helm/cilium/cilium 1.7.0

v1.7.0

on Artifact Hub

This is the release for v1.7.0, the summary of changes reflect the diff between tag v1.6.6 and v1.7.0

Upgrade Guide

https://docs.cilium.io/en/v1.7/install/upgrade/#upgrade-guide

Summary of Changes

Major Changes:

• Add direct server return (DSR) for NodePort BPF (#9473, @brb)
• Add support for k8s 1.17 (#9661, @aanm)
• Add support for k8s endpoint slice (#9762, @aanm)
• Add support for L7 visibility via pod annotations (#9210, @ianvernon)
• Clusterwide K8s Cilium Network Policies (#9381, #9669, @fristonio)
• Envoy TLS support with header imposition (#9486, @jrajahalme)

Minor Changes:

• Add --kube-proxy-replacement flag to control enabling of kube-proxy replacement in BPF (#9992, @brb)
• Add ability to create tags on the ENIs the cilium-operator creates. (#9412, @ungureanuvladvictor)
• Add cilium_version metric (#9623, @ChristineTChen)
• add CLI to introspect state of daemon's NameManager field (#9132, @ianvernon)
• Add enable-local-node-route option (#9505, @jraby)
• Add gops to cilium-cni (#9568, @jraby)
• Add more detailed proxy redirects status to cilium status (Backport PR #10132, Upstream PR #10082, @joestringer)
• add option to hold cilium agent after init container (Backport PR #10132, Upstream PR #10101, @aanm)
• add support for go modules (#8719, @aanm)
• Add support for HealthCheckNodePort in NodePort BPF (#9906, @gandro)
• Added CRD validation for ciliumnodes.cilium.io (#9655, @ungureanuvladvictor)
• Adding USERS directory to create a list of Cilium users (#9810, @tgraf)
• Adds --endpoint argument to fqdn cache list to show the cache just for a specific endpoint. (#9334, @ungureanuvladvictor)
• Adds a support for a service of the LoadBalancer type when running Cilium without kube-proxy. (#9694, @brb)
• agent: Mark --lb feature deprecated for removal in 1.7 (#8786, @tgraf)
• Allow icmp fragmentation needed agent option (#8218, @fristonio)
• Allow setting timeout on cilium status command (#9625, @ashrayjain)
• bpf: Add bind{4,6} programs to block NodePorts (#9880, @gandro)
• bpf: improve DumpReliablyWithCallback (#9972, @rolinh)
• bpf: Report original source IP in TRACE_TO_LXC (#9321, @tgraf)
• cilium cleanup removes previously installed NodePort BPF programs (Backport PR #10072, Upstream PR #10063, @brb)
• cilium: lock GC walks for global CT maps to serialize deletions (#9645, @borkmann)
• clustermesh: Add cilium status section (Backport PR #10212, Upstream PR #10169, @tgraf)
• cmd: add zsh as a option for completion (#9882, @tonyluj)
• Connection-based DNS policy (#9497, @raybejjani)
• daemon,cli: Improve kube-proxy-replacement status (Backport PR #10132, Upstream PR #10083, @brb)
• daemon: Add KubeProxyReplacement to cilium status cmd (Backport PR #10072, Upstream PR #10059, @brb)
• daemon: Fix race condition when syncing services with k8s (#9341, @brb)
• Deprecate/Delete support for monitor v1.0 socket (#9650, @soumynathan)
• docs: bump minimal k8s supported version to v1.11.0 (#9477, @aanm)
• docs: remove disable container runtime documentation (#9868, @aanm)
• docs: Update kube-router getting started guide (Backport PR #10183, Upstream PR #10159, @brb)
• docs: Upgrade about tofqdns-min-ttl default and zombies (#9737, @raybejjani)
• Documentation: Switch EKS documentation to default to ENI (Backport PR #10132, Upstream PR #10126, @tgraf)
• Enable provisioning of K8s services in ipv4 and ipv6 when running in dual-stack mode (#9760, @brb)
• ENI IPAM: Ensure that DeleteOnTermination defaults to true (#9406, @lbernail)
• eni: Allow overwriting AWS instance limit via agent configuration (#9236, @jaffcheng)
• Envoy is updated to release 1.12.1 (#9608, @jrajahalme)
• Fix implementation of k8s external IPs as described in kubernetes documentation (#9092, @aanm)
• Get rid of LB backend weights (#9254, @brb)
• Getting started guide to TLS-visibility (Backport PR #10072, Upstream PR #9808, @danwent)
• golang: update to 1.13.6 (#9872, @aanm)
• golang: update to 1.13.8 (Backport PR #10212, Upstream PR #10179, @aanm)
• HTTPS URL of kube-apiserver can be specified via "--k8s-api-server" from now on. (#9198, @brb)
• Improve monitor aggregation flexibility (#9177, @joestringer)
  Reduce cilium-agent binary size (#9306, @joestringer)
• Introduce identity for remote nodes (#8841, @tgraf)
• ipcache: Add cilium monitor events and expose it via API (#9268, @gandro)
• Istio support is updated to version 1.4.3 (#9968, @jrajahalme)
• k8s: Allow _ in CNP CRD toFQDNs validation (#9179, @raybejjani)
• kubernetes: Updated connectivity check (Backport PR #10153, Upstream PR #10104, @tgraf)
• logging: add way to configure logging level via cilium-agent option (#8607, @ianvernon)
• Make Agent Prometheus Exporter port configurable (#9584, @Antiarchitect)
• Make FirstInterfaceIndex a pointer on ENI spec (#9745, @ungureanuvladvictor)
• monitor/api: Export map of trace observation points (#9135, @tgraf)
• monitor/api: Export message type names (#9151, @tgraf)
• monitor: Export trace observation point via API (#9119, @tgraf)
• On-demand policy wildcarding (Backport PR #10153, Upstream PR #10054, @jrajahalme)
• pkg/endpoint: add policy visibility status into CiliumEndpoint (#9601, @aanm)
• pkg/k8s: add support for multi-stack (#9215, @aanm)
• pkg/k8s: use local stores to fetch pod information from k8s (#9586, @aanm)
• plugins/cilium-cni: disable CNI debug messages by default (#9493, @aanm)
• policy: Disable well-known identities for non-managed etcd (#9698, @tgraf)
• policy: Reject ingress rules with DNS policies (#8558, @iffyio)
• Relax limits for maximum number of CIDR prefixes (40 -> unlimited) (#9724, @joestringer)
• Remove /96 IPv6 CIDR constraint which makes cilium to work in k8s dual-stack mode (#9777, @brb)
• Remove bpf_lb.c and friends (#9199, @brb)
• Remove container runtime dependencies (#9447, @aanm)
• Rename "Policy denied (L3)" to "Policy denied" (#9951, @tgraf)
• Restrict ENI usage to IPv4 (#8843, @tgraf)
• RFC: k8s / operator: offload CNPNodeStatus updates to cilium-operator (#9384, @ianvernon)
• service: Notify monitor about service updates (#9574, @gandro)
• service: Store and expose service name and namespace (#9554, @gandro)
• ServiceMonitor should default to release namespace (Backport PR #10132, Upstream PR #10088, @dsexton)
• Support for externalTrafficPolicy=Local in NodePort BPF (#9764, @gandro)
• Support v4-in-v6 mapped addresses in BPF host reachable services. (#9923, @borkmann)
• Update to golang 1.13.1 (#9279, @aanm)
• Update to k8s libraries to 1.17.0 (#9744, @aanm)
• Use helm repository in docs (#9783, @ap4y)

Bugfixes:

• Add better mechanism to detect if k8s caches are synced against k8s (#9400, @aanm)
• api: Add missing annotations to generate DeepCopy for new status fields (Backport PR #10183, Upstream PR #10166, @tgraf)
• bpf: Fix proxy redirection for egress programs (Backport PR #10153, Upstream PR #10113, @tgraf)
• bpf: Remove POLICY_MAP from bpf_netdev and bpf_overlay (#9949, @tgraf)
• cilium: use %v for dumping frontend struct on error (#9845, @borkmann)
• Correct clustermesh identity sync kvstore backend usage (to actually use the remote) (Backport PR #10212, Upstream PR #10185, @raybejjani)
• daemon: Upgrade spf13/viper (#9796, @raybejjani)
• eni: Check instance existence before resolving deficit (#9676, @jaffcheng)
• Filter out bpftool probes emitting dmesg messages (Backport PR #10183, Upstream PR #10164, @mrostecki)
• Fix cilium daemonset deletion on AKS (#9519, @mlushpenko)
• Fix concurrent access of a variable used for metrics (Backport PR #10183, Upstream PR #10137, @aanm)
• Fix issue (#10092) which incorrectly configured route MTU with encryption and tunnel enabled. (Backport PR #10225, Upstream PR #10218, @jrfastab)
• Fix memory corruption on clusters with IPv6 and NodePort enabled (Backport PR #10212, Upstream PR #10192, @aanm)
• Fix node-port default route detection in case there multiple default entries with same ifindex. (#9844, @borkmann)
• Fix regression to avoid freeing alive IPs (Backport PR #10225, Upstream PR #10207, @tgraf)
• Fix regular service lookup in node-port range in case of host-reachable services. (#9843, @borkmann)
• Fix Unlock handling for kvstore locks (#9973, @aanm)
• Fix vishvananda/netlink library's VethPeerIndex() stack corruption with 4.20+ kernels. (#9588, @borkmann)
• fqdn: Support setting tofqdns-min-ttl to 0 (#9743, @raybejjani)
• health: add ipv6 health check status to cilium health status output (#8766, @fristonio)
• HostToContainer propagation for /sys/fs/bpf (#9575, @jraby)
• ipam: Protect release from releasing alive IP (Backport PR #10072, Upstream PR #10066, @tgraf)
• ipcache: Add probe to check for dump capability to support delete (Backport PR #10153, Upstream PR #10144, @tgraf)
• ipsec: fix connectivity after node reboots (#9866, @martin31821)
• k8s: Fix Service.DeepEquals for ExternalIP (#9690, @brb)
• kubernetes: Disable LocalNodeRoute while chaining (Backport PR #10072, Upstream PR #10057, @tgraf)
• node: Provide context in log when restoring router addresses (#9947, @tgraf)
• operator: only enable kvstore watcher if kvstore is enabled (#9963, @aanm)
• pkg/bpf: Protect each uintptr with runtime.KeepAlive (Backport PR #10212, Upstream PR #10168, @brb)
• pkg/endpoint: access endpoint state safely across go routines (Backport PR #10183, Upstream PR #10140, @aanm)
• pkg/ip: fix cilium status output for big CIDR ranges (#9936, @aanm)
• policy: Don't open localhost when allowing L7 traffic (#9162, @joestringer)
• policy: Expose L3 selectors within endpoint JSON (#8610, @iffyio)

CI Changes:

• [CI] add release name to helm template calls (Backport PR #10072, Upstream PR #10062, @nebril)
• [CI] add timeout to vm boot retries (#9816, @nebril)
• [CI] allow to specify focus via GH comment (#9667, @nebril)
• [CI] fallback to binary k8s install (#9271, @nebril)
• [CI] fix /var/log/journal mount in log gatherer (#9668, @nebril)
• [CI] Fix path to print-node-ip script in jenkinsfile (Backport PR #10132, Upstream PR #10112, @nebril)
• [CI] Mark runtime memcache tests as pending (#9955, @nebril)
• [CI] Mark TLS policy test as pending (Backport PR #10225, Upstream PR #10219, @nebril)
• [CI] move docker images to node local registry (#9329, @nebril)
• [CI] Node affinity based on labels not hostname (#9365, @nebril)
• [CI] parallel image build and cluster setup for eks (#9714, @nebril)
• [CI] Retry validating kubeconfig (#9931, @nebril)
• [CI] set $HOME in parallel builds to avoid cache pollution (#9932, @nebril)
• [CI] switch to new HOME only for ginkgo calls (#9971, @nebril)
• Add eks specific jenkinsfile (#9353, @nebril)
• add externalIPs and kube-proxy test matrix (#9849, @aanm)
• Add retry to curl call in basic TLS policy test (#9957, @nebril)
• Add support for running ginkgo tests in microk8s clusters (#9253, @joestringer)
• Add tests for a service annotated with externalTrafficPolicy=Local (#9728, @brb)
• Bump cilium/ubuntu-next version to 42 (#9926, @gandro)
• CI Fixups for EKS (#9675, @raybejjani)
• CI fixups to run on GKE (#9853, @raybejjani)
• CI Fixups to target other runtimes (#9189, @raybejjani)
• CI: Add CNI_INTEGRATION=minikube support (#9261, @raybejjani)
• CI: Add HTTP tests to DatapathConfiguration tests (#9233, @joestringer)
• CI: Delete then create namespaces in policy tests (#9706, @raybejjani)
• CI: Determine and set K8s version in GKE pipeline (#10025, @raybejjani)
• CI: ExecInPods returns an error when no pods are found (#9705, @raybejjani)
• CI: Fix typo setting kubeconfig variable from registry (#9520, @raybejjani)
• CI: Fixups for local runs (#9595, @raybejjani)
• CI: PolicyTest toEntities All (Backport PR #10072, Upstream PR #10051, @raybejjani)
• CI: Set CILIUM_REGISTRY in k8s provisioning scripts (#10006, @gandro)
• CI: Switch WaitforDeamonset/Deploy to shorter poll timeout (#8720, @raybejjani)
• eni: Deep copy CiliumNode resource before storing it in the node (#9893, @jrajahalme)
• Extend bpf verifier tests to test socket programs (#9339, @joestringer)
• Fix service restoration and extend CI for externalTrafficPolicy=Local services (#9778, @gandro)
• Fix upgrade guide for v1.7 and replicate it in a CI test (Backport PR #10153, Upstream PR #9993, @aanm)
• Fixup FQDN tests to run on GKE & EKS (#9990, @raybejjani)
• ginkgo.Jenkinsfile: set k8s nodes back to 2 (#9908, @aanm)
• GKE jenkinsfile (#9876, @nebril)
• Gopkg.toml: update kevinburke/ssh_config dependency (#8689, @kevinburke)
• Move GKE release cluster out of timeout block (#10022, @nebril)
• policy/api: Add tests for reserved:unmanaged match (#8725, @joestringer)
• Remove microscope helpers from testing packages (#9596, @mdevilliers)
• Revert "[CI] add timeout to vm boot retries" (#9967, @aanm)
• Revert "Revert "[CI] add timeout to vm boot retries"" (#9976, @nebril)
• Run CI tests with kube-proxy being disabled (#9901, @brb)
• Set CILIUM_REGISTRY in provisioning scritps (#9991, @nebril)
• Support local testing with one k8s VM. (#9681, @jrajahalme)
• Test against k8s 1.16.2 (#9448, @aanm)
• test/K8sServices: Add Tests for UDP connectivity (Backport PR #10072, Upstream PR #9997, @gandro)
• test/packet: fix packet terraform scripts (#9850, @aanm)
• test: add capability to specify images / skip K8s provisioning (#8748, @ianvernon)
• test: Add conntrack entry timeout validation tests. (#9771, @valas)
• test: Add Kubernetes Service CI tests for IPv6 (Backport PR #10153, Upstream PR #10115, @gandro)
• test: add script which pulls images which have not been pulled during VM provisioning (#8921, @ianvernon)
• test: add some extra narration statements / remove unneeded helper function call (#8846, @ianvernon)
• test: bpf: Fix load for cgroups progs (Backport PR #10183, Upstream PR #10156, @joestringer)
• test: Delete Cilium DS before changing startup options. (#9891, @jrajahalme)
• test: Extend MetalLB test case (#9723, @brb)
• test: Improve skipping of k8sT/Services.go tests (Backport PR #10072, Upstream PR #10047, @brb)
• test: Make helm fetch more quiet (#9799, @joestringer)
• test: Remove cilium DS before installing a new one (Backport PR #10132, Upstream PR #10039, @brb)
• test: remove microscope test (#9075, @ianvernon)
• test: skip installing Helm if user has skipped k8s provisioning (#8835, @ianvernon)
• test: Temporarily disable Istio CI test (#8821, @tgraf)
• tests: test nodeport connectivity via v4-in-v6 sockets (Backport PR #10072, Upstream PR #10053, @borkmann)
• tests: update complexity check script to include new calls (Backport PR #10183, Upstream PR #10106, @fristonio)
• update k8s test versions to 1.14.10, 1.15.7 and 1.16.4 (#9867, @aanm)
• Use proper helm value in CI clusters (#8973, @nebril)
• vagrant: remove unnecessary print statements (#9860, @rolinh)
• VMs: bump development VM images (#10001, @aanm)

Misc Changes:

• .github: add github actions to cilium (#9709, @aanm)
• .github: Clarify release-notes section (#9664, @joestringer)
• .travis: disable go modules when installing dependencies (#9462, @aanm)
• [CI] Fix log gathering (#9267, @nebril)
• add 2020 copyright (#9975, @aanm)
• Add a note on ignoring br_netfilter preflight check (#9229, @bai)
• Add ability to query EC2 ENI instance limits via ec2:DescribeInstanceTypes (#9699, @ungureanuvladvictor)
• Add Adobe to USERS.md (#9852, @dharmab)
• Add alignchecker tests for event notification format (#9426, @joestringer)
• Add cilium-monitor sidecar container for agent pods (#9815, @ap4y)
• add context.Context to Daemon (#9437, @ianvernon)
• Add Datadog to users (#9862, @lbernail)
• Add helm charts packaging steps to the release script (#9772, @ap4y)
• Add MAINTAINERS file (#9598, @tgraf)
• Add Palantir Technologies to USERS.md (#9836, @ungureanuvladvictor)
• Add required etcd version for external etcd guide (Backport PR #10153, Upstream PR #10147, @nebril)
• Add service manager (#9274, @brb)
• Add unit tests for pkg/service.Service (#9289, @brb)
• add uswitch to users.md (#9875, @Joseph-Irving)
• Added support for restartPods Helm chart option when running node-init on EKS. (#9740, @tom-hadlaw-hs)
• api/v1: update swagger to v0.20.1 (#9444, @aanm)
• api: Remove remnants of RedirectPort (#9082, @jrajahalme)
• backporting: add 'upstream-prs' tag for code block (#10033, @aanm)
• BPF and XDP reference guide: mention BPF Performance Tools in further readings (#9928, @brandshaide)
• BPF kernel probes based on bpftool (#9789, @mrostecki)
• bpf, nat: initially try snat by preserving source port (#9813, @borkmann)
• bpf, nodeport: add nodeport flag to nodeport services (#9857, @borkmann)
• bpf, sock: fix post-bind-sock{4,6} not found in ELF file (Backport PR #10132, Upstream PR #10124, @borkmann)
• bpf, sock: only attach v6 hooks in v4-only mode when v6 is available (#10027, @borkmann)
• bpf, sock: reduce xlation for externalTrafficPolicy=Local to host_id (#9930, @borkmann)
• bpf: Add unit tests for __ct_lookup() (#9304, @joestringer)
• bpf: Compile bpf_netdev.c with build permutations (#9861, @brb)
• bpf: compile out service lookup entirely on kubeProxyReplacement=disa… (Backport PR #10072, Upstream PR #10060, @borkmann)
• bpf: fix sock6_xlate when not all host service protocols are enabled (#9847, @borkmann)
• bpf: Fix space hack in Makefile (Backport PR #10183, Upstream PR #10173, @brb)
• bpf: Get rid of unused lb6_{key,service} structs (#9141, @brb)
• bpf: Remove bpf_netdev.o from previously used devices (Backport PR #10132, Upstream PR #10087, @brb)
• bpf: Remove unused BPF feature probes/macros (#9802, @mrostecki)
• bpf_sock fixes for nodeport (#10014, @borkmann)
• bugtool: Dump NAT BPF maps entries with bpftool (Backport PR #10212, Upstream PR #10190, @brb)
• bump golang to 1.13.3 (#9433, @aanm)
• bump k8s client libraries to v1.17.0-rc.2 (#9713, @aanm)
• charts: Generate versions from VERSION file (Backport PR #10183, Upstream PR #10171, @joestringer)
• CI: Add test for healthCheckNodePort in NodePort BPF (Backport PR #10072, Upstream PR #9977, @gandro)
• cilium: encryption fixes for ipv6 and tear down (#9649, @jrfastab)
• cilium: fix disconnects on operator restarts when using ipsec (#9612, @jrfastab)
• Clean up misc verifier-test.sh functionality (#9325, @joestringer)
• Clean up reference counting of ipcache prefix lengths (#9050, @joestringer)
• Cleanup service.UpsertService method (#9350, @brb)
• cli: Print node list header before the actual list of nodes. (#9295, @ungureanuvladvictor)
• cli: Warn if --rev flag is used with cilium service update (#9319, @brb)
• cmd: replace deprecated Command.SetOutput() (#9881, @tonyluj)
• cni: Try to enable IPv6 only if necessary (#9492, @mrostecki)
• CODEOWNERS: change Vagrant-related files to be owned by cilium/ci (#8788, @ianvernon)
• Connection aware DNS proxy fixups (#9648, @raybejjani)
• contrib/vagrant: change iptables helper message to tcp (#9884, @aanm)
• contrib/vagrant: fix reading VM_MEMORY/VM_CPUS from env vars (#9945, @rolinh)
• contrib: Fix 'reset' variable declaration (#9559, @joestringer)
• contrib: Update minikube script (#9216, @mrostecki)
• controller: add Context to ControllerParams (#9500, @ianvernon)
• controller: do not return controller from UpdateController (#8894, @ianvernon)
• Correct Contributing link in README (#9060, @cjmakes)
• Correct information about required Go version (#9091, @mrostecki)
• cosmetic: Improve identity / allocator logs (#9662, @joestringer)
• daemon: cancel context for daemon before running cleanup functions (#9487, @ianvernon)
• daemon: Check for no selector update need earlier. (#9396, @jrajahalme)
• daemon: don't hold endpoint BuildMutex while deleting (#8744, @ianvernon)
• daemon: Exit early if NodePort BPF and IPSec is enabled (#9946, @brb)
• daemon: factor out generation of endpoint labels model into pkg/endpoint (#8976, @ianvernon)
• daemon: factor out more code into files owned by more specific codeowners (#9122, @ianvernon)
• daemon: fix outdated comment (#9438, @ianvernon)
• daemon: group cleanup-related variables into type (#9524, @ianvernon)
• daemon: make policy repository member of policy get handler (#9440, @ianvernon)
• daemon: misc. cleanup and splitting up of code into separate files (#9048, @ianvernon)
• daemon: move base program compile to loader pkg (#9488, @ianvernon)
• daemon: Move some sysctl writes from bpf/init.sh (#9005, @brb)
• daemon: remove unneeded Daemon field from RuleReactionEvent (#9453, @ianvernon)
• datapath: Add DSR IPv6 implementation (#9895, @brb)
• datapath: Do not check rev_nat_id in IPv6 addr (#9952, @brb)
• datapath: Do not return len in find_dsr_v6 (#9933, @brb)
• datapath: make Datapath an IptablesManager (#9516, @ianvernon)
• datapath: Return error if default route is not found (#9859, @brb)
• dev-vm: update etcd to v3.4.2 and k8s to v1.16.2 (#9463, @aanm)
• dev: set tcp for NFS in development VMs (#9879, @aanm)
• doc: add note about adding the 'kind/backports' label when backporting (#9964, @rolinh)
• doc: Document L7 limitation in azure-cni chaining mode (Backport PR #10153, Upstream PR #10131, @tgraf)
• doc: Mark encryption as stable for direct-routing and ENI mode (Backport PR #10153, Upstream PR #10142, @tgraf)
• doc: the namespace is wrong when validating cilium on Azure CNI (#9717, @soumynathan)
• doc: update BPF instruction limit (#9727, @florianl)
• doc: update instructions about restarting pods after deployment (Backport PR #10072, Upstream PR #10028, @rolinh)
• Dockerfile: Bump cilium/iproute2 (#9911, @gandro)
• docs: add etcd related upgrade notes for v1.7 (#9109, @aanm)
• docs: add instructions to update VM images (#9999, @aanm)
• docs: add libelf-devel to development setup (#10032, @tklauser)
• docs: add policy visibility status documentation (#9670, @aanm)
• docs: add section for stable releases to readme (#9131, @borkmann)
• docs: add setup validation howto to kube-proxy-free guide (Backport PR #10132, Upstream PR #10086, @borkmann)
• docs: Describe how to read from tracing pipe (#9665, @joestringer)
• docs: document kube-proxy replacement modes (Backport PR #10072, Upstream PR #10073, @borkmann)
• docs: extend further readings section to a separate file (#9178, @fristonio)
• docs: Fix broken contributing links (#9077, @jaffcheng)
• docs: fix kubernetes configmap (#9824, @aanm)
• docs: fix link for Cilium-PR-Kubernetes-Upstream job (Backport PR #10212, Upstream PR #10178, @tklauser)
• docs: fix spelling issues in clusterwide policy docs (#9602, @fristonio)
• docs: Fix up gke install guide (#10037, @joestringer)
• docs: Fix up nodeport limitations (#9621, @joestringer)
• docs: fixed padding after code blocks (Backport PR #10153, Upstream PR #10143, @geakstr)
• docs: Include env variable in EKS e2e examples (#9726, @raybejjani)
• docs: Keep externalTrafficPolicy=Local limitation in NodePort BPF (#9674, @brb)
• docs: Mention direct routing mode requirement for DSR (Backport PR #10153, Upstream PR #10149, @gandro)
• docs: Minor improvements to GKE guide (Backport PR #10183, Upstream PR #10150, @pchaigno)
• docs: re-wrote wording for the behavior of 'fromEndpoints' (#9544, @aanm)
• docs: revamp kube-proxy-free gsg (Backport PR #10072, Upstream PR #10069, @borkmann)
• docs: update docs for --aws-release-excess-ips (#9569, @jaffcheng)
• docs: update supported k8s versions (#9310, @aanm)
• docs: Use kube-system namespace consistently in Encryption guide (Backport PR #10183, Upstream PR #10162, @pchaigno)
• Documentation: add proxy visibility information (#9530, @ianvernon)
• Documentation: add script to add misspelled words (#9578, @aanm)
• Documentation: Document potential conflict of ENI with DHCP agents (#9934, @tgraf)
• Documentation: improve CI documentation organization / remove stale information (#9457, @ianvernon)
• Documentation: Improve external etcd documentation wording (#9478, @mpeiffer)
• Documentation: remove LTS references (#9494, @ianvernon)
• Documentation: remove microscope reference (#9472, @ianvernon)
• Documentation: remove stale GH issue link (#9471, @ianvernon)
• Documentation: split up contributing guide into smaller, more focused documents (#9456, @ianvernon)
• Documentation: update release guide (#9496, @ianvernon)
• Documentation: update to account for new CNPNodeStatus capabilities (#9531, @ianvernon)
• endpoint: clean up exposure of functions / remove unneeded functions (#9121, @ianvernon)
• endpoint: cleanup how build permits are acquired (#9234, @ianvernon)
• endpoint: create distinct type for restoring (#8941, @ianvernon)
• endpoint: create separate interface for proxy (#9157, @ianvernon)
• endpoint: do not export EventQueue (#9080, @ianvernon)
• endpoint: do not export Status field (#9068, @ianvernon)
• endpoint: do not export additional fields (#9170, @ianvernon)
• endpoint: do not export endpoint locking functions (#9142, @ianvernon)
• endpoint: do not export various fields (#9012, @ianvernon)
• endpoint: factor out waiting for first regeneration during creation into separate function (#9073, @ianvernon)
• endpoint: hide restore operations inside Endpoint package (#8972, @ianvernon)
• endpoint: make policyMap private (#8863, @ianvernon)
• endpoint: move TestReadEpsFromDirNames to pkg/endpoint (#8997, @ianvernon)
• endpoint: move api-related functions to api.go (#8991, @ianvernon)
• endpoint: move deletion deadlock unit test to pkg/endpoint (#9067, @ianvernon)
• endpoint: move deletion into Endpoint package, remove acquisition of Endpoint locks in EndpointManager (#9025, @ianvernon)
• endpoint: move patching update functionality to pkg/endpoint (#8968, @ianvernon)
• endpoint: reduce exported functionality (#9191, @ianvernon)
• endpoint: refactor Docker + IPVLAN interactions (#8974, @ianvernon)
• endpoint: refactor how default policy enforcement configuration is performed (#9120, @ianvernon)
• endpoint: refactor proxy-related functioning to not access endpoint mutex directly (#9070, @ianvernon)
• endpoint: remove most cases of direct access to OpLabels (#9069, @ianvernon)
• endpoint: remove need to expose read-locking in updateEndpointsCaches (#8977, @ianvernon)
• endpoint: remove unused HealthCEPPrefix string (#8896, @ianvernon)
• endpoint: Remove useless restore log message (#9256, @joestringer)
• endpointmanager: add EndpointManager type and remove package-level variables (#8742, @ianvernon)
• endpointmanager: remove unneeded calls to UpdateLogger (#9158, @ianvernon)
• eni node_manager unit test improvements (#9756, @jaffcheng)
• Envoy has been updated to release 1.12. (#9542, @jrajahalme)
• Envoy TLS fixes (#9820, @jrajahalme)
• envoy: Use TypedConfig for Envoy filters (#9889, @jrajahalme)
• examples: Remove obsolete k8s-ingress example (#9419, @brb)
• Expands the CiliumNode ENI spec to include security-group-tags which allows selecting the security groups associated to the newly created ENI to be filtered by tags. (#9702, @ungureanuvladvictor)
• Extend coverage of connectivity test (Backport PR #10153, Upstream PR #10141, @tgraf)
• factor out conntrack GC into separate package (#9160, @ianvernon)
• Fix configuration of monitor aggregation flags (#9418, @joestringer)
• Fix helm subchart versions (#9826, @ap4y)
• Fix Service6ValueV2 padding and add missing align tags (#9286, @brb)
• Fix table markdown spacing issue (#9801, @dhsathiya)
• fix typo in bpf/lib/lb.h (#9378, @BSWANG)
• Fix typo in documentation (#9739, @vpnachev)
• Fixes #9470: Add clean Makefile target to Documentation (#9506, @rhcu)
• fqdn: Avoid races when updating global cache on GC (#9483, @raybejjani)
• github: remove github actions integration (#9731, @aanm)
• GO_VERSION: set golang version to 1.13.5 (#9761, @aanm)
• golang: update to 1.13.4 (#9565, @aanm)
• golang: update to 1.13.7 (#9985, @aanm)
• health: Quieten health launch log (#9538, @joestringer)
• helm: Add deps for quick-install.yaml target in Makefile (#9759, @brb)
• identity: create CachingIdentityAllocator type (#9066, @ianvernon)
• Improve 1.7 upgrade and nodeport documentation (#9634, @joestringer)
• Improve cilium getEndpointList function (#9240, @fristonio)
• Improve debuggability of custom chain flush/delete (#8692, @joestringer)
• improve kernel probe for host reachable services and fix compile warns (Backport PR #10132, Upstream PR #10111, @borkmann)
• Improve nodeinit uninstalls by reverting nodeinit changes (#9757, @ap4y)
• Improve policy documentation (#9763, @joestringer)
• Improve the 'Setting up Cluster Mesh' page. (#9725, @bmcstdio)
• Improve the uploadrev script (#9787, @joestringer)
• ipcache: Associate IPs with K8s namespace and pod name (#9237, @gandro)
• ipcache: Fix ipcache pod IP update (Backport PR #10132, Upstream PR #10098, @joestringer)
• k8s/types: fix missing deepcopy of SpecPodCIDRs in Node structure (#9239, @aanm)
• k8s: Remove unused types.Ingress (#9701, @brb)
• k8s: update libraries to v1.17.1 (#9883, @aanm)
• kubernetes: Remove obsolete scheduler annotation (#8829, @gandro)
• kvstore: clean up casting around kvstore.Encode (#9138, @borancar)
• kvstore: plumb context (#9512, @ianvernon)
• LB refactoring leftovers (#9320, @brb)
• Lower default FQDN TTLs and update docs (#9653, @raybejjani)
• make: Remove GOPATH from swagger command (#9632, @mrostecki)
• Makefile: add docker-plugin-image target (#9315, @ianvernon)
• Makefile: add automated way to update golang in Dockerfiles (#8927, @ianvernon)
• Makefile: add way to skip starting kvstores, running govet (#8758, @ianvernon)
• Makefile: remove deepcopy for configmap (#9098, @aanm)
• Makefile: remove patch for shell script (#9501, @aanm)
• maps: remove configmap (#8895, @ianvernon)
• meta: Combined bpf changes PR for #9323, #9317, #9324 (#9335, @joestringer)
• minor misc doc updates (#9865, @borkmann)
• Minor test documentation / make targets fixups (#9522, @joestringer)
• misc. daemon cleanup (#9498, @ianvernon)
• misc: Get rid of NEWS.rst (#9197, @brb)
• misc: plumb context throughout cilium codebase (#9523, @ianvernon)
• monitor: Add TraceNotify.DataOffset() (#9441, @joestringer)
• Move --aws-instance-limit-mapping flag to be on the operator (#9693, @ungureanuvladvictor)
• Move k8s_watcher.go to pkg/k8s/watchers (#9434, @aanm)
• node: Remove error return from SetIPv6NodeRange (#9954, @tgraf)
• node: Remove unused PublicAttrEquals func (#9758, @joestringer)
• nodediscovery: remove need for Configuration interface (#9499, @ianvernon)
• nodeport fixes (#10040, @borkmann)
• nodeport follow-up improvements for nat (#9822, @borkmann)
• operator/cilium-docker: build images with image arguments (#9312, @aanm)
• operator: Improve identity GC logging (#9804, @tgraf)
• pkg/bpf, pkg/endpoint/connector: use RLIM_INFINITY constant (#9283, @tklauser)
• pkg/lock: fix StoppableWaitGroup tests (#9465, @aanm)
• plumb context to policy, aws packages (#9511, @ianvernon)
• plumb daemon's context to various users of context (#9489, @ianvernon)
• policy: clean a duplicated code (Backport PR #10072, Upstream PR #10016, @zhiyuan0x)
• policy: correctly process "ANY" L4 protocol in annotation (#9425, @ianvernon)
• policy: Error out on missing secrets in policy computation (#9897, @jrajahalme)
• policy: generate explicit allow-all at L7 for DNS-based visibility policy (#9391, @ianvernon)
• policy: rename IsLabelBased to AllowsWildcarding (#9345, @ianvernon)
• pre-flight: set terminationGracePeriodSeconds to 1 (#8952, @ianvernon)
• Prepare for release v1.7.0-rc3 (#10043, @aanm)
• Rate limit ec2:DescribeSubnets in the EC2 client (#9700, @ungureanuvladvictor)
• README: Add link to Hubble (#9639, @gandro)
• README: update latest v1.6 version to v1.6.2 (#9275, @ianvernon)
• README: update released versions of Cilium (#9181, @ianvernon)
• README: update released versions of Cilium (#9373, @ianvernon)
• README: update weekly meeting hours (#9864, @aanm)
• refactor loader into a type and hide it behind Datapath interface (#8769, @ianvernon)
• Refine the clean up scripts for getting started guides (#9629, @denverdino)
• Restore SVC type after restart (#9896, @brb)
• Revert "Makefile: Fix 'make microk8s' privileges" (#9290, @joestringer)
• RFC: Update CODEOWNERS for specific packages and files (#9044, @ianvernon)
• Run make for install/kubernetes/quick-start.yaml (#9751, @frelon)
• SECURITY.md: update versions of supported releases (#9856, @rolinh)
• service: Remove global ID allocator (#9484, @brb)
• service: Remove optional revNat param and cleanup svc removal (#9227, @brb)
• service: Simplify logic of svc ID allocation (#9213, @brb)
• Small documentation fixes and add release candidate process (#9871, @aanm)
• Supported BPF map types probe based on bpftool (#9795, @mrostecki)
• test README: Fix the documentation link (#9941, @kAworu)
• test: fix ClusterIP IPv6 connectivity checks (Backport PR #10225, Upstream PR #10214, @borkmann)
• test: Fix getNodeInfo in NodePort tests (Backport PR #10225, Upstream PR #10211, @borkmann)
• test: Increase VM provisioning timeout for k8s-1.11 net-next job (#9980, @brb)
• Tidy up backporting documentation (#9560, @joestringer)
• TLS follow-up fixes (#9807, @jrajahalme)
• tools: Add maptool executable to .gitignore (#9420, @brb)
• toops/maptool: run GOCLEAN arguments as part of go clean (#9480, @aanm)
• ubuntu-dev: bump to v164 (#9466, @aanm)
• Unhide --k8s-namespace parameter (#9485, @timoreimann)
• Unit-test wildcard selector equality in rule creation (#9521, @joestringer)
• Update AWS SDK V2 to v0.18.0 (#9770, @ungureanuvladvictor)
• update cilium-runtime with golang 1.13.8 (Backport PR #10225, Upstream PR #10208, @aanm)
• update CODEOWNERS (#10041, @aanm)
• update golang to 1.13.5 (#9749, @aanm)
• Update references to latest releases and projects (#9774, @joestringer)
• update USERS.md: add link to Trip.com's post (#9927, @ArthurChiao)
• update USERS.md: add Trip.com to user list (#9885, @ArthurChiao)
• updates tested k8s version to 1.17.3 (Backport PR #10225, Upstream PR #10215, @aanm)
• use blang/semver for version checking (#9467, @aanm)
• Use config option for security identity swap cool-down period (#9349, @ungureanuvladvictor)
• Use sysctl library and remove redundant sysctl code (#9004, @mrostecki)
• USERS.md: add Sportradar (#9848, @yurrriq)
• vagrant: Install temporary forked bpftool (Backport PR #10212, Upstream PR #10186, @pchaigno)
• vagrant: Remove workaround to MASQ traffic from k8s2 (#9704, @brb)
• vendor: downgrade go-version library due regression (#9459, @aanm)
• vendor: update client-go to kubernetes v1.16.2 (#9445, @aanm)
• workloads: do not set pod name and namespace via workloads plugin (#8999, @ianvernon)
• workloads: remove WorkloadOwner from composing regeneration.Owner (#9221, @ianvernon)

Other Changes:

• .github: rename github-actions file (#9780, @aanm)
• [CI] Increase outer timeout of GKE job (#10009, @nebril)
• [CI] set registry in boot vagrant vms steps (#9618, @nebril)
• [CI] Use LocalExecutor if kubeconfig is defined (#8683, @nebril)
• [Docs] CI bisect documentation (#8782, @nebril)
• bpf, nodeport: fix CT GC race where syn/ack reply gets dropped locally (#9687, @borkmann)
• bump minimum supported kubernetes version to 1.11.0 (#8938, @ianvernon)
• cilium: K8s CI testing for sockops (#9685, @jrfastab)
• contrib: Improve rebase-bindata function (#8702, @joestringer)
• Dockerfile: Use Envoy image that always resumes NPDS (#9635, @jrajahalme)
• docs: Document running via kubeconfig on EKS (#9682, @raybejjani)
• endpoint: Check interface value of proxy field (#9479, @brb)
• eni: Fix AWS ENI allocation exceeding IP limits for smaller instances (#9732, @huntermassey)
• Fix 'make microk8s' target (#8984, @joestringer)
• fqdn: Add zombie limit (#9641, @raybejjani)
• Improve Getting Started guides by provide next steps sections (#9679, @genbit)
• lxcmap: refactor EndpointFrontend interface (#8877, @ianvernon)
• node/manager: Lock nodes slice during Subscribe (#9495, @joestringer)
• Prepare for release v1.7.0-rc4 (#10170, @joestringer)
• Prepare for v1.7 development (#8653, @ianvernon)
• readme: update info for latest stable branch releases (#9688, @borkmann)
• Revert "test: Temporarily disable Istio CI test" (#8844, @ianvernon)
• test: Add vagrant-local-start.sh with preloaded VM support (#9633, @jrajahalme)
• test: Install CoreDNS after Cilium is up (#8772, @tgraf)
• test: Support external DNS lookups also for k8s-1.16 (#9666, @jrajahalme)
• Update GO_VERSION to match builder version (#9995, @ap4y)
• Update USERS.md to include Rapyuta Robotics (#9909, @HackToHell)
• Updating AUTHORS (#9637, @aanm)
• Updating USERS.md to include CENGN (#9942, @mohahmed13)
• vendor: update etcd to v3.4.2 (#9461, @aanm)