We are pleased to release Cilium v1.13.7.
Known IPsec-related issues have been fixed. We encourage users to test this release and report any potentially remaining issues.
Summary of Changes
Minor Changes:
- Report the kernel error code in case of packet drops due to failures to create NAT map entries. (Backport PR #27652, Upstream PR #25883, @julianwiedmann)
Bugfixes:
- bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #27998, Upstream PR #27798, @ti-mo)
- envoy: fix panic writing accesslog without L7 tags (Backport PR #27651, Upstream PR #27453, @mhofstetter)
- Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27393, Upstream PR #27312, @julianwiedmann)
- Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (Backport PR #27925, Upstream PR #27656, @pchaigno)
- Fix a bug where cilium host IP is not read from k8s node annotations (Backport PR #27651, Upstream PR #27590, @hemanthmalla)
- Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27393, Upstream PR #27168, @learnitall)
- Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27587, Upstream PR #27319, @jrfastab)
- Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27998, Upstream PR #27602, @julianwiedmann)
- gateway-api: Merge externally annotations and labels for kubernetes types (Backport PR #27651, Upstream PR #27251, @farodin91)
- ingress: fix panic on ingress rule without HTTPIngressRule (Backport PR #27925, Upstream PR #27818, @mhofstetter)
- IPSec fix for race on init resulting in XfrmIn errors and dropped packets (Backport PR #28022, Upstream PR #28012, @jrfastab)
- k8s: Restrict configuring reserved:init policy via CNP (Backport PR #28039, Upstream PR #28007, @joestringer)
- Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27925, Upstream PR #27572, @bimmlerd)
- proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27741, Upstream PR #27597, @sayboras)
CI Changes:
- .github/workflows: unify time to wait for images to become available (Backport PR #27925, Upstream PR #27706, @tklauser)
- ci-ipsec-upgrade: Bump CLI to v0.15.5 (Backport PR #27393, Upstream PR #27230, @brb)
- ci-ipsec-upgrade: Skip upon test/Documentation changes (Backport PR #27741, Upstream PR #27644, @brb)
- ci: fix and standardize checkouts in privileged workflows (Backport PR #27393, Upstream PR #27193, @nbusseneau)
- ci: increase connectivity test timeout in GHA external workload (Backport PR #27393, Upstream PR #26975, @mhofstetter)
- ci: remove unavailable K8s 1.22 from GKE config (Backport PR #27393, Upstream PR #27365, @mhofstetter)
- CI: Rename workflow names (Backport PR #27741, Upstream PR #27391, @brlbil)
- CI: Update tested k8s version for aks (Backport PR #27651, Upstream PR #27457, @brlbil)
- gh/actions: Customize cilium-config (Backport PR #27925, Upstream PR #27416, @brb)
- gh/workflows: Use cilium-config action in ci-ipsec-upgrade (Backport PR #27925, Upstream PR #27359, @brb)
- ginkgo: Remove K8sDatapathCustomCalls (Backport PR #27925, Upstream PR #27911, @brb)
Misc Changes:
- Add WireGuard to the firewall rules documentation (Backport PR #27925, Upstream PR #27170, @joestringer)
- bpf: egressgw: set trace reason for reply traffic (Backport PR #27526, Upstream PR #27218, @julianwiedmann)
- bpf: nat: enable CT-driven trace aggregation (Backport PR #27526, Upstream PR #27178, @julianwiedmann)
- chore(deps): update actions/checkout action to v4 (v1.13) (#27927, @renovate[bot])
- chore(deps): update all github action dependencies (v1.13) (minor) (#27782, @renovate[bot])
- chore(deps): update all lvh-images main (v1.13) (patch) (#27423, @renovate[bot])
- chore(deps): update all lvh-images main (v1.13) (patch) (#27780, @renovate[bot])
- chore(deps): update all lvh-images main (v1.13) (patch) (#27945, @renovate[bot])
- chore(deps): update aws-actions/configure-aws-credentials action to v3 (v1.13) (#27783, @renovate[bot])
- chore(deps): update cilium/coccicheck docker tag to v2.4 (v1.13) (#27947, @renovate[bot])
- chore(deps): update dependency ubuntu to v22 (v1.13) (#27784, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.5 (v1.13) (#27781, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.7 (v1.13) (#27486, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.8 (v1.13) (#27991, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.7 docker digest to 741d6f9 (v1.13) (#27779, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (v1.13) (#27554, @renovate[bot])
- chore(deps): update sigstore/cosign-installer action to v3.1.2 (v1.13) (#27946, @renovate[bot])
- docs: Document DROP_NO_NODE_ID for IPsec (Backport PR #27393, Upstream PR #27184, @pchaigno)
- docs: Fix config option for spelling filters (Backport PR #27651, Upstream PR #27537, @qmonnet)
- docs: Fix Documentation Makefile to make Helm reference updates compatible with macOS (Backport PR #27651, Upstream PR #27495, @ishuar)
- docs: Harmonise references to Cilium Slack (Backport PR #27393, Upstream PR #27346, @qmonnet)
- docs: Have Makefile print generated image tags when running with V=0 (Backport PR #27393, Upstream PR #27250, @qmonnet)
- docs: Improve wording for labels and services policies (Backport PR #27925, Upstream PR #27171, @joestringer)
- docs: update L7 traffic CiliumClusterwideEnvoyConfig example (Backport PR #27651, Upstream PR #27409, @tanjunchen)
- docs: Update the microservices-demo link (Backport PR #27925, Upstream PR #27814, @haiyuewa)
- Update Cilium certgen from v0.1.8 to v0.1.9 (Backport PR #27651, Upstream PR #27511, @rolinh)
Other Changes: