium agent is running. (#24017, @tnorlin)
- docs: Fix Makefile target name in CODEOWNERS update hint (#24583, @ferozsalam)
- docs: fix Rule spec document typos (#24319, @nrnrk)
- docs: fix Rule spec document typos (#24443, @nrnrk)
- docs: fix typo in operations/troubleshooting.rst (#24460, @NikAleksandrov)
- docs: Fixing typo in description of label release-note/ci (#24665, @mhofstetter)
- docs: Improve description of the installation steps to run cilium documentation locally (#24056, @kayceeDev)
- Docs: Move Maintainers to Committers (#24124, @xmulligan)
- docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (#24099, @qmonnet)
- docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (#24164, @jspaleta)
- docs: Update egress gateway limitations (#24244, @pchaigno)
- docs: Update the documentation for the `--conntrack-gc-interval` flag (#24400, @pchaigno)
- Documentation: add migration document (#23751, @squeed)
- Documentation: add section to roadmap about modularization (#24096, @joamaki)
- documentation: remove release docs (#24463, @aanm)
- egressgateway: provide a very basic Cell (#24330, @lmb)
- Emit full verifier logs to agent logs and verifier.log in the endpoint directory (#24506, @ti-mo)
- endpoint: correctly log IPv6 addresses (#24255, @tklauser)
- endpoint: Update comments for ToMapState() usage (#24321, @joestringer)
- envoy: Avoid using deprecated field (#24043, @sayboras)
- envoy: remove unnecessary wait and log message after starting envoy (#24455, @mhofstetter)
- examples: setup HUBBLE_SERVER for the Hubble CLI Deployment (#24154, @kaworu)
- Fix a typo in pkg/option/config.go (#23731, @meyskens)
- Fix comment error about monitorNotify in `pkg/datapath/ipcache/listener.go`. (#23963, @hxysayhi)
- Fix duplicated logs for test-output.log (#24171, @romanspb80)
- Fix misleading use of bpf_ntohl (#24483, @lazybetrayer)
- Fix possible race condition in the clustermesh's users management test (#24652, @giorio94)
- fix(deps): pin dependencies (master) (#24147, @renovate[bot])
- fix(deps): pin dependencies (master) (#24277, @renovate[bot])
- fix(deps): pin dependencies (master) (#24299, @renovate[bot])
- fix(deps): pin dependencies (master) (#24438, @renovate[bot])
- fix(deps): pin dependencies (master) (#24659, @renovate[bot])
- fix(deps): update all go dependencies master (master) (#23987, @renovate[bot])
- fix(deps): update all go dependencies master (master) (patch) (#23982, @renovate[bot])
- fix(deps): update all go dependencies master (master) (patch) (#24149, @renovate[bot])
- fix(deps): update all go dependencies master (master) (patch) (#24279, @renovate[bot])
- fix(deps): update all go dependencies master to v2 (master) (major) (#24110, @renovate[bot])
- fix(deps): update module google.golang.org/protobuf to v1.29.1 [security] (master) (#24376, @renovate[bot])
- fix(deps): update module gopkg.in/yaml.v2 to v3 (master) (#24112, @renovate[bot])
- fix: Flag --ipv4-native-routing-cidr update in cli (#23643, @deepeshaburse)
- Fix: Link Security Team (#24135, @xmulligan)
- Fixed panic when generating code coverage report of eBPF tests (#24094, @dylandreimerink)
- Generate preprocessed C source with BPF tests (#24093, @YutaroHayakawa)
- Get CEP from k8s cache during initialization. (#24340, @marseel)
- gha: Skip flaky test HTTMRouteHeaderMatching in GatewayAPI (#24169, @sayboras)
- gha: Skip HTTMRouteListenerHostnameMatching test temporarily (#24521, @sayboras)
- go.mod, golangci-lint: update base Go version to 1.20 (#24113, @tklauser)
- golangci-lint: Update to v1.51.2 (#24153, @mhofstetter)
- helm: Add support of additional labels to hubble ui ingress (#24077, @ReillyBrogan)
- helm: Parameterize image registries in Makefile.values (#24635, @michi-covalent)
- hive: fix documentation for cell.Provide & cell.ProvidePrivate (#24238, @mhofstetter)
- hubble-ui: allow ingress from non root `/` urls (#23631, @geakstr)
- hubble: Use netip.Addr instead of net.IP in getter functions (#23143, @lambdanis)
- Implement GC for per-cluster CT/SNAT maps (#24576, @YutaroHayakawa)
- Increase logging verbosity of Kubernetes API Server in kind (#24384, @marseel)
- ingress: Avoid potential nil pointer during cleanup (#24444, @sayboras)
- ingress: Improve coverage with unit tests (#24684, @sayboras)
- Install fib rules and routes with proto kernel to avoid systemd messing with them (#24288, @NikAleksandrov)
- ipam: add method to get IP owner per pool (#24358, @tklauser)
- k8s api: remove status documentation from CRD CiliumIdentity (#24512, @mhofstetter)
- k8s/watchers: Fix calling Done() with proper error (#24616, @christarazi)
- kvstore/etcd: don't use atomic type for version check timeout (#24360, @tklauser)
- Makefile: new target kind-debug to debug cilium operator & agent in kind cluster (#23898, @mhofstetter)
- nodemanager: inject ipcache into nodemanager via hive (#24261, @mhofstetter)
- operator, hive, k8s: don't call workerpool.New from hive constructors (#24419, @tklauser)
- operator, k8s: Prevent CEC watcher goroutine leak (#24316, @yulng)
- operator/cmd: add goleak check to TestOperatorHive (#24431, @tklauser)
- operator: fix deadlock when running in kvstore mode (#24631, @giorio94)
- Operator: Move leader election to a separate Kubernetes client (#24267, @alexkats)
- operator: Remove duplicated package import (#24078, @pippolo84)
- Optimize `PrefixString()` (#23201, @christarazi)
- Optimize GetControllerName for CNP (#23717, @marseel)
- option: Skip `NodeEncryptionOptOutLabels` when marshalling to json (#24470, @gandro)
- pkg/ipcache: add ipcacher interface (#24274, @aanm)
- pkg/stream: Simplify ToChannel usage (#24432, @joamaki)
- policy: lazily start SelectorCache.handleUserNotifications (#24325, @lmb)
- policy: track policy rule origin per selector (#23811, @bimmlerd)
- policy: Utilize the DistillPolicy() code path in tests (#24402, @christarazi)
- Pprof modularization (#24114, @pippolo84)
- Preparatory refactoring for IPAM pools (#24247, @tklauser)
- README.rst: Fix broken link to L7 policies (#24488, @PriyaSharma9)
- README.rst: Fix timezones in details for community meeting (#24520, @qmonnet)
- Refactor CRD generation in Makefile (#24615, @christarazi)
- Refactor generate-k8s-api in Makefile (#24651, @mhofstetter)
- refactor: move CRD registration to separate cell (#24219, @knight42)
- renovate: Add stop updating label (#24065, @sayboras)
- renovate: fix config file format (#24109, @tklauser)
- renovate: update source import paths on Go module major updates (#24003, @tklauser)
- Revert "docs: fix Rule spec document typos" (#24418, @aditighag)
- Revert https://github.com/cilium/cilium/pull/24288 (#24676, @aanm)
- Service Mesh mTLS: auth request & response (#24159, @mhofstetter)
- Service Mesh mTLS: Inject IPCache into auth manager via hive (#24259, @mhofstetter)
- Service Mesh mTLS: introduce auth map (#24218, @mhofstetter)
- Service Mesh mTLS: suppress policy verdict notification for authenticated packets (#24352, @mhofstetter)
- test: bump upgrade tests to test 1.13 (#23790, @aanm)
- tools/maptool: correctly build with CGO_ENABLED=0 if not in RACE mode (#24142, @tklauser)
- use atomic.Pointer instead of bare LoadPointer (#23971, @lmb)
- Use resource for CNPs and CCNPs (#24509, @pippolo84)
- USERS.md: Add Polar Signals (#24158, @brancz)
- versioncheck: fix parsing of snapshot release versions (#24286, @tklauser)
v1.14.0-snapshot.0: 1.14.0-snapshot.0
Summary of Changes
Major Changes:
- Add WireGuard host2host and LB encryption (#19401, @brb)
- policy: Promote Deny Policies from Beta to Stable (#22966, @nathanjsweet)
Minor Changes:
- Add CLI command to dump cgroups metadata (#23641, @alexkats)
- Add flag to configure the size of the egress gateway policy map (#23019, @cyclinder)
- Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#22731, @marqc)
- Add pod-name hubble metrics context for pod name label without namespace (#23199, @chancez)
- Add support for the `ingressclass.kubernetes.io/is-default-class` annotation on Cilium's IngressClass (#23719, @meyskens)
- alibabacloud: Support selecting subnet by IDs (#23131, @jaffcheng)
- Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#22866, @akhilles)
- Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#22911, @lvyanru8200)
- cilium/cmd: Remove deprecated policy_trace command (#23550, @sayboras)
- egressgw: add support for excludedCIDRs (#23448, @jibi)
- Enable configuration of the source IP verification per endpoint (#23985, @pchaigno)
- envoy: Bump envoy to 1.24.2 (#23940, @sayboras)
- Expand agent metric Policy Import Errors to count all policy changes (#23349, @dlapcevic)
- Fix docker-cilium-image target for DOCKER_FLAGS=--push (#23679, @pippolo84)
- gateway-api: Bump version to v0.6.0 (#22680, @sayboras)
- helm: Add pod and container security context (#23443, @sayboras)
- helm: Add SA automount configuration (#23441, @sayboras)
- helm: Add support of annotations in hubble ui service (#23709, @brnck)
- helm: use Helm hooks instead of Job unique name (#23102, @sathieu)
- hubble-relay: deprecate peer svc through local unix domain socket (#23407, @kaworu)
- ingress: Add loadBalancerIP and loadBalancerClass (#22670, @oliver-ni)
- install/kubernetes: make image digests for all components optional & configurable (#22732, @rastislavs)
- ipam/crd: Add new flag for configuring CiliumNode update rate (#23017, @jaffcheng)
- metrics: support toggle bootstrap times metric via daemon config (#22643, @ArthurChiao)
- Modify operator metric CES errors sync to count all CES sync events (#23335, @dlapcevic)
- operator: proper rolling update (#23589, @mhofstetter)
- option,helm: Add a flag to opt out from support for Kubernetes NetworkPolicy in Cilium (#23127, @ChengyuanLiCY)
- Return better error codes from hooked syscalls, such as connect() and bind(). (#22965, @gentoo-root)
- sysdump: Added Kubernetes CNI logs to sysdump. (#23937, @marseel)
Bugfixes:
- bpf: Fix broken remote-node identity classification (#23091, @ysksuzuki)
- clustermesh: fix cluster synchronization wait group increment (#23741, @giorio94)
- clustermesh: fix services cache bloat due to incorrect deletion (#23947, @giorio94)
- datapath: Do not send ICMP6 NA over cilium_wg0 (#23969, @brb)
- datapath: Fix L7 reply to outside when endpoint routes disabled (#21980, @brb)
- egressgw: update all internal caches once k8s state is synced (#24034, @jibi)
- Fix bug that would prevent SRv6 decapsulation when BPF Host Routing was disabled. (#23825, @ldelossa)
- Fix memory leak caused on clustermesh reconnect. (#23785, @oblazek)
- Fix operator crash race condition for CES identity map concurrent read/write (#23605, @dlapcevic)
- Fix restoreServicesLocked() potential nil pointer panic (#23446, @dlapcevic)
- fix(helm): add missing updateStrategy to hubble-ui deployment (#23975, @mhulscher)
- Fixes a bug where the Helm value `cni.configMap` no longer worked. (#23743, @squeed)
- Fixes a memory leak and (possible) source of stale data for Clustermesh whenever the connection to the remote cluster is disrupted or restarted. (#23532, @squeed)
- gateway-api: Combine metrics registry with operator (#23501, @sayboras)
- Hubble Relay: fix reported uptime (#23966, @rolinh)
- ipam/crd: Fix panic due to concurrent map read and map write (#23713, @gandro)
- kvstore: prevent deletion delay for node-unrelated events (#23745, @giorio94)
- Parses the IP addr passed as CIDR from the delegated IPAM and then use the IP addr from the parsed prefix. (#22918, @vipul-21)
- Removed unnecessary updates to service status by MetalLB (#23210, @ysksuzuki)
- Revert "datapath: Remove 2005 route table" (#23346, @brb)
- Support IPv4 DSR for packets with IP options. (#23810, @julianwiedmann)
- watchers: endpointsync can manage already owned CiliumEndpoints. (#23499, @tommyp1ckles)
CI Changes:
- .github: Clean up RBAC artifacts for v1.13 CI (#22823, @joestringer)
- .github: Pin docker buildx version to v0.9.1 (#23206, @joestringer)
- [UT]improve network_policy_test.go for apiversion (#22591, @my-git9)
- Add initial fuzz coverage of linux node handler. (#22577, @AdamKorcz)
- bpf/test: Get rid of 4.9 leftovers (#23399, @brb)
- bpf/tests: fix mac addresses definitions in egressgw test (#23351, @jibi)
- build: Generate SBOM during image release (#23221, @joestringer)
- ci/multicluster: Re-enable WireGuard testing (#22815, @gandro)
- ci: Disable WireGuard in ci-multicluster again (#23045, @gandro)
- ci: remove GKE from Jenkins jobs (#23826, @nbusseneau)
- ci: remove test namespace deletion workaround in GKE v1.12 workflow (#22655, @tklauser)
- ci: replace deprecated set-output command in integration test workflow (#23633, @tklauser)
- CI: switch to registry.k8s.io (#23821, @ameukam)
- ci: update cilium-cli to v0.12.12 (#23030, @tklauser)
- Disable failing encryption connectivity tests on GKE (#23183, @brlbil)
- Fix k8s podCIDRs for vagrant deployment (#22786, @romanspb80)
- Fix potential panic logic for checker.go (#22354, @yanggangtony)
- gh/workflow: Remove specific GKE 1.24.5 version (#23164, @brlbil)
- gh/workflows: Fix encryption installation in ci-datapath (#23325, @brb)
- gha: Bump timeout to 90 minutes for build commit. (#23996, @sayboras)
- gha: Run integration tests in GHA (#22900, @sayboras)
- kludge: hardcode Google Cloud SDK key due to error 500 (#24045, @nbusseneau)
- lint: enable gosec G402 (minimum TLS version) (#23247, @kaworu)
- mlh: update Jenkins jobs following removal of kernel 4.9 support (#23822, @nbusseneau)
- Move datapath verifier tests into GH actions workflow (#22754, @tklauser)
- pin managed clusters' K8s version on stable branches (#22724, @nbusseneau)
- pkg/k8s: Clean-up: Remove duplicate package import in pkg/k8s/factory_functions_test.go (#23433, @my-git9)
- policy: add two more fuzzers (#22336, @AdamKorcz)
- Quarantine "K8sDatapathConfig Iptables Skip conntrack for pod traffic test. (#23824, @marseel)
- resource: Work around a rare race in initial sync (#23292, @joamaki)
- Revert "build: Generate SBOM during image release" (#23204, @ldelossa)
- Revert "Use workflow configuration variables for quay organization na… (#23169, @michi-covalent)
- test, jenkinsfile: Clean up natnetworks in CI after test run (#22704, @pchaigno)
- test/Vagrantfile: Debug information for natnetwork (#22675, @pchaigno)
- test/Vagrantfile: Don't hide natnetwork errors (#22702, @pchaigno)
- test: add comments for NFS's IP ranges on local CI VM scripts (#22934, @Shunpoco)
- test: Bump timeout of service plumbing check (#23439, @pchaigno)
- test: Dump VirtualBox version used in CI jobs (#22701, @pchaigno)
- test: Enable Envoy trace logs for TLS test (#22646, @jrajahalme)
- test: ensure cleanup in hubble "test L7 flow" (#23525, @giorio94)
- test: Exclude per-endpoint object files from artifacts (#23382, @pchaigno)
- test: Get rid of 4.9 pipeline (#23343, @brb)
- test: Remove unused `SkipGKEQuarantined` helper (#23354, @pchaigno)
- test: Unquarantine K8sDatapathConfig Encapsulation (#22674, @pchaigno)
- test: Unquarantine tests for iptables-based masquerading (#23228, @pchaigno)
- test: Unquarantine working FQDN test (#23357, @pchaigno)
- test: Update policy for hairpin flow validation (#23480, @aditighag)
- Update image registry to quay.io (#23093, @obaranov1)
- Use workflow configuration variables for quay organization names (#23145, @michi-covalent)
- vagrant: bump box versions to pick up Go 1.20.1 (#23983, @tklauser)
- vagrant: Bump VM images to the latest versions (#22781, @pchaigno)
- workflow: Cover VXLAN + IPsec + endpoint routes in datapath tests (#23396, @pchaigno)
- workflow: Disable monitor aggregation in IPv6 smoke test (#23816, @pchaigno)
- workflow: enable pod-to-world tests (#23103, @brlbil)
- workflow: Reenable L7 tests on EKS + IPsec (#22617, @pchaigno)
- workflows: add trigger sentence in ci-verifier workflow file (#23587, @kaworu)
- workflows: Pin gke to 1.24.5 (#22798, @joamaki)
Misc Changes:
- .gitattributes: Highlight Jenkinsfiles as Groovy (#23435, @pchaigno)
- .gitattributes: Mark install/kubernetes/cilium/values.yaml as generated (#24007, @qmonnet)
- .github: fix renovate docker image update (#23229, @aanm)
- .github: fix renovate's config file (#23231, @aanm)
- @errordeveloper is no longer an active committer (#23293, @errordeveloper)
- [cilium cmd] fix wrong notes. (#22871, @yanggangtony)
- [cilium-cmd bpf-metrics-list] return first when []*metricsRow is nil. (#22873, @yanggangtony)
- [UT] k8s/utils/util.go ut enhancement (#23680, @my-git9)
- add CNCF Resources and Link CoC to Governance docs (#23689, @xmulligan)
- add Cosmonic to the Users file (#23290, @xmulligan)
- Add fuzzer for `pkg/fqdn` (#22519, @AdamKorcz)
- Add information about securing access to Cilium pods and provide a single page security reference (#23599, @zacharysarah)
- Add leader requirement to watch from Etcd. (#23590, @marseel)
- add renovate support for go mod (#23864, @aanm)
- Add Robinhood Markets to Cilium USERS.md (#24026, @madhusudancs)
- Add S&P Global to Users (#23700, @xmulligan)
- add toEntities/fromEntities CRD description missing options (#22279, @slayer321)
- add versioning schema for WireGuard in Renovate (#24015, @aanm)
- Added link to CFP Design repo (#23792, @xmulligan)
- Adding eni limits for missing aws instances of families `c7g`, `m6idn`, `m6in`, `m7g`, `r6idn`, `r6in`, and `r7g` (#23835, @muratso)
- agent: dump stack on stale probes (#23915, @squeed)
- Alibabacloud API request performance improvements (#22478, @jaffcheng)
- auth: introduce hive cell (modularization) (#24041, @mhofstetter)
- bpf & envoy: Add support for authentication on ingress policies (#23839, @mhofstetter)
- bpf: Consistent usage of `MARK_MAGIC_` constants (#23125, @pchaigno)
- bpf: encap: endianness cleanups (#23931, @julianwiedmann)
- bpf: Fix usage of tunnel map structs (#23469, @pchaigno)
- bpf: handle VLAN before XDP meta-data in from-netdev (#24063, @julianwiedmann)
- bpf: Introduce per-cluster conntrack maps (#22857, @YutaroHayakawa)
- bpf: L3 cleanups (#23876, @julianwiedmann)
- bpf: lb: introduce an optimized CT lookup (#22936, @julianwiedmann)
- bpf: minor CT cleanups (#23718, @julianwiedmann)
- bpf: minor improvements to XDP punt with XFER_PKT_NO_SVC (#23106, @julianwiedmann)
- bpf: nodeport: minor DSR improvements (#23326, @julianwiedmann)
- bpf: Remove dead code for consistency between IPv4/v6 (#24008, @pchaigno)
- bpf: Remove flowlabel optimization for identity (#23795, @pchaigno)
- bpf: remove redundant policy_mark_skip() in handle_ipv6_from_lxc() (#23447, @julianwiedmann)
- bpf: Remove unneeded orig_dip from ipv6_host_policy_egress (#23724, @gentoo-root)
- bpf: Remove unneeded orig_sip from ipv6_host_policy_ingress (#23577, @gentoo-root)
- bpf_test: use bpf.LoadCollection, print full verifier error logs (#23281, @ti-mo)
- Build test darwin target (#23358, @aditighag)
- build(deps): bump actions/cache from 3.0.11 to 3.2.3 (#22981, @dependabot[bot])
- build(deps): bump actions/cache from 3.2.3 to 3.2.4 (#23450, @dependabot[bot])
- build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22956, @dependabot[bot])
- build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23411, @dependabot[bot])
- build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22706, @dependabot[bot])
- build(deps): bump actions/stale from 6.0.1 to 7.0.0 (#22828, @dependabot[bot])
- build(deps): bump azure/setup-helm from 3.4 to 3.5 (#22705, @dependabot[bot])
- build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23112, @dependabot[bot])
- build(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 (#23489, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 (#23449, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#23593, @dependabot[bot])
- build(deps): bump github.com/cilium/lumberjack/v2 from 2.2.2 to 2.3.0 (#22448, @dependabot[bot])
- build(deps): bump github.com/containernetworking/plugins from 1.1.1 to 1.2.0 (#23294, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.23+incompatible (#23388, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible (#23664, @dependabot[bot])
- build(deps): bump github.com/go-openapi/spec from 0.20.7 to 0.20.8 (#23673, @dependabot[bot])
- build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.26.0 (#23295, @dependabot[bot])
- build(deps): bump github.com/osrg/gobgp/v3 from 3.5.0 to 3.10.0 (#22908, @dependabot[bot])
- build(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 (#23069, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.23.1 (#23511, @dependabot[bot])
- build(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#23414, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22758, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.39 to 2.2.1 (#23410, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.2.1 to 2.2.2 (#23608, @dependabot[bot])
- build(deps): bump github/codeql-action from `959cbb7` to 2.1.39 (#23196, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.6 to 3.5.7 (#23571, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.6 to 3.5.7 (#23649, @dependabot[bot])
- build(deps): bump go.opentelemetry.io/otel/trace from 1.11.2 to 1.12.0 (#23454, @dependabot[bot])
- build(deps): bump go.uber.org/dig from 1.15.0 to 1.16.0 (#23039, @dependabot[bot])
- build(deps): bump go.uber.org/dig from 1.16.0 to 1.16.1 (#23188, @dependabot[bot])
- build(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#23067, @dependabot[bot])
- build(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#22941, @dependabot[bot])
- build(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#23651, @dependabot[bot])
- build(deps): bump golang.org/x/tools from 0.4.0 to 0.5.0 (#23610, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23249, @dependabot[bot])
- build(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 (#23570, @dependabot[bot])
- build(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.3 (#23390, @dependabot[bot])
- build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22707, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.6.1 to 1.7.0 (#23386, @dependabot[bot])
- build(deps): bump nick-invision/retry from 2.8.2 to 2.8.3 (#22895, @dependabot[bot])
- build: custom-vet-check should respect make variable GO (#23668, @mhofstetter)
- Bump readme with 1.13.0 (#23786, @aanm)
- Bumped CoverBee to v0.3.0 and cilium/ebpf to v0.10.0 (#23212, @dylandreimerink)
- certificatemanager,daemon: Modularized the certificate manager (#23132, @dylandreimerink)
- chore(deps): update actions/checkout action to v3.3.0 (master) (#23674, @renovate[bot])
- chore(deps): update all github action dependencies (master) (minor) (#24006, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#23671, @renovate[bot])
- chore(deps): update all github action dependencies (master) (patch) (#23918, @renovate[bot])
- chore(deps): update base-images (master) (#22565, @renovate[bot])
- chore(deps): update base-images (master) (minor) (#23563, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.1 (master) (#23518, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.2 (master) (#23773, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.1 (master) (#22996, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.2 (master) (#23672, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23753, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23754, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.1 (master) (#23562, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.5 docker digest to `572f680` (master) (#23575, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to `f05532b` (master) (#23477, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `21e5d22` (master) (#23726, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `26d07ba` (master) (#23352, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `42ddd0c` (master) (#23602, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `48e033b` (master) (#23654, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to `6b01107` (master) (#23498, @renovate[bot])
- chore(deps): update github/codeql-action action to v2.2.5 (master) (#24023, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.1 (master) (#23519, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (master) (#23774, @renovate[bot])
- chore: Fix typos in comments (#22837, @mainred)
- chore: use errors.Is to check for a specific error (#22912, @Fish-pro)
- ci, l4lb: Remove leftover args after DinD conversion (#23257, @borkmann)
- ci: update cilium-cli using renovate bot (#23902, @tklauser)
- cilium-cni: remove duplicated link set up operation (#23766, @giorio94)
- Cleanup: improve metav1 package import statement (#23248, @my-git9)
- cli: Remove unnecessary type for variable vp (Viper) (#23105, @tanberBro)
- clustermesh/types: don't panic on invalid IP in PrefixClusterFromCIDR (#23137, @tklauser)
- clustermesh: Introduce per-cluster NAT maps (#22875, @YutaroHayakawa)
- clustermesh: Make IPCache CPlane aware of the ClusterID (#22935, @YutaroHayakawa)
- cmd/policy: Close file descriptor if required (#23945, @jiuker)
- CODEOWNERS: Add ownerships of new BGP team (#23916, @pchaigno)
- CODEOWNERS: additional coverage (#23494, @tklauser)
- CODEOWNERS: assign /pkg/auth to sig-servicemesh (#23844, @mhofstetter)
- CODEOWNERS: assign images/hubble-relay to SIG Hubble (#23277, @rolinh)
- CODEOWNERS: assign operator/pkg/{gateway-api,model} to @cilium/sig-servicemesh (#22683, @tklauser)
- CODEOWNERS: Cover test/bpf_tests by sig-datapath (#22928, @christarazi)
- CODEOWNERS: Cover the egress gateway guide (#23194, @pchaigno)
- CODEOWNERS: Fold cilium/health into cilium/sig-agent (#23952, @pchaigno)
- CODEOWNERS: Make Hubble team (not docs-structure) own examples/hubble (#23778, @qmonnet)
- contrib/kind: default to dual-stack clusters (#23646, @squeed)
- contrib: Add devcontainer configuration (#22856, @sayboras)
- contrib: Fix GitHub token check to allow fine-grained tokens (#22963, @gentoo-root)
- contrib: output easier way to install Cilium in kind. (#23488, @squeed)
- contrib: Set IPv6 for dual-stack Kubernetes nodeIP on dev VM (#23543, @jschwinger233)
- daemon, ipcache: Plumb root context to IP identity watcher (#22626, @christarazi)
- daemon: Clarify host IP sync controller's intent (#21743, @christarazi)
- dev: disable bpf monitor aggregation in kind helm values (#23846, @mhofstetter)
- dnsproxy: Improve regex used for matching dns queries by reducing its complexity and size to save memory and speed up matching (#20246, @odinuge)
- Do not upgrade to golang 1.20 in 1.13 branch (#23723, @aanm)
- docs(bpf): update unprivileged_bpf_disabled description (#23378, @spacewander)
- docs: add FOSSA badge to readme (#22737, @lizrice)
- docs: Add notes for dev setup for Ubuntu desktop (#23691, @jschwinger233)
- docs: Add requirements for installing Cilium on Raspberry Pi (#23337, @darox)
- docs: add trace observation point description (#23028, @mainred)
- docs: Clarify basic kernel requirement (#23951, @pchaigno)
- docs: Clarify committer vote procedures (#22787, @joestringer)
- docs: Document the hooks that Cilium uses (#22792, @joestringer)
- docs: Fix a typo in Istio integration documentation (#23584, @yanggangtony)
- docs: Fix a typo in K8s with Kubespray installation guide (#23585, @yanggangtony)
- docs: Fix the dead link to Mellanox performance tuning guide (#24012, @gentoo-root)
- docs: Make CRD compat script work on older trees (#23710, @joestringer)
- docs: modify `MRELOAD_VM` for local CI VM (#22902, @Shunpoco)
- docs: Policy Audit Mode improvements (#23591, @kaworu)
- docs: Promote Deny Policies out of Beta (#23921, @nathanjsweet)
- docs: Regenerate codeowners documentation (#23979, @pchaigno)
- docs: replace usage of api.twitter.com (#23669, @kaworu)
- docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (#24014, @qmonnet)
- docs: Update Documentation on Deny Policy Bug Fix (#23468, @nathanjsweet)
- docs: Update hostfw tuto with ICMP policy rule (#22999, @pchaigno)
- docs: Update KMR limitations wrt IPsec (#22775, @raymonddejong)
- docs: Update output for "cilium status" when troubleshooting (extensions/v1beta1::Ingress now deprecated in favor of networking.k8s.io/v1beta1::Ingress) (#22968, @yulng)
- Document contributor steps to update the Helm chart (#23739, @meyskens)
- Document exemplars option for hubble httpV2 metrics (#23620, @chancez)
- Document that the `install-egress-gateway-routes` flag is only for EKS's ENI mode in egress gateway guide (#23616, @deepeshaburse)
- Documentation: Add documentation for hive (#23746, @joamaki)
- Documentation: enable parallel builds (#23752, @squeed)
- drop v1.10 support (#23903, @aanm)
- e2e-tests: git-ignore directory old-charts (#23705, @mhofstetter)
- egressgw: add policies by source IP cache (#23967, @jibi)
- egressgw: optimize policy matching logic (#24042, @jibi)
- EndpointManager and NodeManager Cells (#21746, @joamaki)
- endpointmgr: guard against potential nil deref (#22521, @ldelossa)
- etcd: print debug message event value as string (#23714, @giorio94)
- Extend ipcache key with ClusterID (#22200, @YutaroHayakawa)
- Extend tunnel map key with ClusterID (#22687, @YutaroHayakawa)
- Fix 404s in the README.md (#23954, @aanm)
- Fix TLS policies after certificatemanager modularization (#23895, @tklauser)
- fix: clean golang code for golint (#22665, @yulng)
- fix:'go routine' should be 'goroutine' (#22904, @yulng)
- fix:prevent goroutine leakage for pkg/k8s/watchers (#22362, @yulng)
- fix:Use ID instead of Id (#22569, @yulng)
- Fixed BPF tests which would fail on older kernels (<=5.8) due to unsupported program loading (#22980, @dylandreimerink)
- Fixed broken/deprecated links (#23920, @PhilipSchmid)
- Fixed link to broken anchor in RKE doc (#23706, @raphink)
- Fixes a flake in the kubectl wait part of the CI (#23733, @meyskens)
- fix:make fsnotify event more readable (#22903, @yulng)
- gha: Replace deprecated set-output commands (#22890, @sayboras)
- go.mod, vendor: bump sigs.k8s.io/controller-runtime to v0.14.1 (#23011, @tklauser)
- helm: Allow adding annotations to certgen Job and CronJob (#22356, @eripa)
- hive: Add hive.Command() (#23074, @joamaki)
- hive: Don't log interrupt signal as error (#23880, @joamaki)
- hubble-relay: set WORKDIR to nonroot home (#23405, @kaworu)
- hubble: add a unique identifier to flows (#23638, @kaworu)
- hubble: fix Hubble Relay BASE_IMAGE (#23636, @kaworu)
- identity, policy: remove unused arguments from interfaces (#23946, @lmb)
- images: update cilium-{runtime,builder} (#23146, @joestringer)
- images: update golang images to 1.19.5 (#23157, @aanm)
- images: update gops using renovate bot (#23907, @tklauser)
- improve inclusive language in governance (#23109, @xmulligan)
- Improve logging statements in CES usage and reduce code reuse (#22428, @yanggangtony)
- init.sh: clean up cgroup bpf_links created by newer versions of Cilium (#23537, @ti-mo)
- internal-feature: We removed all instances of io.ReadAll to reduce the attack surface of possible DoS attacks. (#22602, @nathanjsweet)
- introduces dedicated inline functions for per-packet-lb service translation on pod egress (#23715, @ldelossa)
- ipam: clean up terminology around excluded IPs (#23942, @tklauser)
- ipam: various minor cleanups (#23383, @tklauser)
- ipcache: Add ability to override identity via UpsertMetadata (#21667, @gandro)
- ipcache: Fix wrong assertion in ipcache metadata test (#23549, @christarazi)
- IPsec: Remove `IP_POOLS` logic (#24030, @pchaigno)
- k8s/watchers: Fix race condition in init functions (#23170, @christarazi)
- k8s: use core/v1 consts for topology-aware hints annotation/label (#23538, @tklauser)
- kafka, go.mod, vendor: use github.com/cilium/kafka fork (#22689, @tklauser)
- kvstore: add clusterName suffix to session controllers (#23928, @oblazek)
- kvstore: Propagate ClusterID with Service (#23514, @YutaroHayakawa)
- labels, ipcache: Introduce convenience NewFrom() (#23218, @christarazi)
- MAINTAINERS.md: add Casey Callendrello to the list of maintainers (#23344, @tklauser)
- MAINTAINERS.md: add Julian Wiedmann (#23278, @tklauser)
- MAINTAINERS: Add missing link to GitHub account (#23050, @christarazi)
- MAINTAINERS: Move @twpayne to emeritus status (#23688, @twpayne)
- MAINTAINERS: updates company affiliations for Michal and Tom (#23138, @tklauser)
- Make api/v1/model/BackendAddressState const string , not manual define. (#22874, @yanggangtony)
- Make log statements easier to read (#22971, @yulng)
- Mark tests as successful if they are not supposed to run (#23847, @aanm)
- Minor improvements to DNS proxy around `notifyOnDNSMsg()` (#22341, @christarazi)
- Move @lzang to emeritus committer (#23373, @xmulligan)
- Moved @raybejjani to Emeritus Committers (#23323, @raybejjani)
- operator: Clarify log msg for unmanaged pods (#23855, @christarazi)
- operator: cleanup CRD registration (#23701, @mhofstetter)
- operator: Fix use of Resource.Events() in CEC controller (#22844, @joamaki)
- Optimize getting identity by key with CRD Backend by introducing indexer. (#23064, @alan-kut)
- Optimize the comparison mode of bool judgment (#22922, @Fish-pro)
- pkg/endpoint: Use structured logging for error condition (#22846, @christarazi)
- pkg/ip: Remove redundant type conversions (#23108, @tanberBro)
- pkg/k8s: Replace label failure-domain.beta.kubernetes.io deprecated in K8s 1.17 (with topology.kubernetes.io) (#23177, @my-git9)
- pkg/policy: Add benchmark for ForEachGo (#22845, @christarazi)
- policy: mapstate should respect authType in dataPath equality (#23780, @mhofstetter)
- Prepare for v1.14 development cycle (#22614, @joestringer)
- proxylib: Downgrade noisy log msg to debug level (#22848, @christarazi)
- README.rst, MLH: Update stable releases, following the latest round of patch releases. (#23421, @qmonnet)
- Refactor k8s identities GC into a cell.Module (#22892, @pippolo84)
- Refactor node annotations (#23772, @marseel)
- Remove / in RKE doc link as it causes redirect bug (#23728, @raphink)
- Remove dependency on $GOPATH for `make generate-k8s-api` (#23428, @ldelossa)
- remove export from shell session to avoid the inconsistency (#22932, @fujitatomoya)
- Remove relevant metrics series on pod deletion (#23162). (#23385, @marqc)
- renovate/images: Revert accidental commits (#23497, @gandro)
- renovate: add support for GH workflow updates (#23625, @aanm)
- renovate: allow golang 1.20 in "v1.13" and "master" branch (#23547, @aanm)
- renovate: ignore cilium-test Dockerfile (#23560, @aanm)
- Resource API refactoring and shared resources (#21744, @joamaki)
- Revert "kludge: hardcode Google Cloud SDK key due to error 500" (#24060, @sayboras)
- Run Hubble Relay as non-root user by default. (#23259, @rolinh)
- Slightly improve UX around passing `--metrics` (#22888, @christarazi)
- sort identities by id/name to avoid random results (#23329, @nickolaev)
- stateId: delete redundant type conversion (#23056, @XiaozhiD-web)
- test/runtime: Set NO_COLOR for privileged tests (#23151, @joestringer)
- test: Update NetworkPolicy to networking.k8s.io/v1 (#22907, @yulng)
- Update CFP issue template to link repo (#23841, @xmulligan)
- Update CNI to 1.2.0 (#23267, @michi-covalent)
- Update Go to 1.20.1 (#23896, @tklauser)
- update k8s control plane tests (#23813, @aanm)
- Update MAINTAINERS.md to include Tom Hadlaw (#22769, @christarazi)
- Update signature verification docs for Sigstore 2.0 (#24029, @jedsalazar)
- Update stable releases (#22820, @joestringer)
- Update stable releases (#23742, @joestringer)
- Use &netlink.LinkNotFoundError{} to determine link not found error (#22438, @tanberBro)
- use DescribeVSwitches to get vswitch tags (#23635, @haozhangami)
- vendor: bump golang-lru to v2 (requires Go >= 1.18 support for generics) (#22644, @rolinh)
- vendor: update wireguard dependency (#23849, @aanm)
- workflow: fixes LLVM, Clang cache and install path (#23740, @brlbil)
Docker Manifests
This MR has been generated by Renovate Bot.