8000 Releases · cilium/cilium · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Releases: cilium/cilium

1.16.3

16 Oct 11:57
@cilium-release-bot cilium-release-bot
v1.16.3
This tag was signed with the committer’s verified signature.
aanm André Martins
GPG key ID: A38D2FBA880D16AB
Verified
Learn about vigilant mode.
f221719
Compare
Choose a tag to compare
1.16.3

Summary of Changes

Bugfixes:

  • bgpv2: fix reconciliation of services with shared VIPs (Backport PR #35274, Upstream PR #35166, @rastislavs)
  • bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport PR #35036, Upstream PR #34976, @rastislavs)
  • bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport PR #35036, Upstream PR #34913, @ysksuzuki)
  • bugtool: fix cilium-health command (Backport PR #35274, Upstream PR #35068, @ayuspin)
  • Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport PR #35036, Upstream PR #34941, @bimmlerd)
  • Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #35036, Upstream PR #34789, @tommyp1ckles)
  • Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (Backport PR #34918, Upstream PR #34651, @smagnani96)
  • Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #35036, Upstream PR #34783, @dylandreimerink)
  • Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #35274, Upstream PR #35109, @jrajahalme)
  • Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #35274, Upstream PR #35033, @WeeNews)
  • Fixes startup fatal error when updating CiliumNode resource. (Backport PR #34918, Upstream PR #34862, @harsimran-pabla)
  • gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #35274, Upstream PR #34808, @cfsnyder)
  • helm template function no longer errors when using k8sServiceHost: auto (Backport PR #35274, Upstream PR #35186, @kreeuwijk)
  • hubble: add printer for lost events (Backport PR #35274, Upstream PR #35208, @aanm)
  • ipcache: Yet another refcounting fix with mix of APIs (Backport PR #35036, Upstream PR #34715, @gandro)
  • netkit: Allow ARP packets through when using host firewall. (Backport PR #35274, Upstream PR #35070, @jrife)
  • wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport PR #35115, Upstream PR #34612, @jrife)

CI Changes:

  • .github/lint-build-commits: fix workflow for push events (Backport PR #35274, Upstream PR #35264, @aanm)
  • .github: create cache directories on cache miss (Backport PR #35157, Upstream PR #35088, @aanm)
  • .github: do not push floating tag from PRs (Backport PR #35230, Upstream PR #35227, @aanm)
  • .github: install golang action after checkout (Backport PR #35157, Upstream PR #34843, @aanm)
  • .github: re-enable configurations in e2e-upgrade (Backport PR #35157, Upstream PR #34800, @aanm)
  • .github: specify cache-dependency-path in lint-workflows (Backport PR #35157, Upstream PR #34845, @aanm)
  • [1.16] test: Skip envoy internal_address_config warning log (#35053, @pippolo84)
  • [v1.16] gha: fix incorrect go version in lint-build-commits workflow (#35312, @giorio94)
  • ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #34918, Upstream PR #34820, @aanm)
  • fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #34918, Upstream PR #34902, @Artyop)
  • servicemesh, ci: run internal to NodePort test (Backport PR #35274, Upstream PR #35177, @marseel)

Misc Changes:

  • .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #35157, Upstream PR #34847, @aanm)
  • .github: clean up disk for lint-build workflow (Backport PR #35157, Upstream PR #35141, @aanm)
  • .github: fix build image process to commit changes (Backport PR #35274, Upstream PR #35262, @aanm)
  • .github: fix lvh-kind warnings (Backport PR #35157, Upstream PR #34811, @aanm)
  • .github: fix runtime image digests (Backport PR #35274, Upstream PR #35107, @aanm)
  • .github: push floating tag for push events for stable branches (#35235, @aanm)
  • [v1.16] .github: do not update github runners for bpf workflows (#35106, @aanm)
  • [v1.16] manually update dependency cilium/cilium-cli to v0.16.19 (v1.16) (#35310, @julianwiedmann)
  • bgpv2/docs: add ebgp multihop documentation (Backport PR #35036, Upstream PR #34951, @harsimran-pabla)
  • bgpv2: cleanup service reconciliation logic (Backport PR #35036, Upstream PR #34959, @rastislavs)
  • Change GH runners to GH's default (Backport PR #35157, Upstream PR #33451, @aanm)
  • chore(deps): update all github action dependencies (v1.16) (#35025, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#35082, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#35250, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#35005, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#35283, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.16) (#34999, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.16) (#35101, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.8 (v1.16) (#35201, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.16) (#35137, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.16) (#35218, @cilium-renovate[bot])
  • cilium-cli: Show config.cilium.io annotations on configmap (Backport PR #35155, Upstream PR #35020, @joamaki)
  • docs: Add known issue for netkit endpoint route issues (Backport PR #35274, Upstream PR #35126, @jrife)
  • docs: fix EKS Kubernetes compatibility link (Backport PR #35036, Upstream PR #34922, @fjvela)
  • docs: Improve warning on insecure global IPsec keys (Backport PR #34918, Upstream PR #34846, @pchaigno)
  • docs: move sig-policy to second Tuesday of the month (Backport PR #35115, Upstream PR #35040, @squeed)
  • fix: Assign PodStore from Pod resource until cell migration is completed (Backport PR #35274, Upstream PR #34090, @dlapcevic)
  • helm: add client auth to hubble server certificate (Backport PR #35036, Upstream PR #34934, @kaworu)
  • helm: set key usages for hubble certificates with cert-manager (Backport PR #35036, Upstream PR #34946, @kaworu)
  • Improve speed on lint commits GH workflow (Backport PR #35157, Upstream PR #34848, @aanm)
  • install/kubernetes: fix Operator's clusterrole for pods deletion (Backport PR #35274, Upstream PR #35193, @aanm)
  • Re-write GitHub cache usages across workflows (Backport PR #35157, Upstream PR #34866, @aanm)
  • Remove conformance-e2e tests (Backport PR #35157, Upstream PR #34742, @aanm)

Other Changes:

  • [v1.16] Add missing test coverage in v1.16 branch (#35223, @aanm)
  • [v1.16] author backport: fix ENABLE_LOCAL_REDIRECT_POLICY (#35129, @ysksuzuki)
  • [v1.16] author backport: LRP fixes (#35072, @ysksuzuki)
  • [v1.16] ginkgo: disable test for deprecated annotations-based L7 visibility (#35160, @tklauser)
  • [v1.16] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (#35151, @tklauser)
  • install: Update image digests for v1.16.2 (#35052, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
quay.io/cilium/cilium:stable@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.3@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb
quay.io/cilium/clustermesh-apiserver:stable@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb

docker-plugin

quay.io/cilium/docker-plugin:v1.16.3@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae
quay.io/cilium/docker-plugin:stable@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae

hubble-relay

quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
quay.io/cilium/hubble-relay:stable@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.3@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898
quay.io/cilium/operator-alibabacloud:stable@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898

operator-aws

quay.io/cilium/operator-aws:v1.16.3@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916
quay.io/cilium/operator-aws:stable@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916

operator-azure

quay.io/cilium/operator-azure:v1.16.3@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542
quay.io/cilium/operator-azure:stable@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542

operator-generic

quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
quay.io/cilium/operator-generic:stable@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b

operator

quay.io/cilium/operator:v1.16.3@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f
`quay.io/cilium/operator:stable@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb3...

Read more

Contributors

gandro, kaworu, and 25 other contributors
Loading

1.15.10

16 Oct 11:57
@cilium-release-bot cilium-release-bot
v1.15.10
This tag was signed with the committer’s verified signature.
aanm André Martins
GPG key ID: A38D2FBA880D16AB
Verified
Learn about vigilant mode.
2fdab41
Compare
Choose a tag to compare
1.15.10

Summary of Changes

Minor Changes:

  • bpf: do not invoke llc from Makefiles (Backport PR #35168, Upstream PR #29459, @lmb)

Bugfixes:

  • bugtool: fix cilium-health command (Backport PR #35276, Upstream PR #35068, @ayuspin)
  • Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #34917, Upstream PR #34303, @julianwiedmann)
  • Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #35037, Upstream PR #34789, @tommyp1ckles)
  • Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #35037, Upstream PR #34783, @dylandreimerink)
  • Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #35276, Upstream PR #35109, @jrajahalme)
  • Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #35276, Upstream PR #35033, @WeeNews)
  • Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR #35276, Upstream PR #34611, @dboslee)
  • Fixes startup fatal error when updating CiliumNode resource. (Backport PR #34917, Upstream PR #34862, @harsimran-pabla)
  • gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #35276, Upstream PR #34808, @cfsnyder)

CI Changes:

  • .github/lint-build-commits: fix workflow for push events (Backport PR #35276, Upstream PR #35264, @aanm)
  • .github: create cache directories on cache miss (Backport PR #35168, Upstream PR #35088, @aanm)
  • .github: do not push floating tag from PRs (Backport PR #35168, Upstream PR #35227, @aanm)
  • .github: install golang action after checkout (Backport PR #35168, Upstream PR #34843, @aanm)
  • .github: re-enable configurations in e2e-upgrade (Backport PR #35168, Upstream PR #34800, @aanm)
  • .github: specify cache-dependency-path in lint-workflows (Backport PR #35168, Upstream PR #34845, @aanm)
  • [v1.15] ci: fix check generated documentation (#35261, @mhofstetter)
  • ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #34917, Upstream PR #34820, @aanm)
  • ci: increase wait duration after upgrade/downgrade in E2E upgrade test (Backport PR #35168, Upstream PR #32528, @mhofstetter)
  • fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #34917, Upstream PR #34902, @Artyop)
  • servicemesh, ci: run internal to NodePort test (Backport PR #35276, Upstream PR #35177, @marseel)

Misc Changes:

  • .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #35168, Upstream PR #34847, @aanm)
  • .github: clean up disk for lint-build workflow (Backport PR #35168, Upstream PR #35141, @aanm)
  • .github: fix build image process to commit changes (Backport PR #35276, Upstream PR #35262, @aanm)
  • .github: fix lvh-kind warnings (Backport PR #35168, Upstream PR #34811, @aanm)
  • .github: fix runtime image digests (Backport PR #35118, Upstream PR #35107, @aanm)
  • [v1.15] helm: bump certgen to v0.1.15 (#35034, @kaworu)
  • Change GH runners to GH's default (Backport PR #35168, Upstream PR #33451, @aanm)
  • chore(deps): update all github action dependencies (v1.15) (#35027, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.15) (#35092, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.15) (#35251, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#35026, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.15) (#35000, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.19 (v1.15) (#35202, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/hubble to v1.16.2 (v1.15) (#35241, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.15) (#35091, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.8 (v1.15) (#35203, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.15) (#35083, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.15) (#35138, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.15) (#35219, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd (v1.15) (#35284, @cilium-renovate[bot])
  • helm: set key usages for hubble certificates with cert-manager (Backport PR #35037, Upstream PR #34946, @kaworu)
  • images/builder: get rid of annoying git ownership warnings (Backport PR #35276, Upstream PR #31538, @ti-mo)
  • Improve speed on lint commits GH workflow (Backport PR #35168, Upstream PR #34848, @aanm)
  • Re-write GitHub cache usages across workflows (Backport PR #35168, Upstream PR #34866, @aanm)
  • Remove conformance-e2e tests (Backport PR #35168, Upstream PR #34742, @aanm)

Other Changes:

  • [v1.15] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (#35152, @tklauser)
  • install: Update image digests for v1.15.9 (#35051, @cilium-release-bot[bot])
  • policy: Fix breakages on v1.15 branch (#35300, @christarazi)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.10@sha256:cd096a343861d48e2849b403f0c410bfbb36e64d042f0692b73b93c97d94d9bd

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.10@sha256:0d8d5490fa6097d4e7539ffcec705dd25f3f992f29528d6ec999497a02cb1399

docker-plugin

quay.io/cilium/docker-plugin:v1.15.10@sha256:2cb1f30f87c29d5f98b7a59f743c40a1474d2b1e615153a6799a92389d1aa074

hubble-relay

quay.io/cilium/hubble-relay:v1.15.10@sha256:d4378eb133a6bdf39f50d874b59b72f95d0da2e78bd545b3c053f3c479f593b2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.10@sha256:c78ac42e043f9e77172250a1b6997bbcd8356bb8fe7a4784deaea049207ceb9f

operator-aws

quay.io/cilium/operator-aws:v1.15.10@sha256:c1af1bae559cd0dd9a1867a4ede95f1fef07e3de173b2b82638ebd7d91256ea0

operator-azure

quay.io/cilium/operator-azure:v1.15.10@sha256:6cd04b35320824a50b43aa5d7fbfa6d11826f6c5ec8e4853da04a28aa3531695

operator-generic

quay.io/cilium/operator-generic:v1.15.10@sha256:2f49dca6f9692e317601ae8b5bad7d2dc50cedad38cc8d410db14c1fc57719e4

operator

quay.io/cilium/operator:v1.15.10@sha256:d1c10ea451c3b3d6cd62984fa653974482ffe8e083497f4e4b011d8ab5dbe964

Contributors

kaworu, lmb, and 16 other contributors
Loading

1.14.16

16 Oct 11:57
@cilium-release-bot cilium-release-bot
v1.14.16
This tag was signed with the committer’s verified signature.
aanm André Martins
GPG key ID: A38D2FBA880D16AB
Verified
Learn about vigilant mode.
c2fcf1d
Compare
Choose a tag to compare
1.14.16

Summary of Changes

Bugfixes:

  • datapath: Fix redirect from from L3 netdev to tunnel (Backport PR #35265, Upstream PR #33421, @brb)
  • Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #35279, Upstream PR #35109, @jrajahalme)
  • Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #35279, Upstream PR #35033, @WeeNews)
  • Fixes startup fatal error when updating CiliumNode resource. (Backport PR #34916, Upstream PR #34862, @harsimran-pabla)

CI Changes:

  • .github/lint-build-commits: fix workflow for push events (Backport PR #35279, Upstream PR #35264, @aanm)
  • .github: create cache directories on cache miss (Backport PR #35176, Upstream PR #35088, @aanm)
  • .github: do not push floating tag from PRs (Backport PR #35229, Upstream PR #35227, @aanm)
  • .github: install golang action after checkout (Backport PR #35176, Upstream PR #34843, @aanm)
  • .github: re-enable configurations in e2e-upgrade (Backport PR #35176, Upstream PR #34800, @aanm)
  • .github: specify cache-dependency-path in lint-workflows (Backport PR #35176, Upstream PR #34845, @aanm)
  • ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #34916, Upstream PR #34820, @aanm)
  • fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #34916, Upstream PR #34902, @Artyop)

Misc Changes:

  • .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #35176, Upstream PR #34847, @aanm)
  • .github: clean up disk for lint-build workflow (Backport PR #35176, Upstream PR #35141, @aanm)
  • .github: fix build image process to commit changes (Backport PR #35279, Upstream PR #35262, @aanm)
  • .github: fix lvh-kind warnings (Backport PR #35176, Upstream PR #34811, @aanm)
  • .github: fix runtime image digests (Backport PR #35119, Upstream PR #35107, @aanm)
  • .github: push floating tag for push events for stable branches (#35234, @aanm)
  • [v1.14] contrib/scripts: set 755 permissions for builder.sh (#35266, @aanm)
  • Change GH runners to GH's default (Backport PR #35176, Upstream PR #33451, @aanm)
  • chart: define the envoy image variable in the makefile (Backport PR #35113, Upstream PR #27725, @weizhoublue)
  • chore(deps): update all github action dependencies (v1.14) (#35029, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (#35087, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (#35252, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.14) (#35028, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.14) (#35001, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.19 (v1.14) (#35204, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/hubble to v1.16.2 (v1.14) (#35242, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.14) (#35093, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.8 (v1.14) (#35205, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) (#35085, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) (#35108, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.14) (#35220, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd (v1.14) (#35285, @cilium-renovate[bot])
  • helm: set key usages for hubble certificates with cert-manager (Backport PR #35038, Upstream PR #34946, @kaworu)
  • images/builder: get rid of annoying git ownership warnings (Backport PR #35279, Upstream PR #31538, @ti-mo)
  • Improve speed on lint commits GH workflow (Backport PR #35176, Upstream PR #34848, @aanm)
  • Re-write GitHub cache usages across workflows (Backport PR #35176, Upstream PR #34866, @aanm)

Other Changes:

  • [v1.14] image: Update runtime, builder images (#35097, @sayboras)
  • install: Update image digests for v1.14.15 (#35050, @cilium-release-bot[bot])

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.16@sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2
quay.io/cilium/cilium:v1.14.16@sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.16@sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186
quay.io/cilium/clustermesh-apiserver:v1.14.16@sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186

docker-plugin

docker.io/cilium/docker-plugin:v1.14.16@sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d
quay.io/cilium/docker-plugin:v1.14.16@sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d

hubble-relay

docker.io/cilium/hubble-relay:v1.14.16@sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9
quay.io/cilium/hubble-relay:v1.14.16@sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.16@sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0
quay.io/cilium/kvstoremesh:v1.14.16@sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.16@sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7
quay.io/cilium/operator-alibabacloud:v1.14.16@sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7

operator-aws

docker.io/cilium/operator-aws:v1.14.16@sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1
quay.io/cilium/operator-aws:v1.14.16@sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1

operator-azure

docker.io/cilium/operator-azure:v1.14.16@sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448
quay.io/cilium/operator-azure:v1.14.16@sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448

operator-generic

docker.io/cilium/operator-generic:v1.14.16@sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8
quay.io/cilium/operator-generic:v1.14.16@sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8

operator

docker.io/cilium/operator:v1.14.16@sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef
quay.io/cilium/operator:v1.14.16@sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef

Contributors

kaworu, brb, and 8 other contributors
Loading

1.17.0-pre.1

01 Oct 08:18
@cilium-release-bot cilium-release-bot
v1.17.0-pre.1
This tag was signed with the committer’s verified signature.
aanm André Martins
GPG key ID: A38D2FBA880D16AB
Verified
Learn about vigilant mode.
50d97dd
Compare
Choose a tag to compare
1.17.0-pre.1 Pre-release
Pre-release

Summary of Changes

Major Changes:

Minor Changes:

  • Added Helm Chart value for overriding target namespace. (#34624, @thewilli)
  • Cilium now handles MTU changes to devices without restarting (#34314, @dylandreimerink)
  • cilium-cli: Deprecate --disable-check flag (#34953, @michi-covalent)
  • CiliumCIDRGroup now supports large numbers of CIDRs. CiliumCIDRGroup now integrates with Hubble flows. (#33441, @squeed)
  • daemon: bpf: add --bpf-conntrack-accounting-enabled flag (#34921, @jibi)
  • daemon: Make cilium status independent from k8s status (#32724, @tkna)
  • Enables a new metric in the cilium operator to indicate unmanaged pods. (#34815, @nimishamehta5)
  • envoy: Bump envoy version from v1.30.4 to v1.30.6 (#34967, @sayboras)
  • feat(cilium-cli-clustermesh): Improve --destination-context option for connecting multiple remote contexts (#34510, @littlejo)
  • Fix handling of route replace rules in ENI IPAM mode when ipv4-native-routing-cidr is set to 0.0.0.0/0. (#34436, @chapsuk)
  • gateway-api: Add support for HTTP Retry (#34720, @sayboras)
  • gateway-api: Add support for mirror fraction (#34602, @sayboras)
  • gateway-api: Sync up with the latest upstream v1.2.0-rc1 (#34807, @sayboras)
  • Implement cilium-dbg bpf frag list command to list IPV4 datagram fragments. (#34751, @Huweicai)
  • k8s: Add "service.cilium.io/type" (#34772, @brb)
  • k8s: Add support for 1.31.0 (#34463, @christarazi)
  • Low-hanging fruit performance improvements of the hubble consumer module (#34535, @giorio94)
  • metrics: add structured format for Hubble metrics and options. (#34849, @rectified95)
  • Multi-Pool IPAM now allows the use of /32 or /128 CIDRs in CiliumPodIPPools (#34618, @juliusmh)
  • Remove workaround for Azure CNI bridge mode from nodeinit script. (#34870, @wedaly)
  • version: Don't create k8s client if --client is specified (#34914, @michi-covalent)

Bugfixes:

  • bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (#34976, @rastislavs)
  • bpf: nat: recreate a NAT entry if the packet hits the stale entry (#34913, @ysksuzuki)
  • cli: fix a case when connectivity perf command was hanging if LRP was enabled in the cluster (#35063, @marseel)
  • Correctly format cilium status -o json CLI output for errors and warnings (#34654, @nimishamehta5)
  • Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (#34941, @bimmlerd)
  • Fix Hubble exporter config uses wrong separator (#34621, @chaunceyjiang)
  • Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (#34789, @tommyp1ckles)
  • Fix missing Helm chart version for status command (#34748, @pgils)
  • Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (#34651, @smagnani96)
  • Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (#34721, @giorio94)
  • Fix runtime panic with L2announcer name generation (#35031, @YutaroHayakawa)
  • Fix services could not be removed in sync-lb-maps-with-k8s-services controller (#33885, @haozhangami)
  • Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (#34775, @julianwiedmann)
  • fix(clustermesh): mesh connection mode (#34932, @littlejo)
  • Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (#34783, @dylandreimerink)
  • Fixed bug where service id allocator would loop infinity when out of service ids (#35033, @WeeNews)
  • Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (#34611, @dboslee)
  • Fixes startup fatal error when updating CiliumNode resource. (#34862, @harsimran-pabla)
  • gateway-api: Align GRPCRoute matchers with GEP specification (#34808, @cfsnyder)
  • helm: Render valid image specs when tag is empty (#34891, @BenoitKnecht)
  • ipcache: Yet another refcounting fix with mix of APIs (#34715, @gandro)
  • lrp: define ENABLE_LOCAL_REDIRECT_POLICY regardless of socketLB setting (#34954, @ysksuzuki)
  • Make initial nat gc async during Daemon initialization. (#34070, @tommyp1ckles)
  • Metrics: Fix the reporting of bootstrap metric "overall" scope as it was not capturing a part of initialization (#34971, @marseel)
  • The cilium dnsproxy now handles EDNS0 large buffersize advertisements better. (#34852, @bimmlerd)
  • wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (#34612, @jrife)

CI Changes:

Misc Changes:

Read more

Contributors

gandro, jibi, and 65 other contributors
Loading

1.16.2

26 Sep 12:38
@cilium-release-bot cilium-release-bot
v1.16.2
This tag was signed with the committer’s verified signature.
nebril Maciej Kwiek
GPG key ID: 436B9694E3F0E75D
Verified
Learn about vigilant mode.
3261be3
Compare
Choose a tag to compare
1.16.2

We are happy to release Cilium v1.16.2!

This release brings us improved validation for updating from v1.15, fixed panics, race conditions and deadlocks, CI fixes and many many more changes!

Check out the summary below for details.

Summary of Changes

Minor Changes:

  • Add validation to prevent users from using deprecated values that have been removed in v1.15 and v1.16 (Backport PR #34452, Upstream PR #34229, @chancez)
  • bgpv2: update status field of CiliumBGPNodeConfig CRD (Backport PR #34580, Upstream PR #33411, @harsimran-pabla)
  • docs: Update examples for CNP L7 Host (Backport PR #34644, Upstream PR #34578, @sayboras)
  • egressgw: drop traffic when gateway node is not configured for policy (Backport PR #34452, Upstream PR #33625, @julianwiedmann)

Bugfixes:

  • add support for validation of stringToString values in ConfigMap (Backport PR #34586, Upstream PR #34279, @alex-berger)
  • bgpv2: correct service reconciler initialization (Backport PR #34452, Upstream PR #34415, @harsimran-pabla)
  • bgpv2: fix cilium-dbg bgp filtering by ASN & route-policy dump format (Backport PR #34452, Upstream PR #34335, @rastislavs)
  • bpf: Fix Prune map operation leaking BPF map entries (Backport PR #34586, Upstream PR #34476, @gandro)
  • config: fix disabling config 'Debug' (Backport PR #34469, Upstream PR #34401, @mhofstetter)
  • daemon: Create IPsec and LRP maps early on startup (Backport PR #34452, Upstream PR #34388, @pchaigno)
  • daemon: Fix error logic flow for pod store being out of date (Backport PR #34586, Upstream PR #34389, @christarazi)
  • envoy: fix log level mapping when changing log level via API (Backport PR #34452, Upstream PR #34400, @mhofstetter)
  • Fix "invalid sysctl parameter" error when Cilium needs to modify a sysctl with capital letters in its name. (Backport PR #34586, Upstream PR #34298, @julianwiedmann)
  • Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #34452, Upstream PR #34303, @julianwiedmann)
  • Fix a race condition that would cause errors related to maps LB{4,6}_SKIP_MAP when loading programs. (Backport PR #34586, Upstream PR #34453, @pchaigno)
  • Fix agent panic when IPsec is enabled but XFRM stats are not exposed by the kernel. (Backport PR #34831, Upstream PR #34647, @chaunceyjiang)
  • Fix issue where a hostport service would be created on an incorrect node when cilium-agent is configured with disable-endpoint-crd (Backport PR #34644, Upstream PR #34385, @haozhangami)
  • Fix operator deployment connecting to clustermesh kvstoremesh when endpointslice sync or MCS-API Service exports is enabled (Backport PR #34586, Upstream PR #34295, @MrFreezeex)
  • Fix parsing of complex api-rate-limit options. The parsing failed when rate limits were configured for multiple API endpoints with multiple options, for example: "endpoint-create=rate-limit:1/s,rate-burst=1,endpoint-delete=rate-limit:2/s,rate-burst=2". The ability to also specify the rate limits as JSON strings was also returned. (Backport PR #34586, Upstream PR #34249, @joamaki)
  • Fix possible connection disruption on agent restart with WireGuard + native routing (Backport PR #34831, Upstream PR #34095, @giorio94)
  • Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (Backport PR #34831, Upstream PR #34721, @giorio94)
  • Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #34831, Upstream PR #34775, @julianwiedmann)
  • Fixes broken pod-to-remote-hostport connectivity when IPsec is used with L7 ingress policy and KPR. (Backport PR #34586, Upstream PR #33805, @jschwinger233)
  • Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR #34831, Upstream PR #34611, @dboslee)
  • helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR #34472, Upstream PR #34448, @mhofstetter)
  • ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR #34586, Upstream PR #34474, @sayboras)
  • ingress: Remove generated CEC if empty (Backport PR #34644, Upstream PR #34576, @sayboras)
  • lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR #34452, Upstream PR #34236, @mhofstetter)
  • policy: Fixed CIDRGroupRef breaking the sanitization (Backport PR #34452, Upstream PR #34076, @chaunceyjiang)
  • Replace dotted sysctl names with string slices (Backport PR #34831, Upstream PR #34527, @dylandreimerink)

CI Changes:

Misc Changes:

  • .github: remove installation steps for arm64 (Backport PR #34452, Upstream PR #34336 10000 , @aanm)
  • [v1.16] deps: update Docker dependency (#34354, @ferozsalam)
  • bgpv2: correct error message log (Backport PR #34586, Upstream PR #34276, @harsimran-pabla)
  • chore(deps): update all github action dependencies (v1.16) (#34569, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#34749, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (patch) (#34568, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#34687, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#34883, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.16) (#34118, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.16) (#34497, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.16) (#34878, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 34b191d (v1.16) (#34760, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.16) (#34887, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.7 (v1.16) (#34797, @cilium-renovate[bot])
  • chore: Avoid docker warning due to casing (Backport PR #34856, Upstream PR #34125, @sayboras)
  • cilium-dbg: add Envoy admin commands (Backport PR #34586, Upstream PR #34398, @mhofstetter)
  • clustermesh/endpointslicesync: fix panic on failure in Test_meshEndpointSlice_Reconcile (Backport PR #34831, Upstream PR #34699, @tklauser)
  • contrib: allow l7proxy in egressgw config (Backport PR #34831, Upstream PR #34636, @julianwiedmann)
  • docs: Avoid using wildcard TLS certificate (Backport PR #34831, Upstream PR #34609, @sayboras)
  • docs: Improve disk based policy documentation (Backport PR #34452, Upstream PR #34234, @tamilmani1989)
  • docs: Update LB-IPAM allowFirstLastIPs documentation (Backport PR #34452, Upstream PR #34227, @dylandreimerink)
  • Documentation: Add instructions on accessing the Hubble API with TLS (Backport PR #34452, Upstream PR #34361, @chancez)
  • Documentation: Add section to validate Hubble TLS is enabled (Backport PR #34644, Upstream PR #34416, @chancez)
  • endpoint: Do not pass a function to WithFields (Backport PR #34452, Upstream PR #34346, @jrajahalme)
  • fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34452, Upstream PR #34372, @Artyop)
  • images: fix path script (Backport PR #34768, Upstream PR #34764, @aanm)
  • ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34586, Upstream PR #34221, @jschwinger233)
  • pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR #34586, Upstream PR #33896, @aanm)
  • Reorganize Hubble docs (Backport PR #34452, Upstream PR #34282, @chancez)
  • Use exponential backoff for etcd connection retries during quorum loss (Backport PR #34452, Upstream PR #34231, @hemanthmalla)
  • wireguard: minor improvements (Backport PR #34452, Upstream PR #34285, @julianwiedmann)

Other Changes:

  • [v1.16] CODEOWNERS: switch cilium/tophat to cilium/committers (#34338, @julianwiedmann)
  • [v1.16] envoy: Bump envoy version from v1.29.7 to v1.29.9 (#34966, @sayboras)
  • [v1.16] envoy: Switch to image with timestamp tag (#34395, @sayboras)
  • envoy: Bump golang version (#34328, @sayboras)
  • Fix panic in endpoint regeneration when DNS requests are processed during early initialization. (#34892, @joamaki)
  • install: Update image digests for v1.16.1 (#34378, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.2@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea
quay.io/cilium/cilium:stable@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.2@sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73
`...

Read more

Contributors

gandro, tklauser, and 25 other contributors
Loading

1.15.9

26 Sep 12:35
@cilium-release-bot cilium-release-bot
v1.15.9
This tag was signed with the committer’s verified signature.
nebril Maciej Kwiek
GPG key ID: 436B9694E3F0E75D
Verified
Learn about vigilant mode.
2ea0cf3
Compare
Choose a tag to compare
1.15.9

We are happy to release Cilium v1.15.9!

This release brings us upstream filter chains for L7 LB policy enforcement, BGP (and other!) bugfixes, CI changes and many many more!

Check out the summary below for details.

Summary of Changes

Minor Changes:

  • cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR #34457, Upstream PR #32119, @jrajahalme)
  • docs: Update examples for CNP L7 Host (Backport PR #34645, Upstream PR #34578, @sayboras)

Bugfixes:

  • BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (#34331, @rastislavs)
  • config: fix disabling config 'Debug' (Backport PR #34470, Upstream PR #34401, @mhofstetter)
  • daemon: Fix error logic flow for pod store being out of date (Backport PR #34587, Upstream PR #34389, @christarazi)
  • envoy: fix log level mapping when changing log level via API (Backport PR #34456, Upstream PR #34400, @mhofstetter)
  • Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (Backport PR #34456, Upstream PR #32239, @thorn3r)
  • Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #34830, Upstream PR #34775, @julianwiedmann)
  • helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR #34473, Upstream PR #34448, @mhofstetter)
  • ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR #34598, Upstream PR #34474, @sayboras)
  • ipcache: Yet another refcounting fix with mix of APIs (Backport PR #34933, Upstream PR #34715, @gandro)
  • lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR #34456, Upstream PR #34236, @mhofstetter)

CI Changes:

Misc Changes:

  • Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34299, Upstream PR #34137, @youngnick)
  • Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34367, Upstream PR #34137, @youngnick)
  • chore(deps): update all github action dependencies (v1.15) (#34571, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.15) (#34750, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.15) (patch) (#34570, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#34696, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#34904, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.15) (#34119, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.15) (#34507, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.15) (#34884, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/hubble to v1.16.1 (v1.15) (#34851, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.19.4 (v1.15) (#34761, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.15) (#34900, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.7 (v1.15) (#34733, @cilium-renovate[bot])
  • chore: Avoid docker warning due to casing (Backport PR #34857, Upstream PR #34125, @sayboras)
  • cilium-dbg: add Envoy admin commands (Backport PR #34587, Upstream PR #34398, @mhofstetter)
  • docs: Avoid using wildcard TLS certificate (Backport PR #34830, Upstream PR #34609, @sayboras)
  • docs: Improve Ingress documentation (Backport PR #34367, Upstream PR #33698, @youngnick)
  • Documentation: Update readthedocs configuration (Backport PR #34299, Upstream PR #34190, @joestringer)
  • endpoint: Do not pass a function to WithFields (Backport PR #34456, Upstream PR #34346, @jrajahalme)
  • fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34456, Upstream PR #34372, @Artyop)
  • images: fix path script (Backport PR #34767, Upstream PR #34764, @aanm)
  • ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34587, Upstream PR #34221, @jschwinger233)
  • pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR #34587, Upstream PR #33896, @aanm)

Other Changes:

  • [v1.15] CODEOWNERS: switch cilium/tophat to cilium/committers (#34889, @julianwiedmann)
  • [v1.15] envoy: Bump envoy version from v1.29.7 to v1.29.9 (#34965, @sayboras)
  • [v1.15] envoy: Switch to image with timestamp tag (#34394, @sayboras)
  • envoy: Bump golang version (#34327, @sayboras)
  • install: Update image digests for v1.15.8 (#34376, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.9@sha256:c2a4c57a6baf758e975fbefbf638476906d1bb0c970e9547d216d9ea7b6471e3

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.9@sha256:ec82fb96dd0fbac4c6de333aaf8f7964a74c2194a3afdf765b3c260433a4aeed

docker-plugin

quay.io/cilium/docker-plugin:v1.15.9@sha256:1a86463fd5b38b5930069045af141ee577ead4c26f8ba4d4a532d1aa3f38a709

hubble-relay

quay.io/cilium/hubble-relay:v1.15.9@sha256:421afd9f4e46a7b9834f0542ceca6e8652ec0598982126dc2dd1dcf0dd690631

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.9@sha256:9fe2c3c6d49d4f501067ec525a3d792da17d055ebcefa37f4fbb5698109d217b

operator-aws

quay.io/cilium/operator-aws:v1.15.9@sha256:8c2b4a4d4d6ebf1c37a6ae72da2279286729a4982bf124d98f4bcc2db5eeb5e6

operator-azure

quay.io/cilium/operator-azure:v1.15.9@sha256:9b02e12c56b08d50eb1540d6cbb1119eee639a9795c752c4904311d03889d7fe

operator-generic

quay.io/cilium/operator-generic:v1.15.9@sha256:0ec30b4df0d097aedcbcb41748f10ce397f9656c128bea7e227b6bfd820f6d76

operator

quay.io/cilium/operator:v1.15.9@sha256:9ed87c339762c5b5422bd284e9672f6fedcee2aba376a5aa1328223c39bd9914

Contributors

gandro, joestringer, and 14 other contributors
Loading

1.14.15

26 Sep 12:34
@cilium-release-bot cilium-release-bot
v1.14.15
This tag was signed with the committer’s verified signature.
nebril Maciej Kwiek
GPG key ID: 436B9694E3F0E75D
Verified
Learn about vigilant mode.
279685f
Compare
Choose a tag to compare
1.14.15

We are happy to release Cilium v1.14.15!

This release brings us upstream filter chains for L7 LB policy enforcement, bugfixes, CI fixes and many many more! See summary of changes below!

Summary of Changes

Minor Changes:

  • cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR #34458, Upstream PR #32119, @jrajahalme)
  • docs: Update examples for CNP L7 Host (Backport PR #34646, Upstream PR #34578, @sayboras)

Bugfixes:

CI Changes:

Misc Changes:

  • [v1.14] hive: prevent goleak error due to race condition (#34658, @marseel)
  • Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34369, Upstream PR #34137, @youngnick)
  • Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34459, Upstream PR #34137, @youngnick)
  • chore(deps): update all github action dependencies (v1.14) (#34572, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (#34763, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.14) (#34120, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.14) (#34508, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.14) (#34885, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/hubble to v1.16.1 (v1.14) (#34854, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.9 (v1.14) (#34762, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.14) (#34901, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to adbb901 (v1.14) (#34697, @cilium-renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.16 (v1.14) (#34905, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.7 (v1.14) (#34734, @cilium-renovate[bot])
  • chore(deps): update kindest/node docker tag to v1.27.16 (v1.14) (#34509, @cilium-renovate[bot])
  • chore: Avoid docker warning due to casing (Backport PR #34859, Upstream PR #34125, @sayboras)
  • cilium-dbg: add Envoy admin commands (Backport PR #34495, Upstream PR #34398, @mhofstetter)
  • docs: Avoid using wildcard TLS certificate (Backport PR #34829, Upstream PR #34609, @sayboras)
  • docs: Improve Ingress documentation (Backport PR #34369, Upstream PR #33698, @youngnick)
  • docs: Improve Ingress documentation (Backport PR #34459, Upstream PR #33698, @youngnick)
  • Documentation: Update readthedocs configuration (Backport PR #34364, Upstream PR #34190, @joestringer)
  • fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34459, Upstream PR #34372, @Artyop)
  • images: fix path script (Backport PR #34766, Upstream PR #34764, @aanm)
  • ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34495, Upstream PR #34221, @jschwinger233)

Other Changes:

  • [v1.14] CODEOWNERS: switch cilium/tophat to cilium/committers (#34888, @julianwiedmann)
  • [v1.14] envoy: Bump envoy version from v1.29.7 to v1.29.9 (#34963, @sayboras)
  • [v1.14] envoy: Switch to image with timestamp tag (#34393, @sayboras)
  • envoy: Bump golang version (#34329, @sayboras)
  • install: Update image digests for v1.14.14 (#34377, @cilium-release-bot[bot])

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.15@sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d
quay.io/cilium/cilium:v1.14.15@sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.15@sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b
quay.io/cilium/clustermesh-apiserver:v1.14.15@sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b

docker-plugin

docker.io/cilium/docker-plugin:v1.14.15@sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f
quay.io/cilium/docker-plugin:v1.14.15@sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f

hubble-relay

docker.io/cilium/hubble-relay:v1.14.15@sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7
quay.io/cilium/hubble-relay:v1.14.15@sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.15@sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0
quay.io/cilium/kvstoremesh:v1.14.15@sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.15@sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd
quay.io/cilium/operator-alibabacloud:v1.14.15@sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd

operator-aws

docker.io/cilium/operator-aws:v1.14.15@sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175
quay.io/cilium/operator-aws:v1.14.15@sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175

operator-azure

docker.io/cilium/operator-azure:v1.14.15@sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668
quay.io/cilium/operator-azure:v1.14.15@sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668

operator-generic

docker.io/cilium/operator-generic:v1.14.15@sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870
quay.io/cilium/operator-generic:v1.14.15@sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870

operator

docker.io/cilium/operator:v1.14.15@sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f
quay.io/cilium/operator:v1.14.15@sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f

Contributors

gandro, joestringer, and 11 other contributors
Loading

1.17.0-pre.0

05 Sep 09:42
@cilium-release-bot cilium-release-bot
v1.17.0-pre.0
This tag was signed with the committer’s verified signature.
aanm André Martins
GPG key ID: A38D2FBA880D16AB
Verified
Learn about vigilant mode.
d41440c
Compare
Choose a tag to compare
1.17.0-pre.0 Pre-release
Pre-release

Summary of Changes

Major Changes:

  • Add "Double Write" Identity Allocation Mode for seamless KVStore <-> CRD identity migration (#31920, @antonipp)
  • Enable L7 DNS proxy for nodes (#34024, @atykhyy)
  • service: differentiate UDP and TCP protocols (#33434, @jibi)

Minor Changes:

  • Add a flag that instruct LB-IPAM to only allocate IPs for services with .Spec.LoadBalancerClass specified (#33351, @dylandreimerink)
  • Add cilium_act_{new,active,failed}_connections_total metrics with service and zone labels (#33094, @AwesomePatrol)
  • Add option to limit r 10000 ate of messages written to the events map in BPF to prevent high CPU utilization by cilium-agent. 2 new fields, bpf-events-map-rate-limit and bpf-events-map-burst-limit, were added to Cilium config map, to be used to configure BPF event rate limiting. (#29711, @siwiutki)
  • alibabacloud: Support instance-tags-filter (#33428, @jaffcheng)
  • bugtool: scrape heap profiles in protocol buffer format by default (#33707, @giorio94)
  • Cilium Gateway supports Addresses provided by the Gateway API specification (#33042, @chaunceyjiang)
  • cilium-cli: Improve network performance command (#34547, @marseel)
  • Cleanup clustermesh-related deprecated flag and kvstore key (#33730, @giorio94)
  • cli: Allow changing Kube Service type for connectivity tests (#34498, @antonipp)
  • clustermesh: add service export read path in clustermesh/operator (#34025, @MrFreezeex)
  • clustermesh: switch to the "local" user to access kvstoremesh data (#33137, @giorio94)
  • connectivity: test namespace param (#34428, @viktor-kurchenko)
  • Deny rule processing has been improved to run faster, especially on larger policies. (#33313, @jrajahalme)
  • Deprecate ConntrackLocal runtime option (#34358, @pchaigno)
  • docs: Update examples for CNP L7 Host (#34578, @sayboras)
  • Don't create sessions when connecting to etcd in the clustermesh context (#33696, @giorio94)
  • Drop support for the ca-file field in etcd client config, deprecated in Cilium 1.7. (#34511, @tklauser)
  • envoy: Bump envoy minor version to 1.30.x (#33607, @sayboras)
  • envoy: Bump golang version (#34326, @sayboras)
  • Experimental Gateway API CRDs are no longer required to run Cilium. For example, TLSRoute will now be automatically detected and used if present. (#34212, @youngnick)
  • Export MCS-API data to clustermesh etcd to prepare for the ServiceImport auto creation (#32972, @MrFreezeex)
  • Fix log message when instance limits are unavailable (#33379, @nebril)
  • gateway-api: Bump version to latest upstream (#33433, @sayboras)
  • helm: Allow setting loadBalancerSourceRanges for clustermesh-apiserver kubernetes service (#33489, @mantoine96)
  • helm: Allow user to configure the namespace used to look up the kube-api server address and port. (#33776, @tchellomello)
  • images: Bump ubuntu version to 24.04 (#33264, @sayboras)
  • Increase default rate limit of CiliumEndpointSlice controller for large clusters (#33946, @thorn3r)
  • ipsec: Remove deprecated secret parsing code (#33494, @pchaigno)
  • iptables: periodically run rules reconciliation to fix possible drifts (#34661, @giorio94)
  • kvstore: Remove Consul support (#34300, @pchaigno)
  • kvstoremesh: add configuration options for logging (#34108, @antonipp)
  • metrics: deprecate node_connectivity metrics in favor of new lower-cardinality node_health_connectivity metrics (#33103, @jshr-w)
  • nat/stats: add 5s delay to initial snat to avoid ct scan timeout (#34072, @tommyp1ckles)
  • pkg/ciliumidentity: Add CID OP metrics (#34128, @ovidiutirla)
  • Policy correlation:
  • include policy API Kind in the policy correlation result
  • correlate cluster-scoped APIs (e.g. CCNP)
  • correctly correlate L4 and protocol-only policies (#33913, @sypakine)
  • Policy validity is now included in kubectl get output. (#34585, @squeed)
  • Preserve failed connection counts to restore the correct cilium_act_{new,active,failed}_connections_total values after agent restart (#33836, @AwesomePatrol)
  • Update Cilium Gateway API implementation to Stable (#33958, @youngnick)

Bugfixes:

  • Addresses attached to dummy devices aren't ignored from node addresses even if the device is down, unblocking usage of host network nodelocaldns with eBPF host routing. (#34228, @hemanthmalla)
  • bpf-tproxy: don't look for local 'established' UDP sockets (#34591, @atykhyy)
  • Fix agent panic when IPsec is enabled but XFRM stats are not exposed by the kernel. (#34647, @chaunceyjiang)
  • Fix clustermesh endpointslice synchronization connectivity test (#34455, @giorio94)
  • Fix error in Cilium-cli that caused the encryption status per-node command to retrieve only the status of the 1st node. (#34637, @smagnani96)
  • Fix issue where a hostport service would be created on an incorrect node when cilium-agent is configured with disable-endpoint-crd (#34385, @haozhangami)
  • Fix loopback with LRP when per-packet LB is used. (#33721, @pravk03)
  • Fix possible connection disruption on agent restart with WireGuard + native routing (#34095, @giorio94)
  • Fix race condition on cilium_ratelimit map (#34554, @pchaigno)
  • ingress: Remove generated CEC if empty (#34576, @sayboras)
  • l4lb: fix inability to properly update service after agent restart (#34077, @oblazek)
  • Policy rule labels are tracked more accurately in endpoint policy maps. (#34437, @jrajahalme)
  • Reopened connections are now correctly counted towards opened in Active Connection Tracking (#34082, @AwesomePatrol)
  • Replace dotted sysctl names with string slices (#34527, @dylandreimerink)

CI Changes:

Read more

Contributors

jibi, byxorna, and 83 other contributors
Loading

1.16.1

14 Aug 13:07
@cilium-release-bot cilium-release-bot
v1.16.1
This tag was signed with the committer’s verified signature.
jrajahalme Jarno Rajahalme
GPG key ID: 263F7D984804D3FE
Verified
Learn about vigilant mode.
6857905
Compare
Choose a tag to compare
1.16.1

Security Advisories

This release addresses the following security vulnerabilities:

Summary of Changes

Minor Changes:

  • Deprecate providing Hubble TLS secrets in helm values (Backport PR #34297, Upstream PR #34114, @chancez)
  • gateway-api: Add required labels and annotations (Backport PR #34215, Upstream PR #33990, @sayboras)
  • helm: add config for nat-map-stats-{interval, entries} config. (Backport PR #34158, Upstream PR #33847, @tommyp1ckles)
  • Internal listener references are now properly qualified with namespace and CEC name. (Backport PR #34158, Upstream PR #34104, @jrajahalme)
  • Support configuring imagePullSecrets for spire agent/server pods (Backport PR #34158, Upstream PR #33952, @chancez)

Bugfixes:

  • auth: Fix data race in Upsert (Backport PR #34158, Upstream PR #33905, @chaunceyjiang)
  • BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (Backport PR #34297, Upstream PR #34177, @rastislavs)
  • bgpv1: Fix data race in bgppSelection (Backport PR #34158, Upstream PR #33904, @chaunceyjiang)
  • bgpv2: Avoid duplicate route policy naming (Backport PR #34158, Upstream PR #34031, @rastislavs)
  • BGPv2: Fix Service advertisement selector: do not require matching CiliumLoadBalancerIPPool (Backport PR #34201, Upstream PR #34182, @rastislavs)
  • Fix a nil dereference crash during cilium-agent initialization affecting setups with FQDN policies. The crash is triggered when a restored endpoint performs a DNS request just a the right time during early cilium-agent restoration. Problem is not expected to be persistent and the agent should get pass the problematic part of the initialization on restart. (Backport PR #34158, Upstream PR #34059, @joamaki)
  • Fix appArmorProfile condition for CronJob helm template (Backport PR #34297, Upstream PR #34100, @sathieu)
  • Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #34181, Upstream PR #34091, @giorio94)
  • Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
    Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #34085, Upstream PR #34012, @joamaki)
  • Fix possible connection disruption on agent restart with WireGuard + kvstore (Backport PR #34158, Upstream PR #34062, @giorio94)
  • Fixes DNS proxy "connect: cannot assign requested address" errors in transparent mode, which were due to opening multiple TCP connections to the upstream DNS server. (Backport PR #34201, Upstream PR #33989, @bimmlerd)
  • gateway-api: Add HTTP method condition in sortable routes (Backport PR #34158, Upstream PR #34109, @sayboras)
  • gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #34158, Upstream PR #34032, @sayboras)
  • lbipam: fixed bug in sharing key logic (Backport PR #34158, Upstream PR #34106, @dylandreimerink)
  • policy: Fix policy cache covers context lookup. (#34322, @nathanjsweet)
  • service: Relax protocol matching for L7 Service (Backport PR #34195, Upstream PR #34131, @sayboras)

CI Changes:

Misc Changes:

  • [v1.16] docs: Add note for CNP empty slices semantic under v1.16 section (#34008, @pippolo84)
  • Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34297, Upstream PR #34137, @youngnick)
  • bgpv1: Reconcile with retry in BGP Controller (Backport PR #34158, Upstream PR #33971, @rastislavs)
  • bgpv2: deprecate local port setting in transport config (Backport PR #34209, Upstream PR #33438, @harsimran-pabla)
  • bgpv2: use correct path key in path reconciler (Backport PR #34158, Upstream PR #33947, @harsimran-pabla)
  • bitlpm: Avoid allocs in CIDR trie lookups (Backport PR #34158, Upstream PR #33518, @jrajahalme)
  • bitlpm: Simplify matchPrefix() (Backport PR #34158, Upstream PR #33517, @jrajahalme)
  • bugtool: dump cilium_skip_lb{4,6} (Backport PR #34158, Upstream PR #34017, @ysksuzuki)
  • bugtool: dumping more Envoy information (Backport PR #34158, Upstream PR #34110, @mhofstetter)
  • chore(deps): update all github action dependencies (v1.16) (#34166, @cilium-renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v27.3 (v1.16) (#34165, @cilium-renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.15 (v1.16) (#34049, @cilium-renovate[bot])
  • Clean up documentation make targets for cases of nesting make builds inside container invocations (Backport PR #34297, Upstream PR #34151, @joestringer)
  • doc: update slack channel reference (Backport PR #34158, Upstream PR #34044, @Huweicai)
  • docs: Add warning on CRDs requirement for using the Gateway API (Backport PR #34297, Upstream PR #33974, @xtineskim)
  • Documentation: Introduce support for redirects (Backport PR #34297, Upstream PR #34233, @chancez)
  • Documentation: Update readthedocs configuration (Backport PR #34297, Upstream PR #34190, @joestringer)
  • Fix two bugs in dnsproxy tcp conn reuse (Backport PR #34201, Upstream PR #34175, @bimmlerd)
  • Improve documentation on configuring Hubble TLS (Backport PR #34297, Upstream PR #34115, @chancez)
  • iptables: Support Envoy listener chaining (Backport PR #34297, Upstream PR #34105, @jrajahalme)
  • Makefile: Fix docker flags for fast image targets (Backport PR #34297, Upstream PR #34132, @joestringer)
  • policy: Sanitize DNS Rules to Disallow Port Ranges (Backport PR #34201, Upstream PR #34023, @nathanjsweet)
  • Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR #34305, Upstream PR #34277, @aanm)
  • vendor: Bump StateDB to version v0.2.1 (Backport PR #34246, Upstream PR #33587, @joamaki)

Other Changes:

  • install: Update image digests for v1.16.0 (#33994, @cilium-release-bot[bot])
  • v1.16: Remove leftover backporter state file (#34210, @gandro)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
quay.io/cilium/cilium:stable@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.1@sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f
quay.io/cilium/clustermesh-apiserver:stable@sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f

docker-plugin

quay.io/cilium/docker-plugin:v1.16.1@sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320
quay.io/cilium/docker-plugin:stable@sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320

hubble-relay

quay.io/cilium/hubble-relay:v1.16.1@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35
quay.io/cilium/hubble-relay:stable@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.1@sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804
quay.io/cilium/operator-alibabacloud:stable@sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804

operator-aws

quay.io/cilium/operator-aws:v1.16.1@sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4
quay.io/cilium/operator-aws:stable@sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4

operator-azure

quay.io/cilium/operator-azure:v1.16.1@sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22
quay.io/cilium/operator-azure:stable@sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22

operator-generic

quay.io/cilium/operator-generic:v1.16.1@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4
quay.io/cilium/operator-generic:stable@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4

operator

quay.io/cilium/operator:v1.16.1@sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b
quay.io/cilium/operator:stable@sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b

Contributors

gandro, nathanjsweet, and 23 other contributors
Loading

1.15.8

14 Aug 13:06
@cilium-release-bot cilium-release-bot
v1.15.8
This tag was signed with the committer’s verified signature.
jrajahalme Jarno Rajahalme
GPG key ID: 263F7D984804D3FE
Verified
Learn about vigilant mode.
e629157
Compare
Choose a tag to compare
1.15.8

Security Advisories

This release addresses the following security vulnerabilities:

Summary of Changes

Minor Changes:

  • helm: Add validation to prevent users from using deprecated values that have been removed (#34213, @chancez)
  • helm: Cleanup old k8s version check and deprecated atributes (Backport PR #34157, Upstream PR #31940, @sayboras)
  • Make hubble-relay more resilient to transient errors (Backport PR #34157, Upstream PR #33894, @chancez)

Bugfixes:

  • add support for validation of stringToString values in ConfigMap (Backport PR #33962, Upstream PR #33779, @alex-berger)
  • auth: Fix data race in Upsert (Backport PR #34157, Upstream PR #33905, @chaunceyjiang)
  • auth: fix fatal error: concurrent map iteration and map write (Backport PR #33809, Upstream PR #33634, @chaunceyjiang)
  • cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport PR #33809, Upstream PR #33616, @mrproliu)
  • DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #33809, Upstream PR #33592, @gandro)
  • Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started.
    Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport PR #33818, Upstream PR #33629, @joamaki)
  • Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #34183, Upstream PR #34091, @giorio94)
  • Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
    Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #34086, Upstream PR #34012, @joamaki)
  • Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #33809, Upstream PR #33735, @giorio94)
  • Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport PR #33663, Upstream PR #33511, @skmatti)
  • gateway-api: Add HTTP method condition in sortable routes (Backport PR #34157, Upstream PR #34109, @sayboras)
  • gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #34157, Upstream PR #34032, @sayboras)
  • helm: remove duplicate metrics for Envoy pod (Backport PR #34157, Upstream PR #33803, @mhofstetter)
  • lbipam: fixed bug in sharing key logic (Backport PR #34157, Upstream PR #34106, @dylandreimerink)
  • pkg/metrics: fix data race warning on metrics init hook. (Backport PR #33962, Upstream PR #33823, @tommyp1ckles)
  • Reduce conntrack lifetime for closing service connections. (Backport PR #33962, Upstream PR #33907, @julianwiedmann)
  • Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport PR #33809, Upstream PR #33306, @skmatti)
  • The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR #34157, Upstream PR #33666, @bimmlerd)

CI Changes:

Misc Changes:

  • [v1.15] Update Docker dependency (#34196, @ferozsalam)
  • bugtool: dumping more Envoy information (Backport PR #34157, Upstream PR #34110, @mhofstetter)
  • chore(deps): update all github action dependencies (v1.15) (#34170, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#33649, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#34168, @cilium-renovate[bot])
  • chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.15) (#33793, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.15) (#33794, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/hubble to v1 (v1.15) (#34051, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.12 docker digest to 7e0e13a (v1.15) (#33792, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.5 (v1.15) (#33857, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.6 (v1.15) (#34167, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.15) (patch) (#33798, @cilium-renovate[bot])
  • daemon/ipam: don't swallow parse error of CIDR (Backport PR #33809, Upstream PR #33283, @bimmlerd)
  • doc: update slack channel reference (Backport PR #34157, Upstream PR #34044, @Huweicai)
  • docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR #33809, Upstream PR #33655, @aditighag)
  • docs: Add node about socketLB.hostNamespaceOnly to Kata page (Backport PR #33809, Upstream PR #33725, @brb)
  • docs: Extend LRP guide with troubleshooting section (Backport PR #33809, Upstream PR #33373, @aditighag)
  • docs: generalize version specific notes section (Backport PR #33962, Upstream PR #33888, @giorio94)
  • docs: Remove CNCF graduation from the roadmap (Backport PR #33809, Upstream PR #33680, @joestringer)
  • docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR #33809, Upstream PR #33626, @giorio94)
  • docs: Update LVH VM image pull instructions (Backport PR #33809, Upstream PR #33621, @brb)
  • Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR #33809, Upstream PR #33708, @Mais316)
  • helm: Allow socket linger timeout to be set to zero (Backport PR #33962, Upstream PR #33887, @gandro)
  • policy: Fix mapstate.Diff() used in tests (Backport PR < 93A4 a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2408308180" data-permission-text="Title is private" data-url="https://github.com/cilium/cilium/issues/33809" data-hovercard-type="pull_request" data-hovercard-url="/cilium/cilium/pull/33809/hovercard" href="https://github.com/cilium/cilium/pull/33809">#33809, Upstream PR #33449, @jrajahalme)
  • Remove stable tags from v1.15 releases (#33985, @joestringer)
  • renovate: onboard etcd image used in integration tests (Backport PR #33809, Upstream PR #33679, @giorio94)
  • Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR #34306, Upstream PR #34277, @aanm)

Other Changes:

  • [v1.15] ci: use base and head SHAs from context in lint-build-commits workflow (#34267, @tklauser)
  • [v1.15] Revert "docs: Update LRP feature status" (#34238, @ysksuzuki)
  • Fix bug in Bandwidth Manager that caused it to not find native devices. (#33910, @joamaki)
  • install: Update image digests for v1.15.7 (#33744, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.8@sha256:4c1f33aae2b76392b57e867820471b5472f0886f7358513d47ee80c09af15a0e

docker-plugin

quay.io/cilium/docker-plugin:v1.15.8@sha256:15b1b6e83e1c0eea97df179660c1898661c1d0da5d431c68f98c702581e29310

hubble-relay

quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.8@sha256:388ef72febd719bc9d16d5ee47fe6f846f73f0d8a6f9586ada04cb39eb2962d1

operator-aws

quay.io/cilium/operator-aws:v1.15.8@sha256:3807dd23c2b5f90489824ddd13dca6e84e714dc9eae44e5718acfe86c855b7a1

operator-azure

quay.io/cilium/operator-azure:v1.15.8@sha256:c517db3d12fcf038a9a4a81b88027a19672078bf8c2fcd6b2563f3eff9514d21

operator-generic

quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18

operator

quay.io/cilium/operator:v1.15.8@sha256:e9cf35fe3dc86933ccf3fdfdb7620d218c50aaca5f14e4ba5f422460ea4cb23c

Contributors

gandro, brb, and 24 other contributors
Loading
0