Update Helm release cilium to v1.17.3 - autoclosed
This MR contains the following updates:
Package | Update | Change
---|---|---
cilium (source) | minor | 1.16.2 -> 1.17.3
Release Notes
cilium/cilium (cilium)
v1.17.3
Summary of Changes
Minor Changes:
- hubble: accurately report startup failure reason from cilium status (Backport MR #38526, Upstream MR #37567, @devodev)
- Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport MR #38399, Upstream MR #37936, @smagnani96)
Bugfixes:
- Always detach BPF programs from cilium_wg0 when not needed. (Backport MR #38184, Upstream MR #38179, @smagnani96)
- Avoid installing no-track rules when IP family is disabled (Backport MR #38526, Upstream MR #38438, @ysksuzuki)
- bgpv2: Fix service reconciliation by BGP peer IP change (Backport MR #38700, Upstream MR #38620, @rastislavs)
- bpf: wireguard: avoid ipcache lookup for source's security identity (Backport MR #38684, Upstream MR #38592, @julianwiedmann)
- clustermesh: fix mcs-api count of clusters disagreeing with a conflict (the count was previously increased by one) (Backport MR #38298, Upstream MR #38267, @MrFreezeex)
- Ensure that replies to world-to-pod ICMP in AWS ENI are routed via the correct parent interface. (Backport MR #38394, Upstream MR #38335, @gentoo-root)
- Fix deadlock in compilation lock (Backport MR #38805, Upstream MR #38784, @dylandreimerink)
- Fix panic caused in dual-stack cluster setups where LRPs with the `skipRedirectFromBackend` flag set to true are installed and IPv6 is disabled. (Backport MR #38700, Upstream MR #38656, @aditighag)
- Fix IPv6-only clusters not working with multi-pool IPAM on some Kubernetes distributions (OpenShift) (Backport MR #38526, Upstream MR #38472, @liyihuang)
- Fix: cilium-operator no longer patches services on shutdown (Backport MR #38298, Upstream MR #37967, @rsafonseca)
- Fixes an issue where the agent failed to start on clusters with large numbers of network policies. (Backport MR #38700, Upstream MR #38556, @squeed)
- For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport MR #38800, Upstream MR #38737, @julianwiedmann)
- ingress: don't cleanup ingress status of unmanaged Ingress resources (Backport MR #38700, Upstream MR #38555, @mhofstetter)
- ipam/aws: properly paginate Operator `DescribeNetworkInterfaces` AWS API calls in ENI IPAM mode in order to avoid throttling, timeouts and errors from the API (Backport MR #38298, Upstream MR #37983, @antonipp)
- netkit: Fix issue where MAC addresses get changed by systemd in L2 mode causing health checks to fail (Backport MR #38526, Upstream MR #37812, @jrife)
CI Changes:
- build: update golangci-lint to v2.0.0 (Backport MR #38629, Upstream MR #38473, @mhofstetter)
- ci: build CI images within merge group (Backport MR #38526, Upstream MR #38065, @marseel)
- ci: prepare CI Image build for being required (Backport MR #38526, Upstream MR #38320, @marseel)
- cilium-cli: extend no-interrupted-connections to test Egress Gateway (Backport MR #38527, Upstream MR #38193, @ysksuzuki)
- cilium-cli: extend no-interrupted-connections to test NodePort from outside (Backport MR #37797, Upstream MR #37294, @ysksuzuki)
- Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport MR #38517, Upstream MR #38264, @smagnani96)
- Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport MR #38517, Upstream MR #38290, @smagnani96)
- Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport MR #38740, Upstream MR #38281, @smagnani96)
- Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport MR #38517, Upstream MR #38265, @smagnani96)
- Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport MR #38517, Upstream MR #38292, @smagnani96)
- Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport MR #38517, Upstream MR #38291, @smagnani96)
- gh: aws-cni: set --enable-identity-mark=false option (Backport MR #38800, Upstream MR #38738, @julianwiedmann)
- gh: e2e-upgrade: also test NS & EGW disruptivity during downgrade (Backport MR #38527, Upstream MR #38511, @julianwiedmann)
- gha: enable north/south conn-disrupt-test in clustermesh upgrade tests (Backport MR #38527, Upstream MR #38554, @giorio94)
- Ignore encrypt interface field when validating option.Config after initialization (Backport MR #38298, Upstream MR #37184, @Artyop)
- Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport MR #38740, Upstream MR #38278, @smagnani96)
- Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport MR #38517, Upstream MR #38293, @smagnani96)
- Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport MR #38740, Upstream MR #38266, @smagnani96)
- proxy/proxyports: fix flake and data race in TestPortAllocator (Backport MR #38674, Upstream MR #38062, @tklauser)
- proxy: fix flake in TestPortAllocator test (Backport MR #38674, Upstream MR #38646, @mhofstetter)
- Refactoring and code comments for the check-encryption-leak script. (Backport MR #38740, Upstream MR #38263, @smagnani96)
- Report masqueraded flow through proxy in the check-encryption-leak script. (Backport MR #38740, Upstream MR #38297, @smagnani96)
- Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport MR #38517, Upstream MR #38280, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #38517, Upstream MR #38289, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #38526, Upstream MR #38289, @smagnani96)
- Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #38517, Upstream MR #38287, @smagnani96)
- Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport MR #38740, Upstream MR #38268, @smagnani96)
- test: Update FQDN related domain and IP (Backport MR #38769, Upstream MR #38754, @sayboras)
Misc Changes:
- [v1.17] bpf: host: ipsec: check whether destination has tunnel_endpoint (#38802, @julianwiedmann)
- [v1.17] bpf: ipsec: improve handling of source security identity in encrypted-overlay code (#38594, @julianwiedmann)
- [v1.17] deps: bump package x/oauth2 (#38403, @ferozsalam)
- [v1.17] deps: bump x/net to v0.38.0 (#38780, @ferozsalam)
- bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport MR #38684, Upstream MR #37956, @julianwiedmann)
- bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport MR #38684, Upstream MR #38430, @julianwiedmann)
- bpf: nodeport: preserve monitor aggregation in egress path (Backport MR #38526, Upstream MR #38312, @julianwiedmann)
- bugtool: collect more detailed link statistics (Backport MR #38526, Upstream MR #38391, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.17) (#38353, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#38436, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#38612, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#38303, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#38542, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.17) (#38730, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.17) (#38354, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.17) (#38611, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to `37f7b37` (v1.17) (#38350, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.7 docker digest to `cb45cf7` (v1.17) (#38351, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.20 (v1.17) (#38434, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.17) (#38608, @cilium-renovate[bot])
- chore(deps): update go to v1.23.8 (v1.17) (#38713, @cilium-renovate[bot])
- chore(deps): update kindest/node docker tag to v1.29.14 (v1.17) (#38352, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.17) (#38257, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.17) (#38384, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742784301-90f2717e10fcd34f9aca97413fcd00ca2b8ccfee (v1.17) (#38441, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.17) (#38671, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744108394-d3be7c547203cd80d0c4902e4b9deac09c727456 (v1.17) (#38773, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#38316, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#38435, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#38831, @cilium-renovate[bot])
- cilium, status: Do not display annotations if KPR is disabled (Backport MR #38700, Upstream MR #38677, @borkmann)
- doc(troubleshooting): add -verbose to cilium-health status (Backport MR #38298, Upstream MR #38169, @alagoutte)
- doc: Envoy daemonset works on OpenShift (Backport MR #38298, Upstream MR #38236, @fgiloux)
- docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport MR #38526, Upstream MR #38173, @yrsuthari)
- docs: add per-node default pool example (Backport MR #38298, Upstream MR #38135, @acudovs)
- docs: clarify hubble flow filter match semantics (Backport MR #38700, Upstream MR #38657, @devodev)
- docs: Correct the envoy circuit-breaking example manifest (Backport MR #38298, Upstream MR #38158, @raphink)
- docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport MR #38526, Upstream MR #38231, @rastislavs)
- docs: Update LLVM requirements to 18.1 (Backport MR #38526, Upstream MR #38294, @gentoo-root)
- Documentation: "cilium config set" restarts by default (Backport MR #38298, Upstream MR #38114, @joamaki)
- Documentation: fix mentions of per-node `cilium-dbg` tool (Backport MR #38298, Upstream MR #38276, @tklauser)
- fix SBOM attestation documentation (Backport MR #38526, Upstream MR #38429, @jaehanbyun)
- fix(Documentation/installationk0s.rst): adjust kuberouter naming in k0s documentation (Backport MR #38298, Upstream MR #38243, @RiRa12621)
- images: bump distroless to static (Backport MR #38694, Upstream MR #38647, @kaworu)
- ipcache: reduce labels map memory churn in resolveLabels a bit (Backport MR #38526, Upstream MR #38494, @tklauser)
- maglev: Fix division by zero upon table recreation (Backport MR #38700, Upstream MR #38659, @borkmann)
- pkg/controller: fix data race in update params locked (Backport MR #38526, Upstream MR #38327, @aanm)
- pkg/endpoint: fix GetLabels data race access (Backport MR #38526, Upstream MR #38328, @aanm)
- pkg/endpoint: fix race in unit test (Backport MR #38298, Upstream MR #38129, @squeed)
- policy: sync policy map for fake endpoints (Backport MR #38526, Upstream MR #38367, @harsimran-pabla)
- proxy: Fix data race in proxyports test (Backport MR #38674, Upstream MR #37890, @jrajahalme)
- Removal logic for the new cil_from_wireguard program to handle Cilium Downgrades from v1.18. (#38187, @smagnani96)
- remove the endpointRoutes for aws cni in the doc (Backport MR #38700, Upstream MR #38381, @liyihuang)
- wireguard: cleanup cilium_calls map upon downgrading from v1.18 (#38595, @smagnani96)
Other Changes:
- [v1.17] hubble/exporter: Fix logging exporter options as JSON (#38476, @devodev)
- [v1.17] proxy: Bump envoy version to 1.32.x (#38306, @sayboras)
- deps: Bump GoBGP to v3.35.0 (#38405, @rastislavs)
- fix AWS ENI IPAM mode performance regression in the Operator when `--update-ec2-adapter-limit-via-api` is set to `true` (#38532, @antonipp)
- Fix IPv6 for LocalRedirectPolicy with `skipRedirectFromBackend` option. (#38509, @julianwiedmann)
- install: Update image digests for v1.17.2 (#38205, @cilium-release-bot[bot])
- ipsec: backport minimal VinE support for upgrade scenarios (#37993, @ldelossa)
Docker Manifests
v1.17.2
Summary of Changes
Minor Changes:
- docs: clarify wording of remote-nodes in context of a clustermesh (Backport MR #38104, Upstream MR #37989, @oblazek)
- Increase granularity of the `api_duration_seconds` metric buckets (Backport MR #38104, Upstream MR #37365, @jaredledvina)
- New agent option `--policy-restore-timeout` (default 3m) has been added to bound the maximum time the Cilium agent waits for endpoint policies to regenerate before it starts serving resources to the `cilium-envoy` proxy. (Backport MR #37904, Upstream MR #37658, @jrajahalme)
- Set JSON output as default for `cilium-dbg endpoint get` (Backport MR #37648, Upstream MR #36537, @saiaunghlyanhtet)
- Set JSON output as default for `cilium-dbg endpoint get` (Backport MR #37742, Upstream MR #36537, @saiaunghlyanhtet)
Bugfixes:
- Apply Egress bandwidth-limiting only once for traffic that is matched by an Egress Gateway policy. (Backport MR #37904, Upstream MR #37674, @julianwiedmann)
- Auth policy is properly maintained also when covered by proxy redirects. (Backport MR #37904, Upstream MR #37685, @jrajahalme)
- Do not auto detect / auto select IPoIB devices (Backport MR #37648, Upstream MR #37553, @dylandreimerink)
- Egress route reconciliation (Backport MR #38118, Upstream MR #37962, @dylandreimerink)
- Fix a regression that made it impossible to disable Hubble via Helm charts (Backport MR #37648, Upstream MR #37587, @devodev)
- Fix bug causing `cilium-dbg bpf` commands to fail with a map not found error in IPv6-only clusters. (Backport MR #37904, Upstream MR #37787, @pchaigno)
- Fix creating ServiceMonitor for Hubble when dynamic metrics are enabled in the Helm chart (Backport MR #37648, Upstream MR #37474, @dustinspecker)
- Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport MR #37904, Upstream MR #37419, @javanthropus)
- Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR (Backport MR #37648, Upstream MR #36978, @tommasopozzetti)
- Fix Envoy metrics not being obtainable on IPv6-only clusters (Backport MR #37904, Upstream MR #37818, @haozhangami)
- Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics. (Backport MR #37904, Upstream MR #37543, @rectified95)
- Fix service ID exceeding the maximum limit (Backport MR #37648, Upstream MR #37191, @haozhangami)
- Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport MR #37648, Upstream MR #37532, @antonipp)
- Fix the possible race condition caused by async update from AWS to the instance map in issue #36428 (Backport MR #38104, Upstream MR #37650, @liyihuang)
- Fix traffic not getting masqueraded with wildcard devices or egress-masquerade-interfaces when enable-masquerade-to-route-source flag is set. (Backport MR #37648, Upstream MR #37450, @liyihuang)
- fix(helm): multiPoolPreAllocation fix conditional avoid null (Backport MR #37742, Upstream MR #37585, @acelinkio)
- fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport MR #37648, Upstream MR #37236, @dee-kryvenko)
- fix: duplicate label maps in helm chart templates and add missing commonlabels (Backport MR #37742, Upstream MR #37693, @cmergenthaler)
- Fix: Resolved an issue causing ArgoCD to report constant out-of-sync status due to the hasKey check in Helm. The condition has been simplified to ensure proper synchronization. No functional changes to deployments. (Backport MR #37648, Upstream MR #37536, @nicl-dev)
- Fixed Envoy JSON log format conversion in Helm, preventing crashes. (Backport MR #37742, Upstream MR #37656, @kahirokunn)
- helm: fix large number handling (Backport MR #37742, Upstream MR #37670, @justin0u0)
- hubble: escape terminal special characters from observe output (Backport MR #37648, Upstream MR #37401, @devodev)
- hubble: fix locking of hubble metrics registry for dynamically configured metrics (Backport MR #38104, Upstream MR #37923, @marseel)
- identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport MR #38104, Upstream MR #36657, @oblazek)
- ipam/multi-pool: Periodically perform pool maintenance (Backport MR #38104, Upstream MR #37895, @gandro)
- operator: explicit controller-runtime controller names to avoid naming conflicts (Backport MR #37742, Upstream MR #37606, @mhofstetter)
- operator: Fix duplicate configurations (Backport MR #37648, Upstream MR #37293, @joestringer)
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport MR #38104, Upstream MR #38029, @julianwiedmann)
- Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (Backport MR #38154, Upstream MR #38143, @youngnick)
- Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning the wrong error message `iptables: Incompatible with this kernel` to `iptables -n -L CHAIN` when the chain does not exist. This prevented iptables configuration and caused unnecessary loops and log messages. (Backport MR #38104, Upstream MR #37749, @fgiloux)
CI Changes:
- .github: Remove misleading step from ipsec workflow (Backport MR #37742, Upstream MR #37681, @joestringer)
- .github: s/enbaled/enabled/ (Backport MR #37648, Upstream MR #37449, @chansuke)
- bgpv1: wait for watchers to be ready in tests (Backport MR #37904, Upstream MR #37884, @harsimran-pabla)
- CI: GKE backslash missing disable insecure kubelet (Backport MR #37904, Upstream MR #37850, @auriaave)
- CI: GKE, disable insecure kubelet readonly port (Backport MR #37904, Upstream MR #37844, @auriaave)
- ci: switch to monitor aggregation medium (Backport MR #38104, Upstream MR #38036, @marseel)
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport MR #37904, Upstream MR #37551, @jschwinger233)
- gh: ipsec-e2e: add concurrency for connectivity tests (Backport MR #37925, Upstream MR #37891, @julianwiedmann)
- gh: update naming for bpftrace leak detection script (Backport MR #37904, Upstream MR #37865, @julianwiedmann)
Misc Changes:
- always render enable-hubble in the Cilium configmap (Backport MR #37904, Upstream MR #37703, @kaworu)
- bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (Backport MR #38104, Upstream MR #38037, @borkmann)
- bpf: minor clean-ups for the ENI symmetric routing feature (Backport MR #37648, Upstream MR #37379, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.17) (#37950, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#37944, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#38048, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.17.0 (v1.17) (#37793, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.17) (#37949, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.17) (#38057, @cilium-renovate[bot])
- chore(deps): update go to v1.23.7 (v1.17) (#37996, @cilium-renovate[bot])
- chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.17) (#37833, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.17) (#38148, @cilium-renovate[bot])
- cilium-dbg: output parentIfIndex in bpf endpoint list (Backport MR #37742, Upstream MR #37398, @Mahdi-BZ)
- cilium: Allow to configure tunnel source port range (Backport MR #37904, Upstream MR #37777, @borkmann)
- cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (Backport MR #37904, Upstream MR #37808, @borkmann)
- docs: complete load balancer service manifest in kubeproxy-free (Backport MR #37648, Upstream MR #37466, @ybelleguic)
- docs: fix broken links (Backport MR #38104, Upstream MR #37995, @nueavv)
- docs: masquerading: mention that BPF masq also pulls in BPF Host-Routing (Backport MR #37648, Upstream MR #37604, @julianwiedmann)
- docs: use latest for rtd theme commit with fixed version selector (Backport MR #37614, Upstream MR #37421, @ayuspin)
- envoy: remove duplicated service/endpointslice informers when envoyConfig is enabled (Backport MR #37742, Upstream MR #37683, @marseel)
- Fix API generation and add trusted dependencies to renovate config (Backport MR #37648, Upstream MR #36957, @aanm)
- Fix API generation and add trusted dependencies to renovate config (Backport MR #37742, Upstream MR #36957, @aanm)
- Fix helm value for IPAM Multi-Pool (Backport MR #38104, Upstream MR #37963, @saintdle)
- fqdn/dnsproxy: use `netip.Addr` for `DNSProxy.usedServers` (Backport MR #38104, Upstream MR #37985, @tklauser)
- gha: Update the helm flag for TLS related test (Backport MR #37648, Upstream MR #37428, @sayboras)
- ipcache: Slightly optimize calls to fetch tunnel and encrypt metadata (Backport MR #38104, Upstream MR #38021, @christarazi)
- labels: fix TestNewFrom test (Backport MR #37904, Upstream MR #37846, @giorio94)
- Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport MR #37648, Upstream MR #37399, @ritwikranjan)
- operator: Explicitly init the FQDN regex LRU cache (Backport MR #37648, Upstream MR #37366, @christarazi)
- pkg/hive: always use default logger when decorating cells (Backport MR #37742, Upstream MR #37636, @aanm)
- policy: Skip iteration when proxy port priority is zero (Backport MR #37648, Upstream MR #37422, @jrajahalme)
- Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport MR #37904, Upstream MR #37806, @rolinh)
- Update Hubble UI to v0.13.2 which contains security fixes, add the missing traffic direction in the flow table, and enhance the home namespace list. See v0.13.2 for more details (Backport MR #37742, Upstream MR #37631, @yannikmesserli)
- use runtime image set by env var action in build and lint (Backport MR #37648, Upstream MR #37253, @Artyop)
Other Changes:
- [v1.17] Revert "Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR" (#38101, @julianwiedmann)
- Backport set runtime action 1.17 (#37854, @Artyop)
- gha: Update GatewayAPI conformance report (#37671, @sayboras)
- install: Update image digests for v1.17.1 (#37580, @cilium-release-bot[bot])
- v1.17: gh/workflows: Remove conformance-externalworkloads (#37738, @brb)
Docker Manifests
v1.17.1
Summary of Changes
Minor Changes:
- [v1.17] agent: Deprecate lb-only mode (#37391, @brb)
- helm: Update CiliumNodeConfig version (Backport MR #37440, Upstream MR #37403, @sayboras)
Bugfixes:
- ces: Fix bug where stale endpoint information was injected into IPCache (Backport MR #37416, Upstream MR #37347, @gandro)
- socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport MR #37440, Upstream MR #37426, @alvaroaleman)
CI Changes:
- test: Move the dind image to Quay to avoid rate-limiting (Backport MR #37440, Upstream MR #37388, @pchaigno)
Misc Changes:
- chore(deps): update all github action dependencies (v1.17) (#37502, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#37342, @cilium-renovate[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.17) (#37501, @cilium-renovate[bot])
- chore(deps): update go to v1.23.6 (v1.17) (#37446, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#37409, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#37496, @cilium-renovate[bot])
Other Changes:
- install: Update image digests for v1.17.0 (#37432, @cilium-release-bot[bot])
Docker Manifests
v1.17.0
We are excited to announce the Cilium 1.17.0 release!
A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars!
To keep up to date with all the latest Cilium releases, see Announcements
Here's what's new in v1.17.0:
- 🚦 Quality of Service: Annotate your Pods for Guaranteed, Burstable or BestEffort egress network traffic priority (#36025, @hemanthmalla)
- 🌐 Multi-Cluster Service API: Use Kubernetes MCS to manage global services in a Cilium Cluster Mesh (#34439, @MrFreezeex)
- 🔀 Load Balance based on L4 Protocol: Differentiate TCP and UDP based protocols for load balancing, so multiple services on the same port can be directed to different backends (#33434, @jibi)
- 🧲 Per-Service LB Algorithms: Choose maglev or random load balancing algorithms for individual services (#35735, @kl52752)
- ⛔ Deny lists for Service source ranges: Control whether Kubernetes loadBalancerSourceRanges are treated as an allow or deny list (#36120, @borkmann)
- 🏊 Better control over IPAM: IPs can be allocated statically using AWS tags, and multi-pool can support single IP ranges for pools (#34622, @antonipp; #34618, @juliusmh)
- 🔌 Dynamic MTU detection: Cilium respects changes made to MTU at runtime without requiring an agent restart (#34314, @dylandreimerink)
💂‍♀️ Security
- 🚀 Improved network policy performance: The cost of computing complex combinations of network policies has been reduced (Various MRs by @joamaki, @jrajahalme, @marseel, @nathanjsweet, @squeed and @youngnick)
- 🗂️ Prioritize critical network policies: Cilium respects Kubernetes priorityNamespaces to prioritize endpoint propagation for critical namespaces when using CiliumEndpointSlices (#34199, @Kaczyniec)
- 📋 Validate Network Policies: Receive better feedback from Kubernetes when creating network policies (#34585, @squeed; #35904, @renyunkang; #36598, @pippolo84)
- 🏷️ Select CIDRGroups by Label: Add labels to CIDRGroups and use these for network policy selection (#36087, @squeed)
- 🛎️ Extend ToServices for in-cluster services: Services with a selector can be selected with ToServices network policy statements (#34208, @chaunceyjiang)
- 🚧 FQDN Filtering for hostNetwork: Use CiliumClusterwideNetworkPolicy to configure Layer 7 filtering for DNS requests on nodes in the cluster (#34024, @atykhyy)
- 📶 HTTP policies on port ranges: Redirect multiple ports in a single policy towards Envoy for Layer 7 filtering of HTTP traffic (#36056, @jrajahalme)
- ⛩️ Gateway API 1.2.1: Add support for the latest Gateway API v1.2.1 release, including HTTP retries and mirror fractions (#34720, @sayboras)
- 📝 Static Gateway Addressing: Cilium now supports statically specifying addresses for gateways (#33042, @chaunceyjiang)
- 🔐 Improved Envoy TLS handling: Use SDS for managing TLS visibility secrets in Envoy, improving policy calculation speed and secrets access (#35513, @youngnick)
🛰️ Observability
- 🔍 Dynamic Hubble Metrics: Configure Hubble metrics with a new hubble-metrics-config ConfigMap to tune your network observability (#35185, @rectified95)
- 🛤️ Track enabled features using Prometheus: The cilium-agent and cilium-operator components expose Prometheus metrics for which features are enabled. (#35852, @aanm)
- 📊 Many new metrics: Improved metrics related to BGP, network connections, network policy, pod management, and Cilium component status (Various MRs by @AwesomePatrol, @harsimran-pabla, @joestringer, @jshr-w, @mikejoh, @nimishamehta5, @odinuge, @ovidiutirla, @rectified95 and @sjdot)
- 📈 Better cluster connectivity checking: The cilium-health component for cluster-wide network connectivity health detection is better tuned for reliable health checking at high scale (#35163, @jshr-w)
- ⏳ Rate-limit monitor events: Balance the number of eBPF events against the CPU usage required to process them (#29711, @siwiutki)
- 👥 Double-Write Identity mode: New allocation mode for Security Identities to ease migration between CRD and KVStore identity backends (#31920, @antonipp)
- ⚖️ Better scale testing: This release benefits from regular automated scale testing for network policy (#35278, @marseel)
- ❤️ Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  - Seznam, Alibaba Cloud, SysEleven, QingCloud, ECCO, Reddit, Confluent, SamsungAds, and Sony
- The Cilium Annual Report 2024 was released covering all the highlights from across the community and marking the "Year of Kubernetes Networking"
- The community gathered at Cilium + eBPF Day and the Cilium Developer Summit in Salt Lake City
- Meet us at the upcoming CiliumCon and the Cilium Developer Summit in London
And finally, we would like to thank all contributors of Cilium who helped directly and indirectly with the project. The success of Cilium could not happen without all of you.
For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md
Docker Manifests
cilium
quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
quay.io/cilium/cilium:stable@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.17.0@sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c
quay.io/cilium/clustermesh-apiserver:stable@sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c
docker-plugin
quay.io/cilium/docker-plugin:v1.17.0@sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f
quay.io/cilium/docker-plugin:stable@sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f
hubble-relay
quay.io/cilium/hubble-relay:v1.17.0@sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05
quay.io/cilium/hubble-relay:stable@sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.17.0@sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b
quay.io/cilium/operator-alibabacloud:stable@sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b
operator-aws
quay.io/cilium/operator-aws:v1.17.0@sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7
quay.io/cilium/operator-aws:stable@sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7
operator-azure
quay.io/cilium/operator-azure:v1.17.0@sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7
quay.io/cilium/operator-azure:stable@sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7
operator-generic
quay.io/cilium/operator-generic:v1.17.0@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8
quay.io/cilium/operator-generic:stable@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8
operator
quay.io/cilium/operator:v1.17.0@sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587
quay.io/cilium/operator:stable@sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587
v1.16.9: 1.16.9
Summary of Changes
Minor Changes:
- Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport MR #38400, Upstream MR #37936, @smagnani96)
- Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport MR #38747, Upstream MR #35900, @smagnani96)
Bugfixes:
- bpf: wireguard: avoid ipcache lookup for source's security identity (Backport MR #38747, Upstream MR #38592, @julianwiedmann)
- Fix panic caused in dual cluster setups where LRPs with `skipRedirectFromBackend` flag set to true are installed and IPv6 is disabled. (Backport MR #38701, Upstream MR #38656, @aditighag)
- For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport MR #38747, Upstream MR #38737, @julianwiedmann)
CI Changes:
- build: update golangci-lint to v2.0.0 (Backport MR #38631, Upstream MR #38473, @mhofstetter)
- ci: build CI images within merge group (Backport MR #38525, Upstream MR #38065, @marseel)
- ci: prepare CI Image build for being required (Backport MR #38525, Upstream MR #38320, @marseel)
- Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport MR #38521, Upstream MR #38264, @smagnani96)
- Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport MR #38521, Upstream MR #38290, @smagnani96)
- Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport MR #38741, Upstream MR #38281, @smagnani96)
- Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport MR #38521, Upstream MR #38265, @smagnani96)
- Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport MR #38521, Upstream MR #38292, @smagnani96)
- Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport MR #38521, Upstream MR #38291, @smagnani96)
- gh: aws-cni: set --enable-identity-mark=false option (Backport MR #38747, Upstream MR #38738, @julianwiedmann)
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport MR #38521, Upstream MR #37551, @jschwinger233)
- gh: update naming for bpftrace leak detection script (Backport MR #38521, Upstream MR #37865, @julianwiedmann)
- Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport MR #38741, Upstream MR #38278, @smagnani96)
- Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport MR #38521, Upstream MR #38293, @smagnani96)
- Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport MR #38741, Upstream MR #38266, @smagnani96)
- Refactoring and code comments for the check-encryption-leak script. (Backport MR #38741, Upstream MR #38263, @smagnani96)
- Report masqueraded flow through proxy in the check-encryption-leak script. (Backport MR #38741, Upstream MR #38297, @smagnani96)
- Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport MR #38521, Upstream MR #38280, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #38521, Upstream MR #38289, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #38525, Upstream MR #38289, @smagnani96)
- Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #38521, Upstream MR #38287, @smagnani96)
- Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport MR #38741, Upstream MR #38268, @smagnani96)
- test: Update FQDN related domain and IP (Backport MR #38770, Upstream MR #38754, @sayboras)
Misc Changes:
- [v1.16] deps: bump github.com/containerd/containerd to v1.7.27 (#38496, @ferozsalam)
- [v1.16] deps: Bump package x/net (#38323, @ferozsalam)
- [v1.16] deps: bump package x/oauth2 (#38404, @ferozsalam)
- [v1.16]: deps: bump x/net to v0.38.0 (#38781, @ferozsalam)
- bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport MR #38747, Upstream MR #37956, @julianwiedmann)
- bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport MR #38747, Upstream MR #38430, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.16) (#38347, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#38515, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) (#38346, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38304, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38442, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38543, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.16) (#38731, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.16) (#38348, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.16) (#38714, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.36.1 docker digest to `e246aa2` (v1.16) (#38344, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.16) (#38613, @cilium-renovate[bot])
- chore(deps): update go to v1.23.8 (v1.16) (#38345, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.16) (#38258, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.16) (#38385, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.16) (#38672, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.16) (#38774, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38317, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38614, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38832, @cilium-renovate[bot])
- docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport MR #38525, Upstream MR #38173, @yrsuthari)
- docs: clarify hubble flow filter match semantics (Backport MR #38701, Upstream MR #38657, @devodev)
- docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport MR #38525, Upstream MR #38231, @rastislavs)
- docs: Update LLVM requirements to 18.1 (Backport MR #38342, Upstream MR #38294, @gentoo-root)
- Documentation: "cilium config set" restarts by default (Backport MR #38299, Upstream MR #38114, @joamaki)
- Documentation: fix mentions of per-node `cilium-dbg` tool (Backport MR #38299, Upstream MR #38276, @tklauser)
- images: bump distroless to static (Backport MR #38695, Upstream MR #38647, @kaworu)
- pkg/controller: fix data race in update params locked (Backport MR #38525, Upstream MR #38327, @aanm)
- pkg/endpoint: fix race in unit test (Backport MR #38299, Upstream MR #38129, @squeed)
- remove the endpointRoutes for aws cni in the doc (Backport MR #38701, Upstream MR #38381, @liyihuang)
Other Changes:
- [v1.16] hubble: fix flowfilter flag parsing allowing only one filter (#38794, @devodev)
- [v1.16] proxy: Bump envoy version to 1.32.x (#38307, @sayboras)
- fix AWS ENI IPAM mode performance regression in the Operator when `--update-ec2-adapter-limit-via-api` is set to `true` (#38533, @antonipp)
- gha: Skip HTTPRouteServiceTypes test (#38343, @sayboras)
- install: Update image digests for v1.16.8 (#38207, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.9@sha256:98f8e547fd0720e042a1eb7bd6f50a521cbe0a8ea8e013f783f1709fc023c266
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.9@sha256:69b9b80046f2a293de96e228ffdf7803bdd387d2c8cc6fa836a240c4932d7066
docker-plugin
quay.io/cilium/docker-plugin:v1.16.9@sha256:867b37f934411c11e9e50d0d691a2d1376ec4fe4c573c9b3af6950d559a97b28
hubble-relay
quay.io/cilium/hubble-relay:v1.16.9@sha256:c978b77e607cc7fb9a92741464470002a192af47c5dec57b83f693919857199e
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.9@sha256:59d2a5d5ab017c974c42eeb7f265f9b91aafad2ee6c73d5dffe0bfe44bedd134
operator-aws
quay.io/cilium/operator-aws:v1.16.9@sha256:f00e854ad7ae0c55e0e2352b71a98fe1358ba029e2e93b236a18c3b43664f948
operator-azure
quay.io/cilium/operator-azure:v1.16.9@sha256:549ef9d238b84313f4a9f25518a77ec16cc9b86a19e66242bee920eb9c065fea
operator-generic
quay.io/cilium/operator-generic:v1.16.9@sha256:0489f71dfeff23d1fbc4ee85a81a0274076ab2b53072aadbdf5963e83dc3faf7
operator
quay.io/cilium/operator:v1.16.9@sha256:c8d0d6ca36d49bdeeb82d75b58a061f10e9e402d493241d648c4e329027b67ee
v1.16.8: 1.16.8
Summary of Changes
Minor Changes:
- docs: clarify wording of remote-nodes in context of a clustermesh (Backport MR #38106, Upstream MR #37989, @oblazek)
- Increase granularity of the `api_duration_seconds` metric buckets (Backport MR #38014, Upstream MR #37365, @jaredledvina)
Bugfixes:
- Do not auto detect / auto select IPoIB devices (Backport MR #37647, Upstream MR #37553, @dylandreimerink)
- Egress route reconciliation (Backport MR #38120, Upstream MR #37962, @dylandreimerink)
- Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport MR #37900, Upstream MR #37419, @javanthropus)
- Fix envoy metrics could not be obtained on IPv6-only clusters (Backport MR #37900, Upstream MR #37818, @haozhangami)
- Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport MR #37647, Upstream MR #37532, @antonipp)
- fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport MR #37647, Upstream MR #37236, @dee-kryvenko)
- Fix: cilium-operator no longer patches services on shutdown (Backport MR #38106, Upstream MR #37967, @rsafonseca)
- helm: fix large number handling (Backport MR #37743, Upstream MR #37670, @justin0u0)
- hubble: escape terminal special characters from observe output (Backport MR #37647, Upstream MR #37401, @devodev)
- identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport MR #38014, Upstream MR #36657, @oblazek)
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport MR #38106, Upstream MR #38029, @julianwiedmann)
CI Changes:
- .github: Remove misleading step from ipsec workflow (Backport MR #37743, Upstream MR #37681, @joestringer)
- bgpv1: wait for watchers to be ready in tests (Backport MR #38014, Upstream MR #37884, @harsimran-pabla)
- ci: add leak detection to conformance-ipsec-upgrade (Backport MR #36575, Upstream MR #36377, @smagnani96)
- CI: GKE backslash missing disable insecure kubelet (Backport MR #37900, Upstream MR #37850, @auriaave)
- CI: GKE, disable insecure kubelet readonly port (Backport MR #37900, Upstream MR #37844, @auriaave)
- ci: switch to monitor aggregation medium (Backport MR #38106, Upstream MR #38036, @marseel)
- Cleanups after LLVM upgrade. (Backport MR #37801, Upstream MR #32067, @gentoo-root)
Misc Changes:
- [v1.16] docs: Update requirements.txt dependencies (#37616, @joestringer)
- allocator: correctly propagate context to RunGC call (Backport MR #37743, Upstream MR #36034, @giorio94)
- chore(deps): update all github action dependencies (v1.16) (#37952, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37997, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38049, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.16) (#37951, @cilium-renovate[bot])
- chore(deps): update go to v1.23.7 (v1.16) (#37998, @cilium-renovate[bot])
- chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.16) (#37834, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.16) (#38149, @cilium-renovate[bot])
- docs: fix broken links (Backport MR #38106, Upstream MR #37995, @nueavv)
- Fix API generation and add trusted dependencies to renovate config (Backport MR #37647, Upstream MR #36957, @aanm)
- Fix helm value for IPAM Multi-Pool (Backport MR #38014, Upstream MR #37963, @saintdle)
- labels: fix TestNewFrom test (Backport MR #37900, Upstream MR #37846, @giorio94)
- Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport MR #37647, Upstream MR #37399, @ritwikranjan)
- Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport MR #37900, Upstream MR #37806, @rolinh)
- wireguard: attach Ingress program for native routing mode configurations (Backport MR #38117, Upstream MR #37108, @julianwiedmann)
Other Changes:
- [v1.16] images: update cilium-{runtime,builder} (#38054, @julianwiedmann)
- install: Update image digests for v1.16.7 (#37709, @cilium-release-bot[bot])
- v1.16: gh/workflows: Remove conformance-externalworkloads (#37739, @brb)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.8@sha256:569ec9056ef2e3b283edb508b31e4ff04058cb7bd551cc9433512ebdef07804d
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.8@sha256:5ea1c42de93879a853e35a1287dfc0c2bcf912fcdc8ce092dfb322819123c8ea
docker-plugin
quay.io/cilium/docker-plugin:v1.16.8@sha256:74664fa646f3fe6b8615830b21073602dece8b5397db7384b5aa0e585857265e
hubble-relay
quay.io/cilium/hubble-relay:v1.16.8@sha256:498c04894fc95b6792d713dfb5e11aad236d41433710ddf73425483e855170be
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.8@sha256:409009711eab9e0f97c13c67c9b18aa48be130d970f09b067e1ae35df24b2252
operator-aws
quay.io/cilium/operator-aws:v1.16.8@sha256:c596b30650899c5ecde8b114e0a4e8679f83122c2477056d8d437df78b7a981b
operator-azure
quay.io/cilium/operator-azure:v1.16.8@sha256:c9dc8757e5941c72764b4a73d39c270378f156cc005722db95c77e0d1897dd04
operator-generic
quay.io/cilium/operator-generic:v1.16.8@sha256:86c879ed25396a992fb8bf0297289f0b61f30f9a4a260f483abbdb39d919644d
operator
quay.io/cilium/operator:v1.16.8@sha256:c2b0716672ce2bf68c2679c8b98ddab4c80f2c6891560e538ce4e117240ba220
v1.16.7: 1.16.7
Summary of Changes
Minor Changes:
- Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport MR #37124, Upstream MR #36598, @pippolo84)
- doc: Added hostLegacyRouting limitation for Talos (Backport MR #37168, Upstream MR #36852, @PhilipSchmid)
Bugfixes:
- agent: defend against null pointer refs in cecManager.getEndpoint() (Backport MR #37375, Upstream MR #37188, @aetimmes)
- Allow cilium agent to start on linux kernels that don't have CONFIG_XFRM. (Backport MR #37278, Upstream MR #37123, @julianwiedmann)
- ces: Fix bug where stale endpoint information was injected into IPCache (Backport MR #37417, Upstream MR #37347, @gandro)
- envoy: add configurable access log buffer size (Backport MR #37168, Upstream MR #36823, @aetimmes)
- Fix a bug that prevents a pod from accessing Nodeport services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport MR #37168, Upstream MR #36929, @julianwiedmann)
- Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport MR #37278, Upstream MR #37085, @giorio94)
- Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport MR #37168, Upstream MR #37086, @giorio94)
- Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport MR #37168, Upstream MR #36103, @viktor-kurchenko)
- maps/nat/stats: Use Start context when waiting for maps (Backport MR #37278, Upstream MR #37262, @tommyp1ckles)
- nodeinit: move kubelet restart inside if/else in startup.bash (Backport MR #37375, Upstream MR #37282, @ayuspin)
- Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport MR #37168, Upstream MR #36504, @viktor-kurchenko)
- socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport MR #37441, Upstream MR #37426, @alvaroaleman)
CI Changes:
- [v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (#37380, @giorio94)
- gh: harmonize lvh kernel naming scheme (Backport MR #37375, Upstream MR #37322, @julianwiedmann)
- gh: update removed --loglevel option for kind (Backport MR #37168, Upstream MR #36935, @julianwiedmann)
- gha: bump ubuntu version in conformance-externalworkloads (Backport MR #37168, Upstream MR #36859, @giorio94)
- gha: correctly downgrade to patch release in ipsec workflows (Backport MR #37168, Upstream MR #36858, @giorio94)
- gha: fix retrieval of DNS server in conformance external workloads (Backport MR #37375, Upstream MR #37361, @giorio94)
- gha: Retrieve eks supported version via aws cli (Backport MR #37223, Upstream MR #37210, @sayboras)
- Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport MR #37168, Upstream MR #36364, @smagnani96)
- Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport MR #37168, Upstream MR #36962, @smagnani96)
- test: Fix the flake for TestRestoredPort (Backport MR #37278, Upstream MR #37106, @sayboras)
- test: Move demo-httpd from Docker to Quay (Backport MR #37278, Upstream MR #37149, @joestringer)
- test: Move the dind image to Quay to avoid rate-limiting (Backport MR #37441, Upstream MR #37388, @pchaigno)
Misc Changes:
- build: Remove debug leftover from Makefile (Backport MR #37168, Upstream MR #36917, @gentoo-root)
- chore(deps): update actions/setup-go action to v5.3.0 (v1.16) (#37117, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#37244, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#37505, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37343, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37550, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.16) (#37338, @cilium-renovate[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.16) (#37215, @cilium-renovate[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.16) (#37503, @cilium-renovate[bot])
- chore(deps): update go to v1.23.6 (v1.16) (#37497, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.16) (#37201, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#37411, @cilium-renovate[bot])
- cilium-dbg/troubleshoot: do not import cilium-dbg from operator (Backport MR #37375, Upstream MR #37326, @aanm)
- clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport MR #37168, Upstream MR #36602, @joestringer)
- doc(glossary): Geneve as final RFC (Backport MR #37375, Upstream MR #37316, @alagoutte)
- doc: ebpf host-routing and netfilter (Backport MR #37168, Upstream MR #36921, @PhilipSchmid)
- doc: eks cluster restriction removed (Backport MR #37278, Upstream MR #37043, @viktor-kurchenko)
- doc: Removed nodeinit from aks byocni install (Backport MR #37168, Upstream MR #37048, @PhilipSchmid)
- docs: Add SNI policy example (Backport MR #37375, Upstream MR #37234, @sayboras)
- docs: Clarify Identity-Relevant Labels description (Backport MR #37168, Upstream MR #36924, @joestringer)
- docs: Fix broken link in BGP control plane docs (Backport MR #37375, Upstream MR #37241, @mikejoh)
- docs: pass current_version to html_context (Backport MR #37168, Upstream MR #37008, @ayuspin)
- docs: Remove stale limitation on KPR+IPsec (Backport MR #37168, Upstream MR #37054, @pchaigno)
- images: don't assume Dockerfile directory in builder/runtime update scripts (Backport MR #37375, Upstream MR #34488, @tklauser)
- proxy: Mark restored port as configured (Backport MR #37168, Upstream MR #36953, @jrajahalme)
- Remove outdated roadmap matrix and links to it (Backport MR #37278, Upstream MR #37170, @xmulligan)
- remove stable tags from image build (#37394, @aanm)
- renovate: add fix grpc-go autodetection (Backport MR #37278, Upstream MR #33570, @aanm)
Other Changes:
- [v1.16] envoy: Bump envoy version to v1.31.x (#37157, @sayboras)
- chore(deps): update go to v1.23.5 (v1.16) (#37189, @sayboras)
- Do not leak ipcache entries when apiserver entities are cluster external (#36927, @antonipp)
- install: Update image digests for v1.16.6 (#37154, @cilium-release-bot[bot])
- Revert "chore(deps): update all-dependencies (v1.16)" (#37525, @sayboras)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.7@sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.7@sha256:8e7eda5b194d45c3b1607f5bf31cbb3fecd0f1cf85ce32b41f93b2bd832bf02f
docker-plugin
quay.io/cilium/docker-plugin:v1.16.7@sha256:d5c331e03a7c9f158e43eef46537a7656b668dcf76e7b8397520770a51747803
hubble-relay
quay.io/cilium/hubble-relay:v1.16.7@sha256:8f408ed921cd534394aa1c57b313741cec6aec03a14ea243b2173cbf2c88c91e
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.7@sha256:dbdc856303e1ab6734538e29791fdfc4fe2c1295fd7bbce8fa006cd3165f85c8
operator-aws
quay.io/cilium/operator-aws:v1.16.7@sha256:110d922337bdbfc3cd4d7d71b85b2c8f72c1d9925e9b61b4cd73ff990799d7ba
operator-azure
quay.io/cilium/operator-azure:v1.16.7@sha256:4e7e64cc505676d402c68043934e2c8efc75b294245514d7611a58d06b5e0f69
operator-generic
quay.io/cilium/operator-generic:v1.16.7@sha256:25a41ac50bcebfb780ed2970e55a5ba1a5f26996850ed5a694dc69b312e0b5a0
operator
quay.io/cilium/operator:v1.16.7@sha256:bac2496ba4348267ca5f16c2dd73ba7be76330cdd0eef0a6958c260a3bf5951d
v1.16.6: 1.16.6
Summary of Changes
Major Changes:
- Add feature tracking in Cilium agent as prometheus metrics (Backport MR #36263, Upstream MR #35852, @aanm)
- Add feature tracking in Cilium Operator as prometheus metrics (Backport MR #36263, Upstream MR #36077, @aanm)
Minor Changes:
- envoy: Use yaml format for bootstrap config (Backport MR #36782, Upstream MR #36820, @sayboras)
- Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (#36561, @pippolo84)
- service: Cap number of backends included in monitor message (Backport MR #36635, Upstream MR #36394, @joamaki)
Bugfixes:
- cilium: LB source ranges fixes (Backport MR #36635, Upstream MR #36517, @borkmann)
- eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport MR #36872, Upstream MR #36617, @sderoe)
- envoy: Configure internal address config based on IP family (Backport MR #36782, Upstream MR #36733, @sayboras)
- Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport MR #36635, Upstream MR #36176, @tamilmani1989)
- metrics/features: remove reporting metrics' defaults by default (Backport MR #36263, Upstream MR #36298, @aanm)
- pkg/redirectpolicy: Fix backend slices in processConfig (Backport MR #36872, Upstream MR #35496, @Sm0ckingBird)
- ui: drop CORS headers from api response (Backport MR #36872, Upstream MR #35762, @geakstr)
CI Changes:
- [v1.16] .github: Remove CI Fuzz workflow (#36641, @joestringer)
- [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (#36620, @julianwiedmann)
- [v1.16] gha: use /test to trigger tests in stable branches (#36673, @giorio94)
- ci: fix job names for various ci workflows (Backport MR #36263, Upstream MR #36397, @marseel)
- Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport MR #36872, Upstream MR #33398, @giorio94)
- gh: e2e-upgrade: add coverage for 6.6 kernel (Backport MR #36988, Upstream MR #36626, @julianwiedmann)
- gh: e2e-upgrade: de-renovate the config example (Backport MR #36635, Upstream MR #36463, @julianwiedmann)
- gha: drop leftover token parameter in net-perf-gke workflow (#36684, @giorio94)
- gha: fix merging of features-related artifacts (#36665, @giorio94)
- gha: merge artifacts in net-perf-gke workflow (Backport MR #36263, Upstream MR #36236, @giorio94)
- gha: Use ubuntu-24.04 for integration-test (Backport MR #36659, Upstream MR #36628, @sayboras)
Misc Changes:
- .github/workflows: always install cilium-cli (Backport MR #36263, Upstream MR #36234, @aanm)
- .github/workflows: do not fail ginkgo if unable to fetch features (Backport MR #36263, Upstream MR #36461, @aanm)
- .github: fix conformance-k8s NP test (Backport MR #36263, Upstream MR #36355, @aanm)
- [v1.16] Use bash syntax to consume env variable (#36636, @ferozsalam)
- Add more features tracking in Cilium agent as prometheus metrics (Backport MR #36263, Upstream MR #36078, @aanm)
- Add policy-related features tracking in Cilium agent as prometheus metrics (Backport MR #36263, Upstream MR #36203, @aanm)
- Add the tls:// prefix in the Hubble TLS doc (Backport MR #36635, Upstream MR #36410, @liyihuang)
- chore(deps): update all github action dependencies (v1.16) (#36612, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36762, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36950, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#37099, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) (#36760, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36707, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36787, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36949, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37033, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (#36895, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 7c3c3ce (v1.16) (#36609, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.16) (#36850, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.10 docker digest to 9855006 (v1.16) (#36610, @cilium-renovate[bot])
- chore(deps): update go to v1.22.11 (v1.16) (#37045, @cilium-renovate[bot])
- chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (#36839, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#36611, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#36699, @cilium-renovate[bot])
- doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport MR #36872, Upstream MR #36701, @alagoutte)
- docs: Add missing default identity label in the description of identity-relevant labels' example (Backport MR #36635, Upstream MR #36558, @liyihuang)
- docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport MR #36635, Upstream MR #36549, @verysonglaa)
- Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport MR #36635, Upstream MR #36417, @EricMountain)
- Fix make -C Documentation update-cmdref when make uses --jobserver-style=fifo. (Backport MR #36872, Upstream MR #36788, @gentoo-root)
- fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (#36711, @cilium-renovate[bot])
- ingress, gateway-api: Convert test fixtures to file based (Backport MR #36782, Upstream MR #36732, @sayboras)
- metrics/features: enable ClusterMesh (Backport MR #36263, Upstream MR #36402, @aanm)
- metrics/features: refactor metric names (Backport MR #36263, Upstream MR #36209, @aanm)
- Prepare for release v1.16.6 (#36989, @cilium-release-bot[bot])
- Remove reference to DNS polling (Backport MR #36872, Upstream MR #36679, @JacobHenner)
Other Changes:
- [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (#36650, @ysksuzuki)
- install: Update image digests for v1.16.5 (#36671, @cilium-release-bot[bot])
Docker Manifests
v1.16.5: 1.16.5
Summary of Changes
Minor Changes:
- hubble: Stop building 32-bit binaries (Backport MR #36066, Upstream MR #35974, @michi-covalent)
Bugfixes:
- Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport MR #36540, Upstream MR #36484, @julianwiedmann)
- bgp: fix race in bgp stores (Backport MR #36066, Upstream MR #35971, @harsimran-pabla)
- BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport MR #36286, Upstream MR #36230, @rastislavs)
- BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport MR #36286, Upstream MR #36165, @rastislavs)
- Cilium agent now waits until endpoints have been restored before it starts accepting new xDS streams. (Backport MR #36049, Upstream MR #35984, @jrajahalme)
- Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport MR #36462, Upstream MR #36252, @bimmlerd)
- cilium-health-ep controller is made to be more robust against successive failures. (Backport MR #36066, Upstream MR #35936, @jrajahalme)
- DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport MR #36468, Upstream MR #36142, @jrajahalme)
- Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport MR #36049, Upstream MR #36060, @jrajahalme)
- Fix an issue where pod-to-world traffic goes up the stack when BPF host routing is enabled with tunnel. (Backport MR #35861, Upstream MR #35098, @jschwinger233)
- Fix identity leak for kvstore identity mode (Backport MR #36066, Upstream MR #34893, @odinuge)
- Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport MR #36302, Upstream MR #36292, @giorio94)
- gateway-api: Fix gateway checks for namespace (Backport MR #36462, Upstream MR #35452, @sayboras)
- gha: Remove hostLegacyRouting in clustermesh (Backport MR #36357, Upstream MR #35418, @sayboras)
- helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport MR #36066, Upstream MR #36005, @devodev)
- hubble: consistently use v as prefix for the Hubble version (Backport MR #36286, Upstream MR #35891, @rolinh)
- iptables: Fix data race in iptables manager (Backport MR #36066, Upstream MR #35902, @pippolo84)
- lrp: update LRP services with stale backends on agent restart (Backport MR #36106, Upstream MR #36036, @ysksuzuki)
- policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#36050, @nathanjsweet)
- Unbreak the cilium-dbg preflight migrate-identity command (Backport MR #36286, Upstream MR #36089, @giorio94)
- Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport MR #36066, Upstream MR #35856, @nddq)
CI Changes:
- [v1.16] ci: modularize chart CI push workflow (#35958, @ferozsalam)
- gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport MR #36462, Upstream MR #36384, @julianwiedmann)
- gha: configure environment in build-images-base/image-digests job (Backport MR #36462, Upstream MR #36318, @giorio94)
- node_local_store: prevent racey tests while using mock node store. (Backport MR #36066, Upstream MR #35945, @tommyp1ckles)
- Remove unnecessary hubble port-forward commands (Backport MR #36066, Upstream MR #33523, @michi-covalent)
Misc Changes:
- [v1.16] docs: egress masquerade selector (#36333, @viktor-kurchenko)
- [v1.16] images: bump cni plugins to v1.6.0 (#36092, @ferozsalam)
- bugtool: dump tail-call map for bpf_wireguard (Backport MR #36286, Upstream MR #36183, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.16) (#36155, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36275, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36443, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) (#36277, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35546, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36152, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36279, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36444, @cilium-renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#36153, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (#36222, @cilium-renovate[bot])
- chore(deps): update go to v1.22.10 (v1.16) (#36441, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#36180, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#36495, @cilium-renovate[bot])
- chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#36278, @cilium-renovate[bot])
- chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#36442, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#36154, @cilium-renovate[bot])
- docs: Add the tls:// prefix before the IP address (Backport MR #36286, Upstream MR #36118, @liyihuang)
- docs: Fix typo in multi-pool section title (Backport MR #36312, Upstream MR #36305, @joestringer)
- docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport MR #36066, Upstream MR #35923, @yilas)
- docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport MR #36066, Upstream MR #35921, @ysksuzuki)
- docs: system-requirements: require 5.4 kernel (Backport MR #36462, Upstream MR #36386, @julianwiedmann)
- docs: WireGuard doesn't require overlay port in Network Firewalls (Backport MR #36286, Upstream MR #36208, @julianwiedmann)
- Endpoint populate new policymap early if empty (Backport MR #36479, Upstream MR #36361, @jrajahalme)
- envoy: Configure internal_address_config to avoid warning log (Backport MR #36015, Upstream MR #35943, @sayboras)
- envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport MR #36468, Upstream MR #36330, @jrajahalme)
- fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#36530, @cilium-renovate[bot])
- Fixed BGP documentation (Backport MR #36066, Upstream MR #35953, @seadog007)
- images: Use cilium-builder image instead of golang to build hubble (Backport MR #36312, Upstream MR #35697, @learnitall)
- lrp: fix kernel version requirement in warning log (Backport MR #36286, Upstream MR #36141, @ysksuzuki)
- Makefile: fix swagger definition for automatic renovate updates (Backport MR #36066, Upstream MR #35979, @aanm)
- proxy: Take proxy port reference for new redirects immediately (Backport MR #36468, Upstream MR #36435, @jrajahalme)
- proxyports: Resolve data races in test (Backport MR #36468, Upstream MR #36399, @jrajahalme)
- proxyports: Sleep a bit longer in tests (Backport MR #36468, Upstream MR #36389, @jrajahalme)
- Remove duplicated watch on services and endpoint in the cilium-agent (Backport MR #36066, Upstream MR #35838, @MrFreezeex)
- Rework error handling logic in neighbor discovery (Backport MR #36093, Upstream MR #35144, @pippolo84)
- Silence spurious clustermesh-related warnings (Backport MR #36225, Upstream MR #35867, @giorio94)
- Update documentation for egress masquerading behavior (Backport MR #36462, Upstream MR #36267, @liyihuang)
Other Changes:
- [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#36082, @harsimran-pabla)
- [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#36511, @borkmann)
- install: Update image digests for v1.16.4 (#36047, @cilium-release-bot[bot])
- jrajahalme/v1.16 cilium cli (#36541, @jrajahalme)
- Revert "workflows/ipsec: Cover Ingress" (#36116, @harsimran-pabla)
Docker Manifests
v1.16.4: 1.16.4
Security Advisories
This release addresses https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67.
Summary of Changes
Minor Changes:
- Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport MR #35908, Upstream MR #35809, @jrajahalme)
- clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport MR #35543, Upstream MR #35349, @giorio94)
- helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport MR #35781, Upstream MR #35630, @chancez)
- helm: New socketLB.tracing flag (Backport MR #35781, Upstream MR #35747, @pchaigno)
- hubble-relay: Return underlying connection errors when connecting to peer manager (Backport MR #35781, Upstream MR #35632, @chancez)
- netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport MR #35543, Upstream MR #35306, @jrife)
Bugfixes:
- Avoid duplicate errors in health status for node-neighbor-link-updater (Backport MR #35468, Upstream MR #35179, @wedaly)
- bgpv1: fix reconciliation of services with shared VIPs (Backport MR #35468, Upstream MR #35333, @rastislavs)
- bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport MR #35863, Upstream MR #35690, @YutaroHayakawa)
- bgpv2: set local peering address when specified (Backport MR #35781, Upstream MR #35552, @harsimran-pabla)
- Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport MR #35603, Upstream MR #35150, @jrajahalme)
- Cilium's DNS proxy no longer gets stuck for a specific five-tuple if a "timeout waiting for response" error is encountered. (Backport MR #35781, Upstream MR #35589, @bimmlerd)
- config: Remove superfluous warning on native routing CIDR (Backport MR #35781, Upstream MR #35738, @gandro)
- Fix missing flowlabel hash on SRv6 traffic. (Backport MR #35781, Upstream MR #35498, @akaliwod)
- Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport MR #35543, Upstream MR #35173, @smagnani96)
- Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport MR #35781, Upstream MR #35673, @giorio94)
- Fix redirect from L3 device to remote endpoint via overlay network. (Backport MR #35468, Upstream MR #35165, @julianwiedmann)
- Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport MR #35908, Upstream MR #35694, @julianwiedmann)
- Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport MR #35781, Upstream MR #35599, @squeed)
- Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport MR #35543, Upstream MR #35293, @squeed)
- Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport MR #35906, Upstream MR #35890, @squeed)
- Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#35611, @pippolo84)
- helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport MR #35319, Upstream MR #35301, @hox)
- helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport MR #35781, Upstream MR #35703, @solidDoWant)
- helm: set automountServiceAccountToken to false for hubble-relay sa (Backport MR #35781, Upstream MR #35674, @ayuspin)
- hubble: fix endpoint cluster name (Backport MR #35781, Upstream MR #35415, @kaworu)
- hubble: Lock exporters while gathering metrics (Backport MR #35908, Upstream MR #35860, @joestringer)
- Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport MR #35781, Upstream MR #35143, @jrajahalme)
- ipam: Validate CiliumNode resource in ENI mode (Backport MR #35792, Upstream MR #35784, @sayboras)
- l7lb: fix registration of flag loadbalancer-l7 (Backport MR #35781, Upstream MR #35623, @mhofstetter)
- Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport MR #35319, Upstream MR #35069, @chancez)
- option: Reduce log level for WG strict mode + IPv6 (Backport MR #35908, Upstream MR #35763, @pchaigno)
- Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport MR #35468, Upstream MR #35381, @jrajahalme)
- treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport MR #35654, Upstream MR #35614, @gandro)
- wireguard: Fix connectivity issues following node reboots. (Backport MR #35908, Upstream MR #35750, @jrife)
CI Changes:
- .github/conformance-ginkgo: replace deprecated jq flag (Backport MR #35468, Upstream MR #35399, @aanm)
- .github: extend timeout for tests-ipsec-upgrade workflow (Backport MR #35781, Upstream MR #35657, @rastislavs)
- .github: remove libncurses5 from integration tests (Backport MR #35468, Upstream MR #35408, @aanm)
- [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (#35329, @ysksuzuki)
- [v1.16] github: update rhel8 LVH image to rhel8.6 (#35733, @julianwiedmann)
- Additionally test KVStore mode in E2E/IPSec workflows (Backport MR #35905, Upstream MR #35679, @giorio94)
- ci: conformance-kind: re-enable flaky Aggregator test (Backport MR #35582, Upstream MR #35286, @julianwiedmann)
- ci: datapath-verifier: bump lvh images (Backport MR #35648, Upstream MR #35456, @julianwiedmann)
- gha: Update chmod command (Backport MR #35468, Upstream MR #35400, @sayboras)
- github: Pass the workflow step timeout to go test (Backport MR #35908, Upstream MR #35814, @jrajahalme)
- Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport MR #35319, Upstream MR #35267, @aanm)
- workflows/gateway-api: Cover IPsec with GatewayAPI (Backport MR #35908, Upstream MR #35584, @pchaigno)
- workflows/ingress: Run basic checks (Backport MR #35908, Upstream MR #35683, @pchaigno)
- workflows/ipsec: Cover Ingress (Backport MR #35908, Upstream MR #35476, @pchaigno)
- workflows: Extend IPsec tests to cover egress gateway (Backport MR #35540, Upstream MR #35323, @pchaigno)
Misc Changes:
- .github/build-images-base: checkout base branch to get scripts (Backport MR #35319, Upstream MR #35236, @aanm)
- .github: remove retention days for image digests (Backport MR #35468, Upstream MR #35457, @aanm)
- bpf: vxlan helper improvements (Backport MR #35543, Upstream MR #34755, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.16) (#35382, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35439, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35573, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35710, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35438, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#35730, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#35379, @cilium-renovate[bot])
- chore(deps): update go to v1.22.9 (v1.16) (#35854, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (#35491, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#35731, @cilium-renovate[bot])
- cilium, docs: Extend requirements for L7 proxy (Backport MR #35781, Upstream MR #35669, @borkmann)
- cilium: add probe for netkit for more user friendly error when not supported (Backport MR #35781, Upstream MR #35551, @borkmann)
- ctrl-runtime: lower severity of retryable reconcile errors (Backport MR #35592, Upstream MR #35364, @giorio94)
- daemon: Reduce level of socket LB tracing warning (Backport MR #35908, Upstream MR #35798, @pchaigno)
- datapath: move policy map value prefix length to flags (Backport MR #35603, Upstream MR #35534, @jrajahalme)
- dnsproxy: fix error when sessionUDPFactory fails (Backport MR #35543, Upstream MR #33998, @marseel)
- docs/ipsec: Remove KPR limitation (Backport MR #35908, Upstream MR #35743, @pchaigno)
- docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport MR #35781, Upstream MR #35626, @pchaigno)
- docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport MR #35319, Upstream MR #35288, @oneumyvakin)
- docs: clean up stale kernel requirements (Backport MR #35582, Upstream MR #35575, @julianwiedmann)
- docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport MR #35781, Upstream MR #35725, @nvibert)
- docs: kpr: update error message regarding SocketLB tracing (Backport MR #35468, Upstream MR #35337, @julianwiedmann)
- docs: tuning: XDP LB also supports tunnel routing (Backport MR #35582, Upstream MR #35574, @julianwiedmann)
- docs: update 1.16 upgrade note for LRP (#35944, @ysksuzuki)
- docs: update default identity label filters (Backport MR #35468, Upstream MR #35422, @marseel)
- docs: XFRM reference guide for IPsec development (Backport MR #35582, Upstream MR #35322, @pchaigno)
- Envoy simplify listener setup (Backport MR #35764, Upstream MR #35642, @jrajahalme)
- envoy: Configure internal_address_config to avoid warning log (Backport MR #35471, Upstream MR #35090, @sayboras)
- envoy: Limit started serving logging to the typeURL of the stream (Backport MR #35781, Upstream MR #35736, @jrajahalme)
- Fix wrongly spelled config option in error message (Backport MR #35543, Upstream MR #35390, @baurmatt)
- helm: clarify text for serviceNoBackendResponse (Backport MR #35908, Upstream MR #35734, @julianwiedmann)
- hubble: Add 'release' Make target (Backport MR #35781, Upstream MR #35561, @michi-covalent)
- image: Use cilium-builder instead of golang as operator builder image (Backport MR #35781, Upstream MR #35351, @learnitall)
- iptables: always warn about missing xt_socket module (Backport MR #35781, Upstream MR #35591, @julianwiedmann)
- makefile: add target to install Cilium in kvstore mode (Backport MR #35905, Upstream MR #35646, @giorio94)
- proxy: Ensure proxy ports are written on shutdown (Backport MR #35908, Upstream MR #35839, @jrajahalme)
- Silence spurious clustermesh-related warnings (Backport MR #35850, Upstream MR #35867, @giorio94)
Other Changes:
- [v1.16] envoy: Add configuration for OverloadManager (#35787, @sayboras)
- [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (#35563, @sayboras)
- [v1.16] policy/correlation: Fix PolicyMatch{L3Proto,L4Only} case (#35681, @gandro)
- chore(deps): update cilium-envoy dependency (#35920, @sayboras)
- install: Update image digests for v1.16.3 (#35361, @cilium-release-bot[bot])
- Policy add deny rule test and benchmark (#35714, @jrajahalme)
Docker Manifests
v1.16.3: 1.16.3
Summary of Changes
Bugfixes:
- bgpv2: fix reconciliation of services with shared VIPs (Backport MR #35274, Upstream MR #35166, @rastislavs)
- bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport MR #35036, Upstream MR #34976, @rastislavs)
- bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport MR #35036, Upstream MR #34913, @ysksuzuki)
- bugtool: fix cilium-health command (Backport MR #35274, Upstream MR #35068, @ayuspin)
- Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport MR #35036, Upstream MR #34941, @bimmlerd)
- Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport MR #35036, Upstream MR #34789, @tommyp1ckles)
- Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when IPsec is also enabled. (Backport MR #34918, Upstream MR #34651, @smagnani96)
- Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport MR #35036, Upstream MR #34783, @dylandreimerink)
- Fixed bug in tracking policy changes that could have resulted in revert not working in failure cases as expected. (Backport MR #35274, Upstream MR #35109, @jrajahalme)
- Fixed bug where service id allocator would loop infinitely when out of service ids (Backport MR #35274, Upstream MR #35033, @WeeNews)
- Fixes startup fatal error when updating CiliumNode resource. (Backport MR #34918, Upstream MR #34862, @harsimran-pabla)
- gateway-api: Align GRPCRoute matchers with GEP specification (Backport MR #35274, Upstream MR #34808, @cfsnyder)
- helm template function no longer errors when using k8sServiceHost: auto (Backport MR #35274, Upstream MR #35186, @kreeuwijk)
- hubble: add printer for lost events (Backport MR #35274, Upstream MR #35208, @aanm)
- ipcache: Yet another refcounting fix with mix of APIs (Backport MR #35036, Upstream MR #34715, @gandro)
- netkit: Allow ARP packets through when using host firewall. (Backport MR #35274, Upstream MR #35070, @jrife)
- wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport MR #35115, Upstream MR #34612, @jrife)
CI Changes:
- .github/lint-build-commits: fix workflow for push events (Backport MR #35274, Upstream MR #35264, @aanm)
- .github: create cache directories on cache miss (Backport MR #35157, Upstream MR #35088, @aanm)
- .github: do not push floating tag from MRs (Backport MR #35230, Upstream MR #35227, @aanm)
- .github: install golang action after checkout (Backport MR #35157, Upstream MR #34843, @aanm)
- .github: re-enable configurations in e2e-upgrade (Backport MR #35157, Upstream MR #34800, @aanm)
- .github: specify cache-dependency-path in lint-workflows (Backport MR #35157, Upstream MR #34845, @aanm)
- [1.16] test: Skip envoy internal_address_config warning log (#35053, @pippolo84)
- [v1.16] gha: fix incorrect go version in lint-build-commits workflow (#35312, @giorio94)
- ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport MR #34918, Upstream MR #34820, @aanm)
- fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport MR #34918, Upstream MR #34902, @Artyop)
- servicemesh, ci: run internal to NodePort test (Backport MR #35274, Upstream MR #35177, @marseel)
Misc Changes:
- .github: add cache to cilium-cli and hubble-cli build workflows (Backport MR #35157, Upstream MR #34847, @aanm)
- .github: clean up disk for lint-build workflow (Backport MR #35157, Upstream MR #35141, @aanm)
- .github: fix build image process to commit changes (Backport MR #35274, Upstream MR #35262, @aanm)
- .github: fix lvh-kind warnings (Backport MR #35157, Upstream MR #34811, @aanm)
- .github: fix runtime image digests (Backport MR #35274, Upstream MR #35107, @aanm)
- .github: push floating tag for push events for stable branches (#35235, @aanm)
- [v1.16] .github: do not update github runners for bpf workflows (#35106, @aanm)
- [v1.16] manually update dependency cilium/cilium-cli to v0.16.19 (v1.16) (#35310, @julianwiedmann)
- bgpv2/docs: add ebgp multihop documentation (Backport MR #35036, Upstream MR #34951, @harsimran-pabla)
- bgpv2: cleanup service reconciliation logic (Backport MR #35036, Upstream MR #34959, @rastislavs)
- Change GH runners to GH's default (Backport MR #35157, Upstream MR #33451, @aanm)
- chore(deps): update all github action dependencies (v1.16) (#35025, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35082, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35250, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35005, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35283, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.16) (#34999, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.16) (#35101, @cilium-renovate[bot])
- chore(deps): update go to v1.22.8 (v1.16) (#35201, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.16) (#35137, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.16) (#35218, @cilium-renovate[bot])
- cilium-cli: Show config.cilium.io annotations on configmap (Backport MR #35155, Upstream MR #35020, @joamaki)
- docs: Add known issue for netkit endpoint route issues (Backport MR #35274, Upstream MR #35126, @jrife)
- docs: fix EKS Kubernetes compatibility link (Backport MR #35036, Upstream MR #34922, @fjvela)
- docs: Improve warning on insecure global IPsec keys (Backport MR #34918, Upstream MR #34846, @pchaigno)
- docs: move sig-policy to second Tuesday of the month (Backport MR #35115, Upstream MR #35040, @squeed)
- fix: Assign PodStore from Pod resource until cell migration is completed (Backport MR #35274, Upstream MR #34090, @dlapcevic)
- helm: add client auth to hubble server certificate (Backport MR #35036, Upstream MR #34934, @kaworu)
- helm: set key usages for hubble certificates with cert-manager (Backport MR #35036, Upstream MR #34946, @kaworu)
- Improve speed on lint commits GH workflow (Backport MR #35157, Upstream MR #34848, @aanm)
- install/kubernetes: fix Operator's clusterrole for pods deletion (Backport MR #35274, Upstream MR #35193, @aanm)
- Re-write GitHub cache usages across workflows (Backport MR #35157, Upstream MR #34866, @aanm)
- Remove conformance-e2e tests (Backport MR #35157, Upstream MR #34742, @aanm)
Other Changes:
- [v1.16] Add missing test coverage in v1.16 branch (#35223, @aanm)
- [v1.16] author backport: fix ENABLE_LOCAL_REDIRECT_POLICY (#35129, @ysksuzuki)
- [v1.16] author backport: LRP fixes (#35072, @ysksuzuki)
- [v1.16] ginkgo: disable test for deprecated annotations-based L7 visibility (#35160, @tklauser)
- [v1.16] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (#35151, @tklauser)
- install: Update image digests for v1.16.2 (#35052, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
quay.io/cilium/cilium:stable@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.3@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb
quay.io/cilium/clustermesh-apiserver:stable@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb
docker-plugin
quay.io/cilium/docker-plugin:v1.16.3@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae
quay.io/cilium/docker-plugin:stable@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae
hubble-relay
quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
quay.io/cilium/hubble-relay:stable@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.3@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898
quay.io/cilium/operator-alibabacloud:stable@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898
operator-aws
quay.io/cilium/operator-aws:v1.16.3@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916
quay.io/cilium/operator-aws:stable@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916
operator-azure
quay.io/cilium/operator-azure:v1.16.3@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542
quay.io/cilium/operator-azure:stable@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542
operator-generic
quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
quay.io/cilium/operator-generic:stable@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
operator
quay.io/cilium/operator:v1.16.3@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f
quay.io/cilium/operator:stable@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f
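The digests above are what makes this release pinnable: a `:stable` or `:v1.16.3` tag can be re-pointed on the registry, a `@sha256:` digest cannot. The following is an added example, not Cilium's or Renovate's own code, of a pre-merge check that a supply-chain reviewer would run over whatever `helm template` or `kubectl get pods -o jsonpath='{..image}'` emits: parse the release's manifest list, then reject any image reference that is tag-only, that carries a digest the release did not publish, or whose tag/digest pair disagrees with the release. The manifest text embedded below is copied from the v1.16.3 list above (three of the nine images, to keep it short); the image references under test are constructed.

```python
"""Verify that rendered image references are pinned to a release's published digests.

Added example. RELEASE_MANIFESTS is copied from the v1.16.3 "Docker Manifests"
list above (subset); the references checked in check_refs() are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

RELEASE_MANIFESTS = """\
cilium
quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
quay.io/cilium/cilium:stable@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
hubble-relay
quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
quay.io/cilium/hubble-relay:stable@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
operator-generic
quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
quay.io/cilium/operator-generic:stable@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
"""

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass(frozen=True)
class ImageRef:
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Split 'registry/repo[:tag][@sha256:...]' into its parts."""
    # Release-note pages sometimes carry zero-width spaces around '@'; drop them.
    ref = ref.strip().replace("\u200b", "")
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # The tag separator is the last ':' after the last '/', so a registry
    # port such as 'registry.local:5000/x' is not mistaken for a tag.
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:
        return ImageRef(name[:colon], name[colon + 1:], digest or None)
    return ImageRef(name, None, digest or None)


def parse_manifests(text: str) -> Dict[str, str]:
    """Map 'repo:tag' -> digest for every pinned line of the release list.

    Lines without '@' are component headers ('cilium', 'hubble-relay', ...).
    """
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        if "@" not in line:
            continue
        r = parse_ref(line)
        if r.tag is None or r.digest is None:
            raise ValueError(f"release line is not fully pinned: {line!r}")
        expected[f"{r.repo}:{r.tag}"] = r.digest
    return expected


def check_ref(ref: str, expected: Dict[str, str]) -> str:
    """Return 'ok' or the reason this reference must not be deployed."""
    r = parse_ref(ref)
    if r.digest is None:
        return "unpinned: tag only, no digest"          # mutable, re-pointable
    if r.tag is None:
        # Digest-only references are immutable; accept any digest the release published.
        return "ok" if r.digest in expected.values() else "unknown digest"
    key = f"{r.repo}:{r.tag}"
    if key not in expected:
        return f"not in release list: {key}"
    if expected[key] != r.digest:
        return "digest mismatch"                       # tag says one thing, digest another
    return "ok"


def check_refs(refs: Iterable[str], expected: Dict[str, str]) -> Dict[str, str]:
    return {ref: check_ref(ref, expected) for ref in refs}


if __name__ == "__main__":
    # Constructed references, as a rendered chart or a running cluster might report them.
    sample = [
        "quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28",
        "quay.io/cilium/cilium:stable",
        "quay.io/cilium/operator-generic:v1.16.3@sha256:" + "0" * 64,
    ]
    for ref, verdict in check_refs(sample, parse_manifests(RELEASE_MANIFESTS)).items():
        print(f"{verdict:40} {ref}")
```

In a merge pipeline the `sample` list would come from `helm template ... | grep 'image:'`; anything other than `ok` should fail the job, and the `digest mismatch` case in particular is the one to alarm on, since it means the tag in the values file and the digest in the rendered output no longer describe the same artifact.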
This MR has been generated by Renovate Bot. Tell Nogweii if it blows up.