artifacthub helm/cilium/cilium 1.17.0-rc.0

18 hours ago

Summary of Changes

Major Changes:

Minor Changes:

  • Add option for user-supplied Envoy bootstrap configmaps in helm chart (#35597, @byxorna)
  • Adds the ability to add labels to external CIDRs for policy selection and Hubble flows. (#36087, @squeed)
  • Allow delegated IPAM to specify uplink interface (#34779, @ruicao93)
  • Batch processing of Service and EndpointSlices up to 200 milliseconds to merge repeated changes to a single Service. This significantly reduces the amount of processing Cilium performs for Services with many EndpointSlices. (#36466, @joamaki)
  • BGP: Introducing metrics for tracking health of BGP subsystem reconcile loop (#36369, @harsimran-pabla)
  • bpffs: Use defaults.BPFFSRoot to distinguish default/custom BPF FS mount location (#36150, @rastislavs)
  • CFP: Egress Gateway Additional NodeSelectors (#35421, @chaunceyjiang)
  • cilium-cli: Derive the default version from cilium/charts (#36344, @michi-covalent)
  • ciliumidentity: Fixes missing enqueue time tracker entries (#36548, @ovidiutirla)
  • docs, daemon: Deprecate high-scale ipcache mode (#36373, @pchaigno)
  • docs: Remove cassandra and memcached examples (#36477, @joestringer)
  • Documentation: Add more details regarding svc lb map sizing. (#36217, @tommyp1ckles)
  • endpoint: Add an option to lock endpoints down (that is, drop all traffic) when their policy maps overflow. (#35042, @nathanjsweet)
  • envoy: Bump cilium-envoy to latest version (#36295, @sayboras)
  • hive/metrics: Fix flaky test (#36418, @ovidiutirla)
  • k8s: Bump k8s to v1.32.0 (#36534, @sayboras)
  • k8s: Bump k8s to v1.32.rc-2 (#36412, @sayboras)
  • operator: Add more common metrics to operator (kvstore, rate-limiting, version) (#36014, @odinuge)
  • service: Cap number of backends included in monitor message (#36394, @joamaki)
  • The agent now tries to deduplicate the strings and maps holding Kubernetes labels and annotations to reduce overall memory consumption. (#36294, @joamaki)

Bugfixes:

  • Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (#36484, @julianwiedmann)
  • bgpv2: Do not fail if PeerAddress is not configured for a peer (#36488, @rastislavs)
  • Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (#36252, @bimmlerd)
  • cilium: LB source ranges fixes (#36517, @borkmann)
  • DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (#36142, @jrajahalme)
  • Do not leak ipcache entries when apiserver entities are cluster external (#35868, @hemanthmalla)
  • eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (#36617, @sderoe)
  • Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (#36176, @tamilmani1989)
  • gateway-api: Fix gateway checks for namespace (#35452, @sayboras)
  • helm: avoid setting bpf-lb-sock-terminate-pod-connections (#36508, @ysksuzuki)
  • metrics/features: remove reporting metrics' defaults by default (#36298, @aanm)
  • Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (#36504, @viktor-kurchenko)
  • sysctlfix: close systemd config file before triggering reload (#36368, @dylandreimerink)
  • ui: drop CORS headers from api response (#35762, @geakstr)

CI Changes:

Misc Changes:

  • .gitattributes: Syntax highlight bpftrace script (#36512, @pchaigno)
  • .github/workflows: do not fail ginkgo if unable to fetch features (#36461, @aanm)
  • .github: fix conformance-k8s NP test (#36355, @aanm)
  • Add documentation for feature metrics (#36579, @aanm)
  • Add Kakao to USERS.md (#36630, @gyutaeb)
  • Add policy-related features tracking in Cilium agent as prometheus metrics (#36203, @aanm)
  • Add test for generation and extraction of debug symbols. Add debug symbol support for gdb. (#36515, @EricMountain)
  • Add the tls:// prefix in the Hubble TLS doc (#36410, @liyihuang)
  • Add versioning to drop notify events. (#35413, @sypakine)
  • api: silence warning if API response failed due to connection closed (#36332, @giorio94)
  • bgp: remove metallb-bgp documentation (#36306, @harsimran-pabla)
  • bpf: add host_wg_encrypt hook (#36266, @rgo3)
  • bpf: Avoid implicit shorten-64-to-32 in clang 19 (#36186, @sayboras)
  • bpf: host: exit early when to-host handles to-proxy traffic (#36395, @julianwiedmann)
  • bpf: host: minor cleanups (#36574, @julianwiedmann)
  • bpf: host: misc improvements for cil_from_netdev() / cil_from_host() (#36360, @julianwiedmann)
  • bpf: host: remove unused code in handle_netdev() (#36328, @julianwiedmann)
  • bpf: nodeport: forward L7 svc traffic straight to proxy (#36383, @julianwiedmann)
  • bpf: proxy: cleanup ctx_redirect_to_proxy_first_tproxy() (#36382, @julianwiedmann)
  • bpf: proxy: split out the TPROXY parts from ctx_redirect_to_proxy_first() (#36327, @julianwiedmann)
  • build(deps): bump tornado from 6.4.1 to 6.4.2 in /Documentation (#36586, @dependabot[bot])
  • Bump github.com/mdlayher/arp to latest, adjust usage (#36571, @tklauser)
  • Bump StateDB to v0.3.4 and refactor db command usages (#36325, @joamaki)
  • certloader: prevent panic when Watcher.Stop is called multiple times (#36366, @devodev)
  • chore(deps): update all github action dependencies (main) (#36439, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#36501, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#36605, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#36436, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#36606, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (#36316, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (#36440, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (#36499, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.16.22 (main) (#36500, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.21 (main) (#36420, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.22 (main) (#36514, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.23.4 docker digest to 7003184 (main) (#36604, @cilium-renovate[bot])
  • chore(deps): update go to v1.23.4 (main) (#36437, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.3-1733229491-16e43f505747e9351d9e96927f02d72eecffa3e4 (main) (#36348, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.4-1733710912-e119b3d3cbe9727886d0a502a5dcfc3d55acbe58 (main) (#36453, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.4-1734096493-fff09f16c2c269b22509c86dfc1d3e8f52eb3857 (main) (#36607, @cilium-renovate[bot])
  • Cilium-cli connectivity test now supports use of parallel requests with curl (#35949, @jrajahalme)
  • cilium: Dump supported svc annotations (#36353, @borkmann)
  • cilium: streamline lb mode config to lb alg (#36297, @borkmann)
  • CODEOWNERS: Add feature owners for masquerade (#36378, @joestringer)
  • CODEOWNERS: create new group hubble-metrics (#35991, @rectified95)
  • Connectivity tests with L7 policies and port ranges are skipped on Cilium releases prior to 1.17. (#36460, @jrajahalme)
  • connectivity: run client-egress-to-cidrgroup-deny conditionally (#36426, @aanm)
  • contrib: suppress noop taint removal (#36539, @nebril)
  • daemon: disable dependent bpf-sock-lb options if bpf-sock-lb=false (#36396, @tklauser)
  • datapath/linux: Fix neighbor table index conversions (#36429, @rastislavs)
  • datapath/linux: Remove device's neighbors upon device deletion (#36424, @rastislavs)
  • datapath/tables: Add Neighbor statedb table and populate it in Devices Controller (#36317, @rastislavs)
  • Decouple orchestrator from the local node store multicast stream (#36331, @pippolo84)
  • defaults: bump FQDN max ips per host (#36255, @bimmlerd)
  • docs: Add missing default identity label in the description of identity-relevant labels' example (#36558, @liyihuang)
  • docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (#36549, @verysonglaa)
  • docs: Fix typo in multi-pool section title (#36305, @joestringer)
  • docs: system-requirements: require 5.4 kernel (#36386, @julianwiedmann)
  • Don't mark KVstoreLeaseTTL flag as hidden (#36380, @hemanthmalla)
  • Endpoint populate new policymap early if empty (#36361, @jrajahalme)
  • endpoint: stop regenerating all endpoints on every identity allocation; switch to periodic regens instead. (#35815, @squeed)
  • Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (#36417, @EricMountain)
  • envoy: Pass tofqdns-proxy-response-max-delay to Envoy (#36330, @jrajahalme)
  • envoy: remove incorrect comments (#36385, @tklauser)
  • envoy: update to latest version (#36622, @mhofstetter)
  • experimental: ShadowInstances from many sources (#35810, @DamianSawicki)
  • fix(deps): update all go dependencies main (main) (#36272, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#36454, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#36550, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (#36438, @cilium-renovate[bot])
  • fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (main) (#36529, @cilium-renovate[bot])
  • fix: set netpol disablement values before disabling CEP (#36339, @jshr-w)
  • images: Use cilium-builder image instead of golang to build hubble (#35697, @learnitall)
  • ipcache: Remove metric for idempotent operations (#35367, @joestringer)
  • Isolate node-to-node encryption tests to wireguard (#36556, @ldelossa)
  • k8s: Bump k8s to v1.32.rc-1 (#36352, @sayboras)
  • lock: Remove StoppableWaitGroup.Done(), return done function from Add() (#35892, @joamaki)
  • Lower interval for icmp probes and stop on first success (#36400, @marseel)
  • maglev: Cleanup implementation (#35885, @joamaki)
  • make: Fix kind-image-fast-agent (#36545, @brb)
  • make: Fix kind-image-fast-agent from scratch (#36587, @joestringer)
  • make: Update cilium-bugtool upon fast target (#36516, @brb)
  • metrics/features: enable ClusterMesh (#36402, @aanm)
  • metrics: Sample metrics periodically and dump samples as part of sysdump (#35916, @joamaki)
  • Miscellaneous improvements and fixes concerning the endpoints UID checks and surrounding logic (#36392, @giorio94)
  • Miscellaneous improvements to the etcd ListAndWatch implementation (#36091, @giorio94)
  • node: remove refresh parameter from NodeNeighborRefresh (#36319, @mhofstetter)
  • nodemanager: cleanup clusternodesclient (#36315, @mhofstetter)
  • pkg/endpoint: delete unused const backupDirectorySuffix in directory.go (#36601, @Sm0ckingBird)
  • Policy: move ingestion to cell, batch updates (#36044, @squeed)
  • Prepare for release v1.17.0-pre.3 (#36300, @cilium-release-bot[bot])
  • Prepare v1.17 stable branch (#36627, @aanm)
  • promise: Replace go routine with context.AfterFunc (#36185, @gandro)
  • proxy: Take proxy port reference for new redirects immediately (#36435, @jrajahalme)
  • proxyports: Resolve data races in test (#36399, @jrajahalme)
  • proxyports: Sleep a bit longer in tests (#36389, @jrajahalme)
  • README: Update releases (#36304, @aanm)
  • renovate: do not pin digest for helm/kind-action (#36459, @aanm)
  • renovate: re-enable updates for github.com/mdlayher/arp (#36542, @tklauser)
  • Update documentation for egress masquerading behavior (#36267, @liyihuang)
  • Update Service Mesh Makefile targets (#36350, @youngnick)
  • Use bash syntax to consume env variable (#36544, @ferozsalam)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.0-rc.0@sha256:fd460ee60e3d5dc785128539aa4cf7e2f797b994602d27ec69146eb50fbf4b95

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.0-rc.0@sha256:f02419adf8265518f464a15a5434cbdab870b60930a2f0017a3bd0d9cd6f77d7

docker-plugin

quay.io/cilium/docker-plugin:v1.17.0-rc.0@sha256:79e817b338e9921c093d3dac80005054f37a3bf96f37b54cfbbe8a7f5e9920dc

hubble-relay

quay.io/cilium/hubble-relay:v1.17.0-rc.0@sha256:ecf1a7133c73603a59dacabb2ca3756b938465bc05d78396e3bca3afd63b90ed

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.0-rc.0@sha256:296eadb324441538049996ae3a780db1ac909d98c9f820fdeee110023fbf3a94

operator-aws

quay.io/cilium/operator-aws:v1.17.0-rc.0@sha256:f204409d9fb9e176a062c16eb9f6c564bbed450b06409f3f2afe9cbddb9af8fe

operator-azure

quay.io/cilium/operator-azure:v1.17.0-rc.0@sha256:9e77740f394b0ec27c6a51f6bee239e40fc9f5b3cd70bd7bcc4244c1ad538ea7

operator-generic

quay.io/cilium/operator-generic:v1.17.0-rc.0@sha256:2b60ecc195ed929113e49d648aad491981153693a905bff93d5939f93c97bd8f

operator

quay.io/cilium/operator:v1.17.0-rc.0@sha256:cdac6386e20e1520d42a9e1b94e8ce5d3736562c44fe4b0da35cb3ddbdeea68f
