Cilium - v1.11.7

Security

We are pleased to release Cilium v1.11.7. This release adds support for AKS BYOCNI, improves systemd support, and includes a range of other regular bugfixes. See the notes below for a full description.

Summary of Changes

Major Changes:
* add support for AKS BYOCNI (Backport PR #20364, Upstream PR #19379, @nbusseneau)

Minor Changes:
* Add metric on datapath update latency due to FQDN IP updates (Backport PR #20263, Upstream PR #19992, @rahulkjoshi)
* IPSec key rotation without agent restart (Backport PR #20157, Upstream PR #19814, @jibi)
* metrics: Add extra clustermesh metrics (Backport PR #20229, Upstream PR #18348, @sayboras)
* Speed up identity lookup in Hubble and L7 proxy by no longer calculating SHA256 over labels. (Backport PR #20364, Upstream PR #20104, @tklauser)
* Use DeleteOnMetadataMatch instead of Delete for endpointUpdated (Backport PR #20263, Upstream PR #19996, @kvaster)
* v1.11: helm: disable the peer service by default (#20291, @rolinh)

Bugfixes:
* node-init now takes enableIPv4Masquerade into account on GKE. (Backport PR #20412, Upstream PR #19533, @bmcustodio)
* bpf: Fix typo in host firewall tail call (Commit https://github.com/cilium/cilium/commit/0f6513399d66b7302f3fd11613430f47118e6b42, @pchaigno)
* bpf: Use tunnel port flag instead of hardcoded value (Backport PR #20263, Upstream PR #20115, @pchaigno)
* bug: Fixed a rare CiliumIdentity race deletion. (Backport PR #20364, Upstream PR #19936, @nathanjsweet)
* cilium: fix conflicting iptables-legacy and iptables-nft rules (Backport PR #20364, Upstream PR #20123, @jrfastab)
* Consider VPC's secondary CIDRs during cilium_host IP restoration (Backport PR #20364, Upstream PR #19341, @hemanthmalla)
* daemon, option: Fix vlan bpf bypass ids loading (Backport PR #20412, Upstream PR #20282, @pippolo84)
* daemon: Fix issue where stale router IPs were not cleaned up (Backport PR #20412, Upstream PR #20389, @gandro)
* datapath: Fix security ID propagation in tunnel header for NodePort BPF forwarded requests (Backport PR #20301, Upstream PR #19061, @brb)
* Fix agent panic in some cases when service matcher local redirect policy was deployed prior to the selected service. (Backport PR #20263, Upstream PR #19522, @aditighag)
* Fix Azure IPAM 403 errors for Azure instances using Azure Compute Gallery images (Backport PR #20364, Upstream PR #19697, @andrew-bulford-form3)
* Fix Cilium bootstrapping regression with etcd without relying on DNS (Backport PR #20263, Upstream PR #20106, @aanm)
* Fix Cilium initialization for clusters with etcd-operator (Backport PR #20263, Upstream PR #20131, @aanm)
* Fix drop of large packets redirected through an egress gateway node when running in native routing mode. (Backport PR #20412, Upstream PR #20269, @pchaigno)
* fix identity gc to return correct max/min id (Backport PR #20412, Upstream PR #20361, @dkhachyan)
* Fixed SystemD >=245 sysctl(rp_filter) config incompatibility (Backport PR #20364, Upstream PR #20072, @dylandreimerink)
* helm: Fix cluster-id arguments in clustermesh deployment (Backport PR #20364, Upstream PR #20312, @sayboras)
* ipsec: fix stale keys reclaim logic (Backport PR #20157, Upstream PR #19932, @jibi)
* iptables: ensure all rules are installed consistently (Backport PR #20178, Upstream PR #19693, @jibi)
* iptables: fix typo in addProxyRule condition (Backport PR #20178, Upstream PR #20109, @jibi)
* nodediscovery: ensure we cache the nodeResource correctly to avoid null pointer dereferencing (Backport PR #20263, Upstream PR #20158, @odinuge)
* nodediscovery: make LocalNode return a deep copy of localNode (Backport PR #20157, Upstream PR #20392, @jibi)
* nodemanager: Fix bug where Cilium tried to reach stale health endpoints on kubeapi-server nodes (Backport PR #20263, Upstream PR #20210, @gandro)

CI Changes:
* ci: provide CI images with unstripped binaries (Backport PR #20263, Upstream PR #20238, @tklauser)
* jenkinsfiles: fix docker manifest inspect commands in GKE pipeline (Backport PR #20364, Upstream PR #20325, @tklauser)
* runtime: Bump privileged test timeout (Backport PR #20263, Upstream PR #19487, @joestringer)

Misc Changes:
* [docs] Add training and support information to Getting Help (Backport PR #20364, Upstream PR #20194, @lizrice)
* Add a note about conflicting node CIDRs #20204 (Backport PR #20263, Upstream PR #20208, @wokalski)
* Add ESP to firewall requirements in documentation for IPSec enabled C… (Backport PR #20364, Upstream PR #20314, @Kikiodazie)
* api: re-sync bpf drop reasons (Backport PR #20412, Upstream PR #20149, @julianwiedmann)
* build(deps): bump actions/cache from 3.0.4 to 3.0.5 (#20495, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (#20465, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.12 to 2.1.13 (#20261, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.13 to 2.1.14 (#20293, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.14 to 2.1.15 (#20344, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.15 to 2.1.16 (#20504, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#20201, @dependabot[bot])
* ctmap: Do not use nil locks (Backport PR #20412, Upstream PR #20388, @jrajahalme)
* docs(policy): add notes on DNS/L7 policies & Cilium agent availability (Backport PR #20364, Upstream PR #20289, @raphink)
* docs: Document clustermesh datapath configuration for non-tunneled modes (Backport PR #20412, Upstream PR #16499, @jrajahalme)
* docs: Fix reference to upgrade guide (Backport PR #20263, Upstream PR #20184, @joestringer)
* docs: Improve policy troubleshooting guide (Backport PR #20412, Upstream PR #20399, @joestringer)
* docs: remove stale EgressGW limitation with CES (Backport PR #20263, Upstream PR #20195, @julianwiedmann)
* helm: Templatize preflight and clustermesh-apiserver repos (Backport PR #20263, Upstream PR #20206, @michi-covalent)
* operator: start the event queue in a dedicated go routine (Backport PR #20493, Upstream PR #20353, @aanm)
* update-docs : add details for how to enable/disable Policy Audit Mode by endpoint (Backport PR #20263, Upstream PR #19876, @BryanStenson-okta)
* v1.11: Update Go to 1.17.12 (#20503, @tklauser)

Other Changes:
* install: Update image digests for v1.11.6 (#20223, @joestringer)
* update k8s versions to the latest releases (#20513, @aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.7@sha256:66a6f72a49e55e21278d07a99ff2cffa7565ed07f2578d54b5a92c1a492a6597
quay.io/cilium/cilium:v1.11.7@sha256:66a6f72a49e55e21278d07a99ff2cffa7565ed07f2578d54b5a92c1a492a6597
docker.io/cilium/cilium:stable@sha256:66a6f72a49e55e21278d07a99ff2cffa7565ed07f2578d54b5a92c1a492a6597
quay.io/cilium/cilium:stable@sha256:66a6f72a49e55e21278d07a99ff2cffa7565ed07f2578d54b5a92c1a492a6597

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.7@sha256:faffaadeeed55779af31479a8b4663df4b5de2515018127a919409e3281e1b6f
quay.io/cilium/clustermesh-apiserver:v1.11.7@sha256:faffaadeeed55779af31479a8b4663df4b5de2515018127a919409e3281e1b6f
docker.io/cilium/clustermesh-apiserver:stable@sha256:faffaadeeed55779af31479a8b4663df4b5de2515018127a919409e3281e1b6f
quay.io/cilium/clustermesh-apiserver:stable@sha256:faffaadeeed55779af31479a8b4663df4b5de2515018127a919409e3281e1b6f

docker-plugin

docker.io/cilium/docker-plugin:v1.11.7@sha256:6d4d2add41050e4007c4134dcec757c2f62422b0203f85cd6f6e150df9062782
quay.io/cilium/docker-plugin:v1.11.7@sha256:6d4d2add41050e4007c4134dcec757c2f62422b0203f85cd6f6e150df9062782
docker.io/cilium/docker-plugin:stable@sha256:6d4d2add41050e4007c4134dcec757c2f62422b0203f85cd6f6e150df9062782
quay.io/cilium/docker-plugin:stable@sha256:6d4d2add41050e4007c4134dcec757c2f62422b0203f85cd6f6e150df9062782

hubble-relay

docker.io/cilium/hubble-relay:v1.11.7@sha256:df6248b57528eadcf2fac6a27b47bad629ce1c868457a9a2e4835a47e0f18bd3
quay.io/cilium/hubble-relay:v1.11.7@sha256:df6248b57528eadcf2fac6a27b47bad629ce1c868457a9a2e4835a47e0f18bd3
docker.io/cilium/hubble-relay:stable@sha256:df6248b57528eadcf2fac6a27b47bad629ce1c868457a9a2e4835a47e0f18bd3
quay.io/cilium/hubble-relay:stable@sha256:df6248b57528eadcf2fac6a27b47bad629ce1c868457a9a2e4835a47e0f18bd3

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.7@sha256:2d154ac2d9dc000fd8ffd4e79bf6f10e9053c326bb6f75ed02a93b91ed2e986c
quay.io/cilium/operator-alibabacloud:v1.11.7@sha256:2d154ac2d9dc000fd8ffd4e79bf6f10e9053c326bb6f75ed02a93b91ed2e986c
docker.io/cilium/operator-alibabacloud:stable@sha256:2d154ac2d9dc000fd8ffd4e79bf6f10e9053c326bb6f75ed02a93b91ed2e986c
quay.io/cilium/operator-alibabacloud:stable@sha256:2d154ac2d9dc000fd8ffd4e79bf6f10e9053c326bb6f75ed02a93b91ed2e986c

operator-aws

docker.io/cilium/operator-aws:v1.11.7@sha256:a5c4e2b27e403976dfdbf5a12f9dc3dbfce6f4e265056965febc7e1aa37a50e4
quay.io/cilium/operator-aws:v1.11.7@sha256:a5c4e2b27e403976dfdbf5a12f9dc3dbfce6f4e265056965febc7e1aa37a50e4
docker.io/cilium/operator-aws:stable@sha256:a5c4e2b27e403976dfdbf5a12f9dc3dbfce6f4e265056965febc7e1aa37a50e4
quay.io/cilium/operator-aws:stable@sha256:a5c4e2b27e403976dfdbf5a12f9dc3dbfce6f4e265056965febc7e1aa37a50e4

operator-azure

docker.io/cilium/operator-azure:v1.11.7@sha256:b5676bfb80361c6365a31b7e19d59c7f1d3c350fb1cd08948b74bb28204a39b3
quay.io/cilium/operator-azure:v1.11.7@sha256:b5676bfb80361c6365a31b7e19d59c7f1d3c350fb1cd08948b74bb28204a39b3
docker.io/cilium/operator-azure:stable@sha256:b5676bfb80361c6365a31b7e19d59c7f1d3c350fb1cd08948b74bb28204a39b3
quay.io/cilium/operator-azure:stable@sha256:b5676bfb80361c6365a31b7e19d59c7f1d3c350fb1cd08948b74bb28204a39b3

operator-generic

docker.io/cilium/operator-generic:v1.11.7@sha256:0f8ed5d815873d20848a360df3f2ebbd4116481ff817d3f295557801e0b45900
quay.io/cilium/operator-generic:v1.11.7@sha256:0f8ed5d815873d20848a360df3f2ebbd4116481ff817d3f295557801e0b45900
docker.io/cilium/operator-generic:stable@sha256:0f8ed5d815873d20848a360df3f2ebbd4116481ff817d3f295557801e0b45900
quay.io/cilium/operator-generic:stable@sha256:0f8ed5d815873d20848a360df3f2ebbd4116481ff817d3f295557801e0b45900

operator

docker.io/cilium/operator:v1.11.7@sha256:4af4c24fcb49dc0ad5981216bf1bfa8d7b8b67ade9d152bd19becd4c48a2fa24
quay.io/cilium/operator:v1.11.7@sha256:4af4c24fcb49dc0ad5981216bf1bfa8d7b8b67ade9d152bd19becd4c48a2fa24
docker.io/cilium/operator:stable@sha256:4af4c24fcb49dc0ad5981216bf1bfa8d7b8b67ade9d152bd19becd4c48a2fa24
quay.io/cilium/operator:stable@sha256:4af4c24fcb49dc0ad5981216bf1bfa8d7b8b67ade9d152bd19becd4c48a2fa24


Security

Security wording was detected, but no CVEs were found.

Details

date: July 18, 2022, 3:40 p.m.
name: 1.11.7
type: Patch