Changelog

The Cilium core team are excited to announce the Cilium 1.13 release. :tada:

v1.13.0

Summary of Changes

Major Changes: * Add IPv6 BIG TCP support (#20349, @NikAleksandrov) * Add LoadBalancer IP address management (LB-IPAM) (#21764, @dylandreimerink) * Add partial support for SCTP (#20033, @DolceTriade) * Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed) * Add support for k8s 1.26 (#22270, @thorn3r) * Add tracing for socket-based load balancing. (#20492, @aditighag) * Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink) * bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann) * cilium: completion of nat46/64 gateway (Backport PR #22948, Upstream PR #22421, @borkmann) * CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme) * gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras) * ingress: Support shared load balancer mode (#21386, @sayboras) * Sign Cilium container images using cosign (#21918, @sandipanpanda) * Support Kubernetes v1.21 new field internalTrafficPolicy=Local. (Backport PR #23001, Upstream PR #21871, @gentoo-root)

Minor Changes: * [v1.13] hubble-relay: deprecate peer svc through local unix domain socket (#23442, @kaworu) * add nonMasqueradeCIDRs configuration to the ipMasqAgent section in Helm Chart values. (#20137, @cyclinder) * Add "cilium map events

This helps users to correctly spread the pods across failure-domains such as
regions, zones, nodes, and other user-defined topology domains to achieve
maximum high availability (HA) and efficient resource utilization. (#20046, @mkilchhofer) * add an option to wait for kube-proxy (#20517, @michi-covalent) * add helm option configuredMTU to overwrite auto-detected MTU and tunnelPort helm document (#20639, @vincentmli) * Add metric on number of requests rejected by DNS Proxy semaphore (#20491, @rahulkjoshi) * Add new ENI IPAM metrics for allocation, release (#20755, @wu0407) * Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie) * Add Prometheus gRPC metrics for hubble and hubble-relay (#20376, @chancez) * Add support for disabling ENI PD at node level (#20308, @hemanthmalla) * add support for k8s 1.25.0 (#20995, @aanm) * Add support to fallback from ENI PD if subnet is out of /28 prefixes (#20822, @hemanthmalla) * Add the additional print columns CiliumInternalIP and InternalIP for kubectl get ciliumnode command. (#21258, @bavarianbidi) * Add TraceID field to Hubble flow and populate it from L7/HTTP flow. (#21456, @rolinh) * Add workload name and kind into L7 flows (#21039, @chancez) * Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme) * Added hubble.ui.frontend.server.ipv6.enabled helm flag to control nginx server ipv6 listener (#21127, @geakstr) * Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol) * Allow users to specify hostports with localhost hostIP (#21366, @aspsk) * Automatically adjust bpf-policy-map-max if the maximum value is exceeded (#22129, @Vishal-Chdhry) * bpf/tests: fix redundant usage of variable offset (#22390, @sahid) * bpf: Add missing identity to TRACE_TO_STACK packet traces (#21403, @pchaigno) * bpf: Implement Segment Routing Header (SRH) support (#20764, @pchaigno) * bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann) * Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar) * Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer) * CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (#20458, @jrajahalme) * Cilium Istio integration is updated to Istio release 1.10.6 (#18384, @jrajahalme) * Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme) * cilium, bwm: Disable slow start after idle under pacing (#21356, @borkmann) * cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki) * cilium: Remove attached bpf_xdp upon "cilium cleanup" (#19735, @zhanghe9702) * clarify some docs around the kubeProxyReplacement=partial mode (#19831, @aecay) * clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa) * ctmap: add support for GC of DSR orphaned entries (#21626, @jibi) * daemon: Deprecate SockOps (Backport PR #23687, Upstream PR #23555, @brb) * daemon: Don't auto disable session affinity (#16179, @brb) * daemon: Rename host-reachable services to socket LB (#20369, @brb) * Default NodesGCInterval in CLI is 5m (0s before) to align with default helm value. (#20671, @hemslo) * Disable and deprecate force-local-policy-eval-at-source (#22190, @pchaigno) * Disable eBPF host routing in cni chaining mode (#22044, @smwyzi) * DNS proxy: forward the original security identity (#20711, @aspsk) * DNS Proxy: pass original security identity (#20859, @aspsk) * dnsproxy: stop serving DNS traffic before agent shutdown (#20795, @nebril) * docs: refactor AKS installation instructions (Backport PR #23687, Upstream PR #23304, @nbusseneau) * document ipv4/ipv6 native routing cidr helm option missing in Documentation and helm reference (#21195, @vincentmli) * egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann) * Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu) * Enable operator operation without kubernetes. (#21344, @pruiz) * eni: Add garbage collector for leaked ENIs (#21409, @gandro) * envoy: Bump envoy version to 1.21.5 (#20771, @sayboras) * envoy: Bump envoy version to 1.22.7 (Backport PR #23644, Upstream PR #23502, @sayboras) * envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras) * Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco) * feat(helm): allow adding extra containers to the cilium daemonset (#20343, @mhulscher) * feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink) * Fix behavior where packets leave node if there are no backends (#21539, @michaelasp) * Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic) * fix empty message when tunnel and socketLB service missing in switch case (#21314, @vincentmli) * fqdn/metrics: Fix ProxyUpstreamTime error=timeout (#20752, @joestringer) * Get rid of KPR=probe and socket-LB protocols (#22083, @brb) * helm: Add node-role.kubernetes.io/control-plane key (Backport PR #23001, Upstream PR #22893, @my-git9) * helm: Add validation for Ingress Controller (#21550, @sayboras) * helm: Document debug.verbose option (Backport PR #23284, Upstream PR #23178, @sayboras) * Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj) * helm: Properly support passing subnet-tags/subnet-ids/instance-tags filters as a list (#21297, @slayer321) * helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9) * helm: Remove duplicated key hostAliases (#20278, @sayboras) * helm: Set Linux nodeSelector for nodeinit and preflight (#20216, @gandro) * helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez) * hubble/filter: add a new endpoint workload filter (#21296, @kaworu) * hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez) * hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez) * hubble: Add hubble_policy_verdicts_total metric (#20470, @michi-covalent) * hubble: Add kafka metrics (#21318, @chancez) * hubble: Add reserved-identity metric context (#20474, @michi-covalent) * hubble: add support for filtering by trace ID (#21551, @rolinh) * hubble: Add support for SockLB tracing (#21685, @gandro) * hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez) * image: Bump base image to ubuntu 22.04 (#20943, @sayboras) * image: Upgrade ubuntu base image to 22.04 (#21097, @sayboras) * Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge) * Improve verbosity of drop notification messages. (#20387, @aspsk) * Improve verbosity of drop notification messages. (#20827, @aspsk) * In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd) * ingress: add websockets configuration (#20814, @nikhiljha) * ingress: Follow-up items for shared LB mode (#21493, @sayboras) * ingress: Propagate required annotations from Ingress to LB Service (#20860, @NikhilSharmaWe) * ingress: Rename LB annotation to annotation prefixes (#21222, @sayboras) * ingress: Support NodePort for dedicated Ingress (Backport PR #23284, Upstream PR #22974, @sayboras) * install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser) * install: add TerminationMessagePolicy to cilium pods (#21012, @squeed) * Introduce Hubble HTTP v2 metrics and dashboards (#21181, @chancez) * Introduce smarter internal cache to reduce memory consumption for FQDN / DNS policy usage, especially in environment with heavy FQDN / DNS policy usage (#21288, @odinuge) * ipam: Add exponential backoff when pool maintanance fails (#21473, @gandro) * ipam: Change default rate limiting access to external APIs (#21387, @gandro) * ipam: Support custom owner IPs in CRD IPAM pool (#21379, @llhhbc) * K8s client as reusable cell (#21026, @joamaki) * k8s/crds: Allow ingress entity in CNP (#20536, @sayboras) * label all Cilium resources with "app.kubernetes.io/part-of: cilium" (#20213, @cyclinder) * Load multiple programs for one CollectionSpec loading (#22025, @alexkats) * maglev: support setting a weight of a backend in a service spec via new cmdline argument (#18306, @oblazek) * makefile: add a new target to run 'golangci-lint run --fix' (#21547, @aspsk) * Minor cleanups in FQDN name manager (#20886, @pippolo84) * Move the clusterrole precheck inline script to one that can be ran locally. (#20786, @ldelossa) * operator: Add RBAC permission for CiliumNodeConfigs resource (Backport PR #23001, Upstream PR #22824, @sayboras) * pkg/metrics: include revision and arch info in cilium_version (Backport PR #23147, Upstream PR #22795, @ArthurChiao) * Prepend Envoy resources with CEC namespace and name (#21500, @pippolo84) * put stderr of iptables command into error instead of merging into stdout (#20895, @liuyuan10) * relay: Add Go runtime metrics and process metrics (#22316, @chancez) * Remove check on intSlice type from config map validation (#20638, @pippolo84) * Remove deprecated spec.eni.{min-allocate,pre-allocate,max-above-watermark} parameters (#21951, @obaranov1) * Remove IPVLAN support following the deprecation in v1.11. (#20453, @pchaigno) * sctp: Handle SCTP when correlating Endpoints to services. (#21490, @DolceTriade) * service: Improve memory usage when handling update of a big service. (#20410, @alan-kut) * Sign container images with cosign (#21739, @sandipanpanda) * Support configuring metricsRelabelings on ServiceMonitors (#21051, @chancez) * Support L4 any port policy. (#21185, @liuxu623) * Support new hubble metrics context: "labelsContext" (#21079, @chancez) * The CNI configuration file is now written only after the agent has successfully started up. Configuring a custom CNI configuration file is now simpler and more reliable. See the docs for more details. (#21375, @squeed) * The default CNI version is now v0.4.0. Cilium now supports the CNI CHECK action. (#20956, @squeed) * Traffic addressed to a service IP is dropped, if no backend is available. (#22388, @julianwiedmann) * Traffic can now we redirected to Envoy listeners via Cilium Network Policy listener option. (Backport PR #22822, Upstream PR #21600, @jrajahalme) * Update cilium agent Grafana dashboard to filter by pod (#20307, @ungureanuvladvictor) * Update connectivity tests for clusters running NodeLocal DNSCache with Local Redirect Policy. (#20086, @eminaktas) * Update Helm Chart to use Hubble-UI v0.10.0 images by default. (Backport PR #23500, Upstream PR #23184, @pjbgf) * When combining XDP Nodeport Acceleration with Egress Gateway, forwarding the EgressGW reply traffic no longer requires a specific iptables configuration on the Gateway node. (#20837, @julianwiedmann) * XDP NodePort Acceleration can also be used for clusters in tunnel mode. (#21364, @julianwiedmann)

Full change log can be found in changelog