Cilium - v1.11.13

Security

We are pleased to release Cilium v1.11.13. This release contains a new flag for bugtool, fixes related to TLS connections in Envoy, the CES queue delay metric, the Agent init check, as well as a range of other regular bugfixes.

See the notes below for a full description of the changes.

Summary of Changes

Minor Changes:
* Bugtool: add flag to exclude object for endpoints (Backport PR #23313, Upstream PR #22370, @tbalthazar)
* Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23313, Upstream PR #22884, @dlapcevic)

Bugfixes:
* Added Agent init check that removes all CiliumEndpoints referencing local Node that are not managed. This fixes issues where sometimes CiliumEndpoints referencing still running Pods can become unmanaged during Cilium restart. (Backport PR #22563, Upstream PR #20350, @tommyp1ckles)
* Clear stale CNP status nodes if updates have been disabled (Backport PR #22563, Upstream PR #20366, @pippolo84)
* clustermesh: Add missing brackets of IPv6 address for etcd option (Backport PR #23313, Upstream PR #22962, @YutaroHayakawa)
* docs: Update Cilium Sphinx RTD Theme reference (Backport PR #22563, Upstream PR #22321, @kimstacy)
* envoy: Fix regression on passing TLS SNI option to upstream TLS connections (#23031, @jrajahalme)
* Fail validate-cnp preflight check if a CiliumClusterwideNetworkPolicy is using an empty toEndpoints/fromEndpoints selector (Backport PR #22563, Upstream PR #21990, @thorn3r)
* Fix a data race in dnsproxy which could lead to DNS request drops. (Backport PR #23313, Upstream PR #22619, @aspsk)

CI Changes:
* .github: Pin docker buildx version to v0.9.1 (v2) (Backport PR #23313, Upstream PR #23220, @joestringer)
* daemon/cmd: improve stale cilium endpoint error handling. (Backport PR #23313, Upstream PR #22600, @tommyp1ckles)
* golangci-lint-action: Remove skip-go-installation option (#23216, @michi-covalent)
* test/helpers: Fix retry condition for CiliumExecContext (Backport PR #23313, Upstream PR #22726, @christarazi)
* test: service: fix formatting of error msg in doFragmentedRequest() (Backport PR #23313, Upstream PR #22772, @julianwiedmann)

Misc Changes:
* .github/workflows: use right event type for auto labeler (Backport PR #22563, Upstream PR #22508, @aanm)
* .github: add PR labeler for external contributions (Backport PR #22563, Upstream PR #22461, @aanm)
* Add sphinxcontrib-googleanalytics to doc requirements (Backport PR #23313, Upstream PR #22821, @chalin)
* backporting: leave backport/author PRs alone (Backport PR #23313, Upstream PR #22654, @bimmlerd)
* build(deps): bump actions/cache from 3.0.11 to 3.2.3 (#22986, @dependabot[bot])
* build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22958, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 (#22987, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23114, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.37 to 2.1.38 (#23071, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.38 to 2.1.39 (#23187, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23251, @dependabot[bot])
* build(deps): update package dependencies (Backport PR #23313, Upstream PR #23140, @fengshunli)
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 0e0402c (v1.11) (#22638, @renovate[bot])
* ci, github: Fix IPv6 conformance test (Backport PR #23055, Upstream PR #22774, @borkmann)
* contrib: Update PR template for backport (Backport PR #23313, Upstream PR #23058, @sayboras)
* daemon/cmd: Fix error handling for getting proxy port (Backport PR #22563, Upstream PR #22296, @christarazi)
* docs: add instructions to build the base images from external forks (Backport PR #22563, Upstream PR #22304, @aanm)
* docs: Fix kubectl create output in docs after some deployments have moved from K8s "extensions" to "apps". (Backport PR #22563, Upstream PR #22002, @cleverhu)
* docs: Improve IPsec guide (Backport PR #23313, Upstream PR #23135, @pchaigno)
* docs: Improve wording for deny policies limitation (Backport PR #23313, Upstream PR #23095, @joestringer)
* docs: update committer security requirements (Backport PR #23313, Upstream PR #23134, @xmulligan)
* gha: Bump k8s version in kind conformance tests (Backport PR #23055, Upstream PR #22325, @sayboras)
* IPsec: Refactor ipSecReplaceState{In,Out} functions (Backport PR #23313, Upstream PR #23158, @pchaigno)
* k8s: don't consider 4xx a successful interaction (Backport PR #22563, Upstream PR #22393, @bimmlerd)
* Update CNI to 1.2.0 (Backport PR #23313, Upstream PR #23267, @michi-covalent)
* Update Layer 7 Protocol Visibility Document. (Backport PR #23313, Upstream PR #22807, @obaranov1)
* vendor: Pick up security fixes (#23215, @michi-covalent)

Other Changes:
* [v1.11] images: Bump Hubble CLI to v0.11.1 (#23302, @gandro)
* install: Update image digests for v1.11.12 (#22818, @joestringer)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.13@sha256:cc5212dd709d1fadf19ffeae602d2af54d03634791f0f1a7e3bab0bd263918a1
quay.io/cilium/cilium:v1.11.13@sha256:cc5212dd709d1fadf19ffeae602d2af54d03634791f0f1a7e3bab0bd263918a1

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.13@sha256:c95b5f21e1cc7242562cf4696446151e43d955fe7f0726906c441ff8f93040f4
quay.io/cilium/clustermesh-apiserver:v1.11.13@sha256:c95b5f21e1cc7242562cf4696446151e43d955fe7f0726906c441ff8f93040f4

docker-plugin

docker.io/cilium/docker-plugin:v1.11.13@sha256:4e6181c4d12036dd20c0bb64edaa19fb9f3fe9c9136fca09d1a9f282b8f7b103
quay.io/cilium/docker-plugin:v1.11.13@sha256:4e6181c4d12036dd20c0bb64edaa19fb9f3fe9c9136fca09d1a9f282b8f7b103

hubble-relay

docker.io/cilium/hubble-relay:v1.11.13@sha256:8835d4a0510d7da6319463aefdf30da814f0fbf5ef349e07f45c951bfb1d57ce
quay.io/cilium/hubble-relay:v1.11.13@sha256:8835d4a0510d7da6319463aefdf30da814f0fbf5ef349e07f45c951bfb1d57ce

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.13@sha256:665cd383f44f66cf6f242bb8daccb66a04c1c4c36a18a352ad77ea748a3d28ac
quay.io/cilium/operator-alibabacloud:v1.11.13@sha256:665cd383f44f66cf6f242bb8daccb66a04c1c4c36a18a352ad77ea748a3d28ac

operator-aws

docker.io/cilium/operator-aws:v1.11.13@sha256:110cae87219e55e34ef9e9a93961442a248becd95773e695516895e3f799e618
quay.io/cilium/operator-aws:v1.11.13@sha256:110cae87219e55e34ef9e9a93961442a248becd95773e695516895e3f799e618

operator-azure

docker.io/cilium/operator-azure:v1.11.13@sha256:747bba41d4207bc6e84df1de9c5b2f2dbfe525b4ddde38b427d4eda1e9284596
quay.io/cilium/operator-azure:v1.11.13@sha256:747bba41d4207bc6e84df1de9c5b2f2dbfe525b4ddde38b427d4eda1e9284596

operator-generic

docker.io/cilium/operator-generic:v1.11.13@sha256:a34fc3d5007201bdfe7fc3a469351dc6b9f190720ea54622f94cdfb0b28c6726
quay.io/cilium/operator-generic:v1.11.13@sha256:a34fc3d5007201bdfe7fc3a469351dc6b9f190720ea54622f94cdfb0b28c6726

operator

docker.io/cilium/operator:v1.11.13@sha256:859ff723b1b6c03f7f0126383e619fcff9fb78648eca6f4c6a4412989047f9da
quay.io/cilium/operator:v1.11.13@sha256:859ff723b1b6c03f7f0126383e619fcff9fb78648eca6f4c6a4412989047f9da


Security

Security wording was detected, but no CVEs were found.

Details

date: Jan. 27, 2023, 2:15 p.m.
name: 1.11.13
type: Patch