Cilium - v1.11.16

Security

We are pleased to release Cilium v1.11.16.

This release addresses the following security issue:
* GHSA-pg5p-wwp8-97g8

Note: When updating to this release, make sure that you are using the new Helm chart version.

Summary of Changes

Minor Changes:
* envoy: Bump envoy to v1.23.8 (#24911, @sayboras)
* envoy: Bump envoy version to v1.23.7 (#24748, @sayboras)

Bugfixes:
* Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (Backport PR #24604, Upstream PR #24557, @jschwinger233)
* Fix for disabled cloud provider rate limiting (Backport PR #24458, Upstream PR #24413, @hemanthmalla)
* Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24872, @aanm)
* Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24852, Upstream PR #24788, @jrajahalme)
* Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (Backport PR #24823, Upstream PR #24681, @aditighag)
* ipsec: Clean up stale XFRM policies and states (Backport PR #24823, Upstream PR #24773, @pchaigno)

CI Changes:
* Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24710, Upstream PR #24484, @jschwinger233)
* renovate: Fix Hubble release digest regex (Backport PR #24604, Upstream PR #24477, @gandro)
* tests: add exceptions for lease errors due to etcd (Backport PR #24823, Upstream PR #24723, @jibi)

Misc Changes:
* Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24931, Upstream PR #24928, @aanm)
* Avoid clearing objects in conversion funcs (Backport PR #24931, Upstream PR #24241, @odinuge)
* checker: Fix incorrect checker for ExportedEqual() (Backport PR #24458, Upstream PR #24373, @christarazi)
* chore(deps): update dependency cilium/hubble to v0.11.3 (v1.11) (#24820, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.5 (v1.11) (#24644, @renovate[bot])
* chore(deps): update docker.io/library/alpine:3.16.4 docker digest to 2cf17aa (v1.11) (#24493, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 24a0df4 (v1.11) (#24498, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.11) (#24499, @renovate[bot])
* docs: add note that there are two Cilium CLIs (Backport PR #24604, Upstream PR #24435, @lizrice)
* docs: fix typo in operations/troubleshooting.rst (Backport PR #24604, Upstream PR #24460, @NikAleksandrov)
* docs: Fix upgradeCompatibility references (Backport PR #24823, Upstream PR #24711, @joestringer)
* docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24458, Upstream PR #24164, @jspaleta)
* docs: Update the documentation for the --conntrack-gc-interval flag (Backport PR #24458, Upstream PR #24400, @pchaigno)
* Fix duplicated logs for test-output.log (Backport PR #24458, Upstream PR #24171, @romanspb80)
* hubble-ui: allow ingress from non root / urls (Backport PR #24604, Upstream PR #23631, @geakstr)
* loader: Don't compile .asm files by default (Backport PR #24823, Upstream PR #24769, @pchaigno)
* pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24823, Upstream PR #24715, @aanm)

Other Changes:
* Add IPSec remark for upgrade to v1.11.15 (#24632, @darox)
* Add note about known regression in ConfigMap values prioritized over flags in Cilium agent (#24743, @aanm)
* In service recovery, don't skip if one of the service recovery fails (#23922, @jaredledvina)
* install: Update image digests for v1.11.15 (#24425, @nebril)
* Prepare for release v1.11.16 (#24880, @michi-covalent)
* v1.11: docs: Document IPsec upgrade issue on v1.11.15 (#24704, @pchaigno)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.16@sha256:d2f2632c997a027ee4e540432edb4d8594e78e33315427e7ec3c06b473ec1e4e
quay.io/cilium/cilium:v1.11.16@sha256:d2f2632c997a027ee4e540432edb4d8594e78e33315427e7ec3c06b473ec1e4e

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.16@sha256:67a051ef38ae113bcf7dc27ebb23a1137ece961ce86f087226ff5a0046099106
quay.io/cilium/clustermesh-apiserver:v1.11.16@sha256:67a051ef38ae113bcf7dc27ebb23a1137ece961ce86f087226ff5a0046099106

docker-plugin

docker.io/cilium/docker-plugin:v1.11.16@sha256:1ee1bae0c2299d94ff162fc2847f9827823ff3d8e055e07da06e4ca28efe9391
quay.io/cilium/docker-plugin:v1.11.16@sha256:1ee1bae0c2299d94ff162fc2847f9827823ff3d8e055e07da06e4ca28efe9391

hubble-relay

docker.io/cilium/hubble-relay:v1.11.16@sha256:c4c12759ba628e64a0f3fada99d2632627e5391ae0b49c3f35da51c3ba9eac9f
quay.io/cilium/hubble-relay:v1.11.16@sha256:c4c12759ba628e64a0f3fada99d2632627e5391ae0b49c3f35da51c3ba9eac9f

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.16@sha256:d60aedfabf0957da1d975ee54779172f990366e9fb8bf55184ac31a0d77adc65
quay.io/cilium/operator-alibabacloud:v1.11.16@sha256:d60aedfabf0957da1d975ee54779172f990366e9fb8bf55184ac31a0d77adc65

operator-aws

docker.io/cilium/operator-aws:v1.11.16@sha256:526dab3bee6231f71da44d14f25c17dfb53afba876bfc99374a11c0fb4278e36
quay.io/cilium/operator-aws:v1.11.16@sha256:526dab3bee6231f71da44d14f25c17dfb53afba876bfc99374a11c0fb4278e36

operator-azure

docker.io/cilium/operator-azure:v1.11.16@sha256:0c2da6adf29f521f6d2ffe92794ad598fc99231eba2814b80cf608362cc14a3c
quay.io/cilium/operator-azure:v1.11.16@sha256:0c2da6adf29f521f6d2ffe92794ad598fc99231eba2814b80cf608362cc14a3c

operator-generic

docker.io/cilium/operator-generic:v1.11.16@sha256:ea3fbe5ab65efc41228d716a64804b6fca9e2299835c3d39ae1cb248c1594c55
quay.io/cilium/operator-generic:v1.11.16@sha256:ea3fbe5ab65efc41228d716a64804b6fca9e2299835c3d39ae1cb248c1594c55

operator

docker.io/cilium/operator:v1.11.16@sha256:44fb99adbba82605702aa9c41380c1c79ad5565bbd3c9d961f9aab55387be586
quay.io/cilium/operator:v1.11.16@sha256:44fb99adbba82605702aa9c41380c1c79ad5565bbd3c9d961f9aab55387be586


Security

Security wording was detected, but no CVEs were found.

Details

date: April 18, 2023, 5:42 p.m.
name: 1.11.16
type: Patch