Releases: cilium/cilium
1.17.4
Summary of Changes
Minor Changes:
- Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport PR #39260, Upstream PR #34958, @smagnani96)
- Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport PR #38703, Upstream PR #38458, @joamaki)
- Update kafka apiKey helm chart value to true (Backport PR #39214, Upstream PR #38963, @kyle-c-simmons)
Bugfixes:
- bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport PR #39214, Upstream PR #38916, @julianwiedmann)
- Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport PR #39377, Upstream PR #39122, @liyihuang)
- Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport PR #38948, Upstream PR #38801, @tklauser)
- Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport PR #39404, Upstream PR #39360, @pasteley)
- Fix a deadlock when a host has no IPv4 address. (Backport PR #39075, Upstream PR #38938, @EmilyShepherd)
- Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport PR #39075, Upstream PR #38890, @pippolo84)
- Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport PR #39214, Upstream PR #39170, @pchaigno)
- Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport PR #39375, Upstream PR #38841, @nimishamehta5)
- gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport PR #39377, Upstream PR #38874, @syedazeez337)
- gateway-api: Fix parentRefMatched to check Group and Kind (Backport PR #39377, Upstream PR #39275, @syedazeez337)
- helm: fix hubble dynamic metrics config conflict (Backport PR #39075, Upstream PR #38893, @devodev)
- ipsec: Fix key derivation error in case of corrupted boot IDs (Backport PR #39214, Upstream PR #39059, @pchaigno)
- k8s: Fixed a case where the delete event for service EndpointSlices might have been missed if connectivity to the k8s apiserver was broken, leaving a stale service cache. (Backport PR #38948, Upstream PR #38779, @marseel)
- wireguard:overlay: cleanup calls map when unused (Backport PR #38899, Upstream PR #38655, @smagnani96)
- xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport PR #38977, Upstream PR #38654, @marseel)
CI Changes:
- .github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport PR #39377, Upstream PR #36398, @dylandreimerink)
- [v1.17] l4lb: Support environments with existing veth (#39408, @joestringer)
- Align main and stable branch workflows for availability of cilium-cli (Backport PR #38141, Upstream PR #38138, @joestringer)
- bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport PR #39075, Upstream PR #39060, @julianwiedmann)
- ci-aks: Enable dual-stack in Conformance AKS (Backport PR #39377, Upstream PR #37704, @gandro)
- gateway-api: Add translation tests for GAMMA (Backport PR #39221, Upstream PR #39207, @sayboras)
- gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport PR #39214, Upstream PR #39111, @julianwiedmann)
- gh: e2e-upgrade: generate config matrix from file (Backport PR #39058, Upstream PR #38512, @julianwiedmann)
- gh: e2e-upgrade: minor log output improvements (Backport PR #39058, Upstream PR #38011, @julianwiedmann)
- gh: use e2e-upgrade for IPsec minor upgrade testing (Backport PR #39058, Upstream PR #38757, @julianwiedmann)
- gha: always respect the given image tag in the wait-for-images action (Backport PR #38141, Upstream PR #37901, @giorio94)
- rate: Disable TestStressRateLimiter (Backport PR #38896, Upstream PR #38877, @YutaroHayakawa)
Misc Changes:
- [v1.17] deps: bump CNI plugins version (#39329, @ferozsalam)
- [v1.17] deps: bump golang-jwt to 4.5.2 (#39491, @ferozsalam)
- Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR #38948, Upstream PR #38539, @liyihuang)
- bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport PR #38948, Upstream PR #38768, @julianwiedmann)
- bpf: nat: ICMP v4 improvements (Backport PR #39332, Upstream PR #36767, @julianwiedmann)
- bpf:hubble: update trace/drop notify for L2-less packets (Backport PR #39263, Upstream PR #37097, @smagnani96)
- chore(deps): update all github action dependencies (v1.17) (#39183, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#39316, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to 87bb940 (v1.17) (#38908, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to e54daaa (v1.17) (#39046, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.24.2 docker digest to 30baaea (v1.17) (#39314, @cilium-renovate[bot])
- chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 6015f66 (v1.17) (#39379, @cilium-renovate[bot])
- chore(deps): update go to v1.24.2 (v1.17) (#39113, @cilium-renovate[bot])
- chore(deps): update go to v1.24.3 (v1.17) (#39380, @cilium-renovate[bot])
- chore(deps): update google/cloud-sdk docker tag to v518 (v1.17) (#39048, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744328671-a8b58b35c03a3d100a2b026fc111417207183301 (v1.17) (#38909, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.17) (#39047, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.17) (#39226, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745971871-f98500f20b253684d483b783b29df2e4db05ea7c (v1.17) (#39248, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1746405645-719d708b1802ce417568d3eaae4c0677dd60e128 (v1.17) (#39324, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.17) (#39413, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#38911, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#38970, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39182, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39315, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39475, @cilium-renovate[bot])
- chore: remove retention-days param in build-images-releases.yaml (Backport PR #39435, Upstream PR #39431, @sekhar-isovalent)
- cilium: Fix device controller's dependency on netfilter (Backport PR #38948, Upstream PR #38777, @borkmann)
- cilium: Fix ipip device mtu (Backport PR #38948, Upstream PR #38682, @borkmann)
- contrib/scripts: Fix IndexError in stacktrace script (Backport PR #39214, Upstream PR #39101, @christarazi)
- contrib: Remove kind.sh dependency on git (Backport PR #39377, Upstream PR #39154, @joestringer)
- docs: Add good kernel versions for the L7 policy IPv6 bug (Backport PR #39377, Upstream PR #39212, @gentoo-root)
- docs: add warning about l7 policy and EnableDefaultDeny (Backport PR #39075, Upstream PR #38675, @squeed)
- docs: Document L7 policy IPv6 bug (Backport PR #38948, Upstream PR #38591, @gentoo-root)
- docs: Document that traffic to the VPC in ENI mode is not masqueraded (#39156, @liyihuang)
- docs: Fix casing and formatting in L3 examples section (Backport PR #39377, Upstream PR #39065, @mikejoh)
- docs: Fix variable naming in EKS-to-EKS Clustermesh guide (Backport PR #39075, Upstream PR #38821, @zzuckerfrei)
- docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isoval...
1.16.10
Summary of Changes
Minor Changes:
- daemon: Make cilium status independent from k8s status (Backport PR #38536, Upstream PR #32724, @tkna)
- Update kafka apiKey helm chart value to true (Backport PR #39215, Upstream PR #38963, @kyle-c-simmons)
Bugfixes:
- Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport PR #38949, Upstream PR #38801, @tklauser)
- Fix a deadlock when a host has no IPv4 address. (Backport PR #39077, Upstream PR #38938, @EmilyShepherd)
- Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport PR #38949, Upstream PR #38890, @pippolo84)
- Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport PR #39215, Upstream PR #39170, @pchaigno)
- Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport PR #39382, Upstream PR #38841, @nimishamehta5)
- ipsec: Fix key derivation error in case of corrupted boot IDs (Backport PR #39077, Upstream PR #39059, @pchaigno)
- k8s: Fixed a case where the delete event for service EndpointSlices might have been missed if connectivity to the k8s apiserver was broken, leaving a stale service cache. (Backport PR #38949, Upstream PR #38779, @marseel)
CI Changes:
- [v1.16] l4lb: Support environments with existing veth (#39409, @joestringer)
- bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport PR #39077, Upstream PR #39060, @julianwiedmann)
- integration: Bump ubuntu to 24.04 for arm runners (Backport PR #39215, Upstream PR #37042, @sayboras)
- rate: Disable TestStressRateLimiter (Backport PR #38895, Upstream PR #38877, @YutaroHayakawa)
Misc Changes:
- [v1.16] deps: bump CNI plugins version (#39331, @ferozsalam)
- [v1.16] deps: bump github.com/osrg/gobgp/v3 to v3.35.0 (#39225, @ferozsalam)
- [v1.16] deps: bump golang-jwt to 4.5.2 (#39495, @ferozsalam)
- Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR #38949, Upstream PR #38539, @liyihuang)
- chore(deps): update all github action dependencies (v1.16) (#39051, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#39185, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#39325, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to 87bb940 (v1.16) (#38912, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to e54daaa (v1.16) (#39049, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.24.2 docker digest to 30baaea (v1.16) (#39317, @cilium-renovate[bot])
- chore(deps): update go to v1.24.3 (v1.16) (#39381, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744328671-a8b58b35c03a3d100a2b026fc111417207183301 (v1.16) (#38913, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.16) (#39050, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.16) (#39227, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745971871-f98500f20b253684d483b783b29df2e4db05ea7c (v1.16) (#39257, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.16) (#39414, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38914, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38971, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#39184, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#39319, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#39477, @cilium-renovate[bot])
- chore: remove retention-days param in build-images-releases.yaml (Backport PR #39436, Upstream PR #39431, @sekhar-isovalent)
- cilium: Fix device controller's dependency on netfilter (Backport PR #38949, Upstream PR #38777, @borkmann)
- contrib/scripts: Fix IndexError in stacktrace script (Backport PR #39215, Upstream PR #39101, @christarazi)
- contrib: Remove kind.sh dependency on git (Backport PR #39405, Upstream PR #39154, @joestringer)
- docs: Add good kernel versions for the L7 policy IPv6 bug (Backport PR #39405, Upstream PR #39212, @gentoo-root)
- docs: add warning about l7 policy and EnableDefaultDeny (Backport PR #39077, Upstream PR #38675, @squeed)
- docs: Document L7 policy IPv6 bug (Backport PR #38949, Upstream PR #38591, @gentoo-root)
- docs: Fix casing and formatting in L3 examples section (Backport PR #39405, Upstream PR #39065, @mikejoh)
- docs: Fix variable naming in EKS-to-EKS Clustermesh guide (Backport PR #39077, Upstream PR #38821, @zzuckerfrei)
- docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport PR #39405, Upstream PR #38886, @auriaave)
- Documentation : Modification of eks-clustermesh-prep.rst (Backport PR #39215, Upstream PR #39025, @rwinieski)
- documentation: fix get deployment cmd (Backport PR #39215, Upstream PR #39155, @g0gn)
- k8s/resource: Don't Add to WaitGroup asynchronously (Backport PR #38949, Upstream PR #38692, @joamaki)
- maglev: Fix division by zero upon table recreation (Backport PR #39077, Upstream PR #38659, @borkmann)
- make: fix golangci-lint version detection (Backport PR #39077, Upstream PR #38996, @mhofstetter)
- workflows: fix lint-workflows (Backport PR #39402, Upstream PR #39398, @aanm)
Other Changes:
- [v1.16] integration: Regenerate consul certs (#39351, @sayboras)
- chore(deps): update go to v1.24.2 (v1.16) (#39123, @sayboras)
- install: Update image digests for v1.16.9 (#38934, @cilium-release-bot[bot])
- ipsec,ci: test IPsec + Ingress on v1.16 (#38930, @ldelossa)
Docker Manifests
1.15.17
Summary of Changes
Minor Changes:
- Update kafka apiKey helm chart value to true (Backport PR #39216, Upstream PR #38963, @kyle-c-simmons)
Bugfixes:
- Fix a deadlock when a host has no IPv4 address. (Backport PR #39078, Upstream PR #38938, @EmilyShepherd)
- Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport PR #39216, Upstream PR #39170, @pchaigno)
- k8s: Fixed a case where the delete event for service EndpointSlices might have been missed if connectivity to the k8s apiserver was broken, leaving a stale service cache. (Backport PR #38952, Upstream PR #38779, @marseel)
CI Changes:
- [v1.15] .github: provide correct env variables to api/v1 Makefile (#39286, @ferozsalam)
- [v1.15] go.mod, vendor: update github.com/cilium/linters to v0.20.0 (#39394, @tklauser)
- [v1.15] l4lb: Support environments with existing veth (#39410, @joestringer)
Misc Changes:
- Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR #38952, Upstream PR #38539, @liyihuang)
- chore(deps): update all github action dependencies (v1.15) (#39055, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#39189, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#39277, @cilium-renovate[bot])
- chore(deps): update dependency cilium/hubble to v1.17.3 (v1.15) (#39321, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to 87bb940 (v1.15) (#38915, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to e54daaa (v1.15) (#39052, @cilium-renovate[bot])
- chore(deps): update go to v1.24.3 (v1.15) (#39188, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744679528-43b5c0ea620b5fa8c2e32ed79f113aef89f30e6b (v1.15) (#38941, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.15) (#39053, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.15) (#39228, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.15) (#39415, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#38972, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#39186, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#39478, @cilium-renovate[bot])
- chore: remove retention-days param in build-images-releases.yaml (Backport PR #39437, Upstream PR #39431, @sekhar-isovalent)
- contrib: Remove kind.sh dependency on git (Backport PR #39406, Upstream PR #39154, @joestringer)
- docs: Add good kernel versions for the L7 policy IPv6 bug (Backport PR #39406, Upstream PR #39212, @gentoo-root)
- docs: Document L7 policy IPv6 bug (Backport PR #38952, Upstream PR #38591, @gentoo-root)
- docs: Fix casing and formatting in L3 examples section (Backport PR #39406, Upstream PR #39065, @mikejoh)
- docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport PR #39406, Upstream PR #38886, @auriaave)
- Documentation : Modification of eks-clustermesh-prep.rst (Backport PR #39406, Upstream PR #39025, @rwinieski)
- documentation: fix get deployment cmd (Backport PR #39216, Upstream PR #39155, @g0gn)
- k8s/resource: Don't Add to WaitGroup asynchronously (Backport PR #38952, Upstream PR #38692, @joamaki)
- make: fix golangci-lint version detection (Backport PR #39078, Upstream PR #38996, @mhofstetter)
- workflows: fix lint-workflows (Backport PR #39401, Upstream PR #39398, @aanm)
Other Changes:
- [v1.15] deps: bump golang-jwt to 4.5.2 (#39496, @ferozsalam)
- [v1.15] integration: Regenerate consul certs (#39350, @sayboras)
- install: Update image digests for v1.15.16 (#38935, @cilium-release-bot[bot])
Docker Manifests
1.18.0-pre.2
Summary of Changes
Major Changes:
- Add support for ordered IPv6 fragments (#38110, @gentoo-root)
- Add support for VXLAN in IPsec (VinE) (#37723, @ldelossa)
- Promote CiliumLoadBalancerIPPool CRD to v2 API version (#39090, @pippolo84)
- Promote CiliumCIDRGroup to v2 and deprecate v2alpha1 (#38940, @christarazi)
- Support IPv6 as a tunneling underlay. (#38296, @pchaigno)
- Support IPv6 for delegated IPAM (#38249, @kadevu)
- Support KPR with IPv6 underlay (#39074, @pchaigno)
- The service load-balancing control-plane in the Cilium agent has been redesigned which reduces memory usage and improves future extensibility of load-balancing features. (#38469, @joamaki)
Minor Changes:
- Add cilium shell -- health command that takes an optional prefix and prints the reporter tree, similar to the current cilium status --verbose output. (#38076, @tommyp1ckles)
- Add cilium-dbg bpf ipcache match command to look up ipcache entries using an exact match (#38579, @pippolo84)
- Add serviceaccount label in the default labels list (#38017, @liyihuang)
- Add support for IPv6 egress gateway policies (#38452, @rgo3)
- agent: deprecate --bpf-lb-proto-diff (#39259, @julianwiedmann)
- AWS ENI IPAM: disable internal aws-sdk-go-v2 client rate-limiter which interfered with Cilium's rate-limiter (#38550, @antonipp)
- bandwidth: Introduce bbrHostNamespaceOnly to allow limited use of BBR in legacy routing mode. (#38898, @jrife)
- bgp: Ensure reconciliation of services with externalTrafficPolicy=Local upon endpoint/endpointslice deletion. (#38966, @rastislavs)
- Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (#38458, @joamaki)
- Cilium's CNI plugin now conforms to CNI v1.1 and reports per-route MTUs. (#38868, @squeed)
- cilium-cli: Fix ipv6 ping regex (#38814, @yrsuthari)
- helm: only expose the envoy admin debug port for cilium-agent when it is explicitly enabled (#39194, @becker-s)
- hubble: send server version using metadata in gRPC responses (#38668, @devodev)
- Introduce --underlay-protocol (#38523, @pchaigno)
- k8s/labels: Refactor FindReserved to return LabelArray (#39144, @doniacld)
- policy: Add validation and docs for TLS SNI ServerNames (#38615, @sayboras)
- Remove deprecated CONNTRACK_LOCAL (#38687, @tklauser)
- Remove insertions and deletions to deprecated tunnel map (#38490, @pippolo84)
- Since pod CIDRs are now stored in the ipcache map, the tunnel map is no longer needed. All references to the tunnel map have been removed from cilium-dbg, cilium status and bugtool. (#38839, @pippolo84)
- The Grafana dashboard now displays policy drops in both directions. (#37445, @squeed)
- Update k8s tests and libraries to v1.33.0 (#39124, @sayboras)
- Update k8s tests and libraries to v1.33.0-rc.1 (#39080, @sayboras)
- Update kafka apiKey helm chart value to true (#38963, @kyle-c-simmons)
Bugfixes:
- An option was added to control SO_LINGER config on Envoy HTTP upstream connections that bind to the pod's original source address and port. This can be used to mitigate bind errors that could happen if the upstream HTTP connection can not be cleanly closed immediately. (#38500, @jrajahalme)
- bgpv2: Fix service reconciliation by BGP peer IP change (#38620, @rastislavs)
- bpf: nodeport: avoid accidental NAT46x64 clash in from-container (#38916, @julianwiedmann)
- Check the TLSRoute and HasServiceImportSupport through the CRD. (#39122, @liyihuang)
- cli: default to SPDY connection for exec (#38988, @asauber)
- Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (#38801, @tklauser)
- Fix a deadlock when a host has no IPv4 address. (#38938, @EmilyShepherd)
- Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (#38890, @pippolo84)
- Fix bug in multicast feature that may cause packets to be dropped due to an incorrect checksum when hardware offload is enabled. (#38746, @pchaigno)
- Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (#39170, @pchaigno)
- Fix connections to deleted service backends not getting terminated in certain cases involving services with multiple protocol ports. (#37745, @foyerunix)
- Fix deadlock in compilation lock (#38784, @dylandreimerink)
- Fix panic caused in dual cluster setups where LRPs with skipRedirectFromBackend flag set to true are installed and IPv6 is disabled. (#38656, @aditighag)
- Fix the options parsing logic for options with a map argument to allow multiple fields to be configured in a configmap, separated by commas (#37400, @skmatti)
- Fix two Helm resources that did not respect the namespaceOverride value. (#38927, @spiarh)
- Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (#38841, @nimishamehta5)
- Fixes an issue where the agent failed to start on clusters with large numbers of network policies. (#38556, @squeed)
- For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (#38737, @julianwiedmann)
- gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (#38874, @syedazeez337)
- helm: fix hubble dynamic metrics config conflict (#38893, @devodev)
- ingress: don't cleanup ingress status of unmanaged Ingress resources (#38555, @mhofstetter)
- ipsec: Fix key derivation error in case of corrupted boot IDs (#39059, @pchaigno)
- k8s: Fixed a case where the delete event for service EndpointSlices might have been missed if connectivity to the k8s apiserver was broken, leaving a stale service cache. (#38779, @marseel)
- xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (#38654, @marseel)
CI Changes:
- .github: Don't overwrite junit results (#39159, @joestringer)
- .github: Reduce builder workflow by one job (#39093, @joestringer)
- .github: Schedule go runtime,integration tests every 8h (#39100, @joestringer)
- Assign codeowners for no-errors-in-logs testcase (#38812, @marseel)
- bgp: Extend BGP component tests (#38778, @rastislavs)
- bpf/complexity-tests: bpf_xdp coverage improvements (#38561, @gentoo-root)
- bpf/complexity-tests: Fix missing coverage for IPv6 fragments (#39062, @pchaigno)
- bpf/tests: Add FILE:LINE prefix for test_log (#38755, @sancppp)
- bpf: tests: fix ethertype when building inner headers of VXLAN packet (#39060, @julianwiedmann)
- builder: Add tparse,junit tooling (#39092, @joestringer)
- ci: fix scalability tests (#39000, @marseel)
- cilium-cli/connectivity-tests: Add fake external targets (#38750, @dylandreimerink)
- cilium-cli: Add strict-mode-test v2 (#38566, @pippolo84)
- cilium-cli: connectivity: clean up any leftover egw routes. (#36651, @tommyp1ckles)
- cilium-cli: run IPv6 test with skipRedirectFromBackend=true on >=v1.17.3 (#38630, @ysksuzuki)
- cilium-cli:fix: account for current TunnelPort when building tcpdump overlay filters (#38680, @smagnani96)
- Cilium: Add LB Session Affinity Maglev BPF test (#38568, @carlos-abad)
- CLI: bump ConnectivityTestConnDisruptImage (#39200, @darox)
- cli: encryption: improve ICMPv6 NA detection (#39160, @julianwiedmann)
- cli: Generate each owners field separately (#38987, @joestringer)
- cli: Simplify junit representation of code owners (#39020, @joestringer)
- cli: sysdump: collect logs from restarted test pods. (#38796, @tommyp1ckles)
- connectivity: Correct version check for Ingress test (#38803, @sayboras)
- connectivity: encryption tests: filter when icmpv6.type == 136 (#38798, @tommyp1ckles)
- connectivity: Fix flow validation for wildcard tls sni (#38881, @sayboras)
- deps: update gateway-api to latest (#38617, @mhofstetter)
- Emit junit output from BPF unit tests (#39099, @joestringer)
- Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (#38281, @smagnani96)
- gateway-api: Add translation tests for GAMMA (#39207, @sayboras)
- gh: ariane: don't trigger ipsec-upgrade on /test (#39011, @julianwiedmann)
- gh: aws-cni: set --enable-identity-mark=false option (#38738, @julianwiedmann)
- gh: e2e-upgrade: check for unexpected drops from connectivity tests (#39111, @julianwiedmann)
- gh: phase out testing with kernel-of-the-day LVH images (#38395, @julianwiedmann)
- gh: use e2e-upgrade for IPsec minor upgrade testing (#38757, @julianwie...
1.17.3
Summary of Changes
Minor Changes:
- hubble: accurately report startup failure reason from cilium status (Backport PR #38526, Upstream PR #37567, @devodev)
- Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #38399, Upstream PR #37936, @smagnani96)
Bugfixes:
- Always detach BPF programs from cilium_wg0 when not needed. (Backport PR #38184, Upstream PR #38179, @smagnani96)
- Avoid installing no-track rules when IP family is disabled (Backport PR #38526, Upstream PR #38438, @ysksuzuki)
- bgpv2: Fix service reconciliation by BGP peer IP change (Backport PR #38700, Upstream PR #38620, @rastislavs)
- bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #38684, Upstream PR #38592, @julianwiedmann)
- clustermesh: fix mcs-api count of clusters disagreeing with a conflict (the count was previously increased by one) (Backport PR #38298, Upstream PR #38267, @MrFreezeex)
- Ensure that replies to world-to-pod ICMP in AWS ENI are routed via the correct parent interface. (Backport PR #38394, Upstream PR #38335, @gentoo-root)
- Fix deadlock in compilation lock (Backport PR #38805, Upstream PR #38784, @dylandreimerink)
- Fix panic caused in dual cluster setups where LRPs with skipRedirectFromBackend flag set to true are installed and IPv6 is disabled. (Backport PR #38700, Upstream PR #38656, @aditighag)
- Fix IPv6-only clusters not working with multi-pool IPAM in some k8s distributions (OpenShift) (Backport PR #38526, Upstream PR #38472, @liyihuang)
- Fix: cilium-operator no longer patches services on shutdown (Backport PR #38298, Upstream PR #37967, @rsafonseca)
- Fixes an issue where the agent failed to start on clusters with large numbers of network policies. (Backport PR #38700, Upstream PR #38556, @squeed)
- For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #38800, Upstream PR #38737, @julianwiedmann)
- ingress: don't cleanup ingress status of unmanaged Ingress resources (Backport PR #38700, Upstream PR #38555, @mhofstetter)
- ipam/aws: properly paginate Operator DescribeNetworkInterfaces AWS API calls in ENI IPAM mode in order to avoid throttling, timeouts and errors from the API (Backport PR #38298, Upstream PR #37983, @antonipp)
- netkit: Fix issue where MAC addresses get changed by systemd in L2 mode causing health checks to fail (Backport PR #38526, Upstream PR #37812, @jrife)
CI Changes:
- build: update golangci-lint to v2.0.0 (Backport PR #38629, Upstream PR #38473, @mhofstetter)
- ci: build CI images within merge group (Backport PR #38526, Upstream PR #38065, @marseel)
- ci: prepare CI Image build for being required (Backport PR #38526, Upstream PR #38320, @marseel)
- cilium-cli: extend no-interrupted-connections to test Egress Gateway (Backport PR #38527, Upstream PR #38193, @ysksuzuki)
- cilium-cli: extend no-interrupted-connections to test NodePort from outside (Backport PR #37797, Upstream PR #37294, @ysksuzuki)
- Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #38517, Upstream PR #38264, @smagnani96)
- Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38290, @smagnani96)
- Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38281, @smagnani96)
- Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #38517, Upstream PR #38265, @smagnani96)
- Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38292, @smagnani96)
- Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38291, @smagnani96)
- gh: aws-cni: set --enable-identity-mark=false option (Backport PR #38800, Upstream PR #38738, @julianwiedmann)
- gh: e2e-upgrade: also test NS & EGW disruptivity during downgrade (Backport PR #38527, Upstream PR #38511, @julianwiedmann)
- gha: enable north/south conn-disrupt-test in clustermesh upgrade tests (Backport PR #38527, Upstream PR #38554, @giorio94)
- Ignore encrypt interface field when validating option.Config after initialization (Backport PR #38298, Upstream PR #37184, @Artyop)
- Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38278, @smagnani96)
- Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38293, @smagnani96)
- Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38266, @smagnani96)
- proxy/proxyports: fix flake and data race in TestPortAllocator (Backport PR #38674, Upstream PR #38062, @tklauser)
- proxy: fix flake in TestPortAllocator test (Backport PR #38674, Upstream PR #38646, @mhofstetter)
- Refactoring and code comments for the check-encryption-leak script. (Backport PR #38740, Upstream PR #38263, @smagnani96)
- Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38297, @smagnani96)
- Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38280, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38289, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38526, Upstream PR #38289, @smagnani96)
- Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38287, @smagnani96)
- Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38268, @smagnani96)
- test: Update FQDN related domain and IP (Backport PR #38769, Upstream PR #38754, @sayboras)
Misc Changes:
- [v1.17] bpf: host: ipsec: check whether destination has tunnel_endpoint (#38802, @julianwiedmann)
- [v1.17] bpf: ipsec: improve handling of source security identity in encrypted-overlay code (#38594, @julianwiedmann)
- [v1.17] deps: bump package x/oauth2 (#38403, @ferozsalam)
- [v1.17] deps: bump x/net to v0.38.0 (#38780, @ferozsalam)
- bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #38684, Upstream PR #37956, @julianwiedmann)
- bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR #38684, Upstream PR #38430, @julianwiedmann)
- bpf: nodeport: preserve monitor aggregation in egress path (Backport PR #38526, Upstream PR #38312, @julianwiedmann)
- bugtool: collect more detailed link statistics (Backport PR #38526, Upstream PR #38391, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.17) (#38353, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#38436, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#38612, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#38303, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#38542, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.17) (#38730, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.17) (#38354, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.17) (#38611, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 37f7b37 (v1.17) (#38350, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.7 docker digest to cb45cf7 (v1.17) (#38351, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.20 (v1.17) (#38434, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.17) (#38608, @cilium-renovate[bot])
- chore(deps): update go to v1.23.8 (v1.17) (#38713, @cilium-renovate[bot])
- chore(deps): update kindest/node docker tag to v1.29.14 (v1.17) (#38352, @...
1.16.9
Summary of Changes
Minor Changes:
- Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #38400, Upstream PR #37936, @smagnani96)
- Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR #38747, Upstream PR #35900, @smagnani96)
Bugfixes:
- bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #38747, Upstream PR #38592, @julianwiedmann)
- Fix panic caused in dual cluster setups where LRPs with the `skipRedirectFromBackend` flag set to true are installed and IPv6 is disabled. (Backport PR #38701, Upstream PR #38656, @aditighag)
- For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #38747, Upstream PR #38737, @julianwiedmann)
CI Changes:
- build: update golangci-lint to v2.0.0 (Backport PR #38631, Upstream PR #38473, @mhofstetter)
- ci: build CI images within merge group (Backport PR #38525, Upstream PR #38065, @marseel)
- ci: prepare CI Image build for being required (Backport PR #38525, Upstream PR #38320, @marseel)
- Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #38521, Upstream PR #38264, @smagnani96)
- Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38290, @smagnani96)
- Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38281, @smagnani96)
- Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #38521, Upstream PR #38265, @smagnani96)
- Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38292, @smagnani96)
- Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38291, @smagnani96)
- gh: aws-cni: set --enable-identity-mark=false option (Backport PR #38747, Upstream PR #38738, @julianwiedmann)
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #38521, Upstream PR #37551, @jschwinger233)
- gh: update naming for bpftrace leak detection script (Backport PR #38521, Upstream PR #37865, @julianwiedmann)
- Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38278, @smagnani96)
- Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38293, @smagnani96)
- Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38266, @smagnani96)
- Refactoring and code comments for the check-encryption-leak script. (Backport PR #38741, Upstream PR #38263, @smagnani96)
- Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38297, @smagnani96)
- Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38280, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38289, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38525, Upstream PR #38289, @smagnani96)
- Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38287, @smagnani96)
- Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38268, @smagnani96)
- test: Update FQDN related domain and IP (Backport PR #38770, Upstream PR #38754, @sayboras)
Misc Changes:
- [v1.16] deps: bump github.com/containerd/containerd to v1.7.27 (#38496, @ferozsalam)
- [v1.16] deps: Bump package x/net (#38323, @ferozsalam)
- [v1.16] deps: bump package x/oauth2 (#38404, @ferozsalam)
- [v1.16]: deps: bump x/net to v0.38.0 (#38781, @ferozsalam)
- bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #38747, Upstream PR #37956, @julianwiedmann)
- bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR #38747, Upstream PR #38430, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.16) (#38347, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#38515, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) (#38346, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38304, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38442, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38543, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.16) (#38731, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.16) (#38348, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.16) (#38714, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.36.1 docker digest to e246aa2 (v1.16) (#38344, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.16) (#38613, @cilium-renovate[bot])
- chore(deps): update go to v1.23.8 (v1.16) (#38345, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.16) (#38258, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.16) (#38385, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.16) (#38672, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.16) (#38774, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38317, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38614, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#38832, @cilium-renovate[bot])
- docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR #38525, Upstream PR #38173, @yrsuthari)
- docs: clarify hubble flow filter match semantics (Backport PR #38701, Upstream PR #38657, @devodev)
- docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport PR #38525, Upstream PR #38231, @rastislavs)
- docs: Update LLVM requirements to 18.1 (Backport PR #38342, Upstream PR #38294, @gentoo-root)
- Documentation: "cilium config set" restarts by default (Backport PR #38299, Upstream PR #38114, @joamaki)
- Documentation: fix mentions of per-node `cilium-dbg` tool (Backport PR #38299, Upstream PR #38276, @tklauser)
- images: bump distroless to static (Backport PR #38695, Upstream PR #38647, @kaworu)
- pkg/controller: fix data race in update params locked (Backport PR #38525, Upstream PR #38327, @aanm)
- pkg/endpoint: fix race in unit test (Backport PR #38299, Upstream PR #38129, @squeed)
- remove the endpointRoutes for aws cni in the doc (Backport PR #38701, Upstream PR #38381, @liyihuang)
Other Changes:
- [v1.16] hubble: fix flowfilter flag parsing allowing only one filter (#38794, @devodev)
- [v1.16] proxy: Bump envoy version to 1.32.x (#38307, @sayboras)
- fix AWS ENI IPAM mode performance regression in the Operator when `--update-ec2-adapter-limit-via-api` is set to true (#38533, @antonipp)
- gha: Skip HTTPRouteServiceTypes test (#38343, @sayboras)
- install: Update image digests for v1.16.8 (#38207, @cilium-release-bot[bot])
Docker Manifests
- cilium: quay.io/cilium/cilium:v1.16.9@sha256:98f8e547fd0720e042a1eb7bd6f50a521cbe0a8ea8e013f783f1709fc023c266
- clustermesh-apiserver: quay.io/cilium/clustermesh-apiserver:v1.16.9@sha256:69b9b80046f2a293de96e228ffdf7803bdd387d2c8cc6fa836a240c4932d7066
- docker-plugin: quay.io/cilium/docker-plugin:v1.16.9@sha256:867b37f934411c11e9e50d0d691a2d1376e...
1.15.16
Summary of Changes
Minor Changes:
- datapath: Move WG skb mark check to to-netdev (Backport PR #38776, Upstream PR #31751, @brb)
- Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #38401, Upstream PR #37936, @smagnani96)
- Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR #38776, Upstream PR #35900, @smagnani96)
Bugfixes:
- bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #38776, Upstream PR #38592, @julianwiedmann)
- Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #38776, Upstream PR #35694, @julianwiedmann)
- For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #38776, Upstream PR #38737, @julianwiedmann)
CI Changes:
- build: update golangci-lint to v2.0.0 (Backport PR #38633, Upstream PR #38473, @mhofstetter)
- ci: build CI images within merge group (Backport PR #38524, Upstream PR #38065, @marseel)
- ci: prepare CI Image build for being required (Backport PR #38524, Upstream PR #38320, @marseel)
- Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #38522, Upstream PR #38264, @smagnani96)
- Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38290, @smagnani96)
- Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38281, @smagnani96)
- Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #38522, Upstream PR #38265, @smagnani96)
- Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38292, @smagnani96)
- Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38291, @smagnani96)
- gh: aws-cni: set --enable-identity-mark=false option (Backport PR #38776, Upstream PR #38738, @julianwiedmann)
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #38522, Upstream PR #37551, @jschwinger233)
- gh: update naming for bpftrace leak detection script (Backport PR #38522, Upstream PR #37865, @julianwiedmann)
- Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38278, @smagnani96)
- Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38293, @smagnani96)
- Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38266, @smagnani96)
- Refactoring and code comments for the check-encryption-leak script. (Backport PR #38742, Upstream PR #38263, @smagnani96)
- Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38297, @smagnani96)
- Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38280, @smagnani96)
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38289, @smagnani96)
- Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38287, @smagnani96)
- Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38268, @smagnani96)
- test: Update FQDN related domain and IP (Backport PR #38771, Upstream PR #38754, @sayboras)
Misc Changes:
- [v1.15] deps: bump package x/net (#38360, @ferozsalam)
- [v1.15] Manually fix builder image (#38748, @smagnani96)
- [v1.15] Update oauth to 0.27.0. (#38457, @kyle-c-simmons)
- bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #38776, Upstream PR #37956, @julianwiedmann)
- bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host (Backport PR #38776, Upstream PR #32871, @jibi)
- chore(deps): update all github action dependencies (v1.15) (#38332, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#38428, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#38719, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#38305, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#38443, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#38697, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.15) (#38732, @cilium-renovate[bot])
- chore(deps): update dependency cilium/hubble to v1.17.2 (v1.15) (#38715, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.15) (#38333, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.15) (#38718, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.36.1 docker digest to e246aa2 (v1.15) (#38329, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.7 docker digest to cb45cf7 (v1.15) (#38330, @cilium-renovate[bot])
- chore(deps): update go to v1.23.8 (v1.15) (#38716, @cilium-renovate[bot])
- chore(deps): update kindest/node docker tag to v1.29.14 (v1.15) (#38331, @cilium-renovate[bot])
- chore(deps): update module github.com/containerd/containerd to v1.7.27 [security] (v1.15) (#38248, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.15) (#38259, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.6-1742515223-dd05ea7be73de22390a6542e87f1834ef0d61ec9 (v1.15) (#38386, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.15) (#38775, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#38318, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#38717, @cilium-renovate[bot])
- docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR #38524, Upstream PR #38173, @yrsuthari)
- docs: clarify hubble flow filter match semantics (Backport PR #38702, Upstream PR #38657, @devodev)
- Documentation: "cilium config set" restarts by default (Backport PR #38301, Upstream PR #38114, @joamaki)
- Documentation: fix mentions of per-node `cilium-dbg` tool (Backport PR #38301, Upstream PR #38276, @tklauser)
- images: bump distroless to static (Backport PR #38696, Upstream PR #38647, @kaworu)
- pkg/endpoint: fix race in unit test (Backport PR #38301, Upstream PR #38129, @squeed)
- remove the endpointRoutes for aws cni in the doc (Backport PR #38702, Upstream PR #38381, @liyihuang)
- wireguard: attach Ingress program for native routing mode configurations (Backport PR #38301, Upstream PR #37108, @julianwiedmann)
Other Changes:
- [v1.15] images: Update runtime and builder image (#38382, @sayboras)
- install: Update image digests for v1.15.15 (#38206, @cilium-release-bot[bot])
- proxy: Bump envoy version to 1.32.x (#38449, @sayboras)
Docker Manifests
- cilium: quay.io/cilium/cilium:v1.15.16@sha256:17dc69791a5d28a1ea88c149c6798cc9608ebb66c5e8b79a88453207f0cb55a1
- clustermesh-apiserver: quay.io/cilium/clustermesh-apiserver:v1.15.16@sha256:6198f79a3f286ac2050349e78474e00ac1e28100b550e075cc724aa8283143af
- docker-plugin: quay.io/cilium/docker-plugin:v1.15.16@sha256:e50b3c41b472d28a1cbc359b2365a6f657daf57eb38f67cff43b42c16602f870
- hubble-relay: quay.io/cilium/hubble-relay:v1.15.16@sha256:e1e2c6740fc093dc6cf9c486ba66eb68e5ab1a58fe90a9669868cd24b5dc2a0e
- operator-alibabacloud: quay.io/cilium/operator-alibabacloud:v1.15.16@sha256:1f314bba1c3e7d95a011fc0f0f3945fefc1cbbd3adae7e63e7fac3f923b2163e
- operator-aws: quay.io/cilium/operator-aws:v1.15.16@sha256:5cc6fd7202470c53b06a155748cf3ebe169bac01199bc49e86040dad71d29f69
- operator-azure: quay.io/cilium/operator-azure:v1.15.16@sha256:0d33...
1.18.0-pre.1
Summary of Changes
Major Changes:
- Add support for kube-apiserver high availability with kube-proxy replacement where the Cilium agent can fail over to an active kube-apiserver at runtime. (#37601, @aditighag)
- Promote `CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, `CiliumBGPAdvertisement`, `CiliumBGPNodeConfig` and `CiliumBGPNodeConfigOverride` CRDs to v2 API version. (#37765, @rastislavs)
Minor Changes:
- Add support for tunnel routing in multi-pool IPAM mode (#38483, @pippolo84)
- Add support to capture kernel profiles during performance testing (#38402, @giorio94)
- Added multi-device support to the L2 pod announcement feature (#38198, @dylandreimerink)
- Adding an option to disable L3/L4 network policy correlation of Hubble flows (#37986, @mereta)
- agent: Deprecate --enable-custom-calls (#38480, @brb)
- Bgp control plane: add route aggregation feature (#37275, @romanspb80)
- BGPv2: Rename the operator metric `cilium_operator_bgp_control_plane_cluster_config_error_count` to `cilium_operator_bgp_control_plane_reconcile_errors_total` and introduce new operator metric: `cilium_operator_bgp_control_plane_reconcile_run_duration_seconds`. Rename the agent metric `cilium_agent_bgp_control_plane_reconcile_error_count` to `cilium_agent_bgp_control_plane_reconcile_errors_total`. (#37898, @rastislavs)
- Deprecate `CiliumBGPPeeringPolicy` CRD in favor of `cilium.io/v2` CRDs (`CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, `CiliumBGPAdvertisement`, `CiliumBGPNodeConfigOverride`) (#38397, @rastislavs)
- Deprecate `v2alpha1` version of `CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, `CiliumBGPAdvertisement`, `CiliumBGPNodeConfig` and `CiliumBGPNodeConfigOverride` CRDs in favor of the `v2` version (#38239, @rastislavs)
- Display IPv4/IPv6 Exclusion CIDRs in cilium status (#38075, @roman-kiselenko)
- dnsproxy: respond with SERVFAIL for transient failures (#38002, @antonipp)
- docs: clarify wording of remote-nodes in context of a clustermesh (#37989, @oblazek)
- exp/lb: Add service.cilium.io/type annotation support (#38260, @brb)
- Harden against misuse of IPv4 fragments. (#38202, @gentoo-root)
- Helm: Add the `action` field by default to ServiceMonitor relabelings (#38052, @logica0419)
- Helm: Adding `conntrack_gc_interval_seconds` metric to monitor conntrack gc intervals (#38302, @parlakisik)
- Increase granularity of the `api_duration_seconds` metric buckets (#37365, @jaredledvina)
- loader: attach datapath to IPIP tunnel devices (#37346, @gyutaeb)
- Make Cilium CLI performance tests not depend on Cilium (#38245, @giorio94)
- operator: report metrics for internal CiliumNodeSynchronizer queues (#38286, @antonipp)
- proxy: Bump envoy version to v1.33.0 (#38340, @sayboras)
- Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (#37936, @smagnani96)
- Remove deprecated and disabled by default support for running the Cilium KVStore in pod network (#38040, @giorio94)
- Remove UpdateEC2AdapterLimitViaAPI option and static mapping between instance type and limits in AWS environment. Always fetch the limits via EC2API (#36922, @liyihuang)
- When creating a new ENI in AWS, trying the best to select a subnet with the same route table as the host's primary ENI to prevent unexpected routing behavior. (#37229, @liyihuang)
Bugfixes:
- Always detach BPF programs from cilium_wg0 when not needed. (#38179, @smagnani96)
- Avoid installing no-track rules when IP family is disabled (#38438, @ysksuzuki)
- bpf:nat: Restore ORG NAT entry if it's not found (#37747, @gyutaeb)
- cilium-cli: Fix logger busy loop (#38199, @jrajahalme)
- clustermesh: fix mcs-api count of clusters disagreeing with a conflict (the count was previously increased by one) (#38267, @MrFreezeex)
- Egress route reconciliation (#37962, @dylandreimerink)
- Ensure that replies to world-to-pod ICMP in AWS ENI are routed via the correct parent interface. (#38335, @gentoo-root)
- Fix Allocator leaking IDs in CID controller (#38196, @dlapcevic)
- Fix IPv6-only clusters not working with multi-pool IPAM in some Kubernetes distributions (OpenShift). (#38472, @liyihuang)
- Fix: cilium-operator no longer patches services on shutdown (#37967, @rsafonseca)
- hubble/exporter: Fix logging exporter options as JSON (#38475, @devodev)
- hubble: fix locking of hubble metrics registry for dynamically configured metrics (#37923, @marseel)
- ipam/aws: properly paginate Operator `DescribeNetworkInterfaces` AWS API calls in ENI IPAM mode in order to avoid throttling, timeouts and errors from the API (#37983, @antonipp)
- ipam/multi-pool: Periodically perform pool maintenance (#37895, @gandro)
- netkit: Fix issue where MAC addresses get changed by systemd in L2 mode causing health checks to fail (#37812, @jrife)
- policy: Fix Endpoint Selector Policy Deadlock (#38139, @nathanjsweet)
- policy: Fix rare bug that prevented two endpoints that shared the same identity from being simultaneously updated. (#37910, @nathanjsweet)
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (#38029, @julianwiedmann)
- Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (#38143, @youngnick)
- Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning the wrong error message `iptables: Incompatible with this kernel` to `iptables -n -L CHAIN` when the chain does not exist. The wrong message prevented iptables configuration and induced unnecessary loops and log messages. (#37749, @fgiloux)
CI Changes:
- Add parallel streams throughput tests, and enable them in the EGW workflow (#38027, @giorio94)
- Align main and stable branch workflows for availability of cilium-cli (#38138, @joestringer)
- bgpv2: Introduce script component tests for BGPv2 (#38359, @rastislavs)
- bpf/tests: Bump "occasional failures" threshold in NAT port alloc test (#38456, @gentoo-root)
- build: update golangci-lint to v2.0.0 (#38473, @mhofstetter)
- Centralize dynamic test ownership configuration (#38045, @joestringer)
- ci: build CI images within merge group (#38065, @marseel)
- ci: disable GW API mirroring conformance tests in conformance-profile too (#38546, @mhofstetter)
- ci: enable SDS in cloud provider tests (#37987, @marseel)
- ci: improve gateway api version (commit) evaluation (#38502, @mhofstetter)
- ci: prepare CI Image build for being required (#38320, @marseel)
- ci: switch to monitor aggregation medium (#38036, @marseel)
- ci: temporarily disable gateway api mirror feature tests (#38513, @mhofstetter)
- ci: use custom kubeconfig for cilium-cli cloud provider tests (#37970, @marseel)
- ci: wait for images before matrix generation for aws/aks/gke/netperf tests (#38061, @marseel)
- ci: wait for images in clustermesh/eks workflows (#37968, @marseel)
- cilium-cli: extend no-interrupted-connections to test Egress Gateway (#38193, @ysksuzuki)
- cilium-cli: Use distroless (#38189, @michi-covalent)
- Clear traced UDP v4/v6 connections on check-encryption-leak script. (#38264, @smagnani96)
- cli: Reduce the flood of the terminal with logs on failure during tests (#38240, @roman-kiselenko)
- cli: reverse finalizers of connectivity test (#38232, @marseel)
- connectivity tests: keep tcpdump alive by printing to stdout (#37984, @asauber)
- connectivity: Add test for source egress in Ingress (#38053, @sayboras)
- Drop WireGuard encryption strict mode Ginkgo test (#38538, @pippolo84)
- Egress gateway parallel connections testing (#37981, @giorio94)
- Ensure packet protocol before using L4 ports in the check-encryption-leak script. (#38290, @smagnani96)
- Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (#38265, @smagnani96)
- Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (#38292, @smagnani96)
- Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (#38291, @smagnani96)
- gh: e2e-upgrade: also test NS & EGW disruptivity during downgrade (#38511, @julianwiedmann)
- gh: e2e-upgrade: generate config matrix from file (#38512, @julianwiedmann)
- gh: e2e-upgrade: minor log output improvements (#38011, @julianwiedmann)
- gh: ipsec: pin bpf-next LVH image to older version (#38356, @julianwiedmann)
- gha/scale-egw: make masquerade delay thresholds configurable (#38295, @giorio94)
- gha: always respect the given image tag in the wait-for-images action (#37901, @giorio94)
- gha: bump timeout of K8s Network E2E tests test (#38035, @giorio94)
- Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (#38278, @smagnani96)
- Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (#38293, @smagnani96)
- node/manager: Fix TestNodeManagerEmitStatus (cilium/ciliu...
1.17.2
Summary of Changes
Minor Changes:
- docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR #38104, Upstream PR #37989, @oblazek)
- Increase granularity of the `api_duration_seconds` metric buckets (Backport PR #38104, Upstream PR #37365, @jaredledvina)
- New agent option `--policy-restore-timeout` (default 3m) has been added to bound the maximum time the Cilium agent waits for endpoint policies to regenerate before it starts serving resources to the `cilium-envoy` proxy. (Backport PR #37904, Upstream PR #37658, @jrajahalme)
- Set json output as default for `cilium-dbg endpoint get` (Backport PR #37648, Upstream PR #36537, @saiaunghlyanhtet)
- Set json output as default for `cilium-dbg endpoint get` (Backport PR #37742, Upstream PR #36537, @saiaunghlyanhtet)
Bugfixes:
- Apply Egress bandwidth-limiting only once for traffic that is matched by an Egress Gateway policy. (Backport PR #37904, Upstream PR #37674, @julianwiedmann)
- Auth policy is properly maintained also when covered by proxy redirects. (Backport PR #37904, Upstream PR #37685, @jrajahalme)
- Do not auto detect / auto select IPoIB devices (Backport PR #37648, Upstream PR #37553, @dylandreimerink)
- Egress route reconciliation (Backport PR #38118, Upstream PR #37962, @dylandreimerink)
- Fix a regression that made it impossible to disable Hubble via Helm charts (Backport PR #37648, Upstream PR #37587, @devodev)
- Fix bug causing `cilium-dbg bpf` commands to fail with a map not found error in IPv6-only clusters. (Backport PR #37904, Upstream PR #37787, @pchaigno)
- Fix creating ServiceMonitor for Hubble when dynamic metrics are enabled in the Helm chart (Backport PR #37648, Upstream PR #37474, @dustinspecker)
- Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR #37904, Upstream PR #37419, @javanthropus)
- Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR (Backport PR #37648, Upstream PR #36978, @tommasopozzetti)
- Fix Envoy metrics not being obtainable on IPv6-only clusters (Backport PR #37904, Upstream PR #37818, @haozhangami)
- Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics. (Backport PR #37904, Upstream PR #37543, @rectified95)
- Fix service ID exceeding the maximum limit (Backport PR #37648, Upstream PR #37191, @haozhangami)
- Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport PR #37648, Upstream PR #37532, @antonipp)
- Fix the possible race condition caused by async update from aws to instance map in issue #36428 (Backport PR #38104, Upstream PR #37650, @liyihuang)
- Fix traffic not getting masqueraded with wildcard devices or egress-masquerade-interfaces when enable-masquerade-to-route-source flag is set. (Backport PR #37648, Upstream PR #37450, @liyihuang)
- fix(helm): multiPoolPreAllocation fix conditional avoid null (Backport PR #37742, Upstream PR #37585, @acelinkio)
- fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport PR #37648, Upstream PR #37236, @dee-kryvenko)
- fix: duplicate label maps in helm chart templates and add missing commonlabels (Backport PR #37742, Upstream PR #37693, @cmergenthaler)
- Fix: Resolved an issue causing ArgoCD to report constant out-of-sync status due to the hasKey check in Helm. The condition has been simplified to ensure proper synchronization. No functional changes to deployments. (Backport PR #37648, Upstream PR #37536, @nicl-dev)
- Fixed Envoy JSON log format conversion in Helm, preventing crashes. (Backport PR #37742, Upstream PR #37656, @kahirokunn)
- helm: fix large number handling (Backport PR #37742, Upstream PR #37670, @justin0u0)
- hubble: escape terminal special characters from observe output (Backport PR #37648, Upstream PR #37401, @devodev)
- hubble: fix locking of hubble metrics registry for dynamically configured metrics (Backport PR #38104, Upstream PR #37923, @marseel)
- identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR #38104, Upstream PR #36657, @oblazek)
- ipam/multi-pool: Periodically perform pool maintenance (Backport PR #38104, Upstream PR #37895, @gandro)
- operator: explicit controller-runtime controller names to avoid naming conflicts (Backport PR #37742, Upstream PR #37606, @mhofstetter)
- operator: Fix duplicate configurations (Backport PR #37648, Upstream PR #37293, @joestringer)
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR #38104, Upstream PR #38029, @julianwiedmann)
- Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (Backport PR #38154, Upstream PR #38143, @youngnick)
- Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning a wrong error message `iptables: Incompatible with this kernel` to `iptables -n -L CHAIN` when the chain does not exist. This prevented iptables configuration and induced unnecessary loops and log messages. (Backport PR #38104, Upstream PR #37749, @fgiloux)
CI Changes:
- .github: Remove misleading step from ipsec workflow (Backport PR #37742, Upstream PR #37681, @joestringer)
- .github: s/enbaled/enabled/ (Backport PR #37648, Upstream PR #37449, @chansuke)
- bgpv1: wait for watchers to be ready in tests (Backport PR #37904, Upstream PR #37884, @harsimran-pabla)
- CI: GKE backslash missing disable insecure kubelet (Backport PR #37904, Upstream PR #37850, @auriaave)
- CI: GKE, disable insecure kubelet readonly port (Backport PR #37904, Upstream PR #37844, @auriaave)
- ci: switch to monitor aggregation medium (Backport PR #38104, Upstream PR #38036, @marseel)
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #37904, Upstream PR #37551, @jschwinger233)
- gh: ipsec-e2e: add concurrency for connectivity tests (Backport PR #37925, Upstream PR #37891, @julianwiedmann)
- gh: update naming for bpftrace leak detection script (Backport PR #37904, Upstream PR #37865, @julianwiedmann)
Misc Changes:
- always render enable-hubble in the Cilium configmap (Backport PR #37904, Upstream PR #37703, @kaworu)
- bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (Backport PR #38104, Upstream PR #38037, @borkmann)
- bpf: minor clean-ups for the ENI symmetric routing feature (Backport PR #37648, Upstream PR #37379, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.17) (#37950, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#37944, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#38048, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.17.0 (v1.17) (#37793, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.17) (#37949, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.17) (#38057, @cilium-renovate[bot])
- chore(deps): update go to v1.23.7 (v1.17) (#37996, @cilium-renovate[bot])
- chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.17) (#37833, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.17) (#38148, @cilium-renovate[bot])
- cilium-dbg: output parentIfIndex in bpf endpoint list (Backport PR #37742, Upstream PR #37398, @Mahdi-BZ)
- cilium: Allow to configure tunnel source port range (Backport PR #37904, Upstream PR #37777, @borkmann)
- cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (Backport PR #37904, Upstream PR #37808, @borkmann)
- docs: complete load balancer service manifest in kubeproxy-free (Backport PR #37648, Upstream PR #37466, @ybelleguic)
- docs: fix broken links (Backport PR #38104, Upstream PR #37995, @nueavv)
- docs: masquerading: mention that BPF masq also pulls in BPF Host-Routing (Backport PR #37648, Upstream PR #37604, @julianwiedmann)
- docs: use latest for rtd theme commit with fixed version selector (Backport PR #37614, Upstream PR #37421, @ayuspin)
- envoy: remove duplicated service/endpointslice informers when envoyConfig is enabled (Backport PR #37742, Upstream PR #37683, @marseel)
- Fix API generation and add trusted dependencies to renovate config (Backport PR cilium/...
1.16.8
Summary of Changes
Minor Changes:
- docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR #38106, Upstream PR #37989, @oblazek)
- Increase granularity of the `api_duration_seconds` metric buckets (Backport PR #38014, Upstream PR #37365, @jaredledvina)
Bugfixes:
- Do not auto detect / auto select IPoIB devices (Backport PR #37647, Upstream PR #37553, @dylandreimerink)
- Egress route reconciliation (Backport PR #38120, Upstream PR #37962, @dylandreimerink)
- Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR #37900, Upstream PR #37419, @javanthropus)
- Fix Envoy metrics not being obtainable on IPv6-only clusters (Backport PR #37900, Upstream PR #37818, @haozhangami)
- Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport PR #37647, Upstream PR #37532, @antonipp)
- fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport PR #37647, Upstream PR #37236, @dee-kryvenko)
- Fix: cilium-operator no longer patches services on shutdown (Backport PR #38106, Upstream PR #37967, @rsafonseca)
- helm: fix large number handling (Backport PR #37743, Upstream PR #37670, @justin0u0)
- hubble: escape terminal special characters from observe output (Backport PR #37647, Upstream PR #37401, @devodev)
- identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR #38014, Upstream PR #36657, @oblazek)
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR #38106, Upstream PR #38029, @julianwiedmann)
CI Changes:
- .github: Remove misleading step from ipsec workflow (Backport PR #37743, Upstream PR #37681, @joestringer)
- bgpv1: wait for watchers to be ready in tests (Backport PR #38014, Upstream PR #37884, @harsimran-pabla)
- ci: add leak detection to conformance-ipsec-upgrade (Backport PR #36575, Upstream PR #36377, @smagnani96)
- CI: GKE backslash missing disable insecure kubelet (Backport PR #37900, Upstream PR #37850, @auriaave)
- CI: GKE, disable insecure kubelet readonly port (Backport PR #37900, Upstream PR #37844, @auriaave)
- ci: switch to monitor aggregation medium (Backport PR #38106, Upstream PR #38036, @marseel)
- Cleanups after LLVM upgrade. (Backport PR #37801, Upstream PR #32067, @gentoo-root)
Misc Changes:
- [v1.16] docs: Update requirements.txt dependencies (#37616, @joestringer)
- allocator: correctly propagate context to RunGC call (Backport PR #37743, Upstream PR #36034, @giorio94)
- chore(deps): update all github action dependencies (v1.16) (#37952, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37997, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#38049, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.16) (#37951, @cilium-renovate[bot])
- chore(deps): update go to v1.23.7 (v1.16) (#37998, @cilium-renovate[bot])
- chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.16) (#37834, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.16) (#38149, @cilium-renovate[bot])
- docs: fix broken links (Backport PR #38106, Upstream PR #37995, @nueavv)
- Fix API generation and add trusted dependencies to renovate config (Backport PR #37647, Upstream PR #36957, @aanm)
- Fix helm value for IPAM Multi-Pool (Backport PR #38014, Upstream PR #37963, @saintdle)
- labels: fix TestNewFrom test (Backport PR #37900, Upstream PR #37846, @giorio94)
- Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport PR #37647, Upstream PR #37399, @ritwikranjan)
- Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR #37900, Upstream PR #37806, @rolinh)
- wireguard: attach Ingress program for native routing mode configurations (Backport PR #38117, Upstream PR #37108, @julianwiedmann)
Other Changes:
- [v1.16] images: update cilium-{runtime,builder} (#38054, @julianwiedmann)
- install: Update image digests for v1.16.7 (#37709, @cilium-release-bot[bot])
- v1.16: gh/workflows: Remove conformance-externalworkloads (#37739, @brb)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.8@sha256:569ec9056ef2e3b283edb508b31e4ff04058cb7bd551cc9433512ebdef07804d
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.8@sha256:5ea1c42de93879a853e35a1287dfc0c2bcf912fcdc8ce092dfb322819123c8ea
docker-plugin
quay.io/cilium/docker-plugin:v1.16.8@sha256:74664fa646f3fe6b8615830b21073602dece8b5397db7384b5aa0e585857265e
hubble-relay
quay.io/cilium/hubble-relay:v1.16.8@sha256:498c04894fc95b6792d713dfb5e11aad236d41433710ddf73425483e855170be
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.8@sha256:409009711eab9e0f97c13c67c9b18aa48be130d970f09b067e1ae35df24b2252
operator-aws
quay.io/cilium/operator-aws:v1.16.8@sha256:c596b30650899c5ecde8b114e0a4e8679f83122c2477056d8d437df78b7a981b
operator-azure
quay.io/cilium/operator-azure:v1.16.8@sha256:c9dc8757e5941c72764b4a73d39c270378f156cc005722db95c77e0d1897dd04
operator-generic
quay.io/cilium/operator-generic:v1.16.8@sha256:86c879ed25396a992fb8bf0297289f0b61f30f9a4a260f483abbdb39d919644d
operator
quay.io/cilium/operator:v1.16.8@sha256:c2b0716672ce2bf68c2679c8b98ddab4c80f2c6891560e538ce4e117240ba220