The Cilium core team is pleased to release Cilium v1.9.4. This release includes fixes for routing, MTU handling, and improvements around BPF LB map handling and node ARP handling. For more details, see the summary of changes below.
Summary of Changes
Minor Changes:
- Helm Chart: add checksum to configmap to ensure pods roll when configmap is updated (Backport PR #14783, Upstream PR #14540, @travisghansen)
Bugfixes:
- bpf: Correctly use revalidate_data_pull() in do_decrypt() (Backport PR #14783, Upstream PR #14689, @tgraf)
- cilium-cni: Fix error handling for bad netns (Backport PR #14783, Upstream PR #14645, @joestringer)
- Fix a route MTU issue where pods cannot receive large packets from outside the cluster when the sender sets the "don't fragment" (DF) bit. (Backport PR #14783, Upstream PR #14679, @aditighag)
- Fix bug where Cilium did not respect --bpf-lb-map-max and wouldn't update the maximum size of BPF LB maps (Backport PR #14798, Upstream PR #14607, @christarazi)
- Fix missing loopback CNI plugin in multi-arch images (Backport PR #14839, Upstream PR #14828, @aanm)
- hubble: parser: Set Encrypted bit correctly (Backport PR #14783, Upstream PR #14677, @tgraf)
- node-neigh: Fix node removal and invalid neigh entry due to buggy arping response correlation (Backport PR #14839, Upstream PR #14709, @brb)
- routing: Fix route collisions in AWS ENI (Backport PR #14846, Upstream PR #14269, @christarazi)
CI Changes:
- Extend K8sVerifier to maximize program sizes on 4.19 and net-next kernels (Backport PR #14798, Upstream PR #14451, @pchaigno)
- test: Enable K8sVerifier on 4.19 and net-next CI (Backport PR #14798, Upstream PR #13953, @pchaigno)
Misc Changes:
- [v1.9] release: Fix script to check presence of docker images (#14780, @joestringer)
- bpf: do not enable host routing when kpr is disabled (Backport PR #14783, Upstream PR #14737, @borkmann)
- bpf: Replace CALLS_MAP symbol in compile-tested binaries (Backport PR #14798, Upstream PR #13934, @pchaigno)
- bpf: Send packet drop notify for ipv6 lb nat mode failures. (Backport PR #14783, Upstream PR #14730, @hzhou8)
- bpf: Send packet drop notify for LB DSR mode failures. (Backport PR #14783, Upstream PR #14649, @hzhou8)
- contrib/release: clarify project number for release process (Backport PR #14783, Upstream PR #14684, @aanm)
- contrib: Add script to fetch docker manifests (Backport PR #14783, Upstream PR #14707, @joestringer)
- docker: Pull llvm-objcopy in cilium-builder (Backport PR #14798, Upstream PR #13958, @pchaigno)
- docs: Add section in external etcd about identity-allocation-mode (Backport PR #14783, Upstream PR #14673, @christarazi)
- docs: fix typo (Backport PR #14783, Upstream PR #14647, @sslavic)
- Fix wrong url (Backport PR #14839, Upstream PR #14818, @manuelbuil)
- helm: set dnsPolicy based on etcd.k8sService (Backport PR #14783, Upstream PR #14626, @aanm)
- Remove SNAT maps entries to support the case when the user toggles off from using BPF to kube-proxy. (Backport PR #14839, Upstream PR #14721, @mazzy89)
- runtime: specify ICMP ids on connectivity test (Backport PR #14839, Upstream PR #13989, @kkourt)
- v1.9: Update Go to 1.15.7 (#14665, @tklauser)
Other Changes:
Docker Manifests