Update Helm release cilium to v1.16.1
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cilium (source) | HelmChart | minor | 1.15.6 -> 1.16.1 |
Release Notes
cilium/cilium (cilium)
v1.16.1: 1.16.1
Security Advisories
This release addresses the following security vulnerabilities:
- https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm
- https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww
Summary of Changes
Minor Changes:
- Deprecate providing Hubble TLS secrets in helm values (Backport MR #34297, Upstream MR #34114, @chancez)
- gateway-api: Add required labels and annotations (Backport MR #34215, Upstream MR #33990, @sayboras)
- helm: add config for nat-map-stats-{interval, entries} config. (Backport MR #34158, Upstream MR #33847, @tommyp1ckles)
- Internal listener references are now properly qualified with namespace and CEC name. (Backport MR #34158, Upstream MR #34104, @jrajahalme)
- Support configuring imagePullSecrets for spire agent/server pods (Backport MR #34158, Upstream MR #33952, @chancez)
Bugfixes:
- auth: Fix data race in Upsert (Backport MR #34158, Upstream MR #33905, @chaunceyjiang)
- BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (Backport MR #34297, Upstream MR #34177, @rastislavs)
- bgpv1: Fix data race in bgppSelection (Backport MR #34158, Upstream MR #33904, @chaunceyjiang)
- bgpv2: Avoid duplicate route policy naming (Backport MR #34158, Upstream MR #34031, @rastislavs)
- BGPv2: Fix Service advertisement selector: do not require matching CiliumLoadBalancerIPPool (Backport MR #34201, Upstream MR #34182, @rastislavs)
- Fix a nil dereference crash during cilium-agent initialization affecting setups with FQDN policies. The crash is triggered when a restored endpoint performs a DNS request at just the right time during early cilium-agent restoration. The problem is not expected to be persistent and the agent should get past the problematic part of the initialization on restart. (Backport MR #34158, Upstream MR #34059, @joamaki)
- Fix appArmorProfile condition for CronJob helm template (Backport MR #34297, Upstream MR #34100, @sathieu)
- Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport MR #34181, Upstream MR #34091, @giorio94)
- Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium. Fix spurious updates to node addresses to avoid unnecessary datapath reinitializations. (Backport MR #34085, Upstream MR #34012, @joamaki)
- Fix possible connection disruption on agent restart with WireGuard + kvstore (Backport MR #34158, Upstream MR #34062, @giorio94)
- Fixes DNS proxy "connect: cannot assign requested address" errors in transparent mode, which were due to opening multiple TCP connections to the upstream DNS server. (Backport MR #34201, Upstream MR #33989, @bimmlerd)
- gateway-api: Add HTTP method condition in sortable routes (Backport MR #34158, Upstream MR #34109, @sayboras)
- gateway-api: Enqueue gateway for Reference Grant changes (Backport MR #34158, Upstream MR #34032, @sayboras)
- lbipam: fixed bug in sharing key logic (Backport MR #34158, Upstream MR #34106, @dylandreimerink)
- policy: Fix policy cache covers context lookup. (#34322, @nathanjsweet)
- service: Relax protocol matching for L7 Service (Backport MR #34195, Upstream MR #34131, @sayboras)
CI Changes:
- .github: ginkgo: remove duplicate datapath ipv4only test in f09/f21. (Backport MR #34297, Upstream MR #34071, @tommyp1ckles)
- bpf: egressgw: don't install allow-all policy in to-netdev tests (Backport MR #34201, Upstream MR #34143, @julianwiedmann)
- ci: multi pool run tests concurrently (Backport MR #34297, Upstream MR #33945, @viktor-kurchenko)
- Fix workflow telemetry in ci-ipsec-upgrade (Backport MR #34158, Upstream MR #34097, @chancez)
- gha: Add extended features in gateway profile run (Backport MR #34215, Upstream MR #34098, @sayboras)
- gha: Free up Github runner disk space (Backport MR #34297, Upstream MR #34247, @sayboras)
- gha: lint absence of trailing spaces in workflow files (Backport MR #34158, Upstream MR #33908, @giorio94)
- gha: simplify the call-backport-label-updater workflow (Backport MR #34158, Upstream MR #33934, @giorio94)
- ginkgo-ci: split f09 into two groups to reduce timeouts & flakes (Backport MR #34297, Upstream MR #34038, @tommyp1ckles)
- test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport MR #34158, Upstream MR #34004, @tommyp1ckles)
- tests-clustermesh-upgrade: Don't hardcode test namespace (Backport MR #34158, Upstream MR #34121, @michi-covalent)
Misc Changes:
- [v1.16] docs: Add note for CNP empty slices semantic under v1.16 section (#34008, @pippolo84)
- Add source IP visibility info to Ingress and Gateway API docs (Backport MR #34297, Upstream MR #34137, @youngnick)
- bgpv1: Reconcile with retry in BGP Controller (Backport MR #34158, Upstream MR #33971, @rastislavs)
- bgpv2: deprecate local port setting in transport config (Backport MR #34209, Upstream MR #33438, @harsimran-pabla)
- bgpv2: use correct path key in path reconciler (Backport MR #34158, Upstream MR #33947, @harsimran-pabla)
- bitlpm: Avoid allocs in CIDR trie lookups (Backport MR #34158, Upstream MR #33518, @jrajahalme)
- bitlpm: Simplify matchPrefix() (Backport MR #34158, Upstream MR #33517, @jrajahalme)
- bugtool: dump cilium_skip_lb{4,6} (Backport MR #34158, Upstream MR #34017, @ysksuzuki)
- bugtool: dumping more Envoy information (Backport MR #34158, Upstream MR #34110, @mhofstetter)
- chore(deps): update all github action dependencies (v1.16) (#34166, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v27.3 (v1.16) (#34165, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.15 (v1.16) (#34049, @cilium-renovate[bot])
- Clean up documentation make targets for cases of nesting make builds inside container invocations (Backport MR #34297, Upstream MR #34151, @joestringer)
- doc: update slack channel reference (Backport MR #34158, Upstream MR #34044, @Huweicai)
- docs: Add warning on CRDs requirement for using the Gateway API (Backport MR #34297, Upstream MR #33974, @xtineskim)
- Documentation: Introduce support for redirects (Backport MR #34297, Upstream MR #34233, @chancez)
- Documentation: Update readthedocs configuration (Backport MR #34297, Upstream MR #34190, @joestringer)
- Fix two bugs in dnsproxy tcp conn reuse (Backport MR #34201, Upstream MR #34175, @bimmlerd)
- Improve documentation on configuring Hubble TLS (Backport MR #34297, Upstream MR #34115, @chancez)
- iptables: Support Envoy listener chaining (Backport MR #34297, Upstream MR #34105, @jrajahalme)
- Makefile: Fix docker flags for fast image targets (Backport MR #34297, Upstream MR #34132, @joestringer)
- policy: Sanitize DNS Rules to Disallow Port Ranges (Backport MR #34201, Upstream MR #34023, @nathanjsweet)
- Revert "fix: support validation of stringToString values in ConfigMap" (Backport MR #34305, Upstream MR #34277, @aanm)
- vendor: Bump StateDB to version v0.2.1 (Backport MR #34246, Upstream MR #33587, @joamaki)
Other Changes:
- install: Update image digests for v1.16.0 (#33994, @cilium-release-bot[bot])
- v1.16: Remove leftover backporter state file (#34210, @gandro)
v1.16.0: 1.16.0
We are excited to announce the Cilium 1.16.0 release. A total of 2969 new commits have been contributed to this release by a growing community of over 750 developers and over 19300 GitHub stars! :star_struck:
To keep up to date with all the latest Cilium releases, join #release on Slack.
Here's what's new in v1.16.0:
- 🚠 Networking
  - 🚤 Cilium NetKit: container-network throughput and latency as fast as host-network.
  - 🌐 BGPv2: Fresh new API for Cilium's BGP feature.
  - 📢 BGP ClusterIP Advertisement: BGP advertisements of ExternalIP and Cluster IP Services.
  - 🔀 Service Traffic Distribution: Kubernetes 1.30 Service Traffic Distribution can be enabled directly in the Service spec instead of using annotations.
  - 🔄 Local Redirect Policy promoted to Stable: Redirecting the traffic bound for services to the local backend, such as node-local DNS.
  - 📡 Multicast Datapath: Define multicast groups in Cilium.
  - 🏷 Per-Pod Fixed MAC Address: Specify the MAC address used on a pod.
- 🕸 Service Mesh & Ingress/Gateway API
  - :compass: Gateway API GAMMA Support: East-west traffic management for the cluster via Gateway API.
  - ⛩ Gateway API 1.1 Support: Cilium now supports Gateway API 1.1.
  - 🛂 ExternalTrafficPolicy support for Ingress/Gateway API: External traffic can now be routed to node-local or cluster-wide endpoints.
  - 🕸 L7 Envoy Proxy as dedicated DaemonSet: With a dedicated DaemonSet, Envoy and Cilium can have a separate life-cycle from each other. Now on by default for new installs.
  - 🗂 NodeSelector support for CiliumEnvoyConfig: Instead of being applied on all nodes, it's now possible to select which nodes a particular CiliumEnvoyConfig should select.
- :guardswoman: Security
  - 📶 Port Range support in Network Policies: This long-awaited feature has been implemented into Cilium.
  - 📋 Network Policy Validation Status: kubectl describe cnp will be able to tell if the Cilium Network Policy is valid or invalid.
  - ⛔ Control Cilium Network Policy Default Deny behavior: Policies usually enable default deny for the subject of the policies, but this can now be disabled on a per-policy basis.
  - 👥 CIDRGroups support for Egress and Deny rules: Add support for matching CiliumCIDRGroups in Egress policy rules.
  - 💾 Load "default" Network Policies from Filesystem: In addition to reading policies from Kubernetes, Cilium can be configured to read policies locally.
  - 🗂 Support to Select Nodes as Target of Cilium Network Policies: With new ToNodes/FromNodes selectors, traffic can be allowed or denied based on the labels of the target Node in the cluster.
- 🌅 Day 2 Operations and Scale
  - :elf: New ELF Loader Logic: With this new loader logic, the median memory usage of Cilium was decreased by 24%.
  - 🚀 Improved DNS-based network policy performance: DNS-based network policies had up to 5x reduction in tail latency.
  - 🕸 KVStoreMesh default option for ClusterMesh: Introduced in Cilium 1.14, and after a lot of adoption and feedback from the community, KVStoreMesh is now the default way to deploy ClusterMesh.
- :artificial_satellite: Hubble & Observability
  - 🗣 CEL Filters Support: Hubble supports Common Expression Language (CEL), giving support for more complex conditions that cannot be expressed using the existing flow filters.
  - 📊 Improved HTTP metrics: There are additional metrics to count the HTTP requests and their duration.
  - 📏 Improved BPF map pressure metrics: New metric to track the BPF map pressure metric for the Connection Tracking BPF map.
  - 👀 Improvements for Egress Traffic Path Observability: Some metrics were added in this release to help troubleshoot Cilium Egress Routing.
  - 🔬 K8S Event Generation on Packet Drop: Hubble is now able to generate a k8s event for a packet dropped from a pod, and it can be verified with kubectl get events.
  - 🗂 Filtering Hubble flows by node labels: Filter Hubble flows observed on nodes matching the given label.
- :houses: Community:
  - ❤ Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!

And finally, we would like to thank all contributors of Cilium who helped directly and indirectly with the project. The success of Cilium could not happen without all of you.
For a full summary of changes, see https://github.com/cilium/cilium/blob/v1.16.0/CHANGELOG.md.
v1.15.8: 1.15.8
Security Advisories
This release addresses the following security vulnerabilities:
- https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm
- https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww
- https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw
Summary of Changes
Minor Changes:
- helm: Add validation to prevent users from using deprecated values that have been removed (#34213, @chancez)
- helm: Cleanup old k8s version check and deprecated attributes (Backport MR #34157, Upstream MR #31940, @sayboras)
- Make hubble-relay more resilient to transient errors (Backport MR #34157, Upstream MR #33894, @chancez)
Bugfixes:
- add support for validation of stringToString values in ConfigMap (Backport MR #33962, Upstream MR #33779, @alex-berger)
- auth: Fix data race in Upsert (Backport MR #34157, Upstream MR #33905, @chaunceyjiang)
- auth: fix fatal error: concurrent map iteration and map write (Backport MR #33809, Upstream MR #33634, @chaunceyjiang)
- cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport MR #33809, Upstream MR #33616, @mrproliu)
- DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport MR #33809, Upstream MR #33592, @gandro)
- Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started. Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport MR #33818, Upstream MR #33629, @joamaki)
- Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport MR #34183, Upstream MR #34091, @giorio94)
- Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium. Fix spurious updates to node addresses to avoid unnecessary datapath reinitializations. (Backport MR #34086, Upstream MR #34012, @joamaki)
- Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport MR #33809, Upstream MR #33735, @giorio94)
- Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport MR #33663, Upstream MR #33511, @skmatti)
- gateway-api: Add HTTP method condition in sortable routes (Backport MR #34157, Upstream MR #34109, @sayboras)
- gateway-api: Enqueue gateway for Reference Grant changes (Backport MR #34157, Upstream MR #34032, @sayboras)
- helm: remove duplicate metrics for Envoy pod (Backport MR #34157, Upstream MR #33803, @mhofstetter)
- lbipam: fixed bug in sharing key logic (Backport MR #34157, Upstream MR #34106, @dylandreimerink)
- pkg/metrics: fix data race warning on metrics init hook. (Backport MR #33962, Upstream MR #33823, @tommyp1ckles)
- Reduce conntrack lifetime for closing service connections. (Backport MR #33962, Upstream MR #33907, @julianwiedmann)
- Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport MR #33809, Upstream MR #33306, @skmatti)
- The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport MR #34157, Upstream MR #33666, @bimmlerd)
CI Changes:
- [v1.15] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel (#33736, @julianwiedmann)
- [v1.15] gh/e2e: fix up config 15 to not use bpf-next (#33738, @julianwiedmann)
- gha: Add http client timeout in Ingress (Backport MR #33809, Upstream MR #33683, @sayboras)
- gha: don't fail if all cloud provider matrix entries are filtered out (Backport MR #33962, Upstream MR #33819, @giorio94)
- gha: ensure that helm values.schema.json is not accidentally backported (#33845, @giorio94)
- gha: lint absence of trailing spaces in workflow files (Backport MR #34157, Upstream MR #33908, @giorio94)
- gha: simplify the call-backport-label-updater workflow (Backport MR #33962, Upstream MR #33934, @giorio94)
- test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport MR #34157, Upstream MR #34004, @tommyp1ckles)
- tests-clustermesh-upgrade: Don't hardcode test namespace (Backport MR #34157, Upstream MR #34121, @michi-covalent)
- workflow: Use per-tunnel keys for the IPsec upgrade test (Backport MR #33809, Upstream MR #33769, @pchaigno)
Misc Changes:
- [v1.15] Update Docker dependency (#34196, @ferozsalam)
- bugtool: dumping more Envoy information (Backport MR #34157, Upstream MR #34110, @mhofstetter)
- chore(deps): update all github action dependencies (v1.15) (#34170, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#33649, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#34168, @cilium-renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.15) (#33793, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.15) (#33794, @cilium-renovate[bot])
- chore(deps): update dependency cilium/hubble to v1 (v1.15) (#34051, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.12 docker digest to 7e0e13a (v1.15) (#33792, @cilium-renovate[bot])
- chore(deps): update go to v1.22.5 (v1.15) (#33857, @cilium-renovate[bot])
- chore(deps): update go to v1.22.6 (v1.15) (#34167, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#33798, @cilium-renovate[bot])
- daemon/ipam: don't swallow parse error of CIDR (Backport MR #33809, Upstream MR #33283, @bimmlerd)
- doc: update slack channel reference (Backport MR #34157, Upstream MR #34044, @Huweicai)
- docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport MR #33809, Upstream MR #33655, @aditighag)
- docs: Add node about socketLB.hostNamespaceOnly to Kata page (Backport MR #33809, Upstream MR #33725, @brb)
- docs: Extend LRP guide with troubleshooting section (Backport MR #33809, Upstream MR #33373, @aditighag)
- docs: generalize version specific notes section (Backport MR #33962, Upstream MR #33888, @giorio94)
- docs: Remove CNCF graduation from the roadmap (Backport MR #33809, Upstream MR #33680, @joestringer)
- docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport MR #33809, Upstream MR #33626, @giorio94)
- docs: Update LVH VM image pull instructions (Backport MR #33809, Upstream MR #33621, @brb)
- Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport MR #33809, Upstream MR #33708, @Mais316)
- helm: Allow socket linger timeout to be set to zero (Backport MR #33962, Upstream MR #33887, @gandro)
- policy: Fix mapstate.Diff() used in tests (Backport MR #33809, Upstream MR #33449, @jrajahalme)
- Remove stable tags from v1.15 releases (#33985, @joestringer)
- renovate: onboard etcd image used in integration tests (Backport MR #33809, Upstream MR #33679, @giorio94)
- Revert "fix: support validation of stringToString values in ConfigMap" (Backport MR #34306, Upstream MR #34277, @aanm)
Other Changes:
- [v1.15] ci: use base and head SHAs from context in lint-build-commits workflow (#34267, @tklauser)
- [v1.15] Revert "docs: Update LRP feature status" (#34238, @ysksuzuki)
- Fix bug in Bandwidth Manager that caused it to not find native devices. (#33910, @joamaki)
- install: Update image digests for v1.15.7 (#33744, @cilium-release-bot[bot])
v1.15.7: 1.15.7
Summary of Changes
We are pleased to release Cilium v1.15.7, which makes the load balancer class of the Clustermesh API server configurable and includes stability and bug fixes. Thanks to all contributors, reviewers, testers, and users!
Minor Changes:
- helm: loadBalancerClass for Cluster Mesh APIserver (Backport MR #33342, Upstream MR #33033, @PhilipSchmid)
- ui: v0.13.1 release (Backport MR #33223, Upstream MR #32852, @geakstr)
Bugfixes:
- bgpv1: reorder neighbor creation and deletion steps (Backport MR #33378, Upstream MR #33262, @harsimran-pabla)
- datapath: Fix redirect from L3 netdev to tunnel (Backport MR #33529, Upstream MR #33421, @brb)
- Datasource error fixed for Hubble DNS and Network dashboards (Backport MR #33631, Upstream MR #30580, @Pionerd)
- egress-gateway: Validate ep identity before fetching labels (Backport MR #33529, Upstream MR #33311, @pippolo84)
- envoy: Avoid short circuit backend filtering (Backport MR #33533, Upstream MR #33403, @sayboras)
- Fix #32587 concurrent hubble dynamic exporter stop and reload (Backport MR #33098, Upstream MR #33000, @marqc)
- Fix hubble metrics leak by using CiliumEndpoint watcher to remove stale metrics. (Backport MR #33529, Upstream MR #33260, @sgargan)
- Fix rare spurious double reconnection upon clustermesh configuration change for remote cluster (Backport MR #33378, Upstream MR #33248, @giorio94)
- Fix too many open Unix sockets (Backport MR #33631, Upstream MR #33569, @chaunceyjiang)
- gateway-api: Check for matching controller name (Backport MR #33223, Upstream MR #33050, @sayboras)
- Generate SBOM from the correct release image (#33052, @ferozsalam)
- helm: Decouple sysctlfix from cgroup.autoMount (Backport MR #33010, Upstream MR #32866, @YutaroHayakawa)
- ipsec: do not nil out EncryptInterface when using IPAM ENI on netlink… (Backport MR #33631, Upstream MR #33512, @jasonaliyetti)
- IPv6 and IPv4 '0.0.0.0/0' CIDR parsing in policy processing has been fixed (Backport MR #33529, Upstream MR #33448, @jrajahalme)
- Recreate CT entries for non-TCP to fix L7 proxy redirect failures. (Backport MR #33378, Upstream MR #33222, @ysksuzuki)
- Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport MR #33631, Upstream MR #33551, @julianwiedmann)
- Revert MR #32244 which caused unintended side-effects that negatively impacted network performance. (Backport MR #33378, Upstream MR #33304, @learnitall)
- socketlb: tolerate cgroupv1 when detaching bpf programs (Backport MR #33631, Upstream MR #33599, @rgo3)
- Update IPsec to handle larger PSK values when using per-tunnel PSK (Backport MR #33631, Upstream MR #33472, @jasonaliyetti)
- When the Bandwidth Manager feature is enabled, don't apply Egress rate-limiting to "Port unreachable" ICMP replies by Cilium's North-South Loadbalancer. (Backport MR #33631, Upstream MR #33624, @julianwiedmann)
CI Changes:
- [v1.15] Disable release SBOM asset uploads (#33072, @ferozsalam)
- Bump CLI to v0.16.11 (Backport MR #33529, Upstream MR #33444, @brb)
- ci: Add IPsec leak detection for ci-ipsec-e2e (Backport MR #33047, Upstream MR #32930, @jschwinger233)
- ci: l4lb: Don't hang on gathering logs forever (Backport MR #33010, Upstream MR #32947, @joestringer)
- gh: ipsec: clarify check for leaked proxy traffic during key rotation (Backport MR #33631, Upstream MR #33509, @julianwiedmann)
- gha: Only retrieve IPv4 CIDR from docker network (Backport MR #33110, Upstream MR #33093, @sayboras)
- workflows: e2e-upgrade: fix EXTRA parameters (Backport MR #33223, Upstream MR #33150, @jibi)
Misc Changes:
- .github: add workflow for renovate to build base images (Backport MR #33346, Upstream MR #33326, @aanm)
- .github: fix cloud workflows for renovate (Backport MR #33321, Upstream MR #33320, @aanm)
- .github: fix workflows used by renovate (Backport MR #33317, Upstream MR #33309, @aanm)
- [v1.15] remove tracking of backports with MLH (#33124, @aanm)
- Add auto-merge for renovate for trusted dependencies (Backport MR #33317, Upstream MR #33287, @aanm)
- bpf: ct: return actual error from CT lookup (Backport MR #33378, Upstream MR #33225, @julianwiedmann)
- bpf: encap: fix ifindex in TO_OVERLAY trace notification (Backport MR #33575, Upstream MR #33083, @julianwiedmann)
- bpf: lxc: fix ifindex in TO_ENDPOINT trace notification (Backport MR #33575, Upstream MR #33085, @julianwiedmann)
- bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy() (Backport MR #33378, Upstream MR #33181, @julianwiedmann)
- build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation (Backport MR #33378, Upstream MR #33218, @dependabot[bot])
- build-images-base: cancel github runs based on branch name (Backport MR #33378, Upstream MR #33353, @aanm)
- build-images-base: push to branch if pull request ref doesn't exist (Backport MR #33378, Upstream MR #33368, @aanm)
- build-images: fetch artifacts with specific pattern (Backport MR #33378, Upstream MR #33216, @aanm)
- chore(deps): update all github action dependencies (v1.15) (#33177, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#33338, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#33492, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#33175, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#33337, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#33571, @cilium-renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.16.11 (v1.15) (#33650, @cilium-renovate[bot])
- chore(deps): update cilium/scale-tests-action digest to 511e3d9 (v1.15) (#33208, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.10 (v1.15) (#32990, @cilium-renovate[bot])
- chore(deps): update dependency eksctl-io/eksctl to v0.182.0 (v1.15) (#32991, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.11 docker digest to 2eb85b8 (v1.15) (#33174, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.11 docker digest to b405b62 (v1.15) (#33336, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.12 docker digest to 488f80a (v1.15) (#33660, @cilium-renovate[bot])
- chore(deps): update docker/build-push-action action to v5.4.0 (v1.15) (#33018, @cilium-renovate[bot])
- chore(deps): update docker/build-push-action action to v6 (v1.15) (#33198, @cilium-renovate[bot])
- chore(deps): update go to v1.21.12 (v1.15) (#33539, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#33003, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#33176, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#33301, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#33657, @cilium-renovate[bot])
- daemon: Allow DNS transparent mode to be turned off with encryption (Backport MR #33631, Upstream MR #33420, @gandro)
- docs: Improve note on kube-apiserver entity limitations (Backport MR #33529, Upstream MR #33382, @gandro)
- docs: ipsec: mention dependency on transparent mode for DNS proxy (Backport MR #33098, Upstream MR #33062, @julianwiedmann)
- Documentation: accept ORG and REPO (Backport MR #33631, Upstream MR #33514, @aanm)
- examples: Fix subject selector in ingress policy (Backport MR #33378, Upstream MR #33292, @joestringer)
- Fix renovate's concurrency group (Backport MR #33559, Upstream MR #33528, @aanm)
- images: update cilium-{runtime,builder} (#33714, @aanm)
- Increase usability of Makefile.override (Backport MR #33098, Upstream MR #32660, @learnitall)
- install/kubernetes: update nodeinit image to latest version (Backport MR #33529, Upstream MR #33427, @marseel)
- ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject (Backport MR #33152, Upstream MR #33120, @squeed)
- LRP: Misc fix-ups (Backport MR #33529, Upstream MR #33442, @aditighag)
- Miscellaneous fixes in the usage of Makefile.override and build modifiers (Backport MR #33098, Upstream MR #33129, @giorio94)
- Miscellaneous improvements to clustermesh-related troubleshooting tools (Backport MR #33378, Upstream MR #32951, @giorio94)
- Remove release scripts (Backport MR #33010, Upstream MR #32938, @aanm)
- Renovate changes (Backport MR #33559, Upstream MR #33519, @aanm)
- renovate: add auto-approve bot for renovate MRs (Backport MR #33642, Upstream MR #33604, @aanm)
Other Changes:
- (v1.15) Add permissions to read generated SBOMs (#33059, @ferozsalam)
- [v1.15] bpf: ct: return actual error from CT lookup (fixup) (#33484, @julianwiedmann)
- [v1.15] gh/workflows: fix skipping of no-frag test in ipsec-e2e workflow (#33671, @julianwiedmann)
- Bump GoBGP to v3.27.0 (#32993, @YutaroHayakawa)
- envoy: Bump golang version to v1.22.5 (#33555, @sayboras)
- envoy: Update envoy 1.28.x to v1.28.5 (#33483, @sayboras)
- install: Update image digests for v1.15.6 (#33015, @qmonnet)
Docker Manifests
Configuration
- [ ] If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.