Cilium - v1.10.2

We are pleased to release Cilium v1.10.2.

This release fixes some bugs reported found in 1.10.1 that were reported by users, notably:
- Fix connectivity issues when kube-proxy replacement is enabled, caused by ineffective socket-based load balancing (aka host reachable services) in the private cgroup namespace mode of container runtimes (e.g., docker cgroupv2 configuration);
- Fix hw_csum dmesg message for ICMP probe packets;
- Regression for the faulty router IP restoration logic which could cause cilium_host interface to have more than 1 IPv4 address;
- DNS proxy is now more available during Cilium restarts, including upgrades;
- Plumb Azure interface's VPC / primary CIDR and set it as native routing CIDR in Azure IPAM mode.

Summary of Changes

Minor Changes: * Fixes connectivity issues when kube-proxy replacement is enabled, caused by
ineffective socket based load balancing (aka host reachable services) in the private
cgroup namespace mode of container runtimes (e.g., docker cgroupv2 configuration). (Backport PR #16671, Upstream PR #16259, @aditighag)

Bugfixes: * bpf: fix iptables masquerading for node -> remote pod traffic (Backport PR #16654, Upstream PR #16136, @jibi) * bpf: fix hw_csum issue for icmp probe packets (Backport PR #16614, Upstream PR #16604, @borkmann) * daemon, node: Fix faulty router IP restoration logic (Backport PR #16675, Upstream PR #16672, @christarazi) * DNS proxy is now more available during Cilium restarts, including upgrades. (Backport PR #16686, Upstream PR #16391, @jrajahalme) * External Workloads service access is enabled again. (Backport PR #16686, Upstream PR #16662, @jrajahalme) * Fix issue where generating Hubble certs were broken (Backport PR #16614, Upstream PR #16509, @alex1989hu) * ipsec: Fix logging of SPI after key rotations (Backport PR #16614, Upstream PR #16557, @pchaigno) * lrp: Skip clusterIP service restore in service delete callback (Backport PR #16614, Upstream PR #16548, @aditighag) * Plumb Azure interface's VPC / primary CIDR and set it as native routing CIDR in Azure IPAM mode (Backport PR #16697, Upstream PR #16696, @christarazi) * Potential deadlock in pod identity updates has been fixed. (Backport PR #16614, Upstream PR #16529, @jrajahalme) * pkg/option: Fix default assignment of EnableWellKnownIdentities (Backport PR #16614, Upstream PR #16434, @mauriciovasquezbernal)

CI Changes: * ci: Disable NFS locking (Backport PR #16686, Upstream PR #16554, @gandro) * cicd: skip codesql on forks (Backport PR #16686, Upstream PR #16560, @ldelossa) * node-neigh: Fix concurrent arping update unit test flake (Backport PR #16614, Upstream PR #16578, @brb) * Pick up cilium-cli v0.8.2 (Backport PR #16654, Upstream PR #16650, @michi-covalent) * tests: rework custom calls's AfterEach/AfterAll blocks to skip if needed (Backport PR #16686, Upstream PR #16651, @qmonnet) * vagrant: Bump all Vagrant box versions (Backport PR #16654, Upstream PR #16589, @pchaigno) * workflows: Skip jobs instead of workflows (Backport PR #16562, Upstream PR #16487, @pchaigno)

Misc Changes: * build(deps): bump actions/download-artifact from 2.0.9 to 2.0.10 (#16574, @dependabot[bot]) * build(deps): bump actions/upload-artifact from 2.2.3 to 2.2.4 (#16586, @dependabot[bot]) * build(deps): bump docker/build-push-action from 2.5.0 to 2.6.1 (#16742, @dependabot[bot]) * build(deps): bump docker/login-action from 1.9.0 to 1.10.0 (#16641, @dependabot[bot]) * build(deps): bump docker/setup-buildx-action from 1.3.0 to 1.4.1 (#16685, @dependabot[bot]) * build(deps): bump helm/kind-action from 1.1.0 to 1.2.0 (#16709, @dependabot[bot]) * CODEOWNERS: Give maintainer's code to github-sec team (Backport PR #16562, Upstream PR #16426, @pchaigno) * contrib: Identify upstream commits by author and date (Backport PR #16654, Upstream PR #16572, @pchaigno) * docs: fix check-crd-compat-table script (Backport PR #16614, Upstream PR #16545, @aanm) * docs: Fix typo in BGP GSG (Backport PR #16614, Upstream PR #16563, @christarazi) * docs: Hubble UI does not show HTTP endpoints anymore (Backport PR #16562, Upstream PR #16535, @gandro) * docs: run GitHub action when Charts are touched to check Helm values ref (Backport PR #16654, Upstream PR #16577, @qmonnet) * images/script: update the example hubble cli Deployment version (Backport PR #16562, Upstream PR #16537, @kaworu) * images: Remove trailing newlines before computing SHA256 (Backport PR #16654, Upstream PR #16621, @pchaigno) * k8s: Fix logging (Backport PR #16614, Upstream PR #16530, @jrajahalme) * Refactor logging package to split syslog functionality into separate file (Backport PR #16686, Upstream PR #16600, @tklauser) * vendor: Update go.universe.tf/metallb (Backport PR #16614, Upstream PR #16523, @christarazi)

Other Changes: * .github: Rename maintainer's little helper's config file (#16457, @pchaigno) * docs: improve the helm chart documentation (#16653, @bmcustodio) * docs: update the version specific notes table (#16729, @bmcustodio) * install: Update image digests for v1.10.1 (#16546, @aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.10.2@sha256:1112a29c8fe04c2a47e5e250112a940c9b81d6700b7e8bba159ab996a05282b9
quay.io/cilium/cilium:v1.10.2@sha256:1112a29c8fe04c2a47e5e250112a940c9b81d6700b7e8bba159ab996a05282b9
docker.io/cilium/cilium:stable@sha256:1112a29c8fe04c2a47e5e250112a940c9b81d6700b7e8bba159ab996a05282b9
quay.io/cilium/cilium:stable@sha256:1112a29c8fe04c2a47e5e250112a940c9b81d6700b7e8bba159ab996a05282b9

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.10.2@sha256:d8ac4a1bfe4dd36d49119b8a2bcad7f218ea1d21547a00593181873ce0ff4ed5
quay.io/cilium/clustermesh-apiserver:v1.10.2@sha256:d8ac4a1bfe4dd36d49119b8a2bcad7f218ea1d21547a00593181873ce0ff4ed5
docker.io/cilium/clustermesh-apiserver:stable@sha256:d8ac4a1bfe4dd36d49119b8a2bcad7f218ea1d21547a00593181873ce0ff4ed5
quay.io/cilium/clustermesh-apiserver:stable@sha256:d8ac4a1bfe4dd36d49119b8a2bcad7f218ea1d21547a00593181873ce0ff4ed5

docker-plugin

docker.io/cilium/docker-plugin:v1.10.2@sha256:6f59af4314da3d7a7cdcacfb8e8854caf63bf7781e674eedac6579fbda896431
quay.io/cilium/docker-plugin:v1.10.2@sha256:6f59af4314da3d7a7cdcacfb8e8854caf63bf7781e674eedac6579fbda896431
docker.io/cilium/docker-plugin:stable@sha256:6f59af4314da3d7a7cdcacfb8e8854caf63bf7781e674eedac6579fbda896431
quay.io/cilium/docker-plugin:stable@sha256:6f59af4314da3d7a7cdcacfb8e8854caf63bf7781e674eedac6579fbda896431

hubble-relay

docker.io/cilium/hubble-relay:v1.10.2@sha256:b819d93267cc229250e16c01194927b295a5cf680d25f6a65cd8c2966ac51ae8
quay.io/cilium/hubble-relay:v1.10.2@sha256:b819d93267cc229250e16c01194927b295a5cf680d25f6a65cd8c2966ac51ae8
docker.io/cilium/hubble-relay:stable@sha256:b819d93267cc229250e16c01194927b295a5cf680d25f6a65cd8c2966ac51ae8
quay.io/cilium/hubble-relay:stable@sha256:b819d93267cc229250e16c01194927b295a5cf680d25f6a65cd8c2966ac51ae8

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.10.2@sha256:26a2881a5912df30d3edfbb62e8b3e36b107ba01b5227ec58a7d505816890f74
quay.io/cilium/operator-alibabacloud:v1.10.2@sha256:26a2881a5912df30d3edfbb62e8b3e36b107ba01b5227ec58a7d505816890f74
docker.io/cilium/operator-alibabacloud:stable@sha256:26a2881a5912df30d3edfbb62e8b3e36b107ba01b5227ec58a7d505816890f74
quay.io/cilium/operator-alibabacloud:stable@sha256:26a2881a5912df30d3edfbb62e8b3e36b107ba01b5227ec58a7d505816890f74

operator-aws

docker.io/cilium/operator-aws:v1.10.2@sha256:5e4ac722ec9fd3f4cd33c3a3e0ed2076aa15a71dee6720145bbce9c9aefb2eaa
quay.io/cilium/operator-aws:v1.10.2@sha256:5e4ac722ec9fd3f4cd33c3a3e0ed2076aa15a71dee6720145bbce9c9aefb2eaa
docker.io/cilium/operator-aws:stable@sha256:5e4ac722ec9fd3f4cd33c3a3e0ed2076aa15a71dee6720145bbce9c9aefb2eaa
quay.io/cilium/operator-aws:stable@sha256:5e4ac722ec9fd3f4cd33c3a3e0ed2076aa15a71dee6720145bbce9c9aefb2eaa

operator-azure

docker.io/cilium/operator-azure:v1.10.2@sha256:8c5ce723e85000047fc9e2c35cd2df2ff78d776d384182254ba4bf33ae9c49ab
quay.io/cilium/operator-azure:v1.10.2@sha256:8c5ce723e85000047fc9e2c35cd2df2ff78d776d384182254ba4bf33ae9c49ab
docker.io/cilium/operator-azure:stable@sha256:8c5ce723e85000047fc9e2c35cd2df2ff78d776d384182254ba4bf33ae9c49ab
quay.io/cilium/operator-azure:stable@sha256:8c5ce723e85000047fc9e2c35cd2df2ff78d776d384182254ba4bf33ae9c49ab

operator-generic

docker.io/cilium/operator-generic:v1.10.2@sha256:a88b04cb5895610620da6e90d362af9e512d2baa51a0a0d77ab34186dfb20c68
quay.io/cilium/operator-generic:v1.10.2@sha256:a88b04cb5895610620da6e90d362af9e512d2baa51a0a0d77ab34186dfb20c68
docker.io/cilium/operator-generic:stable@sha256:a88b04cb5895610620da6e90d362af9e512d2baa51a0a0d77ab34186dfb20c68
quay.io/cilium/operator-generic:stable@sha256:a88b04cb5895610620da6e90d362af9e512d2baa51a0a0d77ab34186dfb20c68

operator

docker.io/cilium/operator:v1.10.2@sha256:bae2b9c75f9ff191a4654ebfe7d61feddfb39c88ca272ee3f556d964eaaba9e6
quay.io/cilium/operator:v1.10.2@sha256:bae2b9c75f9ff191a4654ebfe7d61feddfb39c88ca272ee3f556d964eaaba9e6
docker.io/cilium/operator:stable@sha256:bae2b9c75f9ff191a4654ebfe7d61feddfb39c88ca272ee3f556d964eaaba9e6
quay.io/cilium/operator:stable@sha256:bae2b9c75f9ff191a4654ebfe7d61feddfb39c88ca272ee3f556d964eaaba9e6