1.17.0-pre.1
Pre-release
Pre-release
·
3897 commits
to main
since this release
v1.17.0-pre.1
aanm
André Martins
This tag was signed with the committer’s verified signature.
Summary of Changes
Major Changes:
- feat: fast and standard queue in CES controller (#34199, @Kaczyniec)
Minor Changes:
- Added Helm Chart value for overriding target namespace. (#34624, @thewilli)
- Cilium now handles MTU changes to devices without restarting (#34314, @dylandreimerink)
- cilium-cli: Deprecate --disable-check flag (#34953, @michi-covalent)
- CiliumCIDRGroup now supports large numbers of CIDRs. CiliumCIDRGroup now integrates with Hubble flows. (#33441, @squeed)
- daemon: bpf: add --bpf-conntrack-accounting-enabled flag (#34921, @jibi)
- daemon: Make cilium status independent from k8s status (#32724, @tkna)
- Enables a new metric in the cilium operator to indicate unmanaged pods. (#34815, @nimishamehta5)
- envoy: Bump envoy version from v1.30.4 to v1.30.6 (#34967, @sayboras)
- feat(cilium-cli-clustermesh): Improve --destination-context option for connecting multiple remote contexts (#34510, @littlejo)
- Fix handling of route replace rules in ENI IPAM mode when
ipv4-native-routing-cidris set to0.0.0.0/0. (#34436, @chapsuk) - gateway-api: Add support for HTTP Retry (#34720, @sayboras)
- gateway-api: Add support for mirror fraction (#34602, @sayboras)
- gateway-api: Sync up with the latest upstream v1.2.0-rc1 (#34807, @sayboras)
- Implement
cilium-dbg bpf frag listcommand to list IPV4 datagram fragments. (#34751, @Huweicai) - k8s: Add "service.cilium.io/type" (#34772, @brb)
- k8s: Add support for 1.31.0 (#34463, @christarazi)
- Low-hanging fruit performance improvements of the hubble consumer module (#34535, @giorio94)
- metrics: add structured format for Hubble metrics and options. (#34849, @rectified95)
- Multi-Pool IPAM now allows the use of /32 or /128 CIDRs in CiliumPodIPPools (#34618, @juliusmh)
- Remove workaround for Azure CNI bridge mode from nodeinit script. (#34870, @wedaly)
- version: Don't create k8s client if --client is specified (#34914, @michi-covalent)
Bugfixes:
- bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (#34976, @rastislavs)
- bpf: nat: recreate a NAT entry if the packet hits the stale entry (#34913, @ysksuzuki)
- cli: fix a case when connectivity perf command was hanging if LRP was enabled in the cluster (#35063, @marseel)
- Correctly format
cilium status -o jsonCLI output for errors and warnings (#34654, @nimishamehta5) - Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (#34941, @bimmlerd)
- Fix Hubble exporter config uses wrong separator (#34621, @chaunceyjiang)
- Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (#34789, @tommyp1ckles)
- Fix missing Helm chart version for status command (#34748, @pgils)
- Fix parameter check to forbid 8000 IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (#34651, @smagnani96)
- Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (#34721, @giorio94)
- Fix runtime panic with L2announcer name generation (#35031, @YutaroHayakawa)
- Fix services could not be removed in sync-lb-maps-with-k8s-services controller (#33885, @haozhangami)
- Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (#34775, @julianwiedmann)
- fix(clustermesh): mesh connection mode (#34932, @littlejo)
- Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (#34783, @dylandreimerink)
- Fixed bug where service id allocator would loop infinity when out of service ids (#35033, @WeeNews)
- Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (#34611, @dboslee)
- Fixes startup fatal error when updating CiliumNode resource. (#34862, @harsimran-pabla)
- gateway-api: Align GRPCRoute matchers with GEP specification (#34808, @cfsnyder)
- helm: Render valid image specs when tag is empty (#34891, @BenoitKnecht)
- ipcache: Yet another refcounting fix with mix of APIs (#34715, @gandro)
- lrp: define ENABLE_LOCAL_REDIRECT_POLICY regardless of socketLB setting (#34954, @ysksuzuki)
- Make initial nat gc async during Daemon initialization. (#34070, @tommyp1ckles)
- Metrics: Fix the reporting of bootstrap metric "overall" scope as it was not capturing a part of initialization (#34971, @marseel)
- The cilium dnsproxy now handles EDNS0 large buffersize advertisements better. (#34852, @bimmlerd)
- wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (#34612, @jrife)
CI Changes:
- .github/workflows: fix ci image cache cleaner (#34819, @aanm)
- .github: add missing export in variable (#34818, @aanm)
- .github: change nick-invision/retry -> nick-fields/retry. (#34718, @tommyp1ckles)
- .github: create cache directories on cache miss (#35088, @aanm)
- .github: install golang action after checkout (#34843, @aanm)
- .github: prevent failure when deleting GitHub Actions cache (#34844, @aanm)
- .github: re-enable configurations in e2e-upgrade (#34800, @aanm)
- .github: remove CI tests from PR runs if not required (#34726, @aanm)
- .github: specify cache-dependency-path in lint-workflows (#34845, @aanm)
- ariane: don't run full test suite for BPF test changes (#34931, @julianwiedmann)
- ariane: manage workflow exclusions for changes to CODEOWNERS and USERS.md (#34894, @julianwiedmann)
- bpf/complexity-tests: Add ENABLE_LOCAL_REDIRECT_POLICY (#35016, @ysksuzuki)
- bpf/complexity-tests: fix ENABLE_LOCAL_REDIRECT_POLICY (#35099, @ysksuzuki)
- ci: 100 node scale - alert on bootstrap/cpu/memory regressions (#34897, @marseel)
- ci: clean disk only on ubuntu-latest runners (#34711, @marseel)
- ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (#34820, @aanm)
- ci: Confromance E2E wait for images before matrix generation (#34707, @marseel)
- CI: Fix syntax error in Image Cache Cleaner (#35104, @brlbil)
- CI: l4lb allow extra opts (#34813, @tommyp1ckles)
- ci: Move CiliumEndpointSlice migration to schedule (#34828, @marseel)
- ci: Wait for images before generating test matrix (#34727, @marseel)
- cilium-cli: connectivity: fix the local-redirect-policy flow validation (#34919, @ysksuzuki)
- cilium-cli: Define CLI_MAIN_DIR Make variable (#34910, @michi-covalent)
- fix: repository nil value handled on workflow_dispatch context for renovate updates (#34902, @Artyop)
- gha: Enable Ingress Controller test in upgrade (#34185, @sayboras)
- gha: fix permissions of update label backport PR workflow (#35117, @giorio94)
- metrics: Add metrics config test for Hubble. (#34325, @rectified95)
- Miscellaneus improvements to the clustermesh scale test (#34704, @giorio94)
- Revert "ci: increase verbosity of print-downgrade-script.sh" (#34863, @marseel)
- Run scheduled workflows every 8h instead of 6h (#34898, @auriaave)
- test: add dual-stack to delegated IPAM E2E test (#34937, @wedaly)
- test: Add unit tests for directory policy watcher (#33920, @tamilmani1989)
- test: Cilium Identity management tests (#34743, @dlapcevic)
- test: e2e tests for delegated IPAM (#34839, @wedaly)
Misc Changes:
- .github/labeler: add exclusive cilium-cli label (#34771, @aanm)
- .github: add cache to cilium-cli and hubble-cli build workflows (#34847, @aanm)
- .github: do not update github runners for bpf workflows (#35105, @aanm)
- .github: fix lvh-kind warnings (#34811, @aanm)
- .github: fix runtime image digests (#35107, @aanm)
- .mailmap: Add entry for Quentin's email (#34708, @qmonnet)
- Add flag enabling LB IPAM (#34945, @nebril)
- Add Jar to the users.md (#34952, @rohan-changejar)
- Add Nutanix user (#34752, @tuxtof)
- agent: add flag to enable internal traffic policy (#34858, @nebril)
- agent: drop leftover logstash constant/field (#34722, @giorio94)
- AUTHORS: fix duplicate entries (#34714, @aanm)
- bgpv1: Add MatchFamilies option in RoutePolicyConditions (#34674, @rastislavs)
- bgpv1: Cleanup BGP reconcilers setup to ensure that no BGP CP jobs are started when BGP CP is disabled (#34836, @rastislavs)
- bgpv2/docs: add ebgp multihop documentation (#34951, @harsimran-pabla)
- bgpv2: cleanup service reconciliation logic (#34959, @rastislavs)
- Bitlpm fixes and improvements (#34781, @jrajahalme)
- bpf/lib/icmpv6.h: cleanup hardcoded ICMPv6 types (#34942, @msune)
- bpf: compile-test ENABLE_IP_MASQ_AGENT_IPV* (#34701, @julianwiedmann)
- bpf: tests: don't specify ETH_HLEN for L2 devices (#34906, @julianwiedmann)
- bpf: vxlan helper improvements (#34755, @julianwiedmann)
- bugtool: collect
cilium-dbg bpf frag listoutput (#34868, @julianwiedmann) - build-images-ci: skip SBOM for cilium-cli (#35116, @aanm)
- Bump k8s version to 1.31 in some missing files (#34778, @aanm)
- Bump StateDB to v0.3 with range-funcs (#34729, @joamaki)
- chore(deps): update all github action dependencies (main) (#34759, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (main) (#34877, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (main) (#35004, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (main) (#35078, @cilium-renovate[bot])
- chore(deps): update all-dependencies (main) (#34757, @cilium-renovate[bot])
- chore(deps): update all-dependencies (main) (#34872, @cilium-renovate[bot])
- chore(deps): update all-dependencies (main) (#34969, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.17 (main) (#34875, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.18 (main) (#34998, @cilium-renovate[bot])
- chore(deps): update dependency renovatebot/renovate to v38.80.0 (main) (#34882, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.1 docker digest to 2fe82a3 (main) (#34873, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.1 docker digest to 4f063a2 (main) (#35075, @cilium-renovate[bot])
- chore(deps): update go to v1.23.1 (main) (#34732, @cilium-renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.61.0 (main) (#34826, @cilium-renovate[bot])
- chore(deps): update https://github.com/cilium/scaffolding digest to a97aaf1 (main) (#35100, @cilium-renovate[bot])
- chore(plugins): replace deprecated CNI function (#34561, @SkalaNetworks)
- chore: Add constants for cloud APIs (#34438, @jaffcheng)
- ci: fix ginkgo by replace k8s v1.27 with v1.31 (#34773, @mhofstetter)
- cilium-cli/status: sort status lines (#34927, @tklauser)
- cilium-cli/sysdump: export SubmitMetricsSubtask (#34864, @tklauser)
- cilium-cli: collect BGPv2 CRD resources in sysdump (#34684, @rastislavs)
- cilium-cli: remove copying of loop variables (#34944, @tklauser)
- cilium-dbg: Show deleted objects when watching StateDB tables (#34635, @joamaki)
- cilium: add minor annotation mode follow-ups (#35102, @borkmann)
- cilium: add option to configure service annotation-based dispatch (#35064, @borkmann)
- cilium: Enable health datapath also in annotation mode (#35124, @borkmann)
- cli/connectivity: improvements for echo-ingress-l7-via-hostport test (#34502, @julianwiedmann)
- clustermesh/endpointslicesync: fix panic on failure in Test_meshEndpointSlice_Reconcile (#34699, @tklauser)
- datapath: clarify comment for EncryptNode (#34924, @julianwiedmann)
- docs(users): add SDV Services (#34746, @sjoukedv)
- docs, LRP: add note regarding the KPR configuration (#35030, @ysksuzuki)
- docs: Clarify instructions for bumping K8s to avoid forks (#34791, @christarazi)
- docs: fix EKS Kubernetes compatibility link (#34922, @fjvela)
- docs: Improve warning on insecure global IPsec keys (#34846, @pchaigno)
- docs: move sig-policy to second Tuesday of the month (#35040, @squeed)
- Document about multicast sub-command of cilium-cli (#34987, @yushoyamaguchi)
- driftchecker: Allow agent to monitor configuration drifts (#34712, @ovidiutirla)
- egressgw: skip gateway config update on endpoint change events (#34795, @julianwiedmann)
- endpoint: Use nanoseconds in policy logs (#34679, @jrajahalme)
- envoy: Add configuration for OverloadManager (#34682, @sayboras)
- envoy: possibility to configure separate default log level for Envoy (#34728, @mhofstetter)
- envoy: update cilium/proxy to latest version (#34769, @mhofstetter)
- experimental: Benchmark reconciling tables and BPF (#34487, @DamianSawicki)
- feat(helm): allow setting resources for spire agent and server workloads (#34822, @sjoukedv)
- fix add spi=0 to ipSecKeysRemovalTime (#34652, @smagnani96)
- fix(deps): update all go dependencies main (main) (#34548, @cilium-renovate[bot])
- fix(deps): update all go dependencies main (main) (#34920, @cilium-renovate[bot])
- fix(deps): update all go dependencies main (main) (#35024, @cilium-renovate[bot])
- fix(deps): update aws-sdk-go-v2 monorepo (main) (#34758, @cilium-renovate[bot])
- fix(deps): update aws-sdk-go-v2 monorepo (main) (#35003, @cilium-renovate[bot])
- fix(deps): update aws-sdk-go-v2 monorepo (main) (#35077, @cilium-renovate[bot])
- fix(deps): update kubernetes packages to v0.31.1 (main) (#34853, @cilium-renovate[bot])
- fix(deps): update opentelemetry-go monorepo to v1.30.0 (main) (#34876, @cilium-renovate[bot])
- Fixed TestWatchAllKeys UT (#35009, @chaunceyjiang)
- gateway-api: Enable GatewayStaticAddresses test in CI (#34695, @sayboras)
- gateway-api: Sync up with latest version upstream (#35047, @sayboras)
- generic-veth will ignore the automatically generated link-local IPv6 addresses on the link. (#33959, @BSWANG)
- go: Replace x/maps package by respective standard libraries (#34649, @sayboras)
- helm: add client auth to hubble server certificate (#34934, @kaworu)
- helm: set key usages for hubble certificates with cert-manager (#34946, @kaworu)
- hive/k8s: Add OnDemand[T] and the OnDemandTable (#34799, @joamaki)
- hubble/filters: use netip types (#34803, @tklauser)
- hubble: add file name and line number info to dropped flows (#34616, @kaworu)
- images: fix path script (#34764, @aanm)
- Improve speed on lint commits GH workflow (#34848, @aanm)
- ingress: export Config[T] type. (#34812, @tommyp1ckles)
- job: Prepare job names for hive bump (#34838, @ovidiutirla)
- k8s: Convert service.cilium.io/node to annotation (#34739, @brb)
- kvstore: remove obsolete key encoding/decoding methods (#34925, @tklauser)
- kvstore: Remove SessionID from kvstore Value (#34895, @odinuge)
- lbipam: Remove init done callback hooks (#34785, @dylandreimerink)
- Link ariane triggers in testing/CI documentation. (#34869, @sypakine)
- loader: de-dup LinkByName() calls for overlay / wireguard setup (#34705, @julianwiedmann)
- Make flag that instructs LB-IPAM to only allocate IPs for services with .Spec.LoadBalancerClass specified functional (#34985, @simu)
- Makefile: retry on kind load docker-image errors (#34907, @jibi)
- operator: remove helper function
model.AddressOf(#34765, @mhofstetter) - pkg/ciliumidentity: Prevent updateCID from modifying the resource store (#34805, @ovidiutirla)
- pkg/ciliumidentity: Use hive cell context (#34565, @ovidiutirla)
- pkg/dynamicconfig: Add support for multiple sources (#34581, @ovidiutirla)
- policy: add flag enabling non-default-deny policy (#34940, @nebril)
- policy: Fix Key stringer port range output (#34842, @jrajahalme)
- Prepare for release v1.17.0-pre.0 (#34694, @cilium-release-bot[bot])
- Re-write GitHub cache usages across workflows (#34866, @aanm)
- README: Update releases (#34710, @aanm)
- README: Update releases (#35054, @nebril)
- Refactor the CiliumEndpointSlice subscriber public methods and increase test coverage (#34671, @sypakine)
- Remove conformance-e2e tests (#34742, @aanm)
- Remove note about TLSRoute being required by Cilium (#34817, @youngnick)
- renovate: Correct the regex for cilium-envoy image (#34886, @sayboras)
- renovate: Update allowedVersion for cilium-envoy (#34978, @sayboras)
- Reuse deny CIDR benchmark in allow CIDR benchmark (#34996, @christarazi)
- Services protocol differentiation: minor follow ups (#34955, @jibi)
- Set go version to v1.23 in go.mod and fix codegen issue (#34725, @joamaki)
- Show exact error message for "Error reading config file" (#34617, @jingyuanliang)
- Transactional selector cache (#34205, @jrajahalme)
- Use Go standard library slices package more extensively (#34796, @tklauser)
- vendor: Bump StateDB to v0.2.6 and fix usage (#34669, @joamaki)
- wireguard: Move private key generation to start (#34860, @joamaki)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.17.0-pre.1@sha256:fa532628872a3b086d8658d93ff55e94035cb2a7d7f5f2411539eb51cceee617
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.17.0-pre.1@sha256:b019822aa0d968b4d4275fa0da7b77c9e05ad76bc5b93aeb89f67ce5278d3cce
docker-plugin
quay.io/cilium/docker-plugin:v1.17.0-pre.1@sha256:0a2e7aa1135e9c9ec9f72cf015bb5a39d4c0d651165a11195110b7e7cac657d3
hubble-relay
quay.io/cilium/hubble-relay:v1.17.0-pre.1@sha256:0f6450f567e998768f042894602a7a44f7146133c34cc2cbd5f5850effcef44a
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.17.0-pre.1@sha256:a1d68e285c88a8190003c45265d0f5269bf8984a9d8000611998131862ebc0e2
operator-aws
quay.io/cilium/operator-aws:v1.17.0-pre.1@sha256:54be54e2562e4c5ef7baf7e936fe7d7ecbd6fc2c35681ecdb688cd850966d84a
operator-azure
quay.io/cilium/operator-azure:v1.17.0-pre.1@sha256:05f362b927ad91e7fa4ff050444bd075e2b61d5b1108549b860a3357cb592891
operator-generic
quay.io/cilium/operator-generic:v1.17.0-pre.1@sha256:5b8e56c73c292285370296d5b71266bbe11ee02c4977c1d299c313a09cb72d42
operator
quay.io/cilium/operator:v1.17.0-pre.1@sha256:c099d3a5490f842f7b0ba0f9792631aa5c755fce04c82a6ce3c6c765dcc43c52
Contributors
gandro, jibi, and 65 other contributors