helm/cilium/cilium 1.7.0-rc3

v1.7.0-rc3

on Artifact Hub

This is the third release candidate of v1.7.0, the summary of changes reflect the diff between tag v1.7.0-rc2 and tag v1.7.0-rc3

Upgrade Guide

https://docs.cilium.io/en/v1.7/install/upgrade/#upgrade-guide

Summary of Changes

Major Changes:

• Add direct server return (DSR) for NodePort BPF (#9473, @brb)
• add support for k8s endpoint slice (#9762, @aanm)

Minor Changes:

• cmd: add zsh as a option for completion (#9882, @tonyluj)
• golang: update to 1.13.6 (#9872, @aanm)
• docs: remove disable container runtime documentation (#9868, @aanm)
• bpf: improve DumpReliablyWithCallback (#9972, @rolinh)
• Istio support is updated to version 1.4.3 (#9968, @jrajahalme)
• Use helm repository in docs (#9783, @ap4y)
• Rename "Policy denied (L3)" to "Policy denied" (#9951, @tgraf)
• Add support for HealthCheckNodePort in NodePort BPF (#9906, @gandro)
• bpf: Add bind{4,6} programs to block NodePorts (#9880, @gandro)
• Support v4-in-v6 mapped addresses in BPF host reachable services. (#9923, @borkmann)
• Add --kube-proxy-replacement flag to control enabling of kube-proxy replacement in BPF (#9992, @brb)

Bugfixes:

• operator: only enable kvstore watcher if kvstore is enabled (#9963, @aanm)
• Fix Unlock handling for kvstore locks (#9973, @aanm)
• Fix regular service lookup in node-port range in case of host-reachable services. (#9843, @borkmann)
• ipsec: fix connectivity after node reboots (#9866, @martin31821)
• cni: Fix IP leak when CNI ADD times out (#9913, @tgraf)
• Fix cilium-operator deadlock for clusters with more than 128 services (#10010, @aanm)
• Fix node-port default route detection in case there multiple default entries with same ifindex. (#9844, @borkmann)
• eni: Fix releases of excess IPs (#9858, @tgraf)
• cni: Fix noisy warning "Unknown CNI chaining configuration" (#9937, @tgraf)
• cilium: use %v for dumping frontend struct on error (#9845, @borkmann)
• pkg/ip: fix cilium status output for big CIDR ranges (#9936, @aanm)
• Fix cilium installation in GCloud beta "rapid" channel (#9959, @joestringer)
• node: Provide context in log when restoring router addresses (#9947, @tgraf)
• bpf: Remove POLICY_MAP from bpf_netdev and bpf_overlay (#9949, @tgraf)
• garbage collect stale distributed locks (#9982, @aanm)

CI Changes:

• test/packet: fix packet terraform scripts (#9850, @aanm)
• [CI] set $HOME in parallel builds to avoid cache pollution (#9932, @nebril)
• [CI] Mark runtime memcache tests as pending (#9955, @nebril)
• Revert "Revert "[CI] add timeout to vm boot retries"" (#9976, @nebril)
• Add retry to curl call in basic TLS policy test (#9957, @nebril)
• Move GKE release cluster out of timeout block (#10022, @nebril)
• [CI] switch to new HOME only for ginkgo calls (#9971, @nebril)
• Fixup FQDN tests to run on GKE & EKS (#9990, @raybejjani)
• test: Delete Cilium DS before changing startup options. (#9891, @jrajahalme)
• vagrant: remove unnecessary print statements (#9860, @rolinh)
• Revert "[CI] add timeout to vm boot retries" (#9967, @aanm)
• ginkgo.Jenkinsfile: set k8s nodes back to 2 (#9908, @aanm)
• VMs: bump development VM images (#10001, @aanm)
• add externalIPs and kube-proxy test matrix (#9849, @aanm)
• GKE jenkinsfile (#9876, @nebril)
• Bump cilium/ubuntu-next version to 42 (#9926, @gandro)
• CI fixups to run on GKE (#9853, @raybejjani)
• Set CILIUM_REGISTRY in provisioning scritps (#9991, @nebril)
• CI: Determine and set K8s version in GKE pipeline (#10025, @raybejjani)
• [CI] add timeout to vm boot retries (#9816, @nebril)
• eni: Deep copy CiliumNode resource before storing it in the node (#9893, @jrajahalme)
• Run CI tests with kube-proxy being disabled (#9901, @brb)
• CI: Set CILIUM_REGISTRY in k8s provisioning scripts (#10006, @gandro)
• update k8s test versions to 1.14.10, 1.15.7 and 1.16.4 (#9867, @aanm)
• [CI] Retry validating kubeconfig (#9931, @nebril)

Misc Changes:

• USERS.md: add Sportradar (#9848, @yurrriq)
• contrib/vagrant: change iptables helper message to tcp (#9884, @aanm)
• README: update weekly meeting hours (#9864, @aanm)
• doc: add note about adding the 'kind/backports' label when backporting (#9964, @rolinh)
• docs: add instructions to update VM images (#9999, @aanm)
• Fix GC Locks bugs (#10005, @aanm)
• contrib/vagrant: fix reading VM_MEMORY/VM_CPUS from env vars (#9945, @rolinh)
• datapath: Do not check rev_nat_id in IPv6 addr (#9952, @brb)
• eni node_manager unit test improvements (#9756, @jaffcheng)
• test: Increase VM provisioning timeout for k8s-1.11 net-next job (#9980, @brb)
• nodeport fixes (#10040, @borkmann)
• datapath: Add DSR IPv6 implementation (#9895, @brb)
• bpf_sock fixes for nodeport (#10014, @borkmann)
• Update release process steps (#10035, @aanm)
• dev: set tcp for NFS in development VMs (#9879, @aanm)
• bpf, nodeport: add nodeport flag to nodeport services (#9857, @borkmann)
• Add Datadog to users (#9862, @lbernail)
• update USERS.md: add Trip.com to user list (#9885, @ArthurChiao)
• k8s: update libraries to v1.17.1 (#9883, @aanm)
• Dockerfile: Bump cilium/iproute2 (#9911, @gandro)
• add uswitch to users.md (#9875, @Joseph-Irving)
• Add cilium-monitor sidecar container for agent pods (#9815, @ap4y)
• minor misc doc updates (#9865, @borkmann)
• docs: add libelf-devel to development setup (#10032, @tklauser)
• datapath: Do not return len in find_dsr_v6 (#9933, @brb)
• Add Palantir Technologies to USERS.md (#9836, @ungureanuvladvictor)
• SECURITY.md: update versions of supported releases (#9856, @rolinh)
• daemon: Exit early if NodePort BPF and IPSec is enabled (#9946, @brb)
• Supported BPF map types probe based on bpftool (#9795, @mrostecki)
• Add Adobe to USERS.md (#9852, @dharmab)
• Restore SVC type after restart (#9896, @brb)
• docs: Fix up gke install guide (#10037, @joestringer)
• update USERS.md: add link to Trip.com's post (#9927, @ArthurChiao)
• Small documentation fixes and add release candidate process (#9871, @aanm)
• Misc project maintenance updates (#10042, @aanm)
• bpf: Compile bpf_netdev.c with build permutations (#9861, @brb)
• bpf, sock: reduce xlation for externalTrafficPolicy=Local to host_id (#9930, @borkmann)
• Envoy TLS fixes (#9820, @jrajahalme)
• backporting: add 'upstream-prs' tag for code block (#10033, @aanm)
• datapath: Return error if default route is not found (#9859, @brb)
• cmd: replace deprecated Command.SetOutput() (#9881, @tonyluj)
• Fix helm subchart versions (#9826, @ap4y)
• node: Remove error return from SetIPv6NodeRange (#9954, @tgraf)
• nodeinit/templates: fix indentation of sys-fs-bpf (#10008, @aanm)
• Added support for restartPods Helm chart option when running node-init on EKS. (#9740, @tom-hadlaw-hs)
• bpf: fix sock6_xlate when not all host service protocols are enabled (#9847, @borkmann)
• bpf, sock: only attach v6 hooks in v4-only mode when v6 is available (#10027, @borkmann)
• policy: Error out on missing secrets in policy computation (#9897, @jrajahalme)
• golang: update to 1.13.7 (#9985, @aanm)
• add 2020 copyright (#9975, @aanm)
• Documentation: Document potential conflict of ENI with DHCP agents (#9934, @tgraf)
• envoy: Use TypedConfig for Envoy filters (#9889, @jrajahalme)
• BPF and XDP reference guide: mention BPF Performance Tools in further readings (#9928, @brandshaide)
• test README: Fix the documentation link (#9941, @kaworu)

Other Changes:

• Update GO_VERSION to match builder version (#9995, @ap4y)
• [CI] Increase outer timeout of GKE job (#10009, @nebril)
• Update USERS.md to include Rapyuta Robotics (#9909, @HackToHell)
• Updating USERS.md to include CENGN (#9942, @mohahmed13)