Cilium - v1.12.8

Security

We are pleased to release Cilium v1.12.8. This release includes Helm chart improvements, many bugfixes (including a fixed deadlock on EKS and operator crashes) and CI improvements.

This release addresses the following security issues:
* https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc
* https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx

Summary of Changes

Minor Changes:
* envoy: Bump envoy to 1.23.4 (Backport PR #23957, Upstream PR #23800, @sayboras)
* helm: Add pod and container security context (Backport PR #24083, Upstream PR #23443, @sayboras)
* helm: Add SA automount configuration (Backport PR #24083, Upstream PR #23441, @sayboras)
* helm: Add support of annotations in hubble ui service (Backport PR #23779, Upstream PR #23709, @brnck)

Bugfixes:
* [EKS] Fix deadlock causing network connectivity outages when kube-apiservers scale down (Backport PR #23957, Upstream PR #23836, @christarazi)
* Add the option to preserve the CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. It may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24197, Upstream PR #24009, @squeed)
* agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23957, Upstream PR #23787, @giorio94)
* Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (Backport PR #24197, Upstream PR #24156, @aanm)
* cilium-health status: fix endpoint reachability in succinct view (Backport PR #23779, Upstream PR #23506, @giorio94)
* clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24083, Upstream PR #23947, @giorio94)
* envoy: Avoid empty typeURL for all resources (Backport PR #23861, Upstream PR #23763, @sayboras)
* Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23957, Upstream PR #23857, @giorio94)
* Fix the enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running with the etcd kvstore. (Backport PR #24310, Upstream PR #23874, @sjdot)
* Fix operator crash race condition for CES identity map concurrent read/write (Backport PR #24197, Upstream PR #23605, @dlapcevic)
* ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23779, Upstream PR #23713, @gandro)
* node: require ipv4 address when wireguard is enabled (Backport PR #24039, Upstream PR #23552, @giorio94)
* watchers: endpointsync can manage already owned CiliumEndpoints. (Backport PR #24083, Upstream PR #23499, @tommyp1ckles)

CI Changes:
* bpf/Makefile: Cover VTEP in compile tests (Backport PR #24197, Upstream PR #24106, @pchaigno)
* ci: Update docs-builder image for documentation workflow (Backport PR #24067, Upstream PR #21040, @qmonnet)
* test: Update policy for hairpin flow validation (Backport PR #23779, Upstream PR #23480, @aditighag)
* workflows: Bump timeout of ConformanceKind workflow (Backport PR #23957, Upstream PR #22072, @pchaigno)

Misc Changes:
* .github: remove stable tags (#23830, @aanm)
* Add leader requirement to watch from Etcd. (Backport PR #24083, Upstream PR #23590, @marseel)
* bpf: Fix usage of tunnel map structs (Backport PR #24083, Upstream PR #23469, @pchaigno)
* bugtool: Add ingress/egress tc filter dump (Backport PR #24197, Upstream PR #24057, @joestringer)
* bugtool: Dump envoy metrics for troubleshooting (Backport PR #23779, Upstream PR #22797, @sayboras)
* chore(deps): update actions/checkout action to v3.3.0 (v1.12) (#23994, @renovate[bot])
* chore(deps): update all github action dependencies (v1.12) (patch) (#23993, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.11.2 (v1.12) (#23909, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 4a45212 (v1.12) (#23693, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 9fa30fc (v1.12) (#24137, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (v1.12) (#23923, @renovate[bot])
* clustermesh, kvstore: consistently pass controller context to kvstore operations (Backport PR #23779, Upstream PR #23333, @tklauser)
* docs: correct Prometheus port (Backport PR #23779, Upstream PR #23404, @lizrice)
* docs: Document CONFIG_PERF_EVENTS requirement (Backport PR #24197, Upstream PR #24055, @joestringer)
* docs: Drop sphinxcontrib-openapi fork, switch back to upstream (Backport PR #23779, Upstream PR #23118, @qmonnet)
* docs: Fix the dead link to Mellanox performance tuning guide (Backport PR #24083, Upstream PR #24012, @gentoo-root)
* docs: Mark Git repository as safe, at runtime, if in a container (Backport PR #24067, Upstream PR #21069, @qmonnet)
* docs: replace usage of api.twitter.com (Backport PR #23779, Upstream PR #23669, @kaworu)
* Enable Google Analytics 4 (Backport PR #24067, Upstream PR #22220, @chalin)
* fix(deps): update module golang.org/x/net to v0.7.0 [security] (master) (Backport PR #23957, Upstream PR #23904, @renovate[bot])
* Fixed link to broken anchor in RKE doc (Backport PR #23779, Upstream PR #23706, @raphink)
* Introduce node IDs in the datapath and the agent, so datapath can later use them to identify remote nodes (Backport PR #23779, Upstream PR #23202, @pchaigno)
* IPsec: Remove IP_POOLS logic (Backport PR #24083, Upstream PR #24030, @pchaigno)
* Node ID restoration (Backport PR #23779, Upstream PR #23578, @pchaigno)
* Remove / in RKE doc link as it causes redirect bug (Backport PR #23779, Upstream PR #23728, @raphink)
* workflow: fixes LLVM, Clang cache and install path (Backport PR #23779, Upstream PR #23740, @brlbil)

Other Changes:
* agent: dump stack on stale probes [backport-1.12] (#24213, @squeed)
* docs: Add note for operator.extraEnv (#23843, @sayboras)
* install: Update image digests for v1.12.7 (#23738, @joestringer)
* Revert "Pick up etcd v3.5.7" (#23788, @michi-covalent)
* update images 1.12 (#24303, @nebril)
* v1.12 - Backport initContainer change (#24332, @ferozsalam)
* v1.12 backport: fix cgroup program detachment and 1.14 downgrade (#24183, @ti-mo)
* v1.12 Backports 2023-03-03 (#24155, @jibi)
* v1.12 Backports 2023-03-14 (#24369, @nebril)
* v1.12 Backports 2023-03-15 (#24386, @nebril)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.8@sha256:b6c3c48b380334b8f08dba6e0c28d906c0d722b8c2beb0d506b3cea27f66f78d
quay.io/cilium/cilium:v1.12.8@sha256:b6c3c48b380334b8f08dba6e0c28d906c0d722b8c2beb0d506b3cea27f66f78d

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.8@sha256:acb4727cb2ccde4ecd372c459c4da53823e00d36b470f80339a237fbe5127a0b
quay.io/cilium/clustermesh-apiserver:v1.12.8@sha256:acb4727cb2ccde4ecd372c459c4da53823e00d36b470f80339a237fbe5127a0b

docker-plugin

docker.io/cilium/docker-plugin:v1.12.8@sha256:8c4dd43fea669b3e0b63c0d7abae06b1f61a6ad7365f69ebc65e0b5c916e6468
quay.io/cilium/docker-plugin:v1.12.8@sha256:8c4dd43fea669b3e0b63c0d7abae06b1f61a6ad7365f69ebc65e0b5c916e6468

hubble-relay

docker.io/cilium/hubble-relay:v1.12.8@sha256:508cf85bb1a11c13abd995e3c5fd18ed3c2f1d26cbf463a97297e8b8c9149f13
quay.io/cilium/hubble-relay:v1.12.8@sha256:508cf85bb1a11c13abd995e3c5fd18ed3c2f1d26cbf463a97297e8b8c9149f13

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.8@sha256:d9a4a9c4f5d5969cb3bbfdbe773a182858de53c3b3d88dd39e80f89b97f1c7b2
quay.io/cilium/operator-alibabacloud:v1.12.8@sha256:d9a4a9c4f5d5969cb3bbfdbe773a182858de53c3b3d88dd39e80f89b97f1c7b2

operator-aws

docker.io/cilium/operator-aws:v1.12.8@sha256:6177a5f6ab05dedfc93268ab7aa02da37e2a96c6a4c75243cb1b33aecc1c68ad
quay.io/cilium/operator-aws:v1.12.8@sha256:6177a5f6ab05dedfc93268ab7aa02da37e2a96c6a4c75243cb1b33aecc1c68ad

operator-azure

docker.io/cilium/operator-azure:v1.12.8@sha256:da3ff887535d7687564afeb4108046069de14ed2fee368908adf9e467238ff7e
quay.io/cilium/operator-azure:v1.12.8@sha256:da3ff887535d7687564afeb4108046069de14ed2fee368908adf9e467238ff7e

operator-generic

docker.io/cilium/operator-generic:v1.12.8@sha256:7431f0c2001fb875b1a8901e103825394c38cd6c63a1435a3273ed20ae0e7578
quay.io/cilium/operator-generic:v1.12.8@sha256:7431f0c2001fb875b1a8901e103825394c38cd6c63a1435a3273ed20ae0e7578

operator

docker.io/cilium/operator:v1.12.8@sha256:1d3f32b112034dc0a7b83cde55850f00cf3adca9ae7f51aff42f2f8228998c8b
quay.io/cilium/operator:v1.12.8@sha256:1d3f32b112034dc0a7b83cde55850f00cf3adca9ae7f51aff42f2f8228998c8b

Details

date: March 17, 2023, 12:19 p.m.
name: 1.12.8
type: Patch