Cilium - v1.15.0-pre.1

Summary of Changes

Major Changes:
* Allow selecting nodes by CIDR policy (#27464, @squeed)

Minor Changes:
* io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE> and io.cilium.podippool.name: <CiliumPodIPPool_NAME> selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. (#28314, @danehans)
* Add an option to Cilium to set the persistent keepalive for cilium_wg0 (#27932, @chaunceyjiang)
* Add Hubble Grafana dashboards: Network and DNS overview (#27751, @lambdanis)
* Add option to pass api-rate-limit via Helm values (#28239, @ungureanuvladvictor)
* Add Proxy l7 metrics proxy_type label and and Cleanup (#27863, @tommyp1ckles)
* Add support for filtering on HTTP URLs in Hubble (#28275, @glrf)
* Allow case-insensitive name for CNI chaining mode (#28050, @asauber)
* can create the directory for the customized cni conf and remove the cni conf file in cleanup command (#27933, @sofat1989)
* Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. (#27653, @marseel)
* CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". (#27976, @danehans)
* Correlate flows with CiliumNetworkPolicies (#27854, @chancez)
* Cut Cilium's initialization time for clusters with a large number of Kubernetes and Cilium Network Policies by 90% (#28173, @aanm)
* daemon: don't wait for presence of unused CiliumNodeConfig CRD (#27684, @akhilles)
* daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. (#28300, @nathanjsweet)
* Delete auth map entries for removed Security IDs in SPIRE (#27663, @meyskens)
* Don't automatically infer ClusterID and ClusterName for external workloads. (#27886, @giorio94)
* egressgw: reject config with CiliumEndpointSlice (#27984, @julianwiedmann)
* endpoint: Only perform the full policy map synchronization periodically (every 15 minutes) to reduce overhead with large endpoint policy maps (#27693, @joamaki)
* Fix inaccurate calculation for bootstrap stats of restore (#27983, @PlatformLC)
* Fixes name used for disabling KVStoreMesh metrics. (#27680, @marseel)
* gateway-api: Bump the version to v0.8.1 (#28195, @sayboras)
* helm: allow annotations to be set for preflight resources (#27860, @bradwhitfield)
* Ignore StatefulSet-specific labels by default for CID creation. This includes the two following labels:
* statefulset.kubernetes.io/pod-name
* apps.kubernetes.io/pod-index (#28003, @tosi3k)
* Implement AdvertisedPathAttributes for CiliumBGPNeighbor in the CiliumBGPPeeringPolicy CRD to allow setting BGP Community and Local Preference path attributes for advertised BGP routes. (#27705, @rastislavs)
* Improve cilium status --verbose and cilium-health status --succinct support to show IPv6 IPs as well (#27912, @chaunceyjiang)
* ipam: Remove cluster-pool-v2beta code (#27753, @gandro)
* ipam: report IP owner of non-default pool IPs in multi-pool IPAM (#27968, @tklauser)
* metrics: add a metric for max observed endpoint ifindex (#27953, @asauber)
* metrics: Add workqueue metrics (#27042, @ysksuzuki)
* Mutual Auth: only respond handshake with certificate if security ID is in use on node (#27682, @meyskens)
* Operator modular metrics (#28005, @pippolo84)
* operator: Remove identity GC and CES controller legacy metrics (#28166, @pippolo84)
* The cilium-agent now sets GOMEMLIMIT to the container's memory resource limit, which helps the Go GC to avoid unnecessary OOMs. (#27958, @bimmlerd)
* The podIPPoolSelector field has been added to CiliumBGPVirtualRouter for selectively advertising multi-pool IPAM CIDRs. (#27100, @danehans)
* Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (#27498, @jrajahalme)
* vendor, azure: Bump Azure SDK to Aug 2021 (#28311, @christarazi)

Bugfixes:
* bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (#27798, @ti-mo)
* bug fix: close status collector when daemon exits (#27937, @sofat1989)
* Change routing-mode and tunnel-protocol based on .Values.tunnel and .Values.routingMode (#27841, @macmiranda)
* datapath: fix dbg-capture-proxy-[pre/post] reporting (#27704, @mhofstetter)
* datapath: fix NodePort to remote hostns backend with tunnel config (#27323, @michaelasp)
* examples: Fix YAML error backendRefs in HTTP Header Modifier (#27871, @haiyuewa)
* fix bug: pull skb data in cil_from_netdev path for HIGH_SCALE_IPCACHE mode (#27913, @sofat1989)
* Fix Gateway API HttpRoute cannot strip path prefix. (#28018, @chaunceyjiang)
* Fix hubble metric labeling when only directed Source/Destination Ingress/Egress options are specified. (#27792, @marqc)
* Fix minor bug where the previous Cilium proxy port was not reused (#27634, @christarazi)
* Fix missing packet trace after from-container for reply traffic to the proxy. (#27872, @pchaigno)
* Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (#28133, @julianwiedmann)
* Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (#27996, @jschwinger233)
* fqdn proxy: fix data race by using separate sessionUDPFactories (#28163, @mhofstetter)
* Implement full CES reconciliation logic in the operator (#26836, @alan-kut)
* ipam/multipool: Fix bug where allocator was unable to update CiliumNode (#27963, @gandro)
* IPSec fix for race on init resulting in XfrmIn errors and dropped packets (#28012, @jrfastab)
* k8s: Restrict configuring reserved:init policy via CNP (#28007, @joestringer)
* Must have port for Service reference (#27959, @chaunceyjiang)
* pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (#27855, @danehans)
* Replace use of strict to true for kubeProxyReplacement in helm chart (#27433, @xtineskim)
* Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (#27908, @julianwiedmann)

CI Changes:
* .github/actions: remove GKE K8s v1.23 from test matrix. (#28297, @tommyp1ckles)
* .github/workflows: unify time to wait for images to become available (#27706, @tklauser)
* bpf: fix flakes when checking metrics map values. (#28325, @tommyp1ckles)
* CI images: Define a variable for the floating tags (#28008, @michi-covalent)
* CI images: Define a variable for the floating tags (#28228, @michi-covalent)
* CI Images: Don't push floating tags from feature branches (#28044, @michi-covalent)
* ci-e2e: Add secondary network NodePort tests (#27738, @brb)
* ci-e2e: Do not print matrix config in each step (#27999, @brb)
* ci-ipsec-upgrade: Enable IPv6 (#27220, @brb)
* ci: disable cgo when installing Go toolchain (#27869, @tklauser)
* CI: fix missing names (#27839, @brlbil)
* CI: Let actions/cilium-config use Chart.yaml-specified image by default (#28016, @jschwinger233)
* ci: Run BPF lints on workflow definition changes (#28122, @qmonnet)
* ci: run verifier tests with proper Go toolchain version (#27857, @tklauser)
* ci: set multi-pool conformance workflow status on start (#27969, @tklauser)
* ci: trigger multi-pool conformance workflow using ariane (#27957, @tklauser)
* Clean up tests-ipsec-upgrade workflow (#27977, @michi-covalent)
* contrib/kind: Log DNS queries in CoreDNS pods (#27874, @pchaigno)
* egressgw: make reconciliationEventsCount an atomic.Uint64 (#28154, @jibi)
* egressgw: manager: test: mark helpers with c.Helper() (#28020, @jibi)
* egressgw: switch unit tests to reconciliationEventsCount (#27881, @jibi)
* egressgw: test for conflicting IP rules in ENI mode (#27428, @julianwiedmann)
* Fix the build (#28229, @michi-covalent)
* gh/workflows: Bump CLI to v0.15.8 in e2e tests (#28132, @brb)
* gh/workflows: Use cilium-config action in ci-ipsec-upgrade (#27359, @brb)
* gha: Remove priviledged helm option in {Ingress, Gateway} (#28200, @sayboras)
* ginkgo: Remove K8sDatapathCustomCalls (#27911, @brb)
* golangci: enforce use of cilium/dns over miekg/dns (#27936, @tklauser)
* Refactor CiliumExecContext() Retry Logic (#28131, @carnerito)
* Remove coverage collection from BPF tests (#28090, @dylandreimerink)
* renovate: fix match string for go version updates in go.mod (#28000, @tklauser)
* Revert "CI images: Define a variable for the floating tags" (#28041, @michi-covalent)
* test: custom calls: clean up kernel 4.9 leftovers (#27887, @julianwiedmann)
* workflows/ipsec: Add missing --flush-ct for key rotation (#27883, @pchaigno)

Misc Changes:
* .github: Build images for vX.Y.Z-pre.N releases (#27862, @joestringer)
* @eloycoto is no longer an active committer (#27978, @eloycoto)
* [Docs] Clarify ClusterMesh troubleshooting steps when KVStoreMesh is enabled (#27691, @weizhoublue)
* Add error check during datapath/loader reinitialization as ApplySettings could return an error while applying sysctl settings. (#27195, @derailed)
* Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (#27870, @joamaki)
* Add Schenker to the user list (#27833, @amirkkn)
* Add WireGuard to the firewall rules documentation (#27170, @joestringer)
* api: regenerate flow.pb.go (#27852, @Jack-R-lantern)
* BGP CP: Calls String() Afi/Safi Methods instead of Duplicative Funcs (#28035, @danehans)
* bgpv1: Consolidate reconciler-specific maps into generic ReconcilerMetadata (#27568, @rastislavs)
* bpf,fib: refactor lib/fib.h to remove the now redundant code (#26380, @ldelossa)
* bpf: ct: reuse get_ct_map() in get_cluster_ct_map() (#27849, @julianwiedmann)
* bpf: Delete obsolete do_netdev_encrypt_pools() (#28063, @jschwinger233)
* bpf: don't build all bpf when making containers (fix) (#25937, @squeed)
* bpf: egressgw: allow to override external API (#28277, @jibi)
* bpf: egressgw: pass IPv4 tuple to egress_gw_request_needs_redirect (#27851, @jibi)
* bpf: lxc: transfer sec identity for per-EP loopback in reply direction (#27812, @julianwiedmann)
* bpf: make it easier to figure out which BUILD_PERMUTATION failed (#27541, @lmb)
* bpf: nodeport: constrain CT lookups to relevant entry types (#27607, @julianwiedmann)
* bpf: overlay: clean up CB_SRC_LABEL handling in inter-cluster-SNAT path (#28134, @julianwiedmann)
* bugtool: various updates to BPF map dump (#28065, @julianwiedmann)
* build: fix usage of local golangci-lint installation (#28162, @mhofstetter)
* chore(deps): update actions/checkout action to v4 (main) (#27940, @renovate[bot])
* chore(deps): update all github action dependencies (main) (#27904, @renovate[bot])
* chore(deps): update all github action dependencies (main) (#28188, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#28066, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#28190, @renovate[bot])
* chore(deps): update all github action dependencies to v3 (main) (major) (#28099, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#27858, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#28037, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#28147, @renovate[bot])
* chore(deps): update aws-actions/configure-aws-credentials action to v4 (main) (#28100, @renovate[bot])
* chore(deps): update cilium/cilium digest to 6180087 (main) (#28096, @renovate[bot])
* chore(deps): update cilium/cilium digest to 8a11744 (main) (#28077, @renovate[bot])
* chore(deps): update cilium/cilium digest to ccaaa85 (main) (#28069, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.7 (main) (#27859, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.8 (main) (#28191, @renovate[bot])
* chore(deps): update dependency go to v1.21.1 (main) (#28067, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.21.1 docker digest to cffaba7 (main) (#28189, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.21.1 docker digest to d2aad22 (main) (#28064, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (main) (#27895, @renovate[bot])
* chore(deps): update docker/build-push-action action to v5 (main) (#28092, @renovate[bot])
* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 92d40ee (main) (#27905, @renovate[bot])
* chore(deps): update go to v1.21.1 (main) (patch) (#27993, @renovate[bot])
* chore(deps): update myrotvorets/set-commit-status-action action to v2 (main) (#28073, @renovate[bot])
* chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20230915.012620 (main) (#28192, @renovate[bot])
* chore(deps): update sigstore/cosign-installer action to v3.1.2 (main) (#27907, @renovate[bot])
* chore: Add deezer as cilium user (#27846, @zwindler)
* chore: Add Prometheus templating to Cilium Metrics Dashboard (#28058, @kahirokunn)
* ci: fix AWS EKS K8s versions comment (#28249, @nbusseneau)
* CI: Silences call to cilium uninstall (#28048, @danehans)
* Cilium Charts set the persistent keepalive for cilium_wg0 (#28013, @chaunceyjiang)
* contrib/kind: custom kind values (#28155, @mhofstetter)
* contrib: Fix remote detection for security branches (#27891, @joestringer)
* contrib: Fix remote repo detection for .git suffix (#28198, @joestringer)
* contrib: Move github draft release to post-release (#27861, @joestringer)
* correct stats for total time of policyregenerateion (#28153, @PlatformLC)
* Correct the comment for Service4Value and Service6Value (#27824, @haiyuewa)
* daemon, fqdn: Remove log "DNS request no matching endpoint" when endpoint is nil (#28071, @doniacld)
* Daemon: Updates Detect() Call to Return Detected Devices (#28010, @danehans)
* dep: Replace deprecated github.com/golang/protobuf (#28203, @sayboras)
* Do not ignore link local addresses when detecting network devices. This fixes a problem in setups where network devices that only had link local addresses were ignored. (#27868, @joamaki)
* doc: add circuit-breaker example for cilium service mesh (#27641, @tanjunchen)
* docker: Tame xargs warning (#27929, @qmonnet)
* docs: Add instructions for running LVH against custom kernel (#28305, @brb)
* docs: Add Makefile and documentation for "fast" development targets (#27931, @aanm)
* docs: Add more details for the Cluster Mesh key rotation (#28145, @margamanterola)
* docs: add plusserver Kubernetes Engine to users (#28306, @sknop-cgn)
* docs: egressgw: document incompatibility with Clustermesh (#27918, @julianwiedmann)
* docs: Makefile, check-build.sh clean-ups and perf improvements (#28161, @qmonnet)
* docs: Remove "by Default" suffix in cilium-agent metrics header (#28045, @learnitall)
* docs: Remove the duplicated envoy resource list (#28281, @sayboras)
* docs: rephrasing the hubble intro doc (#27712, @vipul-21)
* docs: Update BGP control plane documentation with regards to LB class support and service announcements (#28253, @danehans)
* docs: Update Sphinx and its dependencies, Cilium theme (#28172, @qmonnet)
* docs: Update the message of Gateway API 'Programmed' (#28055, @haiyuewa)
* docs: Update the microservices-demo link (#27814, @haiyuewa)
* docs: Update the tile for 'kubectl get' Gateway API (#28056, @haiyuewa)
* During startup, the agent attempts to clear out any obsolete CiliumEndpoints.
Add retry logic to ensure this process is attempted more than once should errors occur during reconciliation. (#27593, @derailed)
* egressgateway: switch to Resource[T] (#28091, @lmb)
* egressgw: test CEGP parser (#27909, @julianwiedmann)
* endpoint: Fix use of PolicyMapFullReconciliationInterval option (#27985, @joamaki)
* Ensures daemon managed controllers are stopped when the daemon shuts down. (#28148, @derailed)
* envoy: introduce artifact copier (#27728, @mhofstetter)
* envoy: optimise getWildcardNetworkPolicyRule() (#27685, @jrajahalme)
* envoy: Sync supported resources in CiliumEnvoyConfig (#28272, @sayboras)
* envoy: update cilium/proxy to latest version (#28170, @mhofstetter)
* Fix bug when reusing the same cell in multiple hives (#27873, @giorio94)
* fix duplicated ids in prerelease testing template (#27865, @jspaleta)
* Fix k8s code generation (#27964, @aanm)
* Fix potential nil pointer dereference in SelectorManager implementation (#27805, @learnitall)
* Fix up CCG related metrics (#27806, @christarazi)
* fix(deps): update all go dependencies main (main) (#27906, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#28072, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#27939, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#28070, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#28193, @renovate[bot])
* fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.549 (main) (#28097, @renovate[bot])
* fqdn proxy: fix data race detection on TCP fqdn proxy (#28219, @mhofstetter)
* gateway-api: set controller-runtime logger (#27961, @mhofstetter)
* Helm: Improved description for tunnel, tunnelProtocol, routingMode flags (#27926, @PhilipSchmid)
* hubble: Use protobuf GetType() helper in v1.FlowProtocol() to avoid possible panic (#27889, @chancez)
* identity/cache: only call SortedList for release (#27796, @bimmlerd)
* images: Support updating Envoy to PR images (#27850, @jrajahalme)
* Improve bump-readme.sh (#27892, @joestringer)
* install/kubernetes: add the cilium/values.yaml target to .PHONY (#28225, @nbusseneau)
* ipam/multipool: Fix comment for removeExpiration (#28031, @hargrovee)
* ipam: let allocator.Dump return map of allocated IPs per pool (#27997, @tklauser)
* ipsec: Fix Godoc document comment typo (#27721, @haiyuewa)
* k8s: remove extensions/v1beta1 support (#28002, @tklauser)
* l2respondermap: Correct the comment for L2Responder Key and Stats (#27986, @haiyuewa)
* l2respondermap: Rename the L2Responder key create function (#28015, @haiyuewa)
* Make tolerations configurable in clustermesh-apiserver certgen job (#28221, @giorio94)
* policy/api: use netip.Addr when sanitizing CIDR rules (#28121, @tklauser)
* policy: Move getNets to selector cache (#27670, @jrajahalme)
* Prepare for release v1.15.0-pre.0 (#27853, @aanm)
* README: Update releases (#27864, @joestringer)
* README: Update releases (#28179, @michi-covalent)
* Register cluster-id and cluster-name flags through hive (#27823, @giorio94)
* Register service/endpoint flags through hive (#27817, @giorio94)
* Resiliency: Add retry logic to attempt to clear out stale hostip (#27673, @derailed)
* Splits Apart kind-image-fast Make Target (#28079, @danehans)
* StateDB review follow-ups (#28030, @joamaki)
* test: add namespace name in pod metadata test (#28028, @nebril)
* Update hubble-exporter.rst (#28081, @nvibert)
* Update l2-announcements.rst (#27988, @nvibert)
* Use Go 1.19 atomic types and their default value (#27844, @tklauser)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.15.0-pre.1@sha256:534af874fc6c80baf93a0fcb5ae843bc289620749fab5d72d67d4bb5f193af8e
quay.io/cilium/cilium:v1.15.0-pre.1@sha256:534af874fc6c80baf93a0fcb5ae843bc289620749fab5d72d67d4bb5f193af8e

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.15.0-pre.1@sha256:3a490173adc17ad27a81a634cdb122612e89b57d8238b3b6f8f6b5f4a80d2997
quay.io/cilium/clustermesh-apiserver:v1.15.0-pre.1@sha256:3a490173adc17ad27a81a634cdb122612e89b57d8238b3b6f8f6b5f4a80d2997

docker-plugin

docker.io/cilium/docker-plugin:v1.15.0-pre.1@sha256:7866c2cdff2fc027b500d1f87ab27a82e4ce778477697800cc5846c864f55ded
quay.io/cilium/docker-plugin:v1.15.0-pre.1@sha256:7866c2cdff2fc027b500d1f87ab27a82e4ce778477697800cc5846c864f55ded

hubble-relay

docker.io/cilium/hubble-relay:v1.15.0-pre.1@sha256:44ef1b82a0b709639641a1d1e10e959cc991ded994ff7b8888bd9ee607bbbe13
quay.io/cilium/hubble-relay:v1.15.0-pre.1@sha256:44ef1b82a0b709639641a1d1e10e959cc991ded994ff7b8888bd9ee607bbbe13

kvstoremesh

docker.io/cilium/kvstoremesh:v1.15.0-pre.1@sha256:bd1ce77dc7d9f0b5106c1c24d77aaa5c6c7fef246bbf5b5b673bb395c6351759
quay.io/cilium/kvstoremesh:v1.15.0-pre.1@sha256:bd1ce77dc7d9f0b5106c1c24d77aaa5c6c7fef246bbf5b5b673bb395c6351759

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.15.0-pre.1@sha256:fea2e57902abbbbc68055c989bad6cb1843abb636f203c94859ff58aee9bdceb
quay.io/cilium/operator-alibabacloud:v1.15.0-pre.1@sha256:fea2e57902abbbbc68055c989bad6cb1843abb636f203c94859ff58aee9bdceb

operator-aws

docker.io/cilium/operator-aws:v1.15.0-pre.1@sha256:d41d7c27aca58871f71ef07daa43c9af4de88af65190a95142e4d1ced4f7f301
quay.io/cilium/operator-aws:v1.15.0-pre.1@sha256:d41d7c27aca58871f71ef07daa43c9af4de88af65190a95142e4d1ced4f7f301

operator-azure

docker.io/cilium/operator-azure:v1.15.0-pre.1@sha256:9ac480f58b6b15d02388b6a0d4f2f0e070444f4ae1b7bc8103e2d2008415fef9
quay.io/cilium/operator-azure:v1.15.0-pre.1@sha256:9ac480f58b6b15d02388b6a0d4f2f0e070444f4ae1b7bc8103e2d2008415fef9

operator-generic

docker.io/cilium/operator-generic:v1.15.0-pre.1@sha256:39382aefa49a5163b9c28d1a73fff53e9394421884bde6f6c15abeac5d597120
quay.io/cilium/operator-generic:v1.15.0-pre.1@sha256:39382aefa49a5163b9c28d1a73fff53e9394421884bde6f6c15abeac5d597120

operator

docker.io/cilium/operator:v1.15.0-pre.1@sha256:834dd80193a6769f18001fec823ba0da1ba78f10ca0935bda1e628870767c93b
quay.io/cilium/operator:v1.15.0-pre.1@sha256:834dd80193a6769f18001fec823ba0da1ba78f10ca0935bda1e628870767c93b