Cilium - v1.10.11

Security

We are pleased to release Cilium v1.10.11. This release includes security-relevant fixes as well as regular bugfixes for the Cilium v1.10.x release series.

The following security issues have been identified and resolved by the community. These vulnerabilities first require an adversary to gain node-level access to nodes where Cilium is running, for instance gaining root access to the nodes, or gaining access to a user associated with group 1000. See the individual security advisories below for more details:

  • CVE-2022-29179 (CVSS score: High, 7.5, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2022-29178 (CVSS score: Moderate, 4.2, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Users are advised to upgrade by following the upgrade guide, which ensures that the Cilium ClusterRoles are correctly upgraded.

Summary of Changes

Minor Changes:
* hubble/relay: Make the Hubble Peer service available by making it a Kubernetes service to eliminate the need to share a local Unix domain socket between a privileged pod (cilium daemon) and an unprivileged one (hubble-relay). (Backport PR #19744, Upstream PR #18620, @nathanjsweet)
* metrics: Add go_* metrics (Backport PR #19637, Upstream PR #19153, @chancez)

Bugfixes:
* Fixed Cilium agent regression causing a crash due to ipcache controller being scheduled too soon. (Backport PR #19574, Upstream PR #19501, @jrajahalme)
* Improve garbage collection for resources allocated by ToFQDNs policy for services which rotate IP addresses frequently such as Amazon S3 (Backport PR #19584, Upstream PR #19452, @joestringer)
* operator: Add cilium node garbage collector (Backport PR #19744, Upstream PR #19576, @sayboras)

CI Changes:
* jenkinsfiles: Increase VM boot timeout (Backport PR #19482, Upstream PR #19458, @pchaigno)

Misc Changes:
* build(deps): bump actions/checkout from 3.0.1 to 3.0.2 (#19537, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.10.0 to 3 (#19726, @dependabot[bot])
* build(deps): bump docker/login-action from 1.14.1 to 2 (#19721, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 (#19617, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.7.0 to 2 (#19724, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 1.2.0 to 2 (#19723, @dependabot[bot])
* docs: fix version warning URL to point to docs.cilium.io (Backport PR #19584, Upstream PR #19563, @aanm)
* docs: improve description for session affinity with KPR (Backport PR #19482, Upstream PR #19478, @julianwiedmann)
* docs: set the right url for API version check (Backport PR #19672, Upstream PR #19610, @aanm)
* docs: Update max MTU value for Nodeport XDP on AWS (Backport PR #19672, Upstream PR #19593, @qmonnet)
* identity: Initialize local identity allocator early (Backport PR #19574, Upstream PR #19556, @jrajahalme)
* images/cilium: remove cilium group from Dockerfile (Backport PR #19744, Upstream PR #19711, @aanm)
* LRP minor improvements (Backport PR #19482, Upstream PR #19489, @aditighag)
* make: check that Go major/minor version matches required version (Backport PR #19584, Upstream PR #19528, @tklauser)
* pkg/bpf: add map name in error message for OpenParallel (Backport PR #19482, Upstream PR #19491, @aanm)
* pkg/k8s: use subresource "nodes/status" to update node annotations (Backport PR #19674, Upstream PR #19590, @aanm)
* test/upgrade: use the unreleased helm chart of stable branches (Backport PR #19744, Upstream PR #19710, @aanm)
* Trimmed down Cilium's Cluster Roles to only the necessary rules (Backport PR #19674, Upstream PR #19074, @aanm)
* v1.10: images/runtime: update CNI plugins to 1.1.1 (#19692, @tklauser)

Other Changes:
* install: Update image digests for v1.10.10 (#19475, @joestringer)
* Prepare for release v1.10.11 (#19755, @aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.10.11@sha256:48e1a261046c2e534e370f960f0920233f9fd5ad4623aebdca0e403264a06202
quay.io/cilium/cilium:v1.10.11@sha256:48e1a261046c2e534e370f960f0920233f9fd5ad4623aebdca0e403264a06202

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.10.11@sha256:ea07dd1c842befe9c5941a328497a47d41b2af47379527750e4b0f03af20532b
quay.io/cilium/clustermesh-apiserver:v1.10.11@sha256:ea07dd1c842befe9c5941a328497a47d41b2af47379527750e4b0f03af20532b

docker-plugin

docker.io/cilium/docker-plugin:v1.10.11@sha256:b2bec081798391e348b1dcb6669a523e3a8adc70850c403d923fa897688251f6
quay.io/cilium/docker-plugin:v1.10.11@sha256:b2bec081798391e348b1dcb6669a523e3a8adc70850c403d923fa897688251f6

hubble-relay

docker.io/cilium/hubble-relay:v1.10.11@sha256:8f30fb40bd46be4d1bfb55eb91cff7d0f8958eeb486d6184b5495f6624cf6ff1
quay.io/cilium/hubble-relay:v1.10.11@sha256:8f30fb40bd46be4d1bfb55eb91cff7d0f8958eeb486d6184b5495f6624cf6ff1

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.10.11@sha256:83e18445ef3285317ed712514966cda8213722f548bea5ded61ad3446067b94b
quay.io/cilium/operator-alibabacloud:v1.10.11@sha256:83e18445ef3285317ed712514966cda8213722f548bea5ded61ad3446067b94b

operator-aws

docker.io/cilium/operator-aws:v1.10.11@sha256:aed283cb4932fec07746c09770b7a9ec959aab6d5051dfdd3449c9d7d9be2a33
quay.io/cilium/operator-aws:v1.10.11@sha256:aed283cb4932fec07746c09770b7a9ec959aab6d5051dfdd3449c9d7d9be2a33

operator-azure

docker.io/cilium/operator-azure:v1.10.11@sha256:1acea544097ede5f120d190309b46c1ea62da5fa6c61203945073d86a7891203
quay.io/cilium/operator-azure:v1.10.11@sha256:1acea544097ede5f120d190309b46c1ea62da5fa6c61203945073d86a7891203

operator-generic

docker.io/cilium/operator-generic:v1.10.11@sha256:468ce59342298f1cf87ca8512cd9192754e83348b347a4bc7c27158ef9c4a37d
quay.io/cilium/operator-generic:v1.10.11@sha256:468ce59342298f1cf87ca8512cd9192754e83348b347a4bc7c27158ef9c4a37d

operator

docker.io/cilium/operator:v1.10.11@sha256:d24af610f2e55f9ff1737690bb09ae948cc390c9cfd88b5d3728d747cc7a3a25
quay.io/cilium/operator:v1.10.11@sha256:d24af610f2e55f9ff1737690bb09ae948cc390c9cfd88b5d3728d747cc7a3a25


Details

date: May 16, 2022, 7:54 p.m.
name: 1.10.11
type: Patch