We are pleased to release Cilium v1.13.0-rc2.
Summary of Changes
Major Changes:
- bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann)
- gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras)
- Sign Cilium container images using cosign (#21918, @sandipanpanda)
Minor Changes:
- Add --source-ranges option to `cilium bpf lb list` (#19705, @julianwiedmann)
- ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
- Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
- Enable operator operation without kubernetes. (#21344, @pruiz)
- Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
- helm: Add validation for Ingress Controller (#21550, @sayboras)
- Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
- helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
- hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
- hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
- hubble: add support for filtering by trace ID (#21551, @rolinh)
- hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
- ingress: Follow-up items for shared LB mode (#21493, @sayboras)
- ipam: Support custom owner IPs in CRD IPAM pool (#21379, @llhhbc)
- makefile: add a new target to run 'golangci-lint run --fix' (#21547, @aspsk)
- Prepend Envoy resources with CEC namespace and name (#21500, @pippolo84)
- Sign container images with cosign (#21739, @sandipanpanda)
- The CNI configuration file is now written only after the agent has successfully started up. Configuring a custom CNI configuration file is now simpler and more reliable. See the docs for more details. (#21375, @squeed)
- XDP NodePort Acceleration can also be used for clusters in tunnel mode. (#21364, @julianwiedmann)
Bugfixes:
- Add missing inner IP header in ICMP error-reply packet (#21234, @nnbu)
- alibabacloud: Fix create ENI failure: The specified parameter "SecondaryPrivateIpAddressCount" is not valid (#21828, @jaffcheng)
- bpf: always track egress gateway connections (#21499, @jibi)
- bugtool: Fix pprof default ports (#21497, @pippolo84)
- Fix agent deadlock caused by frequent kube-apiserver IP recycling (#21629, @joestringer)
- Fix bug in AlibabaCloud where vSwitches could not be matched (#21635, @haozhangami)
- Fix bug that can cause some traffic covered by an L7 policy to be dropped when IPsec is enabled on EKS. (#21595, @pchaigno)
- Fix overlapping/duplicate PodCIDR allocation when nodes are added while operator is down (#21526, @dylandreimerink)
- Fixed CCNP garbage collection (#21394, @zuzzas)
- Fixes a deadlock that can be exposed in high-churn clusters when Pods are deleted rapidly. (#21771, @squeed)
- Fixes cilium startup on certain AWS-VPC clusters. (#21444, @squeed)
- ipam/crd: Fix ENI leak due to miscounting of empty interface slots (#21800, @jaffcheng)
- ipcache: Fix metadata access from CIDR allocation (#21565, @joestringer)
- nodeinit: Move kubelet version check to expected branch (#21772, @dctrwatson)
CI Changes:
- CI: Add AKS helm overrides for E2E test (#21277, @vipul-21)
- CI: Using the same function for Native CIDR for GKE and AKS (#21701, @vipul-21)
- conformance-gke-v1.12: Miscellaneous fixes (#21613, @michi-covalent)
- fqdn/dnsproxy: Rewrite dnsproxy benchmark (#21895, @odinuge)
- gh/workflows: Pin lvh to v0.0.1 (#21525, @brb)
- kind.sh: Retry pulling docker registry image (#21566, @michi-covalent)
- Pin gcloud CLI version (#21885, @michi-covalent)
- Provide Go file patterns to `go test`, removing for loops in Makefile (#21560, @ti-mo)
- Replace `privileged_tests` build tag with `PRIVILEGED_TESTS` environment variable (#20769, @ti-mo)
- Run 'go test' with CGO_ENABLED=0 (#21663, @ti-mo)
- Run tooling in module mode by removing GO111MODULE=off (#21606, @ti-mo)
- test: fix up the number of pods in DemoDaemonSet (#21588, @julianwiedmann)
Misc Changes:
- .github: add original authors of bugs as reviewers (#21478, @aspsk)
- Add a section with distro-specific considerations (#21064, @bmcustodio)
- Add Immerok to USERS.md (#21714, @austince)
- ADD to USERS.md Kilo and Sapian (#21503, @arpagon)
- bpf: minor cleanups (#21778, @julianwiedmann)
- build(deps): bump actions/cache from 3.0.10 to 3.0.11 (#21727, @dependabot[bot])
- build(deps): bump actions/cache from 3.0.8 to 3.0.10 (#21552, @dependabot[bot])
- build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (#21572, @dependabot[bot])
- build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#21837, @dependabot[bot])
- build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#21779, @dependabot[bot])
- build(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 (#21687, @dependabot[bot])
- build(deps): bump docker/login-action from 2.0.0 to 2.1.0 (#21686, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2.0.0 to 2.1.0 (#21688, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2.1.0 to 2.2.0 (#21754, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 2.2.0 to 2.2.1 (#21781, @dependabot[bot])
- build(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 (#21726, @dependabot[bot])
- build(deps): bump dorny/paths-filter from 2.10.2 to 2.11.1 (#21713, @dependabot[bot])
- build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.2 to 22.4.0 (#21358, @dependabot[bot])
- build(deps): bump github.com/hashicorp/consul/api from 1.14.0 to 1.15.2 (#21658, @dependabot[bot])
- build(deps): bump github.com/hashicorp/consul/api from 1.15.2 to 1.15.3 (#21912, @dependabot[bot])
- build(deps): bump github.com/kr/pretty from 0.3.0 to 0.3.1 (#21634, @dependabot[bot])
- build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1 (#21690, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.8 to 3.22.9 (#21645, @dependabot[bot])
- build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#21215, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.26 to 2.1.27 (#21622, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.27 to 2.1.28 (#21780, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.28 to 2.1.29 (#21890, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.4 to 3.5.5 (#21323, @dependabot[bot])
- build(deps): bump go.opentelemetry.io/otel/trace from 1.10.0 to 1.11.1 (#21879, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#21836, @dependabot[bot])
- build(deps): bump google-github-actions/auth from 0.8.1 to 0.8.2 (#21728, @dependabot[bot])
- build(deps): bump google-github-actions/auth from 0.8.2 to 0.8.3 (#21741, @dependabot[bot])
- build(deps): bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.1 (#21731, @dependabot[bot])
- build(deps): bump google-github-actions/setup-gcloud from 0.6.1 to 0.6.2 (#21742, @dependabot[bot])
- build(deps): bump google.golang.org/grpc from 1.49.0 to 1.50.1 (#21755, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.5.4 to 1.5.5 (#21406, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.5.5 to 1.6.0 (#21864, @dependabot[bot])
- build(deps): bump michi-covalent/push-to-loki from 0.2.1 to 0.2.2 (#21553, @dependabot[bot])
- build(deps): bump nick-invision/retry from 2.8.1 to 2.8.2 (#21748, @dependabot[bot])
- change slice declarations to array initialization (#21536, @mstrYoda)
- chore: Fix typo in contrib/script/kind-shell-helpers.sh (#21855, @sadikkuzu)
- ci: reenable goerr113 and unused linters across the codebase (#21578, @ti-mo)
- Clarify in documentation that Azure CNI chaining is different from Azure CNI powered by Cilium. (#21897, @wedaly)
- clustermesh-apiserver: Add support for pprof (#21584, @pippolo84)
- CODEOWNERS: Add ownerships for IPsec team (#21567, @pchaigno)
- consolidate_go_stacktrace.py: Add support for replacing Cilium source directory inline (#21518, @joestringer)
- consolidate_go_stacktrace.py: Use relative paths by default (#21673, @michi-covalent)
- consolidate_go_stacktrace: Fix relative paths (#21812, @joestringer)
- contrib: avoid reviews from non-collaborators (#21577, @bimmlerd)
- correct the stale documentation link (#21889, @dmitris)
- daemon, options: remove deprecated, ineffective options (#21524, @tklauser)
- dashboards: Enable exemplars for histogram queries in Hubble L7 workloads dashboard (#21773, @chancez)
- dev-doctor: Fix the docker buildx version regex (#21561, @gentoo-root)
- dns: Add DataSource field to ProxyRequestContext (#21854, @michi-covalent)
- docs/crd: Support master RCs in schema bump script (#21535, @joestringer)
- docs: cilium committers are also CNCF maintainers (#21802, @lizrice)
- docs: CNCF maintainer update process (#21649, @lizrice)
- docs: Document the workaround for the kernel bug on new Intel CPUs (#21803, @gentoo-root)
- docs: Fix 'interface' field indentation (#21798, @lou-lan)
- docs: merge Alibaba install guide into quick install guide (#21581, @yoyo-go)
- docs: Remove `autoDirectNodeRoutes` where not needed (#21831, @pchaigno)
- docs: Update k8s NetworkPolicy descriptions (#21670, @joestringer)
- document missing bpf.hostLegacyRouting, bpf.tproxy, bpf.vlanBypass option (#21650, @vincentmli)
- Document missing bpf ctTcpMax ctAnyMax natMax neighMax helm option (#21627, @vincentmli)
- Documentation: Fix out-of-sync codeowners (#21583, @pchaigno)
- Egress Gateway: move code into its own header file, and remove the dependency on TUNNEL_MAP. (#21719, @julianwiedmann)
- Fix broken link to CNCF CoC (#21616, @xmulligan)
- Fix grpc-ingress.yaml path in Service Mesh docs (#21601, @pippolo84)
- Fix hubble metrics label ordering with contextOptions (#21732, @chancez)
- Fix incorrect env var name used in docs for Helm installation on Rancher Desktop (#21835, @ehausig)
- fix kernel config file and config option probe log (#20889, @vincentmli)
- Fix log level for "local-redirect service exists for frontend" error (#21898, @tbalthazar)
- Fix up and lint SPDX headers in all Go files (#21821, @ti-mo)
- fix: correction in PR #21825 (#21904, @nnbu)
- Fix: prevent goroutine leakage (#21913, @kerthcet)
- fqdn/dnsproxy, daemon: Define new error type for DNS notification (#21517, @christarazi)
- fqdn/dnsproxy: Add concurrency grace period parameter (#21668, @pippolo84)
- fqdn: convert map keys and internal types to `netip.Addr` (#21620, @tklauser)
- gha: Update the names for ConformanceIngress jobs (#21494, @sayboras)
- helm: avoid generating ConfigMapList (#21750, @kaworu)
- hive: Add title to Module() and enforce format (#21915, @joamaki)
- hive: Reimplement on top of dig (#21562, @joamaki)
- hubble: Add "hubble-prefer-ipv6" option (#21751, @mKeRix)
- hubble: Add "syn-only" option to flows-to-world metric (#21571, @michi-covalent)
- ip: Simplify MustAddrFromIP (#21598, @christarazi)
- IPAM: fix ipam owner check (#21715, @llhhbc)
- ipcache: Plumb daemon context through IPCache (#21676, @joestringer)
- ipcache: Release metadata mutex in loop error condition (#21653, @joestringer)
- ipcache: Remove unsafe ipc.metadata.get (#21608, @gandro)
- ipsec: Fix slightly incorrect assumption in XFRM IN policies (#21621, @pchaigno)
- ipsec: Refactoring around `UpsertIPsecEndpoint` (#21461, @pchaigno)
- ipsec: Simplify XFRM FWD policies (#21602, @pchaigno)
- k8s/{client,resource}: API improvements and support for custom retries (#21644, @joamaki)
- k8s: optimize API calls made to kube-apiserver (#21088, @aanm)
- k8s: Remove the global client getters in favor of Clientset (#21877, @joamaki)
- MAINTAINERS: add Chance Zibolski to the list of maintainers (#21792, @rolinh)
- maps/ctmap: convert to use netip.Addr internally (#21529, @tklauser)
- only setup ip rules when l7 policy enabled (#21636, @liuxu623)
- operator: Add leader lifecycle (#21457, @joamaki)
- pkg/k8s/resource: Fix test flake due to race between create and watch (#21681, @joamaki)
- pkg/labels: Optimize LabelArray {GetModel(),String()} (#21643, @odinuge)
- Prepare for release v1.13.0-rc1 (#21534, @joestringer)
- promise: Document the Resolve/Reject functions (#21827, @joestringer)
- Remove beta.kubernetes.io/arch as it's already deprecated (#21799, @my-git9)
- Remove unused sections for bpf_lxc from nodeport.h (#21505, @alexkats)
- Replace the hash function implementation to license it under the dual GPL/BSD license. (#21794, @gentoo-root)
- resource: Make the resource lazy by default (#21862, @joamaki)
- Revert "Sign container images" (#21846, @aanm)
- treewide: Switch ipcache interface to netip.Prefix (#21586, @joestringer)
- Update Go to 1.19.2 (#21591, @tklauser)
- Update stable releases (#21770, @qmonnet)
- Update the cert-manager's Certificate to fully qualify the duration (#21389, @farcaller)
- Use rate instead of irate in Hubble L7 workloads dashboard (#21791, @chancez)