Cilium - v1.13.0


Changelog

The Cilium core team are excited to announce the Cilium 1.13 release. :tada:

v1.13.0

Summary of Changes

Major Changes:
* Add IPv6 BIG TCP support (#20349, @NikAleksandrov)
* Add LoadBalancer IP address management (LB-IPAM) (#21764, @dylandreimerink)
* Add partial support for SCTP (#20033, @DolceTriade)
* Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
* Add support for k8s 1.26 (#22270, @thorn3r)
* Add tracing for socket-based load balancing. (#20492, @aditighag)
* Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
* bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann)
* cilium: completion of nat46/64 gateway (Backport PR #22948, Upstream PR #22421, @borkmann)
* CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)
* gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras)
* ingress: Support shared load balancer mode (#21386, @sayboras)
* Sign Cilium container images using cosign (#21918, @sandipanpanda)
* Support Kubernetes v1.21 new field internalTrafficPolicy=Local. (Backport PR #23001, Upstream PR #21871, @gentoo-root)

Minor Changes:
* [v1.13] hubble-relay: deprecate peer svc through local unix domain socket (#23442, @kaworu)
* add nonMasqueradeCIDRs configuration to the ipMasqAgent section in Helm Chart values. (#20137, @cyclinder)
* Add "cilium map events" command that lists bpf map operation events (#21235, @tommyp1ckles)
* Add --source-ranges option to cilium bpf lb list (#19705, @julianwiedmann)
* Add ability to specify topologySpreadConstraints on all parts using kind Deployment. This helps users to correctly spread the pods across failure-domains such as regions, zones, nodes, and other user-defined topology domains to achieve maximum high availability (HA) and efficient resource utilization. (#20046, @mkilchhofer)
* add an option to wait for kube-proxy (#20517, @michi-covalent)
* add helm option configuredMTU to overwrite auto-detected MTU and tunnelPort helm document (#20639, @vincentmli)
* Add metric on number of requests rejected by DNS Proxy semaphore (#20491, @rahulkjoshi)
* Add new ENI IPAM metrics for allocation, release (#20755, @wu0407)
* Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
* Add Prometheus gRPC metrics for hubble and hubble-relay (#20376, @chancez)
* Add support for disabling ENI PD at node level (#20308, @hemanthmalla)
* add support for k8s 1.25.0 (#20995, @aanm)
* Add support to fallback from ENI PD if subnet is out of /28 prefixes (#20822, @hemanthmalla)
* Add the additional print columns CiliumInternalIP and InternalIP for kubectl get ciliumnode command. (#21258, @bavarianbidi)
* Add TraceID field to Hubble flow and populate it from L7/HTTP flow. (#21456, @rolinh)
* Add workload name and kind into L7 flows (#21039, @chancez)
* Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
* Added hubble.ui.frontend.server.ipv6.enabled helm flag to control nginx server ipv6 listener (#21127, @geakstr)
* Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol)
* Allow users to specify hostports with localhost hostIP (#21366, @aspsk)
* Automatically adjust bpf-policy-map-max if the maximum value is exceeded (#22129, @Vishal-Chdhry)
* bpf/tests: fix redundant usage of variable offset (#22390, @sahid)
* bpf: Add missing identity to TRACE_TO_STACK packet traces (#21403, @pchaigno)
* bpf: Implement Segment Routing Header (SRH) support (#20764, @pchaigno)
* bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
* Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
* Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer)
* CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (#20458, @jrajahalme)
* Cilium Istio integration is updated to Istio release 1.10.6 (#18384, @jrajahalme)
* Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme)
* cilium, bwm: Disable slow start after idle under pacing (#21356, @borkmann)
* cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
* cilium: Remove attached bpf_xdp upon "cilium cleanup" (#19735, @zhanghe9702)
* clarify some docs around the kubeProxyReplacement=partial mode (#19831, @aecay)
* clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
* ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
* daemon: Deprecate SockOps (Backport PR #23687, Upstream PR #23555, @brb)
* daemon: Don't auto disable session affinity (#16179, @brb)
* daemon: Rename host-reachable services to socket LB (#20369, @brb)
* Default NodesGCInterval in CLI is 5m (0s before) to align with default helm value. (#20671, @hemslo)
* Disable and deprecate force-local-policy-eval-at-source (#22190, @pchaigno)
* Disable eBPF host routing in cni chaining mode (#22044, @smwyzi)
* DNS proxy: forward the original security identity (#20711, @aspsk)
* DNS Proxy: pass original security identity (#20859, @aspsk)
* dnsproxy: stop serving DNS traffic before agent shutdown (#20795, @nebril)
* docs: refactor AKS installation instructions (Backport PR #23687, Upstream PR #23304, @nbusseneau)
* document ipv4/ipv6 native routing cidr helm option missing in Documentation and helm reference (#21195, @vincentmli)
* egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
* Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
* Enable operator operation without kubernetes. (#21344, @pruiz)
* eni: Add garbage collector for leaked ENIs (#21409, @gandro)
* envoy: Bump envoy version to 1.21.5 (#20771, @sayboras)
* envoy: Bump envoy version to 1.22.7 (Backport PR #23644, Upstream PR #23502, @sayboras)
* envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
* Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco)
* feat(helm): allow adding extra containers to the cilium daemonset (#20343, @mhulscher)
* feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink)
* Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
* Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic)
* fix empty message when tunnel and socketLB service missing in switch case (#21314, @vincentmli)
* fqdn/metrics: Fix ProxyUpstreamTime error=timeout (#20752, @joestringer)
* Get rid of KPR=probe and socket-LB protocols (#22083, @brb)
* helm: Add node-role.kubernetes.io/control-plane key (Backport PR #23001, Upstream PR #22893, @my-git9)
* helm: Add validation for Ingress Controller (#21550, @sayboras)
* helm: Document debug.verbose option (Backport PR #23284, Upstream PR #23178, @sayboras)
* Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
* helm: Properly support passing subnet-tags/subnet-ids/instance-tags filters as a list (#21297, @slayer321)
* helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
* helm: Remove duplicated key hostAliases (#20278, @sayboras)
* helm: Set Linux nodeSelector for nodeinit and preflight (#20216, @gandro)
* helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
* hubble/filter: add a new endpoint workload filter (#21296, @kaworu)
* hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
* hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
* hubble: Add hubble_policy_verdicts_total metric (#20470, @michi-covalent)
* hubble: Add kafka metrics (#21318, @chancez)
* hubble: Add reserved-identity metric context (#20474, @michi-covalent)
* hubble: add support for filtering by trace ID (#21551, @rolinh)
* hubble: Add support for SockLB tracing (#21685, @gandro)
* hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
* image: Bump base image to ubuntu 22.04 (#20943, @sayboras)
* image: Upgrade ubuntu base image to 22.04 (#21097, @sayboras)
* Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge)
* Improve verbosity of drop notification messages. (#20387, @aspsk)
* Improve verbosity of drop notification messages. (#20827, @aspsk)
* In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd)
* ingress: add websockets configuration (#20814, @nikhiljha)
* ingress: Follow-up items for shared LB mode (#21493, @sayboras)
* ingress: Propagate required annotations from Ingress to LB Service (#20860, @NikhilSharmaWe)
* ingress: Rename LB annotation to annotation prefixes (#21222, @sayboras)
* ingress: Support NodePort for dedicated Ingress (Backport PR #23284, Upstream PR #22974, @sayboras)
* install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
* install: add TerminationMessagePolicy to cilium pods (#21012, @squeed)
* Introduce Hubble HTTP v2 metrics and dashboards (#21181, @chancez)
* Introduce smarter internal cache to reduce memory consumption for FQDN / DNS policy usage, especially in environment with heavy FQDN / DNS policy usage (#21288, @odinuge)
* ipam: Add exponential backoff when pool maintenance fails (#21473, @gandro)
* ipam: Change default rate limiting access to external APIs (#21387, @gandro)
* ipam: Support custom owner IPs in CRD IPAM pool (#21379, @llhhbc)
* K8s client as reusable cell (#21026, @joamaki)
* k8s/crds: Allow ingress entity in CNP (#20536, @sayboras)
* label all Cilium resources with "app.kubernetes.io/part-of: cilium" (#20213, @cyclinder)
* Load multiple programs for one CollectionSpec loading (#22025, @alexkats)
* maglev: support setting a weight of a backend in a service spec via new cmdline argument (#18306, @oblazek)
* makefile: add a new target to run 'golangci-lint run --fix' (#21547, @aspsk)
* Minor cleanups in FQDN name manager (#20886, @pippolo84)
* Move the clusterrole precheck inline script to one that can be run locally. (#20786, @ldelossa)
* operator: Add RBAC permission for CiliumNodeConfigs resource (Backport PR #23001, Upstream PR #22824, @sayboras)
* pkg/metrics: include revision and arch info in cilium_version (Backport PR #23147, Upstream PR #22795, @ArthurChiao)
* Prepend Envoy resources with CEC namespace and name (#21500, @pippolo84)
* put stderr of iptables command into error instead of merging into stdout (#20895, @liuyuan10)
* relay: Add Go runtime metrics and process metrics (#22316, @chancez)
* Remove check on intSlice type from config map validation (#20638, @pippolo84)
* Remove deprecated spec.eni.{min-allocate,pre-allocate,max-above-watermark} parameters (#21951, @obaranov1)
* Remove IPVLAN support following the deprecation in v1.11. (#20453, @pchaigno)
* sctp: Handle SCTP when correlating Endpoints to services. (#21490, @DolceTriade)
* service: Improve memory usage when handling update of a big service. (#20410, @alan-kut)
* Sign container images with cosign (#21739, @sandipanpanda)
* Support configuring metricsRelabelings on ServiceMonitors (#21051, @chancez)
* Support L4 any port policy. (#21185, @liuxu623)
* Support new hubble metrics context: "labelsContext" (#21079, @chancez)
* The CNI configuration file is now written only after the agent has successfully started up. Configuring a custom CNI configuration file is now simpler and more reliable. See the docs for more details. (#21375, @squeed)
* The default CNI version is now v0.4.0. Cilium now supports the CNI CHECK action. (#20956, @squeed)
* Traffic addressed to a service IP is dropped, if no backend is available. (#22388, @julianwiedmann)
* Traffic can now be redirected to Envoy listeners via the Cilium Network Policy listener option. (Backport PR #22822, Upstream PR #21600, @jrajahalme)
* Update cilium agent Grafana dashboard to filter by pod (#20307, @ungureanuvladvictor)
* Update connectivity tests for clusters running NodeLocal DNSCache with Local Redirect Policy. (#20086, @eminaktas)
* Update Helm Chart to use Hubble-UI v0.10.0 images by default. (Backport PR #23500, Upstream PR #23184, @pjbgf)
* When combining XDP Nodeport Acceleration with Egress Gateway, forwarding the EgressGW reply traffic no longer requires a specific iptables configuration on the Gateway node. (#20837, @julianwiedmann)
* XDP NodePort Acceleration can also be used for clusters in tunnel mode. (#21364, @julianwiedmann)

The full change log can be found in the CHANGELOG file of the release.


Details

date: Feb. 15, 2023, 3:57 p.m.
name: 1.13.0
type: Minor