We are pleased to announce Cilium v1.10.0. 🎉
The summary of changes below reflects the diff between the last stable release v1.9.7 and tag v1.10.0.
Blog post announcement: https://cilium.io/blog/2021/05/20/cilium-110
Summary of Changes
Major Changes:
- Add --datapath-mode=lb which allows cilium-agent to run as a standalone loadbalancer (#13670, @brb)
- Add AlibabaCloud Operator (#15160, @l1b0k)
- Add NodePort BPF support to L2-less devices (wireguard, tun, etc) (#14858, @brb)
- Add support for k8s 1.21 and set minimal k8s supported version to 1.16 (#15502, @aanm)
- Add the ability to masquerade IPv6 traffic when using iptables masquerading mode. This behavior can be enabled/disabled by using `enable-ipv6-masquerade` agent option. (#14124, @fristonio)
- Cilium now builds and installs on ARM64 machines. (#14207, @jrajahalme)
- doc: Add Code of Conduct (#15305, @tgraf)
- doc: Deprecate managed etcd mode (#15464, @tgraf)
- doc: New performance benchmarks and tuning guide (Backport PR #16049, Upstream PR #15943, @tgraf)
- Implement external IP (LoadBalancer) allocation & announcement via BGP for services (#15340, @christarazi)
- Integrate Wireguard for pod2pod encryption (#15383, @brb)
- Rework Quick & Helm Installation Guide (#15695, @tgraf)
- Update to Kubernetes 1.20 (#14248, @aanm)
Minor Changes:
- Add digest flags to specify docker images digests in helm charts (#15185, @aanm)
- Add helm option enableEgressGateway (#15777, @anfernee)
- Add metrics for identity garbage collection in cilium-operator (#14254, @ArthurChiao)
- Add new `cilium_bpf_map_pressure` metric measuring the fill-up ratio of selected BPF maps. (#14131, @jcaamano)
- Add startupProbe for Cilium-agent for faster readiness in Kubernetes >= 1.20 (#14518, @youssefazrak)
- Add support for agent events to Hubble API (#14168, @tklauser)
- Added --bpf-lb-bypass-fib-lookup flag, which toggles the BPF nodeport reverse NAT FIB lookup optimization (#14978, @skuffe)
- Adds an option to specify Cilium router device IP (#14800, @Weil0ng)
- Adds capability to filter events based on IP version. (#14556, @nyrahul)
- Agent: consistent 'containerID' field in the log of the requests EP-delete and EP-create (#14713, @romanspb80)
- agent: Silence some useless warnings (#15450, @tgraf)
- api/hubble: add AUDIT policy verdict (#14785, @jaffcheng)
- arp: Add retries to arping (#14601, @brb)
- AWS eni: Support Instance Metadata Service Version 2 (IMDSv2) (Backport PR #16210, Upstream PR #15828, @Smana)
- bpf: add LB ipip health check datapath (#14610, @borkmann)
- bpf: add option for RSS-friendly outer srcIP prefix w/ mixing for DSR (#14276, @borkmann)
- bpf: Adds support for drop IPv4 fragmented packet (#15733, @navarrothiago)
- bpf: bpf host routing for tunneling (#15148, @borkmann)
- Change default ENI property FirstInterfaceIndex to 0 and improve IPAM logic in ENI & Azure modes (#14801, @christarazi)
- CI 3.0: A New Hope (#15144, @tgraf)
- ci: Increase time limit from 15m to 30m (#15371, @tgraf)
- cilium/cmd: improve 'bpf metrics list' JSON output (#13731, @jibi)
- cilium: Add encryption mode to `cilium status` (#15833, @gandro)
- cleanup/metrics: Cleanup deprecated metrics (#13659, @sayboras)
- cni-(un)install: don't touch CNI dir if CILIUM_CUSTOM_CNI_CONF is set (#14910, @ti-mo)
- Consolidate kernel options probing and provide brief descriptions for missing parameters, in logs or for "cilium kernel-check". (#12383, @brandshaide)
- Create top level eni block for Helm values and add more options to it (#14470, @ungureanuvladvictor)
- custom calls: add new metrics to count skipped tail calls to custom programs (#15475, @qmonnet)
- daemon: add new option --allocator-list-timeout (#15538, @ArthurChiao)
- daemon: Add wildcard support to --devices ("eth+") (Backport PR #15919, Upstream PR #15697, @joamaki)
- daemon: Allow to specify dev to inherit IP addr for LB devs (#14259, @brb)
- daemon: Remove --help flags grouping (#15564, @brb)
- datapath: add tail call hooks for custom metrics, bytecounter example (#13191, @qmonnet)
- datapath: Create MAC_BY_IFINDEX_MACRO in Go (#15267, @brb)
- doc: Add more generic install section for egress gateway guide (Backport PR #16150, Upstream PR #16087, @tgraf)
- doc: Reword some results (Backport PR #16049, Upstream PR #15955, @tgraf)
- doc: Update diagrams in benchmark report (Backport PR #16150, Upstream PR #16063, @tgraf)
- doc: Use Cilium CLI for Cluster Mesh documentation (#15359, @tgraf)
- docs: document --nodes and --since cilium-sysdump's options (#14058, @jibi)
- docs: Move host firewall out of beta (#15761, @pchaigno)
- docs: Update OpenShift (OKD) GSG to use OLM operator (#15608, @errordeveloper)
- Enable bandwidth-manager by default for new deployments (#13535, @qmonnet)
- Envoy proxy is updated to release 1.16.2 (#14680, @jrajahalme)
- Envoy use of original source address in upstream connections is disabled when datapath is tunneling. (#14594, @jrajahalme)
- examples: remove obsolete Mesos example (#15377, @tklauser)
- Expose more syslog options (#15545, @jaffcheng)
- Extend cilium-operator binary to be used as command line tool (#14484, @fristonio)
- helm: add ca.crt to tls secrets (#15443, @kaworu)
- helm: consolidate IPSec and Wireguard encryption options (#15809, @jibi)
- helm: move IPSec options under encryption.ipsec (#15846, @jibi)
- helm: Replaced object-based extraArgs with array-based (#15233, @D1abloRUS)
- Helm: Using external serviceAccounts is now possible. (#14731, @youssefazrak)
- Honor `allocateLoadBalancerNodePorts` in Kubernetes LoadBalancer service spec. (#14465, @fristonio)
- Hubble logs for HTTP responses now include HTTP response headers. (Backport PR #16150, Upstream PR #16013, @jrajahalme)
- Hubble-ui now supports imagePullSecrets being passed in (#15109, @domgoodwin)
- hubble/metrics: Add support for fallback labels, ip addresses and dns names (#14848, @gandro)
- hubble: Add a flag to write Hubble events to a rotated file (#15557, @michi-covalent)
- Hubble: add GetNodes rpc endpoint (#13979, @rolinh)
- hubble: Add node name filter (#13938, @twpayne)
- hubble: Add recorder API (#15680, @gandro)
- hubble: add separate API to get agent and debug events (#15715, @tklauser)
- hubble: Add support for Cilium debug events (#14602, @gandro)
- hubble: allow filtering by agent event subtypes (#14305, @tklauser)
- hubble: distinguish AUDIT policy verdict from FORWARDED (#14923, @jaffcheng)
- hubble: Extend IP filter to support CIDR ranges (#14316, @michi-covalent)
- hubble: Support for debug capture events (#14432, @gandro)
- images: Bump Hubble CLI to v0.8.0 (Backport PR #16049, Upstream PR #15983, @gandro)
- Improve scalability by reducing number of CEP watch events (#15230, @Weil0ng)
- install: Disable kube-proxy-replacement by default (Backport PR #16150, Upstream PR #15422, @tgraf)
- iptables: add support for NOTRACK rules for pod to pod traffic (#15264, @jibi)
- iptables: relax no CT rules to match all pod traffic (#15467, @jibi)
- Istio integration is updated to Istio release 1.8.2. (#14704, @jrajahalme)
- k8s: add support for ipFamilies to services (#14914, @fristonio)
- kubectl: print additional information for CiliumIdentities (#14496, @elfadel)
- maglev: Parallelize calculation of permutations (#14597, @brb)
- Make Cilium the only CNI configuration available in the host to avoid pods from being managed by other CNIs while performing Cilium upgrades. (#14192, @aanm)
- Merge monitor API types EndpointDeleteNotification and EndpointCreateNotification into type EndpointNotification (#14126, @tklauser)
- Minor README updates (#15372, @tgraf)
- node-neigh: Locking, logging, misc improvements (Backport PR #16049, Upstream PR #15783, @brb)
- operator: added --pprof flag/endpoint (#14903, @mvisonneau)
- Remove deprecated v1.10 options (#14291, @jibi)
- Remove legacy flannel integration (#15786, @tgraf)
- Remove some obsolete documentation (#15370, @tgraf)
- Remove the unused container runtime status and DNS poller names properties from Cilium API. (#14590, @tklauser)
- Report events that are lost in Hubble's ring buffer. (#14307, @rolinh)
- set cilium agent only run on linux nodes (#14495, @answer1991)
- Store the previous Cilium's configuration options in the host (Backport PR #16103, Upstream PR #16017, @aanm)
- Support host policies with per-endpoint routes (#15217, @pchaigno)
- Tag ENIs at creation time (#14500, @ungureanuvladvictor)
- TCP flags based filter for hubble. (#13826, @nyrahul)
- Updates & clarifications to Governance Rules (#15325, @tgraf)
- wireguard: Add pod2pod encryption support in tunnel mode and fix IPv6 for direct routing mode (#15716, @brb)
- wireguard: Add support for managed K8s (#15674, @gandro)
- wireguard: Set wireguard and route MTU to detected MTU (Backport PR #16103, Upstream PR #16020, @joamaki)
Bugfixes:
- Add iamRole option to eni in Helm chart values to allow using serviceaccounts for iam roles on cilium-operator (#14970, @bluestealth)
- Avoid exposing full Cilium API in LB-only mode (#14098, @christarazi)
- cilium: Encryption EKS 4.14 kernel (default) fixes (Backport PR #16049, Upstream PR #15867, @jrfastab)
- daemon, config: regenerate endpoint datapath on agent config change (#13971, @jaffcheng)
- daemon/ipam: correct total IP count in `cilium status` output (#15707, @ArthurChiao)
- daemon: require BPF masq to enable --install-no-conntrack-iptables-rules (Backport PR #16210, Upstream PR #16085, @jibi)
- Decrease verbosity of error "Unable to update ipcache map entry on pod add" for certain conditions (#15757, @aanm)
- Drop a `@` in clustermesh-apiserver helm chart (Backport PR #16049, Upstream PR #15934, @anthr76)
- encryption: Limit encryption keys to 2 bits (#15335, @tgraf)
- eni: Fix Cilium overallocating network interfaces (Backport PR #16049, Upstream PR #15911, @gandro)
- Envoy is updated to release 1.17.3 (Backport PR #16150, Upstream PR #16102, @jrajahalme)
- Fix 5.10+ complexity issue with `kubeProxyReplacement=disabled` (Backport PR #16150, Upstream PR #16084, @pchaigno)
- Fix aws-cni integration where pods were not being scheduled (Backport PR #16049, Upstream PR #15915, @aanm)
- Fix backwards compatibility of status API (#15143, @tgraf)
- Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (Backport PR #16103, Upstream PR #16057, @christarazi)
- Fix ICMP Echo ID placement in CT maps (#15275, @brb)
- Fix rounding behavior when specifying a capacity for Hubble's buffer. (#13894, @rolinh)
- Helm: Respect serviceAccounts.*.create value (#14711, @youssefazrak)
- hubble: Fix numeric identity lookup for FQDN identities (#14477, @gandro)
- ipam/aws: fixed a bug causing the operator to hang indefinitely when the ENI limits for an instance type could not be determined (#14905, @mvisonneau)
- ipam/aws: updated EC2 instances ENI limits and added a helper function to make it easier to do so in the future (#14906, @mvisonneau)
- kvstore: Fix aborted delayed delete warning (#15409, @tgraf)
- lib/proxy.h: set variable as maybe unused to avoid compilation error (#15607, @johngv2)
- nat: Do not increment delete error metric on nat entry GC (#15587, @joamaki)
- operator: release leader lease lock on operator exit (#14554, @fristonio)
- service: Restore Maglev table when M changes (#14469, @brb)
- Treat empty NetworkPolicyPort as "all ports on TCP" during network policy parsing (#14720, @mattfenwick)
- ui envoy: fix config to keep grpc conn (Backport PR #16049, Upstream PR #15938, @geakstr)
- Use new metric names for cilium-operator dashboard (#14507, @ungureanuvladvictor)
- Wait for endpoints to be stopped on agent shutdown (#15447, @jaffcheng)
- wireguard: Fix traffic counters in `cilium debuginfo` (Backport PR #16210, Upstream PR #16178, @gandro)
CI Changes:
- .github, bpf: Update reference to cilium-checkpatch image (#14700, @pchaigno)
- .github/workflows: remove `go version` commands from golangci-lint job (#15238, @tklauser)
- .github: fix kind GH action for encryption e2e tests (#15731, @aanm)
- .travis: Disable email notifications on master failures (#15373, @pchaigno)
- .travis: fail Travis if race detection builds also fail (#15199, @aanm)
- (#15659, @Ankurk99)
- (#15796, @michi-covalent)
- Add 'nilness' to golangci (#14066, @joestringer)
- Add CIIntegrationEKSENI CNI integration for ENI IPAM on EKS (#14423, @ungureanuvladvictor)
- Add cyclonus network policy tester. (#14889, @mattfenwick)
- bpf: Fix compilation of bpf_ct_tests (#14862, @pchaigno)
- ci-gke: Add -v=6 for `kubectl get pods` (Backport PR #16049, Upstream PR #15994, @michi-covalent)
- ci/wireguard: Ensure allowedIPs are set as expected (Backport PR #16049, Upstream PR #16011, @gandro)
- ci: add AKS workflow (#15466, @nbusseneau)
- ci: add CodeQL analysis (#14514, @twpayne)
- ci: add EKS workflow (#15465, @nbusseneau)
- ci: add gke workflow (#15416, @nebril)
- ci: Add quarantine capabilities to k8s-all jenkinsfile (#14150, @nebril)
- ci: Bump vagrant boxes (#14982, @gandro)
- ci: change manifest path for perf test (#14183, @nebril)
- ci: Check gke cluster state before selecting it (#14130, @nebril)
- ci: Fix `BGP router does not have route for LB IP` (#15771, @gandro)
- ci: fix checking for pr git sha in jenkinsfiles (#15007, @nebril)
- ci: Fix local files chmod in test vagrantfile (#15397, @nebril)
- ci: fix nightly image (#14170, @nebril)
- ci: Fix nightly image (#15605, @nebril)
- ci: fix nightly image sha (#15708, @nebril)
- ci: fix/update GKE workflow (#15482, @nbusseneau)
- ci: offload baremetal "K8s all" builds to sub-jobs (#14861, @nbusseneau)
- ci: push cilium-test image to quay.io, use it in nightly (#15569, @nebril)
- ci: push cilium-test-dev image to quay, accept tags in the test script (#14169, @nebril)
- ci: retry gke cluster scale up, don't clear cluster at start (#14819, @nebril)
- ci: skip gke clusters with ongoing operations (#14348, @nebril)
- ci: use host images in master job (#14311, @nebril)
- ci: use host kubectl in k8s-all (#14302, @nebril)
- ci: Use images built on host in k8s-all job (#14292, @nebril)
- ci: use images from quay.io (#14937, @nebril)
- ci: use separate Jenkins jobs for daily master tests + CI documentation overhaul (#14997, @nbusseneau)
- ci: wait for quay images and boot vms in parallel (#15300, @nebril)
- cilium: Add workflows for GKE in tunnel mode, with and without encryption (#15678, @jrfastab)
- cilium: test encryption workflows for GKE (#15595, @jrfastab)
- cilium: Use build-and-push-with-qemu for builder (#15679, @jrfastab)
- connectivity-check: Reduce chances of port conflict with proxy (Backport PR #16049, Upstream PR #15988, @pchaigno)
- contrib: Add integration testing shell helpers (#14404, @joestringer)
- daemon: Do not attach bpf_host to L3 dev if skb_change_head is unavailable (#15343, @brb)
- docs: Update trigger phrase for Cilium-PR-Ginkgo-Tests-Kernel-Focus (#14849, @pchaigno)
- DualStack kubernetes based IPv6 testing for Cilium (#14461, @fristonio)
- e2e: Make ginkgo default to verbose mode (#15184, @qmonnet)
- Enable identity + cli + health e2e tests on EKS (#14519, @ungureanuvladvictor)
- jenkinsfile: Increase timeout for k8s-all tests (#14583, @pchaigno)
- jenkinsfiles: fix race detector pipelines (Backport PR #16103, Upstream PR #16056, @nbusseneau)
- jenkinsfiles: remove unused environment variables (#15125, @aanm)
- labelsfilter: Fix test for default filters (#15024, @pchaigno)
- node-neigh: Fix unit test flake (Backport PR #16150, Upstream PR #16072, @brb)
- Remove docker-compose leftovers (#14426, @tklauser)
- Remove unused jenkinsfiles (#15578, @aanm)
- Removed unnecessarily redundant static analysis in CI to streamline CI running times. (#14400, @nathanjsweet)
- Revert "ci: push cilium-test image to quay.io, use it in nightly" (#15574, @pchaigno)
- Revert "refactor: Remove `time.After` from any Loops" (#14371, @tklauser)
- run bpf_ct_tests as part of CI (#14916, @kkourt)
- test/gke: use correct cluster IPv4 CIDR (#15346, @jibi)
- test/helpers: fix GetBPFPacketsCount (#14663, @jibi)
- test/helpers: remove unused functions and consts (#15241, @tklauser)
- test/helpers: Support non-standard nodes names with NO_CILIUM_ON_NODE (#15384, @christarazi)
- test/k8sT/manifests: use image hash with cilium-builder image (#13982, @tklauser)
- test/provision: adjust Dockerfiles considered for image download (#15389, @tklauser)
- test/runtime: Wait for endpoints to be ready before querying by labels (Backport PR #16049, Upstream PR #15990, @pchaigno)
- test: 5.4 CI job (Backport PR #16049, Upstream PR #15765, @pchaigno)
- test: add e2e tests for fromEntities: cluster and all (#15398, @chez-shanpu)
- test: add iptables masquerading without random-fully test (#14476, @jibi)
- test: add nil check to CiliumReport to prevent segfaults (#14210, @nebril)
- test: Allow hostfw tests to run on GKE (#15479, @pchaigno)
- test: Always select nodes by label (#14867, @pchaigno)
- test: change access of go dir in test vm (#15265, @nebril)
- test: CI pipeline with kube-proxy running alongside our replacement (#14543, @pchaigno)
- test: Collect object file artifacts for K8sVerifier (#14129, @pchaigno)
- test: disable fqdn connectivity test during restart (#13930, @tklauser)
- test: Disable host firewall in incompatible tests (#14545, @pchaigno)
- test: Disable K8sVerifier on 4.19 and net-next CI pipelines (#14162, @pchaigno)
- test: Disable unsupported features on 4.9 to reduce warnings (#15001, @pchaigno)
- test: Extend coverage for host policies enforcement (#14822, @pchaigno)
- test: Extend the clusterIP tests with policy (Backport PR #16049, Upstream PR #15928, @aditighag)
- test: Fix flake in ValidateEndpointsAreCorrect (Backport PR #16103, Upstream PR #16068, @pchaigno)
- test: Fix fragment tracking test on GKE (Backport PR #16049, Upstream PR #15959, @pchaigno)
- test: Fix incorrect uninstall in K8sBandwidth (Backport PR #16210, Upstream PR #16053, @pchaigno)
- test: Fix kube-proxy service tests when running with socket-level LB (#14699, @pchaigno)
- test: Fix local tests (#15130, @pchaigno)
- test: Fix the search for VIPs in `cilium service list` (Backport PR #16049, Upstream PR #15968, @pchaigno)
- test: K8sUpdates: Remove deprecated code (#15349, @pchaigno)
- test: Make Wireguard tcpdump filter more fine grained (#15507, @brb)
- test: Mark GKE CI pipeline as running Linux 4.19 (#14639, @pchaigno)
- test: Misc improvements (Backport PR #16210, Upstream PR #16064, @pchaigno)
- test: Move RuntimeCLI to K8sCLI (#14017, @pchaigno)
- test: quarantine failing NodePort tests on 1.14 (#15415, @nebril)
- test: Quarantine flakes from k8s-all CI pipeline (#14151, @pchaigno)
- test: quarantine flaking datapathconfig tests on 1.17 (#14188, @nebril)
- test: Quarantine K8sUpdates on GKE (#13899, @pchaigno)
- test: quarantine K8sVerifier on k8s-all (#14409, @nebril)
- test: Quarantine test with secondary NodePort device (#15003, @pchaigno)
- test: Reduce build durations (#14223, @pchaigno)
- test: Reenable debug mode for monitor tests (#15127, @pchaigno)
- test: remove leftovers of running own registry in GKE tests (#15124, @tklauser)
- test: Remove spammy "Cilium DaemonSet not ready yet" logs (#14544, @pchaigno)
- test: Respect cilium.holdEnvironment on Cilium status check (#15219, @pchaigno)
- test: Respect cilium.holdEnvironment on DNS check (#14695, @pchaigno)
- test: Run WG with per-endpoint routes (Backport PR #16049, Upstream PR #15906, @brb)
- test: set kubeProxyReplacement=probe for upstream k8s tests (Backport PR #16150, Upstream PR #16162, @aanm)
- test: Un-Quarantine K8sUpdates on GKE (#14464, @gandro)
- test: Uncouple KPR from presence of kube-proxy (#15543, @pchaigno)
- test: Unquarantine K8sUpdates under GKE (#13793, @pchaigno)
- test: Unquarantine K8sVerifier on k8s-all (#15154, @pchaigno)
- test: Unquarantine the random-fully test (#15205, @pchaigno)
- test: Unquarantine tunneling + endpoint routes test (#15152, @pchaigno)
- test: update k8s testing versions to 1.18.18, 1.19.10 and 1.20.6 (#15755, @aanm)
- test: Use node labels when testing host policies (#15714, @pchaigno)
- test: Use stable tags instead of :latest (#14093, @pchaigno)
- test: Wait for cilium monitor to match expected output (#15848, @pchaigno)
- vagrant: bump all box versions (#14274, @jibi)
- vagrant: Bump all Vagrant box versions (#14167, @pchaigno)
- vagrant: Bump all Vagrant box versions (#15772, @pchaigno)
- vagrant: Bump all Vagrant box versions (#15812, @pchaigno)
- vagrant: Upgrade Vagrant box versions (#15356, @aditighag)
- wireguard: Add pod2pod encryption tests (#15573, @brb)
- wireguard: Fix timeout in unit test (Backport PR #16049, Upstream PR #16001, @gandro)
- workflows: add encryption for AKS testing (#15657, @nbusseneau)
- workflows: add multicluster CI 3.0 workflow (#15710, @nbusseneau)
- workflows: fix EKS encryption testing not using aws operator image (#15745, @nbusseneau)
- workflows: fix GKE `if` condition (#15788, @nbusseneau)
- workflows: fix schedule triggers (#15813, @nbusseneau)
- workflows: improvements to CI 3.0 workflows (#15694, @nbusseneau)
- workflows: increase multicluster timeout to 30 minutes (#15811, @nbusseneau)
- workflows: small fixes to Kind (#15658, @nbusseneau)
Misc Changes:
- .dockerignore: add *.box files (#14045, @kkourt)
- .github: add GitHub actions to build images (#14917, @aanm)
- .github: Bump project for 1.9.0-rc4 (#13880, @joestringer)
- .github: change dependabot interval to daily (#15651, @aanm)
- .github: change step order (#14703, @aanm)
- .github: checkout right SHA for base images (#15069, @aanm)
- .github: Don't mark good-first-issues as stale (#14908, @pchaigno)
- .github: Fix cilium project management for v1.9 (#14065, @joestringer)
- .github: fix correct sha for images build (#15065, @aanm)
- .github: fix markdown typo (#15792, @aanm)
- .github: publish tags from master branch in official repositories (#15078, @aanm)
- .github: set :latest tag for merges into master branch (#14933, @aanm)
- .github: set different workflow IDs (#14932, @aanm)
- .github: update GH actions on stable branches (#15208, @aanm)
- .github: update release process (#14672, @aanm)
- .github: update steps for the release process of a RC (#15319, @aanm)
- .github: update v1.9 cilium-actions project number (#14683, @aanm)
- .github: use quay.io images in smoke tests (#15005, @aanm)
- .gitignore: add .vscode/ directory (#14664, @ti-mo)
- (#15113, @TrevorTaoARM)
- Add ability to mock kernel feature prober and expand BPF map tests (#14876, @christarazi)
- Add arm64 support for the connectivity test (Backport PR #15919, Upstream PR #15894, @aanm)
- Add custom resource for egress nat policies (#14998, @MasterZ40)
- Add dev-docker-operator-image makefile directive (#14387, @ungureanuvladvictor)
- add doc for AlibabaCloud ENI (#15512, @l1b0k)
- Add ebpf map cilium_egress_v4 for egress gateway (#14712, @anfernee)
- Add fuzzer with OSS-fuzz build script (#14202, @AdamKorcz)
- add GH action to push hot fix images into -dev repositories (#15061, @aanm)
- Add hubble relay docker images + fix k8s version for eks in contrib testing script (#14478, @ungureanuvladvictor)
- Add multi-arch support to all images (#15023, @aanm)
- add support for EndpointSlice V1 (#15524, @aanm)
- Add support to enable EndpointStatus in Helm chart (#15844, @carloscastrojumo)
- Add TagSpecifications to ec2:CreateNetworkInterface only when len > 0 (#14571, @ungureanuvladvictor)
- Add tunnel mode config and egress gateway config params (#14723, @MasterZ40)
- Add warning log when host enable SELinux (#15414, @konghui)
- add_vagrant_box.sh: Fix download issue and update help message (#14553, @qmonnet)
- add_vagrant_box.sh: Fix incorrect vagrant box updates (#14527, @pchaigno)
- add_vagrant_box.sh: remove downloaded files after installing a VM image (#14686, @qmonnet)
- Added ArangoDB Oasis to USERS list (#14697, @ewoutp)
- Added build comment to oss-fuzz build file (#14856, @AdamKorcz)
- Added flag `proxy.prometheus.enabled` to helm chart for disabling service (#14688, @yuriydzobak)
- Added Tailor Brands to users (#14605, @liorrozen)
- Address #13894 nits (#13985, @jibi)
- Address shellcheck warnings in cni-(un)install.sh. (#14467, @ti-mo)
- Adds ipv6 support for local-router-ip (#15662, @Weil0ng)
- Adds pod annotation to manage iptables NOTRACK rules. (#13805, @Weil0ng)
- agent: Make intent of signaling channels clear and optimize memory (#14075, @aditighag)
- alignchecker: git should not ignore bpf_foo.o (#14046, @kkourt)
- all: bump Alpine base image to 3.13.1 and add meta image SHA256 sum (#14795, @rolinh)
- all: don't use the deprecated io/ioutil package (#15242, @tklauser)
- all: use UUIDv4 instead of UUIDv1 (#14351, @tklauser)
- allocator: Quieten local key allocation logging (#14804, @joestringer)
- api/hubble: Explicitly mark unused fields as reserved (#13809, @gandro)
- arp: Set deadline for each retry (#14651, @brb)
- Assign specific, unique ports for pprof (Agent, Operator, Hubble Relay) (#15441, @christarazi)
- AUTHORS: Update email (#15885, @jrajahalme)
- aws/eni/limits: lazily populate limits map (#15523, @tklauser)
- azure: Fix API rate limit test (#15493, @twpayne)
- bpf/lb: Skip service handling for ICMP packets (#12552, @pchaigno)
- bpf: allow prefix of /32 and /128 in RSS src CIDR (#14367, @borkmann)
- bpf: Comment BPF hook points, some tail calls, and local delivery code (#15204, @pchaigno)
- bpf: datapath: Fix fetching configured base devices (#14456, @mrostecki)
- bpf: datapath: Rewrite base devices setup in Go (#13915, @mrostecki)
- bpf: fix health cilium_ipip6 collect_md mode (#15281, @borkmann)
- bpf: fixes for host routing (#15240, @borkmann)
- bpf: initial pcap exporter for lb (#15376, @borkmann)
- bpf: lb pmtu discovery support (#14980, @borkmann)
- bpf: lift port restriction and allow l4 dnat in ipip (#15396, @borkmann)
- bpf: option for selecting DSR L4 DNAT method for IPIP (#15880, @borkmann)
- bpf: use LB addr as srcIP for outer hdr in DSR/IPIP (#14260, @borkmann)
- bpf: Use optimized memset in send_trace_notify (#14450, @pchaigno)
- bpf_host: declare variables in the beginning of the block (#15560, @johngv2)
- build(deps): bump actions/cache from v2 to v2.1.4 (#14880, @dependabot[bot])
- build(deps): bump actions/cache from v2.1.4 to v2.1.5 (#15666, @dependabot[bot])
- build(deps): bump actions/download-artifact from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9 (#15582, @dependabot[bot])
- build(deps): bump actions/setup-go from v1 to v2.1.3 (#14715, @dependabot[bot])
- build(deps): bump aws-actions/configure-aws-credentials from 1.5.8 to 1.5.9 (#16109, @dependabot[bot])
- build(deps): Bump aws-sdk-v2 to official releases (#14794, @sayboras)
- build(deps): bump docker/build-push-action from 4a531fa5a603bab87dfa56578bd82b28508c9547 to 2.3.0 (#15049, @dependabot[bot])
- build(deps): bump docker/build-push-action from 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a to 2.4.0 (#15586, @dependabot[bot])
- build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15918, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15941, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2 (#15600, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2a4b53665e15ce7d7049afb11ff1f70ff1610609 to 1.2.0 (#15862, @dependabot[bot])
- build(deps): bump docker/setup-qemu-action from 25f0500ff22e406f7191a2a8ba8cda16901ca018 to 1.1.0 (#15854, @dependabot[bot])
- build(deps): bump docker/setup-qemu-action from 6520a2d2cb6db42c90c297c8025839c98e531268 to 1.0.2 (#15585, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.0.0 to 1.1.0 (#14881, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.0 to 1.0.2 (#15139, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.2 to 1.0.3 (#15358, @dependabot[bot])
- build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.10 to 0.9.13 (#15050, @dependabot[bot])
- build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.5 to 0.5.6 (#14771, @dependabot[bot])
- build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.6 to 0.5.7 (#15412, @dependabot[bot])
- build(deps): bump github.com/containernetworking/cni from 0.8.0 to 0.8.1 (#14976, @dependabot[bot])
- build(deps): bump github.com/go-openapi/runtime from 0.19.24 to 0.19.26 (#14836, @dependabot[bot])
- build(deps): bump github.com/go-openapi/spec from 0.20.0 to 0.20.2 (#14832, @dependabot[bot])
- build(deps): bump github.com/go-openapi/strfmt from 0.19.11 to 0.20.0 (#14768, @dependabot[bot])
- build(deps): bump github.com/go-openapi/validate from 0.20.0 to 0.20.1 (#14823, @dependabot[bot])
- build(deps): bump github.com/google/uuid from 1.1.4 to 1.2.0 (#14855, @dependabot[bot])
- build(deps): bump github.com/onsi/gomega from 1.10.3 to 1.10.5 (#14833, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil from 2.20.4+incompatible to 2.20.9+incompatible (#14809, @dependabot[bot])
- build(deps): bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#14772, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from v2 to v2.4.0 (#14975, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from v2.5.0 to v2.5.1 (#15248, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 (#15552, @dependabot[bot])
- build(deps): bump helm/kind-action from v1.0.0 to v1.1.0 (#14716, @dependabot[bot])
- build(deps): bump jinja2 from 2.10.1 to 2.11.3 in /Documentation (#15407, @dependabot[bot])
- build(deps): bump k8s.io/apiextensions-apiserver from 0.20.1 to 0.20.2 (#14786, @dependabot[bot])
- build(deps): bump k8s.io/apimachinery from 0.20.1 to 0.20.2 (#14811, @dependabot[bot])
- build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.2 (#14810, @dependabot[bot])
- build(deps): bump k8s.io/code-generator from 0.20.1 to 0.20.2 (#14769, @dependabot[bot])
- build(deps): bump k8s.io/klog/v2 from 2.4.0 to 2.5.0 (#14824, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 (#16090, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 (#15247, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from v1.1.1 to v1.2.1 (#15571, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from v1.2.1 to v1.2.2 (#15684, @dependabot[bot])
- build(deps): bump pyyaml from 5.3.1 to 5.4 in /Documentation (#15473, @dependabot[bot])
- build(deps): bump Sibz/github-status-action from e92e9076ba64fe070b6f06221720fc647d82e90e to 1.1.5 (#15584, @dependabot[bot])
- build(deps): update actions/upload-artifact requirement to ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 (#15599, @dependabot[bot])
- build(deps): update docker/build-push-action requirement to 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a (#15138, @dependabot[bot])
- build(deps): update helm/kind-action requirement to v1.1.0 (#15279, @dependabot[bot])
- build: Minor fixes to .gitignore and docs (#13626, @twpayne)
- Bump alpine base image to 3.13.0 (#14718, @tklauser)
- Bump aws-go-sdk-v2 to v0.30.0 (#14460, @ungureanuvladvictor)
- Bump aws-go-sdk-v2 to v0.31.0 (#14490, @ungureanuvladvictor)
- Bump gops to 0.3.16 (#15213, @tklauser)
- Bump hubble UI version and pinned digest for envoy proxy (#15889, @aanm)
- Bump vendored dependencies (#14572, @tklauser)
- Bump vendored dependencies (part 2) (#14606, @tklauser)
- bwm: queue mapping & cong fixes (Backport PR #16049, Upstream PR #15964, @borkmann)
- Centralize building of the aws.Config object (#14048, @ungureanuvladvictor)
- Check whether to setup proxy rules when init bpf (#14542, @ChangyuWang)
- ci/dependabot: fix labels (#14773, @rolinh)
- ci/docker: Add operator dir into Dockerfile.dockerignore (#14069, @sayboras)
- ci: Add initial dependabot configuration (#14694, @twpayne)
- ci: build race-detection images in GH actions (#14979, @nebril)
- CI: fix cron values for CodeQL analysis (#14575, @twpayne)
- ci: only run CodeQL analysis on cilium/cilium (#14633, @twpayne)
- ci: only run Nightly workflows on cilium/cilium (#14612, @kaworu)
- cilium/cmd, vendor: use github.com/russross/blackfriday/v2 (#14261, @tklauser)
- cilium/cmd: don't write copyright header in generated shell completion (#15845, @tklauser)
- cilium/cmd: Fix skipping of .git directories (#13760, @twpayne)
- cilium/cmd: mark tests as unprivileged (#13933, @tklauser)
- cilium/cmd: remove unnecessary parseLabels func (#13988, @tklauser)
- cilium/cmd: Replace exit code -1 with exit code 1 (#13761, @twpayne)
- cilium: Drop encryption with tunnel support beta tag (#13801, @jrfastab)
- cilium: error out in svc upsert on frontend/backend ports mismatch on IPIP (#14372, @borkmann)
- cilium: pcap recorder agent management (#15633, @borkmann)
- cilium: pcap recorder follow ups (#15782, @borkmann)
- cilium: Use strings, not byte slices, for JSON dumps (#14041, @twpayne)
- Clarify description of IPSec configuration format and encryption options (#14760, @Andrey9kin)
- cleanup/unused: Remove un-used code in codebase (#14113, @sayboras)
- cli: Add LB IP to cilium status (#14445, @brb)
- cli: Rename kpr Protocols status field (#14977, @brb)
- coccinelle: update to python3 (#14522, @kaworu)
- CODEOWNERS: Add @cilium/wireguard for pkg/wireguard (#15618, @brb)
- CODEOWNERS: add daemon/cmd/kube_proxy_* and pkg/bandwidth (#13818, @tklauser)
- CODEOWNERS: add maintainers to be codeowners of .github (#15925, @aanm)
- CODEOWNERS: Add pkg/bgp (#15663, @christarazi)
- CODEOWNERS: Add pkg/maglev to @cilium/loadbalancer (#14603, @brb)
- CODEOWNERS: Assign tools/ to cilium/contributing (#14433, @pchaigno)
- CODEOWNERS: Assign Travis files to ci-structure team (#15173, @pchaigno)
- CODEOWNERS: Create cilium/alibabacloud team (#15665, @l1b0k)
- CODEOWNERS: Create cilium/loader team (#15451, @pchaigno)
- CODEOWNERS: Remove @cilium/monitor team (#15368, @pchaigno)
- CODEOWNERS: Remove docs-structure review from helm (#14965, @joestringer)
- CODEOWNERS: Split codeowners for the documentation (#14076, @pchaigno)
- CODEOWNERS: Split test/ code owners (#14244, @pchaigno)
- CODEOWNERS: Update required reviews (#15009, @pchaigno)
- Complete kube-router documentation by mentioning that "ipam: kubernetes" should be used (#14161, @manuelbuil)
- Consistently use structured logging for errors (#13814, @tklauser)
- Consolidate ec2 client create call (#14121, @ungureanuvladvictor)
- contrib/k8s: Add 'nsexec' script to run commands in the network namespace of a POD (#14361, @jrajahalme)
- contrib: add dual-stack support for dev VMs (#15827, @aanm)
- contrib: Convert consolidate_go_stacktrace.py to python3 (#15140, @brb)
- contrib: Ensure release tag is upstream before push (Backport PR #15919, Upstream PR #15903, @joestringer)
- contrib: Fix scripts for v1.10 (Backport PR #15919, Upstream PR #15898, @joestringer)
- contrib: Make upstream commit check more generic (Backport PR #16210, Upstream PR #16160, @joestringer)
- Convert AWS API calls to use paginators (#14491, @ungureanuvladvictor)
- crypto/certloader: fix tests comparing crypto/x509.CertPool for Go 1.16 (#14789, @tklauser)
- custom calls: cleanup and improve a few elements (#15480, @qmonnet)
- daemon: Add hidden --cflags debug command (#15549, @joestringer)
- daemon: Avoid blocking datapath on node discovery (#14670, @pchaigno)
- daemon: Create RuntimePath if not equal to StateDir (#15711, @oblazek)
- daemon: don't install cilium-node-monitor symlink (#15054, @tklauser)
- daemon: Fatal on XDP + egress gateway (#15511, @pchaigno)
- daemon: log errors from bpf.TestDummyProg() (#15460, @rgo3)
- daemon: Make Hubble Recorder API opt-out (#15781, @gandro)
- daemon: Remove unnecessary log (#15776, @christarazi)
- daemon: Turn on policy debug logging if Cilium is started with --debug (#14352, @jrajahalme)
- daemon_main: fix comments error (#14194, @lrouter)
- datapath/iptables: de-duplicate program argument construction (#14007, @tklauser)
- datapath/linux/arp: avoid leaking sock fd if unix.SetNonblock fails in func listen (#15646, @tklauser)
- datapath/linux/probes: remove unused (*ProbeManager).GetMisc (#15647, @tklauser)
- datapath/linux: Fix clang version regex check (#14742, @christarazi)
- datapath/loader: fix privileged test build (#14335, @tklauser)
- datapath: always generate BTF debug information (#14166, @jibi)
- datapath: migrate off j-keck/arping (#13112, @vladdy)
- datapath: Move XDP handling from bpf/init.sh to agent (#15497, @brb)
- datapath: Remove IPV{4,6}_NODEPORT (#14431, @brb)
- datapath: Use SHA256 instead of SHA1 for datapath hash (#14279, @twpayne)
- dependabot: disable automatic rebasing of PRs (#14826, @tklauser)
- dependabot: Fix labels (#14717, @pchaigno)
- dependabot: ignore ginkgo updates (#14821, @tklauser)
- dependabot: ignore grpc and miekg/dns updates (#14790, @tklauser)
- dependabot: limit number of open PRs to 1 (#14837, @tklauser)
- dev-doctor: Add --backporting flag for backporters (#14016, @twpayne)
- dev-doctor: Add Helm check (#14001, @twpayne)
- dev-doctor: Add more checks (#14229, @twpayne)
- distinguish between FIN and RST on datapath (#14097, @kkourt)
- doc/encryption: improve consistency between ipsec and wireguard guides (Backport PR #16049, Upstream PR #15965, @rolinh)
- doc: Add Egress Gateway Getting Started Guide (#15661, @MasterZ40)
- doc: Add K8S flag to the example to add worker nodes (#14682, @aditighag)
- Doc: Add note to open tcp:4244 for Hubble Relay (#14758, @youssefazrak)
- doc: Update AUTHORS file (#14719, @kaworu)
- doc: update Hubble/Hubble Relay guides for recent CLI changes (Backport PR #16049, Upstream PR #15981, @rolinh)
- docker: bump cilium-iproute2 image (#14258, @jibi)
- Docker: Multi-arch & cross-compile build with docker buildx (#14208, @jrajahalme)
- docker: Pre-pull images correctly (#14759, @jrajahalme)
- Dockerfile image build process follow-ups (#15110, @aanm)
- Dockerfile: use alpine 3.12 (Backport PR #16049, Upstream PR #15950, @aanm)
- Dockerfiles: quote FROM images if they contain 'sha256' (#14887, @aanm)
- docs, gsg: add link to plumbers talk on service lb mechanisms (Backport PR #16210, Upstream PR #16171, @borkmann)
- docs, gsg: minor edits to kpr guide and note on hybrid use (Backport PR #16210, Upstream PR #16169, @borkmann)
- docs/contrib: Clarify the options for the Vagrant setup (#15835, @pchaigno)
- docs/encryption: Document limitations and workarounds (#15876, @gandro)
- docs/ipsec: misc improvements (Backport PR #16103, Upstream PR #15978, @kaworu)
- docs/release: add step to update dashboards to grafana.com (#14312, @aanm)
- docs/vagrant: Remove reference of libvirt to avoid confusion (#13745, @sayboras)
- docs: add 'endpointRoutes.enabled=true' to aws-cni (Backport PR #16103, Upstream PR #16045, @bmcustodio)
- docs: Add az login command to AKS getting started guide (#13926, @twpayne)
- docs: Add BGP GSG (#15519, @christarazi)
- docs: Add caveat for OpenShift (Backport PR #16210, Upstream PR #16161, @christarazi)
- docs: add cilium-operator technical overview documentation (#14530, @fristonio)
- docs: add ids to the list of special identities (Backport PR #16150, Upstream PR #16123, @bmcustodio)
- docs: Add info about Envoy smoke test (#14359, @jrajahalme)
- docs: add information about ConfigMap updates (Backport PR #16210, Upstream PR #16141, @aanm)
- docs: Add link from EKS mode to ec2 privileges (#14515, @joestringer)
- docs: Add missing Jobs to the Jenkins Trigger Phrases table (#14199, @kaworu)
- docs: Add note about DNS-related policies on OpenShift (Backport PR #16150, Upstream PR #16083, @twpayne)
- docs: Add section for filtering by subnet tags in ENI mode (#15635, @christarazi)
- docs: Add Wireguard Getting Started Guide (#15787, @gandro)
- docs: Advise running ginkgo in verbose for e2e tests (#15060, @pchaigno)
- docs: clarify janitor duties (#14127, @jibi)
- docs: Clarify that empty endpoint selectors implicitly limit to namespace (#14580, @twpayne)
- docs: clustermesh: fix output of "cilium clustermesh status" command (Backport PR #16049, Upstream PR #15982, @jibi)
- docs: document final steps for nomination of new committers (#15378, @qmonnet)
- docs: Document update-cmdref make target usage (#14925, @nebril)
- docs: example cluster-wide health endpoint (#15348, @Shikugawa)
- docs: Expand triage description (#14235, @joestringer)
- docs: Fix commands to build dev. docker images (#15231, @pchaigno)
- docs: Fix egress gateway getting started guide (Backport PR #16049, Upstream PR #15984, @gandro)
- docs: Fix ginkgo commands for e2e tests in GKE/EKS (#15223, @pchaigno)
- docs: Fix hint for updating cmdref (#13795, @brb)
- docs: Fix invalid link for BPF Newsletter (#15746, @LiangZhou-CTY)
- docs: Fix link formatting to builder/runtime images (#14421, @joestringer)
- docs: fix llvm git repo and clang folder (#14812, @fnzv)
- docs: Fix pip installation (#15705, @brb)
- docs: Fix sed in OKD GSG (#15822, @christarazi)
- docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (Backport PR #16049, Upstream PR #15963, @ti-mo)
- docs: improve and fix minor issues (Backport PR #16103, Upstream PR #15975, @qmonnet)
- docs: Improve DNS port documentation (#14144, @joestringer)
- docs: improve the aws-cni chaining page (Backport PR #16103, Upstream PR #15979, @bmcustodio)
- docs: Improve wording around Helm values in OKD GSG (Backport PR #16210, Upstream PR #16069, @errordeveloper)
- docs: Make cross-cluster policy more explicit (#15778, @jrajahalme)
- docs: Mention KUBEPROXY ENV var in e2e section (#15535, @brb)
- docs: minor improvements to tuning guide (Backport PR #16049, Upstream PR #16024, @borkmann)
- docs: Recommend use of backport scripts (#14011, @pchaigno)
- docs: Remove -noColor from ginkgo flags (#15224, @pchaigno)
- docs: Remove incorrect configuration advice for native routing (#15016, @cmacrae)
- docs: remove misplaced sentence from Quick Installation guide (Backport PR #16049, Upstream PR #15971, @lfundaro)
- docs: Rename priority/release-blocker to release-blocker/1.X (#14735, @pchaigno)
- docs: Some Wireguard improvements (Backport PR #16049, Upstream PR #16023, @brb)
- docs: tell how to deploy demo app in Hubble CLI guide (Backport PR #16049, Upstream PR #15973, @lfundaro)
- docs: Tweak backporting doc (#15369, @twpayne)
- docs: update dependency table to add links and download command (#15055, @kaitoii11)
- docs: update OpenShift getting started guide (Backport PR #16103, Upstream PR #16006, @twpayne)
- docs: Update SIG-Datapath meeting time. (Backport PR #16103, Upstream PR #16027, @joestringer)
- docs: Update testing docs with instructions to run specific tests (#14108, @aditighag)
- docs: Updates steps when using submit-backport (#14799, @pchaigno)
- docs: use dedicated Sphinx role to reference GitHub issue (#15814, @qmonnet)
- Documentation: update iproute2 git URL in bpf.rst (#15207, @dmitris)
- Documentation: Update list of Jenkins jobs (#14592, @twpayne)
- Drop GODEBUG='madvdontneed=1' setting with Go 1.16 (#15076, @tklauser)
- ebpf: delete existing pinned map if incompatible with the spec (Backport PR #16049, Upstream PR #15832, @jibi)
- Egress NAT control plane watchers and egress policy manager (#15134, @MasterZ40)
- Encryption docs update (Backport PR #16049, Upstream PR #14940, @aditighag)
- endpoint: Add named type for endpoint state (#15614, @ammmk)
- endpoint: Enhance policy map sync (#14370, @jrajahalme)
- endpoint: Fix typo in CT clean logic (#14137, @joestringer)
- endpoint: remove unused (*Endpoint).FinishIPVLANInit and depended on symbols (#14056, @tklauser)
- ENI migration followups (#15702, @christarazi)
- envoy: Update proxylib interface (#14560, @jrajahalme)
- envoy: use errors.Is(..., net.ErrClosed) instead of string matching (#15080, @tklauser)
- examples: Split host policies for dev. VMs (#15577, @pchaigno)
- Export and use agent event sub-types for Hubble (#14415, @tklauser)
- Extend endpoint related interfaces (#14743, @aditighag)
- Extend the monitor notification interface with endpoint id getter (#15391, @aditighag)
- Fix a typo in terminology documentation (#14181, @didier-durand)
- fix broken link on readme (#13981, @kaitoii11)
- Fix cilium typos (#14180, @twpayne)
- Fix encryption getting started guides for v1.10 (Backport PR #16049, Upstream PR #15961, @jibi)
- Fix error propagation in (*K8sWatcher).addK8sPodV1 (#14864, @tklauser)
- Fix integer conversions (#14561, @twpayne)
- Fix logging for expired FQDN IPs (Backport PR #16210, Upstream PR #16030, @youssefazrak)
- Fix rawgit links in README.rst (#14092, @vignesh-codes)
- Fix typo in grpc example (#14874, @teyuchang)
- Follow ups for host firewall support of endpoint routes (Backport PR #16103, Upstream PR #15942, @pchaigno)
- Fqdn: log misbehaving applications that do not respect DNS TTL (#14878, @youssefazrak)
- fqdn: Optimize KeepUniqueNames (#13920, @jrajahalme)
- fqdn: pass CIDR matcher to (*DNSZombieMappings).DumpAlive (#13990, @tklauser)
- gettingstarted: Corrected typos in memcached.rst (#15277, @unixdaddy)
- health: Disable routing in BPF when per-endpoint routes are enabled (#14741, @pchaigno)
- Helm: adjust comment in values.yaml to accommodate Vim users (#15334, @qmonnet)
- Helm: Allow enable-k8s-event-handover to be configured via Helm to control CNP Node status updates (#14555, @youssefazrak)
- hubble/parser/threefour: decode layers only if there is a packet (#14448, @tklauser)
- hubble/parser/threefour: ignore gopacket errors on unsupported layers (#14418, @tklauser)
- hubble: allow to filter agent events (#14242, @tklauser)
- hubble: Removal of legacy interfaces and minor cleanup of metrics (#14442, @gandro)
- hubble: Support --{last,since,until} on agent and debug events (#14739, @gandro)
- hubble: switch to google.golang.org/protobuf (#14635, @tklauser)
- images, vendor: update gops to 0.3.17 (#15299, @tklauser)
- images/cilium: set IMAGE_CROSS_TARGET_PLATFORM for right arch (#15074, @aanm)
- images/runtime: update ubuntu base image (#15615, @aanm)
- images: make update-golang-image.sh update hubble-proto Dockerfile (#14036, @kaworu)
- images: re-write README.md (#15108, @aanm)
- images: squash common operator images in a single Dockerfile (#15849, @aanm)
- Implement egress gateway datapath (#14830, @anfernee)
- Improve pod deletion resiliency (#14898, @joestringer)
- install/kubernetes: fix upgrade envoy to 1.18.2 for Hubble UI (#15879, @kaworu)
- install/kubernetes: remove quick-install from master branches (#15250, @aanm)
- install/kubernetes: set k8s min version manually (#14778, @aanm)
- install: Remove 1.9 RC workaround (#13863, @joestringer)
- iptables: GetProxyPort(): run iptables quietly (#15779, @kkourt)
- iptables: use CILIUM_* chains for per-endpoint no CT rules (#15411, @jibi)
- ipvlan: use github.com/cilium/ebpf to create map and load program (#14043, @tklauser)
- issue_14922: Fixed the 429 response code handling (Backport PR #15919, Upstream PR #15760, @Maddy007-maha)
- jenkinsfile: Remove stale symlinks (#14365, @pchaigno)
- k8s/api: More consistent field name capitalisation (#15521, @errordeveloper)
- k8s: Consolidate check for EndpointSlice support (#15561, @christarazi)
- k8s: Fix Wireguard with IPAM != ClusterPool (#15784, @gandro)
- k8s: Introduce subscriber package to simplify & consolidate K8s watcher callbacks / event handling (#15295, @christarazi)
- k8s: update k8s libraries to 1.19.4 (#14032, @aanm)
- k8s: update k8s libraries to 1.20.3 (#15030, @aanm)
- k8s: update k8s libraries to 1.20.4 (#15092, @aanm)
- k8s: Update libraries to v1.20.1 (#14481, @christarazi)
- kvstore: Fix event watcher serialization (#14101, @joestringer)
- lbmap: Add compile-time tests for interface satisfiability (#13868, @brb)
- loader : Log upsert and remove route errors (#15339, @h3llix)
- loader : Log upsert and remove route errors (#15525, @h3llix)
- maglev: Allocate permutations slice ahead of time (#14622, @christarazi)
- MAINTAINERS: update MAINTAINERS.md (#15603, @kaworu)
- make: add help target to root Makefile for printing info about available targets (#15087, @fristonio)
- make: Use buildkit for docker targets by default (#14714, @jrajahalme)
- make: Use consistent Docker tag for dev-docker-image (#14062, @pchaigno)
- Makefile: do not depend on TARGET for install-bash-completion (#15147, @aanm)
- Makefile: Fix microk8s image target (#15516, @joestringer)
- Makefile: Fix missing BASE_IMAGE in docker builds (#14967, @christarazi)
- Makefile: Remove microk8s prepull script (#14148, @joestringer)
- Makefile: Remove microk8s.registry dependency (#15157, @joestringer)
- Makefile: Simplify to run faster (#13939, @jrajahalme)
- Metrics: Add cilium_datapath_dump_resets for dump_interrupts count (#14888, @youssefazrak)
- Minor fixes for OKD GSG (Backport PR #16049, Upstream PR #16000, @errordeveloper)
- Misc. cleanups in hubble and monitor packages (#14103, @tklauser)
- Modified path of fuzzer (#14813, @AdamKorcz)
- monitor, vendor: bump github.com/cilium/ebpf to v0.3.0 (#14200, @tklauser)
- monitor: Display human-readable identities (#13601, @pchaigno)
- node-neigh: Avoid flooding the same next hop (Backport PR #16049, Upstream PR #15882, @brb)
- node/manager: remove unused *Manager methods (#15106, @tklauser)
- node: Remove SetInternalIPv4From Method (#15873, @nathanjsweet)
- Observer to ignore unhandled debug event types (#14589, @anfernee)
- operator: use logfields in cilium operator logging (#14548, @fristonio)
- Optimize Label.String() (#15089, @michi-covalent)
- pkg/client/client.go: Set EnabledProtocols when pointer is nil (#15688, @johngv2)
- pkg/datapath: ignore certain error types on route delete (#15730, @aanm)
- pkg/k8s/watchers follow-up for #14864 (#15004, @tklauser)
- pkg/k8s: fix concurrent access in CNP field (#15518, @aanm)
- pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors (Backport PR #16210, Upstream PR #16153, @aanm)
- pkg/k8s: remove unused code (#14376, @aanm)
- pkg/k8s: set the right api group for EndpointSlice (#15631, @aanm)
- pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (#14617, @gandro)
- pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (2) (#15091, @rolinh)
- pkg/logging: do not repeat klog messages on all levels (#14503, @aanm)
- pkg/rate: Make parsing of positive values more strict (#14536, @twpayne)
- pkg/sysctl: Sanitize parameter names (#14533, @twpayne)
- pkg: Use strings.Builder instead of bytes.Buffer where possible (#13759, @twpayne)
- policy: Fix typo in issue link (#15251, @joestringer)
- policy: improve CNP initial sync (#15492, @jaffcheng)
- policy: Suppress any policy map updates when updating redirects if keeping the current policy (#14356, @jrajahalme)
- Prepare branch for v1.10 release cycle (#15868, @joestringer)
- Prepare for 1.10.0 development (#13617, @aanm)
- Prepare helm charts for v1.10.0-rc0 (#15322, @aanm)
- Prepare v1.10.0-rc0 (#15318, @aanm)
- README: update security releases (#13977, @aanm)
- Refactor endpoint management (#14745, @joestringer)
- refactor: Remove time.After from any Loops (#14265, @nathanjsweet)
- refactor: Remove time.After from any Loops (#14380, @nathanjsweet)
- release: Automate image digest PR creation (#15818, @joestringer)
- Remove duplicated ruleLabels in DerivedFromRules (#15280, @aanm)
- Remove NEEDS_RELAX_VERIFIER (#15610, @rscampos)
- Remove references for old k8s version from tests (#14471, @fristonio)
- remove xtables.lock and privileged=true from node-local-dns example (#14319, @ghouscht)
- rename ciliumNodeInformer to ciliumEndpointsInformer according to the context (#15806, @sstoner)
- Replace remaining exit codes -1 with exit code 1 (#13798, @twpayne)
- Revert "azure, policy: Add JSON tags to CRD fields" (#15093, @aanm)
- Revert "Dockerfiles: quote FROM images if they contain 'sha256'" (#14897, @aanm)
- Revert "encryption: Limit encryption keys to 2 bits" (#15487, @brb)
- Revert "loader : Log upsert and remove route errors" (#15517, @nbusseneau)
- Revert accidentally introduced port change (#14328, @brandshaide)
- Revert exported NoTrack rule function names. (#15505, @Weil0ng)
- Simplify runtime/builder image update (#15326, @tklauser)
- Small updates to image build doc to make it a bit clearer (#15816, @Weil0ng)
- source: Reorder AllowSource switch Statement and Comment Nits (#15696, @nathanjsweet)
- stale-bot: stale PRs with assignees (#14364, @aanm)
- Stub out some functionality on non-Linux platforms (#15355, @joestringer)
- Switch metrics map to cilium/ebpf (#14582, @jibi)
- test/helpers: Allow ssh.InsecureIgnoreHostKey in test code (#14535, @twpayne)
- test/Makefile: fix registryCredentials typo (#14051, @kkourt)
- test/packet: Default download to /tmp (#14055, @pchaigno)
- test: Allow test VMs have swap (#14506, @jrajahalme)
- test: Disable the host firewall in incompatible tests (#14037, @pchaigno)
- test: get cilium pods inside background closure (#14057, @kkourt)
- test: Only wait for one operator instance to be ready (#14360, @jrajahalme)
- test: Remove nop condition from tests (#15541, @pchaigno)
- test: update add_vagrant_box.sh (#15831, @twpayne)
- test: update k8s tested versions (#15528, @aanm)
- test: update k8s to 1.20 (#14315, @aanm)
- test: update k8s to 1.21.0 (#15616, @aanm)
- tools: Add initial dev-doctor (#13772, @twpayne)
- treewide: bump copyright year to 2021 in generated files (#14573, @tklauser)
- ui deployment: upgrade envoy to 1.18.2, fix config (#15847, @geakstr)
- Update authors file (#13866, @joestringer)
- Update AWS deps (#15759, @ungureanuvladvictor)
- Update base images with most recent SHAs (Backport PR #15919, Upstream PR #15895, @aanm)
- Update CI infrastructure for v1.10 release (Backport PR #15919, Upstream PR #15947, @christarazi)
- Update CNI network plugin to 0.9.0 (#14620, @tklauser)
- Update EKS e2e testing docs (#14482, @ungureanuvladvictor)
- Update Go to 1.15.5 (#14013, @tklauser)
- Update Go to 1.15.6 (#14298, @tklauser)
- Update Go to 1.15.7 (#14662, @tklauser)
- Update Go to 1.15.8 (#14983, @tklauser)
- Update Go to 1.16 (#15068, @tklauser)
- Update Go to 1.16.1 (#15314, @tklauser)
- Update Go to 1.16.2 (#15344, @tklauser)
- Update Go to 1.16.3 (#15566, @tklauser)
- Update gops to v0.3.18 and build it statically linked (#15853, @tklauser)
- Update kube-router YAML to a newer release in the guide (#15639, @weirdwiz)
- Update release process (#15034, @aanm)
- Update stable releases (#13804, @christarazi)
- Update stable releases (#14282, @aanm)
- Update stable releases (#14671, @aanm)
- Update stable releases (#14706, @aanm)
- Update stable releases (#14763, @joestringer)
- Update stable releases (#14896, @christarazi)
- Update stable releases (#15018, @joestringer)
- Update stable releases (#15122, @joestringer)
- Update stable releases (#15313, @joestringer)
- Update stable releases (#15805, @joestringer)
- Update USERS.md (#14831, @imathu)
- Update weekly community meeting timeslot (Backport PR #16049, Upstream PR #15985, @joestringer)
- Updates golang:1.16.3 digest (#15790, @Weil0ng)
- Use go embed and remove go-bindata dependency (#15834, @aanm)
- Use logging pkg to setup cilium-cni logging (#14253, @ungureanuvladvictor)
- Use time.Truncate of more recent Go (#14493, @youssefazrak)
- Use toRawJson + quote for storing eniTags into Cilium configmap (#14499, @ungureanuvladvictor)
- Use vishvananda/netlink instead of net.Interface* (#15296, @anfernee)
- v1.10: Update Go to 1.16.4 (#16061, @tklauser)
- Vagrant Script: Detect colliding active virtualbox VMs and warn users (#14584, @vsk-coding)
- Vagrant: Add support for .devvmrc (#14272, @jrajahalme)
- vagrant: bump all box versions (#14632, @tklauser)
- vagrant: Bump all Vagrant box versions (#14024, @pchaigno)
- vagrant: bump box versions (#14736, @tklauser)
- vagrant: bump box versions (#15090, @tklauser)
- vagrant: bump box versions, again (#15129, @tklauser)
- vagrant: bump bpf-next vagrant box version (#14600, @borkmann)
- vagrant: Follow cilium-agent options on development VM to Helm defaults (#15367, @Shikugawa)
- vagrant: make restart.sh executable (#13625, @twpayne)
- Vagrantfile: Add support for SHARE_PARENT=2 (#14559, @jrajahalme)
- Various documentation / comments fixes and improvements (#14439, @kaworu)
- vendor: bump github.com/google/gopacket to v1.1.19 (#14472, @tklauser)
- vendor: bump github.com/vishvananda/netlink to latest master (Backport PR #16103, Upstream PR #16070, @tklauser)
- vendor: Bump gopkg.in/yaml.v2 to v2.4.0 (#14230, @twpayne)
- vendor: Bump to latest vishvananda/netlink (#15461, @joestringer)
- vendor: Pin github.com/optiopay/kafka to commit before fork (#15159, @christarazi)
- vendor: switch github.com/shirou/gopsutil to v3 (#15161, @tklauser)
- vendor: Update sigs.k8s.io/structured-merge-diff to v4.1.0 (#15488, @christarazi)
- vendor: update wireguard library (Backport PR #16103, Upstream PR #16066, @aanm)
- vendor: Upgrade github.com/cilium/ebpf to v0.5.0 (#15386, @aditighag)
- vendor: use github.com/blang/semver/v4 (#14327, @tklauser)
- wireguard: Better error message if kernel support is lacking (#15825, @gandro)
- wireguard: Fix rp_filter setting (#15542, @brb)
- wireguard: Improve logging (#15807, @brb)
- wireguard: Remove operator and disable KPR encryption (#15565, @brb)
Other Changes:
- install: Update image digests for v1.10.0-rc1 (#15904, @joestringer)
- install: Update image digests for v1.10.0-rc2 (#16174, @aanm)
- Prepare for release v1.10.0-rc1 (#15897, @joestringer)
- Prepare for release v1.10.0-rc2 (#16167, @aanm)
- workflows: fix image workflows for v1.10 (#16009, @nbusseneau)
Docker Manifests