Overview All releases

Version History

v1.16.0-pre.1 v1.16.0-pre.0 v1.15.4 v1.15.3 v1.15.2 v1.15.1 v1.15.0 v1.15.0-rc.1 v1.15.0-rc.0 v1.15.0-pre.3 v1.15.0-pre.2 v1.15.0-pre.1 v1.15.0-pre.0 v1.14.10 v1.14.9 v1.14.8 v1.14.7 v1.14.6 v1.14.5 v1.14.4 v1.14.3 v1.14.2 v1.14.1 v1.14.0 v1.14.0-snapshot.4 v1.14.0-snapshot.3

v1.14.0-snapshot.2

v1.14.0-snapshot.1

v1.14.0-snapshot.0

v1.14.0-rc.1 v1.14.0-rc.0 v1.13.15 v1.13.14 v1.13.13 v1.13.12 v1.13.11 v1.13.10 v1.13.9 v1.13.8 v1.13.7 v1.13.6 v1.13.5 v1.13.4 v1.13.3

v1.13.2

v1.13.1 v1.13.0

v1.13.0-rc5

v1.13.0-rc4

v1.13.0-rc3

v1.13.0-rc2

v1.13.0-rc1

v1.13.0-rc0

v1.12.19 v1.12.18 v1.12.17 v1.12.16 v1.12.15 v1.12.14 v1.12.13 v1.12.12 v1.12.11 v1.12.10 v1.12.9 v1.12.8 v1.12.7 v1.12.6 v1.12.5 v1.12.4 v1.12.3 v1.12.2 v1.12.1 v1.12.0

v1.12.0-rc3

v1.12.0-rc2

v1.12.0-rc1

v1.12.0-rc0

v1.11.20 v1.11.19 v1.11.18 v1.11.17 v1.11.16 v1.11.15 v1.11.14 v1.11.13 v1.11.12 v1.11.11 v1.11.10 v1.11.9 v1.11.8 v1.11.7 v1.11.6 v1.11.5 v1.11.4 v1.11.3 v1.11.2 v1.11.1

v1.11.0

v1.11.0-rc3

v1.11.0-rc2

v1.11.0-rc1

v1.11.0-rc0

v1.10.20 v1.10.19 v1.10.18 v1.10.17 v1.10.16 v1.10.15 v1.10.14 v1.10.13 v1.10.12 v1.10.11 v1.10.10 v1.10.9 v1.10.8 v1.10.7

v1.10.6

v1.10.5

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.10.0-rc2

v1.10.0-rc1

v1.10.0-rc0

v1.9.18 v1.9.17 v1.9.16 v1.9.15 v1.9.14 v1.9.13 v1.9.12

v1.9.11

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc3

v1.9.0-rc2

v1.9.0-rc1

v1.8.13

v1.8.12

v1.8.11

v1.8.10

v1.8.9

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc4

v1.8.0-rc3

v1.8.0-rc2

v1.8.0-rc1

v1.7.16

v1.7.15

v1.7.14

v1.7.13

v1.7.12

v1.7.11

v1.7.10

v1.7.9

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc4

v1.7.0-rc3

v1.7.0-rc2

v1.7.0-rc1

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.1

v1.5.0

v1.4.10

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

1.4.4

1.4.3

v1.4.2

1.4.1

v1.4.0

v1.3.8

v1.3.7

1.3.6

1.3.5

v1.3.4

v1.3.3

1.3.2

v1.3.1

1.3.0

v1.2.8

v1.2.7

v1.2.6

v1.2.5

v1.2.4

v1.2.3

1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc1

v1.1.6

1.1.5

v1.1.4

1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.1.0-rc4

v1.1.0-rc3

v1.1.0-rc2

v1.1.0-rc1

v1.0.7

1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v1.0.0-rc9

v1.0.0-rc8

v1.0.0-rc7

v1.0.0-rc6

v1.0.0-rc5

v1.0.0-rc4

v1.0.0-rc2

v1.0.0-rc14

v1.0.0-rc13

v1.0.0-rc11

v1.0.0-rc10

v1.0.0-rc1

v0.11

0.10.1

v0.10.0

v0.9.0

v0.9.0-rc1

v0.8.2

v0.8.1

v0.8.0

Cilium - v1.13.2

Security

We are pleased to release Cilium v1.13.2.

This release addresses the following security issue:
* GHSA-pg5p-wwp8-97g8

Note: When updating to this release, make sure that you are using new helm chart version.

Summary of Changes

Known Issues:

There is a known issue (#24502) with CiliumNetworkPolicies that makes the kube-apiserver entity unreliable. Until this is resolved, it is recommended to remain on Cilium v1.12 or earlier if you are using the kube-apiserver entity in your CiliumNetworkPolicies.

Minor Changes:
* envoy: Bump envoy to v1.23.8 (#24909, @sayboras)
* envoy: Bump envoy version to v1.23.7 (#24746, @sayboras)
* Move poststart eni script to agent pod from nodeinit pod (Backport PR #24547, Upstream PR #24134, @nebril)
* Provides operational state of BGP peers via CLI 'cilium bgp peers' (Backport PR #24821, Upstream PR #24612, @harsimran-pabla)
* Support L2-less devices with fast forward (bpf-based host routing) (Backport PR #24706, Upstream PR #23935, @jschwinger233)

Bugfixes:
* agent: rework clustermesh config watcher for increased robustness (Backport PR #24547, Upstream PR #24163, @giorio94)
* bpf: dsr: fix parsing of IPv6 AUTH extension header (Backport PR #24821, Upstream PR #24792, @julianwiedmann)
* bpf: fix ipv6 extension header parsing error (Backport PR #24706, Upstream PR #24309, @chenyuezhou)
* bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #24821, Upstream PR #24797, @julianwiedmann)
* Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (Backport PR #24607, Upstream PR #24339, @giorio94)
* daemon: initialize datapath before compiling sockops programs (Backport PR #24547, Upstream PR #24140, @jibi)
* egressgw: update all internal caches once k8s state is synced (Backport PR #24706, Upstream PR #24034, @jibi)
* endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #24706, Upstream PR #24575, @mhofstetter)
* Fix a bug where users are unable to change a wrong remote etcd configuration (Backport PR #24547, Upstream PR #24046, @oblazek)
* Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (Backport PR #24706, Upstream PR #24619, @giorio94)
* Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #24547, Upstream PR #24304, @dylandreimerink)
* Fix bug where ingress policies for remote-note identities are not applied correctly new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (Backport PR #24547, Upstream PR #23764, @christarazi)
* Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #24547, Upstream PR #24189, @forgems)
* Fix for disabled cloud provider rate limiting (Backport PR #24547, Upstream PR #24413, @hemanthmalla)
* Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24870, @aanm)
* Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24843, Upstream PR #24788, @jrajahalme)
* gateway-api: Re-queue gateway for namespace change (Backport PR #24758, Upstream PR #24624, @sayboras)
* Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (Backport PR #24758, Upstream PR #24681, @aditighag)
* helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #24821, Upstream PR #24666, @giorio94)
* ipsec: Clean up stale XFRM policies and states (Backport PR #24821, Upstream PR #24773, @pchaigno)
* Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (Backport PR #24706, Upstream PR #24646, @MrFreezeex)
* Services backends with publishNotReadyAddresses are able to receive traffic independently if they are Terminating, since is the user intent to make them reachable despite its state. (Backport PR #24547, Upstream PR #24174, @aojea)
* Set user-agent for k8s client with Cilium's version (Backport PR #24547, Upstream PR #24275, @aanm)
* Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (Backport PR #24814, Upstream PR #24672, @bimmlerd)

CI Changes:
* bpf/test: Add unit test to check whether netpol drops result in metric counter increament (Backport PR #24607, Upstream PR #24469, @brb)
* bpf/tests: fix mac addresses definitions in egressgw test (Backport PR #24607, Upstream PR #23351, @jibi)
* datapath/linux/route: fix CI expectations for rule string format (Backport PR #24607, Upstream PR #24577, @NikAleksandrov)
* Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24706, Upstream PR #24484, @jschwinger233)
* Fixed flake in the TestRequestIPWithMismatchedLabel LB-IPAM tests. (Backport PR #24547, Upstream PR #23297, @dylandreimerink)
* gha: Clean-up Ingress/GatewayAPI Conformance tests (Backport PR #24441, Upstream PR #24025, @sayboras)
* Increase timeout waiting for resources in Ingress conformance test (Backport PR #24441, Upstream PR #24388, @meyskens)
* Port verifier tests to Go (Backport PR #24706, Upstream PR #24538, @ti-mo)
* renovate: Fix Hubble release digest regex (Backport PR #24547, Upstream PR #24477, @gandro)
* test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (Backport PR #24547, Upstream PR #24144, @joestringer)
* test: Remove some {DP,Services} Ginkgo test cases (Backport PR #24547, Upstream PR #24223, @brb)
* test: Update 1.26 k8s version (Backport PR #24607, Upstream PR #24569, @sayboras)
* tests: add exceptions for lease errors due to etcd (Backport PR #24758, Upstream PR #24723, @jibi)

Misc Changes:
* Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24929, Upstream PR #24928, @aanm)
* Avoid clearing objects in conversion funcs (Backport PR #24929, Upstream PR #24241, @odinuge)
* bgp: extract exportPodCIDRReconciler logic into a generic function (Backport PR #24607, Upstream PR #24546, @jibi)
* bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (Backport PR #24547, Upstream PR #24271, @borkmann)
* bpf_test: use bpf.LoadCollection, print full verifier error logs (Backport PR #24607, Upstream PR #23281, @ti-mo)
* checker: Fix incorrect checker for ExportedEqual() (Backport PR #24547, Upstream PR #24373, @christarazi)
* chore(deps): update base-images (v1.13) (#24467, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.11.3 (v1.13) (#24799, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24233, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24234, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24800, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24802, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.7 docker digest to d2078d2 (v1.13) (#24550, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.8 docker digest to 31a2f92 (v1.13) (#24831, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.13) (#24472, @renovate[bot])
* cilium, docs: Move sig-datapath meeting to on-demand only (Backport PR #24547, Upstream PR #24205, @borkmann)
* doc: Fixed CiliumNode CRD fields for cluster-pool doc (Backport PR #24547, Upstream PR #24428, @PhilipSchmid)
* doc: kubeProxyReplacement=strict / kube-proxy co-existence (Backport PR #24547, Upstream PR #24407, @PhilipSchmid)
* docs: add note that there are two Cilium CLIs (Backport PR #24547, Upstream PR #24435, @lizrice)
* docs: Cleanup and update list of supported drivers for XDP (Backport PR #24547, Upstream PR #24398, @pchaigno)
* docs: Document the threat model for Cilium (Backport PR #24706, Upstream PR #24497, @ferozsalam)
* docs: fix typo in operations/troubleshooting.rst (Backport PR #24547, Upstream PR #24460, @NikAleksandrov)
* docs: Fix upgradeCompatibility references (Backport PR #24758, Upstream PR #24711, @joestringer)
* docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24547, Upstream PR #24164, @jspaleta)
* docs: Update egress gateway limitations (Backport PR #24547, Upstream PR #24244, @pchaigno)
* docs: Update the documentation for the --conntrack-gc-interval flag (Backport PR #24547, Upstream PR #24400, @pchaigno)
* egressgw: change special values for gatewayIP (Backport PR #24849, Upstream PR #24449, @MrFreezeex)
* Emit full verifier logs to agent logs and verifier.log in the endpoint directory (Backport PR #24706, Upstream PR #24506, @ti-mo)
* endpoint: correctly log IPv6 addresses (Backport PR #24547, Upstream PR #24255, @tklauser)
* Expose bpf-lb-sock-hostns-only in cilium status (Backport PR #24758, Upstream PR #24570, @romanspb80)
* Fix duplicated logs for test-output.log (Backport PR #24547, Upstream PR #24171, @romanspb80)
* Fixed BPF tests which would fail on older kernels (<=5.8) due to unsupported program loading (Backport PR #24607, Upstream PR #22980, @dylandreimerink)
* gha: Skip HTTPRouteListenerHostnameMatching test temporarily (Backport PR #24821, Upstream PR #24521, @sayboras)
* hubble-ui: allow ingress from non root / urls (Backport PR #24607, Upstream PR #23631, @geakstr)
* loader: Don't compile .asm files by default (Backport PR #24821, Upstream PR #24769, @pchaigno)
* Operator: Move leader election to a separate Kubernetes client (Backport PR #24547, Upstream PR #24267, @alexkats)
* pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24758, Upstream PR #24715, @aanm)
* pkg/cgroups: Prune excessive debug logging (Backport PR #24843, Upstream PR #24815, @aditighag)
* pkg/service: Extend unit test cases (Backport PR #24821, Upstream PR #24742, @aditighag)
* proxylib: Downgrade noisy log msg to debug level (Backport PR #24547, Upstream PR #22848, @christarazi)

Other Changes:
* Backport warning about known policy bug to v1.13 (#24892, @squeed)
* docs: Document IPsec upgrade issue on v1.13.1 (#24705, @pchaigno)
* helm: fix poststart-eni.bash execution in agent DS (#24789, @nebril)
* install: Update image digests for v1.13.1 (#24427, @nebril)
* Prepare for release v1.13.2 (#24900, @gentoo-root)
* v1.13 egress gateway tests sync (#24859, @jibi)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.2@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6
quay.io/cilium/cilium:v1.13.2@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6
docker.io/cilium/cilium:stable@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6
quay.io/cilium/cilium:stable@sha256:85708b11d45647c35b9288e0de0706d24a5ce8a378166cadc700f756cc1a38d6

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.2@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3
quay.io/cilium/clustermesh-apiserver:v1.13.2@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3
docker.io/cilium/clustermesh-apiserver:stable@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3
quay.io/cilium/clustermesh-apiserver:stable@sha256:4b07ac66d83dcf329252145f82c126705f291687d5b41161321220d115b7fee3

docker-plugin

docker.io/cilium/docker-plugin:v1.13.2@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810
quay.io/cilium/docker-plugin:v1.13.2@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810
docker.io/cilium/docker-plugin:stable@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810
quay.io/cilium/docker-plugin:stable@sha256:8ca48bbc394d2c12bdf472cd0108db3632aaa0eda67b9011d2d82e18e0daf810

hubble-relay

docker.io/cilium/hubble-relay:v1.13.2@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4
quay.io/cilium/hubble-relay:v1.13.2@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4
docker.io/cilium/hubble-relay:stable@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4
quay.io/cilium/hubble-relay:stable@sha256:51b772cab0724511583c3da3286439791dc67d7c35077fa30eaba3b5d555f8f4

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.2@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b
quay.io/cilium/operator-alibabacloud:v1.13.2@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b
docker.io/cilium/operator-alibabacloud:stable@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b
quay.io/cilium/operator-alibabacloud:stable@sha256:8b5623a272c18ba823a4105308902cf1901fef494ccad85ab00791296fde4b3b

operator-aws

docker.io/cilium/operator-aws:v1.13.2@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6
quay.io/cilium/operator-aws:v1.13.2@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6
docker.io/cilium/operator-aws:stable@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6
quay.io/cilium/operator-aws:stable@sha256:94d5a291f80e2d568302b144d1d002fb1d43b436befed74a38f630fdc6d6f0c6

operator-azure

docker.io/cilium/operator-azure:v1.13.2@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714
quay.io/cilium/operator-azure:v1.13.2@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714
docker.io/cilium/operator-azure:stable@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714
quay.io/cilium/operator-azure:stable@sha256:bfce3268bd32f1703ffb22339f9c306e99015585328a39b179c8ace72481a714

operator-generic

docker.io/cilium/operator-generic:v1.13.2@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab
quay.io/cilium/operator-generic:v1.13.2@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab
docker.io/cilium/operator-generic:stable@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab
quay.io/cilium/operator-generic:stable@sha256:a1982c0a22297aaac3563e428c330e17668305a41865a842dec53d241c5490ab

operator

docker.io/cilium/operator:v1.13.2@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae
quay.io/cilium/operator:v1.13.2@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae
docker.io/cilium/operator:stable@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae
quay.io/cilium/operator:stable@sha256:2c518afd4a1a5123755c1335e3068883283c9572f4355727d789a4846c46c2ae

Security

Security wording was detected, but no CVEs were found.

Details

date

April 18, 2023, 5:41 p.m.

name

1.13.2

type

Patch

official page

https://github.com/cilium/cilium/releases/tag/v1.13.2

👇

🔍View and search all Cilium releases.
🛠️Create and share lists to track your tools.
🚨Setup notifications for major, security, feature or patch updates.
🚀Much more coming soon!

Continue with GitHub

Continue with Google

Username

Password

Password (again)

leave this field blank to prove your humanity