Cilium - v1.14.0-snapshot.3

Summary of Changes

Major Changes:
* Add TLSRoute support to GatewayAPI (#25106, @meyskens)
* New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
* Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)

Minor Changes:
* add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
* Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
* Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
* Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
* Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
* Allow to disable external workloads support in clustermesh-apiserver to improve performance when not needed. (#25259, @giorio94)
* Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
* clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
* clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
* cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
* DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
* dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
* envoy: Add idle timeout configuration option (#25214, @sayboras)
* Fix CIDR json tag in CNP CIDRRule (#25617, @pippolo84)
* Fixed incorrectly rendered chart when both configMap and customConf are specified (#25200, @marseel)
* helm: Bump default spire image version (#25444, @sayboras)
* helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#25010, @giorio94)
* helm: Improve spire template (#25589, @sayboras)
* High-Scale IPcache: Chapter 3 (#25438, @pchaigno)
* identity/cache: fix panic when re-init of cache after close. (#25269, @tommyp1ckles)
* multi-pool: Determine IP pool based on annotation (#25511, @gandro)
* operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#24776, @tommyp1ckles)
* Replace wait-for-it in SPIRE setup with a busybox script (#24959, @meyskens)
* Significantly reduce Hubble flow traffic by transmitting only requested information (#23198, @AwesomePatrol)
* Support enable-endpoint-routes with enable-high-scale-ipcache. (#25601, @pchaigno)
* Support GENEVE encapsulation with high-scale ipcache. (#25591, @pchaigno)
* Update CNI (loopback) to 1.3.0 (#25400, @anfernee)
* Updating documentation helm values now works also on arm64. (#25422, @jrajahalme)
* Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (#24914, @margau)

Bugfixes:
* Add drop notifications for various error paths in the datapath. (#25183, @julianwiedmann)
* Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#25215, @youngnick)
* Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (#25159, @julianwiedmann)
* bpf,datapath: read jiffies from /proc/schedstat (#25795, @ti-mo)
* bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#19753, @sahid)
* bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#24757, @julianwiedmann)
* Compare annotations before discarding CiliumNode updates. (#25465, @LynneD)
* datapath: Fix double SNAT (#25189, @brb)
* DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (#25147, @jrajahalme)
* Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (#25784, @pchaigno)
* Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (#25724, @pchaigno)
* Fix a possible deadlock when using WireGuard transparent encryption. (#25419, @bimmlerd)
* Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (#25298, @asauber)
* Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#25329, @jschwinger233)
* Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (#25744, @joamaki)
* Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#25087, @joamaki)
* Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (#25674, @jrajahalme)
* Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#25499, @giorio94)
* Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (#25426, @bleggett)
* Fix operator shutdown hanging when kvstore is enabled (#24979, @giorio94)
* Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (#25440, @pchaigno)
* Fix permission issue when copying cni plugins onto host path (#24891, @JohnJAS)
* Fix RevSNAT for ICMPv6 packets. (#25306, @julianwiedmann)
* Fix spurious errors containing "Failed to map node IP address to allocated ID". (#25222, @bimmlerd)
* Fix syncing of relevant node annotations into CiliumNode (#25307, @meyskens)
* Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#25320, @harsimran-pabla)
* gateway-api: Race condition between routes and Gateway (#25573, @sayboras)
* gateway-api: Skip reconciliation for non-matching controller routes (#25549, @sayboras)
* helm: Correct typo in Ingress validation (#25570, @sayboras)
* Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (#25803, @pchaigno)
* Track reply packets in long-living egress gateway connections and SNATed host-local connections. (#25112, @gentoo-root)

CI Changes:
* .github/workflows: add missing GH action version annotations (#25369, @tklauser)
* .github: Fix chart push on forks (#25274, @chancez)
* .github: run scruffy for cilium/cilium only (#25772, @aanm)
* Add github workflow to push development helm charts to (#25205, @chancez)
* Add improvements in Conformance Runtime (#25797, @aanm)
* bgpv1: Exercise HoldTime in Test_NeighborAddDel (#25760, @rastislavs)
* bgpv1: Retry peer checks in NeighborAddDel test to avoid flakes (#25641, @rastislavs)
* bpf: Cover high-scale IPcache in complexity tests (#25592, @pchaigno)
* bpf: test: add some IPv6 DSR integration tests (#25443, @julianwiedmann)
* ci-e2e-v1.13: Fix workflow (#25412, @brb)
* ci-e2e: backport changes in conformance-e2e into v1.13 tests (#25386, @brb)
* ci-e2e: Bump cilium-cli v0.1.4.5 (#25672, @brb)
* ci-e2e: Enable --debug when running with EGW (#25789, @brb)
* ci-e2e: Increase hubble buffer capacity (#25710, @brb)
* ci-e2e: Run cilium-cli in Helm mode (#25780, @brb)
* ci-l4lb-v1.1{1,2}: Remove helm charts (#25529, @brb)
* ci: fix Cilium CLI install in ConformanceKindEnvoyDaemonSet (#25459, @nbusseneau)
* ci: fix gke network starvation (#25597, @brlbil)
* CODEOWNERS: Add sig-foundations (#24976, @joamaki)
* Delete "Cilium monitor verbose mode" test (#25212, @michi-covalent)
* Fix external-contribution-label workflow renovate tag (#25429, @chancez)
* Fix verifier issues in IPv6 BPF tests (#25191, @dylandreimerink)
* Fixed flake in pkg/hive/job tests. (#25293, @dylandreimerink)
* Fixed TestTimer_ExitOnCloseFnCtx channel close panic (#25211, @dylandreimerink)
* fuzzing: modify oss-fuzz build script (#24262, @AdamKorcz)
* gh/workflow: change multicluster GKE cluster provisioning to non-blocking mode (#25394, @brlbil)
* gh/workflow: Reintroduce running GKE workflows in matrix strategy (#25654, @brlbil)
* gh/workflow: Run GKE workflow in matrix strategy (#25364, @brlbil)
* gh/workflows: Remove conformance-kind (#25707, @brb)
* gh/workflows: Rename ci-datapath to ci-e2e (#25164, @brb)
* gh/workflows: Use 20230420.212204 LVH images (#25681, @brb)
* gh/workflows: Use cilium-cli GHA to install CLI exec (#25228, @brb)
* gha: Clean-up Ingress job configuration (#25311, @sayboras)
* gha: Move to helm install mode for Gateway API jobs (#25608, @sayboras)
* hostfw tests flake workaround (#25323, @tommyp1ckles)
* Improve golangci-lint usage (#25157, @joestringer)
* inctimer: fix test flake where timer does not fire within time. (#25219, @tommyp1ckles)
* kvstore: fix TestWorkqueueSyncStoreMetrics flake (#25706, @giorio94)
* Make it easier to migrate off of (#25484, @lmb)
* mirror: Only run on cilium/cilium (#25179, @michi-covalent)
* NONE (#25258, @aojea)
* Pick up the latest startup-script image (#25774, @michi-covalent)
* Revert "gh/workflow: Run GKE workflow in matrix strategy" (#25464, @thorn3r)
* Set VERSION to 1.14.0-dev (#25237, @michi-covalent)
* test/k8s: add host firewall workaround for svc host policy test. (#25461, @tommyp1ckles)
* test/k8s: for services test, wait for all applied manifests to delete (#25341, @tommyp1ckles)
* test/k8s: quarantine High-scale IPcache test (#25668, @aanm)
* test/k8s: quarantine K8sDatapathServicesTest (#25670, @aanm)
* test/k8s: update host policies for firewall tests. (#25374, @tommyp1ckles)
* test: Collect sysdump as part of artifacts (#25079, @pchaigno)
* test: delete ginkgo test "NodePort with L7 Policy from outside" (#25702, @jschwinger233)
* test: prevent panic on k8s services host fw test on some runs. (#25747, @tommyp1ckles)
* test: remove govalidator dependency (#25314, @rolinh)
* test: Switch target FQDN (#25571, @pchaigno)
* tests: quarantine services nodeport w/ L7 policy test. (#25236, @tommyp1ckles)
* Transfer Runtime tests to GitHub actions (#25516, @aanm)
* Update push-chart workflow concurrency group (#25431, @chancez)
* Use cli-based Helm install for tests-smoke conformance workflow (#25493, @bleggett)
* Use CLI-based Helm installation for ingress tests (#25609, @dhawton)
* workflows/clustermesh: set kubectl version to match the one of the kubernetes cluster (#25221, @giorio94)
* workflows/push charts: Checkout main branch before set-env-variables (#25296, @chancez)
* workflows: e2e: bump Cilium CLI to v0.14.2 (#25194, @jibi)
* workflows: e2e: bump max-parallel to 16 (#25763, @jibi)

Misc Changes:
* .github: add renovate/stop-updating label on renovate's PRs (#25649, @aanm)
* dev-doctor - if path to go.mod invalid, look in current directory (#25327, @bleggett)
* A few cleanups for per-cluster CT/SNAT maps (#25712, @YutaroHayakawa)
* Add configuration docs for API restrictions (#24968, @joestringer)
* Adds .clang-format for editor-agnostic C formatting hints (#25488, @bleggett)
* Add missing LB IPAM description in the operator document (#25696, @YutaroHayakawa)
* Add top level make run_bpf_tests target to run eBPF unit tests in the Cilium builder container (#25173, @ldelossa)
* Auth use signalmap (#25284, @jrajahalme)
* auth: auth map cache (#25634, @mhofstetter)
* Backport the 64-bit stack alignment patch for LLVM, which is expected on all modern kernel versions. (#25338, @gentoo-root)
* bgpv1: component test framework (#25362, @harsimran-pabla)
* bgpv1: Don't use net package for addressing (#25313, @YutaroHayakawa)
* bgpv1: Fix use of k8s.LocalNodeResource and LocalCiliumNodeResource types (#25615, @joamaki)
* BGPv1: Introduce generic bgp manager layer (#25016, @harsimran-pabla)
* bgpv1: use slim_core_v1 node instead of corev1 in test fixtures (#25625, @harsimran-pabla)
* bom: update to version 0.5.1 (#25451, @mhofstetter)
* bpf, cilium/cmd: remove unused hidden cilium bpf migrate-map sub-command (#25196, @tklauser)
* bpf/ move node config generation to Go (#25380, @rgo3)
* bpf/makefile: fix spelling issue and make it clear which bear cli. (#25273, @tommyp1ckles)
* bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (#25742, @julianwiedmann)
* bpf: lb: clean up IPv4 loopback handling (#25456, @julianwiedmann)
* bpf: lb: misc cleanups (#25372, @julianwiedmann)
* bpf: nat: consistently use has_l4_header in IPv4 SNAT path (#25741, @julianwiedmann)
* bpf: nat: fix L4 csum case in ingress path for ICMP-embedded SCTP (#25315, @julianwiedmann)
* bpf: nat: tolerate unhandled protocol types in revSNAT path (#25740, @julianwiedmann)
* bpf: nodeport: don't set .addr in revSNAT target (#25381, @julianwiedmann)
* bpf: nodeport: SNAT before adding tunnel info in NAT egress path (#25305, @julianwiedmann)
* bpf: nodeport: wire up ext_err in revSNAT path (#25406, @julianwiedmann)
* bpf: Use inline assembly for packet context access, to prevent some undesirable optimizations from LLVM (#25336, @qmonnet)
* build(deps): bump from 2.8.1+incompatible to 2.8.2+incompatible (#25393, @dependabot[bot])
* chore(deps): pin dependencies (main) (#25275, @renovate[bot])
* chore(deps): update actions/upload-artifact action to v3 (main) (#25048, @renovate[bot])
* chore(deps): update all github action dependencies (main) (minor) (#25401, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#25198, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#25540, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#25701, @renovate[bot])
* chore(deps): update all github action dependencies to v1.1.1 (main) (patch) (#25402, @renovate[bot])
* chore(deps): update cilium cli (main) (minor) (#25245, @renovate[bot])
* chore(deps): update cilium/cilium-cli digest to 207512c (main) (#25397, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.14.3 (main) (#25541, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.14.5 (main) (#25700, @renovate[bot])
* chore(deps): update docker tag to v3.18.0 (main) (#25415, @renovate[bot])
* chore(deps): update docker digest to 9ecc53c (main) (#25398, @renovate[bot])
* chore(deps): update go to v1.20.4 (main) (patch) (#25246, @renovate[bot])
* chore(deps): update helm/kind-action action to v1.7.0 (main) (#25546, @renovate[bot])
* chore(deps): update hubble cli to v0.11.5 (main) (patch) (#25124, @renovate[bot])
* clustermesh-apiserver: extract kvstore client initialization and heartbeat logic in separate cells (#25554, @giorio94)
* clustermesh: allow waiting for the CiliumClusterConfig to appear when required (#25671, @giorio94)
* clustermesh: fix SyncedCanaries capability name mismatch (#25685, @giorio94)
* cmd: enhance cilium bpf policy list&get (#25389, @mhofstetter)
* CODEOWNERS: Assign pkg/slices to sig-foundations (#25737, @pippolo84)
* CODEOWNERS: pkg/bpf to loader, pkg/recorder to sig-datapath (#25648, @ti-mo)
* command/exec: remove unused (*Cmd).WithFilters method (#25642, @tklauser)
* config: fix tunnel port for DSR-GENEVE with direct-routing (#25384, @julianwiedmann)
* contrib/scripts: Ignore all vendor sub-directories (#25566, @michi-covalent)
* Convert the clustermesh subsystem into a hive.Cell (#25561, @giorio94)
* crd: Refactor RegisterCRDsCell to be extensible (#25590, @pippolo84)
* daemon: Document the use for required API options (#25170, @joestringer)
* daemon: Log warning if BPF Clock probe fails (#25287, @pchaigno)
* daemon: Mark flag for node encryption as beta (#25319, @pchaigno)
* daemon: Remove encrypt key from syncHostIPs() (#25252, @christarazi)
* daemon: Update code comment regarding PolicyReactionEvent (#25607, @christarazi)
* daemon: use netlink for managed neighbor support probe (#25134, @rgo3)
* datapath: Add auth_type to policy verdict message (#25410, @jrajahalme)
* docs: socketLB.hostNamespaceOnly also needed for gVisor (#25322, @pchaigno)
* docs: Add Bottlerocket OS to validated distros (#25390, @nebril)
* docs: Add missing backslash in Helm command (#25800, @james0209)
* docs: Add platform support to docs (#25174, @joestringer)
* docs: Add steps to start Hubble UI with cilium-cli, but only after Hubble itself has started (#25538, @fujitatomoya)
* docs: Clarify the steps to update images (#25367, @gentoo-root)
* docs: Disable host DNS resolver with Virtualbox for Minikube quick installation guide (#25569, @zhouhaibing089)
* docs: document missing entity 'ingress' (#25665, @mhofstetter)
* docs: Fix broken link to backends leak issue (#25278, @akhilles)
* docs: fix typos and formatting (#25365, @peterj)
* docs: Improve BGP Control Plane page (#23939, @krouma)
* docs: Remove sockops, sockmaps from eBPF datapath diagrams (#24824, @zacharysarah)
* docs: Update gateway-api version to v0.6.1 (#25439, @sayboras)
* Fix implicit conversion warning in DSR with GENEVE (#25299, @ysksuzuki)
* Fix fatal error when shutting down the clustermesh-apiserver (#25310, @giorio94)
* Fix hive test argument order and race (#25545, @bimmlerd)
* Fix development scripts on MacOS (#25317, @chancez)
* Fix possible panic in the ipcache when removing the prefix labels for an unknown resource ID (#25230, @giorio94)
* fix(deps): pin dependencies (main) (#25026, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#25035, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#25414, @renovate[bot])
* Fixed documentation regarding cilium versioning scheme and support (#25171, @ayesha-kr)
* fqdn: use map to dedup to reduce memory usage of dns gc job (#25142, @odinuge)
* garp: Introduce Gratuitous ARP Cell (#25254, @markpash)
* gateway-api: Add header modifier and splitting examples (#25186, @nvibert)
* gha: Add retry mechanism in http test (#25244, @sayboras)
* Godoc improvements for pkg/bgpv1 (#25686, @danehans)
* helm: nodeEncryption is only supported with WireGuard (#25770, @gandro)
* helm: Avoid error in IDE due to .range keyword (#25766, @sayboras)
* helm: Remove deprecated (#25261, @ysksuzuki)
* hive/jobs: fix enqueueing of multiple jobs via variadic func (#25633, @mhofstetter)
* hive: add support for map[string]string flags (#25643, @giorio94)
* hive: Make timer job test less flaky (#25308, @jrajahalme)
* hubble: Remove spammy debug log message on lost events (#25321, @pchaigno)
* identity: cache: close channel in writing party (#25353, @bimmlerd)
* images: scripts to update and check envoy image version (#25413, @mhofstetter)
* Improved job docs on hive page (#25312, @dylandreimerink)
* IPAM pools followups (#25498, @tklauser)
* ipsec: Install default-drop XFRM policy sooner (#25257, @pchaigno)
* k8s: Split SharedResources into binary specific cells (#25757, @pippolo84)
* k8s: Use slim Node in LocalNode Resource and K8s watchers (#25282, @joamaki)
* labelsfilter: Assign review to sig-policy (#25290, @joestringer)
* MAINTAINERS: add Dylan Reimerink to the list of maintainers (#25577, @ti-mo)
* makefile: introduce variable CILIUM_CLI for cilium cli binary (#25031, @mhofstetter)
* Makefile: use a specific template for mktemp files (#25192, @kaworu)
* Modularize eventsmap and monitor.Agent (#25197, @bimmlerd)
* Move packages to main repo (#25289, @tklauser)
* multi-pool: Support allocating from new IPAM pools on demand (#25765, @gandro)
* node/manager: Utilize set.SliceSubsetOf in ipcache deletion (#25180, @christarazi)
* node: register ipsec metric once (#25335, @jrajahalme)
* node: Use new asynchronous IPCache API for Manager (v2) (#23208, @christarazi)
* nodehandler: register node-id restore as hive lifecycle hook (#25497, @mhofstetter)
* nodeid map: provide map via hive cell (#25574, @mhofstetter)
* Perform map creation and opening using cilium/ebpf API (#22693, @ti-mo)
* pkg/datapath: skip TestArpPingHandlingForMultiDevice due to flakiness (#25821, @aanm)
* pkg/envoy/xds package cleanup (#24044, @tanberBro)
* Prepare for v1.14.0-snapshot.2 release (#25206, @joestringer)
* README: Bump prerelease to v1.14.0-snapshot.2 (#25207, @joestringer)
* Reduce amount of bpf instructions needed for handling ipv6 addresses (#25195, @ti-mo)
* Reduce the amount of repeating code in CT (#25356, @gentoo-root)
* Refactor egressgateway specific maps into a cell (#24865, @lmb)
* Refactor set.SliceSubsetOf (#25559, @pippolo84)
* Remove COSIGN_EXPERIMENTAL: "true" env variable for signing images (#24845, @sandipanpanda)
* Remove unused parameter from NewCachingIdentityAllocator (#25594, @giorio94)
* Renovate configuration fixes (#25330, @kaworu)
* renovate: do not update '' (#25807, @aanm)
* Replace legacy bpf syscalls with ebpf-go library APIs (#25355, @ti-mo)
* Replace the string with constants from the http package (#25614, @Fish-pro)
* Revert and fix ip rules (#25350, @NikAleksandrov)
* routing: Extend unit tests (#24933, @krabradosty)
* slices: Introduce slices.UniqueFunc() (#25743, @YutaroHayakawa)
* Slim down Node handler interface (#25450, @bimmlerd)
* test/provision/ Make usable from dev VM (#25352, @jrajahalme)
* Unify feature probing packages (#25627, @rgo3)
* Update k3s cilium installation to match k3s default podCIDR (#25270, @vincentmli)
* Update stable release for v1.11.17 (#25517, @jrajahalme)
* Update stable releases (#25727, @thorn3r)
* Updates endpoint pkg to use netip.Addr (#25521, @danehans)
* Updates k8sTest pkg to use netip.Addr (#25325, @danehans)
* use /usr/bin/env bash instead of /bin/bash in contrib, examples and test dirs (#24948, @MrFreezeex)
* use /usr/bin/env bash instead of /bin/bash in images dir (#25558, @MrFreezeex)
* Use veth device for probing managed neighbor support (#25598, @ti-mo)
* When a k8s node contains multiple addresses of the same type and family, Cilium will now emit a warning-level log message stating: "Detected multiple IPs of the same address type, Cilium will only consider the first IP in the Node resource" (#25304, @danehans)

Docker Manifests











June 1, 2023, 10:41 p.m.