Cilium - v1.12.0

Security

The Cilium core team are excited to announce the Cilium 1.12 release. :tada:

:sparkles: Release Highlights
- New Integrated Ingress Controller
- Cilium Service Mesh (Multi control plane, sidecar/sidecar-free, Envoy CRD)
- Multi-Cluster Service Affinity, Connecting clusters with Helm, Lightweight cluster support
- Stable Egress Gateway, NAT46 for Services, Quarantine service backends
- Dynamic Allocation of PodCIDRs, AWS ENI prefix delegation, IPv6 for BGP, BBR
- Automatic Helm Values, AKS BYOCNI, Improved Chaining, Hubble CLI Improvements

Summary of Changes

Major Changes:

* Add cilium ingress controller implementation (#18867, @sayboras)
* Add integration for external VXLAN Tunnel Endpoint devices (#17370, @vincentmli)
* Add K8s Service Topology Aware Hints (#17929, @brb)
* add support for AKS BYOCNI (#19379, @nbusseneau)
* Add support for CiliumEnvoyConfig CRD. (#18894, @michi-covalent)
* Add support for enabling BBR congestion control for Pods, and move bandwidth manager out of beta. (#19287, @borkmann)
* Add support for k8s 1.23.0 (#18008, @aanm)
* Add support for Kubernetes v1.24.0 (#19545, @aanm)
* Adding support for AWS ENI prefix delegation - IPv4 Only (#18463, @hemanthmalla)
* Cilium: initial NAT46/64 implementation (#18779, @borkmann)
* Delegated IPAM plugin (#19219, @wedaly)
* Enables ICMP network policy function by default (#20174, @chez-shanpu)
* Implementation of a GoBGP backed BGP control plane. (#18860, @ldelossa)
* Promote egress gateway to stable (#19320, @jibi)
* Support dynamic allocation of pod CIDRs in cluster pool v2 IPAM mode (#18887, @gandro)
* Support setting service backend states such as quarantine, maintenance so that these backends are not selected for load-balancing service traffic. (#18814, @aditighag)

Minor Changes:

* add an option to wait for kube-proxy (Backport PR #20563, Upstream PR #20517, @michi-covalent)
* Add concurrency limiting for DNS message processing (#19592, @nebril)
* Add config flag to add a prefix to AgentNotReadyNodeTaint value in order to enable the taint being ignored by cluster autoscaler. (#19247, @thejosephstevens)
* Add counter to track all datapath timeouts due to FQDN IP updates (#19809, @ungureanuvladvictor)
* Add emptyDir volume for frontend container of hubble-ui (#20027, @mkilchhofer)
* Add metric on datapath update latency due to FQDN IP updates (#19992, @rahulkjoshi)
* Add metric on number of requests rejected by DNS Proxy semaphore (Backport PR #20534, Upstream PR #20491, @rahulkjoshi)
* Add Prometheus gRPC metrics for hubble and hubble-relay (Backport PR #20519, Upstream PR #20376, @chancez)
* Add source filter for the cilium fqdn cache list command (#19980, @ungureanuvladvictor)
* Add support for aws-cni chaining in IPv6 EKS clusters (#18522, @mKeRix)
* Add support for disabling ENI PD at node level (Backport PR #20401, Upstream PR #20308, @hemanthmalla)
* Add support for getting earliest events from Observer API (#19819, @chancez)
* Add support for L7 policies with VTEP integration (#19473, @vincentmli)
* Add support to opt-in for using ENI's primary IP for allocations (#20050, @hemanthmalla)
* Add type label to the identity metric (#19999, @ungureanuvladvictor)
* Add unreachable route for pod IP on deletion (#18505, @lbernail)
* Adds support to connect Clustermesh clusters through Helm Chart. (#17851, @samueltorres)
* Align values.yaml with templates (#17243, @dungdm93)
* Allow unloading DNS policy rules on graceful shutdown (#18701, @tklauser)
* Allow using install-no-conntrack-iptables-rules when all masquerading is disabled. (#18482, @pchaigno)
* api,cli: add identity range in status response & cli output (#18152, @ArthurChiao)
* api: Add cni chaining status in status API. (#18345, @sayboras)
* AWS EC2 Instance tag filter (#19181, @prune998)
* aws: Add ability to mark ENIs as unmanaged (#19096, @gandro)
* bgp: Check the Condition.Ready field when adding ready endpoints (#20176, @ysksuzuki)
* bpf, Hubble: Add is_reply information (when available) at the TO_OVERLAY observability point (#19185, @qmonnet)
* Bugtool: Add additional Linux traffic-control (tc) data to cilium-bugtool output. (#19856, @tommyp1ckles)
* CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (Backport PR #20534, Upstream PR #20458, @jrajahalme)
* Change default agent health check port to avoid conflicts (#19830, @tklauser)
* Change default prometheus ports to new reserved Cilium ports (#20156, @knfoo)
* Cilium images can now be built also on arm64. (#17980, @jrajahalme)
* Cilium Istio integration is updated to Istio release 1.10.6 (Backport PR #20519, Upstream PR #18384, @jrajahalme)
* cli/metrics: Sort label in metrics list command (#18455, @sayboras)
* clustermesh: Add support for service-affinity (#19521, @sayboras)
* clustermesh: added new command-line options k8s-kubeconfig-path and clustermesh-health-port (#18803, @abocim)
* daemon: add support for IPv6 native routing CIDR (#17332, @jibi)
* daemon: Allow to enable PCAP recorder in non-lb mode (#18592, @brb)
* daemon: Don't auto disable session affinity (Backport PR #20519, Upstream PR #16179, @brb)
* daemon: Rename host-reachable services to socket LB (Backport PR #20534, Upstream PR #20369, @brb)
* daemon: Split --bpf-lb-map-max into multiple options (#19326, @koncha99)
* daemon: Support the wildcard option for directRoutingDevice (#17930, @ysksuzuki)
* datapath: Allow egress GW with XDP (#19587, @brb)
* datapath: make tc filter priority configurable (#18896, @intel-dlanders)
* datapath: Remove !CONNTRACK (#18502, @brb)
* datapath: Remove !CONNTRACK (v2) (#18551, @brb)
* docs: Update alibabacloud RAM permission requirements (#19077, @jaffcheng)
* docs: update Azure Service Principal / IPAM documentation (#18891, @nbusseneau)
* Dynamic Per Resource Timeouts (#19991, @tommyp1ckles)
* egressgw: emit a warning rather than a fatal error when L7 proxy is enabled (#19608, @jibi)
* Enable VTEP integration dynamic ARP resolution for Cilium-managed pod (#18758, @vincentmli)
* Ensure priority scheduling of CNI agent. Repair a deprecated Kubernetes annotation. The annotation was used to schedule pods at high priority. This deprecation, which occurred in Kubernetes 1.16, results in unexpected behavior. (#18667, @sdake)
* Envoy upstream connections no longer use the original source address for any destination associated with a CIDR or toFQDNs policy. (#19255, @jrajahalme)
* envoy: Bump cilium envoy to latest version v1.21.3 (#20142, @sayboras)
* feat(helm): allow to set Hubble Relay and UI service type and nodePort (#19450, @raphink)
* Fix an issue where PodDisruptionBudgets were not created by the Helm chart (#18317, @lic17)
* Fixes L7 policies with Azure CNI chaining. (#19088, @nitishm)
* helm: Add bpf-root configuration value in helms (#18335, @sayboras)
* helm: add description for some Helm values (#19658, @my-git9)
* helm: Add values for custom service monitor annotations (#18681, @michi-covalent)
* helm: Create cilium IngressClass (#19524, @sayboras)
* helm: Move tls related helm option to 1.12 in upgrade docs (#19089, @sayboras)
* helm: Remove duplicated key hostAliases (Backport PR #20333, Upstream PR #20278, @sayboras)
* helm: Set Linux nodeSelector for nodeinit and preflight (Backport PR #20333, Upstream PR #20216, @gandro)
* helm: support lookup remote CA (#17434, @dungdm93)
* helm: Upgrade certgen to the latest version v0.1.8 (#18607, @sayboras)
* hubble/relay: Make the Hubble Peer service available by making it a Kubernetes service to eliminate the need to share a local Unix domain socket between a privileged pod (cilium daemon) and an unprivileged one (hubble-relay). (#18620, @nathanjsweet)
* hubble: Add "flows-to-world" metric to monitor policy decisions on traffic that reaches outside the cluster. (#17790, @michi-covalent)
* images: Bump Hubble CLI to v0.9.0 (#18077, @gandro)
* Improve policy import performance, particularly with CIDR policies (#18433, @joestringer)
* Improve verbosity of drop notification messages. (Backport PR #20519, Upstream PR #20387, @aspsk)
* In the case of recovering the services, cilium will not fail directly on the first service recovery error but will try to recover other services. (#18422, @chowmean)
* ingress: Add SocketOptions configuration (#19549, @sayboras)
* ingress: Avoid plain text TLS secret in CEC (#19410, @sayboras)
* ingress: Fix conformance tests for host-rules and path-rule (#19321, @sayboras)
* ingress: Set max stream duration as 0 (#19550, @sayboras)
* install/kubernetes: Add CAP_IPC_LOCK for mmap (#19812, @sayboras)
* install: add tolerations for the certgen cronjob (#18019, @wolffberg)
* Introduce a new CRD (CiliumEgressGatewayPolicy) for Egress Gateway configuration. Deprecate the previous CRD (CiliumEgressNATPolicy). (#19561, @julianwiedmann)
* IPSec key rotation without agent restart (#19814, @jibi)
* k8s/crds: Allow ingress entity in CNP (Backport PR #20563, Upstream PR #20536, @sayboras)
* k8s: keep CiliumNode labels synced with Node object (#18609, @jibi)
* k8s: keep KVStore CiliumNode labels synced with Node object (#19375, @jibi)
* Locally allocated identities are now restored during restart, helping avoid transient drops due to identity changes in policies. (#19360, @jrajahalme)
* Making operator aware of pending pod backlog on nodes for IP allocations (#19007, @hemanthmalla)
* metrics: Add extra clustermesh metrics (#18348, @sayboras)
* metrics: Add go_* metrics (#19153, @chancez)
* metrics: Expose xfrm stats in prometheus metrics (#18553, @sayboras)
* Move the BGP Control Plane to utilize CiliumNode objects. This enables support for IPAM driven PodCIDR announcements. (#19872, @ldelossa)
* Prefers k8s node IP when picking masquerading IPs (#16849, @liuyuan10)
* proxy: Add proxy common http options arguments to agent (#19138, @jmcshane)
* Remove privileged mode in Cilium's DaemonSet (#14446, @aanm)
* Rename bpf.hostRouting to bpf.hostLegacyRouting in ciliumconfig (#19064, @chenk008)
* Runtime device detection (#17460, @joamaki)
* service: Always allocate higher ID for svc/backend (#18113, @brb)
* Speed up identity lookup in Hubble and L7 proxy by no longer calculating SHA256 over labels. (#20104, @tklauser)
* ui: v0.9.0 images and drop envoy proxy container (#19565, @geakstr)
* Update cilium agent Grafana dashboard to filter by pod (Backport PR #20333, Upstream PR #20307, @ungureanuvladvictor)
* Update to CNI spec version 1.0.0 (#19719, @tklauser)
* Use DeleteOnMetadataMatch instead of Delete for endpointUpdated (#19996, @kvaster)
* Use direct routing device only when tunneling is disabled and BPF Host Routing or NodePort are enabled. (#18815, @YutaroHayakawa)
* vtep: VTEP map implementation to improve VTEP integration feature (#18824, @vincentmli)

Bugfixes:

* node-init now takes enableIPv4Masquerade into account on GKE. (Backport PR #20519, Upstream PR #19533, @bmcustodio)
* Add missing & fix wrong traces for IPSec + overlay receive path (#18731, @YutaroHayakawa)
* Add missing packet trace for some non-NodePort SNAT egress (#19158, @YutaroHayakawa)
* Add missing source identity to drop notifications during encryption with native routing mode (#18682, @YutaroHayakawa)
* Add/Fix traces for the packets received from the network in IPSec + native routing. (#18704, @YutaroHayakawa)
* Additional FQDN selector identity tracking fixes (Backport PR #17988, Upstream PR #17788, @joestringer)
* alibabacloud: Fix derived VPC CIDR block (#19056, @jaffcheng)
* allocator: fix out-of-valid-range identities being allocated (#18151, @ArthurChiao)
* Also take secondary CIDRs into account when checking for validity of IPv4NativeRoutingCIDR (#18653, @codablock)
* Avoid deleting in-use program arrays in bpf_load() and bpf_load_cgroups() in init.sh (#18985, @ti-mo)
* bgp,bugfix: parse ips when converting from slim_core to k8s service (#18358, @ldelossa)
* bgpv1: Use IP address used for peering as a nexthop (#19402, @YutaroHayakawa)
* bpf: Don't emit policy verdict post-L7 (Backport PR #20401, Upstream PR #20245, @joestringer)
* bpf: egressgw: sync logic to determine if destination is outside cluster (#18246, @jibi)
* bpf: Fix maglev hash with hostServices.hostNamespaceOnly (#18336, @ysksuzuki)
* bpf: Provision HostPort also for case of Maglev (Backport PR #20401, Upstream PR #20379, @borkmann)
* bpf: Use tunnel port flag instead of hardcoded value (#20115, @pchaigno)
* bug: Fixed a rare CiliumIdentity race deletion. (Backport PR #20333, Upstream PR #19936, @nathanjsweet)
* bugtool: fix IP route debug gathering commands (#18059, @tklauser)
* Cilium host proxy is updated to Envoy release 1.21.1 (#18899, @jrajahalme)
* Cilium monitor now correctly reports security identities for L7 flows. (#18783, @jrajahalme)
* cilium: fix conflicting iptables-legacy and iptables-nft rules (#20123, @jrfastab)
* cilium: Fix node mismatch endpoint restoration bug when the CiliumEndPoint CRD is disabled. (#19040, @zhanghe9702)
* cli: Update regex for key value validation (#19794, @sayboras)
* cli: Use custom named map instead of StringToStringVar (#19968, @sayboras)
* clustermesh-apiserver: fix cmd-line args processing (#18277, @abocim)
* clustermesh-apiserver: fixed nil pointer dereference (#18957, @abocim)
* clustermesh: Add ownerReferences for CiliumNodes (#19959, @sayboras)
* clustermesh: Correct shared service annotation behaviour (#19042, @sayboras)
* clustermesh: fix: identities allocation range (#19076, @abocim)
* clustermesh: Modify shared-service annotation after creation (#18766, @sayboras)
* cmd: Allow more complicated patterns in map string type. (#19955, @sayboras)
* cmd: Fix issue reading string map type via config map (#18478, @sayboras)
* cmd: Fix issue where a ConfigMap value of {} was parsed as map["{}":""]. (#19172, @gandro)
* Consider VPC's secondary CIDRs during cilium_host IP restoration (#19341, @hemanthmalla)
* contrib: Fix passing ipFamily to kind.sh (#19707, @brb)
* daemon, node: Remove old, discarded router IPs from cilium_host (#17762, @christarazi)
* daemon, option: Fix vlan bpf bypass ids loading (Backport PR #20401, Upstream PR #20282, @pippolo84)
* daemon: Fix issue where stale router IPs were not cleaned up (Backport PR #20519, Upstream PR #20389, @gandro)
* daemon: Fix KPR init finalisation (#18304, @brb)
* daemon: Fix missing errors in KPR init (#18499, @brb)
* daemon: Fix multi-dev XDP check (#18305, @brb)
* datapath/config: Fix L2 addr retrieval (#19081, @brb)
* datapath: Fix implicit-int-conversion err in common.h (#19832, @brb)
* datapath: Fix IPv6 DSR (#18713, @brb)
* datapath: Fix missing monitor events for NodePort BPF traffic when monitor-aggregation set to > none (#18454, @brb)
* datapath: Fix security ID propagation in tunnel header for NodePort BPF forwarded requests (#19061, @brb)
* datapath: Only unload obsolete XDP when attached (#18636, @jaffcheng)
* egressgateway: fix initial reconciliation (#18325, @jibi)
* egressgateway: fix manager logic (#17813, @jibi)
* endpoint: Fix packets to host dropped with the chaining mode and host firewall (#19734, @ysksuzuki)
* Envoy version checking is now disabled whenever L7 proxy is disabled too (Backport PR #20519, Upstream PR #20440, @bmcustodio)
* Fatal when IPv6 is enabled but corresponding kernel modules are missing (#18941, @vadorovsky)
* Fix 'node-init' in GKE's 'cos' images. (#19017, @bmcustodio)
* Fix bpf lb maglev list command when ipv4 or ipv6 Maglev lookup tables are empty (#18469, @ti-mo)
* Fix a bug where a backend pod can be selected by a local redirect policy deployed in a different namespace if the local redirect policy was deployed first. (#19193, @aditighag)
* Fix a bug where agent would log warnings such as "JoinEP: Failed to load program" in legitimate cases where endpoints are getting deleted. (#18216, @aditighag)
* Fix a bug where Cilium would constantly create network interfaces if IPAM limits are reached (#18975, @michi-covalent)
* Fix a bug with local redirect policies selecting host networked pods as local endpoints not taking effect. (#18563, @aditighag)
* Fix agent crash when IPv6 is partially disabled in the host kernel. (#18716, @pchaigno)
* Fix agent panic in some cases when service matcher local redirect policy was deployed prior to the selected service. (#19522, @aditighag)
* Fix an issue where the tunnel map sync controller causes errors even though tunneling is disabled. (#18247, @tklauser)
* Fix Azure IPAM 403 errors for Azure instances using Azure Compute Gallery images (#19697, @andrew-bulford-form3)
* Fix blackhole route error when cleanup (#20042, @soulseen)
* Fix BPF attachment when bandwidth manager is enabled without host firewall or kube-proxy-replacement. (#18717, @pchaigno)
* Fix bug that would cause some pod traffic to leave through the wrong interface if --aws-release-excess-ips is used and masquerading disabled. (#19162, @pchaigno)
* Fix bug where Cilium drops traffic from remote nodes in etcd mode, despite policy that allows the traffic (#18777, @joestringer)
* Fix bug where established host connections would be interrupted on agent restart if the host firewall was enabled. (#19998, @pchaigno)
* Fix bug where FQDN policy calculation could trigger a deadlock in cilium-agent (#19031, @joestringer)
* Fix bug where Hubble flows report that a packet is both forwarded and dropped by host firewall. It will now only report the drop. (#18484, @YutaroHayakawa)
* Fix bug where the 'ipcache-inject-labels' controller constantly fails in non-Kubernetes environments (#19165, @christarazi)
* Fix bug where the Cilium DNS proxy slows down significantly (and even OOMs) due to lock contention from spawning many goroutines when handling bursty DNS traffic (#19336, @nebril)
* Fix bug where unnecessary ipset was created and populated in tunneling mode with iptables masquerading. (#18788, @pchaigno)
* Fix Cilium bootstrapping regression with etcd without relying on DNS (#20106, @aanm)
* Fix Cilium initialization for clusters with etcd-operator (#20131, @aanm)
* Fix concurrency issue while waiting for node-init DaemonSet to be ready (#18897, @aanm)
* Fix config map options validation (Backport PR #20401, Upstream PR #20304, @pippolo84)
* Fix connectivity outage periods with ENI IPAM mode and IPsec enabled when nodes are deleted from the cluster (#18827, @christarazi)
* Fix crash on startup if proxy is disabled (#18198, @chaosbox)
* Fix deadlock with kube-apiserver policy matching feature (#18343, @codablock)
* Fix drop for packets sent via AF_PACKET + mmap ring buffer in pod (#19308, @liuyuan10)
* Fix drop of large packets redirected through an egress gateway node when running in native routing mode. (Backport PR #20401, Upstream PR #20269, @pchaigno)
* Fix error propagation in bpf_lxc (#20144, @DolceTriade)
* Fix for a bug where unused IPs on the node cannot be allocated when IP release handshake is enabled. Adds support for aborting IP release, if the node doesn't have excess anymore. (#18330, @hemanthmalla)
* Fix for data race in IP release features (#18217, @hemanthmalla)
* Fix for excess IP release race condition. New operator flag excess-ip-release-delay is introduced to control waiting period before marking an IP for release. (#17939, @hemanthmalla)
* fix identity gc to return correct max/min id (Backport PR #20401, Upstream PR #20361, @dkhachyan)
* Fix incorrect packet trace for encrypted packets received from the network (#18643, @YutaroHayakawa)
* Fix IPsec in Azure's IPAM mode (#18911, @pchaigno)
* Fix issue where StatefulSet pod restarts could trigger persistent connectivity issues for the pods due to overzealous CiliumEndpoint resource removal by cilium-agent instances (#18864, @timoreimann)
* Fix kube-apiserver policy matching feature with tunneling enabled (#18527, @christarazi)
* Fix log rotation of compressed logs (#19152, @chancez)
* Fix memory leak in the DNS cache when a long-lived endpoint makes many unique DNS lookups over time (#19925, @christarazi)
* Fix mtu setting for tunnel interface in init.sh (Backport PR #20563, Upstream PR #20552, @ChengyuanLiCY)
* Fix possible IP leak in case ENI's are not present in the CN yet (#18352, @codablock)
* Fix race condition leading to inconsistent CiliumNode that can cause the agent to fatal. (#19923, @pchaigno)
* Fix support of BPF-based HostPort on init containers. (#18725, @pchaigno)
* Fix TCP connectivity issues in the DSR mode when conntrack entries with missing DSR flag are reused. (#18041, @Inode1)
* Fix the bug that ipsec packets bypass the <- stack trace after encryption (#18608, @YutaroHayakawa)
* Fix the bugs when empty CiliumEndpointSlices were created and leaked. (Backport PR #20519, Upstream PR #20251, @alan-kut)
* Fixed a bug where deleted identities would remain in BPF policy maps. (#19005, @jrajahalme)
* Fixed Cilium agent regression causing a crash due to ipcache controller being scheduled too soon. (#19501, @jrajahalme)
* Fixed node init in RKE (#19286, @raphink)
* Fixed PodCIDR announcement being overwritten by SVC announcement (Backport PR #20519, Upstream PR #20413, @dylandreimerink)
* Fixed removal of stale bpf_netdev tc filters for interfaces with a dot in the name (#18344, @stek29)
* Fixed SystemD >=245 sysctl(rp_filter) config incompatibility (#20072, @dylandreimerink)
* Fixes a bug in the BGP control plane which causes the wrong BGP virtual servers to be selected for reconciliation or removal (#19659, @ldelossa)
* helm: Fix cluster-id arguments in clustermesh deployment (Backport PR #20333, Upstream PR #20312, @sayboras)
* helm: Fix Helm template for externalWorkloads (#18206, @gandro)
* helm: Fix Hubble Service when ServiceMonitor is being used (#19220, @juissi-t)
* helm: Fix invalid type for Certificate spec.ipAddresses (#19211, @superbrothers)
* helm: Fix operator cloud image digests (#18116, @joestringer)
* helm: Relax hubble ui image versions validation (#20039, @sayboras)
* helm: Removed unnecessary Kubernetes RBAC permissions for cilium-agent (#19053, @nathanjsweet)
* helm: Update Clustermesh-APIServer RBAC permissions for platforms (like Openshift) that have the OwnerReferencesPermissionEnforcement admission controller enabled. (#19071, @nathanjsweet)
* hubble/parser/threefour: check (Parser).linkGetter before accessing it (Backport PR #20519, Upstream PR #20446, @tklauser)
* hubble/recorder: Sanitize pcap filename (#18612, @gandro)
* hubble: Added nil check in filterByTCPFlags() to avoid segfault (#18877, @wazir-ahmed)
* hubble: Fix misclassification of to-network reply packets (#18196, @gandro)
* identity: fix incorrect maximum identity when ClusterID > 0 (#18148, @ArthurChiao)
* Improve endpoint and DNS proxy lock contention during bursty DNS traffic (#19347, @christarazi)
* Improve garbage collection for resources allocated by ToFQDNs policy for services which rotate IP addresses frequently such as Amazon S3 (#19452, @joestringer)
* Improve reliability of faulty connections for kube-apiservers behind a LB. Reduce the number of connections to kube-apiserver by 6 for each cilium-agent. (#19259, @aanm)
* Improvements to excess IP release handshake (#18296, @hemanthmalla)
* install/kubernetes: fix hubble-ui with TLS (#19338, @aanm)
* ipam/crd: Fix spurious "Unable to update CiliumNode custom resource" failures in cilium-agent (#17856, @gandro)
* ipsec: fix stale keys reclaim logic (Backport PR #20401, Upstream PR #19932, @jibi)
* ipsec: set interface ID different from 0 (#18789, @tormath1)
* iptables: ensure all rules are installed consistently (#19693, @jibi)
* iptables: fix typo in addProxyRule condition (#20109, @jibi)
* labelfilter: Refine default label regexps (#18693, @twpayne)
* makefile: fix unstripped docker images build (#18339, @zhanghe9702)
* metallb: fix SIGSEGV error when Service resource is deleted. (#19249, @Inode1)
* monitor: Output non-trace messages to stderr (#18479, @YutaroHayakawa)
* node: Don't skip masquerading for External node IPs (#18483, @pchaigno)
* nodediscovery: ensure we cache the nodeResource correctly to avoid null pointer dereferencing (#20158, @odinuge)
* nodediscovery: make LocalNode return a deep copy of localNode (Backport PR #20401, Upstream PR #20392, @jibi)
* nodemanager: Fix bug where Cilium tried to reach stale health endpoints on kubeapi-server nodes (#20210, @gandro)
* Only apply XDP acceleration for IPv6 Nodeport when enabled (with --bpf-lb-acceleration=native). (#19534, @julianwiedmann)
* operator: Add cilium node garbage collector (#19576, @sayboras)
* operator: fix identity GC collection (#19649, @aanm)
* pkg/k8s/version: Also set EndpointSlice when forcing version (Backport PR #20534, Upstream PR #20383, @joamaki)
* policy: Fix selector identity release for FQDN (#18166, @joestringer)
* Preserve tail call maps during resize to prevent drops during agent upgrade (#17744, @ti-mo)
* Prevent unmanaged pods in GKE's containerd flavors.
  Important: Users should update their node taints from node.cilium.io/agent-not-ready=true:NoSchedule to node.cilium.io/agent-not-ready=true:NoExecute.
  Important: During the first node reboot after the fix is applied pods may still get IPs from the default CNI as cilium-node-init is only run later in the node startup process. The fix will then be in place for all subsequent reboots. (#18486, @bmcustodio)
* Prometheus lint errors in operator metrics (#17789, @krishgobinath)
* Restore patch in ciliumnetworkpolicies/status ClusterRole (Backport PR #20401, Upstream PR #20373, @pippolo84)
* Revert "pkg/endpoint: Pass endpoint alive context to regeneration tasks" (#18253, @aditighag)
* Revert Prometheus client to fix 'cilium metrics list' (#19496, @ti-mo)
* route: sort by priority to identify the default one (#18564, @jibi)
* Skip node ipset updates if iptables masquerading is disabled (#17871, @pchaigno)
* Update the 'refresh period' formatting in readme and doc (#19205, @dongwangdw)
* Use identity labels for selector matching for Egress NAT Gateway (#19194, @blzhao-0)
* vtep: fix pod src identity in send_trace_notify (Backport PR #20534, Upstream PR #19434, @vincentmli)
* wireguard: Reject duplicate public keys (#19344, @gandro)

CI Changes:

* .github/workflow: revert cilium-cli changes in stable workflows (#19582, @aanm)
* .github/workflows: bump v1.10 workflows to cilium-cli v0.10.5 (#19897, @tklauser)
* .github/workflows: bump v1.10 workflows to cilium-cli v0.10.6 (#19935, @tklauser)
* .github/workflows: do not use pre-defined image digests (#19575, @aanm)
* .github/workflows: fix hubble installation using cilium-cli (#19568, @aanm)
* .github/workflows: install the right helm chart version for stable branches (#19609, @aanm)
* .github: Change cilium-cleanup order in workflows (#19163, @jtaleric)
* .github: Disable EKS encryption tests (#18090, @joestringer)
* .github: Exclude Runtime CI job from flake tracker (#19095, @pchaigno)
* .travis: Disable race build on master (#19773, @pchaigno)
* Add basic kube-apiserver policy matching e2e test (#18333, @christarazi)
* Add missing VTEP complexity tests (#19539, @vincentmli)
* Add support for tparse in go test targets (#20032, @joestringer)
* aws: Disable flaky test (#18092, @joestringer)
* bpf/test: Fix incorrect macro definition (#18660, @pchaigno)
* bpf: Add WireGuard to complexity and compile tests (#18048, @pchaigno)
* bpf: Cover native routing CIDR check in compile tests (#18702, @pchaigno)
* bpf: Reenable features disabled because of complexity issues (#19938, @pchaigno)
* build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (#19971, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.1.2 to 1.1.3 (#18930, @dependabot[bot])
* Change all IP address that are using Oranges IP range to RFC1918 address space (#17741, @duttaANI)
* checkpatch: Update image for "checkpatch" target, reuse target in CI (#19805, @qmonnet)
* checkpatch: update to latest image to fix off-by-one index in commit list (#18270, @tklauser)
* ci, images: update all quay.io/cilium/* images (#18299, @tklauser)
* ci-l4lb: Check out stable branch (#19905, @michi-covalent)
* CI: add CIFuzz integration (#18034, @DavidKorczynski)
* ci: Bump cyclonus to v0.4.7 (#18747, @joamaki)
* ci: collect sysdump as a separate workflow in L4LB tests (#18380, @oblazek)
* ci: create a new subnetwork for each new GKE cluster (#18821, @nbusseneau)
* ci: disable failing test on net-next (#18520) (#18544, @nbusseneau)
* ci: disable WireGuard testing in multicluster workflow (#18700, @nbusseneau)
* CI: Enable IPv6 tests on KIND (#18845, @brb)
* ci: fix documentation workflow (#20025, @nbusseneau)
* ci: fix missing sysdump as separate workflow in L4LB tests for stable branches (#18428, @oblazek)
* ci: fix QEMU image build following Google Cloud SDK updates (#18720, @nbusseneau)
* ci: fix quotes in backport workflows (#18268, @nebril)
* ci: Increase retention for release image CI artifacts to 10 days (#20141, @michi-covalent)
* CI: merge NAT46x64 and L4LB GH actions (#19288, @brb)
* ci: pick up cilium-cli v0.11.10 for master, v1.11 and v1.12 workflows (Backport PR #20401, Upstream PR #20360, @tklauser)
* ci: pick up cilium-cli v0.11.11 for master, v1.11 and v1.12 workflows (Backport PR #20519, Upstream PR #20420, @tklauser)
* ci: pick up cilium-cli v0.11.9 for master/v1.11 workflows (#20234, @tklauser)
* ci: provide CI images with unstripped binaries (#20238, @tklauser)
* ci: remove box download timeout in upstream tests (#18707, @nbusseneau)
* ci: Require cluster-wide connectivity before running tests (#18153, @gandro)
* ci: Restart pods when toggling KPR switch (#18031, @brb)
* CI: run K8sServices on KIND (#18812, @brb)
* ci: set Cilium base version to v1.10.12 in v1.10 conformance tests (#19946, @tklauser)
* ci: set PR base for codeql workflow (#18283, @tklauser)
* ci: update cilium-cli to v0.10.0 (#18207, @tklauser)
* ci: update cilium-cli to v0.10.1 (#18575, @sayboras)
* ci: update cilium-cli to v0.10.3 (#18820, @tklauser)
* ci: update cilium-cli to v0.10.4 (#18933, @tklauser)
* ci: update master workflows to cilium-cli v0.11.4 (#19665, @tklauser)
* ci: Update Uninstall Command For Cilium CLI (#19679, @nathanjsweet)
* ci: use python3 instead of python (#18443, @nebril)
* cilium/cmd, test/runtime: convert test loading invalid policy JSON to unit test (Backport PR #20534, Upstream PR #20512, @tklauser)
* cocci: New test to find missing identity_is_{remote_,}node (#18385, @pchaigno)
* config: Fix unit tests for native routing CIDR (Backport PR #20519, Upstream PR #20473, @pchaigno)
* connectivity-check: Use ports outside ephemeral range (#19337, @christarazi)
* docs: Bump up Netlify Python version to 3.8 (Backport PR #20519, Upstream PR #20486, @michi-covalent)
* Enable CI for feature branches (#18554, @jibi)
* fix aws-cni conformance test (#20049, @aanm)
* Fix kubectl CI flakiness (#18087, @aanm)
* ipam/clusterpool_v2: Fix data race in unit test (#19024, @gandro)
* ipcache: Fix failing controller check from SupportsDelete (#19751, @joamaki)
* jenkins: switch to ad-hoc GKE cluster creation/deletion (#19918, @nbusseneau)
* jenkinsfiles: add IMAGE_REGISTRY env parameter (#19459, @nbusseneau)
* jenkinsfiles: bump runtime tests VM boot timeout (#18886, @nbusseneau)
* jenkinsfiles: fix docker manifest inspect commands in GKE pipeline (Backport PR #20333, Upstream PR #20325, @tklauser)
* jenkinsfiles: Increase VM boot timeout (#19458, @pchaigno)
* jenkinsfiles: Update calls to Quay API (#19229, @pchaigno)
* Load the dev operator image into kind/microk8s as well (#19995, @ungureanuvladvictor)
* master/v1.11 CI: Pick up the latest cilium-cli (#19873, @michi-covalent)
* mlh: swap net-next kernel from K8s 1.16 to 1.23 (#18178, @nbusseneau)
* mlh: update Jenkins jobs following 1.23 support (#18028, @nbusseneau)
* mlh: update Jenkins jobs following 1.24 support (#19904, @nbusseneau)
* mlh: update Jenkins jobs following net-next fix for K8s 1.24 (#20220, @nbusseneau)
* Partially revert ".github: enable cilium-cli helm based installation" (#19554, @aanm)
* prog_test: Fix build breakage (#18659, @joestringer)
* Provide only 2 VTEP endpoints in default node_config.h (#18778, @ti-mo)
* Quarantine frequent failures (#18051, @joestringer)
* Revert "ci: use CLI 0.11.8 for AKS workflow" (#20272, @tklauser)
* Revert "test/Services: Quarantine 'Tests with direct routing'" (#18312, @gandro)
* Revert "workflows: Reenable IPsec test in EKS workflow" (#19078, @pchaigno)
* runtime: Bump privileged test timeout (#19487, @joestringer)
* set base-version in 1.10 workflows (#18262, @nebril)
* Set debug.verbose to "flow" as a default for all CI runs (#18431, @christarazi)
* Support running K8sVerifier tests on kind (#18549, @joestringer)
* test/contrib: Bump CoreDNS version to 1.8.3 (#18018, @brb)
* test/helpers: fix kubectl version detection for RCs (#18133, @tklauser)
* test/helpers: Fix variadic expansion related panic (Backport PR #20519, Upstream PR #20332, @christarazi)
* test/k8s/manifests: bump test-verifier image to latest version (Backport PR #20519, Upstream PR #20461, @tklauser)
* test/K8sUpdates: Bump stable branch for v1.12 development (#18251, @pchaigno)
* test/nat46x64: Fix out-of-bounds index error (#19466, @pchaigno)
* test/runtime: fix flake on non-ready endpoints (#18627, @tklauser)
* test/runtime: remove disabled memcache test (Backport PR #20401, Upstream PR #20132, @tklauser)
* test/Runtime: Skip pre/post-checks during build (#18954, @pchaigno)
* test/RuntimePrivilegedUnitTests: Fix always-passing test (#19231, @pchaigno)
* test/RuntimePrivilegedUnitTests: Log timestamps (#19129, @pchaigno)
* test: Add Error Log Exceptions (#18117, @nathanjsweet)
* test: add git safe directory in test VMs (#19860, @tklauser)
* test: Add info which L4LB request fails (#19714, @brb)
* test: Add TS to each bash dbg output in L4LB (#20094, @brb)
* test: Also delete hubble-peer when cleaning up old tests. (#19979, @DolceTriade)
* test: Bump L4LB timeout from 30min to 45min (#20151, @brb)
* test: bump l4lb Vagrantfile kind to 0.11.1 (#18370, @jibi)
* test: Clarify performance test names (#18142, @joestringer)
* test: cleanup Services test suite (#18655, @brb)
* test: Collect logs from init containers (#18254, @pchaigno)
* test: Do not completely quarantine E/W svc suite (#19960, @brb)
* test: Do not redeploy Cilium in Egress GW suite (#18181, @brb)
* test: Do not run DualStack tests on k8s < 1.20 (#18831, @brb)
* test: Do not start cilium monitor in K8sServicesTest (Backport PR #20534, Upstream PR #20499, @brb)
* test: Don't redeploy in AfterAll of K8sServices test case (#18869, @brb)
* test: Extend coredns clusterrole with additional resource permissions (#18104, @aditighag)
* test: Fix bpffs mount on kind (#18695, @joestringer)
* test: Fix directory name for source archive (#19635, @michi-covalent)
* test: Fix failing net-next tests after changing to k8s 1.23 (#18184, @brb)
* test: Fix graceful termination test flake (#18050, @aditighag)
* test: Fix incorrect selector for netperf-service (#18006, @christarazi)
* test: Fix make target for e2e tests (#18356, @pchaigno)
* test: Fix pod cleanup after various tests (#18448, @joestringer)
* test: Flush CT tables after L7 proxy tests in K8sServices (#18857, @brb)
* test: Get rid of external_ips.go (#18765, @brb)
* test: Move service-proxy-name to unit test (#18679, @brb)
* test: Move some Services test cases to separate suites (#18684, @brb)
* test: Pin eksctl version (#19631, @michi-covalent)
* test: Quarantine Secondary nodeport device tests (#18091, @joestringer)
* test: remove nightly test leftovers (Backport PR #20534, Upstream PR #20526, @tklauser)
* test: Remove sockops test cases (Backport PR #20534, Upstream PR #20500, @brb)
* test: Remove unused Nightly suites (#20128, @brb)
* test: Remove workaround for old issue #12141 (#18722, @pchaigno)
* test: Restructure k8sT/Services.go (#18696, @brb)
* test: Run ip r l
if ip r a fails (#18171, @brb) * test: Runtime check that container create succeeds (#19184, @jrajahalme) * test: temporary increase Hubble buffer size to 64k (#18058, @jibi) * test: Use more explicit key for k8s3's taint (#19951, @pchaigno) * test: Use stable image tag for Graceful termination test (#18208, @aditighag) * test: use stable zookeeper image (#18186, @tklauser) * test: Wait for pod termination in K8sServicesTest (#19750, @brb) * test: Wait until host EP is ready (=regenerated) (#18859, @brb) * tests-l4lb: Use Helm chart from local branch (#19953, @michi-covalent) * Update 5.4 VM image (#19842, @pchaigno) * update bpf_ct_tests.c to use node_config.h (#20177, @sahid) * Update cilium-iproute2 (Backport PR #20534, Upstream PR #20549, @pchaigno) * Update netlink library to not set XFRMA_IF_ID = 0 by default (#18506, @tklauser) * Use docker manifest inspect to wait for images instead of using quay API (#19307, @YutaroHayakawa) * vagrant, test: Enable IPv6 connectivity to the outside world (#18714, @pchaigno) * vagrant: Bump 4.19 VM image (#20185, @pchaigno) * vagrant: Bump all Vagrant box versions (#19168, @pchaigno) * vagrant: Bump all Vagrant box versions except net-next (#19507, @pchaigno) * vagrant: Bump net-next Vagrant box version (#19915, @pchaigno) * vagrant: Don't recreate natnetworks (#19523, @pchaigno) * vagrant: Fix IPv6 NAT setup (#19997, @pchaigno) * vagrant: update 4.19 and net-next VM images (#18496, @nbusseneau) * vagrant: Update 4.9 and 5.4 VM images (#18473, @pchaigno) * vagrant: Update all VM images (#17761, @pchaigno) * vagrant: Update all VM images (#18774, @pchaigno) * vagrant: Update the net-next VM image (#19607, @pchaigno) * workflow CI image bug (#19327, @weizhoublue) * workflow: aws-cni-v1.10: use helm chart from PR (#19952, @jibi) * workflow: checkout correct ref in v1.10 and v1.11 l4lb workflows (#19898, @jibi) * workflow: l4lb: pass correct path for PR checkout (#20007, @jibi) * workflow: Reenable IPsec testing on AKS (#18974, 
@pchaigno) * workflow: Reenable IPsec testing on EKS (#19030, @pchaigno) * workflow: use correct bwm helm option for v1.11 AWS CNI test (#19895, @jibi) * workflow: Wait for AKS nodes to be ready (#19025, @pchaigno) * workflows: conformance v1.10: fix native-routing-cidr flag (#18656, @jibi) * workflows: disable rollback on CLI install (#18140, @nbusseneau) * workflows: Downgrade to helm v3.8.2 to fix AWS CNI runs for v1.10 (#20073, @joamaki) * workflows: Fix concurrency groups (#18193, @pchaigno) * workflows: Fix the fix to concurrency groups (#18201, @nbusseneau) * workflows: Increase timeout for AKS workflow (#19020, @pchaigno) * workflows: pin Cyclonus image to its SHA (#19026, @nbusseneau) * workflows: Pin the kubectl version used with EKS workflows (#19716, @joamaki) * workflows: Remove unnecessary code in AWS-CNI workflow (#18156, @pchaigno) * workflows: Run CodeQL workflow if the workflow is edited (#17982, @pchaigno) * workflows: Update call to Quay API (#19228, @pchaigno) * workflows: Update call to Quay API in external workloads (#19230, @jibi) * workflows: update v1.10 workflows to v0.10.7 cilium CLI (#20020, @jibi) * workflows: Wait for first AKS systempool to be deleted (#19097, @pchaigno)

Misc Changes: * .github/workflows: fix hubble-relay cilium-cli installation (#19579, @aanm) * .github: add dependabot for docker images (#19390, @aanm) * .github: add failing_test_jenkins_template form for filing CI bugs (#18223, @qmonnet) * .github: add parameter to allow for image suffix (#18200, @aanm) * .github: add workflow to build beta images (#18052, @aanm) * .github: Fix 1.11.1 project link for MLH (#18395, @joestringer) * .github: fix conditions for running CODEOWNERS checks (#18981, @qmonnet) * .github: Fix external workloads workflow for master (#19483, @jrajahalme) * .github: Remove release template (#19166, @joestringer) * [docs] Add training and support information to Getting Help (Backport PR #20333, Upstream PR #20194, @lizrice) * [users] Add Mux Inc entry. (#19419, @dilyevsky) * add 'refreshPeriod' to spelling wordlist (#19394, @aanm) * Add a 'Limitations' section to 'External Workloads'. (#19366, @bmcustodio) * Add a note about conflicting node CIDRs #20204 (#20208, @wokalski) * Add APPUiO by VSHN to Cilium Users (#18880, @tobru) * Add cilium cli to aws cni conformance tests (#19555, @aanm) * Add Civo (#18745, @saiyam1814) * Add consistency checks for the CODEOWNERS file (#18260, @qmonnet) * add context when return errors during datapath initialization (#18011, @kerthcet) * Add Deckhouse to users (#19804, @konstantin-axenov) * Add Elastic Path to USERS.md (#19622, @sealneaward) * Add ENI limits for i4i and x2i instance types (#19627, @hemanthmalla) * Add ESP to firewall requirements in documentation for IPSec enabled C… (Backport PR #20333, Upstream PR #20314, @Kikiodazie) * add gsod application form to docs (#19512, @xmulligan) * Add Infomaniak to Cilium users (#19354, @reneluria) * Add JUMO to active Cilium users (#18626, @thehunt33r) * Add kOps as cilium user (#18848, @olemarkus) * Add Kube-OVN to USERS (#19605, @oilbeater) * Add Kubermatic to USERS (#18611, @rastislavs) * add KubeSphere/KubeKey to the USERS list (#18937, @FeynmanZhou) * Add 
link to CFP template doc (#19380, @lizrice) * Add Meltwater to users file (#18192, @recollir) * Add metric to track terminating endpoint events (Backport PR #20519, Upstream PR #20404, @aditighag) * Add missing error reporting in replaceNetworkDatapath (#18715, @YutaroHayakawa) * Add MyFitnessPal to Users list (#19345, @audip) * Add Peer Service to Cilium DS Port List (Backport PR #20519, Upstream PR #20296, @nathanjsweet) * Add Rancher Labs to Cilium users (#19292, @divya-mohan0209) * add roadmap section and fix governance link (#19615, @xmulligan) * add robots.txt to Cilium documentation (#19578, @aanm) * Add Scaleway to the list of users (#18807, @remyleone) * Add support for Amazon EC2 c7g instances (#18708, @otterley) * Add T-Systems International to Cilium users list (#18984, @ManuStoessel) * Add Typhoon (Poseidon Labs) to Cilium users (#18822, @dghubble) * add website contributing link (#18940, @xmulligan) * added a CLOMonitor exception file for Slack (#19235, @xmulligan) * added a link to the DCO page to show people how to amend a commit (#19294, @xmulligan) * Added ByteDance to users.md (#19823, @Jiang1155) * added Google Season of Docs Project proposal page (#19215, @xmulligan) * added NYT to the Cilium Users list (#19382, @prune998) * Adding IKEA IT AB to the USERS.md (#20099, @knfoo) * Adding Liquid Reply to Users (#19342, @mkorbi) * Adding Overstock to the USERS.md (#19762, @ntaylor1781) * Adds a locked function to do ipcache delete on metadata match (#17909, @Weil0ng) * Adds missing lock for cesTracker operation (#18055, @Weil0ng) * Alibabacloud fixes (#18762, @jaffcheng) * alibabacloud: Fix missing instance due to incomplete subnet list (#19155, @jaffcheng) * alignchecker: fix LLVM 15 build by removing an unused variable (#19368, @aspsk) * Allocate Ingress IPs for new reserved:ingress identity (#19764, @jrajahalme) * api/v1: regenerate to update copyright year (#18403, @tklauser) * api: change "group not found" log to debug (#19927, @tklauser) * api: 
generate markdown documentation for gRPC APIs (#18799, @rolinh) * api: re-sync bpf drop reasons (Backport PR #20401, Upstream PR #20149, @julianwiedmann) * avoid calling OnFlowDelivery with nil (#18605, @kaworu) * azure/api: remove TestRateLimit (#18481, @tklauser) * Badges for CLOMonitor and Artifacthub were added to the README (#19105, @xmulligan) * BGP Control Plane Followups: Conditionally load CRDs, tune back relist interval for shared informers, server side filter nodes. (#19417, @ldelossa) * bgp,testing: fix race condition in checking fencer map (#18884, @ldelossa) * bgp: Add support for ClusterPool pod CIDRs (#17899, @gandro) * bgp: Fixed broken bgp speaker unit tests (Backport PR #20519, Upstream PR #20521, @dylandreimerink) * Bpf fix conditional compilation (#19104, @jrajahalme) * bpf, hubble: explicitly mark trace reason as "unknown" when relevant (#19226, @qmonnet) * bpf/sock: Use renamed field (#19532, @jrajahalme) * bpf: Add trace reason for TRACE_TO_PROXY (#19189, @borkmann) * bpf: Clean up license and copyright notices for Linux UAPI headers (#18870, @qmonnet) * bpf: do not pass 0 as a trace reason for send_trace_notify() (#19424, @qmonnet) * bpf: Don't hardcode cb CB_ENCRYPT_DST index (#20105, @pchaigno) * bpf: Dual-license code as GPL 2.0 and 2-Clause BSD (#18858, @qmonnet) * bpf: egressgw: don't redirect to tunnel dev if EP is running on gateway node (#19629, @jibi) * bpf: Fix implicit cast for BPF TPROXY debug message (#18429, @pchaigno) * bpf: fix native local build (#19218, @aanm) * bpf: Fix stale map removal in agent logs (#17973, @borkmann) * bpf: Forbid implicit int conversions (#18501, @pchaigno) * bpf: Handle tuple collisions for inactive backends (Backport PR #20519, Upstream PR #20407, @borkmann) * bpf: Quieten mock targets (#17992, @joestringer) * bpf: Remove DNS quirk for monitor aggregation (#19108, @borkmann) * bpf: Remove duplicate conntrack code (#18631, @pchaigno) * bpf: Rename tail call targets (#19807, @pchaigno) * bpf: Reset 
Pod's queue mapping in host veth to fix phys dev mq selection (#18388, @borkmann) * bpf: Simplify ipv6_hdrlen's prototype (#18703, @pchaigno) * bpf: specify handle_lxc_traffic return type to fix -Wimplicit-int error (#19891, @tklauser) * bpf: Split bpf_lxc CT lookups to their own tail calls (#19818, @pchaigno) * bpf: switch egress gateway logic to identity_is_cluster() (Backport PR #20519, Upstream PR #20209, @jibi) * bugtool: Add structured node and health output (#20011, @gandro) * build(deps): bump 8398a7/action-slack from 3.11.0 to 3.12.0 (#17965, @dependabot[bot]) * build(deps): bump 8398a7/action-slack from 3.12.0 to 3.13.0 (#18423, @dependabot[bot]) * build(deps): bump actions/cache from 2.1.6 to 2.1.7 (#17972, @dependabot[bot]) * build(deps): bump actions/cache from 2.1.7 to 3 (#19208, @dependabot[bot]) * build(deps): bump actions/cache from 3.0.0 to 3.0.1 (#19271, @dependabot[bot]) * build(deps): bump actions/cache from 3.0.1 to 3.0.2 (#19391, @dependabot[bot]) * build(deps): bump actions/cache from 3.0.2 to 3.0.3 (#20029, @dependabot[bot]) * build(deps): bump actions/cache from 3.0.3 to 3.0.4 (#20093, @dependabot[bot]) * build(deps): bump actions/cache from 3.0.4 to 3.0.5 (#20494, @dependabot[bot]) * build(deps): bump actions/checkout from 2.4.0 to 3 (#18990, @dependabot[bot]) * build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (#19448, @dependabot[bot]) * build(deps): bump actions/checkout from 3.0.1 to 3.0.2 (#19535, @dependabot[bot]) * build(deps): bump actions/download-artifact from 2.0.10 to 2.1.0 (#18163, @dependabot[bot]) * build(deps): bump actions/download-artifact from 2.1.0 to 3 (#19013, @dependabot[bot]) * build(deps): bump actions/setup-go from 2.1.4 to 2.1.5 (#18322, @dependabot[bot]) * build(deps): bump actions/setup-go from 2.1.5 to 2.2.0 (#18752, @dependabot[bot]) * build(deps): bump actions/setup-go from 2.2.0 to 3 (#18960, @dependabot[bot]) * build(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (#19801, @dependabot[bot]) * 
build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (#20466, @dependabot[bot]) * build(deps): bump actions/stale from 4.1.0 to 5 (#18991, @dependabot[bot]) * build(deps): bump actions/upload-artifact from 2.2.4 to 2.3.0 (#18165, @dependabot[bot]) * build(deps): bump actions/upload-artifact from 2.3.0 to 2.3.1 (#18263, @dependabot[bot]) * build(deps): bump actions/upload-artifact from 2.3.1 to 3 (#19027, @dependabot[bot]) * build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 (#19899, @dependabot[bot]) * build(deps): bump aws-actions/configure-aws-credentials from 1.5.11 to 1.6.0 (#17998, @dependabot[bot]) * build(deps): bump aws-actions/configure-aws-credentials from 1.6.0 to 1.6.1 (#18528, @dependabot[bot]) * build(deps): bump azure/login from 1.4.1 to 1.4.2 (#18154, @dependabot[bot]) * build(deps): bump azure/login from 1.4.2 to 1.4.3 (#18550, @dependabot[bot]) * build(deps): bump azure/login from 1.4.3 to 1.4.4 (#19670, @dependabot[bot]) * build(deps): bump docker/build-push-action from 2.10.0 to 3 (#19725, @dependabot[bot]) * build(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 (#18516, @dependabot[bot]) * build(deps): bump docker/build-push-action from 2.8.0 to 2.9.0 (#18687, @dependabot[bot]) * build(deps): bump docker/build-push-action from 2.9.0 to 2.10.0 (#19144, @dependabot[bot]) * build(deps): bump docker/login-action from 1.10.0 to 1.12.0 (#18307, @dependabot[bot]) * build(deps): bump docker/login-action from 1.12.0 to 1.13.0 (#18842, @dependabot[bot]) * build(deps): bump docker/login-action from 1.13.0 to 1.14.0 (#18962, @dependabot[bot]) * build(deps): bump docker/login-action from 1.14.0 to 1.14.1 (#18992, @dependabot[bot]) * build(deps): bump docker/login-action from 1.14.1 to 2 (#19727, @dependabot[bot]) * build(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 (#19612, @dependabot[bot]) * build(deps): bump docker/setup-buildx-action from 1.7.0 to 2 (#19728, @dependabot[bot]) * build(deps): bump 
docker/setup-qemu-action from 1.2.0 to 2 (#19722, @dependabot[bot]) * build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1334 to 1.61.1340 (#17979, @dependabot[bot]) * build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1340 to 1.61.1357 (#18039, @dependabot[bot]) * build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.10.0 to 1.10.3 (#18065, @dependabot[bot]) * build(deps): bump github.com/Azure/azure-sdk-for-go from 59.3.0+incompatible to 59.4.0+incompatible (#18020, @dependabot[bot]) * build(deps): bump github.com/cilium/ebpf from 0.7.0 to 0.8.0 (#18578, @dependabot[bot]) * build(deps): bump github.com/cilium/ebpf from 0.8.1 to 0.9.0 (#19972, @dependabot[bot]) * build(deps): bump github.com/cilium/workerpool from 1.1.1 to 1.1.2 (#19300, @dependabot[bot]) * build(deps): bump github.com/containernetworking/cni from 1.0.1 to 1.1.0 (#19620, @dependabot[bot]) * build(deps): bump github.com/containernetworking/cni from 1.1.0 to 1.1.1 (#20058, @dependabot[bot]) * build(deps): bump github.com/containernetworking/plugins from 1.0.1 to 1.1.0 (#19043, @dependabot[bot]) * build(deps): bump github.com/containernetworking/plugins from 1.1.0 to 1.1.1 (#19293, @dependabot[bot]) * build(deps): bump github.com/docker/docker from 20.10.11+incompatible to 20.10.12+incompatible (#18288, @dependabot[bot]) * build(deps): bump github.com/docker/docker from 20.10.12+incompatible to 20.10.14+incompatible (#19285, @dependabot[bot]) * build(deps): bump github.com/docker/docker from 20.10.14+incompatible to 20.10.16+incompatible (#19811, @dependabot[bot]) * build(deps): bump github.com/docker/docker from 20.10.16+incompatible to 20.10.17+incompatible (#20136, @dependabot[bot]) * build(deps): bump github.com/fsnotify/fsnotify from 1.5.1 to 1.5.4 (#19596, @dependabot[bot]) * build(deps): bump github.com/go-openapi/errors from 0.20.1 to 0.20.2 (#18599, @dependabot[bot]) * build(deps): bump github.com/go-openapi/loads from 0.21.0 to 0.21.1 (#18771, 
@dependabot[bot]) * build(deps): bump github.com/go-openapi/runtime from 0.21.0 to 0.23.1 (#18908, @dependabot[bot]) * build(deps): bump github.com/go-openapi/runtime from 0.23.1 to 0.23.3 (#19302, @dependabot[bot]) * build(deps): bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (#19636, @dependabot[bot]) * build(deps): bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (#19736, @dependabot[bot]) * build(deps): bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (#19397, @dependabot[bot]) * build(deps): bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (#19668, @dependabot[bot]) * build(deps): bump github.com/go-openapi/strfmt from 0.21.0 to 0.21.1 (#18001, @dependabot[bot]) * build(deps): bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (#20119, @dependabot[bot]) * build(deps): bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#19595, @dependabot[bot]) * build(deps): bump github.com/google/gops from 0.3.22 to 0.3.23 (#19737, @dependabot[bot]) * build(deps): bump github.com/hashicorp/consul/api from 1.11.0 to 1.12.0 (#18291, @dependabot[bot]) * build(deps): bump github.com/hashicorp/consul/api from 1.12.0 to 1.13.0 (#20121, @dependabot[bot]) * build(deps): bump github.com/onsi/gomega from 1.17.0 to 1.19.0 (#19234, @dependabot[bot]) * build(deps): bump github.com/osrg/gobgp/v3 from 3.1.0 to 3.2.0 (#19667, @dependabot[bot]) * build(deps): bump github.com/osrg/gobgp/v3 from 3.2.0 to 3.3.0 (#20071, @dependabot[bot]) * build(deps): bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1 (#18674, @dependabot[bot]) * build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.11 to 3.21.12 (#18354, @dependabot[bot]) * build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.12 to 3.22.2 (#19001, @dependabot[bot]) * build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.2 to 3.22.3 (#19328, @dependabot[bot]) * build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.3 to 3.22.4 (#19669, @dependabot[bot]) * build(deps): bump 
github.com/shirou/gopsutil/v3 from 3.22.4 to 3.22.5 (#20044, @dependabot[bot]) * build(deps): bump github.com/spf13/cast from 1.4.1 to 1.5.0 (#19780, @dependabot[bot]) * build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (#18290, @dependabot[bot]) * build(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (#19329, @dependabot[bot]) * build(deps): bump github.com/spf13/viper from 1.10.1 to 1.11.0 (#19430, @dependabot[bot]) * build(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#19988, @dependabot[bot]) * build(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.1 (#18289, @dependabot[bot]) * build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#19156, @dependabot[bot]) * build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#20120, @dependabot[bot]) * build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.3 (#20253, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.23 to 1.0.24 (#17977, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.24 to 1.0.25 (#18145, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.25 to 1.0.26 (#18245, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.26 to 1.0.27 (#18451, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.27 to 1.0.28 (#18532, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.28 to 1.0.29 (#18577, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.29 to 1.0.30 (#18598, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.30 to 1.0.31 (#18686, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.31 to 1.0.32 (#18735, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.0.32 to 1.1.0 (#18785, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.1.0 to 1.1.1 (#18840, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.1.1 to 1.1.2 (#18854, @dependabot[bot]) * build(deps): 
bump github/codeql-action from 1.1.3 to 1.1.4 (#19084, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.1.4 to 1.1.5 (#19160, @dependabot[bot]) * build(deps): bump github/codeql-action from 1.1.5 to 2.1.6 (#19269, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.11 to 2.1.12 (#20057, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.12 to 2.1.13 (#20274, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.13 to 2.1.14 (#20294, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.14 to 2.1.15 (#20345, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.15 to 2.1.16 (#20506, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.6 to 2.1.7 (#19335, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.7 to 2.1.8 (#19371, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.8 to 2.1.9 (#19599, @dependabot[bot]) * build(deps): bump github/codeql-action from 2.1.9 to 2.1.11 (#19853, @dependabot[bot]) * build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.2 to 3.5.3 (#19442, @dependabot[bot]) * build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.3 to 3.5.4 (#19559, @dependabot[bot]) * build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.2 to 3.5.3 (#19443, @dependabot[bot]) * build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.3 to 3.5.4 (#19557, @dependabot[bot]) * build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.1 to 3.5.2 (#19054, @dependabot[bot]) * build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.2 to 3.5.3 (#19444, @dependabot[bot]) * build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.3 to 3.5.4 (#19558, @dependabot[bot]) * build(deps): bump go.uber.org/multierr from 1.7.0 to 1.8.0 (#19114, @dependabot[bot]) * build(deps): bump golang.org/x/tools from 0.1.10 to 0.1.11 (#20159, @dependabot[bot]) * build(deps): bump golang.org/x/tools from 0.1.7 to 0.1.8 (#18134, @dependabot[bot]) * build(deps): bump 
golang.org/x/tools from 0.1.8 to 0.1.10 (#19157, @dependabot[bot]) * build(deps): bump golangci/golangci-lint-action from 2.5.2 to 3 (#18943, @dependabot[bot]) * build(deps): bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (#18965, @dependabot[bot]) * build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#19779, @dependabot[bot]) * build(deps): bump google-github-actions/setup-gcloud from 0.2.1 to 0.3 (#18144, @dependabot[bot]) * build(deps): bump google-github-actions/setup-gcloud from 0.3.0 to 0.4.0 (#18594, @dependabot[bot]) * build(deps): bump google-github-actions/setup-gcloud from 0.4.0 to 0.5.1 (#18841, @dependabot[bot]) * build(deps): bump google-github-actions/setup-gcloud from 0.5.1 to 0.6.0 (#19094, @dependabot[bot]) * build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 (#18292, @dependabot[bot]) * build(deps): bump google.golang.org/grpc from 1.43.0 to 1.45.0 (#19301, @dependabot[bot]) * build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#19560, @dependabot[bot]) * build(deps): bump google.golang.org/grpc from 1.46.0 to 1.46.2 (#19835, @dependabot[bot]) * build(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0 (#20045, @dependabot[bot]) * build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (#19284, @dependabot[bot]) * build(deps): bump gopkg.in/ini.v1 from 1.64.0 to 1.66.0 (#18064, @dependabot[bot]) * build(deps): bump gopkg.in/ini.v1 from 1.66.0 to 1.66.2 (#18103, @dependabot[bot]) * build(deps): bump gopkg.in/ini.v1 from 1.66.2 to 1.66.4 (#18767, @dependabot[bot]) * build(deps): bump gopkg.in/ini.v1 from 1.66.4 to 1.66.6 (#20021, @dependabot[bot]) * build(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#20198, @dependabot[bot]) * build(deps): bump KyleMayes/install-llvm-action from 1.5.0 to 1.5.1 (#18944, @dependabot[bot]) * build(deps): bump KyleMayes/install-llvm-action from 1.5.1 to 1.5.2 (#19322, @dependabot[bot]) * build(deps): bump KyleMayes/install-llvm-action from 1.5.2 to 
1.5.3 (#19865, @dependabot[bot]) * build(deps): bump library/alpine from 3.12.7 to 3.15.4 in /images/cache (#19413, @dependabot[bot]) * build(deps): bump library/alpine from 3.15.4 to 3.16.0 in /images/cache (#19943, @dependabot[bot]) * build(deps): bump nick-invision/retry from 2.5.1 to 2.6.0 (#18226, @dependabot[bot]) * build(deps): bump nick-invision/retry from 2.6.0 to 2.7.0 (#19577, @dependabot[bot]) * build: Fix compilation issue for non-linux platform (#19662, @sayboras) * build: Fix cross compiling for amd64 on arm64 (#19175, @jrajahalme) * byteorder: use native instructions in host/network order conversion (#18606, @tklauser) * Capital One added to Users doc (#20084, @bradwhitfield) * Changed the documentation for Kubespray installation to recommend using -e flag for cilium_version variable instead of editing the role variables. (#18342, @necatican) * ci: Pin down image for the documentation workflow (#19356, @qmonnet) * ci: Replace prbot-stale with actions/stale (#18503, @twpayne) * ci: Update Cilium CLI to v0.11.3 (#19602, @nathanjsweet) * Cilium host proxy is updated to Envoy release 1.21.0 (#18748, @jrajahalme) * cilium, lbmap: Use silent delete in deleteBackendLocked for now (#19352, @borkmann) * cilium: Add knob for local address to be considered host id in ipcache (#19513, @borkmann) * cilium: make tcp rebalance grace period configurable (#19800, @borkmann) * cilium: nat46/64 ci codeowner & monitor drop reason (#19298, @borkmann) * Clarify identity generated from CIDR-based policies and add security identity internal docs (#16716, @christarazi) * Clarify taint effects in the documentation. 
(#19186, @bmcustodio) * Clean up UpdateIPCacheVTEPMapping() (#19510, @vincentmli) * cni: Add log file for CNI executions (#18353, @sayboras) * Code of conduct email updated to conduct@cilium.io (#19511, @xmulligan) * CODEOWNERS: Add clustermesh entries (#19316, @pchaigno) * CODEOWNERS: Assign clustermesh-apiserver code to @cilium/sig-clustermesh (#18972, @kaworu) * CODEOWNERS: clean-up entries for deleted files (#18000, @qmonnet) * CODEOWNERS: Do not assign reviewers for Documentation/helm-values.rst (#18651, @qmonnet) * CODEOWNERS: Extend proxy group to pkg/fqdn (#19874, @christarazi) * CODEOWNERS: janitors renamed to tophat (#18360, @pchaigno) * contrib/backporting: Include golang in the image (#18664, @glibsm) * contrib/scripts: Support env vars for kind script (#20035, @christarazi) * contrib: Fix release script helm value generation (#18538, @joestringer) * contrib: Improve version matching in readme bump (#18548, @joestringer) * contrib: Make KIND cluster ipFamily configurable (#19068, @brb) * contrib: Support contrib/scripts/kind.sh on macOS (#20096, @sayboras) * Crane joins Cilium as a user (#19065, @slzcc) * ctmap: Do not use nil locks (Backport PR #20401, Upstream PR #20388, @jrajahalme) * daemon, fqdn: Add flag to control FQDN regex LRU size (#19383, @christarazi) * daemon, install/kubernetes: fix typo in DNS policy rule unload flag/value doc (#18982, @tklauser) * daemon, option: consistently hard-code host device (#18467, @tklauser) * daemon, option: remove deprecated native-routing-cidr option (#19677, @tklauser) * daemon, option: remove deprecated prefilter- options (#19913, @julianwiedmann) * daemon/cmd: Extend Cilium status with graceful termination config (#17969, @aditighag) * daemon: deprecate --endpoint-interface-name-prefix option (#18558, @tklauser) * daemon: Deprecate --host-reachable-services-protos (#19083, @brb) * daemon: Deprecate KPR=probe (Backport PR #20401, Upstream PR #20328, @brb) * daemon: Don't ignore sockops failures (#19080, 
@pchaigno) * daemon: don't mark deprecated flags as hidden twice (#19086, @tklauser) * daemon: Fix build after VTEP routes conflict (#20077, @joestringer) * daemon: Init k8s watchers after setting agent flags (#18770, @pchaigno) * daemon: Initialize k8sCachesSynced channel before calling Initk8sSubsystem() (#19626, @jrajahalme) * daemon: Removed unused method (#18729, @aditighag) * datapath/link: Initialize link monitor explicitly (#18565, @joestringer) * datapath: Change FIB lookups to enable NodePort multihoming (#18585, @brb) * datapath: Improve sysctl warning for bpf_jit_enable (#20018, @joamaki) * datapath: Improved BPF testing framework (#20017, @dylandreimerink) * datapath: Use FROM_NETDEV instead of FROM_LXC in nodeport.h (#19986, @brb) * dependabot: disable all AWS package updates (#18102, @tklauser) * dependabot: disable cloud provider SDK updates (#18067, @tklauser) * dependabot: Unignore prometheus/client_golang (#20075, @ti-mo) * dev-tool: Add cfssl and cfssljson tool check (#18337, @sayboras) * development: add kind cluster shell helpers (#19069, @ldelossa) * dnsproxy: update dnsproxy benchmark memory calculation (Backport PR #20519, Upstream PR #20305, @odinuge) * Do not disable peer service when hubble.listenAddress is empty (#19886, @chancez) * doc: add note about checkpatch during dev workflow (#19879, @sahid) * doc: add upgrade note about nativeRoutingCIDR deprecation (#18095, @kaworu) * doc: getting started minor fixes (#18024, @kaworu) * doc: update doc to inform about SERVER_BOX/VERSION (#19749, @sahid) * doc: use ipv4NativeRoutingCIDR instead of nativeRoutingCIDR (#18026, @kaworu) * doc: VTEP redirection and L7 policy partially incompatible (#19700, @vincentmli) * docs(bpf): fix minor grammar errors in struct padding section (Backport PR #20534, Upstream PR #20249, @maxbrunet) * docs(MAINTAINERS): fix link to commit_access.rst (#20081, @raphink) * docs(masquerading): add missing "address" (Backport PR #20563, Upstream PR #20538, @raphink) * 
docs(policy): add notes on DNS/L7 policies & Cilium agent availability (Backport PR #20333, Upstream PR #20289, @raphink) * docs(README): add logo option for dark theme (#19920, @raphink) * docs, ci, test/l4lb: use latest cilium-cli release according to stable.txt (#20203, @tklauser) * docs,ci: updates to ci docs (#19174, @ldelossa) * docs: Add CLI installation for ServiceMesh (Backport PR #20519, Upstream PR #20406, @sayboras) * docs: Add cluster install/prep guide for AKS-to-AKS clustermesh (Backport PR #20534, Upstream PR #20439, @dylandreimerink) * docs: Add default conntrack gc interval (#19977, @aditighag) * docs: Add developers guide page about BPF testing framework (#20165, @dylandreimerink) * docs: Add docs-builder build as dependency to live preview (#19885, @qmonnet) * docs: Add example how to config ipmasq via ConfigMap (Backport PR #20519, Upstream PR #20239, @brb) * docs: Add Getting Started docs for clustermesh service affinity (Backport PR #20333, Upstream PR #20228, @sayboras) * docs: Add getting started docs for Ingress (#19760, @sayboras) * docs: add Hands-on tutorial (#18583, @vannyle) * docs: Add interactive help for make targets (Documentation/Makefile) (#20012, @qmonnet) * docs: add kube-apiserver to the special identity list (#20047, @kaworu) * docs: Add limitation document for bandwidth-manager + nested network namespace (#18400, @YutaroHayakawa) * docs: add missing ingress special identity (#20060, @kaworu) * docs: Add more envoy supported extensions (Backport PR #20401, Upstream PR #20241, @sayboras) * Docs: add project roadmap (#19540, @lizrice) * docs: Add read:user scope for github token (#19063, @sayboras) * docs: add registry (quay.io/) for pre-loading images for kind (#18017, @adamzhoul) * docs: Add requirement for ginkgo version (#19248, @sayboras) * docs: add robots.txt in a static directory (#19564, @aanm) * docs: add Talos to adopters list (#18879, @frezbo) * docs: Add troubleshooting docs for Ingress (Backport PR #20519, 
Upstream PR #20428, @sayboras) * docs: Add upgrade note regarding custom ports (#17975, @errordeveloper) * docs: added GSoD technical writers (#19799, @xmulligan) * docs: adding Accuknox to USERS (#19103, @nyrahul) * docs: adding Nexxiot to USERS (#19332, @alex-berger) * docs: adding Snapp to USERS (#19128, @m-yosefpor) * docs: builder,runtime images (#18576, @kkourt) * docs: Clarify deprecated "prefilter-devices" (#18112, @brb) * docs: clarify upgrade impact for clients using an egress gateway (#18097, @jibi) * docs: Clarify use of the eni.subnetTagsFilter option (#19276, @gandro) * docs: cleanup and tidy up the 1.11 upgrade guide (#18093, @aanm) * docs: disable k3s network policy enforcement (#18671, @tklauser) * docs: Document clustermesh datapath configuration for non-tunneled modes (Backport PR #20519, Upstream PR #16499, @jrajahalme) * docs: Document monitor aggregation levels (#19349, @michi-covalent) * docs: Document operator.unmanagedPodWatcher (#19820, @joestringer) * docs: Document required kernel configuration options (#18546, @pchaigno) * docs: Document the kube-apiserver entity (#18396, @christarazi) * docs: Document unsupported focused tests for runtime suite (#19173, @aditighag) * docs: Don't mark pre-upgrade step as "recommended" (#18468, @pchaigno) * docs: Don't rely on assignee filter for reviews (#18676, @pchaigno) * docs: export KUBECONFIG for cilium-cli with k3s (#18697, @tklauser) * docs: Fix first-interface-index documentation (#18327, @gandro) * docs: fix a Links documentation style guide error (Backport PR #20534, Upstream PR #20460, @Kikiodazie) * docs: Fix and clean-up the build framework for the documentation (#19969, @qmonnet) * docs: Fix build after etcd v3.5.4 version bump (#20171, @joestringer) * docs: Fix display of misspelled words (#19542, @qmonnet) * docs: fix eksctl ClusterConfig to allow copy (#18110, @aanm) * docs: fix flags for 1.12 branch (Backport PR #20519, Upstream PR #20408, @aanm) * docs: Fix incorrect command in IPsec 
GSG (#19767, @pchaigno) * docs: Fix incorrect FQDN flag (#19930, @pchaigno) * docs: Fix incorrect mention of bpf.masquerade's default value (#18420, @pchaigno) * docs: Fix incorrect values for hubble-ui standalone install (#18661, @ysksuzuki) * docs: fix link to signoff / certificate of origin section (#18123, @timoreimann) * docs: Fix max SPI value for IPsec key rotations (#19893, @pchaigno) * docs: Fix reference to upgrade guide (#20184, @joestringer) * docs: fix small spelling mistakes in masquerading pages (#18338, @yanhongchang) * docs: fix tip about opening the Hubble server port on all nodes (#19036, @rolinh) * docs: Fix up mailmap a bit and update authors (#17983, @borkmann) * docs: Fix update-spelling_wordlist.sh to run command on spelling errors (Backport PR #20519, Upstream PR #20481, @qmonnet) * docs: fix version warning banner (#19611, @aanm) * docs: fix version warning URL to point to docs.cilium.io (#19563, @aanm) * docs: Fixed service list command in clustermesh affinity guide (Backport PR #20519, Upstream PR #20442, @dylandreimerink) * docs: improve description for session affinity with KPR (#19478, @julianwiedmann) * docs: improve guide to setup Cilium overlay on EKS (#19207, @oliwave) * docs: Improve kubeproxy replacement and OKD GSG guide. 
(Backport PR #20534, Upstream PR #20447, @tommyp1ckles) * docs: Improve policy troubleshooting guide (Backport PR #20401, Upstream PR #20399, @joestringer) * docs: ipsec: remove node-to-node encryption (Backport PR #20519, Upstream PR #20422, @NikAleksandrov) * docs: KUBECONFIG for cilium-cli with k3s (#18068, @kkourt) * docs: L7 traffic management getting started guide (Backport PR #20519, Upstream PR #20421, @sayboras) * docs: Mark Git repo as safe in Docker build-docs container (#19861, @qmonnet) * docs: Mention how to build images for local CI testing (#17984, @brb) * docs: Mention KPR in DR mode sec ID limitation (#19113, @brb) * docs: minor fixes (#20218, @julianwiedmann) * docs: Minor updates to IPsec limitations (#18647, @pchaigno) * docs: move sitemap-index.xml to static directory (#19681, @aanm) * docs: Nit changes to steps for image building (#20153, @pchaigno) * docs: prevent search engines from indexing old branches (#18111, @aanm) * docs: Regenerate doc for Helm values (#18953, @pchaigno) * docs: Remove '\r' chars from grep result to parse Alpine image name (#19888, @qmonnet) * docs: remove gobpf, mention cilium/ebpf (#18657, @ti-mo) * docs: Remove incorrect beta note for host policies (#18470, @pchaigno) * docs: Remove manual installation instruction for kind clustermesh (#18075, @aditighag) * docs: remove mention of 250 nodes for kvstore (#17995, @aanm) * docs: remove stale EgressGW limitation with CES (#20195, @julianwiedmann) * docs: Remove trailing step in AWS helm install (#18893, @joestringer) * docs: Replace 'micro version' with 'patch version' (#18279, @pchaigno) * docs: Replace janitors team with tophat team (#18430, @pchaigno) * docs: set right path for robots.txt (#19638, @aanm) * docs: set robots.txt in the right directory (#18243, @aanm) * docs: set the right url for API version check (#19610, @aanm) * docs: Update clustermesh example verification steps (#18764, @sayboras) * docs: update CODEOWNERS feature release instructions (#18252, 
@nbusseneau) * docs: Update company name in MAINTAINERS.md (#19431, @sayboras) * docs: Update contributing guide pages (#18346, @sayboras) * docs: update copybutton.css following the docutils update (#19498, @qmonnet) * docs: Update docs with minimum helm version (Backport PR #20519, Upstream PR #20403, @aditighag) * docs: update egress gateway documentation and mark the feature stable (#19862, @jibi) * docs: update k8s instructions on how to update k8s libraries (#18040, @aanm) * docs: Update max MTU value for Nodeport XDP on AWS (#19593, @qmonnet) * docs: Update shared service annotation docs (#19313, @sayboras) * docs: Update Sphinx to v4.5.0 (#19348, @qmonnet) * docs: Update stable release versions (#18222, @borkmann) * docs: Update the kind documentation with cgroup requirements (#18269, @aditighag) * docs: Update the minimum required Minikube version (#18155, @pchaigno) * docs: Use kubectl exec daemonset/cilium where possible (#18723, @pchaigno) * docs: Warn against Helm's --reuse-values in Cilium upgrades (#18259, @gandro) * Document installing Cilium on Rancher Desktop (#19049, @chancez) * Document that clustermesh cluster-id range is 1-255 (#19683, @stonith) * Document v1.11 feature deprecations (#17993, @joestringer) * Documentation for adding CRDs into Cilium (#19275, @ldelossa) * Documentation/gettingstarted: disable curl progress meter (#18698, @tklauser) * Documentation: Improve cilium-cli and hubble cli installation instructions (Backport PR #20534, Upstream PR #20415, @chancez) * Documentation: Only install 1 replica of operator on k3s (Backport PR #20519, Upstream PR #20416, @chancez) * Documentation: Restart cilium-operator and cilium after enabling Service Mesh (Backport PR #20519, Upstream PR #20417, @chancez) * Drop years and copyright symbol from copyright notices (#18813, @qmonnet) * Dynamic Cluster Pool follow-ups (#19777, @gandro) * elf: Don't assume data symbols are 4-bytes long (#18518, @pchaigno) * elf: Move functions only used in tests 
(#18383, @twpayne) * elf: skip TestWrite if ELF file wasn't built (#18046, @gandro) * Enable cilium-cli helm based installation (#18898, @aanm) * endpoint: Print error for regeneration timeout (#19333, @pchaigno) * endpointmanager: Add extra check for out-of-range endpoint IDs (Backport PR #20519, Upstream PR #20363, @twpayne) * eni: Fix broken build due to unit test (#19278, @gandro) * Envoy update for service mesh (#19101, @jrajahalme) * envoy: Limit accesslog socket permissions (#19190, @jrajahalme) * Exclude interface's primary address from IP pool by default in Azure (Backport PR #20333, Upstream PR #19743, @hemanthmalla) * Expose hubble-ui security context in helm chart hubble.ui.securityContext (#19441, @hemslo) * Expose metrics for active FQDN connections per endpoint (#19857, @christarazi) * feat(command): allow to dump as YAML (#19480, @raphink) * Feat: add ingressClassName to hubble ingress spec (#18044, @cyril-corbon) * Fix a function comment typo (#18231, @hangyan) * Fix a typo in the documentation (#18411, @gjkim42) * fix CODEOWNERS (#18980, @kaworu) * Fix comment for EndpointCreated function (#19465, @Jiang1155) * Fix documented EC2 IAM action (#17958, @austince) * Fix helm chart annotations for CRDs installed by Cilium (#18141, @joestringer) * Fix Makefile.docker not to specify --load and --push flags at once (#18316, @YutaroHayakawa) * Fix missing capabilities when not running Cilium on containerd-based Kubernetes (#19903, @AtkinsChang) * Fix running documentation make targets on MacOS (#19900, @chancez) * Fix smoke tests by filtering out go_ metrics from metrics linting (#19399, @chancez) * Fix the typo in Fatalf message of printConfigurations (#18413, @21kyu) * Fixed warnings generated by "make -C test/bpf/ nat-test" due to improper castings (#18015, @cdelzotti) * Fixes:Added the declaration of license (#19834, @yulng) * fqdn/dnsproxy: fix test build (Backport PR #20534, Upstream PR #20537, @tklauser) * fqdn: Use read-write mutex inside 
NameManager (#19486, @christarazi) * gha: Add ingress conformance test (#19742, @sayboras) * gha: Add retry options for ingress sanity check (#19825, @sayboras) * gha: Bump cilum cli version to v0.11.6 (#19828, @sayboras) * git: Ignore local emacs config (#18939, @jrajahalme) * github: Backport DNS fix for external workloads 1.10 and 1.11 tests (#19516, @jrajahalme) * go.mod, vendor: update cloud provider SDK Go modules (#18983, @tklauser) * go.mod, vendor: update cloud provider SDK Go modules (#19409, @tklauser) * go.mod, vendor: update cloud provider SDK Go modules (#19664, @tklauser) * go.mod, vendor: update cloud provider SDK Go modules for July 2022 (Backport PR #20401, Upstream PR #20371, @tklauser) * go.mod, vendor: update cloud provider SDK Go modules for June 2022 (#20126, @tklauser) * go.mod, vendor: update cloud SDK modules (#18355, @tklauser) * go.mod: update kevinburke/ssh_config dependency (#19289, @kevinburke) * health: Fix cluster-health-port for health endpoint (#18061, @gandro) * Helm Chart loop monitor sidecar (#19363, @yuriydzobak) * helm: Bump cilium/startup-script image tag (#19263, @gandro) * helm: don't generate the hubble-peer svc during preflight checks (#19759, @kaworu) * helm: Enable ingress controller in smoke tests (ipv4 + ipv6) (#19644, @sayboras) * helm: Enable offline deployments for OpenShift clusters (#18849, @nathanjsweet) * helm: Expose agent DNS proxy parameters as chart values (#19967, @joaoubaldo) * helm: Fix syntax error in Hubble UI className (#20056, @gandro) * helm: Make DNS policy for cilium-agent and cilium-operator pods configurable (Backport PR #20519, Upstream PR #20082, @michi-covalent) * helm: Templatize preflight and clustermesh-apiserver repos (#20206, @michi-covalent) * helm: Update links in values.yaml (#18471, @sayboras) * helm: use port 80/443 by default for the peer service (#19933, @rolinh) * highlight values.yaml.tmpl as yaml (#20250, @kaworu) * hubble/filters: add a unit test for TCP flows without flags 
(#18971, @kaworu) * hubble/filters: strict number check for full HTTP status code (#19429, @kaworu) * hubble: Improve performance of identity getter (#20005, @gandro) * hubble: read proxy port from trace event (#18510, @zhanghe9702) * hubble: remove unused local observer field (#19962, @kaworu) * identity: Initialize local identity allocator early (#19556, @jrajahalme) * images, contrib/coccinelle: update alpine image to 3.16.0 (Backport PR #20519, Upstream PR #20378, @tklauser) * images,test: Remove noop SKIP_DOCS (#18955, @pchaigno) * images/cilium: remove cilium group from Dockerfile (#19711, @aanm) * images/runtime: update CNI plugins to 1.1.1 (#19690, @tklauser) * images: Bump Hubble CLI to v0.10.0 (Backport PR #20401, Upstream PR #20286, @gandro) * images: Fix build on arm64 (#18795, @jrajahalme) * images: Remove copyright years from copyright notices (#19359, @qmonnet) * images: Update bpftool (#19046, @pchaigno) * images: Update cilium-bpftool (#20197, @NikAleksandrov) * images: Update cilium-iproute2 (#18784, @pchaigno) * images: update gops binary in images to v0.3.22 (#18175, @tklauser) * Improve Cilium DNS Proxy-related error metrics (#19702, @christarazi) * Improve dev-doctor hints (#18562, @jtaleric) * Improve Egress Gateway Getting Started Guide (Backport PR #20519, Upstream PR #20471, @pippolo84) * Improve Egress Gateway Getting Started Guide (Backport PR #20563, Upstream PR #20531, @pippolo84) * Improve the efficiency of the k8s-unmanaged.sh script (#19471, @gavinmcnair) * ingress: Couple of cleanup and TODOs (#19647, @sayboras) * install/cilium-operator: fix clusterrole rules (#19686, @aanm) * install/kubernetes: Avoid quoting version twice (#20188, @joestringer) * install/kubernetes: bump etcd to v3.5.4 (#20134, @aanm) * install/kubernetes: do not initialize variable twice (Backport PR #20519, Upstream PR #20430, @aanm) * install/kubernetes: expose DNS policy rule unload agent flag as helm value (#18809, @tklauser) * install/kubernetes: fix helm 
generation for operator image digest (#17968, @aanm) * install/kubernetes: Remove deprecated cluster roles (#18168, @christarazi) * install: Fix hubble-ui image references (#18209, @joestringer) * install: Fix typos of cilium (#20113, @twpayne) * ipam: Shutdown retry trigger on node deletion (#20140, @christarazi) * ipcache: Add test asserting out-of-order Kubernetes events (#19258, @christarazi) * ipcache: Error out from InjectLabels if Checker is nil (#19887, @jrajahalme) * ipcache: Make SupportsDelete() more robust by using a separate map (#19641, @joamaki) * ipcache: Use incremental policy updates (#18996, @joestringer) * ipsec: Rewrite parser for IPsec secret (#19824, @pchaigno) * iptables: Fix race condition on ipset removal (#18790, @pchaigno) * k8s-conformance: Improve skipped tests format/links (#19628, @joestringer) * k8s: Fix CRD schema version for v2alpha1 (#18215, @joestringer) * k8s: Move CiliumEnvoyConfig to v2 (#19688, @jrajahalme) * k8s: Update libraries to 1.23.3 (#18633, @christarazi) * k8s: update libraries to v1.23.0 (#18190, @aanm) * k8s: Use kubelet's logic to close all idle connections (#19290, @christarazi) * labels/cidr: use netip types to improve GetCIDRLabels and IPStringToLabel performace (Backport PR #20401, Upstream PR #20316, @tklauser) * List Simple Life as Cilium user (#19377, @sergeyshevch) * loader: Use new eBPF ISA feature probes (#19170, @pchaigno) * localdev: fix kind helm install shell function (#19149, @ldelossa) * logo: fix position of central polygon (#19216, @sisp) * LRP minor improvements (#19489, @aditighag) * maglev: fix TestPermutations backend generation (#19663, @kaworu) * maglev: use github.com/cilium/workerpool (#19940, @kaworu) * MAINTAINERS: adding myself to committers list (#18781, @lizrice) * MAINTAINERS: update committers (#20014, @tklauser) * Make API ratelimit logs less noisy by default (#18934, @panchm) * Make k8s-cilium-exec.sh friendlier to read (#17997, @weizhoublue) * make: check that Go major/minor 
version matches required version (#19528, @tklauser) * make: fix Makefile docker pull command to cause an error when using podman (#19748, @koba1t) * make: grep for new go:build tags in PRIV_TEST_PKGS_EVAL (#19415, @tklauser) * make: remove deprecated test targets (#19436, @tklauser) * Makefile: Add 'make kind-image' to 'make help' (#19963, @joestringer) * Makefile: Add kind-image target (#17990, @joestringer) * Makefile: Fix TESTPKGS commandline (#19100, @joestringer) * Makefile: Measure unit test coverage by package (#20038, @joestringer) * Makefile: Push image in 'kind-image' target (#18167, @joestringer) * maps/lbmap: fix maglev test suite build (#19435, @tklauser) * metrics: Fix NaN value for cilium metrics list CLI (#19987, @sayboras) * Misc Makefile improvements for quiet mode V=0 (#20031, @joestringer) * Misc. testing cleanups (#18238, @christarazi) * Move Equinix to the correct place in the alphabet (#19527, @xmulligan) * Moved Azure secrets to secret resource (#18010, @wolffberg) * neigh: minor improvements for neigh tests to be less flaky (#18057, @borkmann) * neigh: Support multi device neighbor discovery (Backport PR #20333, Upstream PR #20092, @ysksuzuki) * New config hubble.relay.securityContext in Helm values. 
(#18242, @ooraini) * node: don't set write-only NodeAddressingElement.AddressType property (#19044, @tklauser) * node: Fix bug where node ipsets are never cleaned (#18582, @pchaigno) * None (#19280, @pacoxu) * operator: start the event queue in a dedicated go routine (Backport PR #20519, Upstream PR #20353, @aanm) * Optimize CIDR label functions (#19843, @christarazi) * pkg/bpf: add map name in error message for OpenParallel (#19491, @aanm) * pkg/bpf: Include BPF map names during map creation (#20091, @christarazi) * pkg/daemon: Log error when node port init fails (#18475, @aditighag) * pkg/datapath/linux: Simplify logical conditions for IPsec node encryption (#18915, @christarazi) * pkg/datapath: Remove transitive dependency on netlink (#18619, @aditighag) * pkg/elf: Mark tests as integration tests (#18326, @twpayne) * pkg/endpoint: fix data race in endpoint logger (#18769, @aanm) * pkg/fqdn: Replace remaining usages of regex compile with LRU (#19875, @christarazi) * pkg/k8s: do not wait for endpointslice cache sync in k8s >= 1.17 (Backport PR #20570, Upstream PR #20569, @aanm) * pkg/k8s: use subresource "nodes/status" to update node annotations (#19590, @aanm) * pkg/labels: Optimize SortedList() and FormatForKVStore() (#19423, @christarazi) * pkg/mac refactor for common code use (#18793, @vincentmli) * pkg/maps: Fix data races around accessing nat maps (#18952, @aditighag) * pkg/metrics: Remove source node label (Backport PR #20519, Upstream PR #20433, @aditighag) * pkg/policy/api: Optimize Decision MarshalJSON() (#19704, @MikeLing) * pkg/policy/api: Optimize FQDNSelector String() (#19570, @christarazi) * pkg/policy/policy: Optimize SearchContext String() (#19661, @MikeLing) * pkg/policy/rule: Optimize rule String() (#19822, @MikeLing) * policy: Reduce allocations during FQDN processing (#17959, @joestringer) * preallocate memory before looping over it (#19566, @florianl) * Prepare for 1.12.0 development (#17961, @aanm) * Prepare for release v1.12.0-rc0 (#19032, 
@aanm) * Prepare for release v1.12.0-rc1 (#19393, @aanm) * Prepare for release v1.12.0-rc2 (#19694, @aanm) * Prepare v1.12 stable branch (#20276, @aanm) * README.rst: Add subsections on Governance and Adopters to make the info more discoverable, and to satisfy CLOMonitor (#19037, @xmulligan) * README.rst: fix stable release table (#19517, @tklauser) * Reduce datapath from_lxc complexity (#17758, @jrajahalme) * reduce GC load (#18757, @florianl) * Refactor IPCache to remove static package-level globals (#19073, @joestringer) * release: Generate helm values docs (#18137, @joestringer) * Remove unused functionality in pkg/bpf (#18378, @tklauser) * Removes any log swallowing that was occuring on daemon/cmd init (#19188, @ldelossa) * replace hardcode "docker" command with $(CONTAINER_ENGINE) (#18009, @ArthurChiao) * Revert "allocator: fix out-of-valid-range identities being allocated" (#18808, @pchaigno) * Revert "build(deps): bump github.com/prometheus/client_golang" (#19398, @aanm) * Revert "build(deps): bump google.golang.org/protobuf from 1.27.1 to 1… (#19395, @aanm) * Revert "datapath: Remove !CONNTRACK" (#18545, @nbusseneau) * Revert "ipsec: set interface ID different from 0" (#19019, @pchaigno) * Revert "iptables: Don't use ip{,6}tables if unavailable" (#18768, @pchaigno) * Revert "test/Services: Quarantine 'Checks service on same node'" (#18170, @borkmann) * Scripts: Update k8s-unmanaged script to only return pods where host networking is false (#18349, @thejosephstevens) * Select new backend if old connection from src port to cluster IP was closed (#19451, @amol-go) * Spell out the full term of the CRD acronym (#19381, @Kikiodazie) * Stablize kube-apiserver policy matching feature, namely by fixing unncessary identity churn when kube-apiserver is running outside of the cluster (#18150, @christarazi) * Standardize testing directory filepath naming (#18621, @joestringer) * Support builder image on arm64 (#19768, @chancez) * Support for Cilium in Exoscale SKS 
(#20076, @retrack) * Templatize helm template image references (#20066, @joestringer) * Tencent Cloud added as a user (#19183, @xmulligan) * Test runtime cilium in container (take two) (#19310, @jrajahalme) * test/bpf: Fix format of check-complexity.sh script (#19836, @pchaigno) * test/bpf: Fix mock dependencies (#19099, @joestringer) * test/upgrade: use the unreleased helm chart of stable branches (#19710, @aanm) * test: Fix make target for k8s tests (Backport PR #20401, Upstream PR #20264, @ysksuzuki) * test: fix typo in log output (#19134, @julianwiedmann) * test: Fix whitespace in docker-run-cilium (#19358, @jrajahalme) * test: Revert sys-fs-bpf.mount rename (#19385, @jrajahalme) * test: Skip flaky K8sServices NodePort test (#18402, @twpayne) * test: Support multiple nodes without Cilium (#17954, @pchaigno) * testutils/mockmaps: Bring duplicate backend calls check back (#19544, @aditighag) * tooling: add kind-down script (#18721, @ldelossa) * treewide: bump copyright year to 2022 in generated files (#18392, @tklauser) * treewide: Fix typos of Kubernetes (#20114, @twpayne) * treewide: Sort imports according to Go conventions (#18357, @twpayne) * treewide: Tidy up more imports (#18389, @twpayne) * Trimmed down Cilium's Cluster Roles to only the necessary rules (#19074, @aanm) * trivial: Fix test step stutter 'to to' (#18188, @joestringer) * ui: v0.8.3 (#18033, @geakstr) * ui: v0.8.5 (#18203, @geakstr) * Unify the term points "Fast Redirect" on host to the "BPF Host Routing". 
(#18862, @chenk008) * Update AUTHORS and mailmap (#19488, @joestringer) * Update aws-sdk-go-v2 to support m6a c6i im4gn is4gen g5g g5 EC2 instances types (#18220, @ese) * Update bpftool to get latest feature probes (#19422, @borkmann) * Update cli-download.rst (#20181, @nvibert) * Update CLOMonitor badge url (#19365, @cynthia-sg) * Update cloud provider modules (#18683, @tklauser) * Update Copyright header in identity_range.go (#19115, @ti-mo) * Update external docker images (#19384, @aanm) * Update Go to 1.17.4 (#18128, @tklauser) * Update Go to 1.17.5 (#18224, @tklauser) * Update Go to 1.17.6 (#18441, @tklauser) * Update Go to 1.17.7 (#18796, @tklauser) * Update Go to 1.17.8 (#19058, @tklauser) * Update Go to 1.18 (#19169, @tklauser) * Update Go to 1.18.1 (#19432, @tklauser) * Update Go to 1.18.2 (#19775, @tklauser) * Update Go to 1.18.3, golangci-lint to 1.46.2 (#20061, @tklauser) * Update Go to 1.18.4 (Backport PR #20534, Upstream PR #20501, @tklauser) * Update gops to v0.3.25 (Backport PR #20534, Upstream PR #20438, @tklauser) * update k8s library versions (#18590, @aanm) * update k8s versions to the latest releases (Backport PR #20519, Upstream PR #20507, @aanm) * Update native routing CIDR flags description (#18367, @jibi) * Update SAP adoption info in USERS.md (#18936, @ghost) * Update stable releases (#18236, @joestringer) * Update stable releases (#18547, @joestringer) * Update stable releases (#18929, @joestringer) * Update stable releases (#19242, @aanm) * Update stable releases (#19503, @tklauser) * Update stable releases (#19841, @joestringer) * Update stable releases (#20224, @joestringer) * Update USERS.md (#19837, @edude03) * Update USERS.md (#20002, @FaKod) * update USERS.md with Equinix info (#19504, @matoszz) * UPDATE users.md: Add CONNY (#19815, @ant31) * Update values.yaml.tmpl (Backport PR #20401, Upstream PR #20357, @michi-covalent) * update-docs : add details for how to enable/disable Policy Audit Mode by endpoint (#19876, 
@BryanStenson-okta) * Upgrade cilium/ebpf to version 0.8.1 (#18903, @ti-mo) * Upgrade to cilium/lumberjack v2.2.2 to Flush() gzip writer before Sync()ing (#19361, @chancez) * Use cilium/ebpf/rlimit for bumping memlock rlimits (#18640, @ti-mo) * Use FQDN regex LRU everywhere (#19632, @christarazi) * Users page now includes platforms, products, and services (#19357, @xmulligan) * Vagrant cleanups (#19253, @julianwiedmann) * vagrant: add git exception in dev VMs for cilium repo for root user (#19855, @jibi) * vagrant: fix overlap of IPv6 Node/Pod CIDRs on dev-VM (#19303, @julianwiedmann) * vagrant: Generate kubeconfig correctly for netnext (#18498, @YutaroHayakawa) * Various cleanups around pkg/datapath (#20041, @tklauser) * vendor: bump github.com/shirou/gopsutil/v3 from 3.21.10 to 3.21.11 (#18255, @rolinh) * vendor: Promote controller-tools fork to cilium repo (#18185, @christarazi) * vendor: pull in the latest changes from github.com/vishvananda/netlink (#18618, @aditighag) * wireguard: Fix invalid bits when agent init (#19118, @junnplus) * WithDialer is deprecated and use WithContextDialer instead (#19281, @luckymrwang)

Other Changes: * .github: add unstripped image builds (#20315, @aanm) * [v1.12] gha: Add ingress conformance test (#20362, @sayboras) * Add Ayedo as users (#18863, @hrittikhere) * codeowners: update for v1.12 backports (#20342, @aanm) * Fix unstripped id for gh action (#20319, @jtaleric) * install: Update image digests for v1.12.0-rc3 (#20281, @aanm) * Prepare for release v1.12.0-rc3 (#20279, @aanm)


Security

Security wording was detected, but no CVEs were found.

Details

date: July 20, 2022, 2:57 p.m.
name: 1.12.0
type: Minor