This is the release for v1.7.0. The summary of changes reflects the diff between tag v1.6.6 and v1.7.0.
Upgrade Guide
https://docs.cilium.io/en/v1.7/install/upgrade/#upgrade-guide
Summary of Changes
Major Changes:
- Add direct server return (DSR) for NodePort BPF (#9473, @brb)
- Add support for k8s 1.17 (#9661, @aanm)
- Add support for k8s endpoint slice (#9762, @aanm)
- Add support for L7 visibility via pod annotations (#9210, @ianvernon)
- Clusterwide K8s Cilium Network Policies (#9381, #9669, @fristonio)
- Envoy TLS support with header imposition (#9486, @jrajahalme)
Minor Changes:
- Add --kube-proxy-replacement flag to control enabling of kube-proxy replacement in BPF (#9992, @brb)
- Add ability to create tags on the ENIs the cilium-operator creates. (#9412, @ungureanuvladvictor)
- Add cilium_version metric (#9623, @ChristineTChen)
- add CLI to introspect state of daemon's `NameManager` field (#9132, @ianvernon)
- Add enable-local-node-route option (#9505, @jraby)
- Add gops to cilium-cni (#9568, @jraby)
- Add more detailed proxy redirects status to `cilium status` (Backport PR #10132, Upstream PR #10082, @joestringer)
- add option to hold cilium agent after init container (Backport PR #10132, Upstream PR #10101, @aanm)
- add support for go modules (#8719, @aanm)
- Add support for HealthCheckNodePort in NodePort BPF (#9906, @gandro)
- Added CRD validation for ciliumnodes.cilium.io (#9655, @ungureanuvladvictor)
- Adding USERS directory to create a list of Cilium users (#9810, @tgraf)
- Adds `--endpoint` argument to `fqdn cache list` to show the cache just for a specific endpoint. (#9334, @ungureanuvladvictor)
- Adds a support for a service of the LoadBalancer type when running Cilium without kube-proxy. (#9694, @brb)
- agent: Mark --lb feature deprecated for removal in 1.7 (#8786, @tgraf)
- Allow icmp fragmentation needed agent option (#8218, @fristonio)
- Allow setting timeout on cilium status command (#9625, @ashrayjain)
- bpf: Add bind{4,6} programs to block NodePorts (#9880, @gandro)
- bpf: improve DumpReliablyWithCallback (#9972, @rolinh)
- bpf: Report original source IP in TRACE_TO_LXC (#9321, @tgraf)
- cilium cleanup removes previously installed NodePort BPF programs (Backport PR #10072, Upstream PR #10063, @brb)
- cilium: lock GC walks for global CT maps to serialize deletions (#9645, @borkmann)
- clustermesh: Add cilium status section (Backport PR #10212, Upstream PR #10169, @tgraf)
- cmd: add zsh as an option for completion (#9882, @tonyluj)
- Connection-based DNS policy (#9497, @raybejjani)
- daemon,cli: Improve kube-proxy-replacement status (Backport PR #10132, Upstream PR #10083, @brb)
- daemon: Add KubeProxyReplacement to cilium status cmd (Backport PR #10072, Upstream PR #10059, @brb)
- daemon: Fix race condition when syncing services with k8s (#9341, @brb)
- Deprecate/Delete support for monitor v1.0 socket (#9650, @soumynathan)
- docs: bump minimal k8s supported version to v1.11.0 (#9477, @aanm)
- docs: remove disable container runtime documentation (#9868, @aanm)
- docs: Update kube-router getting started guide (Backport PR #10183, Upstream PR #10159, @brb)
- docs: Upgrade about tofqdns-min-ttl default and zombies (#9737, @raybejjani)
- Documentation: Switch EKS documentation to default to ENI (Backport PR #10132, Upstream PR #10126, @tgraf)
- Enable provisioning of K8s services in ipv4 and ipv6 when running in dual-stack mode (#9760, @brb)
- ENI IPAM: Ensure that DeleteOnTermination defaults to true (#9406, @lbernail)
- eni: Allow overwriting AWS instance limit via agent configuration (#9236, @jaffcheng)
- Envoy is updated to release 1.12.1 (#9608, @jrajahalme)
- Fix implementation of k8s external IPs as described in kubernetes documentation (#9092, @aanm)
- Get rid of LB backend weights (#9254, @brb)
- Getting started guide to TLS-visibility (Backport PR #10072, Upstream PR #9808, @danwent)
- golang: update to 1.13.6 (#9872, @aanm)
- golang: update to 1.13.8 (Backport PR #10212, Upstream PR #10179, @aanm)
- HTTPS URL of kube-apiserver can be specified via "--k8s-api-server" from now on. (#9198, @brb)
- Improve monitor aggregation flexibility (#9177, @joestringer)
- Reduce cilium-agent binary size (#9306, @joestringer)
- Introduce identity for remote nodes (#8841, @tgraf)
- ipcache: Add cilium monitor events and expose it via API (#9268, @gandro)
- Istio support is updated to version 1.4.3 (#9968, @jrajahalme)
- k8s: Allow `_` in CNP CRD toFQDNs validation (#9179, @raybejjani)
- kubernetes: Updated connectivity check (Backport PR #10153, Upstream PR #10104, @tgraf)
- logging: add way to configure logging level via cilium-agent option (#8607, @ianvernon)
- Make Agent Prometheus Exporter port configurable (#9584, @Antiarchitect)
- Make FirstInterfaceIndex a pointer on ENI spec (#9745, @ungureanuvladvictor)
- monitor/api: Export map of trace observation points (#9135, @tgraf)
- monitor/api: Export message type names (#9151, @tgraf)
- monitor: Export trace observation point via API (#9119, @tgraf)
- On-demand policy wildcarding (Backport PR #10153, Upstream PR #10054, @jrajahalme)
- pkg/endpoint: add policy visibility status into CiliumEndpoint (#9601, @aanm)
- pkg/k8s: add support for multi-stack (#9215, @aanm)
- pkg/k8s: use local stores to fetch pod information from k8s (#9586, @aanm)
- plugins/cilium-cni: disable CNI debug messages by default (#9493, @aanm)
- policy: Disable well-known identities for non-managed etcd (#9698, @tgraf)
- policy: Reject ingress rules with DNS policies (#8558, @iffyio)
- Relax limits for maximum number of CIDR prefixes (40 -> unlimited) (#9724, @joestringer)
- Remove /96 IPv6 CIDR constraint which makes cilium to work in k8s dual-stack mode (#9777, @brb)
- Remove bpf_lb.c and friends (#9199, @brb)
- Remove container runtime dependencies (#9447, @aanm)
- Rename "Policy denied (L3)" to "Policy denied" (#9951, @tgraf)
- Restrict ENI usage to IPv4 (#8843, @tgraf)
- RFC: k8s / operator: offload CNPNodeStatus updates to cilium-operator (#9384, @ianvernon)
- service: Notify monitor about service updates (#9574, @gandro)
- service: Store and expose service name and namespace (#9554, @gandro)
- ServiceMonitor should default to release namespace (Backport PR #10132, Upstream PR #10088, @dsexton)
- Support for externalTrafficPolicy=Local in NodePort BPF (#9764, @gandro)
- Support v4-in-v6 mapped addresses in BPF host reachable services. (#9923, @borkmann)
- Update to golang 1.13.1 (#9279, @aanm)
- Update to k8s libraries to 1.17.0 (#9744, @aanm)
- Use helm repository in docs (#9783, @ap4y)
Bugfixes:
- Add better mechanism to detect if k8s caches are synced against k8s (#9400, @aanm)
- api: Add missing annotations to generate DeepCopy for new status fields (Backport PR #10183, Upstream PR #10166, @tgraf)
- bpf: Fix proxy redirection for egress programs (Backport PR #10153, Upstream PR #10113, @tgraf)
- bpf: Remove POLICY_MAP from bpf_netdev and bpf_overlay (#9949, @tgraf)
- cilium: use %v for dumping frontend struct on error (#9845, @borkmann)
- Correct clustermesh identity sync kvstore backend usage (to actually use the remote) (Backport PR #10212, Upstream PR #10185, @raybejjani)
- daemon: Upgrade spf13/viper (#9796, @raybejjani)
- eni: Check instance existence before resolving deficit (#9676, @jaffcheng)
- Filter out bpftool probes emitting dmesg messages (Backport PR #10183, Upstream PR #10164, @mrostecki)
- Fix cilium daemonset deletion on AKS (#9519, @mlushpenko)
- Fix concurrent access of a variable used for metrics (Backport PR #10183, Upstream PR #10137, @aanm)
- Fix issue (#10092) which incorrectly configured route MTU with encryption and tunnel enabled. (Backport PR #10225, Upstream PR #10218, @jrfastab)
- Fix memory corruption on clusters with IPv6 and NodePort enabled (Backport PR #10212, Upstream PR #10192, @aanm)
- Fix node-port default route detection in case there are multiple default entries with same ifindex. (#9844, @borkmann)
- Fix regression to avoid freeing alive IPs (Backport PR #10225, Upstream PR #10207, @tgraf)
- Fix regular service lookup in node-port range in case of host-reachable services. (#9843, @borkmann)
- Fix Unlock handling for kvstore locks (#9973, @aanm)
- Fix vishvananda/netlink library's VethPeerIndex() stack corruption with 4.20+ kernels. (#9588, @borkmann)
- fqdn: Support setting tofqdns-min-ttl to 0 (#9743, @raybejjani)
- health: add ipv6 health check status to cilium health status output (#8766, @fristonio)
- HostToContainer propagation for /sys/fs/bpf (#9575, @jraby)
- ipam: Protect release from releasing alive IP (Backport PR #10072, Upstream PR #10066, @tgraf)
- ipcache: Add probe to check for dump capability to support delete (Backport PR #10153, Upstream PR #10144, @tgraf)
- ipsec: fix connectivity after node reboots (#9866, @martin31821)
- k8s: Fix Service.DeepEquals for ExternalIP (#9690, @brb)
- kubernetes: Disable LocalNodeRoute while chaining (Backport PR #10072, Upstream PR #10057, @tgraf)
- node: Provide context in log when restoring router addresses (#9947, @tgraf)
- operator: only enable kvstore watcher if kvstore is enabled (#9963, @aanm)
- pkg/bpf: Protect each uintptr with runtime.KeepAlive (Backport PR #10212, Upstream PR #10168, @brb)
- pkg/endpoint: access endpoint state safely across go routines (Backport PR #10183, Upstream PR #10140, @aanm)
- pkg/ip: fix cilium status output for big CIDR ranges (#9936, @aanm)
- policy: Don't open localhost when allowing L7 traffic (#9162, @joestringer)
- policy: Expose L3 selectors within endpoint JSON (#8610, @iffyio)
CI Changes:
- [CI] add release name to helm template calls (Backport PR #10072, Upstream PR #10062, @nebril)
- [CI] add timeout to vm boot retries (#9816, @nebril)
- [CI] allow to specify focus via GH comment (#9667, @nebril)
- [CI] fallback to binary k8s install (#9271, @nebril)
- [CI] fix /var/log/journal mount in log gatherer (#9668, @nebril)
- [CI] Fix path to print-node-ip script in jenkinsfile (Backport PR #10132, Upstream PR #10112, @nebril)
- [CI] Mark runtime memcache tests as pending (#9955, @nebril)
- [CI] Mark TLS policy test as pending (Backport PR #10225, Upstream PR #10219, @nebril)
- [CI] move docker images to node local registry (#9329, @nebril)
- [CI] Node affinity based on labels not hostname (#9365, @nebril)
- [CI] parallel image build and cluster setup for eks (#9714, @nebril)
- [CI] Retry validating kubeconfig (#9931, @nebril)
- [CI] set $HOME in parallel builds to avoid cache pollution (#9932, @nebril)
- [CI] switch to new HOME only for ginkgo calls (#9971, @nebril)
- Add eks specific jenkinsfile (#9353, @nebril)
- add externalIPs and kube-proxy test matrix (#9849, @aanm)
- Add retry to curl call in basic TLS policy test (#9957, @nebril)
- Add support for running ginkgo tests in microk8s clusters (#9253, @joestringer)
- Add tests for a service annotated with externalTrafficPolicy=Local (#9728, @brb)
- Bump cilium/ubuntu-next version to 42 (#9926, @gandro)
- CI Fixups for EKS (#9675, @raybejjani)
- CI fixups to run on GKE (#9853, @raybejjani)
- CI Fixups to target other runtimes (#9189, @raybejjani)
- CI: Add CNI_INTEGRATION=minikube support (#9261, @raybejjani)
- CI: Add HTTP tests to DatapathConfiguration tests (#9233, @joestringer)
- CI: Delete then create namespaces in policy tests (#9706, @raybejjani)
- CI: Determine and set K8s version in GKE pipeline (#10025, @raybejjani)
- CI: ExecInPods returns an error when no pods are found (#9705, @raybejjani)
- CI: Fix typo setting kubeconfig variable from registry (#9520, @raybejjani)
- CI: Fixups for local runs (#9595, @raybejjani)
- CI: PolicyTest toEntities All (Backport PR #10072, Upstream PR #10051, @raybejjani)
- CI: Set CILIUM_REGISTRY in k8s provisioning scripts (#10006, @gandro)
- CI: Switch WaitforDeamonset/Deploy to shorter poll timeout (#8720, @raybejjani)
- eni: Deep copy CiliumNode resource before storing it in the node (#9893, @jrajahalme)
- Extend bpf verifier tests to test socket programs (#9339, @joestringer)
- Fix service restoration and extend CI for externalTrafficPolicy=Local services (#9778, @gandro)
- Fix upgrade guide for v1.7 and replicate it in a CI test (Backport PR #10153, Upstream PR #9993, @aanm)
- Fixup FQDN tests to run on GKE & EKS (#9990, @raybejjani)
- ginkgo.Jenkinsfile: set k8s nodes back to 2 (#9908, @aanm)
- GKE jenkinsfile (#9876, @nebril)
- Gopkg.toml: update kevinburke/ssh_config dependency (#8689, @kevinburke)
- Move GKE release cluster out of timeout block (#10022, @nebril)
- policy/api: Add tests for reserved:unmanaged match (#8725, @joestringer)
- Remove microscope helpers from testing packages (#9596, @mdevilliers)
- Revert "[CI] add timeout to vm boot retries" (#9967, @aanm)
- Revert "Revert "[CI] add timeout to vm boot retries"" (#9976, @nebril)
- Run CI tests with kube-proxy being disabled (#9901, @brb)
- Set CILIUM_REGISTRY in provisioning scripts (#9991, @nebril)
- Support local testing with one k8s VM. (#9681, @jrajahalme)
- Test against k8s 1.16.2 (#9448, @aanm)
- test/K8sServices: Add Tests for UDP connectivity (Backport PR #10072, Upstream PR #9997, @gandro)
- test/packet: fix packet terraform scripts (#9850, @aanm)
- test: add capability to specify images / skip K8s provisioning (#8748, @ianvernon)
- test: Add conntrack entry timeout validation tests. (#9771, @valas)
- test: Add Kubernetes Service CI tests for IPv6 (Backport PR #10153, Upstream PR #10115, @gandro)
- test: add script which pulls images which have not been pulled during VM provisioning (#8921, @ianvernon)
- test: add some extra narration statements / remove unneeded helper function call (#8846, @ianvernon)
- test: bpf: Fix load for cgroups progs (Backport PR #10183, Upstream PR #10156, @joestringer)
- test: Delete Cilium DS before changing startup options. (#9891, @jrajahalme)
- test: Extend MetalLB test case (#9723, @brb)
- test: Improve skipping of k8sT/Services.go tests (Backport PR #10072, Upstream PR #10047, @brb)
- test: Make helm fetch more quiet (#9799, @joestringer)
- test: Remove cilium DS before installing a new one (Backport PR #10132, Upstream PR #10039, @brb)
- test: remove microscope test (#9075, @ianvernon)
- test: skip installing Helm if user has skipped k8s provisioning (#8835, @ianvernon)
- test: Temporarily disable Istio CI test (#8821, @tgraf)
- tests: test nodeport connectivity via v4-in-v6 sockets (Backport PR #10072, Upstream PR #10053, @borkmann)
- tests: update complexity check script to include new calls (Backport PR #10183, Upstream PR #10106, @fristonio)
- update k8s test versions to 1.14.10, 1.15.7 and 1.16.4 (#9867, @aanm)
- Use proper helm value in CI clusters (#8973, @nebril)
- vagrant: remove unnecessary print statements (#9860, @rolinh)
- VMs: bump development VM images (#10001, @aanm)
Misc Changes:
- .github: add github actions to cilium (#9709, @aanm)
- .github: Clarify release-notes section (#9664, @joestringer)
- .travis: disable go modules when installing dependencies (#9462, @aanm)
- [CI] Fix log gathering (#9267, @nebril)
- add 2020 copyright (#9975, @aanm)
- Add a note on ignoring br_netfilter preflight check (#9229, @bai)
- Add ability to query EC2 ENI instance limits via ec2:DescribeInstanceTypes (#9699, @ungureanuvladvictor)
- Add Adobe to USERS.md (#9852, @dharmab)
- Add alignchecker tests for event notification format (#9426, @joestringer)
- Add cilium-monitor sidecar container for agent pods (#9815, @ap4y)
- add context.Context to Daemon (#9437, @ianvernon)
- Add Datadog to users (#9862, @lbernail)
- Add helm charts packaging steps to the release script (#9772, @ap4y)
- Add MAINTAINERS file (#9598, @tgraf)
- Add Palantir Technologies to USERS.md (#9836, @ungureanuvladvictor)
- Add required etcd version for external etcd guide (Backport PR #10153, Upstream PR #10147, @nebril)
- Add service manager (#9274, @brb)
- Add unit tests for pkg/service.Service (#9289, @brb)
- add uswitch to users.md (#9875, @Joseph-Irving)
- Added support for `restartPods` Helm chart option when running node-init on EKS. (#9740, @tom-hadlaw-hs)
- api/v1: update swagger to v0.20.1 (#9444, @aanm)
- api: Remove remnants of RedirectPort (#9082, @jrajahalme)
- backporting: add 'upstream-prs' tag for code block (#10033, @aanm)
- BPF and XDP reference guide: mention BPF Performance Tools in further readings (#9928, @brandshaide)
- BPF kernel probes based on bpftool (#9789, @mrostecki)
- bpf, nat: initially try snat by preserving source port (#9813, @borkmann)
- bpf, nodeport: add nodeport flag to nodeport services (#9857, @borkmann)
- bpf, sock: fix post-bind-sock{4,6} not found in ELF file (Backport PR #10132, Upstream PR #10124, @borkmann)
- bpf, sock: only attach v6 hooks in v4-only mode when v6 is available (#10027, @borkmann)
- bpf, sock: reduce xlation for externalTrafficPolicy=Local to host_id (#9930, @borkmann)
- bpf: Add unit tests for __ct_lookup() (#9304, @joestringer)
- bpf: Compile bpf_netdev.c with build permutations (#9861, @brb)
- bpf: compile out service lookup entirely on kubeProxyReplacement=disa… (Backport PR #10072, Upstream PR #10060, @borkmann)
- bpf: fix sock6_xlate when not all host service protocols are enabled (#9847, @borkmann)
- bpf: Fix space hack in Makefile (Backport PR #10183, Upstream PR #10173, @brb)
- bpf: Get rid of unused lb6_{key,service} structs (#9141, @brb)
- bpf: Remove bpf_netdev.o from previously used devices (Backport PR #10132, Upstream PR #10087, @brb)
- bpf: Remove unused BPF feature probes/macros (#9802, @mrostecki)
- bpf_sock fixes for nodeport (#10014, @borkmann)
- bugtool: Dump NAT BPF maps entries with bpftool (Backport PR #10212, Upstream PR #10190, @brb)
- bump golang to 1.13.3 (#9433, @aanm)
- bump k8s client libraries to v1.17.0-rc.2 (#9713, @aanm)
- charts: Generate versions from VERSION file (Backport PR #10183, Upstream PR #10171, @joestringer)
- CI: Add test for healthCheckNodePort in NodePort BPF (Backport PR #10072, Upstream PR #9977, @gandro)
- cilium: encryption fixes for ipv6 and tear down (#9649, @jrfastab)
- cilium: fix disconnects on operator restarts when using ipsec (#9612, @jrfastab)
- Clean up misc verifier-test.sh functionality (#9325, @joestringer)
- Clean up reference counting of ipcache prefix lengths (#9050, @joestringer)
- Cleanup service.UpsertService method (#9350, @brb)
- cli: Print node list header before the actual list of nodes. (#9295, @ungureanuvladvictor)
- cli: Warn if --rev flag is used with cilium service update (#9319, @brb)
- cmd: replace deprecated Command.SetOutput() (#9881, @tonyluj)
- cni: Try to enable IPv6 only if necessary (#9492, @mrostecki)
- CODEOWNERS: change Vagrant-related files to be owned by cilium/ci (#8788, @ianvernon)
- Connection aware DNS proxy fixups (#9648, @raybejjani)
- contrib/vagrant: change iptables helper message to tcp (#9884, @aanm)
- contrib/vagrant: fix reading VM_MEMORY/VM_CPUS from env vars (#9945, @rolinh)
- contrib: Fix 'reset' variable declaration (#9559, @joestringer)
- contrib: Update minikube script (#9216, @mrostecki)
- controller: add `Context` to `ControllerParams` (#9500, @ianvernon)
- controller: do not return controller from `UpdateController` (#8894, @ianvernon)
- Correct Contributing link in README (#9060, @cjmakes)
- Correct information about required Go version (#9091, @mrostecki)
- cosmetic: Improve identity / allocator logs (#9662, @joestringer)
- daemon: cancel context for daemon before running cleanup functions (#9487, @ianvernon)
- daemon: Check for no selector update need earlier. (#9396, @jrajahalme)
- daemon: don't hold endpoint BuildMutex while deleting (#8744, @ianvernon)
- daemon: Exit early if NodePort BPF and IPSec is enabled (#9946, @brb)
- daemon: factor out generation of endpoint labels model into `pkg/endpoint` (#8976, @ianvernon)
- daemon: factor out more code into files owned by more specific codeowners (#9122, @ianvernon)
- daemon: fix outdated comment (#9438, @ianvernon)
- daemon: group cleanup-related variables into type (#9524, @ianvernon)
- daemon: make policy repository member of policy get handler (#9440, @ianvernon)
- daemon: misc. cleanup and splitting up of code into separate files (#9048, @ianvernon)
- daemon: move base program compile to loader pkg (#9488, @ianvernon)
- daemon: Move some sysctl writes from bpf/init.sh (#9005, @brb)
- daemon: remove unneeded Daemon field from `RuleReactionEvent` (#9453, @ianvernon)
- datapath: Add DSR IPv6 implementation (#9895, @brb)
- datapath: Do not check rev_nat_id in IPv6 addr (#9952, @brb)
- datapath: Do not return len in find_dsr_v6 (#9933, @brb)
- datapath: make `Datapath` an `IptablesManager` (#9516, @ianvernon)
- datapath: Return error if default route is not found (#9859, @brb)
- dev-vm: update etcd to v3.4.2 and k8s to v1.16.2 (#9463, @aanm)
- dev: set tcp for NFS in development VMs (#9879, @aanm)
- doc: add note about adding the 'kind/backports' label when backporting (#9964, @rolinh)
- doc: Document L7 limitation in azure-cni chaining mode (Backport PR #10153, Upstream PR #10131, @tgraf)
- doc: Mark encryption as stable for direct-routing and ENI mode (Backport PR #10153, Upstream PR #10142, @tgraf)
- doc: the namespace is wrong when validating cilium on Azure CNI (#9717, @soumynathan)
- doc: update BPF instruction limit (#9727, @florianl)
- doc: update instructions about restarting pods after deployment (Backport PR #10072, Upstream PR #10028, @rolinh)
- Dockerfile: Bump cilium/iproute2 (#9911, @gandro)
- docs: add etcd related upgrade notes for v1.7 (#9109, @aanm)
- docs: add instructions to update VM images (#9999, @aanm)
- docs: add libelf-devel to development setup (#10032, @tklauser)
- docs: add policy visibility status documentation (#9670, @aanm)
- docs: add section for stable releases to readme (#9131, @borkmann)
- docs: add setup validation howto to kube-proxy-free guide (Backport PR #10132, Upstream PR #10086, @borkmann)
- docs: Describe how to read from tracing pipe (#9665, @joestringer)
- docs: document kube-proxy replacement modes (Backport PR #10072, Upstream PR #10073, @borkmann)
- docs: extend further readings section to a separate file (#9178, @fristonio)
- docs: Fix broken contributing links (#9077, @jaffcheng)
- docs: fix kubernetes configmap (#9824, @aanm)
- docs: fix link for Cilium-PR-Kubernetes-Upstream job (Backport PR #10212, Upstream PR #10178, @tklauser)
- docs: fix spelling issues in clusterwide policy docs (#9602, @fristonio)
- docs: Fix up gke install guide (#10037, @joestringer)
- docs: Fix up nodeport limitations (#9621, @joestringer)
- docs: fixed padding after code blocks (Backport PR #10153, Upstream PR #10143, @geakstr)
- docs: Include env variable in EKS e2e examples (#9726, @raybejjani)
- docs: Keep externalTrafficPolicy=Local limitation in NodePort BPF (#9674, @brb)
- docs: Mention direct routing mode requirement for DSR (Backport PR #10153, Upstream PR #10149, @gandro)
- docs: Minor improvements to GKE guide (Backport PR #10183, Upstream PR #10150, @pchaigno)
- docs: re-wrote wording for the behavior of 'fromEndpoints' (#9544, @aanm)
- docs: revamp kube-proxy-free gsg (Backport PR #10072, Upstream PR #10069, @borkmann)
- docs: update docs for `--aws-release-excess-ips` (#9569, @jaffcheng)
- docs: update supported k8s versions (#9310, @aanm)
- docs: Use kube-system namespace consistently in Encryption guide (Backport PR #10183, Upstream PR #10162, @pchaigno)
- Documentation: add proxy visibility information (#9530, @ianvernon)
- Documentation: add script to add misspelled words (#9578, @aanm)
- Documentation: Document potential conflict of ENI with DHCP agents (#9934, @tgraf)
- Documentation: improve CI documentation organization / remove stale information (#9457, @ianvernon)
- Documentation: Improve external etcd documentation wording (#9478, @mpeiffer)
- Documentation: remove LTS references (#9494, @ianvernon)
- Documentation: remove microscope reference (#9472, @ianvernon)
- Documentation: remove stale GH issue link (#9471, @ianvernon)
- Documentation: split up contributing guide into smaller, more focused documents (#9456, @ianvernon)
- Documentation: update release guide (#9496, @ianvernon)
- Documentation: update to account for new CNPNodeStatus capabilities (#9531, @ianvernon)
- endpoint: clean up exposure of functions / remove unneeded functions (#9121, @ianvernon)
- endpoint: cleanup how build permits are acquired (#9234, @ianvernon)
- endpoint: create distinct type for restoring (#8941, @ianvernon)
- endpoint: create separate interface for proxy (#9157, @ianvernon)
- endpoint: do not export `EventQueue` (#9080, @ianvernon)
- endpoint: do not export `Status` field (#9068, @ianvernon)
- endpoint: do not export additional fields (#9170, @ianvernon)
- endpoint: do not export endpoint locking functions (#9142, @ianvernon)
- endpoint: do not export various fields (#9012, @ianvernon)
- endpoint: factor out waiting for first regeneration during creation into separate function (#9073, @ianvernon)
- endpoint: hide restore operations inside Endpoint package (#8972, @ianvernon)
- endpoint: make policyMap private (#8863, @ianvernon)
- endpoint: move `TestReadEpsFromDirNames` to `pkg/endpoint` (#8997, @ianvernon)
- endpoint: move api-related functions to `api.go` (#8991, @ianvernon)
- endpoint: move deletion deadlock unit test to `pkg/endpoint` (#9067, @ianvernon)
- endpoint: move deletion into Endpoint package, remove acquisition of Endpoint locks in EndpointManager (#9025, @ianvernon)
- endpoint: move patching update functionality to pkg/endpoint (#8968, @ianvernon)
- endpoint: reduce exported functionality (#9191, @ianvernon)
- endpoint: refactor Docker + IPVLAN interactions (#8974, @ianvernon)
- endpoint: refactor how default policy enforcement configuration is performed (#9120, @ianvernon)
- endpoint: refactor proxy-related functioning to not access endpoint mutex directly (#9070, @ianvernon)
- endpoint: remove most cases of direct access to `OpLabels` (#9069, @ianvernon)
- endpoint: remove need to expose read-locking in `updateEndpointsCaches` (#8977, @ianvernon)
- endpoint: remove unused `HealthCEPPrefix` string (#8896, @ianvernon)
- endpoint: Remove useless restore log message (#9256, @joestringer)
- endpointmanager: add EndpointManager type and remove package-level variables (#8742, @ianvernon)
- endpointmanager: remove unneeded calls to `UpdateLogger` (#9158, @ianvernon)
- eni node_manager unit test improvements (#9756, @jaffcheng)
- Envoy has been updated to release 1.12. (#9542, @jrajahalme)
- Envoy TLS fixes (#9820, @jrajahalme)
- envoy: Use TypedConfig for Envoy filters (#9889, @jrajahalme)
- examples: Remove obsolete k8s-ingress example (#9419, @brb)
- Expands the CiliumNode ENI spec to include `security-group-tags` which allows selecting the security groups associated to the newly created ENI to be filtered by tags. (#9702, @ungureanuvladvictor)
- Extend coverage of connectivity test (Backport PR #10153, Upstream PR #10141, @tgraf)
- factor out conntrack GC into separate package (#9160, @ianvernon)
- Fix configuration of monitor aggregation flags (#9418, @joestringer)
- Fix helm subchart versions (#9826, @ap4y)
- Fix Service6ValueV2 padding and add missing align tags (#9286, @brb)
- Fix table markdown spacing issue (#9801, @dhsathiya)
- fix typo in bpf/lib/lb.h (#9378, @BSWANG)
- Fix typo in documentation (#9739, @vpnachev)
- Fixes #9470: Add clean Makefile target to Documentation (#9506, @rhcu)
- fqdn: Avoid races when updating global cache on GC (#9483, @raybejjani)
- github: remove github actions integration (#9731, @aanm)
- GO_VERSION: set golang version to 1.13.5 (#9761, @aanm)
- golang: update to 1.13.4 (#9565, @aanm)
- golang: update to 1.13.7 (#9985, @aanm)
- health: Quieten health launch log (#9538, @joestringer)
- helm: Add deps for quick-install.yaml target in Makefile (#9759, @brb)
- identity: create `CachingIdentityAllocator` type (#9066, @ianvernon)
- Improve 1.7 upgrade and nodeport documentation (#9634, @joestringer)
- Improve cilium getEndpointList function (#9240, @fristonio)
- Improve debuggability of custom chain flush/delete (#8692, @joestringer)
- improve kernel probe for host reachable services and fix compile warns (Backport PR #10132, Upstream PR #10111, @borkmann)
- Improve nodeinit uninstalls by reverting nodeinit changes (#9757, @ap4y)
- Improve policy documentation (#9763, @joestringer)
- Improve the 'Setting up Cluster Mesh' page. (#9725, @bmcstdio)
- Improve the uploadrev script (#9787, @joestringer)
- ipcache: Associate IPs with K8s namespace and pod name (#9237, @gandro)
- ipcache: Fix ipcache pod IP update (Backport PR #10132, Upstream PR #10098, @joestringer)
- k8s/types: fix missing deepcopy of SpecPodCIDRs in Node structure (#9239, @aanm)
- k8s: Remove unused types.Ingress (#9701, @brb)
- k8s: update libraries to v1.17.1 (#9883, @aanm)
- kubernetes: Remove obsolete scheduler annotation (#8829, @gandro)
- kvstore: clean up casting around kvstore.Encode (#9138, @borancar)
- kvstore: plumb context (#9512, @ianvernon)
- LB refactoring leftovers (#9320, @brb)
- Lower default FQDN TTLs and update docs (#9653, @raybejjani)
- make: Remove GOPATH from swagger command (#9632, @mrostecki)
- Makefile: add `docker-plugin-image` target (#9315, @ianvernon)
- Makefile: add automated way to update golang in Dockerfiles (#8927, @ianvernon)
- Makefile: add way to skip starting kvstores, running govet (#8758, @ianvernon)
- Makefile: remove deepcopy for configmap (#9098, @aanm)
- Makefile: remove patch for shell script (#9501, @aanm)
- maps: remove configmap (#8895, @ianvernon)
- meta: Combined bpf changes PR for #9323, #9317, #9324 (#9335, @joestringer)
- minor misc doc updates (#9865, @borkmann)
- Minor test documentation / make targets fixups (#9522, @joestringer)
- misc. daemon cleanup (#9498, @ianvernon)
- misc: Get rid of NEWS.rst (#9197, @brb)
- misc: plumb context throughout cilium codebase (#9523, @ianvernon)
- monitor: Add TraceNotify.DataOffset() (#9441, @joestringer)
- Move --aws-instance-limit-mapping flag to be on the operator (#9693, @ungureanuvladvictor)
- Move k8s_watcher.go to pkg/k8s/watchers (#9434, @aanm)
- node: Remove error return from SetIPv6NodeRange (#9954, @tgraf)
- node: Remove unused PublicAttrEquals func (#9758, @joestringer)
- nodediscovery: remove need for `Configuration` interface (#9499, @ianvernon)
- nodeport fixes (#10040, @borkmann)
- nodeport follow-up improvements for nat (#9822, @borkmann)
- operator/cilium-docker: build images with image arguments (#9312, @aanm)
- operator: Improve identity GC logging (#9804, @tgraf)
- pkg/bpf, pkg/endpoint/connector: use RLIM_INFINITY constant (#9283, @tklauser)
- pkg/lock: fix StoppableWaitGroup tests (#9465, @aanm)
- plumb context to policy, aws packages (#9511, @ianvernon)
- plumb daemon's context to various users of context (#9489, @ianvernon)
- policy: clean a duplicated code (Backport PR #10072, Upstream PR #10016, @zhiyuan0x)
- policy: correctly process "ANY" L4 protocol in annotation (#9425, @ianvernon)
- policy: Error out on missing secrets in policy computation (#9897, @jrajahalme)
- policy: generate explicit allow-all at L7 for DNS-based visibility policy (#9391, @ianvernon)
- policy: rename `IsLabelBased` to `AllowsWildcarding` (#9345, @ianvernon)
- pre-flight: set terminationGracePeriodSeconds to 1 (#8952, @ianvernon)
- Prepare for release v1.7.0-rc3 (#10043, @aanm)
- Rate limit ec2:DescribeSubnets in the EC2 client (#9700, @ungureanuvladvictor)
- README: Add link to Hubble (#9639, @gandro)
- README: update latest v1.6 version to v1.6.2 (#9275, @ianvernon)
- README: update released versions of Cilium (#9181, @ianvernon)
- README: update released versions of Cilium (#9373, @ianvernon)
- README: update weekly meeting hours (#9864, @aanm)
- refactor loader into a type and hide it behind Datapath interface (#8769, @ianvernon)
- Refine the clean up scripts for getting started guides (#9629, @denverdino)
- Restore SVC type after restart (#9896, @brb)
- Revert "Makefile: Fix 'make microk8s' privileges" (#9290, @joestringer)
- RFC: Update CODEOWNERS for specific packages and files (#9044, @ianvernon)
- Run make for install/kubernetes/quick-start.yaml (#9751, @frelon)
- SECURITY.md: update versions of supported releases (#9856, @rolinh)
- service: Remove global ID allocator (#9484, @brb)
- service: Remove optional revNat param and cleanup svc removal (#9227, @brb)
- service: Simplify logic of svc ID allocation (#9213, @brb)
- Small documentation fixes and add release candidate process (#9871, @aanm)
- Supported BPF map types probe based on bpftool (#9795, @mrostecki)
- test README: Fix the documentation link (#9941, @kAworu)
- test: fix ClusterIP IPv6 connectivity checks (Backport PR #10225, Upstream PR #10214, @borkmann)
- test: Fix getNodeInfo in NodePort tests (Backport PR #10225, Upstream PR #10211, @borkmann)
- test: Increase VM provisioning timeout for k8s-1.11 net-next job (#9980, @brb)
- Tidy up backporting documentation (#9560, @joestringer)
- TLS follow-up fixes (#9807, @jrajahalme)
- tools: Add maptool executable to .gitignore (#9420, @brb)
- tools/maptool: run GOCLEAN arguments as part of go clean (#9480, @aanm)
- ubuntu-dev: bump to v164 (#9466, @aanm)
- Unhide --k8s-namespace parameter (#9485, @timoreimann)
- Unit-test wildcard selector equality in rule creation (#9521, @joestringer)
- Update AWS SDK V2 to v0.18.0 (#9770, @ungureanuvladvictor)
- update cilium-runtime with golang 1.13.8 (Backport PR #10225, Upstream PR #10208, @aanm)
- update CODEOWNERS (#10041, @aanm)
- update golang to 1.13.5 (#9749, @aanm)
- Update references to latest releases and projects (#9774, @joestringer)
- update USERS.md: add link to Trip.com's post (#9927, @ArthurChiao)
- update USERS.md: add Trip.com to user list (#9885, @ArthurChiao)
- updates tested k8s version to 1.17.3 (Backport PR #10225, Upstream PR #10215, @aanm)
- use blang/semver for version checking (#9467, @aanm)
- Use config option for security identity swap cool-down period (#9349, @ungureanuvladvictor)
- Use sysctl library and remove redundant sysctl code (#9004, @mrostecki)
- USERS.md: add Sportradar (#9848, @yurrriq)
- vagrant: Install temporary forked bpftool (Backport PR #10212, Upstream PR #10186, @pchaigno)
- vagrant: Remove workaround to MASQ traffic from k8s2 (#9704, @brb)
- vendor: downgrade go-version library due to regression (#9459, @aanm)
- vendor: update client-go to kubernetes v1.16.2 (#9445, @aanm)
- workloads: do not set pod name and namespace via workloads plugin (#8999, @ianvernon)
- workloads: remove `WorkloadOwner` from composing `regeneration.Owner` (#9221, @ianvernon)
Other Changes:
- .github: rename github-actions file (#9780, @aanm)
- [CI] Increase outer timeout of GKE job (#10009, @nebril)
- [CI] set registry in boot vagrant vms steps (#9618, @nebril)
- [CI] Use LocalExecutor if kubeconfig is defined (#8683, @nebril)
- [Docs] CI bisect documentation (#8782, @nebril)
- bpf, nodeport: fix CT GC race where syn/ack reply gets dropped locally (#9687, @borkmann)
- bump minimum supported kubernetes version to 1.11.0 (#8938, @ianvernon)
- cilium: K8s CI testing for sockops (#9685, @jrfastab)
- contrib: Improve rebase-bindata function (#8702, @joestringer)
- Dockerfile: Use Envoy image that always resumes NPDS (#9635, @jrajahalme)
- docs: Document running via kubeconfig on EKS (#9682, @raybejjani)
- endpoint: Check interface value of proxy field (#9479, @brb)
- eni: Fix AWS ENI allocation exceeding IP limits for smaller instances (#9732, @huntermassey)
- Fix 'make microk8s' target (#8984, @joestringer)
- fqdn: Add zombie limit (#9641, @raybejjani)
- Improve Getting Started guides by providing next steps sections (#9679, @genbit)
- lxcmap: refactor `EndpointFrontend` interface (#8877, @ianvernon)
- node/manager: Lock nodes slice during Subscribe (#9495, @joestringer)
- Prepare for release v1.7.0-rc4 (#10170, @joestringer)
- Prepare for v1.7 development (#8653, @ianvernon)
- readme: update info for latest stable branch releases (#9688, @borkmann)
- Revert "test: Temporarily disable Istio CI test" (#8844, @ianvernon)
- test: Add `vagrant-local-start.sh` with preloaded VM support (#9633, @jrajahalme)
- test: Install CoreDNS after Cilium is up (#8772, @tgraf)
- test: Support external DNS lookups also for k8s-1.16 (#9666, @jrajahalme)
- Update GO_VERSION to match builder version (#9995, @ap4y)
- Update USERS.md to include Rapyuta Robotics (#9909, @HackToHell)
- Updating AUTHORS (#9637, @aanm)
- Updating USERS.md to include CENGN (#9942, @mohahmed13)
- vendor: update etcd to v3.4.2 (#9461, @aanm)