Cilium - v1.11.5

Security

We are pleased to release Cilium v1.11.5. This release includes security-relevant fixes as well as regular bugfixes for the Cilium v1.11.x release series.

The following security issues have been identified and resolved by the community. These vulnerabilities first require an adversary to gain node-level access to nodes where Cilium is running, for instance gaining root access to the nodes, or gaining access to a user associated with group 1000. See the individual security advisories below for more details:

  • CVE-2022-29179 (CVSS score: High, 7.5, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2022-29178 (CVSS score: Moderate, 4.2, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Users are recommended to update following the upgrade guide to ensure that the Cilium ClusterRoles are correctly upgraded.

Summary of Changes

Minor Changes:
* datapath: Allow egress GW with XDP (Backport PR #19671, Upstream PR #19587, @brb)
* hubble/relay: Make the Hubble Peer service available by making it a Kubernetes service to eliminate the need to share a local Unix domain socket between a privileged pod (cilium daemon) and an unprivileged one (hubble-relay). (Backport PR #19752, Upstream PR #18620, @nathanjsweet)
* k8s: keep KVStore CiliumNode labels synced with Node object (Backport PR #19481, Upstream PR #19375, @jibi)
* metrics: Add go_* metrics (Backport PR #19585, Upstream PR #19153, @chancez)

Bugfixes:
* Add missing packet trace for some non-NodePort SNAT egress (Backport PR #19752, Upstream PR #19158, @YutaroHayakawa)
* clustermesh-apiserver: fixed nil pointer dereference (Backport PR #19752, Upstream PR #18957, @abocim)
* Fatal when IPv6 is enabled but corresponding kernel modules are missing (Backport PR #19481, Upstream PR #18941, @vadorovsky)
* Fix drop for packets sent via AF_PACKET + mmap ring buffer in pod (Backport PR #19481, Upstream PR #19308, @liuyuan10)
* Fixed Cilium agent regression causing a crash due to ipcache controller being scheduled too soon. (Backport PR #19573, Upstream PR #19501, @jrajahalme)
* Improve garbage collection for resources allocated by ToFQDNs policy for services which rotate IP addresses frequently such as Amazon S3 (Backport PR #19585, Upstream PR #19452, @joestringer)
* operator: Add cilium node garbage collector (Backport PR #19752, Upstream PR #19576, @sayboras)
* operator: fix identity GC collection (Backport PR #19671, Upstream PR #19649, @aanm)
* Use identity labels for selector matching for Egress NAT Gateway (Backport PR #19481, Upstream PR #19194, @blzhao-0)

CI Changes:
* jenkinsfiles: add IMAGE_REGISTRY env parameter (Backport PR #19519, Upstream PR #19459, @nbusseneau)
* jenkinsfiles: Increase VM boot timeout (Backport PR #19481, Upstream PR #19458, @pchaigno)

Misc Changes:
* add robots.txt to Cilium documentation (Backport PR #19585, Upstream PR #19578, @aanm)
* build(deps): bump actions/checkout from 3.0.1 to 3.0.2 (#19538, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.10.0 to 3 (#19729, @dependabot[bot])
* build(deps): bump docker/login-action from 1.14.1 to 2 (#19731, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 (#19618, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.7.0 to 2 (#19730, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 1.2.0 to 2 (#19732, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.8 to 2.1.9 (#19600, @dependabot[bot])
* daemon, fqdn: Add flag to control FQDN regex LRU size (Backport PR #19671, Upstream PR #19383, @christarazi)
* daemon: Initialize k8sCachesSynced channel before calling Initk8sSubsystem() (Backport PR #19573, Upstream PR #19626, @jrajahalme)
* docs: fix version warning URL to point to docs.cilium.io (Backport PR #19585, Upstream PR #19563, @aanm)
* docs: improve description for session affinity with KPR (Backport PR #19519, Upstream PR #19478, @julianwiedmann)
* docs: improve guide to setup Cilium overlay on EKS (Backport PR #19481, Upstream PR #19207, @oliwave)
* docs: move sitemap-index.xml to static directory (Backport PR #19752, Upstream PR #19681, @aanm)
* docs: set right path for robots.txt (Backport PR #19671, Upstream PR #19638, @aanm)
* docs: set the right url for API version check (Backport PR #19671, Upstream PR #19610, @aanm)
* docs: Update max MTU value for Nodeport XDP on AWS (Backport PR #19671, Upstream PR #19593, @qmonnet)
* identity: Initialize local identity allocator early (Backport PR #19573, Upstream PR #19556, @jrajahalme)
* images/cilium: remove cilium group from Dockerfile (Backport PR #19752, Upstream PR #19711, @aanm)
* LRP minor improvements (Backport PR #19519, Upstream PR #19489, @aditighag)
* make: check that Go major/minor version matches required version (Backport PR #19585, Upstream PR #19528, @tklauser)
* pkg/bpf: add map name in error message for OpenParallel (Backport PR #19519, Upstream PR #19491, @aanm)
* pkg/k8s: use subresource "nodes/status" to update node annotations (Backport PR #19673, Upstream PR #19590, @aanm)
* pkg/labels: Optimize SortedList() and FormatForKVStore() (Backport PR #19671, Upstream PR #19423, @christarazi)
* pkg/policy/api: Optimize FQDNSelector String() (Backport PR #19671, Upstream PR #19570, @christarazi)
* Removes any log swallowing that was occurring on daemon/cmd init (Backport PR #19671, Upstream PR #19188, @ldelossa)
* test/upgrade: use the unreleased helm chart of stable branches (Backport PR #19752, Upstream PR #19710, @aanm)
* Trimmed down Cilium's Cluster Roles to only the necessary rules (Backport PR #19673, Upstream PR #19074, @aanm)
* v1.11: images/runtime: update CNI plugins to 1.1.1 (#19691, @tklauser)

Other Changes:
* install: Update image digests for v1.11.4 (#19476, @joestringer)
* Prepare for release v1.11.5 (#19756, @aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.5@sha256:79e66c3c2677e9ecc3fd5b2ed8e4ea7e49cf99ed6ee181f2ef43400c4db5eef0
quay.io/cilium/cilium:v1.11.5@sha256:79e66c3c2677e9ecc3fd5b2ed8e4ea7e49cf99ed6ee181f2ef43400c4db5eef0
docker.io/cilium/cilium:stable@sha256:79e66c3c2677e9ecc3fd5b2ed8e4ea7e49cf99ed6ee181f2ef43400c4db5eef0
quay.io/cilium/cilium:stable@sha256:79e66c3c2677e9ecc3fd5b2ed8e4ea7e49cf99ed6ee181f2ef43400c4db5eef0

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.5@sha256:5514ab415aa8986a45876490a14957489f73d86d55513242153d6893fd0fdaf3
quay.io/cilium/clustermesh-apiserver:v1.11.5@sha256:5514ab415aa8986a45876490a14957489f73d86d55513242153d6893fd0fdaf3
docker.io/cilium/clustermesh-apiserver:stable@sha256:5514ab415aa8986a45876490a14957489f73d86d55513242153d6893fd0fdaf3
quay.io/cilium/clustermesh-apiserver:stable@sha256:5514ab415aa8986a45876490a14957489f73d86d55513242153d6893fd0fdaf3

docker-plugin

docker.io/cilium/docker-plugin:v1.11.5@sha256:d4a34531843e3ae6b45d776a36775aae6f1073eec49116f51384d8d19a6fb7ea
quay.io/cilium/docker-plugin:v1.11.5@sha256:d4a34531843e3ae6b45d776a36775aae6f1073eec49116f51384d8d19a6fb7ea
docker.io/cilium/docker-plugin:stable@sha256:d4a34531843e3ae6b45d776a36775aae6f1073eec49116f51384d8d19a6fb7ea
quay.io/cilium/docker-plugin:stable@sha256:d4a34531843e3ae6b45d776a36775aae6f1073eec49116f51384d8d19a6fb7ea

hubble-relay

docker.io/cilium/hubble-relay:v1.11.5@sha256:8498f27a9c85ff74e56e18cfce4f0ccfae6f55d4134d708d364d273f3043f817
quay.io/cilium/hubble-relay:v1.11.5@sha256:8498f27a9c85ff74e56e18cfce4f0ccfae6f55d4134d708d364d273f3043f817
docker.io/cilium/hubble-relay:stable@sha256:8498f27a9c85ff74e56e18cfce4f0ccfae6f55d4134d708d364d273f3043f817
quay.io/cilium/hubble-relay:stable@sha256:8498f27a9c85ff74e56e18cfce4f0ccfae6f55d4134d708d364d273f3043f817

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.5@sha256:063956884c549d8d5e5f540fb84d39c7ba62b02cb52f5f7297c46652379963a7
quay.io/cilium/operator-alibabacloud:v1.11.5@sha256:063956884c549d8d5e5f540fb84d39c7ba62b02cb52f5f7297c46652379963a7
docker.io/cilium/operator-alibabacloud:stable@sha256:063956884c549d8d5e5f540fb84d39c7ba62b02cb52f5f7297c46652379963a7
quay.io/cilium/operator-alibabacloud:stable@sha256:063956884c549d8d5e5f540fb84d39c7ba62b02cb52f5f7297c46652379963a7

operator-aws

docker.io/cilium/operator-aws:v1.11.5@sha256:8ff67ee754ef752af98d41819fb25261f9506872f47d17c6a552ed5c5e063d2d
quay.io/cilium/operator-aws:v1.11.5@sha256:8ff67ee754ef752af98d41819fb25261f9506872f47d17c6a552ed5c5e063d2d
docker.io/cilium/operator-aws:stable@sha256:8ff67ee754ef752af98d41819fb25261f9506872f47d17c6a552ed5c5e063d2d
quay.io/cilium/operator-aws:stable@sha256:8ff67ee754ef752af98d41819fb25261f9506872f47d17c6a552ed5c5e063d2d

operator-azure

docker.io/cilium/operator-azure:v1.11.5@sha256:e6565a0bafbd6a6c45c2467010b6a3032e32db9889083214e988e2706e84816e
quay.io/cilium/operator-azure:v1.11.5@sha256:e6565a0bafbd6a6c45c2467010b6a3032e32db9889083214e988e2706e84816e
docker.io/cilium/operator-azure:stable@sha256:e6565a0bafbd6a6c45c2467010b6a3032e32db9889083214e988e2706e84816e
quay.io/cilium/operator-azure:stable@sha256:e6565a0bafbd6a6c45c2467010b6a3032e32db9889083214e988e2706e84816e

operator-generic

docker.io/cilium/operator-generic:v1.11.5@sha256:8ace281328b27d4216218c604d720b9a63a8aec2bd1996057c79ab0168f9d6d8
quay.io/cilium/operator-generic:v1.11.5@sha256:8ace281328b27d4216218c604d720b9a63a8aec2bd1996057c79ab0168f9d6d8
docker.io/cilium/operator-generic:stable@sha256:8ace281328b27d4216218c604d720b9a63a8aec2bd1996057c79ab0168f9d6d8
quay.io/cilium/operator-generic:stable@sha256:8ace281328b27d4216218c604d720b9a63a8aec2bd1996057c79ab0168f9d6d8

operator

docker.io/cilium/operator:v1.11.5@sha256:a6095fedca15081df3bfb70aa627578d642eeaf3b0e0140100c1086fd47bbfb5
quay.io/cilium/operator:v1.11.5@sha256:a6095fedca15081df3bfb70aa627578d642eeaf3b0e0140100c1086fd47bbfb5
docker.io/cilium/operator:stable@sha256:a6095fedca15081df3bfb70aa627578d642eeaf3b0e0140100c1086fd47bbfb5
quay.io/cilium/operator:stable@sha256:a6095fedca15081df3bfb70aa627578d642eeaf3b0e0140100c1086fd47bbfb5

Details

date: May 16, 2022, 7:54 p.m.
name: 1.11.5
type: Patch