Changelog
v1.15.0-pre.0
Summary of Changes
Major Changes:
- Add support for k8s 1.28 (#27361, @aanm)
- bgpv1: Add `bgp/routes` API endpoint and `cilium bgp routes` CLI command (#27182, @rastislavs)
- Introduce ability to specify SAFI/AFI for specific BGP peers. (#26940, @ldelossa)
- Module Health: Node Manager: First Iteration (#25994, @tommyp1ckles)
Minor Changes:
- *_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
- .github/workflows: don't error out if pkill finds no processes (#26357, @lmb)
- .github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#26600, @lmb)
- Add `cilium bpf auth flush` command for debugging purposes (#27216, @meyskens)
- Add an option to specify filters and a field mask for hubble-exporter (#26379, @AwesomePatrol)
- Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
- Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
- Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
- Add securityContext for spire pod in helm chart (#27363, @ishuar)
- Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
- Add SPIRE connection to `cilium status` (#26896, @meyskens)
- Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
- Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
- api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
- Augments `cilium status` CLI to report on agent modules health status. (#25714, @derailed)
- bpf: allow overriding Makefile variables (#27492, @lmb)
- bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
- bpf: gate egressgw datapath on separate defines (#27189, @lmb)
- bgpv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
- Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
- cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
- cilium: export intermediate cobra.Commands (#26265, @lmb)
- cilium: use absolute path to include Makefile.defs (#27054, @lmb)
- cli: Update `cilium policy import` to allow policy replacement by label (#27103, @deverton-godaddy)
- clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
- daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
- docs, cilium: Remove `cilium endpoint regenerate` command (#27326, @christarazi)
- egressgw: inject datapath config via hive (#27414, @lmb)
- egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
- egressgw: tidy up Config handling (#27221, @lmb)
- endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
- envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
- envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
- envoy: Update envoy version to the latest build (#27819, @jrajahalme)
- Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
- Fix LookupReservedIdentityByLabels function to return consistent results (#26795, @skmatti)
- gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
- Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
- hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
- Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
- ipam, metrics: Add new capacity metric (#27710, @christarazi)
- Modular daemon and operator (#25986, @pippolo84)
- Refactor hubble redact settings schema (#26989, @ChrsMark)
- Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
- Remove deprecated clustermesh CA configuration from the helm chart (#27162, @giorio94)
- When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or set for "io.cilium/bgp-control-plane". (#26905, @danehans)
Bugfixes:
- Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
- bgpv1: fix manager_test.go build error (#27543, @ldelossa)
- bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
- bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (#26638, @julianwiedmann)
- bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
- cleanup: can clean the bpf filters created by the cilium agent with lower version (#27373, @sofat1989)
- Do mutual authentication handshake again if mismatch between bpf map and cached map happens (#27241, @meyskens)
- egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
- envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
- Fix a bug that could cause an incorrect max. sequence number to be reported by `cilium encrypt status` when IPsec is enabled. (#27656, @pchaigno)
- Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
- Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
- Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (#27602, @julianwiedmann)
- Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
- Fix Gateway managed services not exposing all ports (#27695, @Managarmrr)
- Fix possible cross-cluster connection drops on agents restart when clustermesh is enabled (#27575, @giorio94)
- Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (#26663, @gandro)
- Fixes an issue that IPsec key rotation can't be triggered. (#27694, @jschwinger233)
- Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
- Handle `.status.conditions` on `Service`s using in accordance with KEP-1623 (#27399, @addreas)
- health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
- helm: fix envoy daemonset loglevel with multiple verbose debug groups (#27698, @mhofstetter)
- ingress: fix panic on ingress rule without HTTPIngressRule (#27818, @mhofstetter)
- ipam: when a CiliumNode is removed, delete node label from metrics. (#27713, @tommyp1ckles)
- metrics: fix potential conflict on metrics registration (#27007, @ysksuzuki)
- Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (#27572, @bimmlerd)
- proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
- Read FQDNRejectResponseCode from config (#27362, @ayuspin)
- spire: add scheduling configurations to helm-chart (#27229, @tvonhacht-apple)
CI Changes:
- .github: Remove Loki action (#26676, @joestringer)
- Add missing ariane trigger phrases (#27822, @tklauser)
- bpf/tests: Cover IPsec key rotations (#27185, @pchaigno)
- bpf: test: pktgen cleanups (#26776, @julianwiedmann)
- bpf: tests: add helpers for boilerplate code (#27429, @julianwiedmann)
- bpf: tests: add helpers for common patterns (#27134, @julianwiedmann)
- bpf: tests: improve CT checks for observed TCP flags (#26802, @julianwiedmann)
- build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation (#27497, @dependabot[bot])
- ci-ginkgo: conditionally skip fetching artifacts & junit report (#27081, @mhofstetter)
- ci-gke: adjust junit file names to matrix properties (#27072, @mhofstetter)
- CI: Add conn-disrupt-test action for reuse (#27567, @jschwinger233)
- CI: Add IPsec key rotation test (#27203, @jschwinger233)
- ci: add scheduled runs for Ariane workflows (#27687, @nbusseneau)
- ci: Automate generation and update of docs-builder image (#24121, @qmonnet)
- ci: fix checking `github.event.pull_request.head.sha` (#26775, @mhofstetter)
- ci: increase junit artifact retention from 2 to 5 days (#27021, @mhofstetter)
- CI: Move IPsec CI jobs into separate pipelines (#26730, @jschwinger233)
- CI: Rename workflow names (#27391, @brlbil)
- ci: replace GHA action Sibz/github-status-action (#26976, @mhofstetter)
- ci: Run documentation workflow on README.rst updates (#26559, @qmonnet)
- ci: upload and publish JUnit test results for conformance-multi-pool (#27025, @mhofstetter)
- ci: use env variable to store branch name (#26779, @ferozsalam)
- datapath: Cover subnet encryption in XFRM leak test (#27212, @pchaigno)
- datapath: Fix TestNodeChurnXFRMLeaks (#27274, @brb)
- Disable the images digest when pushing the development helm chart (#27646, @giorio94)
- egressgw: back out test for policy conflict in ENI mode (#27432, @julianwiedmann)
- Extend Integration Test timeout (#27811, @YutaroHayakawa)
- Fix container scanning workflow (#26542, @ferozsalam)
- gh/actions: Customize cilium-config (#27416, @brb)
- gh/workflows: Fix setting endpoint routes in ci-e2e (#27384, @brb)
- Improve service unit test robustness (#26212, @strudelPi)
- ingress: Add conformance test for KPR=false (#27304, @sayboras)
- ipam: Fix race in NodeManager.Resync (#26963, @jaffcheng)
- jenkinsfiles: remove kubernetes upstream (#27349, @aanm)
- k8s: Replace generate-internal-groups.sh script (#27591, @sayboras)
- Make ci-ipsec-upgrade a part of /test (#27557, @jschwinger233)
- make: drop redundant `go vet ./...` from integration tests (#26565, @tklauser)
- node: Integration test for XFRM leaks on node churn (#27187, @pchaigno)
- Remove validation timeout in controlplane testing (#26414, @pippolo84)
- renovate: Pin cilium-cli version for <v1.14 (#26716, @michi-covalent)
- Revert quarantine k8s datapath services test (#26400, @marseel)
- update upgrade tests to test from v1.14.0 to main (#27114, @aanm)
Misc Changes:
- .clang-format: Re-write and re-license .clang-format (#26640, @qmonnet)
- .github: add Dockerfile for hubble-relay image in Renovate config (#27404, @aanm)
- .github: add workflow to track replied issues (#27283, @aanm)
- .github: do not upgrade ubuntu runner for integration tests (#27829, @aanm)
- .github: fix renovate config (#27727, @aanm)
- .github: Remove master mirror (#25806, @joestringer)
- .github: Remove remaining references to v1.11 (#26681, @joestringer)
- .github: use kindest/node instead of quay.io/cilium/kindest-node (#27729, @aanm)
- .github: write the right regex for little-vm-images versioning (#27390, @aanm)
- Add a troubleshooting Gateway API part of the documentation (#25945, @meyskens)
- Add Berops to `USERS.md` (#27483, @bernardhalas)
- Add checks to avoid use of logrus WithFields function in hot paths (#26327, @learnitall)
- Add deepcopy plugin (#26978, @AwesomePatrol)
- Add docs on first and last IP of LB-IPAM pool (#27110, @darox)
- Add G DATA CyberDefense AG as user (#27316, @farodin91)
- Add guidance for bumping the Golang version in Cilium (#26789, @ferozsalam)
- add links to enterprise support and slack to the issues page for easier discoverability (#26551, @xmulligan)
- add lint-go to merge queue check (#27542, @aanm)
- Add metrics for LB-IPAM (#26173, @dylandreimerink)
- Add note to the quick install documentation for increasing inotify limits (#27140, @leblowl)
- Add prerelease-testing issue template (#27766, @jspaleta)
- Add script to run GitHub ginkgo workflow locally (#26540, @qmonnet)
- add Twilio to Users list (#27755, @michaelsaah)
- Add workload label context (hubble metrics). (#25667, @marqc)
- Added metrics for jobs (#26077, @dylandreimerink)
- alibabacloud: Allocate from vswitches with the most IP addresses (#27696, @jaffcheng)
- Allow Golang bump to v1.20 on Cilium v1.12 and v1.13 (#27434, @ferozsalam)
- auth: depend on nodeIDHandler directly (#27106, @mhofstetter)
- bgp: fix up formatting in CiliumBGPPeeringPolicy (#27219, @julianwiedmann)
- bgpv1: Add GetRoutes method to Router interface and generic Path type (#26803, @rastislavs)
- bgpv1: Use Path type in AdvertisePath & WithdrawPath (#27223, @rastislavs)
- bpf: avoid calculating L4 offset (#27313, @julianwiedmann)
- bpf: ct: clean up tuple swapping for forward lookups (#26826, @julianwiedmann)
- bpf: ct: clean up unused .seen_non_syn flag for ICMP entries (#26754, @julianwiedmann)
- bpf: ct: document some unused fields in ct_entry struct (#27692, @julianwiedmann)
- bpf: ct: simplify ct_action parameter for CT lookup (#26527, @julianwiedmann)
- bpf: dsr: don't track ifindex of ingress interface (#27528, @julianwiedmann)
- bpf: dsr: ensure that Geneve options have correct size (#26707, @julianwiedmann)
- bpf: dsr: merge Ingress tail-calls into nodeport_lb*() (#27267, @julianwiedmann)
- bpf: exclude EgressGW logic in bpf_overlay (#26611, @julianwiedmann)
- bpf: install proxy routes using Go, remove init.sh (#27445, @ti-mo)
- bpf: lxc: clarify kube-proxy workaround in to-container path (#27604, @julianwiedmann)
- bpf: lxc: cleanups (#27044, @julianwiedmann)
- bpf: lxc: remove unused IPv6 loopback code (#27601, @julianwiedmann)
- bpf: minor ICMPv6 improvements (#26563, @julianwiedmann)
- bpf: minor loopback cleanups (#27764, @julianwiedmann)
- bpf: nat: Handle errors from snat_v(4|6)_prepare_state() (#26501, @qmonnet)
- bpf: nat: improve logic that creates the NAT entries (#26594, @julianwiedmann)
- bpf: nat: minor improvements (#26520, @julianwiedmann)
- bpf: nat: share rewrite logic in RevSNAT path (#27366, @julianwiedmann)
- bpf: nat: small Masquerading improvements (#26848, @julianwiedmann)
- bpf: nat: SNAT cleanups (#26889, @julianwiedmann)
- bpf: nat: use common set of rewrite helpers (#27509, @julianwiedmann)
- bpf: nodeport: consolidate packet rewrite in RevDNAT path (#26852, @julianwiedmann)
- bpf: nodeport: improve ICMP vs DSR co-existence (#26562, @julianwiedmann)
- bpf: nodeport: improve tracing for inlined RevDNAT processing (#27191, @julianwiedmann)
- bpf: nodeport: integrate Ingress RevSNAT and RevDNAT paths (#27488, @julianwiedmann)
- bpf: overlay: clarify delivery to local host (#27580, @julianwiedmann)
- bpf: overlay: remove unused code (#27026, @julianwiedmann)
- bpf: policy: cleanups to reduce program size (#27369, @julianwiedmann)
- bpf: Rename proxy_identity to src_sec_identity (#27517, @joestringer)
- bpf: small improvements in TTL / hoplimit handling (#27146, @julianwiedmann)
- bpf: snat: DSR-eligible traffic can skip check for Nodeport NAT conflict (#26674, @julianwiedmann)
- bpf: xdp: remove unused XFER_ENCAP_* enums (#27264, @julianwiedmann)
- build(deps): bump certifi from 2022.12.7 to 2023.7.22 in /Documentation (#27064, @dependabot[bot])
- build(deps): bump pygments from 2.14.0 to 2.15.0 in /Documentation (#26957, @dependabot[bot])
- Bump allowed Golang version for v1.11 and v1.12 (#26713, @ferozsalam)
- Bump controller-tools fork to v0.8.0-1 (#27063, @christarazi)
- Change makefile cache to rebuild on header changes (#27605, @dylandreimerink)
- chart: define the envoy image variable in the makefile (#27725, @weizhoublue)
- chore(deps): pin hramos/needs-attention action to 4d47f33 (main) (#27286, @renovate[bot])
- chore(deps): update actions/checkout action to v3.5.3 (main) (#26568, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#26570, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#26821, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#27737, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26691, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26819, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#27478, @renovate[bot])
- chore(deps): update all kind-images main (main) (#27477, @renovate[bot])
- chore(deps): update all kind-images main (main) (patch) (#27479, @renovate[bot])
- chore(deps): update all lvh-images main (main) (patch) (#27339, @renovate[bot])
- chore(deps): update all lvh-images main (main) (patch) (#27372, @renovate[bot])
- chore(deps): update all lvh-images main (main) (patch) (#27421, @renovate[bot])
- chore(deps): update aws-actions/configure-aws-credentials action to v3 (main) (#27743, @renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.15.4 (main) (#26971, @renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.15.6 (main) (#27600, @renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#26974, @renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#27257, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.0 (main) (#26571, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.2 (main) (#26784, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.3 (main) (#26875, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.4 (main) (#27127, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27258, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27261, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.6 (main) (#27613, @renovate[bot])
- chore(deps): update dependency google/gops to v0.3.28 (main) (#27412, @renovate[bot])
- chore(deps): update dependency ubuntu to v22 (main) (#27745, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (main) (#27735, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to 344193a (main) (#26481, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.6 docker digest to cfc9d1b (main) (#26818, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.0 docker digest to b490ae1 (main) (#27598, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (main) (#26689, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 (main) (#26432, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (main) (#27529, @renovate[bot])
- chore(deps): update docker/setup-buildx-action action to v2.9.0 (main) (#26694, @renovate[bot])
- chore(deps): update github/codeql-action action to v2.21.2 (main) (#27265, @renovate[bot])
- chore(deps): update github/codeql-action action to v2.21.5 (main) (#27734, @renovate[bot])
- chore(deps): update go to v1.20.6 (main) (patch) (#26781, @renovate[bot])
- chore(deps): update go to v1.20.7 (main) (patch) (#27259, @renovate[bot])
- chore(deps): update go to v1.21.0 (main) (minor) (#27444, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.54.0 (main) (#27385, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.54.1 (main) (#27538, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.54.2 (main) (#27619, @renovate[bot])
- chore(deps): update hubble cli to v0.12.0 (main) (minor) (#26762, @renovate[bot])
- chore(lint): Enable linting with gosimple (#26965, @mrueg)
- chore: Use xxx.String() instead of string(xxx.Bytes()) (#26165, @testwill)
- ci-e2e: Enable debug.verbose for envoy (#26860, @sayboras)
- ci: fix go mod step name (#27711, @nbusseneau)
- ci: set timeout on build images workflows (#27341, @mhofstetter)
- ci: skip cosign / sbom in case of building images during cache rebuild (#26786, @mhofstetter)
- ci: skip fetching sysdump in case of skipped LB test (#26774, @mhofstetter)
- ci: skip post-test info gathering in case of skipped cilium installation (#26729, @mhofstetter)
- cilium, docs: Add a note about KPR and nfs dependencies (#27678, @borkmann)
- cilium, docs: Add rc.0 to development releases (#26564, @borkmann)
- cilium, iptables: Extend to cover default route in enable-masquerade-… (#27664, @borkmann)
- cilium: Add option to masq to source route (#27618, @borkmann)
- cilium: Fix 16bit ifindex limitation (#27622, @borkmann)
- clean-up: remove check for permissive CCNPs (#27690, @shawnh2)
- cleanup: code cleanup to remove unused parameter from repository add api (#26943, @tamilmani1989)
- clustermesh: make extra ipcache watcher options configurable (#27336, @giorio94)
- cni: Follow CNI spec by using `(containerID, ifName)` as unique endpoint identifier (#26894, @gandro)
- cni: log format byte array as string (#26740, @aojea)
- cocci: Re-license Coccinelle scripts as Apache 2.0 (#26629, @qmonnet)
- CODEOWNERS: assign bpf/lib/auth.h to sig-servicemesh (#27083, @mhofstetter)
- CODEOWNERS: assign egressgw control plane/datapath logic to egress-gateway team (#26952, @jibi)
- CODEOWNERS: assign pkg/backoff to @cilium/sig-agent (#26573, @jibi)
- codeowners: include sig-servicemesh into cilium envoy & spire helm (#27559, @mhofstetter)
- CODEOWNERS: remove stale cilium_egress_gateway_policy.go entry (#27234, @giorio94)
- Computed and propagated the value of OldEndpoints field when merging remote cluster information. (#26474, @akstron)
- config: Use String instead of StringVar method (#27794, @pippolo84)
- Configure the linux node config writer through Hive (#27180, @giorio94)
- contrib: add check for new files in check-(api|k8s)-code-gen scripts (#26790, @giorio94)
- contrib: Add support for X.Y.Z-pre.N releases (#27807, @joestringer)
- contrib: fix bump-readme script (#27648, @nebril)
- contrib: Make hint command copy and paste friendly (#27585, @sayboras)
- Correct cni path in k3s installation documentation for rancher desktop (#27702, @RichardoC)
- Creation of the /hello endpoint is delayed until the host datapath has been initialized. (#27392, @lmb)
- daemon: remove redundant wait on restoreComplete (#27603, @ti-mo)
- daemon: Use API server cell and adapt handlers (#25000, @joamaki)
- datapath/linux/probes: remove unused Have{Map,Program}Type wrappers (#26666, @tklauser)
- datapath: Devices table and controller (#24677, @joamaki)
- Disable StateDB metrics by default (#27657, @dylandreimerink)
- Do not log on errant release of reserved identity (#26768, @asauber)
- doc: Documented pitfall with NS labels in CNPs (#26134, @PhilipSchmid)
- doc: Improved Cilium ingress annotations table (#26381, @PhilipSchmid)
- docs: Add Conformance Badge for Gateway API (#27470, @sayboras)
- docs: Add docs structure recommendations, update style guide (#26632, @qmonnet)
- docs: Add Keploy to user list (#27244, @Sonichigo)
- docs: Add missing spelling exception (#26780, @qmonnet)
- docs: Document Potential Dual-Stack Upgrade Issues for 1.15 (#25204, @nathanjsweet)
- docs: Fix a typo and improve readability of a control plane architecture description in BGP Control Plane documentation (#27461, @distributethe6ix)
- Docs: Fix ipam_nodes metric description (#27217, @antonipp)
- docs: fix minor TOC issues (#26714, @networkop)
- docs: Fix the typo for SPIRE PVC installation option name (#27503, @haiyuewa)
- docs: fix typo in troubleshooting guide (#26811, @learnitall)
- docs: Fix unintentional boolean value in YAML (#26682, @dgl)
- docs: Improve wording for labels and services policies (#27171, @joestringer)
- docs: Improve wording in contributions guide (#27407, @joestringer)
- docs: optimize ingress default tls secret documentation (#26684, @mhofstetter)
- docs: Split, update, improve the contributing guide for reviewers and committers (#27085, @qmonnet)
- Document Kind Delve debugging workflow (#26506, @ti-mo)
- Documentation: Replace netperf images in StarWars demos (#26842, @hhoover)
- Don't retry one shot jobs during hive shutdown (#27395, @giorio94)
- Drop mock file support from clustermesh-apiserver (#27825, @giorio94)
- drop support for 1.11 (#27077, @aanm)
- egressgw: always set ifaceName in deriveFromPolicyGatewayConfig() (#26973, @julianwiedmann)
- egressgw: delete stale nexthop routes (#27105, @julianwiedmann)
- egressgw: detect conflicting configurations in ENI mode (#27281, @julianwiedmann)
- egressgw: use Resource[T] to consume CiliumEgressGatewayPolicy (#26960, @lmb)
- egressgw: use route.Upsert() for inserting nexthop / prefix IP route (#26990, @julianwiedmann)
- Enable strict validation of cluster config for clustermesh (#27246, @giorio94)
- endpoint/id: simplify TestSplitID (#26581, @tklauser)
- Endpoint: actually treat identifiers as immutable, remove lock (#26757, @squeed)
- endpoint: moveNewFilesTo performance and error handling improvements (#26238, @learnitall)
- endpointmanager: unexport and inline functions only used in the package (#27426, @tklauser)
- endpointslice: fix EndpointSlice import (#26938, @mhofstetter)
- envoy: Bump cilium proxy to latest version (#27555, @mhofstetter)
- envoy: set socket opts only if not already present in CEC (#27531, @mhofstetter)
- Fix restore of previous router IP due to missing VPC CIDR in Alibabacloud section of CiliumNode Spec (#26843, @haozhangami)
- Fix spelling for "WireGuard" (#26764, @qmonnet)
- fix(deps): update all go dependencies main (main) (#26567, @renovate[bot])
- fix(deps): update all go dependencies main (main) (#27348, @renovate[bot])
- fix(deps): update all go dependencies main (main) (#27440, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#26695, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#26822, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#27266, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#27742, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26569, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26693, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26820, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#27135, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#27260, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#27441, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#27736, @renovate[bot])
- fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.445 (main) (#26832, @renovate[bot])
- fix: add check if debug is enabled when adding trace levels to envoy daemonset. (#27161, @dreanor65)
- fix: platform typo (#27368, @testwill)
- Fixed conflicting PRs in main (#27209, @dylandreimerink)
- Fixes: typo (#27201, @weizhoublue)
- For services with `External Traffic Policy: Local` Service health returns http header "X-Load-Balancing-Endpoint-Weight" with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints. (#27017, @cezarygerard)
- Generalize ClusterID reservation mechanism for clustermesh (#27248, @giorio94)
- gh: feature template: s/request/proposal (#27023, @julianwiedmann)
- go.mod, renovate: specify and update Go toolchain version (#27820, @tklauser)
- go.mod, vendor: use github.com/cilium/dns fork directly (#27582, @tklauser)
- helm: Fix typo in cilium chart's description (#27389, @nu-wa)
- helm: Improve debug.verbose docs (#26463, @lgadban)
- helm: put extraConfig back to the end of ConfigMap cilium-config (#27556, @mhofstetter)
- helm: Updated description for Helm 'devices' flag (#26557, @PhilipSchmid)
- Hubble-ui now supports liveness and readiness probes (#27028, @mkilchhofer)
- images/builder: update dependencies (#27566, @rolinh)
- Import new version of forked controller-tools (#26918, @AwesomePatrol)
- improv: check for k8s backing before running sync (#27269, @kwakubiney)
- Improve documentation for review process for contributors and reviewers (#27324, @joestringer)
- Improve Hubble decoding performance for drop, debug, policy and tracesock events (#25751, @Jack-R-lantern)
- Improve Hubble decoding performance for trace events (#24162, @brancz)
- Improve translation of CIDRGroupRefs (#26369, @pippolo84)
- init.sh: move netlink device creation to Go (#27082, @rgo3)
- init.sh: move obsolete bpf_host removal to Go (#26539, @rgo3)
- Introduce resiliency package (#27614, @derailed)
- ipam,alibabacloud: Improve event driven instance resync (#25619, @jaffcheng)
- ipam: remove always-nil NewCIDRRange error return value (#26706, @tklauser)
- ipcache: Deprecate old API (#27576, @joestringer)
- ipcache: propagate cluster ID as part of the key (#27337, @giorio94)
- ipcache: Skip conflict logging for tunnelpeer if native routing (#27331, @christarazi)
- k8s/apis: refactor CRD registration helpers into a separate package (#26834, @tklauser)
- kvstore: drop unused deleteInvalidPrefixes variable (#27074, @giorio94)
- Log endpoint instead of pod names where appropriate (#27427, @tklauser)
- MAINTAINERS: Add Jussi Mäki (#26603, @michi-covalent)
- Make it easier to depend on clustermesh types outside of its package (#27242, @giorio94)
- Make the community team the owner of /USERS.md (#27321, @michi-covalent)
- make: allow to override values.yaml template name (#27235, @giorio94)
- Makefile: remove check-go-version target (#27460, @tklauser)
- maps: do not depend on global variable to initialize CT maps (#27275, @giorio94)
- maps: maglev_test: remove toleration for 4.9 kernel (#27046, @julianwiedmann)
- Misc updates in renovate configuration (#27328, @aanm)
- mlh: disable remove PR to project (#26863, @mhofstetter)
- mlh: use a regexp to check signed-off-by (#27732, @kaworu)
- netns: remove unused RemoveIfFromNetNSWithNameIfBothExist (#27411, @tklauser)
- node: introduce prefix cluster mutator (#27354, @giorio94)
- nodediscovery: support additional IP address sources for the local node (#27507, @tklauser)
- Operator: Add missing observability for Azure API calls (#26277, @hemanthmalla)
- pkg/aws: Improve event driven instance resync for AWS IPAM (#27791, @jaffcheng)
- pkg/cidr: Move linux specific variable references from netlink (#27638, @aditighag)
- pkg/policy: Convert benchmarks in resolve_test.go to std benchmarks (#27815, @christarazi)
- plugins/cilium-cni: cleanups around IPAM allocation and veth pair creation (#26595, @tklauser)
- plugins/cilium-cni: make error formatting consistent (#27535, @tklauser)
- plugins/cilium-cni: reduce string allocations of CNI command arguments (#27681, @tklauser)
- policy: Describe CIDR superset logic for denies and FQDN (#26720, @joestringer)
- Prepare for release v1.14.0-rc.0 (#26546, @joestringer)
- Prepare for v1.15 development cycle (#26516, @joestringer)
- Provide CT/NAT maps GC logic through hive (#27356, @giorio94)
- proxy: introduce envoy cell (#26657, @mhofstetter)
- proxy: refactor package global vars to proxy fields (#26619, @mhofstetter)
- proxy: refactor proxy.CreateOrUpdateRedirect (#26839, @mhofstetter)
- proxy: remove unused xds resource access timeout (#26747, @mhofstetter)
- README: Remove v1.11 from stable releases table (#27466, @joestringer)
- Refactor duplicate imports for Cilium v2alpha1 API (#26620, @dlapcevic)
- Refactor the per-cluster CT maps manager (#27448, @giorio94)
- Refactor the per-cluster NAT maps manager (#27430, @giorio94)
- Refactor watchstore/watchsync metrics (#27485, @marseel)
- Refactors the use of ControlPlaneState in the BGP-CP (#26992, @ldelossa)
- Register endpointmanager metrics via dependency injected registry (#26078, @dylandreimerink)
- relicense test/bpf/unit_test.c to not be GPL (#26618, @Joffref)
- Remove NodeSpecer and ControlPlaneState from BGP-CP. Rely on Hive/Cell for further ConfigReconciler dependencies. (#27285, @ldelossa)
- Remove unnecessary type conversions in fqdn zombies handling (#27047, @giorio94)
- Removed unnecessary 'revert' parameter from Newk8sTranslator and updated API calls accordingly. (#26217, @akstron)
- Removes Unused TransformToNode() Func (#26743, @danehans)
- renovate: ignore all gops updates (#27631, @tklauser)
- Replace some usages of fmt.Sprintf with more efficient string concatenation (#27518, @schlosna)
- Replace StateDB with StateDB2 (#27628, @dylandreimerink)
- resource: Add support for custom Indexers (#27032, @pippolo84)
- Revert ".github: write the right regex for little-vm-images versioning" (#27415, @aanm)
- Revert "Refactor hubble redact settings schema" (#27352, @joamaki)
- Set RouteMTU for generic veth (#26495, @sugangli)
- SRv6: Add quality of life methods for SID map usage. (#27192, @ldelossa)
- statedb v2.0 with per-table locks and delete tracking (#27160, @joamaki)
- statedb: extract REST API handler to pkg (#26645, @bimmlerd)
- statedb: Rename statedb2 to statedb (#27643, @joamaki)
- Support for batch deletion of endpoints (#27351, @tklauser)
- test/controlplane: Fix hostport test after API change (#26685, @pippolo84)
- tests: replace more incorrect DeepEquals uses (#25829, @markpash)
- treewide: wrap multiple errors using the standard library (#26524, @rolinh)
- typo in the debug document (#27627, @weizhoublue)
- typo: the clustermesh secret name (#27658, @weizhoublue)
- Update Palantir usecases (#26633, @ungureanuvladvictor)
- Update prereleases (#26871, @joestringer)
- Update renovate configuration for ginkgo and kindest/node (#27347, @aanm)
- Update stable releases (#27112, @aanm)
- Update stable releases (#27126, @nathanjsweet)
- Update stable releases (#27637, @asauber)
- Update the TCP conntrack entry timeouts to a lower value, so that closed entries are garbage collected earlier, thus freeing up the conntrack map. (#27665, @aditighag)
- Use generic Set instead of specified Set (#26378, @bzsuni)
- Use generics in k8s factory functions (#26367, @AwesomePatrol)
- Use Go 1.19 atomic types (#27563, @tklauser)
- USERS: Add Trendyol (#26946, @eminaktas)
- vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2 (#27623, @aanm)
- watchers: use resource for network policies (#26601, @bimmlerd)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.15.0-pre.0@sha256:1304d3708e5a82a222f95993e19635e1db892cdc0c6ed7c07870953adc6afa7a
quay.io/cilium/cilium:v1.15.0-pre.0@sha256:1304d3708e5a82a222f95993e19635e1db892cdc0c6ed7c07870953adc6afa7a
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.15.0-pre.0@sha256:2e23459444d4422352a2f69aba5f2daa041f5fcbb4e0be83d339819ac44c60fd
quay.io/cilium/clustermesh-apiserver:v1.15.0-pre.0@sha256:2e23459444d4422352a2f69aba5f2daa041f5fcbb4e0be83d339819ac44c60fd
docker-plugin
docker.io/cilium/docker-plugin:v1.15.0-pre.0@sha256:e9bbb0e0ca7071a62a1b25ff4a5bfa296cd81622fa64f25853006272a607bd53
quay.io/cilium/docker-plugin:v1.15.0-pre.0@sha256:e9bbb0e0ca7071a62a1b25ff4a5bfa296cd81622fa64f25853006272a607bd53
hubble-relay
docker.io/cilium/hubble-relay:v1.15.0-pre.0@sha256:3221382f24e65d4e91d1849f7f59229303cda6bfd73b083196bd15efb14d876b
quay.io/cilium/hubble-relay:v1.15.0-pre.0@sha256:3221382f24e65d4e91d1849f7f59229303cda6bfd73b083196bd15efb14d876b
kvstoremesh
docker.io/cilium/kvstoremesh:v1.15.0-pre.0@sha256:99704026b6d03301dafe0582fe49f35f5bb27d118a8137ef172aa539663c5146
quay.io/cilium/kvstoremesh:v1.15.0-pre.0@sha256:99704026b6d03301dafe0582fe49f35f5bb27d118a8137ef172aa539663c5146
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.15.0-pre.0@sha256:423494d02450e3032d4faf7e8eb2d128e7aa8ff03a7345e9e501932eb4a8f626
quay.io/cilium/operator-alibabacloud:v1.15.0-pre.0@sha256:423494d02450e3032d4faf7e8eb2d128e7aa8ff03a7345e9e501932eb4a8f626
operator-aws
docker.io/cilium/operator-aws:v1.15.0-pre.0@sha256:8f1bbb26ce99c742ed7540f5743844af6af39aa1673b41d8f42575fa3f92b505
quay.io/cilium/operator-aws:v1.15.0-pre.0@sha256:8f1bbb26ce99c742ed7540f5743844af6af39aa1673b41d8f42575fa3f92b505
operator-azure
docker.io/cilium/operator-azure:v1.15.0-pre.0@sha256:cef7f3e08d2583ff2164619ee292f83a3f6080726aef234b668140e73af0b3c2
quay.io/cilium/operator-azure:v1.15.0-pre.0@sha256:cef7f3e08d2583ff2164619ee292f83a3f6080726aef234b668140e73af0b3c2
operator-generic
docker.io/cilium/operator-generic:v1.15.0-pre.0@sha256:70e4783222ccf4906fd28b404d7c64022af9262380fdbfc45f4f66c9892f7b82
quay.io/cilium/operator-generic:v1.15.0-pre.0@sha256:70e4783222ccf4906fd28b404d7c64022af9262380fdbfc45f4f66c9892f7b82
operator
docker.io/cilium/operator:v1.15.0-pre.0@sha256:87346a6675725fff13ebf07eb6f48f46385c1464d2ea5572d5a843784143c13d
quay.io/cilium/operator:v1.15.0-pre.0@sha256:87346a6675725fff13ebf07eb6f48f46385c1464d2ea5572d5a843784143c13d