helm/cilium/cilium 1.8.0-rc3

on Artifact Hub

Note: The summary of changes represents the diff between v1.8.0-rc2 and v1.8.0-rc3

Summary of Changes

Major Changes:

• Add scalability report of Cilium on large clusters in CRD mode (Backport PR #11856, Upstream PR #11760, @aanm)

Minor Changes:

• Azure: support non VMSS instances (Backport PR #12027, Upstream PR #11571, @bpineau)
• cilium: fix up all --help sections properly (Backport PR #12027, Upstream PR #11007, @soumynathan)
• connectivity-check: Do not perform hostport in standard check (Backport PR #11856, Upstream PR #11715, @tgraf)
• daemon: Allow to fallback to iptables-based masquerading and friends (Backport PR #12039, Upstream PR #12026, @brb)
• daemon: Clarify log msg how to use only TCP socket-lb (Backport PR #11926, Upstream PR #11918, @brb)
• daemon: Fix detection of BPF/XDP NodePort, BPF masq and host-fw devices (Backport PR #12027, Upstream PR #11894, @brb)
• docker: add hubble CLI binary to the base cilium image (Backport PR #11856, Upstream PR #11784, @rolinh)
• Envoy is updated to release 1.13.2. (Backport PR #12027, Upstream PR #11973, @jrajahalme)
• grafana: Add Hubble dashboard (Backport PR #12039, Upstream PR #12004, @gandro)
• helm: added global.logOptions parameter (Backport PR #12039, Upstream PR #11861, @mvisonneau)
• Implement per-provider operator deployments in Helm (Backport PR #12039, Upstream PR #12029, @joestringer)
• Remove deprecated --flannel-manage-existing-containers option (Backport PR #12027, Upstream PR #12008, @tklauser)
• test: Do not set tty for preloaded VM (Backport PR #11926, Upstream PR #11877, @jrajahalme)
• test: set hubble-relay image in helm defaults if available (Backport PR #11926, Upstream PR #11904, @jrajahalme)

Bugfixes:

• Add anti-affinity for Cilium pods to prevent 2 pods being executed on the same node at the same time (Backport PR #11893, Upstream PR #11830, @nebril)
• Autodetection of the mtu correctly detects the mtu of the interface used for the kubernetes cluster communication. The mtu was incorrectly detected in cases where multiple interfaces were present and the gateway interface was not the one used for kubernetes cluster communication (Backport PR #11893, Upstream PR #10635, @manuelbuil)
• Avoid duplication of generated toCIDRs when using a toServices based CNP (or CCNP) (Backport PR #11926, Upstream PR #11901, @aanm)
• cilium: fix encryption flow labels in ip6 case (Backport PR #12039, Upstream PR #12015, @jrfastab)
• datapath: Accept proxy traffic if enable-endpoint-routes are enabled (Backport PR #11856, Upstream PR #11819, @tgraf)
• datapath: Only NOTRACK proxy return traffic going to Cilium datapath (Backport PR #11937, Upstream PR #11899, @jrajahalme)
• endpoint: Fix data races while accessing GetIdentity() (Backport PR #11984, Upstream PR #11941, @tgraf)
• eni: Fix potential deadlock (Backport PR #11856, Upstream PR #11831, @christarazi)
• Fix datarace issue in spanstat.go (Backport PR #11856, Upstream PR #11615, @sayboras)
• Fix issue when Cilium randomly stops doing service translation in k8s 1.18 (Backport PR #12027, Upstream PR #11947, @aanm)
• Fix leaking endpoint state metric (Backport PR #11937, Upstream PR #11884, @christarazi)
• Fix setting monitorAggregationLevel to max reflects via CLI (Backport PR #12039, Upstream PR #12014, @soumynathan)
• fix transparent encryption related bugs (Backport PR #12027, Upstream PR #11974, @jrfastab)
• Fix tunneling and ARP resolution when host firewall is enabled. (Backport PR #11893, Upstream PR #11795, @pchaigno)
• hubble/peer: handle burst of change notifications (Backport PR #12039, Upstream PR #12024, @rolinh)
• ipcache: Fix deadlock when ipcache GC results in datapath reload (Backport PR #11984, Upstream PR #11950, @tgraf)
• loader: Fix tunneling when device is set without NodePort (Backport PR #12027, Upstream PR #11980, @pchaigno)
• nodeinit: Fix for restarting kubenet managed pods (Backport PR #11856, Upstream PR #11779, @dctrwatson)
• Properly cancel endpoint creations as they become obsolete (Backport PR #11951, Upstream PR #11920, @tgraf)
• proxy: Keep DNS port allocated (Backport PR #11856, Upstream PR #11661, @jrajahalme)
• Remove default bpf map size values for new installations and use the dynamic calculation based on system's memory. (Backport PR #12039, Upstream PR #11991, @aanm)
• service: Fix wrong localEndpoints count in HealthCheckNodePort (Backport PR #11893, Upstream PR #11863, @gandro)

CI Changes:

• .travis: disable Documentation building on ARM64 (Backport PR #12039, Upstream PR #12043, @Jianlin-lv)
• ci: Change vagrant timeout mechanism (Backport PR #11893, Upstream PR #11858, @nebril)
• CI: fix bash complaining about "unexpected tokens" (parenthesis) (Backport PR #11937, Upstream PR #11307, @qmonnet)
• ci: fix timeout vagrant up timeout (Backport PR #11856, Upstream PR #11798, @nebril)
• ci: make docker images in ghaction (Backport PR #11893, Upstream PR #11693, @nebril)
• ci: outer vm boot timeout was smaller than inner (Backport PR #11856, Upstream PR #11758, @nebril)
• ci: retry docker build in jenkins (Backport PR #11856, Upstream PR #11796, @nebril)
• ci: run lscpu at end of build (Backport PR #11856, Upstream PR #11814, @nebril)
• ci: various gke script fixes (Backport PR #11926, Upstream PR #11864, @nebril)
• cilium, test: Only run sockops tests on 4.19 and bpf-next kernels (Backport PR #12027, Upstream PR #11998, @jrfastab)
• daemon: cancel daemon context on TearDownTest (Backport PR #11893, Upstream PR #11870, @aanm)
• Docs: update backport commands for jenkins builds (Backport PR #11893, Upstream PR #11860, @nebril)
• eni: Fix node manager test (Backport PR #11856, Upstream PR #11773, @errordeveloper)
• Fix flaky assertion on metrics (Backport PR #11984, Upstream PR #11966, @christarazi)
• ginkgo-ext: Fix data-race in Writer (Backport PR #12039, Upstream PR #12025, @gandro)
• test/helpers: allow passing custom number of requests to helpers.Ping() (Backport PR #11937, Upstream PR #11897, @qmonnet)
• test/k8s: keep configmap across upgrade test (Backport PR #12039, Upstream PR #12051, @aanm)
• test/K8sServices: disable fragment tracking test for kernel 4.19 (Backport PR #12039, Upstream PR #12041, @qmonnet)
• test/K8sServices: Skip checks for externalTrafficPolicy=Local with kube-proxy <1.15 (Backport PR #11951, Upstream PR #11965, @gandro)
• test: Add debugging info for potential flakes in NodePort services tests with L4 and L7 (Backport PR #12027, Upstream PR #11765, @jrajahalme)
• test: Add retries to curl command (Backport PR #12027, Upstream PR #11993, @christarazi)
• test: add retries to expected successful curl calls (Backport PR #11893, Upstream PR #11797, @nebril)
• test: Add simple retries for flaky Helm operations (Backport PR #11856, Upstream PR #11762, @christarazi)
• test: disable fqdn restart test (Backport PR #11856, Upstream PR #11776, @nebril)
• test: Fix and re-enable test reliant on managed etcd (Backport PR #11856, Upstream PR #11818, @errordeveloper)
• test: Gather combined Cilium logs as last resort (Backport PR #12027, Upstream PR #12007, @nebril)
• test: retry fqdn requests, increase curl timeout (Backport PR #11856, Upstream PR #11775, @nebril)
• test: use local copy of Cilium Star Wars Demo (Backport PR #11856, Upstream PR #11817, @tklauser)
• test: Wait for IPCache entries in testSessionAffinity (Backport PR #11856, Upstream PR #11771, @brb)
• test: Wait for POD policy revision increment in all cases. (Backport PR #12027, Upstream PR #11995, @jrajahalme)

Misc Changes:

• 1.8 Documentation updates (Backport PR #11926, Upstream PR #11892, @tgraf)
• Add audit action to the policy verdict log (Backport PR #11893, Upstream PR #11843, @ap4y)
• Add connectivity test to troubleshooting (Backport PR #11856, Upstream PR #11643, @jedsalazar)
• agent: Fix data race when accessing d.monitorAgent (Backport PR #11856, Upstream PR #11823, @tgraf)
• azure/ipam: Fix nil dereference with logger (Backport PR #11856, Upstream PR #11786, @christarazi)
• bpf, docs: add list of XDP supported drivers (Backport PR #11984, Upstream PR #11970, @borkmann)
• bpf: enable hairpin optimizations to avoid fib lookup also for tc (Backport PR #12027, Upstream PR #11989, @borkmann)
• bpf: Fix race when accessing m.fd (Backport PR #11856, Upstream PR #11812, @tgraf)
• bpf: more scalability improvements (Backport PR #11856, Upstream PR #11694, @borkmann)
• bpf: split off debug options and do not run it in ci (Backport PR #12039, Upstream PR #11977, @borkmann)
• bpf: various datapath follow-up optimisations and fixes (Backport PR #11984, Upstream PR #11924, @borkmann)
• cilium: downgrade kernel_hz clock probe warning to info message (Backport PR #11856, Upstream PR #11816, @borkmann)
• cilium: rename --node-port-acceleration=none to =disabled (Backport PR #11951, Upstream PR #11925, @borkmann)
• cocci: Detect unlogged missed tail calls (Backport PR #11893, Upstream PR #11808, @pchaigno)
• contrib/backporting: remove requires-janitor-review label (Backport PR #12039, Upstream PR #11986, @aanm)
• contrib: Fix submit-backport PR set-labels detection (Backport PR #11926, Upstream PR #11912, @joestringer)
• daemon/cli: Add SessionAffinity to cilium status (Backport PR #11951, Upstream PR #11927, @brb)
• daemon: Remove checkHostFirewallWithEgressLB() (Backport PR #12027, Upstream PR #11982, @pchaigno)
• datapath: Silent iptables removal on first init (Backport PR #11856, Upstream PR #11815, @tgraf)
• doc: add "observing flows with Hubble Relay" to troubleshooting section (Backport PR #11937, Upstream PR #11919, @rolinh)
• doc: fix up GKE install guide (Backport PR #11984, Upstream PR #11960, @rolinh)
• doc: Troubleshooting with Hubble (Backport PR #11893, Upstream PR #11827, @gandro)
• doc: uniformize name when referring to Hubble Relay (Backport PR #11937, Upstream PR #11923, @rolinh)
• doc: Update the EKS getting started guide (Backport PR #11893, Upstream PR #11697, @michi-covalent)
• doc: Update the Hubble section of getting started guides (Backport PR #12027, Upstream PR #11882, @michi-covalent)
• doc: Use --reuse-values option for helm upgrade (Backport PR #12027, Upstream PR #12020, @michi-covalent)
• docs/scalability: set right ipam option (Backport PR #11926, Upstream PR #11890, @aanm)
• docs: Add Hubble metrics reference (Backport PR #12027, Upstream PR #11996, @gandro)
• docs: Add session affinity to kubeproxy-free guide (Backport PR #11984, Upstream PR #11957, @brb)
• docs: add word to misspelled list (Backport PR #11856, Upstream PR #11822, @aanm)
• docs: Consolidate bpf-map-dynamic-size-ratio documentation (Backport PR #12039, Upstream PR #12028, @tklauser)
• docs: Improve session affinity section in kube-proxy free guide (Backport PR #11984, Upstream PR #11958, @brb)
• docs: Include directions to restart pods in the k3s install guide (Backport PR #11893, Upstream PR #11879, @seanmwinn)
• docs: k3s command missing sh - (Backport PR #11926, Upstream PR #11878, @glibsm)
• docs: Parameterize READTHEDOCS_VERSION (Backport PR #11856, Upstream PR #11840, @joestringer)
• docs: point cilium docs into a stable version of sphinx theme (Backport PR #12032, Upstream PR #12010, @genbit)
• docs: quote helm flags with brackets (Backport PR #11984, Upstream PR #11922, @nebril)
• docs: re-design cilium docs theme (Backport PR #12032, Upstream PR #11803, @genbit)
• docs: Remove redundant stable release instructions (Backport PR #11926, Upstream PR #11898, @joestringer)
• docs: Rework live-preview to use docker container (Backport PR #11951, Upstream PR #11940, @joestringer)
• Ensure endpoint validation occurs before initial regeneration (Backport PR #11856, Upstream PR #11714, @tgraf)
• envoy: Include detail in NACK warning (Backport PR #12027, Upstream PR #12016, @jrajahalme)
• etcd: propagate Context from higher-level calls (Backport PR #12027, Upstream PR #11891, @tklauser)
• Fix live preview with Python 3.8 (Backport PR #11893, Upstream PR #11838, @joestringer)
• Fix missing operator-generic in upstream k8s tests (Backport PR #12039, Upstream PR #12055, @aanm)
• fix(datarace): Fix possible nil pointer dereference (Backport PR #11856, Upstream PR #11804, @sayboras)
• fqdn: Fix missing IsNil checks in unit tests (Backport PR #11984, Upstream PR #11953, @pchaigno)
• helm: added global.cni.readCniConf parameter (Backport PR #12039, Upstream PR #11597, @mvisonneau)
• helm: Bump hubble-ui to v0.6.0 (Backport PR #11893, Upstream PR #11854, @gandro)
• helm: fixed hubble servicemonitor matchLabels parameter (Backport PR #11926, Upstream PR #11886, @mvisonneau)
• helm: Generate experimental-install.yaml (Backport PR #11984, Upstream PR #11907, @michi-covalent)
• helm: Simplify Hubble metrics values (Backport PR #11926, Upstream PR #11887, @gandro)
• helm: Use port 80 for service/hubble-ui (Backport PR #12027, Upstream PR #12023, @gandro)
• hubble/observer: increment 'numObservedFlows' atomically (Backport PR #11856, Upstream PR #11835, @aanm)
• hubble: enable metrics before starting server (Backport PR #11893, Upstream PR #11846, @aanm)
• Implement values for hubble-relay to properly control sub chart values (Backport PR #12027, Upstream PR #11757, @seanmwinn)
• install: Fix up version/pullPolicy for multiple values files (Backport PR #12027, Upstream PR #12030, @joestringer)
• iptables: carry on and log on failure to set up transient rules (Backport PR #12027, Upstream PR #12006, @qmonnet)
• k8s: Fix data race when setting node address (Backport PR #11893, Upstream PR #11851, @tgraf)
• loader: Attach bpf_host to cilium_net from Golang (Backport PR #11856, Upstream PR #11598, @pchaigno)
• logo: change SVG file used for the logo (Backport PR #12032, Upstream PR #12002, @qmonnet)
• Misc docs index & development section improvements (Backport PR #11856, Upstream PR #11839, @joestringer)
• nodeinit: Use newly built image (Backport PR #11893, Upstream PR #11876, @errordeveloper)
• pkg/clustermesh: protect tests against concurrent access (Backport PR #11893, Upstream PR #11852, @aanm)
• pkg/identity: protect LabelsSHA256 against concurrent initializations (Backport PR #11893, Upstream PR #11872, @aanm)
• pkg/ipcache: create a GetK8sMetadata for public access (Backport PR #11856, Upstream PR #11833, @aanm)
• pkg/k8s: decrease CEP status initialization (Backport PR #11893, Upstream PR #11829, @aanm)
• pkg/k8s: use node name from pkg/node instead of env variable (Backport PR #11856, Upstream PR #11834, @aanm)
• policy: Fix enforcement status for host endpoint (Backport PR #11856, Upstream PR #11759, @pchaigno)
• policy: Fix rule translation test flake (Backport PR #11926, Upstream PR #11913, @joestringer)
• release: Improve documentation around release process (Backport PR #12039, Upstream PR #11939, @joestringer)
• Remove hubble-cli sub-chart (Backport PR #11856, Upstream PR #11806, @seanmwinn)
• runtime: Update LLVM image (Backport PR #11984, Upstream PR #11968, @errordeveloper)
• service: Clean up HealthCheckNodePort server when traffic policy changes (Backport PR #11984, Upstream PR #11952, @gandro)
• test: Disable flaky RuntimeKVStoreTest tests (Backport PR #11984, Upstream PR #11945, @pchaigno)
• test: Fix NodePort acceleration param (Backport PR #11951, Upstream PR #11942, @brb)
• Update ENI limits list (Backport PR #11893, Upstream PR #11793, @bpineau)
• Update Go to 1.14.4 (Backport PR #11856, Upstream PR #11811, @tklauser)
• vagrant: bump net-next vagrant box version (Backport PR #11951, Upstream PR #11917, @borkmann)
• vagrant: Fix make in net-next dev. VM (Backport PR #12027, Upstream PR #11987, @pchaigno)