artifacthub helm/cilium/cilium 1.14.0-snapshot.1


We are pleased to release Cilium v1.14.0-snapshot.1.

Summary of Changes

Major Changes:

  • Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#24263, @meyskens)
  • cilium: fib lookup consolidation (#23884, @borkmann)
  • The Cilium operator now taints nodes where Cilium is scheduled to run but is not running.
    This prevents pods from being scheduled on nodes without Cilium.
    The CNI configuration file is no longer removed on agent shutdown.
    This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade.
    This should help prevent nodes accidentally entering an unmanageable state.
    It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#23486, @squeed)

Minor Changes:

  • [SNAT] add "need to frag" ICMP support (#18414, @sahid)
  • Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#23968, @meyskens)
  • Add hubble_lost_events_total metric for the number of events lost by Hubble. (#22865, @lambdanis)
  • bpf, ipcache: unconditionally assume support for LPM trie maps (#24258, @tklauser)
  • clustermesh: enable per-cluster RBAC in etcd server (#24284, @giorio94)
  • cmd/service: unify service list/get output (#24136, @oblazek)
  • Disable by default CNP Node Status GC in cilium-operator. (#24390, @marseel)
  • dns: Set --tofqdns-min-ttl to zero by default (#21439, @michi-covalent)
  • envoy: Bump envoy to 1.24.3 (#24148, @sayboras)
  • feat: optional bpf mount (#24161, @frezbo)
  • helm: simplify TLS configuration of clustermesh peers (#24222, @giorio94)
  • Hide --install-iptables-rules agent flag and remove installIptablesRules Helm flag (#24081, @pchaigno)
  • hubble: traffic direction filter (#24120, @kaworu)
  • Improve cilium monitor output for dropped packets: display source file names instead of numerical ids (#24143, @aspsk)
  • Increase the default CiliumEndpointSlice sync time from 0 to 500ms (#23615, @dlapcevic)
  • Integration of sample dashboards with Helm chart (#23794, @jcpunk)
  • Make Envoy sockets for tproxy and the xDS API bind to localhost only (#24011, @meyskens)
  • Move poststart eni script to agent pod from nodeinit pod (#24134, @nebril)
  • policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated; this has now been fixed. (#23927, @rockc2020)
  • Prepare Cilium API for IPAM pools (#24248, @tklauser)
  • Support L2-less devices with fast forward (bpf-based host routing) (#23935, @jschwinger233)

Bugfixes:

  • Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (#24557, @jschwinger233)
  • Add support for builtin kernel modules (#23953, @TheAifam5)
  • Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (#24009, @squeed)
  • agent: rework clustermesh config watcher for increased robustness (#24163, @giorio94)
  • Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (#24156, @aanm)
  • bpf: fix ipv6 extension header parsing error (#24309, @chenyuezhou)
  • bpf: nodeport: fix handling of stale CT entry with CT_REPLY (#23894, @julianwiedmann)
  • Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (#24339, @giorio94)
  • daemon: fix panic when running with etcd with endpoint crd disabled (#24085, @tommyp1ckles)
  • daemon: initialize datapath before compiling sockops programs (#24140, @jibi)
  • endpoint: fix k8sNamespace log field when ep gets deleted (#24575, @mhofstetter)
  • Fix a bug where users are unable to change a wrong remote etcd configuration (#24046, @oblazek)
  • Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (#24619, @giorio94)
  • Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (#24304, @dylandreimerink)
  • Fix bug that would prevent IPsec from working with GENEVE encapsulation. (#24116, @borkmann)
  • Fix bug where ingress policies for remote-node identities are not applied correctly when new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (#23764, @christarazi)
  • Fix Cilium crash during network policy computation (#24322, @joestringer)
  • Fix Cilium Operator from crashing when encountering empty node pools on Azure (#24189, @forgems)
  • Fix deadlock in cilium-operator when using CiliumEndpointSlices (#24343, @alan-kut)
  • Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (#23874, @sjdot)
  • Fix failure to load the datapath for new pods on latest kernel when (almost) all datapath features are enabled. (#24405, @borkmann)
  • Fix FIB lookup for traffic to a L7 service backend, when BPF host-routing is enabled and multiple external devices are configured. (#24182, @julianwiedmann)
  • Fix for disabled cloud provider rate limiting (#24413, @hemanthmalla)
  • Fix incorrectly dropping in-cluster traffic for L7 ingress resources (#23984, @sayboras)
  • Fix IPv6 policy enforcement for SNATed traffic from the Host (#24132, @ysksuzuki)
  • Fix panic in hubble http v2 metrics (#24350, @chancez)
  • Fix Pod connectivity interruption during agent restart (#24336, @ti-mo)
  • Fix some test failures for bpf_nat_test.c (#24534, @YutaroHayakawa)
  • init.sh: fix cgroup program detachment and detach multiple progs with retry (#24118, @ti-mo)
  • install: don't render role / rolebinding when agent disabled (#23877, @squeed)
  • Service backends with publishNotReadyAddresses are able to receive traffic regardless of whether they are Terminating, since it is the user's intent to make them reachable despite their state. (#24174, @aojea)
  • Set user-agent for k8s client with Cilium's version (#24275, @aanm)
  • Solved an issue failing to forward traffic to Services if the Endpoint Slices had the same Address on different Slices (#24202, @aojea)
  • When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (#22978, @julianwiedmann)

CI Changes:

Misc Changes:

  • .gitattributes: Mark install/kubernetes/cilium/README.md as generated (#24295, @qmonnet)
  • .github: set right project to track v1.13 backport PRs (#24157, @aanm)
  • .github: skip confirmation prompts on cosign (#24456, @aanm)
  • Add a hint about using Vagrant on Apple Silicon (#24626, @brandshaide)
  • add better errors for our calls to Setsockopt() (#24287, @squeed)
  • Add BPF test facility to test skb->cb (#24181, @YutaroHayakawa)
  • add helm option to customize nodeinit scripts (#24375, @mblaschke)
  • Add link to threat model in security policy (#24673, @ferozsalam)
  • Add make commands for setting up clustermesh in kind (#24190, @marseel)
  • Add Palark GmbH to USERS.md (#24421, @shurup)
  • Add Proton to USERS (#24636, @MrFreezeex)
  • Add User DaimlerTruck AG (#24408, @brandshaide)
  • Add User doc to PR Template (#24186, @xmulligan)
  • Added ClickHouse to users (#24532, @tsolodov)
  • Adds a new NOTRACK rule for node-local-dns (#24230, @Weil0ng)
  • agent: install CNI plugin binary in an InitContainer (#24075, @squeed)
  • alignchecker: fully parse structures (#24365, @aspsk)
  • auth: define auth handlers as private hive cell (#24074, @mhofstetter)
  • Avoid clearing objects in conversion funcs (#24241, @odinuge)
  • bgp: extract exportPodCIDRReconciler logic into a generic function (#24546, @jibi)
  • bpf, datapath: unconditionally assume support for direct access to map values (#24504, @tklauser)
  • bpf, datapath: unconditionally assume support for LRU hash maps (#24378, @tklauser)
  • bpf, ebpf: remove GetMapType() and mock probing (#23634, @rgo3)
  • bpf, ipcache: unconditionally assume LPM trie delete/dump support (#24377, @tklauser)
  • bpf,test: Define BPF_TEST macro for map-in-map/prog-map initialization (#24127, @YutaroHayakawa)
  • bpf/nat: remove unnecessary nexthdr variable (#24537, @sahid)
  • bpf/wireguard: Skip encryption for cluster-external traffic (#24586, @pchaigno)
  • bpf: dsr: don't track L2 addresses for DSR traffic (#24524, @julianwiedmann)
  • bpf: Fix VTEP compilation error (#24152, @pchaigno)
  • bpf: fixes for IPv6 revNAT (#24610, @julianwiedmann)
  • bpf: Inter-cluster SNAT with ClusterIP global service (#24212, @YutaroHayakawa)
  • bpf: lb: small cleanups (#24320, @julianwiedmann)
  • bpf: misc cleanups (#24291, @julianwiedmann)
  • bpf: nodeport cleanups (#23965, @julianwiedmann)
  • bpf: nodeport: don't track L2 addr for connection to local backend (#24324, @julianwiedmann)
  • bpf: remove a redundant IPcache lookup in from-host (#24107, @julianwiedmann)
  • bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (#24271, @borkmann)
  • Break import cycles and move the datapath cell to datapath/cell.go (#24337, @bimmlerd)
  • bug: Fix Potential Nil Reference in GetLabels Implementation (#24416, @nathanjsweet)
  • bugtool: Add ingress/egress tc filter dump (#24057, @joestringer)
  • bugtool: simplify removeIfEmpty with more efficient os.ReadDir (#24566, @Juneezee)
  • Bump version in Readme and fix script (#24459, @aanm)
  • Bumped CoverBee version to v0.3.2 (#24180, @dylandreimerink)
  • Check IP Family for LB source range (#24273, @sugangli)
  • checker: Fix incorrect checker for ExportedEqual() (#24373, @christarazi)
  • chore(deps): update all github action dependencies (master) (minor) (#24280, @renovate[bot])
  • chore(deps): update all github action dependencies (master) (patch) (#24278, @renovate[bot])
  • chore(deps): update aws-actions/configure-aws-credentials action to v2 (master) (#24281, @renovate[bot])
  • chore(deps): update base-images (master) (#24102, @renovate[bot])
  • chore(deps): update base-images (master) (#24439, @renovate[bot])
  • chore(deps): update dependency google/gops to v0.3.27 (master) (#24005, @renovate[bot])
  • chore(deps): update docker.io/library/alpine:3.17.2 docker digest to ff6bdca (master) (#24354, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24231, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24232, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.1 docker digest to 52921e6 (master) (#24103, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 149531e (master) (#24614, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to ddde70b (master) (#24254, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (master) (#24465, @renovate[bot])
  • chore(deps): update sigstore/cosign-installer action to v3 (master) (#24282, @renovate[bot])
  • chore: Update json-mock image (#24173, @sayboras)
  • ci: only report status after matrix jobs are done (#23865, @spacewander)
  • ci: update cilium-cli etcd version to v3.5.4 (#24028, @kahirokunn)
  • cilium, docs: Move sig-datapath meeting to on-demand only (#24205, @borkmann)
  • clustermesh-apiserver: ExternalTrafficPolicy and internalTrafficPolicy can now be changed. (#24166, @kahirokunn)
  • clustermesh: fix client usage when setting the cluster configuration (#24591, @giorio94)
  • clustermesh: reduce memory consumption due to non-shared services (#23948, @giorio94)
  • cocci: Work around a bug in coccinelle to better check files, add a few missing const qualifiers to BPF code (#24606, @qmonnet)
  • CODEOWNERS: include @cilium/sig-datapath for all datapath specific CI changes (#24487, @tklauser)
  • contrib: Add support for snapshot releases (#24092, @joestringer)
  • contrib: Remove deb,rpm packaging (#23081, @joestringer)
  • daemon: Check for leaked goroutines from the agent cell (#24076, @joamaki)
  • daemon: ignore EEXIST on NodeEnsureLocalIPRule (#24645, @tklauser)
  • daemon: move circular initialization of policy.Repository to hive (#24073, @lmb)
  • daemon: use the real err instead of a nil one (#24115, @spacewander)
  • doc: Fixed CiliumNode CRD fields for cluster-pool doc (#24428, @PhilipSchmid)
  • doc: kubeProxyReplacement=strict / kube-proxy co-existence (#24407, @PhilipSchmid)
  • doc: update masquerading.rst to reflect new support for icmp (#24556, @sahid)
  • Docs: Add policy_implementation_delay to metrics (#22998, @learnitall)
  • docs: Add a comparison table for IPAM modes (#24285, @raphink)
  • docs: Add contact link to threat model (#24674, @ferozsalam)
  • docs: add note that there are two Cilium CLIs (#24435, @lizrice)
  • docs: Add section on development and RC images (#24424, @borkmann)
  • docs: Cleanup and update list of supported drivers for XDP (#24398, @pchaigno)
  • docs: Document CONFIG_PERF_EVENTS requirement (#24055, @joestringer)
  • docs: Document kernel requirement for L3 devices support (#24101, @pchaigno)
  • docs: Document the threat model for Cilium (#24497, @ferozsalam)
  • docs: Endpoints are local to the node on which the cilium agent is running. (#24017, @tnorlin)
  • docs: Fix Makefile target name in CODEOWNERS update hint (#24583, @ferozsalam)
  • docs: fix Rule spec document typos (#24319, @nrnrk)
  • docs: fix Rule spec document typos (#24443, @nrnrk)
  • docs: fix typo in operations/troubleshooting.rst (#24460, @NikAleksandrov)
  • docs: Fixing typo in description of label release-note/ci (#24665, @mhofstetter)
  • docs: Improve description of the installation steps to run cilium documentation locally (#24056, @kayceeDev)
  • Docs: Move Maintainers to Committers (#24124, @xmulligan)
  • docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (#24099, @qmonnet)
  • docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (#24164, @jspaleta)
  • docs: Update egress gateway limitations (#24244, @pchaigno)
  • docs: Update the documentation for the --conntrack-gc-interval flag (#24400, @pchaigno)
  • Documentation: add migration document (#23751, @squeed)
  • Documentation: add section to roadmap about modularization (#24096, @joamaki)
  • documentation: remove release docs (#24463, @aanm)
  • egressgateway: provide a very basic Cell (#24330, @lmb)
  • Emit full verifier logs to agent logs and verifier.log in the endpoint directory (#24506, @ti-mo)
  • endpoint: correctly log IPv6 addresses (#24255, @tklauser)
  • endpoint: Update comments for ToMapState() usage (#24321, @joestringer)
  • envoy: Avoid using deprecated field (#24043, @sayboras)
  • envoy: remove unnecessary wait and log message after starting envoy (#24455, @mhofstetter)
  • examples: setup HUBBLE_SERVER for the Hubble CLI Deployment (#24154, @kaworu)
  • Fix a typo in pkg/option/config.go (#23731, @meyskens)
  • Fix comment error about monitorNotify in pkg/datapath/ipcache/listener.go. (#23963, @hxysayhi)
  • Fix duplicated logs for test-output.log (#24171, @romanspb80)
  • Fix misleading use of bpf_ntohl (#24483, @lazybetrayer)
  • Fix possible race condition in the clustermesh's users management test (#24652, @giorio94)
  • fix(deps): pin dependencies (master) (#24147, @renovate[bot])
  • fix(deps): pin dependencies (master) (#24277, @renovate[bot])
  • fix(deps): pin dependencies (master) (#24299, @renovate[bot])
  • fix(deps): pin dependencies (master) (#24438, @renovate[bot])
  • fix(deps): pin dependencies (master) (#24659, @renovate[bot])
  • fix(deps): update all go dependencies master (master) (#23987, @renovate[bot])
  • fix(deps): update all go dependencies master (master) (patch) (#23982, @renovate[bot])
  • fix(deps): update all go dependencies master (master) (patch) (#24149, @renovate[bot])
  • fix(deps): update all go dependencies master (master) (patch) (#24279, @renovate[bot])
  • fix(deps): update all go dependencies master to v2 (master) (major) (#24110, @renovate[bot])
  • fix(deps): update module google.golang.org/protobuf to v1.29.1 [security] (master) (#24376, @renovate[bot])
  • fix(deps): update module gopkg.in/yaml.v2 to v3 (master) (#24112, @renovate[bot])
  • fix: Flag --ipv4-native-routing-cidr update in cli (#23643, @deepeshaburse)
  • Fix: Link Security Team (#24135, @xmulligan)
  • Fixed panic when generating code coverage report of eBPF tests (#24094, @dylandreimerink)
  • Generate preprocessed C source with BPF tests (#24093, @YutaroHayakawa)
  • Get CEP from k8s cache during initialization. (#24340, @marseel)
  • gha: Skip flaky test HTTPRouteHeaderMatching in GatewayAPI (#24169, @sayboras)
  • gha: Skip HTTPRouteListenerHostnameMatching test temporarily (#24521, @sayboras)
  • go.mod, golangci-lint: update base Go version to 1.20 (#24113, @tklauser)
  • golangci-lint: Update to v1.51.2 (#24153, @mhofstetter)
  • helm: Add support of additional labels to hubble ui ingress (#24077, @ReillyBrogan)
  • helm: Parameterize image registries in Makefile.values (#24635, @michi-covalent)
  • hive: fix documentation for cell.Provide & cell.ProvidePrivate (#24238, @mhofstetter)
  • hubble-ui: allow ingress from non root / urls (#23631, @geakstr)
  • hubble: Use netip.Addr instead of net.IP in getter functions (#23143, @lambdanis)
  • Implement GC for per-cluster CT/SNAT maps (#24576, @YutaroHayakawa)
  • Increase logging verbosity of Kubernetes API Server in kind (#24384, @marseel)
  • ingress: Avoid potential nil pointer during cleanup (#24444, @sayboras)
  • ingress: Improve coverage with unit tests (#24684, @sayboras)
  • Install fib rules and routes with proto kernel to avoid systemd messing with them (#24288, @NikAleksandrov)
  • ipam: add method to get IP owner per pool (#24358, @tklauser)
  • k8s api: remove status documentation from CRD CiliumIdentity (#24512, @mhofstetter)
  • k8s/watchers: Fix calling Done() with proper error (#24616, @christarazi)
  • kvstore/etcd: don't use atomic type for version check timeout (#24360, @tklauser)
  • Makefile: new target kind-debug to debug cilium operator & agent in kind cluster (#23898, @mhofstetter)
  • nodemanager: inject ipcache into nodemanager via hive (#24261, @mhofstetter)
  • operator, hive, k8s: don't call workerpool.New from hive constructors (#24419, @tklauser)
  • operator, k8s: Prevent CEC watcher goroutine leak (#24316, @yulng)
  • operator/cmd: add goleak check to TestOperatorHive (#24431, @tklauser)
  • operator: fix deadlock when running in kvstore mode (#24631, @giorio94)
  • Operator: Move leader election to a separate Kubernetes client (#24267, @alexkats)
  • operator: Remove duplicated package import (#24078, @pippolo84)
  • Optimize PrefixString() (#23201, @christarazi)
  • Optimize GetControllerName for CNP (#23717, @marseel)
  • option: Skip NodeEncryptionOptOutLabels when marshalling to json (#24470, @gandro)
  • pkg/ipcache: add ipcacher interface (#24274, @aanm)
  • pkg/stream: Simplify ToChannel usage (#24432, @joamaki)
  • policy: lazily start SelectorCache.handleUserNotifications (#24325, @lmb)
  • policy: track policy rule origin per selector (#23811, @bimmlerd)
  • policy: Utilize the DistillPolicy() code path in tests (#24402, @christarazi)
  • Pprof modularization (#24114, @pippolo84)
  • Preparatory refactoring for IPAM pools (#24247, @tklauser)
  • README.rst: Fix broken link to L7 policies (#24488, @PriyaSharma9)
  • README.rst: Fix timezones in details for community meeting (#24520, @qmonnet)
  • Refactor CRD generation in Makefile (#24615, @christarazi)
  • Refactor generate-k8s-api in Makefile (#24651, @mhofstetter)
  • refactor: move CRD registration to separate cell (#24219, @knight42)
  • renovate: Add stop updating label (#24065, @sayboras)
  • renovate: fix config file format (#24109, @tklauser)
  • renovate: update source import paths on Go module major updates (#24003, @tklauser)
  • Revert "docs: fix Rule spec document typos" (#24418, @aditighag)
  • Revert #24288 (#24676, @aanm)
  • Service Mesh mTLS: auth request & response (#24159, @mhofstetter)
  • Service Mesh mTLS: Inject IPCache into auth manager via hive (#24259, @mhofstetter)
  • Service Mesh mTLS: introduce auth map (#24218, @mhofstetter)
  • Service Mesh mTLS: suppress policy verdict notification for authenticated packets (#24352, @mhofstetter)
  • test: bump upgrade tests to test 1.13 (#23790, @aanm)
  • tools/maptool: correctly build with CGO_ENABLED=0 if not in RACE mode (#24142, @tklauser)
  • use atomic.Pointer instead of bare LoadPointer (#23971, @lmb)
  • Use resource for CNPs and CCNPs (#24509, @pippolo84)
  • USERS.md: Add Polar Signals (#24158, @brancz)
  • versioncheck: fix parsing of snapshot release versions (#24286, @tklauser)
