Cilium - v1.13.3

Security

We are pleased to release Cilium v1.13.3. This release fixes bugs in the IPsec and policy implementations and is recommended for all users.

Summary of Changes

Major Changes:
* Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (Backport PR #25019, Upstream PR #24826, @jrajahalme)
* policy: Promote Deny Policies from Beta to Stable (#25427, @nathanjsweet)

Minor Changes:
* Drop traffic matching an egress gateway policy when no gateway is found (Backport PR #24999, Upstream PR #24835, @MrFreezeex)
* ingress: Add ownerReferences for shared mode (Backport PR #25013, Upstream PR #24942, @sayboras)
* sysdump: Added Kubernetes CNI logs to sysdump. (Backport PR #25346, Upstream PR #23937, @marseel)
* Update CNI (loopback) to 1.3.0 (Backport PR #25454, Upstream PR #25400, @anfernee)
* Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (Backport PR #25346, Upstream PR #24914, @margau)

Bugfixes:
* Add support for builtin kernel modules (Backport PR #25137, Upstream PR #23953, @TheAifam5)
* Address cilium-agent startup performance regression. (Backport PR #25185, Upstream PR #25007, @bimmlerd)
* cmd/cleanup: Fix cleanup of generic XDP programs (Backport PR #25184, Upstream PR #25117, @pchaigno)
* datapath: Fix double SNAT (Backport PR #25223, Upstream PR #25189, @brb)
* DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #25346, Upstream PR #25147, @jrajahalme)
* Filter IPv6 advertisements when using MetalLB as BGP speaker. (Backport PR #25137, Upstream PR #25043, @harsimran-pabla)
* Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (Backport PR #25368, Upstream PR #25298, @asauber)
* Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (Backport PR #25086, Upstream PR #24807, @jschwinger233)
* Fix bug that caused ToCIDR netpols matching kube-apiserver IPs (when external to the cluster) to not reliably allow connectivity. (#25241, @giorio94)
* Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (Backport PR #25137, Upstream PR #25024, @pchaigno)
* Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #25013, Upstream PR #24825, @christarazi)
* Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25013, Upstream PR #24785, @giorio94)
* Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #25346, Upstream PR #25087, @joamaki)
* Fix incorrect network policy eBPF setup that may lead to packets being incorrectly denied when a CEP is present in multiple CES (Backport PR #25184, Upstream PR #24838, @alan-kut)
* Fix operator shutdown hanging when kvstore is enabled (Backport PR #25223, Upstream PR #24979, @giorio94)
* Fix operator startup delay caused by leader election lease not being released correctly (Backport PR #25137, Upstream PR #24978, @giorio94)
* Fix panic due to assignment to nil BGP service announcements map. (Backport PR #25013, Upstream PR #24985, @harsimran-pabla)
* Fix permission issue when copying cni plugins onto host path (Backport PR #25346, Upstream PR #24891, @JohnJAS)
* Fix security-group-tags not working in ENI (Backport PR #25013, Upstream PR #24951, @aanm)
* Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25346, Upstream PR #25222, @bimmlerd)
* Fix syncing of relevant node annotations into CiliumNode (Backport PR #25368, Upstream PR #25307, @meyskens)
* Fix a bug where long-lived connections using egress gateway may be reset. (Backport PR #25346, Upstream PR #24905, @gentoo-root)
* ipcache: don't short-circuit InjectLabels if source differs (Backport PR #25077, Upstream PR #24875, @squeed)
* pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25013, Upstream PR #24786, @hemanthmalla)
* Track reply packets in long-lived egress gateway connections and SNATed host-local connections. (Backport PR #25424, Upstream PR #25112, @gentoo-root)
* When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (Backport PR #24795, Upstream PR #22978, @julianwiedmann)

CI Changes:
* Always use the 8.8.8.8 DNS resolver in kind (Backport PR #25409, Upstream PR #24713, @aspsk)
* ci: remove STATUS commands from upstream tests' Jenkinsfile (Backport PR #25137, Upstream PR #25046, @nbusseneau)
* Delete "Cilium monitor verbose mode" test (Backport PR #25346, Upstream PR #25212, @michi-covalent)
* Enable testing of BPF programs requiring XDP_TX in CI (Backport PR #25409, Upstream PR #24250, @lmb)
* inctimer: fix test flake where timer does not fire within the expected time. (Backport PR #25346, Upstream PR #25219, @tommyp1ckles)
* jenkinsfiles: Fix order of ginkgo tests (Backport PR #25137, Upstream PR #25002, @pchaigno)
* mlh: update Jenkins jobs following removal of kernel 4.9 support (#24955, @nbusseneau)
* test: Unquarantine host firewall + nodeport test (Backport PR #25184, Upstream PR #25025, @pchaigno)

Misc Changes:
* bpf: dsr: don't track L2 addresses for DSR traffic (Backport PR #24795, Upstream PR #24524, @julianwiedmann)
* bpf: dsr: restore CB_SRC_LABEL across DSR-INGRESS tail-call (Backport PR #24795, Upstream PR #24794, @julianwiedmann)
* bpf: lb: introduce an optimized CT lookup (Backport PR #24795, Upstream PR #22936, @julianwiedmann)
* bpf: minor CT cleanups (Backport PR #24795, Upstream PR #23718, @julianwiedmann)
* bpf: nodeport: minor DSR improvements (Backport PR #24795, Upstream PR #23326, @julianwiedmann)
* chore(deps): update docker.io/library/golang:1.19.8 docker digest to 9f2dd04 (v1.13) (#25421, @renovate[bot])
* chore(deps): update hubble cli to v0.11.5 (v1.13) (patch) (#25125, @renovate[bot])
* daemon: Mark CES feature as beta in agent flag (Backport PR #25013, Upstream PR #24850, @pchaigno)
* docs: socketLB.hostNamespaceOnly also needed for gVisor (Backport PR #25346, Upstream PR #25322, @pchaigno)
* docs: Add matrix version between envoy and cilium (Backport PR #25223, Upstream PR #25109, @sayboras)
* docs: Add platform support to docs (Backport PR #25223, Upstream PR #25174, @joestringer)
* docs: small fixes for k8s upgrade guide (Backport PR #25013, Upstream PR #24869, @tklauser)
* Documentation: add migration document (Backport PR #25013, Upstream PR #23751, @squeed)
* documentation: move policy warning to v1.13.2 section (#24997, @squeed)
* envoy: Debug log remote IDs for Envoy policies (Backport PR #25013, Upstream PR #24939, @jrajahalme)
* Fix missed clustermesh config change race condition with back-to-back changes (Backport PR #25013, Upstream PR #24993, @giorio94)
* Fix possible panic in the ipcache when removing the prefix labels for an unknown resource ID (Backport PR #25346, Upstream PR #25230, @giorio94)
* Fixed documentation regarding cilium versioning scheme and support (Backport PR #25223, Upstream PR #25171, @ayesha-kr)
* gha: Add retry mechanism in http test (Backport PR #25346, Upstream PR #25244, @sayboras)
* helm: add clustermesh nodeport config warning about known bug #24692 (Backport PR #25223, Upstream PR #25033, @giorio94)
* hive: Don't log interrupt signal as error (Backport PR #25013, Upstream PR #23880, @joamaki)
* ipsec: Install default-drop XFRM policy sooner (Backport PR #25346, Upstream PR #25257, @pchaigno)
* Makefile: use a specific template for mktemp files (Backport PR #25223, Upstream PR #25192, @kaworu)
* node/manager: Only remove old IPs if they weren't already added (Backport PR #25013, Upstream PR #25067, @christarazi)
* pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (Backport PR #25223, Upstream PR #24770, @aditighag)
* Remote node identities are enabled by default in the Cilium agent. They have already been enabled by default in the Helm charts since Cilium version 1.7. (Backport PR #25013, Upstream PR #24874, @tklauser)
* Update the documentation for required IAM policy rights needed for Cilium to work in EKS. (Backport PR #25137, Upstream PR #25078, @toredash)
* Update threat model (Backport PR #25013, Upstream PR #24760, @ferozsalam)

Other Changes:
* [v1.13] contrib/backporting: Fix main branch reference (#25091, @joestringer)
* envoy: Upgrade to v1.23.9 (#25208, @sayboras)
* install: Update image digests for v1.13.2 (#24952, @gentoo-root)
* v1.13: docs: Document upgrade impact for IPsec (#24963, @pchaigno)
* v1.13: docs: Fix typo in IPsec upgrade note (#24973, @pchaigno)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
docker.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.3@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:v1.13.3@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
docker.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a

docker-plugin

docker.io/cilium/docker-plugin:v1.13.3@sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860
quay.io/cilium/docker-plugin:v1.13.3@sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860
docker.io/cilium/docker-plugin:stable@sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860
quay.io/cilium/docker-plugin:stable@sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860

hubble-relay

docker.io/cilium/hubble-relay:v1.13.3@sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6
quay.io/cilium/hubble-relay:v1.13.3@sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6
docker.io/cilium/hubble-relay:stable@sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6
quay.io/cilium/hubble-relay:stable@sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.3@sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb
quay.io/cilium/operator-alibabacloud:v1.13.3@sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb
docker.io/cilium/operator-alibabacloud:stable@sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb
quay.io/cilium/operator-alibabacloud:stable@sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb

operator-aws

docker.io/cilium/operator-aws:v1.13.3@sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae
quay.io/cilium/operator-aws:v1.13.3@sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae
docker.io/cilium/operator-aws:stable@sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae
quay.io/cilium/operator-aws:stable@sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae

operator-azure

docker.io/cilium/operator-azure:v1.13.3@sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8
quay.io/cilium/operator-azure:v1.13.3@sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8
docker.io/cilium/operator-azure:stable@sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8
quay.io/cilium/operator-azure:stable@sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8

operator-generic

docker.io/cilium/operator-generic:v1.13.3@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
quay.io/cilium/operator-generic:v1.13.3@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
docker.io/cilium/operator-generic:stable@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
quay.io/cilium/operator-generic:stable@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910

operator

docker.io/cilium/operator:v1.13.3@sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c
quay.io/cilium/operator:v1.13.3@sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c
docker.io/cilium/operator:stable@sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c
quay.io/cilium/operator:stable@sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c


Details

date: May 26, 2023, 9:11 p.m.
name: 1.13.3
type: Patch