helm/cilium/cilium 1.10.0

on Artifact Hub

We are pleased to announce Cilium v1.10.0. 🎉

The summary of changes below reflect the diff between the last stable release v1.9.7 and tag v1.10.0.

Blogpost announcement https://cilium.io/blog/2021/05/20/cilium-110

Summary of Changes

Major Changes:

• Add --datapath-mode=lb which allows cilium-agent to run as a standalone loadbalancer (#13670, @brb)
• Add AlibabaCloud Operator (#15160, @l1b0k)
• Add NodePort BPF support to L2-less devices (wireguard, tun, etc) (#14858, @brb)
• Add support for k8s 1.21 and set minimal k8s supported version to 1.16 (#15502, @aanm)
• Add the ability to masquerade IPv6 traffic when using iptables masquerading mode. This behavior can be enabled/disabled by using enable-ipv6-masquerade agent option. (#14124, @fristonio)
• Cilium now builds and installs on ARM64 machines. (#14207, @jrajahalme)
• doc: Add Code of Conduct (#15305, @tgraf)
• doc: Deprecate managed etcd mode (#15464, @tgraf)
• doc: New performance benchmarks and tuning guide (Backport PR #16049, Upstream PR #15943, @tgraf)
• Implement external IP (LoadBalancer) allocation & announcement via BGP for services (#15340, @christarazi)
• Integrate Wireguard for pod2pod encryption (#15383, @brb)
• Rework Quick & Helm Installation Guide (#15695, @tgraf)
• Update to Kubernetes 1.20 (#14248, @aanm)

Minor Changes:

• Add digest flags to specify docker images digests in helm charts (#15185, @aanm)
• Add helm option enableEgressGateway (#15777, @anfernee)
• Add metrics for identity garbage collection in cilium-operator (#14254, @ArthurChiao)
• Add new cilium_bpf_map_pressure metric measuring the fill-up ratio of selected BPF maps. (#14131, @jcaamano)
• Add startupProbe for Cilium-agent for faster readiness in Kubernetes >= 1.20 (#14518, @youssefazrak)
• Add support for agent events to Hubble API (#14168, @tklauser)
• Added --bpf-lb-bypass-fib-lookup flag, which toggles the BPF nodeport reverse NAT FIB lookup optimization (#14978, @skuffe)
• Adds an option to specify Cilium router device IP (#14800, @Weil0ng)
• Adds capability to filter events based on IP version. (#14556, @nyrahul)
• Agent: consistent 'containerID' field in the log of the requests EP-delete and EP-create (#14713, @romanspb80)
• agent: Silence some useless warnings (#15450, @tgraf)
• api/hubble: add AUDIT policy verdict (#14785, @jaffcheng)
• arp: Add retries to arping (#14601, @brb)
• AWS eni: Support Instance Metadata Service Version 2 (IMDSv2) (Backport PR #16210, Upstream PR #15828, @Smana)
• bpf: add LB ipip health check datapath (#14610, @borkmann)
• bpf: add option for RSS-friendly outer srcIP prefix w/ mixing for DSR (#14276, @borkmann)
• bpf: Adds support for drop IPv4 fragmented packet (#15733, @navarrothiago)
• bpf: bpf host routing for tunneling (#15148, @borkmann)
• Change default ENI property FirstInterfaceIndex to 0 and improve IPAM logic in ENI & Azure modes (#14801, @christarazi)
• CI 3.0: A New Hope (#15144, @tgraf)
• ci: Increase time limit from 15m to 30m (#15371, @tgraf)
• cilium/cmd: improve 'bpf metrics list' JSON output (#13731, @jibi)
• cilium: Add encryption mode to cilium status (#15833, @gandro)
• cleanup/metrics: Cleanup deprecated metrics (#13659, @sayboras)
• cni-(un)install: don't touch CNI dir if CILIUM_CUSTOM_CNI_CONF is set (#14910, @ti-mo)
• Consolidate kernel options probing and provide brief descriptions for missing parameters, in logs or for "cilium kernel-check". (#12383, @brandshaide)
• Create top level eni block for Helm values and add more options to it (#14470, @ungureanuvladvictor)
• custom calls: add new metrics to count skipped tail calls to custom programs (#15475, @qmonnet)
• daemon: add new option --allocator-list-timeout (#15538, @ArthurChiao)
• daemon: Add wildcard support to --devices ("eth+") (Backport PR #15919, Upstream PR #15697, @joamaki)
• daemon: Allow to specify dev to inherit IP addr for LB devs (#14259, @brb)
• daemon: Remove --help flags grouping (#15564, @brb)
• datapath: add tail call hooks for custom metrics, bytecounter example (#13191, @qmonnet)
• datapath: Create MAC_BY_IFINDEX_MACRO in Go (#15267, @brb)
• doc: Add more generic install section for egress gateway guide (Backport PR #16150, Upstream PR #16087, @tgraf)
• doc: Reword some results (Backport PR #16049, Upstream PR #15955, @tgraf)
• doc: Update diagrams in benchmark report (Backport PR #16150, Upstream PR #16063, @tgraf)
• doc: Use Cilium CLI for Cluster Mesh documentation (#15359, @tgraf)
• docs: document --nodes and --since cilium-sysdump's options (#14058, @jibi)
• docs: Move host firewall out of beta (#15761, @pchaigno)
• docs: Update OpenShift (OKD) GSG to use OLM operator (#15608, @errordeveloper)
• Enable bandwidth-manager by default for new deployments (#13535, @qmonnet)
• Envoy proxy is updated to release 1.16.2 (#14680, @jrajahalme)
• Envoy use of original source address in upstream connetions is disabled when datapath is tunneling. (#14594, @jrajahalme)
• examples: remove obsolete Mesos example (#15377, @tklauser)
• Expose more syslog options (#15545, @jaffcheng)
• Extend cilium-operator binary to be used as command line tool (#14484, @fristonio)
• helm: add ca.crt to tls secrets (#15443, @kaworu)
• helm: consolidate IPSec and Wireguard encryption options (#15809, @jibi)
• helm: move IPSec options under encryption.ipsec (#15846, @jibi)
• helm: Replaced object-based extraArgs with array-based (#15233, @D1abloRUS)
• Helm: Using external serviceAccounts is now possible. (#14731, @youssefazrak)
• Honor allocateLoadBalancerNodePorts in Kubernetes LoadBalancer service spec. (#14465, @fristonio)
• Hubble logs for HTTP responses now include HTTP response headers. (Backport PR #16150, Upstream PR #16013, @jrajahalme)
• Hubble-ui now supports imagePullSecrets being passed in (#15109, @domgoodwin)
• hubble/metrics: Add support for fallback labels, ip addresses and dns names (#14848, @gandro)
• hubble: Add a flag to write Hubble events to a rotated file (#15557, @michi-covalent)
• Hubble: add GetNodes rpc endpoint (#13979, @rolinh)
• hubble: Add node name filter (#13938, @twpayne)
• hubble: Add recorder API (#15680, @gandro)
• hubble: add separate API to get agent and debug events (#15715, @tklauser)
• hubble: Add support for Cilium debug events (#14602, @gandro)
• hubble: allow filtering by agent event subtypes (#14305, @tklauser)
• hubble: distinguish AUDIT policy verdict from FORWARDED (#14923, @jaffcheng)
• hubble: Extend IP filter to support CIDR ranges (#14316, @michi-covalent)
• hubble: Support for debug capture events (#14432, @gandro)
• images: Bump Hubble CLI to v0.8.0 (Backport PR #16049, Upstream PR #15983, @gandro)
• Improve scalability by reducing number of CEP watch events (#15230, @Weil0ng)
• install: Disable kube-proxy-replacement by default (Backport PR #16150, Upstream PR #15422, @tgraf)
• iptables: add support for NOTRACK rules for pod to pod traffic (#15264, @jibi)
• iptables: relax no CT rules to match all pod traffic (#15467, @jibi)
• Istio integration is updated to Istio release 1.8.2. (#14704, @jrajahalme)
• k8s: add support for ipFamilies to services (#14914, @fristonio)
• kubectl: print additional information for CiliumIdentities (#14496, @elfadel)
• maglev: Parallelize calculation of permutations (#14597, @brb)
• Make Cilium the only CNI configuration available in the host to avoid pods from being managed by other CNIs while performing Cilium upgrades. (#14192, @aanm)
• Merge monitor API types EndpointDeleteNotification and EndpointCreateNotification into type EndpointNotification (#14126, @tklauser)
• Minor README updates (#15372, @tgraf)
• node-neigh: Locking, logging, misc improvements (Backport PR #16049, Upstream PR #15783, @brb)
• operator: added --pprof flag/endpoint (#14903, @mvisonneau)
• Remove deprecated v1.10 options (#14291, @jibi)
• Remove legacy flannel integration (#15786, @tgraf)
• Remove some obsolete documentation (#15370, @tgraf)
• Remove the unused container runtime status and DNS poller names properties from Cilium API. (#14590, @tklauser)
• Report events that are lost in Hubble's ring buffer. (#14307, @rolinh)
• set cilium agent only run on linux nodes (#14495, @answer1991)
• Store the previous Cilium's configuration options in the host (Backport PR #16103, Upstream PR #16017, @aanm)
• Support host policies with per-endpoint routes (#15217, @pchaigno)
• Tag ENIs at creation time (#14500, @ungureanuvladvictor)
• TCP flags based filter for hubble. (#13826, @nyrahul)
• Updates & clarifications to Governance Rules (#15325, @tgraf)
• wireguard: Add pod2pod encryption support in tunnel mode and fix IPv6 for direct routing mode (#15716, @brb)
• wireguard: Add support for managed K8s (#15674, @gandro)
• wireguard: Set wireguard and route MTU to detected MTU (Backport PR #16103, Upstream PR #16020, @joamaki)

Bugfixes:

• Add iamRole option to eni in Helm chart values to allow using serviceaccounts for iam roles on cilium-operator (#14970, @bluestealth)
• Avoid exposing full Cilium API in LB-only mode (#14098, @christarazi)
• cilium: Encryption EKS 4.14 kernel (default) fixes (Backport PR #16049, Upstream PR #15867, @jrfastab)
• daemon, config: regenerate endpoint datapath on agent config change (#13971, @jaffcheng)
• daemon/ipam: correct total IP count in cilium status output (#15707, @ArthurChiao)
• daemon: require BPF masq to enable --install-no-conntrack-iptables-rules (Backport PR #16210, Upstream PR #16085, @jibi)
• Decrease verbosity of error "Unable to update ipcache map entry on pod add" for certain conditions (#15757, @aanm)
• Drop a @ in clustermesh-apiserver helm chart (Backport PR #16049, Upstream PR #15934, @anthr76)
• encryption: Limit encryption keys to 2 bits (#15335, @tgraf)
• eni: Fix Cilium overallocating network interfaces (Backport PR #16049, Upstream PR #15911, @gandro)
• Envoy is updated to release 1.17.3 (Backport PR #16150, Upstream PR #16102, @jrajahalme)
• Fix 5.10+ complexity issue with kubeProxyReplacement=disabled (Backport PR #16150, Upstream PR #16084, @pchaigno)
• Fix aws-cni integration where pods were not being scheduled (Backport PR #16049, Upstream PR #15915, @aanm)
• Fix backwards compatibility of status API (#15143, @tgraf)
• Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (Backport PR #16103, Upstream PR #16057, @christarazi)
• Fix ICMP Echo ID placement in CT maps (#15275, @brb)
• Fix rounding behavior when specifying a capacity for Hubble's buffer. (#13894, @rolinh)
• Helm: Respect serviceAccounts.*.create value (#14711, @youssefazrak)
• hubble: Fix numeric identity lookup for FQDN identities (#14477, @gandro)
• ipam/aws: fixed a bug causing the operator to hang indefinitely when the ENI limits for an instance type could not be determined (#14905, @mvisonneau)
• ipam/aws: updated EC2 instances ENI limits and added an helper function to make it easier to do so in the future (#14906, @mvisonneau)
• kvstore: Fix aborted delayed delete warning (#15409, @tgraf)
• lib/proxy.h: set variable as maybe unused to avoid compilation error (#15607, @johngv2)
• nat: Do not increment delete error metric on nat entry GC (#15587, @joamaki)
• operator: release leader lease lock on operator exit (#14554, @fristonio)
• service: Restore Maglev table when M changes (#14469, @brb)
• Treat empty NetworkPolicyPort as "all ports on TCP" during network policy parsing (#14720, @mattfenwick)
• ui envoy: fix config to keep grpc conn (Backport PR #16049, Upstream PR #15938, @geakstr)
• Use new metric names for cilium-operator dashboard (#14507, @ungureanuvladvictor)
• Wait for endpoints to be stopped on agent shutdown (#15447, @jaffcheng)
• wireguard: Fix traffic counters in cilium debuginfo (Backport PR #16210, Upstream PR #16178, @gandro)

CI Changes:

• .github, bpf: Update reference to cilium-checkpatch image (#14700, @pchaigno)
• .github/workflows: remove go version commands from golangci-lint job (#15238, @tklauser)
• .github: fix kind GH action for encryption e2e tests (#15731, @aanm)
• .travis: Disable email notifications on master failures (#15373, @pchaigno)
• .travis: fail Travis if race detection builds also fail (#15199, @aanm)
• (#15659, @Ankurk99)
• (#15796, @michi-covalent)
• Add 'nilness' to golangci (#14066, @joestringer)
• Add CIIntegrationEKSENI CNI integration for ENI IPAM on EKS (#14423, @ungureanuvladvictor)
• Add cyclonus network policy tester. (#14889, @mattfenwick)
• bpf: Fix compilation of bpf_ct_tests (#14862, @pchaigno)
• ci-gke: Add -v=6 for kubectl get pods (Backport PR #16049, Upstream PR #15994, @michi-covalent)
• ci/wireguard: Ensure allowedIPs are set as expected (Backport PR #16049, Upstream PR #16011, @gandro)
• ci: add AKS workflow (#15466, @nbusseneau)
• ci: add CodeQL analysis (#14514, @twpayne)
• ci: add EKS workflow (#15465, @nbusseneau)
• ci: add gke workflow (#15416, @nebril)
• ci: Add quarantine capabilities to k8s-all jenkinsfile (#14150, @nebril)
• ci: Bump vagrant boxes (#14982, @gandro)
• ci: change manifest path for perf test (#14183, @nebril)
• ci: Check gke cluster state before selecting it (#14130, @nebril)
• ci: Fix BGP router does not have route for LB IP (#15771, @gandro)
• ci: fix checking for pr git sha in jenkinsfiles (#15007, @nebril)
• ci: Fix local files chmod in test vagrantfile (#15397, @nebril)
• ci: fix nightly image (#14170, @nebril)
• ci: Fix nightly image (#15605, @nebril)
• ci: fix nightly image sha (#15708, @nebril)
• ci: fix/update GKE workflow (#15482, @nbusseneau)
• ci: offload baremetal "K8s all" builds to sub-jobs (#14861, @nbusseneau)
• ci: push cilium-test image to quay.io, use it in nightly (#15569, @nebril)
• ci: push cilium-test-dev image to quay, accept tags in the test script (#14169, @nebril)
• ci: retry gke cluster scale up, don't clear cluster at start (#14819, @nebril)
• ci: skip gke clusters with ongoing operations (#14348, @nebril)
• ci: use host images in master job (#14311, @nebril)
• ci: use host kubectl in k8s-all (#14302, @nebril)
• ci: Use images built on host in k8s-all job (#14292, @nebril)
• ci: use images from quay.io (#14937, @nebril)
• ci: use separate Jenkins jobs for daily master tests + CI documentation overhaul (#14997, @nbusseneau)
• ci: wait for quay images and boot vms in parallel (#15300, @nebril)
• cilium: Add workflows for GKE in tunnel mode, with and without encryption (#15678, @jrfastab)
• cilium: test encryption workflows for GKE (#15595, @jrfastab)
• cilium: Use build-and-push-with-qemu for builder (#15679, @jrfastab)
• connectivity-check: Reduce chances of port conflict with proxy (Backport PR #16049, Upstream PR #15988, @pchaigno)
• contrib: Add integration testing shell helpers (#14404, @joestringer)
• daemon: Do not attach bpf_host to L3 dev if skb_change_head is unavailable (#15343, @brb)
• docs: Update trigger phrase for Cilium-PR-Ginkgo-Tests-Kernel-Focus (#14849, @pchaigno)
• DualStack kubernetes based IPv6 testing for Cilium (#14461, @fristonio)
• e2e: Make ginkgo default to verbose mode (#15184, @qmonnet)
• Enable identity + cli + health e2e tests on EKS (#14519, @ungureanuvladvictor)
• jenkinsfile: Increase timeout for k8s-all tests (#14583, @pchaigno)
• jenkinsfiles: fix race detector pipelines (Backport PR #16103, Upstream PR #16056, @nbusseneau)
• jenkinsfiles: remove unused environment variables (#15125, @aanm)
• labelsfilter: Fix test for default filters (#15024, @pchaigno)
• node-neigh: Fix unit test flake (Backport PR #16150, Upstream PR #16072, @brb)
• Remove docker-compose leftovers (#14426, @tklauser)
• Remove unused jenkinsfiles (#15578, @aanm)
• Removed unnecessarily redundant static analysis in CI to streamline CI running times. (#14400, @nathanjsweet)
• Revert "ci: push cilium-test image to quay.io, use it in nightly" (#15574, @pchaigno)
• Revert "refactor: Remove time.After from any Loops" (#14371, @tklauser)
• run bpf_ct_tests as part of CI (#14916, @kkourt)
• test/gke: use correct cluster IPv4 CIDR (#15346, @jibi)
• test/helpers: fix GetBPFPacketsCount (#14663, @jibi)
• test/helpers: remove unused functions and consts (#15241, @tklauser)
• test/helpers: Support non-standard nodes names with NO_CILIUM_ON_NODE (#15384, @christarazi)
• test/k8sT/manifests: use image hash with cilium-builder image (#13982, @tklauser)
• test/provision: adjust Dockerfiles considered for image download (#15389, @tklauser)
• test/runtime: Wait for endpoints to be ready before querying by labels (Backport PR #16049, Upstream PR #15990, @pchaigno)
• test: 5.4 CI job (Backport PR #16049, Upstream PR #15765, @pchaigno)
• test: add e2e tests for fromEntities: cluster and all (#15398, @chez-shanpu)
• test: add iptables masquerading without random-fully test (#14476, @jibi)
• test: add nil check to CiliumReport to prevent segfaults (#14210, @nebril)
• test: Allow hostfw tests to run on GKE (#15479, @pchaigno)
• test: Always select nodes by label (#14867, @pchaigno)
• test: change accees of go dir in test vm (#15265, @nebril)
• test: CI pipeline with kube-proxy running alongside our replacement (#14543, @pchaigno)
• test: Collect object file artifacts for K8sVerifier (#14129, @pchaigno)
• test: disable fqdn connectivity test during restart (#13930, @tklauser)
• test: Disable host firewall in incompatible tests (#14545, @pchaigno)
• test: Disable K8sVerifier on 4.19 and net-next CI pipelines (#14162, @pchaigno)
• test: Disable unsupported features on 4.9 to reduce warnings (#15001, @pchaigno)
• test: Extend coverage for host policies enforcement (#14822, @pchaigno)
• test: Extend the clusterIP tests with policy (Backport PR #16049, Upstream PR #15928, @aditighag)
• test: Fix flake in ValidateEndpointsAreCorrect (Backport PR #16103, Upstream PR #16068, @pchaigno)
• test: Fix fragment tracking test on GKE (Backport PR #16049, Upstream PR #15959, @pchaigno)
• test: Fix incorrect uninstall in K8sBandwidth (Backport PR #16210, Upstream PR #16053, @pchaigno)
• test: Fix kube-proxy service tests when running with socket-level LB (#14699, @pchaigno)
• test: Fix local tests (#15130, @pchaigno)
• test: Fix the search for VIPs in cilium service list (Backport PR #16049, Upstream PR #15968, @pchaigno)
• test: K8sUpdates: Remove deprecated code (#15349, @pchaigno)
• test: Make Wireguard tcpdump filter more fine grained (#15507, @brb)
• test: Mark GKE CI pipeline as running Linux 4.19 (#14639, @pchaigno)
• test: Misc improvements (Backport PR #16210, Upstream PR #16064, @pchaigno)
• test: Move RuntimeCLI to K8sCLI (#14017, @pchaigno)
• test: quarantine failing NodePort tests on 1.14 (#15415, @nebril)
• test: Quarantine flakes from k8s-all CI pipeline (#14151, @pchaigno)
• test: quarantine flaking datapathconfig tests on 1.17 (#14188, @nebril)
• test: Quarantine K8sUpdates on GKE (#13899, @pchaigno)
• test: quarantine K8sVerifier on k8s-all (#14409, @nebril)
• test: Quarantine test with secondary NodePort device (#15003, @pchaigno)
• test: Reduce build durations (#14223, @pchaigno)
• test: Reenable debug mode for monitor tests (#15127, @pchaigno)
• test: remove leftovers of running own registry in GKE tests (#15124, @tklauser)
• test: Remove spammy "Cilium DaemonSet not ready yet" logs (#14544, @pchaigno)
• test: Respect cilium.holdEnvironment on Cilium status check (#15219, @pchaigno)
• test: Respect cilium.holdEnvironment on DNS check (#14695, @pchaigno)
• test: Run WG with per-endpoint routes (Backport PR #16049, Upstream PR #15906, @brb)
• test: set kubeProxyReplacement=probe for upstream k8s tests (Backport PR #16150, Upstream PR #16162, @aanm)
• test: Un-Quarantine K8sUpdates on GKE (#14464, @gandro)
• test: Uncouple KPR from presence of kube-proxy (#15543, @pchaigno)
• test: Unquarantine K8sUpdates under GKE (#13793, @pchaigno)
• test: Unquarantine K8sVerifier on k8s-all (#15154, @pchaigno)
• test: Unquarantine the random-fully test (#15205, @pchaigno)
• test: Unquarantine tunneling + endpoint routes test (#15152, @pchaigno)
• test: update k8s testing versions to 1.18.18, 1.19.10 and 1.20.6 (#15755, @aanm)
• test: Use node labels when testing host policies (#15714, @pchaigno)
• test: Use stable tags instead of :latest (#14093, @pchaigno)
• test: Wait for cilium monitor to match expected output (#15848, @pchaigno)
• vagrant: bump all box versions (#14274, @jibi)
• vagrant: Bump all Vagrant box versions (#14167, @pchaigno)
• vagrant: Bump all Vagrant box versions (#15772, @pchaigno)
• vagrant: Bump all Vagrant box versions (#15812, @pchaigno)
• vagrant: Upgrade Vagrant box versions (#15356, @aditighag)
• wireguard: Add pod2pod encryption tests (#15573, @brb)
• wireguard: Fix timeout in unit test (Backport PR #16049, Upstream PR #16001, @gandro)
• workflows: add encryption for AKS testing (#15657, @nbusseneau)
• workflows: add multicluster CI 3.0 workflow (#15710, @nbusseneau)
• workflows: fix EKS encryption testing not using aws operator image (#15745, @nbusseneau)
• workflows: fix GKE if condition (#15788, @nbusseneau)
• workflows: fix schedule triggers (#15813, @nbusseneau)
• workflows: improvements to CI 3.0 workflows (#15694, @nbusseneau)
• workflows: increase multicluster timeout to 30 minutes (#15811, @nbusseneau)
• workflows: small fixes to Kind (#15658, @nbusseneau)

Misc Changes:

• .dockerignore: add *.box files (#14045, @kkourt)
• .github: add GitHub actions to build images (#14917, @aanm)
• .github: Bump project for 1.9.0-rc4 (#13880, @joestringer)
• .github: change dependabot interval to daily (#15651, @aanm)
• .github: change step order (#14703, @aanm)
• .github: checkout right SHA for base images (#15069, @aanm)
• .github: Don't mark good-first-issues as stale (#14908, @pchaigno)
• .github: Fix cilium project management for v1.9 (#14065, @joestringer)
• .github: fix correct sha for images build (#15065, @aanm)
• .github: fix markdown typo (#15792, @aanm)
• .github: publish tags from master branch in official repositories (#15078, @aanm)
• .github: set :latest tag for merges into master branch (#14933, @aanm)
• .github: set different workflow IDs (#14932, @aanm)
• .github: update GH actions on stable branches (#15208, @aanm)
• .github: update release process (#14672, @aanm)
• .github: update steps for the release process of a RC (#15319, @aanm)
• .github: update v1.9 cilium-actions project number (#14683, @aanm)
• .github: use quay.io images in smoke tests (#15005, @aanm)
• .gitignore: add .vscode/ directory (#14664, @ti-mo)
• (#15113, @TrevorTaoARM)
• Add ability to mock kernel feature prober and expand BPF map tests (#14876, @christarazi)
• Add arm64 support for the connectivity test (Backport PR #15919, Upstream PR #15894, @aanm)
• Add custom resource for egress nat policies (#14998, @MasterZ40)
• Add dev-docker-operator-image makefile directive (#14387, @ungureanuvladvictor)
• add doc for AlibabaCloud ENI (#15512, @l1b0k)
• Add ebpf map cilium_egress_v4 for egress gateway (#14712, @anfernee)
• Add fuzzer with OSS-fuzz build script (#14202, @AdamKorcz)
• add GH action to push hot fix images into -dev repositories (#15061, @aanm)
• Add hubble relay docker images + fix k8s version for eks in contrib testing script (#14478, @ungureanuvladvictor)
• Add multi-arch support to all images (#15023, @aanm)
• add support for EndpointSlice V1 (#15524, @aanm)
• Add support to enable EndpointStatus in Helm chart (#15844, @carloscastrojumo)
• Add TagSpecifications to ec2:CreateNetworkInterface only when len > 0 (#14571, @ungureanuvladvictor)
• Add tunnel mode config and egress gateway config params (#14723, @MasterZ40)
• Add warning log when host enable SELinux (#15414, @konghui)
• add_vagrant_box.sh: Fix download issue and update help message (#14553, @qmonnet)
• add_vagrant_box.sh: Fix incorrect vagrant box updates (#14527, @pchaigno)
• add_vagrant_box.sh: remove downloaded files after installing a VM image (#14686, @qmonnet)
• Added ArangoDB Oasis to USERS list (#14697, @ewoutp)
• Added build comment to oss-fuzz build file (#14856, @AdamKorcz)
• Added flag proxy.prometheus.enabled to helm chart for disabling service (#14688, @yuriydzobak)
• Added Tailor Brands to users (#14605, @liorrozen)
• Address #13894 nits (#13985, @jibi)
• Address shellcheck warnings in cni-(un)install.sh. (#14467, @ti-mo)
• Adds ipv6 support for local-router-ip (#15662, @Weil0ng)
• Adds pod annotation to manage iptables NOTRACK rules. (#13805, @Weil0ng)
• agent: Make intent of signaling channels clear and optimize memory (#14075, @aditighag)
• alignchecker: git should not ignore bpf_foo.o (#14046, @kkourt)
• all: bump Alpine base image to 3.13.1 and add meta image SHA256 sum (#14795, @rolinh)
• all: don't use the deprecated io/ioutil package (#15242, @tklauser)
• all: use UUIDv4 instead of UUIDv1 (#14351, @tklauser)
• allocator: Quieten local key allocation logging (#14804, @joestringer)
• api/hubble: Explicitly mark unused fields as reserved (#13809, @gandro)
• arp: Set deadline for each retry (#14651, @brb)
• Assign specific, unique ports for pprof (Agent, Operator, Hubble Relay) (#15441, @christarazi)
• AUTHORS: Update email (#15885, @jrajahalme)
• aws/eni/limits: lazily populate limits map (#15523, @tklauser)
• azure: Fix API rate limit test (#15493, @twpayne)
• bpf/lb: Skip service handling for ICMP packets (#12552, @pchaigno)
• bpf: allow prefix of /32 and /128 in RSS src CIDR (#14367, @borkmann)
• bpf: Comment BPF hook points, some tail calls, and local delivery code (#15204, @pchaigno)
• bpf: datapath: Fix fetching configured base devices (#14456, @mrostecki)
• bpf: datapath: Rewite base devices setup in Go (#13915, @mrostecki)
• bpf: fix health cilium_ipip6 collect_md mode (#15281, @borkmann)
• bpf: fixes for host routing (#15240, @borkmann)
• bpf: initial pcap exporter for lb (#15376, @borkmann)
• bpf: lb pmtu discovery support (#14980, @borkmann)
• bpf: lift port restriction and allow l4 dnat in ipip (#15396, @borkmann)
• bpf: option for selecting DSR L4 DNAT method for IPIP (#15880, @borkmann)
• bpf: use LB addr as srcIP for outer hdr in DSR/IPIP (#14260, @borkmann)
• bpf: Use optimized memset in send_trace_notify (#14450, @pchaigno)
• bpf_host: declare variables in the beginning of the block (#15560, @johngv2)
• build(deps): bump actions/cache from v2 to v2.1.4 (#14880, @dependabot[bot])
• build(deps): bump actions/cache from v2.1.4 to v2.1.5 (#15666, @dependabot[bot])
• build(deps): bump actions/download-artifact from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9 (#15582, @dependabot[bot])
• build(deps): bump actions/setup-go from v1 to v2.1.3 (#14715, @dependabot[bot])
• build(deps): bump aws-actions/configure-aws-credentials from 1.5.8 to 1.5.9 (#16109, @dependabot[bot])
• build(deps): Bump aws-sdk-v2 to official releases (#14794, @sayboras)
• build(deps): bump docker/build-push-action from 4a531fa5a603bab87dfa56578bd82b28508c9547 to 2.3.0 (#15049, @dependabot[bot])
• build(deps): bump docker/build-push-action from 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a to 2.4.0 (#15586, @dependabot[bot])
• build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15918, @dependabot[bot])
• build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15941, @dependabot[bot])
• build(deps): bump docker/setup-buildx-action from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2 (#15600, @dependabot[bot])
• build(deps): bump docker/setup-buildx-action from 2a4b53665e15ce7d7049afb11ff1f70ff1610609 to 1.2.0 (#15862, @dependabot[bot])
• build(deps): bump docker/setup-qemu-action from 25f0500ff22e406f7191a2a8ba8cda16901ca018 to 1.1.0 (#15854, @dependabot[bot])
• build(deps): bump docker/setup-qemu-action from 6520a2d2cb6db42c90c297c8025839c98e531268 to 1.0.2 (#15585, @dependabot[bot])
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.0.0 to 1.1.0 (#14881, @dependabot[bot])
• build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.0 to 1.0.2 (#15139, @dependabot[bot])
• build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.2 to 1.0.3 (#15358, @dependabot[bot])
• build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.10 to 0.9.13 (#15050, @dependabot[bot])
• build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.5 to 0.5.6 (#14771, @dependabot[bot])
• build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.6 to 0.5.7 (#15412, @dependabot[bot])
• build(deps): bump github.com/containernetworking/cni from 0.8.0 to 0.8.1 (#14976, @dependabot[bot])
• build(deps): bump github.com/go-openapi/runtime from 0.19.24 to 0.19.26 (#14836, @dependabot[bot])
• build(deps): bump github.com/go-openapi/spec from 0.20.0 to 0.20.2 (#14832, @dependabot[bot])
• build(deps): bump github.com/go-openapi/strfmt from 0.19.11 to 0.20.0 (#14768, @dependabot[bot])
• build(deps): bump github.com/go-openapi/validate from 0.20.0 to 0.20.1 (#14823, @dependabot[bot])
• build(deps): bump github.com/google/uuid from 1.1.4 to 1.2.0 (#14855, @dependabot[bot])
• build(deps): bump github.com/onsi/gomega from 1.10.3 to 1.10.5 (#14833, @dependabot[bot])
• build(deps): bump github.com/shirou/gopsutil from 2.20.4+incompatible to 2.20.9+incompatible (#14809, @dependabot[bot])
• build(deps): bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#14772, @dependabot[bot])
• build(deps): bump golangci/golangci-lint-action from v2 to v2.4.0 (#14975, @dependabot[bot])
• build(deps): bump golangci/golangci-lint-action from v2.5.0 to v2.5.1 (#15248, @dependabot[bot])
• build(deps): bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 (#15552, @dependabot[bot])
• build(deps): bump helm/kind-action from v1.0.0 to v1.1.0 (#14716, @dependabot[bot])
• build(deps): bump jinja2 from 2.10.1 to 2.11.3 in /Documentation (#15407, @dependabot[bot])
• build(deps): bump k8s.io/apiextensions-apiserver from 0.20.1 to 0.20.2 (#14786, @dependabot[bot])
• build(deps): bump k8s.io/apimachinery from 0.20.1 to 0.20.2 (#14811, @dependabot[bot])
• build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.2 (#14810, @dependabot[bot])
• build(deps): bump k8s.io/code-generator from 0.20.1 to 0.20.2 (#14769, @dependabot[bot])
• build(deps): bump k8s.io/klog/v2 from 2.4.0 to 2.5.0 (#14824, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 (#16090, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 (#15247, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from v1.1.1 to v1.2.1 (#15571, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from v1.2.1 to v1.2.2 (#15684, @dependabot[bot])
• build(deps): bump pyyaml from 5.3.1 to 5.4 in /Documentation (#15473, @dependabot[bot])
• build(deps): bump Sibz/github-status-action from e92e9076ba64fe070b6f06221720fc647d82e90e to 1.1.5 (#15584, @dependabot[bot])
• build(deps): update actions/upload-artifact requirement to ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 (#15599, @dependabot[bot])
• build(deps): update docker/build-push-action requirement to 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a (#15138, @dependabot[bot])
• build(deps): update helm/kind-action requirement to v1.1.0 (#15279, @dependabot[bot])
• build: Minor fixes to .gitignore and docs (#13626, @twpayne)
• Bump alpine base image to 3.13.0 (#14718, @tklauser)
• Bump aws-go-sdk-v2 to v0.30.0 (#14460, @ungureanuvladvictor)
• Bump aws-go-sdk-v2 to v0.31.0 (#14490, @ungureanuvladvictor)
• Bump gops to 0.3.16 (#15213, @tklauser)
• Bump hubble UI version and pinned digest for envoy proxy (#15889, @aanm)
• Bump vendored dependencies (#14572, @tklauser)
• Bump vendored dependencies (part 2) (#14606, @tklauser)
• bwm: queue mapping & cong fixes (Backport PR #16049, Upstream PR #15964, @borkmann)
• Centralize building of the aws.Config object (#14048, @ungureanuvladvictor)
• Check whether to setup proxy rules when init bpf (#14542, @ChangyuWang)
• ci/dependabot: fix labels (#14773, @rolinh)
• ci/docker: Add operator dir into Dockerfile.dockerignore (#14069, @sayboras)
• ci: Add initial dependabot configuration (#14694, @twpayne)
• ci: build race-detection images in GH actions (#14979, @nebril)
• CI: fix cron values for CodeQL analysis (#14575, @twpayne)
• ci: only run CodeQL analysis on cilium/cilium (#14633, @twpayne)
• ci: only run Nightly workflows on cilium/cilium (#14612, @kaworu)
• cilium/cmd, vendor: use github.com/russross/blackfriday/v2 (#14261, @tklauser)
• cilium/cmd: don't write copyright header in generated shell completion (#15845, @tklauser)
• cilium/cmd: Fix skipping of .git directories (#13760, @twpayne)
• cilium/cmd: mark tests as unprivileged (#13933, @tklauser)
• cilium/cmd: remove unnecessary parseLabels func (#13988, @tklauser)
• cilium/cmd: Replace exit code -1 with exit code 1 (#13761, @twpayne)
• cilium: Drop encryption with tunnel support beta tag (#13801, @jrfastab)
• cilium: error out in svc upsert on frontend/backend ports mismatch on IPIP (#14372, @borkmann)
• cilium: pcap recorder agent management (#15633, @borkmann)
• cilium: pcap recorder follow ups (#15782, @borkmann)
• cilium: Use strings, not byte slices, for JSON dumps (#14041, @twpayne)
• Clarify description of IPSec configuration format and encryption options (#14760, @Andrey9kin)
• cleanup/unused: Remove un-used code in codebase (#14113, @sayboras)
• cli: Add LB IP to cilium status (#14445, @brb)
• cli: Rename kpr Protocols status field (#14977, @brb)
• cocinelle: update to python3 (#14522, @kaworu)
• CODEOWNERS: Add @cilium/wireguard for pkg/wireguard (#15618, @brb)
• CODEOWNERS: add daemon/cmd/kube_proxy_* and pkg/bandwidth (#13818, @tklauser)
• CODEOWNERS: add maintainers to be codeowners of .github (#15925, @aanm)
• CODEOWNERS: Add pkg/bgp (#15663, @christarazi)
• CODEOWNERS: Add pkg/maglev to @cilium/loadbalancer (#14603, @brb)
• CODEOWNERS: Assign tools/ to cilium/contributing (#14433, @pchaigno)
• CODEOWNERS: Assign Travis files to ci-structure team (#15173, @pchaigno)
• CODEOWNERS: Create cilium/alibabacloud team (#15665, @l1b0k)
• CODEOWNERS: Create cilium/loader team (#15451, @pchaigno)
• CODEOWNERS: Remove @cilium/monitor team (#15368, @pchaigno)
• CODEOWNERS: Remove docs-structure review from helm (#14965, @joestringer)
• CODEOWNERS: Split codeowners for the documentation (#14076, @pchaigno)
• CODEOWNERS: Split test/ code owners (#14244, @pchaigno)
• CODEOWNERS: Update required reviews (#15009, @pchaigno)
• Complete kube-router documentation by mentioning that "ipam: kubernetes" should be used (#14161, @manuelbuil)
• Consistently use structured logging for errors (#13814, @tklauser)
• Consolidate ec2 client create call (#14121, @ungureanuvladvictor)
• contrib/k8s: Add 'nsexec' script to run commands in the network namespace of a POD (#14361, @jrajahalme)
• contrib: add dual-stack support for dev VMs (#15827, @aanm)
• contrib: Convert consolidate_go_stacktrace.py to python3 (#15140, @brb)
• contrib: Ensure release tag is upstream before push (Backport PR #15919, Upstream PR #15903, @joestringer)
• contrib: Fix scripts for v1.10 (Backport PR #15919, Upstream PR #15898, @joestringer)
• contrib: Make upstream commit check more generic (Backport PR #16210, Upstream PR #16160, @joestringer)
• Convert AWS API calls to use paginators (#14491, @ungureanuvladvictor)
• crypto/certloader: fix tests comparing crypto/x509.CertPool for Go 1.16 (#14789, @tklauser)
• custom calls: cleanup and improve a few elements (#15480, @qmonnet)
• daemon: Add hidden --cflags debug command (#15549, @joestringer)
• daemon: Avoid blocking datapath on node discovery (#14670, @pchaigno)
• daemon: Create RuntimePath if not equal to StateDir (#15711, @oblazek)
• daemon: don't install cilium-node-monitor symlink (#15054, @tklauser)
• daemon: Fatal on XDP + egress gateway (#15511, @pchaigno)
• daemon: log errors from bpf.TestDummyProg() (#15460, @rgo3)
• daemon: Make Hubble Recorder API opt-out (#15781, @gandro)
• daemon: Remove unnecessary log (#15776, @christarazi)
• daemon: Turn on policy debug logging if Cilium is started with --debug (#14352, @jrajahalme)
• daemon_main: fix comments error (#14194, @lrouter)
• datapath/iptables: de-duplicate program argument construction (#14007, @tklauser)
• datapath/linux/arp: avoid leaking sock fd if unix.SetNonblock fails in func listen (#15646, @tklauser)
• datapath/linux/probes: remove unused (*ProbeManager).GetMisc (#15647, @tklauser)
• datapath/linux: Fix clang version regex check (#14742, @christarazi)
• datapath/loader: fix privileged test build (#14335, @tklauser)
• datapath: always generate BTF debug information (#14166, @jibi)
• datapath: migrate off j-keck/arping (#13112, @vladdy)
• datapath: Move XDP handling from bpf/init.sh to agent (#15497, @brb)
• datapath: Remove IPV{4,6}_NODEPORT (#14431, @brb)
• datapath: Use SHA256 instead of SHA1 for datapath hash (#14279, @twpayne)
• dependabot: disable automatic rebasing of PRs (#14826, @tklauser)
• dependabot: Fix labels (#14717, @pchaigno)
• dependabot: ignore ginkgo updates (#14821, @tklauser)
• dependabot: ignore grpc and miekg/dns updates (#14790, @tklauser)
• dependabot: limit number of open PRs to 1 (#14837, @tklauser)
• dev-doctor: Add --backporting flag for backporters (#14016, @twpayne)
• dev-doctor: Add Helm check (#14001, @twpayne)
• dev-doctor: Add more checks (#14229, @twpayne)
• distinguish between FIN and RST on datapath (#14097, @kkourt)
• doc/encryption: improve consistency between ipsec and wireguard guides (Backport PR #16049, Upstream PR #15965, @rolinh)
• doc: Add Egress Gateway Getting Started Guide (#15661, @MasterZ40)
• doc: Add K8S flag to the example to add worker nodes (#14682, @aditighag)
• Doc: Add note to open tcp:4244 for Hubble Relay (#14758, @youssefazrak)
• doc: Update AUTHORS file (#14719, @kaworu)
• doc: update Hubble/Hubble Relay guides for recent CLI changes (Backport PR #16049, Upstream PR #15981, @rolinh)
• docker: bump cilium-iproute2 image (#14258, @jibi)
• Docker: Multi-arch & cross-compile build with docker buildx (#14208, @jrajahalme)
• docker: Pre-pull images correctly (#14759, @jrajahalme)
• Dockerfile image build process follow-ups (#15110, @aanm)
• Dockerfile: use alpine 3.12 (Backport PR #16049, Upstream PR #15950, @aanm)
• Dockerfiles: quote FROM images if they contain 'sha256' (#14887, @aanm)
• docs, gsg: add link to plumbers talk on service lb mechanisms (Backport PR #16210, Upstream PR #16171, @borkmann)
• docs, gsg: minor edits to kpr guide and note on hybrid use (Backport PR #16210, Upstream PR #16169, @borkmann)
• docs/contrib: Clarify the options for the Vagrant setup (#15835, @pchaigno)
• docs/encryption: Document limitations and workarounds (#15876, @gandro)
• docs/ipsec: misc improvements (Backport PR #16103, Upstream PR #15978, @kaworu)
• docs/release: add step to update dashboards to grafana.com (#14312, @aanm)
• docs/vagrant: Remove reference of libvirt to avoid confusion (#13745, @sayboras)
• docs: add 'endpointRoutes.enabled=true' to aws-cni (Backport PR #16103, Upstream PR #16045, @bmcustodio)
• docs: Add az login command to AKS getting started guide (#13926, @twpayne)
• docs: Add BGP GSG (#15519, @christarazi)
• docs: Add caveat for OpenShift (Backport PR #16210, Upstream PR #16161, @christarazi)
• docs: add cilium-operator technical overview documentation (#14530, @fristonio)
• docs: add ids to the list of special identities (Backport PR #16150, Upstream PR #16123, @bmcustodio)
• docs: Add info about Envoy smoke test (#14359, @jrajahalme)
• docs: add information about ConfigMap updates (Backport PR #16210, Upstream PR #16141, @aanm)
• docs: Add link from EKS mode to ec2 privileges (#14515, @joestringer)
• docs: Add missing Jobs to the Jenkins Trigger Phrases table (#14199, @kaworu)
• docs: Add note about DNS-related policies on OpenShift (Backport PR #16150, Upstream PR #16083, @twpayne)
• docs: Add section for filtering by subnet tags in ENI mode (#15635, @christarazi)
• docs: Add Wireguard Getting Started Guide (#15787, @gandro)
• docs: Advise running ginkgo in verbose for e2e tests (#15060, @pchaigno)
• docs: clarify janitor duties (#14127, @jibi)
• docs: Clarify that empty endpoint selectors implictly limit to namespace (#14580, @twpayne)
• docs: clustermesh: fix output of "cilium clustermesh status" command (Backport PR #16049, Upstream PR #15982, @jibi)
• docs: document final steps for nomination of new committers (#15378, @qmonnet)
• docs: Document update-cmdref make target usage (#14925, @nebril)
• docs: example cluster-wide health endpoint (#15348, @Shikugawa)
• docs: Expand triage description (#14235, @joestringer)
• docs: Fix commands to build dev. docker images (#15231, @pchaigno)
• docs: Fix egress gateway getting started guide (Backport PR #16049, Upstream PR #15984, @gandro)
• docs: Fix ginkgo commands for e2e tests in GKE/EKS (#15223, @pchaigno)
• docs: Fix hint for updating cmdref (#13795, @brb)
• docs: Fix invalid link for BPF Newsletter (#15746, @LiangZhou-CTY)
• docs: Fix link formatting to builder/runtime images (#14421, @joestringer)
• docs: fix llvm git repo and clang folder (#14812, @fnzv)
• docs: Fix pip installation (#15705, @brb)
• docs: Fix sed in OKD GSG (#15822, @christarazi)
• docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (Backport PR #16049, Upstream PR #15963, @ti-mo)
• docs: improve and fix minor issues (Backport PR #16103, Upstream PR #15975, @qmonnet)
• docs: Improve DNS port documentation (#14144, @joestringer)
• docs: improve the aws-cni chaining page (Backport PR #16103, Upstream PR #15979, @bmcustodio)
• docs: Improve wording around Helm values in OKD GSG (Backport PR #16210, Upstream PR #16069, @errordeveloper)
• docs: Make cross-cluster policy more explicit (#15778, @jrajahalme)
• docs: Mention KUBEPROXY ENV var in e2e section (#15535, @brb)
• docs: minor improvements to tuning guide (Backport PR #16049, Upstream PR #16024, @borkmann)
• docs: Recommend use of backport scripts (#14011, @pchaigno)
• docs: Remove -noColor from ginkgo flags (#15224, @pchaigno)
• docs: Remove incorrect configuration advice for native routing (#15016, @cmacrae)
• docs: remove misplaced sentence from Quick Installation guide (Backport PR #16049, Upstream PR #15971, @lfundaro)
• docs: Rename priority/release-blocker to release-blocker/1.X (#14735, @pchaigno)
• docs: Some Wireguard improvements (Backport PR #16049, Upstream PR #16023, @brb)
• docs: tell how to deploy demo app in Hubble CLI guide (Backport PR #16049, Upstream PR #15973, @lfundaro)
• docs: Tweak backporting doc (#15369, @twpayne)
• docs: update dependency table to add links and download command (#15055, @kaitoii11)
• docs: update OpenShift getting started guide (Backport PR #16103, Upstream PR #16006, @twpayne)
• docs: Update SIG-Datapath meeting time. (Backport PR #16103, Upstream PR #16027, @joestringer)
• docs: Update testing docs with instructions to run specific tests (#14108, @aditighag)
• docs: Updates steps when using submit-backport (#14799, @pchaigno)
• docs: use dedicated Sphinx role to reference GitHub issue (#15814, @qmonnet)
• Documentation: update iproute2 git URL in bpf.rst (#15207, @dmitris)
• Documentation: Update list of Jenkins jobs (#14592, @twpayne)
• Drop GODEBUG='madvdontneed=1' setting with Go 1.16 (#15076, @tklauser)
• ebpf: delete existing pinned map if incompatible with the spec (Backport PR #16049, Upstream PR #15832, @jibi)
• Egress NAT control plane watchers and egress policy manager (#15134, @MasterZ40)
• Encryption docs update (Backport PR #16049, Upstream PR #14940, @aditighag)
• endpoint: Add named type for endpoint state (#15614, @ammmk)
• endpoint: Enhance policy map sync (#14370, @jrajahalme)
• endpoint: Fix typo in CT clean logic (#14137, @joestringer)
• endpoint: remove unused (*Endpoint).FinishIPVLANInit and depended on symbols (#14056, @tklauser)
• ENI migration followups (#15702, @christarazi)
• envoy: Update proxylib interface (#14560, @jrajahalme)
• envoy: use errors.Is(..., net.ErrClosed) instead of string matching (#15080, @tklauser)
• examples: Split host policies for dev. VMs (#15577, @pchaigno)
• Export and use agent event sub-types for Hubble (#14415, @tklauser)
• Extend endpoint related interfaces (#14743, @aditighag)
• Extend the monitor notification interface with endpoint id getter (#15391, @aditighag)
• Fix a typo in terminology documentation (#14181, @didier-durand)
• fix broken link on readme (#13981, @kaitoii11)
• Fix cilium typos (#14180, @twpayne)
• Fix encryption getting started guides for v1.10 (Backport PR #16049, Upstream PR #15961, @jibi)
• Fix error propagation in (*K8sWatcher).addK8sPodV1 (#14864, @tklauser)
• Fix integer conversions (#14561, @twpayne)
• Fix logging for expired FQDN IPs (Backport PR #16210, Upstream PR #16030, @youssefazrak)
• Fix rawgit links in README.rst (#14092, @vignesh-codes)
• Fix typo in grpc example (#14874, @teyuchang)
• Follow ups for host firewall support of endpoint routes (Backport PR #16103, Upstream PR #15942, @pchaigno)
• Fqdn: log misbehaving applications that do not respect DNS TTL (#14878, @youssefazrak)
• fqdn: Optimize KeepUniqueNames (#13920, @jrajahalme)
• fqdn: pass CIDR matcher to (*DNSZombieMappings).DumpAlive (#13990, @tklauser)
• gettingstarted: Corrected typos in memcached.rst (#15277, @unixdaddy)
• health: Disable routing in BPF when per-endpoint routes are enabled (#14741, @pchaigno)
• Helm: adjust comment in values.yaml to accomodate Vim users (#15334, @qmonnet)
• Helm: Allow enable-k8s-event-handover to be configured via Helm to control CNP Node status updates (#14555, @youssefazrak)
• hubble/parser/threefour: decode layers only if there is a packet (#14448, @tklauser)
• hubble/parser/threefour: ignore gopacket errors on unsupported layers (#14418, @tklauser)
• hubble: allow to filter agent events (#14242, @tklauser)
• hubble: Removal of legacy interfaces and minor cleanup of metrics (#14442, @gandro)
• hubble: Support --{last,since,until} on agent and debug events (#14739, @gandro)
• hubble: switch to google.golang.org/protobuf (#14635, @tklauser)
• images, vendor: update gops to 0.3.17 (#15299, @tklauser)
• images/cilium: set IMAGE_CROSS_TARGET_PLATFORM for right arch (#15074, @aanm)
• images/runtime: update ubuntu base image (#15615, @aanm)
• images: make update-golang-image.sh update hubble-proto Dockerfile (#14036, @kaworu)
• images: re-write README.md (#15108, @aanm)
• images: squash common operator images in a single Dockerfile (#15849, @aanm)
• Implement egress gateway datapath (#14830, @anfernee)
• Improve pod deletion resiliency (#14898, @joestringer)
• install/kubernetes: fix upgrade envoy to 1.18.2 for Hubble UI (#15879, @kaworu)
• install/kubernetes: remove quick-install from master branches (#15250, @aanm)
• install/kubernetes: set k8s min version manually (#14778, @aanm)
• install: Remove 1.9 RC workaround (#13863, @joestringer)
• iptables: GetProxyPort(): run iptables quietly (#15779, @kkourt)
• iptables: use CILIUM_* chains for per-endpoint no CT rules (#15411, @jibi)
• ipvlan: use github.com/cilium/ebpf to create map and load program (#14043, @tklauser)
• issue_14922: Fixed the 429 response code handling (Backport PR #15919, Upstream PR #15760, @Maddy007-maha)
• jenkinsfile: Remove stale symlinks (#14365, @pchaigno)
• k8s/api: More consistent field name capitalisation (#15521, @errordeveloper)
• k8s: Consolidate check for EndpointSlice support (#15561, @christarazi)
• k8s: Fix Wireguard with IPAM != ClusterPool (#15784, @gandro)
• k8s: Introduce subscriber package to simplify & consolidate K8s watcher callbacks / event handling (#15295, @christarazi)
• k8s: update k8s libraries to 1.19.4 (#14032, @aanm)
• k8s: update k8s libraries to 1.20.3 (#15030, @aanm)
• k8s: update k8s libraries to 1.20.4 (#15092, @aanm)
• k8s: Update libraries to v1.20.1 (#14481, @christarazi)
• kvstore: Fix event watcher serialization (#14101, @joestringer)
• lbmap: Add compile-time tests for interface satisfiability (#13868, @brb)
• loader : Log upsert and remove route errors (#15339, @h3llix)
• loader : Log upsert and remove route errors (#15525, @h3llix)
• maglev: Allocate permutations slice ahead of time (#14622, @christarazi)
• MAINTAINERS: update MAINTAINERS.md (#15603, @kaworu)
• make: add help target to root Makefile for printing info about availble targets (#15087, @fristonio)
• make: Use buildkit for docker targets by default (#14714, @jrajahalme)
• make: Use consistent Docker tag for dev-docker-image (#14062, @pchaigno)
• Makefile: do not depend on TARGET for install-bash-completion (#15147, @aanm)
• Makefile: Fix microk8s image target (#15516, @joestringer)
• Makefile: Fix missing BASE_IMAGE in docker builds (#14967, @christarazi)
• Makefile: Remove microk8s prepull script (#14148, @joestringer)
• Makefile: Remove microk8s.registry dependency (#15157, @joestringer)
• Makefile: Simplify to run faster (#13939, @jrajahalme)
• Metrics: Add cilium_datapath_dump_resets for dump_interrupts count (#14888, @youssefazrak)
• Minor fixes for OKD GSG (Backport PR #16049, Upstream PR #16000, @errordeveloper)
• Misc. cleanups in hubble and monitor packages (#14103, @tklauser)
• Modified path of fuzzer (#14813, @AdamKorcz)
• monitor, vendor: bump github.com/cilium/ebpf to v0.3.0 (#14200, @tklauser)
• monitor: Display human-readable identities (#13601, @pchaigno)
• node-neigh: Avoid flooding the same next hop (Backport PR #16049, Upstream PR #15882, @brb)
• node/manager: remove unused *Manager methods (#15106, @tklauser)
• node: Remove SetInternalIPv4From Method (#15873, @nathanjsweet)
• Observer to ignore unhandled debug event types (#14589, @anfernee)
• operator: use logfields in cilium operator logging (#14548, @fristonio)
• Optimize Label.String() (#15089, @michi-covalent)
• pkg/client/client.go: Set EnabledProtocols when pointer is nil (#15688, @johngv2)
• pkg/datapath: ignore certain error types on route delete (#15730, @aanm)
• pkg/k8s/watchers follow-up for #14864 (#15004, @tklauser)
• pkg/k8s: fix concurrent access in CNP field (#15518, @aanm)
• pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors (Backport PR #16210, Upstream PR #16153, @aanm)
• pkg/k8s: remove unused code (#14376, @aanm)
• pkg/k8s: set the right api group for EndpointSlice (#15631, @aanm)
• pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (#14617, @gandro)
• pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (2) (#15091, @rolinh)
• pkg/logging: do not repeat klog messages on all levels (#14503, @aanm)
• pkg/rate: Make parsing of positive values more strict (#14536, @twpayne)
• pkg/sysctl: Sanitize parameter names (#14533, @twpayne)
• pkg: Use strings.Builder instead of bytes.Buffer where possible (#13759, @twpayne)
• policy: Fix typo in issue link (#15251, @joestringer)
• policy: improve CNP initial sync (#15492, @jaffcheng)
• policy: Suppress any policy map updates when updating redirects if keeping the current policy (#14356, @jrajahalme)
• Prepare branch for v1.10 release cycle (#15868, @joestringer)
• Prepare for 1.10.0 development (#13617, @aanm)
• Prepare helm charts for v1.10.0-rc0 (#15322, @aanm)
• Prepare v1.10.0-rc0 (#15318, @aanm)
• README: update security releases (#13977, @aanm)
• Refactor endpoint management (#14745, @joestringer)
• refactor: Remove time.After from any Loops (#14265, @nathanjsweet)
• refactor: Remove time.After from any Loops (#14380, @nathanjsweet)
• release: Automate image digest PR creation (#15818, @joestringer)
• Remove duplicated ruleLabels in DerivedFromRules (#15280, @aanm)
• Remove NEEDS_RELAX_VERIFIER (#15610, @rscampos)
• Remove references for old k8s version from tests (#14471, @fristonio)
• remove xtables.lock and privileged=true from node-local-dns example (#14319, @ghouscht)
• rename ciliumNodeInformer to ciliumEndpointsInformer according to the context (#15806, @sstoner)
• Replace remaining exit codes -1 with exit code 1 (#13798, @twpayne)
• Revert "azure, policy: Add JSON tags to CRD fields" (#15093, @aanm)
• Revert "Dockerfiles: quote FROM images if they contain 'sha256'" (#14897, @aanm)
• Revert "encryption: Limit encryption keys to 2 bits" (#15487, @brb)
• Revert "loader : Log upsert and remove route errors" (#15517, @nbusseneau)
• Revert accidentally introduced port change (#14328, @brandshaide)
• Revert exported NoTrack rule function names. (#15505, @Weil0ng)
• Simplify runtime/builder image update (#15326, @tklauser)
• Small updates to image build doc to make it a bit clearer (#15816, @Weil0ng)
• source: Reorder AllowSource switch Statement and Comment Nits (#15696, @nathanjsweet)
• stale-bot: stale PRs with assignees (#14364, @aanm)
• Stub out some functionality on non-Linux platforms (#15355, @joestringer)
• Switch metrics map to cilium/ebpf (#14582, @jibi)
• test/helpers: Allow ssh.InsecureIgnoreHostKey in test code (#14535, @twpayne)
• test/Makefile: fix registryCredentials typo (#14051, @kkourt)
• test/packet: Default download to /tmp (#14055, @pchaigno)
• test: Allow test VMs have swap (#14506, @jrajahalme)
• test: Disable the host firewall in incompatible tests (#14037, @pchaigno)
• test: get cilium pods inside background closure (#14057, @kkourt)
• test: Only wait for one operator instance to be ready (#14360, @jrajahalme)
• test: Remove nop condition from tests (#15541, @pchaigno)
• test: update add_vagrant_box.sh (#15831, @twpayne)
• test: update k8s tested versions (#15528, @aanm)
• test: update k8s to 1.20 (#14315, @aanm)
• test: update k8s to 1.21.0 (#15616, @aanm)
• tools: Add initial dev-doctor (#13772, @twpayne)
• treewide: bump copyright year to 2021 in generated files (#14573, @tklauser)
• ui deployment: upgrade envoy to 1.18.2, fix config (#15847, @geakstr)
• Update authors file (#13866, @joestringer)
• Update AWS deps (#15759, @ungureanuvladvictor)
• Update base images with most recent SHAs (Backport PR #15919, Upstream PR #15895, @aanm)
• Update CI infrastructure for v1.10 release (Backport PR #15919, Upstream PR #15947, @christarazi)
• Update CNI network plugin to 0.9.0 (#14620, @tklauser)
• Update EKS e2e testing docs (#14482, @ungureanuvladvictor)
• Update Go to 1.15.5 (#14013, @tklauser)
• Update Go to 1.15.6 (#14298, @tklauser)
• Update Go to 1.15.7 (#14662, @tklauser)
• Update Go to 1.15.8 (#14983, @tklauser)
• Update Go to 1.16 (#15068, @tklauser)
• Update Go to 1.16.1 (#15314, @tklauser)
• Update Go to 1.16.2 (#15344, @tklauser)
• Update Go to 1.16.3 (#15566, @tklauser)
• Update gops to v0.3.18 and build it statically linked (#15853, @tklauser)
• Update kube-router YAML to a newer release in the guide (#15639, @weirdwiz)
• Update release process (#15034, @aanm)
• Update stable releases (#13804, @christarazi)
• Update stable releases (#14282, @aanm)
• Update stable releases (#14671, @aanm)
• Update stable releases (#14706, @aanm)
• Update stable releases (#14763, @joestringer)
• Update stable releases (#14896, @christarazi)
• Update stable releases (#15018, @joestringer)
• Update stable releases (#15122, @joestringer)
• Update stable releases (#15313, @joestringer)
• Update stable releases (#15805, @joestringer)
• Update USERS.md (#14831, @imathu)
• Update weekly community meeting timeslot (Backport PR #16049, Upstream PR #15985, @joestringer)
• Updates golang:1.16.3 digest (#15790, @Weil0ng)
• Use go embed and remove go-bindata dependency (#15834, @aanm)
• Use logging pkg to setup cilium-cni logging (#14253, @ungureanuvladvictor)
• Use time.Truncate of more recent Go (#14493, @youssefazrak)
• Use toRawJson + quote for storing eniTags into Cilium configmap (#14499, @ungureanuvladvictor)
• Use vishvananda/netlink instead of net.Interface* (#15296, @anfernee)
• v1.10: Update Go to 1.16.4 (#16061, @tklauser)
• Vagrant Script: Detect colliding active virtualbox VMs and warn users (#14584, @vsk-coding)
• Vagrant: Add support for .devvmrc (#14272, @jrajahalme)
• vagrant: bump all box versions (#14632, @tklauser)
• vagrant: Bump all Vagrant box versions (#14024, @pchaigno)
• vagrant: bump box versions (#14736, @tklauser)
• vagrant: bump box versions (#15090, @tklauser)
• vagrant: bump box versions, again (#15129, @tklauser)
• vagrant: bump bpf-next vagrant box version (#14600, @borkmann)
• vagrant: Follow cilium-agent options on development VM to Helm defaults (#15367, @Shikugawa)
• vagrant: make restart.sh executable (#13625, @twpayne)
• Vagrantfile: Add support for SHARE_PARENT=2 (#14559, @jrajahalme)
• Various documentation / comments fixes and improvements (#14439, @kaworu)
• vendor: bump github.com/google/gopacket to v1.1.19 (#14472, @tklauser)
• vendor: bump github.com/vishvananda/netlink to latest master (Backport PR #16103, Upstream PR #16070, @tklauser)
• vendor: Bump gopkg.in/yaml.v2 to v2.4.0 (#14230, @twpayne)
• vendor: Bump to latest vishvananda/netlink (#15461, @joestringer)
• vendor: Pin github.com/optiopay/kafka to commit before fork (#15159, @christarazi)
• vendor: switch github.com/shirou/gopsutil to v3 (#15161, @tklauser)
• vendor: Update sigs.k8s.io/structured-merge-diff to v4.1.0 (#15488, @christarazi)
• vendor: update wireguard library (Backport PR #16103, Upstream PR #16066, @aanm)
• vendor: Upgrade github.com/cilium/ebpf to v0.5.0 (#15386, @aditighag)
• vendor: use github.com/blang/semver/v4 (#14327, @tklauser)
• wireguard: Better error message if kernel support is lacking (#15825, @gandro)
• wireguard: Fix rp_filter setting (#15542, @brb)
• wireguard: Improve logging (#15807, @brb)
• wireguard: Remove operator and disable KPR encryption (#15565, @brb)

Other Changes:

• install: Update image digests for v1.10.0-rc1 (#15904, @joestringer)
• install: Update image digests for v1.10.0-rc2 (#16174, @aanm)
• Prepare for release v1.10.0-rc1 (#15897, @joestringer)
• Prepare for release v1.10.0-rc2 (#16167, @aanm)
• workflows: fix image workflows for v1.10 (#16009, @nbusseneau)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.10.0@sha256:587627d909ffe0418c0bd907516496844867a21812946af82096d367760e4c1e
quay.io/cilium/cilium:v1.10.0@sha256:587627d909ffe0418c0bd907516496844867a21812946af82096d367760e4c1e

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.10.0@sha256:c5dbcb2708529e4a3ccc007183d99c5171df5ee1db7e7218d48d7660c8158193
quay.io/cilium/clustermesh-apiserver:v1.10.0@sha256:c5dbcb2708529e4a3ccc007183d99c5171df5ee1db7e7218d48d7660c8158193

docker-plugin

docker.io/cilium/docker-plugin:v1.10.0@sha256:52ccc5f5ab5d791c6f6b89dc57f7f0c2c202dfaef044dc61d4e276e693d43851
quay.io/cilium/docker-plugin:v1.10.0@sha256:52ccc5f5ab5d791c6f6b89dc57f7f0c2c202dfaef044dc61d4e276e693d43851

hubble-relay

docker.io/cilium/hubble-relay:v1.10.0@sha256:e92e6778c71aa9e181618d61e9403761ad061c3960a9203aa2cf8e6cde95c9d7
quay.io/cilium/hubble-relay:v1.10.0@sha256:e92e6778c71aa9e181618d61e9403761ad061c3960a9203aa2cf8e6cde95c9d7

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.10.0@sha256:ab68157bd70c6158ec5fc03f17de81639d5a3ee7acd64120c2788354fa6f1cfc
quay.io/cilium/operator-alibabacloud:v1.10.0@sha256:ab68157bd70c6158ec5fc03f17de81639d5a3ee7acd64120c2788354fa6f1cfc

operator-aws

docker.io/cilium/operator-aws:v1.10.0@sha256:c704c40862aa8eecd6ba66d456701f7514b9db57ae956a8e22f640eea89003ed
quay.io/cilium/operator-aws:v1.10.0@sha256:c704c40862aa8eecd6ba66d456701f7514b9db57ae956a8e22f640eea89003ed

operator-azure

docker.io/cilium/operator-azure:v1.10.0@sha256:eed06e79fd5efed2fc9ccebd98e5c38c610429334389a3da939a40f701c1f399
quay.io/cilium/operator-azure:v1.10.0@sha256:eed06e79fd5efed2fc9ccebd98e5c38c610429334389a3da939a40f701c1f399

operator-generic

docker.io/cilium/operator-generic:v1.10.0@sha256:65143311a62a95dbe23c69ff2f624e0fdf030eb225e6375d889da66a955dd828
quay.io/cilium/operator-generic:v1.10.0@sha256:65143311a62a95dbe23c69ff2f624e0fdf030eb225e6375d889da66a955dd828

operator

docker.io/cilium/operator:v1.10.0@sha256:d0ec430f14a39e0993abef058176c8e41387b58b4354e4bf658af47411867be7
quay.io/cilium/operator:v1.10.0@sha256:d0ec430f14a39e0993abef058176c8e41387b58b4354e4bf658af47411867be7