Note: The summary of changes below reflects the diff between the last stable
release (v1.10.4) and tag v1.11.0-rc0.
Summary of Changes
Major Changes:
- Cilium Istio integration is updated to Istio release 1.9.6. (#16766, @jrajahalme)
- doc: New performance benchmarks and tuning guide (#15943, @tgraf)
- policy: Add ICMP and ICMPv6 support for CNP and CCNP with a feature flag (#16516, @chez-shanpu)
- Provide new installation steps to deploy Cilium in managed Kubernetes providers (GKE, EKS, AKS) to allow scale up and down node pools. (#16631, @aanm)
Minor Changes:
- allow-any-ingress and allow-remotehost-ingress are now used instead of allow-localhost-ingress in policy rule derivedFrom list when appropriate. (#16972, @jrajahalme)
- Add Helm option to disable registering CRD from Cilium Operator (#15655, @Fedosin)
- Add validation of agent flag values for ConfigMap (#16014, @romanspb80)
- Add workload name and workload kind to slim api and hubble api (#16514, @sugangli)
- Adds new Cilium subcommand: cilium encrypt status and cilium encrypt flush (#16770, @h3llix)
- Auto discover ipv6-mcast-device if not provided (#16692, @sarveshr7)
- Auto-detect Azure cloud name via IMDS (#16515, @ungureanuvladvictor)
- Auto-mount bpf file-system from within Cilium DaemonSet and remove the requirement of having it mounted in the host. (#16656, @aanm)
- AWS eni: Support Instance Metadata Service Version 2 (IMDSv2) (#15828, @Smana)
- bpf: Derive host netns cookie via SO_NETNS_COOKIE (#17018, @brb)
- Cilium Istio integration is updated to Istio release 1.10.3. (#17037, @jrajahalme)
- cilium: Improve user experience of policy trace with regard to port a… (#15929, @Maddy007-maha)
- cilium: Make CLI more graceful on environments with IPv6 disabled (#16168, @Maddy007-maha)
- cleanup helm chart (#16896, @dungdm93)
- daemon: Add option --bpf-lb-external-clusterip (#15650, @joamaki)
- daemon: Add wildcard support to --devices ("eth+") (#15697, @joamaki)
- daemon: make consecutive quorum errors threshold configurable (#16885, @ArthurChiao)
- daemon: Make L2 neighbor discovery configurable. (#16974, @bjhaid)
- datapath: Add a new option to skip socket lb when in pod ns (#17154, @brb)
- datapath: optionally disable SIP verification (#16134, @oblazek)
- Display host firewall status in cilium status (#17165, @pchaigno)
- doc: Add more generic install section for egress gateway guide (#16087, @tgraf)
- doc: Reword some results (#15955, @tgraf)
- doc: Update diagrams in benchmark report (#16063, @tgraf)
- docs: Revert host firewall to beta for kube-proxy setups (#16149, @pchaigno)
- Envoy is updated to release 1.18.3 (#17024, @jrajahalme)
- Extend cilium config to expose all active configurations. Add subcommand cilium config get to get configurations from CLI (#16519, @h3llix)
- feat: generate tls certs for ui on helm install (#16601, @yandzee)
- Fixes connectivity issues when kube-proxy replacement is enabled, caused by ineffective socket based load balancing (aka host reachable services) in the private cgroup namespace mode of container runtimes (e.g., docker cgroupv2 configuration). (#16259, @aditighag)
- health: Add flag to set HTTP port (#16926, @errordeveloper)
- helm: add back 'wellKnownIdentities' (#16142, @bmcustodio)
- helm: Add support for disable-endpoint-crd option (#16226, @dntosas)
- helm: Disable the bandwidth manager by default (#16380, @pchaigno)
- HTTP response access logs no longer contain the request headers, except for 'x-request-id', which is still included for request/response correlation purposes. (#16211, @jrajahalme)
- Hubble logs for HTTP responses now include HTTP response headers. (#16013, @jrajahalme)
- hubble/recorder: Extend the API to allow stopping a recording automatically (#16473, @gandro)
- hubble: bump protoc{,-gen-go} and dependencies (#16915, @rolinh)
- hubble: Hubble node_name field should contain cluster name (#15933, @Maddy007-maha)
- images: Bump Hubble CLI to v0.8.0 (#15983, @gandro)
- Improve Hubble memory usage and performance on decoding events (#17482, @tklauser)
- install: Disable kube-proxy-replacement by default (#15422, @tgraf)
- Make NodePort BPF to work on VLAN devices (#16772, @kvaster)
- node-neigh: Locking, logging, misc improvements (#15783, @brb)
- pkg/aws/eni: new subnet-ids parameter (#16119, @mvisonneau)
- Pod L7 visibility annotations are now supported also when policy enforcement is enabled. (#16258, @jrajahalme)
- Remove deprecated --update-ec2-apdater-limit-via-api option (#16374, @twpayne)
- Remove deprecated code (#16502, @pchaigno)
- Rename hostFirewall and mark stable (#17221, @pchaigno)
- Skip iptables masquerading for packets destined to remote nodes (#16603, @pchaigno)
- Store the previous Cilium's configuration options in the host (#16017, @aanm)
- Support EndpointSlices with BGP mode by updating MetalLB to v0.10.0 (#16524, @christarazi)
- Support non-default Azure clouds (#16043, @ungureanuvladvictor)
- Use correct tolerations value when deploying cilium-operator via helm. (#15992, @michaelpetrov)
- wireguard: Set wireguard and route MTU to detected MTU (#16020, @joamaki)
Bugfixes:
- Add '*.mesh.cilium.io' to the list of SANs for the server certificate of 'clustermesh-apiserver'. (#17027, @bmcustodio)
- Adds IPv6 support for generic-veth chaining plugin (#16041, @Weil0ng)
- alibabacloud: fix race (#16175, @l1b0k)
- bpf: fix hw_csum issue for icmp probe packets (#16604, @borkmann)
- bpf: fix iptables masquerading for node -> remote pod traffic (#16136, @jibi)
- change log level for "lock failed: endpoint is in the process of being removed" (#16773, @humancalico)
- Cilium Envoy integration is updated to Envoy release 1.18.4 (#17236, @jrajahalme)
- Cilium Istio integration is updated to Istio release 1.10.4 (#17275, @jrajahalme)
- cilium: Encryption EKS 4.14 kernel (default) fixes (#15867, @jrfastab)
- daemon, node: Fix faulty router IP restoration logic (#16672, @christarazi)
- daemon: Ignore cilium_* interfaces when deriving NodePort device (#16104, @eyanulis)
- daemon: require BPF masq to enable --install-no-conntrack-iptables-rules (#16085, @jibi)
- datapath: Do not SNAT replies to outside (#17168, @brb)
- datapath: panic explicitly when IP of direct-routing-device not found (#17064, @ArthurChiao)
- datapath: Use TUNNEL_MODE as indicator for tunnel mode (#16328, @anfernee)
- DNS proxy is now more available during Cilium restarts, including upgrades. (#16391, @jrajahalme)
- Drop a @ in clustermesh-apiserver helm chart (#15934, @anthr76)
- endpoint: trigger k8s sync controller on identity update (#16381, @jibi)
- eni: Fix Cilium overallocating network interfaces (#15911, @gandro)
- Envoy configuration with --proxy-prometheus-port is fixed. (#16834, @jrajahalme)
- Envoy is updated to release 1.17.3 (#16102, @jrajahalme)
- External Workloads service access is enabled again. (#16662, @jrajahalme)
- Fix "unable to update ipcache map entry on pod add" harmless log warnings (#16286, @aanm)
- Fix 5.10+ complexity issue with kubeProxyReplacement=disabled (#16084, @pchaigno)
- Fix a crash where user specifies incorrect service name in a local redirect policy config, or policy selected service is added after the policy is added. (#16216, @aditighag)
- Fix aws-cni integration where pods were not being scheduled (#15915, @aanm)
- Fix bug where Cilium allocates a new router (cilium_host) IP upon node reboot, breaking connectivity especially with IPsec (#16307, @christarazi)
- Fix bug where IP addresses of devices in unknown state are resolved as remote-node (#17418, @jibi)
- Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (#16057, @christarazi)
- Fix bug where timers used for retries sometimes fired immediately (#16955, @gandro)
- Fix bug where users were unable to use node-selectors in the BGP configuration when using BGP support (#16341, @christarazi)
- Fix bug with Helm chart where a user could not enable BGP and set Operator resources. (#16273, @rkage)
- Fix incorrect packet path with IPsec and endpoint routes, which can cause incorrect policy drops. (#17000, @pchaigno)
- Fix issue where generating Hubble certs were broken (#16509, @alex1989hu)
- Fix Linux slave interface detection (#17189, @pchaigno)
- Fix memory leak that can occur with the presence of FQDN policies (#17432, @aanm)
- Fix transient policy deny during agent restart (#17115, @jaffcheng)
- Fixed bug causing policy realization being skipped in some scenarios with endpoint identity churn. (#16271, @jrajahalme)
- Fixes out-of-sync CEP update (#17001, @Weil0ng)
- helm: Fix patch failure when updating hubble-generate-certs (#16373, @gandro)
- helm: upgrade envoy to v1.18.4 for hubble-ui (#17439, @geakstr)
- hubble/recorder: Refactor service implementation to fix multiple races (#16472, @gandro)
- hubble: Display proxy redirects in policy verdict events (#17411, @pchaigno)
- hubble: Never fail with ErrInvalidRead (#17046, @michi-covalent)
- Ignore K8s namespace events that have the same labels (#16268, @aanm)
- install: Allow setting enable-health-check-nodeport to 'false' (#16323, @dctrwatson)
- ipam: fix crd mode (#16493, @joamaki)
- ipsec: Fix logging of SPI after key rotations (#16557, @pchaigno)
- ipsec: Fix off-by-one error on max keyID (#16647, @pchaigno)
- iptables: Remove leading zeroes (#16817, @jrajahalme)
- lbmap: fix deletion and recreation logic for maglev maps (#16850, @jibi)
- loader: Revert incorrect initialization of endpoints in chaining mode (#16227, @pchaigno)
- lrp: Skip clusterIP service restore in service delete callback (#16548, @aditighag)
- node: Fix race condition on labels' getter/setter (#17217, @pchaigno)
- Optimize memory consumption for clusters with high number of repeated FQDN matchPattern or matchNames (#17224, @aanm)
- Perform reverse NAT at host interface (#15354, @krishgobinath)
- pkg/identity: Add missing labels to well-known identities (#16585, @mauriciovasquezbernal)
- pkg/option: Fix default assignment of EnableWellKnownIdentities (#16434, @mauriciovasquezbernal)
- Plumb Azure interface's VPC / primary CIDR and set it as native routing CIDR in Azure IPAM mode (#16696, @christarazi)
- policy: Fix cilium policy trace output when only deny rules are applied (#16991, @chez-shanpu)
- Potential deadlock in pod identity updates has been fixed. (#16529, @jrajahalme)
- Potential deadlock in pod identity updates has been fixed. (#16801, @jrajahalme)
- Remove node.cilium.io/agent-not-ready node taints if they are re-added after Cilium has started (#17112, @aanm)
- Remove CiliumNode deletion logic from CiliumNode watcher and guarantee CiliumNode's OwnerReference is always set (#17329, @christarazi)
- Remove previous PERM ARP entries installed by Cilium when kube-proxy-replacement and IPSec are disabled. (#16359, @aanm)
- Removes cilium daemonset's dependencies on utilities like sh and mount being installed in the underlying host distributions. (#16815, @aditighag)
- routing: Fix incorrect interface selection for egress pod routes (#17169, @pchaigno)
- Set right User Agent in Kubernetes client for all Cilium components. (#17417, @aanm)
- ui envoy: fix config to keep grpc conn (#15938, @geakstr)
- wireguard: Fix traffic counters in cilium debuginfo (#16178, @gandro)
CI Changes:
- .github/workflows: install ginkgo for test suite build test (#16605, @tklauser)
- .github/workflows: use latest stable cilium-cli release (#16892, @tklauser)
- .github/workflows: verify that each commit builds for test suite changes (#16556, @tklauser)
- .github: AWS-CNI end-to-end test (#16365, @pchaigno)
- .github: Bump CLI version to v0.6 (#15948, @joestringer)
- .github: Cancel outdated GitHub workflows (#16199, @pchaigno)
- .github: Capture hubble flows when smoke test fails (#16968, @christarazi)
- .github: Disable flow validation in flaky tests (#16388, @pchaigno)
- .github: do not useDigest in conformance tests (#16836, @aanm)
- .github: Don't persist credentials in repository (#16052, @pchaigno)
- .github: Don't run CodeQL for every master push (#16241, @pchaigno)
- .github: Don't wait for GKE cluster cleanup (#16319, @pchaigno)
- .github: Fix concurrency group comment triggers (#16310, @pchaigno)
- .github: Fix error triggered by large comments (#16360, @pchaigno)
- .github: Fix scheduled end-to-end tests (#16274, @pchaigno)
- .github: Fix smoke tests sysdump collection from failing prematurely (#17032, @christarazi)
- .github: harden permissions on GH workflows (#16941, @aanm)
- .github: Limit CodeQL workflow to .go files (#16389, @pchaigno)
- .github: Set commit status to error when workflow are cancelled (#16155, @pchaigno)
- .github: Skip unnecessary workflow steps (#16157, @pchaigno)
- .github: Speed up cluster cleanups in end-to-end tests (#16207, @pchaigno)
- .github: Test IPsec with high value for keyID (#16113, @pchaigno)
- .github: Update docs workflow to checkout v2 (#16135, @pchaigno)
- Add workflows for stable branches (#16944, @aanm)
- bpf/Makefile: Enable setting complexity options (#17364, @pchaigno)
- Bump cilium-cli to v0.8.4 (#16799, @tklauser)
- checkpatch: update to latest image to fix checkpatch exit status (#17450, @qmonnet)
- ci-gke: Add -v=6 for kubectl get pods (#15994, @michi-covalent)
- ci-multicluster: Fix post-test information gathering (#16712, @gandro)
- ci/conformance: Various image-related fixes (#16715, @gandro)
- ci/wireguard: Ensure allowedIPs are set as expected (#16011, @gandro)
- ci: add slack notification to GH actions (#16218, @nebril)
- ci: Bump cilium-cli version (#16617, @nebril)
- ci: Bump ubuntu-next image (#16865, @brb)
- ci: Disable NFS locking (#16554, @gandro)
- ci: fix sysdump path (#17455, @nebril)
- ci: restart portmap service on CI nodes (#16506, @nebril)
- ci: update cilium-cli to 0.9.1 (#17464, @nebril)
- cicd: skip codeql on forks (#16560, @ldelossa)
- conformance tests: Use hubble-relay-ci image (#16363, @michi-covalent)
- connectivity-check: Reduce chances of port conflict with proxy (#15988, @pchaigno)
- ebpf unit testing (#16862, @xinyuannn)
- ebpf unit testing -- handle tailcalls and support user-space map emulation (#17114, @xinyuannn)
- examples, connectivity-check, test: Use even-numbered nodePort (#16158, @christarazi)
- Fix and add more commands in CI sysdumps (#16721, @aanm)
- Fix Azure-related data races (#17054, @christarazi)
- github: Misc improvements for the L4LB test suite (#17005, @brb)
- helm,test: Add standalone L4LB XDP tests in a form of Github Action (#16338, @brb)
- hubble/relay: Fix close of closed channel in unit test (#16958, @gandro)
- Improve ipsec compile-time testing in CI (#15872, @joestringer)
- jenkins: switch runtime tests from 4.9 to net-next on master (#17186, @nbusseneau)
- jenkinsfiles: fix race detector pipelines (#16056, @nbusseneau)
- Make LRP restore test logic robust and optimized (#16194, @aditighag)
- node-neigh: Fix concurrent arping update unit test flake (#16578, @brb)
- node-neigh: Fix unit test flake (#16072, @brb)
- node-neigh: Wait instead of sleeping in unit tests (#17035, @aanm)
- node: fix arping test (#16432, @jibi)
- NodePort health checks should be disabled when kube-proxy is installed (#16477, @pchaigno)
- Pick up cilium-cli v0.8.2 (#16650, @michi-covalent)
- Pick up cilium-cli v0.8.3 (#16689, @michi-covalent)
- rate: fix TestStressRateLimiter when run with race detector (#16262, @tklauser)
- Remove tests/ and examples/demo/ (#17003, @brb)
- Revert ".github: Create lint-rst.yaml" (#16786, @bmcustodio)
- Switch ginkgo upgrade testing to upgrade from v1.10->latest (#16483, @joestringer)
- test/Bookinfo: Collect full artifact in case of failure (#16775, @pchaigno)
- test/helpers: add the json output debug in case of failure (#17070, @aanm)
- test/helpers: Fail test on errors (#16395, @pchaigno)
- test/helpers: Fix incorrect count of endpoints (#16437, @pchaigno)
- test/helpers: Fix panic due to missing CEP status (#16443, @pchaigno)
- test/helpers: Save JSON artifacts as .json (#16442, @pchaigno)
- test/K8sBookInfo: Readiness probes for test pods (#16869, @pchaigno)
- test/runtime: Look into log errors after test start (#17351, @joamaki)
- test/runtime: Wait for endpoints to be ready before querying by labels (#15990, @pchaigno)
- test: 5.4 CI job (#15765, @pchaigno)
- test: Add klog lock error to allow-list (#16698, @pchaigno)
- test: Adds test for BPF NAT engine handles unknown protocol packets (#15914, @navarrothiago)
- test: bump coredns version to 1.7.0 (#17489, @aanm)
- test: Debug kubectl.GetPrivateIface failure (#16863, @pchaigno)
- test: Debug IPsec test (#16700, @pchaigno)
- test: Delete DNS pods in AfterAll for datapath tests (#16835, @joestringer)
- test: Delete Istio resources if install does not complete (#16440, @jrajahalme)
- test: do not useDigest in upstream tests (#16886, @aanm)
- test: Don't pass namespace for CCNPs (#16768, @pchaigno)
- test: Don't skip encapsulation tests on GKE (#16627, @pchaigno)
- test: Enable verbose policy logs to help debug flake (#16748, @pchaigno)
- test: Extend the clusterIP tests with policy (#15928, @aditighag)
- test: Fix artifact collection for bad log failures (#16489, @pchaigno)
- test: Fix artifact collection for FQDN matchPattern test (#16759, @pchaigno)
- test: Fix flake in ValidateEndpointsAreCorrect (#16068, @pchaigno)
- test: Fix fragment tracking test on GKE (#15959, @pchaigno)
- test: Fix helper to retrieve tail call counters (#16803, @pchaigno)
- test: Fix incorrect uninstall in K8sBandwidth (#16053, @pchaigno)
- test: fix Infinite loop during VM provisioning (#17031, @h3llix)
- test: Fix local runs of K8sUpdates (#16802, @pchaigno)
- test: Fix missing artifacts for tests with parentheses (#16540, @pchaigno)
- test: Fix the search for VIPs in cilium service list (#15968, @pchaigno)
- test: Instrument LB IP via BGP test with debug-events (#16445, @christarazi)
- test: Log input to json.Unmarshal when it fails (#16099, @pchaigno)
- test: Misc improvements (#16064, @pchaigno)
- test: Move instrumentation to AfterFailed instead of AfterAll (#16845, @christarazi)
- test: Pass container to ExecPodCmdBackground() (#16435, @jrajahalme)
- test: Quarantine fragment tracking test on GKE (#16051, @pchaigno)
- test: Redeploy DNS after endpointRoutes reconfiguration (#16767, @joestringer)
- test: Remove outdated error msg from allowlist (#16998, @pchaigno)
- test: Remove Services SCTP test case (#16895, @brb)
- test: Remove special case for host identity when remote-node identity is disabled (#16450, @romanspb80)
- test: Remove uptime reporting (#16486, @brb)
- test: Retrieve the private interface in an Eventually (#16990, @christarazi)
- test: Run WG with per-endpoint routes (#15906, @brb)
- test: set kubeProxyReplacement=probe for upstream k8s tests (#16162, @aanm)
- test: Skip Istio test on k8s <1.17 (#17445, @jrajahalme)
- test: Specify node-selectors in BGP configmap (#16412, @christarazi)
- test: Spring cleaning of K8sServicesTest (#16470, @brb)
- test: Tiny cleanup of k8s_install.sh (#16534, @brb)
- test: Update list of allowed level=error logs (#16623, @pchaigno)
- test: Use hubble observe's jsonpb output in artifacts (#16054, @pchaigno)
- test: Use new test-verifier image in K8sVerifier (#16231, @pchaigno)
- test: Wait for kube-dns before starting test (#16411, @jrajahalme)
- tests: rework custom calls' AfterEach/AfterAll blocks to skip if needed (#16651, @qmonnet)
- Update cilium-cli to v0.9.0 (#17330, @tklauser)
- vagrant: Bump all Vagrant box versions (#16589, @pchaigno)
- wireguard: Fix timeout in unit test (#16001, @gandro)
- workflows/L4LB: Reprovision if vagrant up fails (#17339, @brb)
- workflows: issue_comment triggers refactoring (#17419, @nbusseneau)
- workflows: add external workload conformance test (#16789, @nbusseneau)
- workflows: add test exceptions for failing L7 tests on EKS with IPsec (#17140, @nbusseneau)
- workflows: disable scheduled runs for 1.10 AKS workflow (#17053, @nbusseneau)
- workflows: disable scheduled runs for 1.10 workflows (#17023, @nbusseneau)
- workflows: filter out schedule events from forks (#16012, @nbusseneau)
- workflows: Fix change detection of comment-triggered jobs (#17171, @pchaigno)
- workflows: fix concurrency group names (#16711, @nbusseneau)
- workflows: Fix Hubble flow capture in smoke tests (#17137, @pchaigno)
- workflows: fix L4LB test missing PR reporting on issue_comment (#16830, @nbusseneau)
- workflows: fix permissions (#17008, @nbusseneau)
- workflows: fix Relay pgrep check when using additional flags (#16831, @nbusseneau)
- workflows: Fix use of paths-filter on master pushes (#16507, @pchaigno)
- workflows: Improve the change check for issue_comment triggers (#16841, @pchaigno)
- workflows: increase VM creation retry count on external workloads (#17138, @nbusseneau)
- workflows: lessen clustermesh clusters names (#16029, @nbusseneau)
- workflows: only gather artifacts on failure (#16010, @nbusseneau)
- workflows: pin cilium-cli version to v0.8.6 (#17143, @nbusseneau)
- workflows: remove label filters for testing workflows (#16735, @nbusseneau)
- workflows: retry GCP VM creation up to 3 times (#17068, @nbusseneau)
- workflows: Revert changes to comment-triggered workflows (#17173, @pchaigno)
- workflows: Skip building cilium-operator image (#16501, @pchaigno)
- workflows: Skip FQDN tests in AWS-CNI workflow (#16868, @pchaigno)
- workflows: Skip jobs instead of workflows (#16487, @pchaigno)
- workflows: Skip L7 test in AWS-CNI chaining mode (#17122, @pchaigno)
- workflows: update cluster names and tags (#15944, @nbusseneau)
- workflows: use !success() for sysdump and Slack notifications (#16899, @nbusseneau)
- workflows: Use new cilium sysdump (#17428, @pchaigno)
- workflows: various fixes & consistency passes (#16787, @nbusseneau)
- workflows: various small fixes (#16311, @nbusseneau)
Misc Changes:
- .gitattributes: Hide Documentation/_static. (#16929, @joestringer)
- .github/workflows: Fix typo (#16074, @christarazi)
- .github: add external docs references to be updated after a release (#16177, @aanm)
- .github: add instructions when releasing a new minor version (#16405, @aanm)
- .github: add MLH config for flake tracking (#17040, @aanm)
- .github: add more release steps (#16257, @aanm)
- .github: add step to check for GH workflow when chart is released (#16851, @aanm)
- .github: Create lint-rst.yaml (#16387, @geyslan)
- .github: Fix image digest job printing (#16660, @joestringer)
- .github: ignore k8s deps in dependabot (#16240, @tklauser)
- .github: Rename project/ci-force to ci/flake (#17344, @pchaigno)
- .github: Rename maintainer's little helper's config file (#16458, @pchaigno)
- .github: set link for GH issue feature template (#17214, @aanm)
- Add arm64 support for the connectivity test (#15894, @aanm)
- Add AWS & Yahoo (#17406, @tgraf)
- Add cilium_egress_v4 to ignoredELFPrefixes (#16334, @Divya063)
- Add Cognite to USERS (#17405, @tgraf)
- Add developer build option to disable optimizations (#16923, @xyz-li)
- Add eCHO (#16283, @lizrice)
- Add Form3 to users (#16643, @kevholditch-f3)
- Add identity GC metrics for CRD allocation mode (#15905, @rscampos)
- Add missing bpftool map dumps (#16055, @h3llix)
- Add neighbor discovery behavior docs to kubeproxy-free. (#17469, @bjhaid)
- add note about selecting proper interface name for masquerading (#17443, @rootkamil)
- add stable.txt (#16453, @rolinh)
- Adding error checks for ctx_load_bytes. (#16138, @trvll)
- Allow configuration of probe timers in Helm chart (#16584, @jonkerj)
- Avoid transitive dependency on github.com/miekg/dns in policy API (#16806, @tklauser)
- backporting: Suggest only one related commit for a backport (#16907, @joestringer)
- Better error reporting/catching in agent on nativeRoutingCIDR (#16646, @jibi)
- bpf/pcap: Use CAPTURE{4,6}_RULES macros (#16809, @pchaigno)
- bpf: Cleanup datapath macros (#17150, @pchaigno)
- bpf: ct: use union to hide the rx_bytes hack (#16471, @jibi)
- bpf: Remove duplicate define from MAX_BASE_OPTIONS (#16911, @christarazi)
- bpf: rename variables with camel-case names (#16476, @qmonnet)
- bpf: two small janitorial cleanups (#16198, @tklauser)
- bpf_host: emit '-> network' traces for egress packets (#16082, @navarrothiago)
- bugtool: Collect BPF cgroup programs related information (#16691, @aditighag)
- bugtool: Default pprof to the agent's gops port (#17004, @glibsm)
- bugtool: Dump xfrm policy stats (#17354, @pchaigno)
- bugtool: Include listing of egress gateway map (#17378, @pchaigno)
- bugtool: Update ip{6,}tables commands (#16778, @pchaigno)
- build(deps): bump 8398a7/action-slack from 3.9.1 to 3.9.2 (#16995, @dependabot[bot])
- build(deps): bump 8398a7/action-slack from 3.9.2 to 3.9.3 (#17383, @dependabot[bot])
- build(deps): bump 8398a7/action-slack from 3.9.3 to 3.10.0 (#17447, @dependabot[bot])
- build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16345, @dependabot[bot])
- build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16357, @dependabot[bot])
- build(deps): bump actions/download-artifact from 2.0.9 to 2.0.10 (#16575, @dependabot[bot])
- build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 (#17247, @dependabot[bot])
- build(deps): bump actions/upload-artifact from 2.2.3 to 2.2.4 (#16576, @dependabot[bot])
- build(deps): bump aws-actions/configure-aws-credentials from 1.5.10 to 1.5.11 (#16942, @dependabot[bot])
- build(deps): bump aws-actions/configure-aws-credentials from 1.5.10 to 1.5.11 (#16959, @dependabot[bot])
- build(deps): bump aws-actions/configure-aws-credentials from 1.5.8 to 1.5.9 (#16182, @dependabot[bot])
- build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16413, @dependabot[bot])
- build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16504, @dependabot[bot])
- build(deps): bump docker/build-push-action from 2.4.0 to 2.5.0 (#16327, @dependabot[bot])
- build(deps): bump docker/build-push-action from 2.5.0 to 2.6.1 (#16743, @dependabot[bot])
- build(deps): bump docker/build-push-action from 2.6.1 to 2.7.0 (#17196, @dependabot[bot])
- build(deps): bump docker/login-action from 1.9.0 to 1.10.0 (#16638, @dependabot[bot])
- build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15917, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15940, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 1.3.0 to 1.4.1 (#16682, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 1.4.1 to 1.5.0 (#16760, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 1.5.0 to 1.5.1 (#16853, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 1.5.1 to 1.6.0 (#17346, @dependabot[bot])
- build(deps): bump docker/setup-qemu-action from 1.1.0 to 1.2.0 (#16326, @dependabot[bot])
- build(deps): bump dorny/paths-filter from 2.10.1 to 2.10.2 (#16532, @dependabot[bot])
- build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1095 to 1.61.1153 (#16606, @dependabot[bot])
- build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1153 to 1.61.1214 (#17072, @dependabot[bot])
- build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.957 to 1.61.1095 (#16215, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.6.0 to 1.7.1 (#16905, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.1.6 to 1.2.0 (#16143, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.2.0 to 1.5.0 (#16927, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.5.0 to 1.6.0 (#17096, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.1.0 to 1.1.1 (#16452, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.13.0 to 1.16.0 (#17347, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.5.0 to 1.9.0 (#16625, @dependabot[bot])
- build(deps): bump github.com/Azure/azure-sdk-for-go from 50.0.0+incompatible to 50.2.0+incompatible (#16077, @dependabot[bot])
- build(deps): bump github.com/go-openapi/errors from 0.19.9 to 0.20.0 (#16796, @dependabot[bot])
- build(deps): bump github.com/go-openapi/loads from 0.20.0 to 0.20.2 (#16185, @dependabot[bot])
- build(deps): bump github.com/go-openapi/runtime from 0.19.26 to 0.19.28 (#16242, @dependabot[bot])
- build(deps): bump github.com/go-openapi/runtime from 0.19.28 to 0.19.29 (#17055, @dependabot[bot])
- build(deps): bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (#17101, @dependabot[bot])
- build(deps): bump github.com/go-openapi/swag from 0.19.14 to 0.19.15 (#16351, @dependabot[bot])
- build(deps): bump github.com/go-openapi/validate from 0.20.1 to 0.20.2 (#16808, @dependabot[bot])
- build(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (#16368, @dependabot[bot])
- build(deps): bump github.com/google/renameio from 1.0.0 to 1.0.1 (#16921, @dependabot[bot])
- build(deps): bump github.com/hashicorp/consul/api from 1.3.0 to 1.9.1 (#17188, @dependabot[bot])
- build(deps): bump github.com/kr/pretty from 0.2.1 to 0.3.0 (#17117, @dependabot[bot])
- build(deps): bump github.com/mattn/go-shellwords from 1.0.10 to 1.0.12 (#17061, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.2 to 3.21.5 (#16410, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.7 (#17127, @dependabot[bot])
- build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1 (#17233, @dependabot[bot])
- build(deps): bump helm/kind-action from 1.1.0 to 1.2.0 (#16706, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.3.0 to 1.4.0 (#16466, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.4.0 to 1.4.1 (#16956, @dependabot[bot])
- build(deps): bump Sibz/github-status-action from 1.1.5 to 1.1.6 (#17476, @dependabot[bot])
- build(deps): update KyleMayes/install-llvm-action requirement to v1.3.0 (#16059, @dependabot[bot])
- Bump github.com/aws/aws-sdk-go-v2/service/ec2 to v1.13.0 (#17113, @ungureanuvladvictor)
- bwm: queue mapping & cong fixes (#15964, @borkmann)
- byteorder: Simplify byteorder package (#16201, @twpayne)
- checkpatch: update image to fix checks on commit object and message (#17067, @qmonnet)
- checkpatch: update image to improve checks and extend to all commits (#16739, @qmonnet)
- Checks k8s metadata for pod before removing IP from ipcache (#17161, @Weil0ng)
- chore: normalize error handling in kube_proxy_replacement.go (#16811, @ldelossa)
- chore: normalize returning of errors in NewDaemon (#16861, @ldelossa)
- ci: Increase the CI image wait timeout to 30 minutes (#17409, @michi-covalent)
- ci: use git status instead of git diff to check for a clean state (#16619, @kaworu)
- Clarify one-time setup for backporting (#16016, @christarazi)
- Cleanup Azure allocator cloud name detection code (#16888, @ungureanuvladvictor)
- clustermesh: fix CEP status patch (#16986, @nbusseneau)
- CODEOWNERS: add entries for health, recorder and relay APIs (#16522, @tklauser)
- CODEOWNERS: Assign pkg/cgroups to cilium/bpf (#16758, @pchaigno)
- CODEOWNERS: Give maintainer's code to github-sec team (#16426, @pchaigno)
- codeql: Fix GitHub Action permissions (#17376, @twpayne)
- conditionally change hubble relay port in hubble-ui (#16511, @alex1989hu)
- contrib/backporting: add environment variables to set ORG and REPO (#17424, @aanm)
- contrib/docs: rename 'cilium-actions.yml' with 'maintainers-little-helper.yaml' (#16750, @aanm)
- contrib/vagrant/start.sh: add a NO_BUILD export (#17425, @kkourt)
- contrib/vagrant: Use CRDs instead of kvstore if K8S=1 (#15913, @pchaigno)
- contrib: Ensure release tag is upstream before push (#15903, @joestringer)
- contrib: Explicitly set remote for backport branches (#16804, @twpayne)
- contrib: Fix bump-readme.sh script (#17311, @joestringer)
- contrib: fix dual-stack support in dev VMs (#15887, @aanm)
- contrib: Fix scripts for v1.10 (#15898, @joestringer)
- contrib: Identify upstream commits by author and date (#16572, @pchaigno)
- contrib: Improve release script guard rails (#16936, @joestringer)
- contrib: Make upstream commit check more generic (#16160, @joestringer)
- contrib: Request author review during backports (#16484, @joestringer)
- contrib: simplify check-docker-images script (#16176, @aanm)
- contrib: update etcd's dev VM version (#16193, @aanm)
- Convert license headers to SPDX (#16887, @ldelossa)
- correct comment Service6Key and Service4Key (#17271, @ChenYahui2019)
- daemon, ipam, option: Introduce ability to bypass IP availability error (#17492, @christarazi)
- daemon: Add --derive-masquerade-ip-addr-from-device opt (#17230, @brb)
- daemon: fix race in config handler (#17413, @h3llix)
- daemon: Improve logging of device auto-detection (#16118, @brb)
- daemon: log any error returned by RestoreServices() (#16666, @jibi)
- daemon: Warn on disabling iptables (#16611, @joestringer)
- datapath/linux: enable neighbor discovery in unit tests (#17044, @aanm)
- datapath: Sort VLAN IDs in generated macros (#17105, @jrajahalme)
- dev-doctor: add check for the root directory (#16205, @twpayne)
- dev-doctor: Add docker and docker buildx checks (#16265, @twpayne)
- dev-doctor: Bump minimum hub version requirement for backporting (#16734, @twpayne)
- dev-doctor: use default GOPATH when missing from env (#17385, @kaworu)
- doc/encryption: improve consistency between ipsec and wireguard guides (#15965, @rolinh)
- doc: update Hubble/Hubble Relay guides for recent CLI changes (#15981, @rolinh)
- Dockerfile: use alpine 3.12 (#15950, @aanm)
- docs(k3s): add back the flag to disable network policies (#16755, @rio)
- docs, bpf: fix llvm-objdump --no-show-raw-insn options (#16848, @ClaudiaJKang)
- docs, gsg: add link to plumbers talk on service lb mechanisms (#16171, @borkmann)
- docs, gsg: minor edits to kpr guide and note on hybrid use (#16169, @borkmann)
- docs/ipsec: misc improvements (#15978, @kaworu)
- docs: account for bandwidth manager now being disabled by default (#16782, @bmcustodio)
- docs: add 'endpointRoutes.enabled=true' to aws-cni (#16045, @bmcustodio)
- docs: add a "Copy Commands" button for shell-session snippets (#16408, @qmonnet)
- docs: add a reference of helm values (#16238, @bmcustodio)
- docs: Add caveat for OpenShift (#16161, @christarazi)
- docs: add cilium build dependency when regen'ing docs (#17155, @ldelossa)
- docs: add custom spelling filter to check WireGuard spelling (#16513, @qmonnet)
- docs: add forking instructions + workflow + fix contributing notes (#16025, @nbusseneau)
- docs: add guidelines for contributing to Cilium's documentation (#16738, @qmonnet)
- docs: add ids to the list of special identities (#16123, @bmcustodio)
- docs: add information about ConfigMap updates (#16141, @aanm)
- docs: Add missed build tag flags in testing docs (#17160, @twpayne)
- docs: add missing mount bpf fs on minikube GSG (#16324, @aanm)
- docs: Add note about DNS-related policies on OpenShift (#16083, @twpayne)
- Docs: Changed parameters for minikube start (#16570, @mauilion)
- docs: Clarify coordination for backporting process (#15989, @christarazi)
- docs: Clarify exact requirements for the egress gateway (#17381, @pchaigno)
- docs: clarify language on libceph and kernel 5.8 in kubeproxy-free GSG (#16969, @bluikko)
- docs: Clarify LRP loop related note (#16342, @aditighag)
- docs: Clarify SA target in KPR gsg (#16954, @brb)
- docs: clustermesh: fix output of "cilium clustermesh status" command (#15982, @jibi)
- docs: deprecate native-routing-cidr from v1.10 (#16688, @jibi)
- docs: Document `--debug-verbose=datapath` in debugging datapath section (#16022, @navarrothiago)
- docs: Document dns visibility limitations (#16822, @joestringer)
- docs: document the policy for backporting documentation changes (#16137, @qmonnet)
- docs: ENIs should not be managed by the OS (#16186, @gandro)
- docs: fix a typo in Helm installation documentation (#16325, @netflash)
- docs: Fix build failure (#16454, @pchaigno)
- docs: fix check-crd-compat-table script (#16545, @aanm)
- docs: fix code-block for bpf mount example (#16719, @aanm)
- docs: fix code-block formatting for XDP load example (#16876, @ClaudiaJKang)
- docs: Fix command for overwriting iptables on kube-proxy replacement install (#16264, @Stijn98s)
- docs: Fix egress gateway getting started guide (#15984, @gandro)
- docs: fix Helm documentation and doc checks (#16737, @qmonnet)
- docs: Fix Helm instructions for BGP (#16263, @xentobias)
- Docs: Fix maglev.hashSeed byte size documentation (#16690, @gaffneyd4)
- docs: Fix missing quote in gcloud command for GKE (#17014, @christarazi)
- docs: fix some dead links (#16336, @aanm)
- docs: Fix typo in BGP GSG (#16563, @christarazi)
- docs: Fix up broken minikube link (#17382, @joestringer)
- docs: Fix version sorting for CRD schema docs (#17288, @joestringer)
- docs: fix warnings for documentation build, use a linter (#16407, @qmonnet)
- docs: Fix WireGuard spelling (#16293, @gandro)
- docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (#15963, @ti-mo)
- docs: Hubble UI does not show HTTP endpoints anymore (#16535, @gandro)
- docs: ignore `__pycache__` directory created by custom spelling filters (#16791, @qmonnet)
- docs: improve and fix minor issues (#15975, @qmonnet)
- docs: improve the aws-cni chaining page (#15979, @bmcustodio)
- docs: improve the bandwidth manager page (#16783, @bmcustodio)
- docs: Improve wording around Helm values in OKD GSG (#16069, @errordeveloper)
- docs: include maintainers CODEOWNERS release process (#15924, @aanm)
- docs: Instructions to upgrade aws-cni (#16431, @pchaigno)
- docs: mark node-to-node IPSec encryption as beta (#16200, @qmonnet)
- docs: minor improvements to tuning guide (#16024, @borkmann)
- docs: Minor language tweak (#15923, @glibsm)
- docs: remove 1.7 upgrade guide and add upgradeCompatibility for 1.9 (#16288, @aanm)
- docs: remove misplaced sentence from Quick Installation guide (#15971, @lfundaro)
- docs: rename maintainers team to cilium-maintainers (#16591, @aanm)
- docs: run GitHub action when Charts are touched to check Helm values ref (#16577, @qmonnet)
- docs: Some Wireguard improvements (#16023, @brb)
- docs: tell how to deploy demo app in Hubble CLI guide (#15973, @lfundaro)
- docs: Update link to be specific to Janitors (#16732, @pchaigno)
- docs: update OpenShift getting started guide (#16006, @twpayne)
- docs: Update packer-ci-build docs (#17395, @twpayne)
- docs: update requirements (urllib3 1.26.5, requests 2.25.1) (#16396, @qmonnet)
- docs: Update SIG-Datapath meeting time. (#16027, @joestringer)
- docs: update the version specific notes table (#16710, @bmcustodio)
- docs: Update troubleshooting for 1.10 (#16081, @twpayne)
- docs: use `.. code-block:: shell-session` wherever relevant (#16474, @qmonnet)
- docs: Use cilium sysdump instead of python sysdump (#17402, @michi-covalent)
- docs: various fixes to documentation, notably Getting Started Guides (#16126, @nbusseneau)
- Documentation/gettingstarted: fix helm arguments (#17496, @AlexZzz)
- Documentation: don't use docker for check-cmdref (#16939, @kkourt)
- ebpf: delete existing pinned map if incompatible with the spec (#15832, @jibi)
- Encryption docs update (#14940, @aditighag)
- ethtool: use ioctl wrapper from golang.org/x/sys/unix (#17153, @tklauser)
- examples: add an example of a hubble-cli Deployment (#16459, @kaworu)
- examples: Fix up standalone-etcd.yaml (#17369, @joestringer)
- Fix alias of cilium-health get (#16891, @xyz-li)
- Fix encryption getting started guides for v1.10 (#15961, @jibi)
- Fix logging for expired FQDN IPs (#16030, @youssefazrak)
- fix warning log for list IPV6 address: move IPV4 to IPv6. (#16475, @lic17)
- fix(docs): bandwidth-manager install error (#17338, @withlin)
- Fixed a minor race condition on drop counts when hubble starts dropping flows/events because of a full channel. This change will also log the fact that drops are happening once, rather than a log message for every drop, and will log an additional comment after drops are no longer happening with the number of events/flows that were dropped. (#15967, @nathanjsweet)
- Follow ups for host firewall support of endpoint routes (#15942, @pchaigno)
- fqdn: add fqdn proxy interface (#17318, @nebril)
- github: Fix external workloads test file syntax (#17019, @brb)
- github: Increase workflow timeout (#16819, @jrajahalme)
- helm: Remove redundant capabilities (#17131, @gandro)
- helm: set correct versions of docker images in Makefile (#17477, @aanm)
- hubble: Fix data races in `pkg/hubble.TestRingReader_NextFollow_WithEmptyRing` (#17397, @gandro)
- images/script: update the example hubble cli Deployment version (#16537, @kaworu)
- images: Bump Hubble CLI to v0.8.2 (#17362, @kaworu)
- images: Bump iproute2 image (#17222, @brb)
- images: Move hubble-proto into cilium-builder (#16217, @gandro)
- images: Remove trailing newlines before computing SHA256 (#16621, @pchaigno)
- Improve author attribution scripts (#15899, @joestringer)
- Improve logging when cgroupfs mount fails (#15999, @johngv2)
- Improve output of development VM startup (#17343, @pchaigno)
- Improve the Helm chart documentation. (#16469, @bmcustodio)
- Improves the error logs during the bpf maps updating (#16034, @elfadel)
- install/kubernetes: remove duplicated 'key' in volumes (#17123, @aanm)
- install: Fix hubble-ui-backend digest tracking (#15900, @joestringer)
- install: Fix README links to getting started guides (#16947, @joestringer)
- Introduce v2 backend map with u32 backend ID (#17235, @Weil0ng)
- ipam/allocator/podcidr: fix old pod cidr logging error (#17372, @lrouter)
- ipcache: Remove unused fields (#17356, @joestringer)
- iptables: Add extra warning message listing missing IPV6 kernel modules (#16842, @oneiro-naut)
- issue_14922: Fixed the 429 response code handling (#15760, @Maddy007-maha)
- jenkinsfiles: Don't display nulls in current build display name (#17258, @twpayne)
- k8s: Bump schema version for v1.11 development (#17289, @joestringer)
- k8s: Fix logging (#16530, @jrajahalme)
- lbmap: Log svc update after bpf() syscall invocation (#17017, @brb)
- logging: enhanced log level setting interface (#16021, @mvisonneau)
- MAINTAINERS: update MAINTAINERS.md (#17427, @nbusseneau)
- Make backporting responsibility more clear (#15700, @joestringer)
- Make go test ./... succeed by default (#16914, @twpayne)
- Makefile, contrib: Add script to create kind cluster (#12527, @christarazi)
- Makefile: fix line continuation in docker build (#17059, @krsna1729)
- Makefile: fix typo in helper message (#17128, @aanm)
- maps: switch maglev to cilium/ebpf package (#15546, @jibi)
- Minikube guide updates (#16346, @aditighag)
- Minor fixes for OKD GSG (#16000, @errordeveloper)
- Misc. GH workflow improvements and hardness (#16908, @aanm)
- monitor: Initialize agent in daemon early (#17407, @gandro)
- monitor: print error message on failure to decode layer (#16397, @qmonnet)
- netns: Fix socket leak (#17051, @brb)
- node-neigh: Avoid flooding the same next hop (#15882, @brb)
- node: Add WireguardPubKey to ToCiliumNode (#16420, @gandro)
- operator: Improve identity GC efficiency (#17359, @christarazi)
- operator: misc. refactoring and code removal (#16918, @aanm)
- option: Fix ipvlan master device config (#17130, @joestringer)
- pkg/k8s: add pod IP event change (#16190, @aanm)
- pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors (#16153, @aanm)
- pkg/k8s: re-add CiliumIsUp Node condition even if removed (#16857, @aanm)
- pkg/kvstore: fix concurrent access of var in testing (#16427, @aanm)
- pkg/kvstore: fix TestRunLocksGC unit test (#16596, @aanm)
- pkg/node: add comments for IPLen in getCiliumHostIPsFromFile (#16877, @aanm)
- Prepare for 1.11.0 development (#15870, @joestringer)
- proxy: Expose cachedSelectorREEntry type (#17341, @nebril)
- proxylib/test: fix data race between StartAccessLogServer and Close (#16298, @tklauser)
- proxylib: Fix data races in unit tests (#17141, @gandro)
- README: fix the Weekly Community Meeting time (#17215, @tixxdz)
- README: update link to docker images to quay.io (#16116, @jibi)
- refactor cert-gen logic (#16900, @dungdm93)
- Refactor logging package to split syslog functionality into separate file (#16600, @tklauser)
- Refactored, renamed and small misc changes in GH workflows (#16312, @aanm)
- Removes CEP subresource. (#15632, @Weil0ng)
- replaced and removed useless field in RemoteCache (#16290, @sstoner)
- Restrict Kubernetes access for hubble-relay (#16937, @jonkerj)
- Restructure helm chart into components (#16795, @dungdm93)
- Revert "config: Fix incorrect packet path with IPsec and endpoint rou… (#17057, @aanm)
- Revert "docs: add 'endpointRoutes.enabled=true' to aws-cni" (#16756, @bmcustodio)
- Revert "docs: deprecate native-routing-cidr from v1.10" (#16695, @jibi)
- Revert "Perform reverse NAT at Host Interface" (#17319, @nbusseneau)
- Revert "policy: Make selectorcache callbacks lock-free" (#16769, @aanm)
- SECURITY.md: Update security policy for v1.10 release cycle (#16254, @joestringer)
- sockops: Remove duplicate error logging (#16417, @pchaigno)
- Specify scrape interval for Hubble metrics (#16214, @christian-2)
- Support serviceAnnotations to helm-metrics service (#17366, @carloscastrojumo)
- test/bpf: Flag to continue in case of errors (#16793, @pchaigno)
- test: Add HostPort conformance to upstream-k8s (#17048, @joestringer)
- test: align filter for kubectl.GetPodsNodes() on kubectl.GetPodsIPs() (#16398, @qmonnet)
- test: Delete the test namespace in CLI test (#17134, @jrajahalme)
- test: Increase service/DNS timeout from 30 to 240 seconds (#16820, @jrajahalme)
- tests: re-enable Host Firewall for AutoDirectNodeRoutes test and encryption + direct routing (#16652, @qmonnet)
- Togroups policy fixup (#15987, @psinghal20)
- tooling: introduce target for generating json compilation database (#17065, @ldelossa)
- treewide: convert more license headers to SPDX (#17151, @twpayne)
- Update base images with most recent SHAs (#15895, @aanm)
- Update CI infrastructure for v1.10 release (#15947, @christarazi)
- Update Go to 1.16.4 (#16058, @tklauser)
- Update Go to 1.16.5 (#16428, @tklauser)
- Update Go to 1.16.7 (#17116, @tklauser)
- Update Go to 1.17 (#17190, @tklauser)
- Update Go to 1.17.1 (#17360, @tklauser)
- Update stable releases (#16184, @joestringer)
- Update stable releases (#16355, @aanm)
- Update stable releases (#16547, @aanm)
- Update stable releases (#16765, @aanm)
- Update stable releases (#16902, @aanm)
- Update stable releases (#16948, @joestringer)
- Update stable releases (#16988, @joestringer)
- Update stable releases (#17310, @joestringer)
- update stable releases in README (#16244, @aanm)
- Update test/packet instructions for running CI tests on dedicated instances (#16423, @christarazi)
- Update USERS.md (#17231, @acholt)
- Update weekly community meeting timeslot (#15985, @joestringer)
- Use iproute2 with libbpf for loading datapath BPF programs (#16727, @brb)
- vagrant: Disable KPR in development VM to match Helm default (#16152, @pchaigno)
- vendor: bump etcd to v3.5.0 and grpc to v1.39.0 (#15123, @rolinh)
- vendor: bump github.com/vishvananda/netlink to latest master (#16070, @tklauser)
- vendor: Bump go.universe.tf/metallb (#16187, @christarazi)
- vendor: Update go.universe.tf/metallb (#16523, @christarazi)
- vendor: update k8s dependencies and tests to 1.21.1 (#16212, @aanm)
- vendor: Update k8s dependencies and tests to 1.21.3 (#16608, @christarazi)
- vendor: update mongo-driver to 1.5.1 to fix CVE-2021-20329 (#17234, @aanm)
- vendor: update wireguard library (#16066, @aanm)
- verifier-test.sh: allow for empty FOO_PROGS (#17408, @kkourt)
- version, metrics: allow to build on non-unix platforms (#16679, @tklauser)
Other Changes:
Docker Manifests
cilium
docker.io/cilium/cilium:v1.11.0-rc0@sha256:95fa7c285f525cf1cf53921d39fccaede425e52e94033015ffa046ddb0edf461
quay.io/cilium/cilium:v1.11.0-rc0@sha256:95fa7c285f525cf1cf53921d39fccaede425e52e94033015ffa046ddb0edf461
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.11.0-rc0@sha256:498f9a2ac1df54c4597d63713a4b79a9e2bd33f71ad88d8341455fc6b4a8754b
quay.io/cilium/clustermesh-apiserver:v1.11.0-rc0@sha256:498f9a2ac1df54c4597d63713a4b79a9e2bd33f71ad88d8341455fc6b4a8754b
docker-plugin
docker.io/cilium/docker-plugin:v1.11.0-rc0@sha256:839e72fa61b333c9cdd02fd10979bcad3915d9d80552babbcd21ba5174e5b26d
quay.io/cilium/docker-plugin:v1.11.0-rc0@sha256:839e72fa61b333c9cdd02fd10979bcad3915d9d80552babbcd21ba5174e5b26d
hubble-relay
docker.io/cilium/hubble-relay:v1.11.0-rc0@sha256:6701a9d2368f02ba866c5e790b9df51920da1756de619701807151be1c6d8568
quay.io/cilium/hubble-relay:v1.11.0-rc0@sha256:6701a9d2368f02ba866c5e790b9df51920da1756de619701807151be1c6d8568
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.11.0-rc0@sha256:65b2a46838ab79547ab0bf92673e08e8350028a43394763118c883d85f84051a
quay.io/cilium/operator-alibabacloud:v1.11.0-rc0@sha256:65b2a46838ab79547ab0bf92673e08e8350028a43394763118c883d85f84051a
operator-aws
docker.io/cilium/operator-aws:v1.11.0-rc0@sha256:3ae7c52766640cdd4a3d0f0967109ecf9796f34c95caab3b4b121165fda71d85
quay.io/cilium/operator-aws:v1.11.0-rc0@sha256:3ae7c52766640cdd4a3d0f0967109ecf9796f34c95caab3b4b121165fda71d85
operator-azure
docker.io/cilium/operator-azure:v1.11.0-rc0@sha256:f9b0ef0ec8b9f2ab46254d217ad532350df3efb41417658afd408922c3a0b7c9
quay.io/cilium/operator-azure:v1.11.0-rc0@sha256:f9b0ef0ec8b9f2ab46254d217ad532350df3efb41417658afd408922c3a0b7c9
operator-generic
docker.io/cilium/operator-generic:v1.11.0-rc0@sha256:587a2c33c698b4900493e31aaded714480be7bde54ed9ce8e41d05a02af9ade5
quay.io/cilium/operator-generic:v1.11.0-rc0@sha256:587a2c33c698b4900493e31aaded714480be7bde54ed9ce8e41d05a02af9ade5
operator
docker.io/cilium/operator:v1.11.0-rc0@sha256:50f5197b356abff51c90c49b6fb185793f8ba49773a3c6bddb21f93bdb40aba6
quay.io/cilium/operator:v1.11.0-rc0@sha256:50f5197b356abff51c90c49b6fb185793f8ba49773a3c6bddb21f93bdb40aba6