cilium/cilium v1.13.0-rc4

on GitHub

Summary of Changes

Major Changes:

• Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
• Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
• CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)

Minor Changes:

• Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
• Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
• bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
• Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
• cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
• clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
• egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
• envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
• helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
• install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
• Load multiple programs for one CollectionSpec loading (#22025, @alexkats)
• Remove deprecated spec.eni.{min-allocate,pre-allocate,max-above-watermark} parameters (#21951, @obaranov1)
• Traffic can now we redirected to Envoy listeners via Cilium Network Policy listener option. (Backport PR #22822, Upstream PR #21600, @jrajahalme)

Bugfixes:

• bpf: add drop notification for missed L7 LB tailcall in to-netdev (Backport PR #22822, Upstream PR #22679, @julianwiedmann)
• bpf: nodeport: fix drop notification in IPv6 revNAT (#22543, @julianwiedmann)
• bpf: nodeport: wire up trace aggregation for rev_nodeport_lb6() (Backport PR #22835, Upstream PR #22794, @julianwiedmann)
• daemon: Do not remove PERM L2 entries in L4LB (Backport PR #22822, Upstream PR #22676, @brb)
• Do not let the bandwidth manager decrease existing sysctl values. (#22468, @ArthurChiao)
• Fix a data race in dnsproxy which could lead to DNS requests drops. (Backport PR #22822, Upstream PR #22619, @aspsk)
• Fix bug that caused ingress policies to be enforced twice when running with tunneling and endpoint routes. (Backport PR #22822, Upstream PR #22333, @pchaigno)
• Fix race condition in DNS proxy when multiple DNS requests for the same name end up with policy drops, even though the traffic is allowed (Backport PR #22822, Upstream PR #22252, @christarazi)
• Fixes semaphore_rejected_total metric and adds new scope to proxy_upstream_reply_seconds metric. (#21267, @rahulkjoshi)
• Improve garbage collection for FQDNs particularly with high-churn IP names such as Amazon S3. (#22510, @joestringer)
• ipam/crd: Fix router initialization fatal when ENI data race happens (Backport PR #22822, Upstream PR #22477, @jaffcheng)

CI Changes:

• .github/workflows: bump ubuntu version for code-ql (#22505, @aanm)
• .github: add debug for codeql (#22607, @aanm)
• ci: Replace deprecated hubble observe -o json with -o jsonpb (Backport PR #22822, Upstream PR #22796, @gandro)
• ci: update cilium-cli to v0.12.11 for master, v1.11 and v1.12 workflows (#22494, @tklauser)
• contrib/scripts: Add check for use of viper's default instance (#22445, @joamaki)
• daemon/cmd: improve stale cilium endpoint error handling. (Backport PR #22822, Upstream PR #22600, @tommyp1ckles)
• dependabot: monthly update of cloud provider SDK Go modules (#22489, @tklauser)
• Fix when install k8s-1.25 ,no need cni install (#22355, @yanggangtony)
• gh/workflows: Add DP CI for encryption (Backport PR #22822, Upstream PR #22418, @brb)
• gh/workflows: tune LVH VM params (#22425, @brb)
• gha: Add retry mechanism for conformance ingress (shared) (Backport PR #22822, Upstream PR #22673, @sayboras)
• Revert "dependabot: monthly update of cloud provider SDK Go modules" (#22571, @pippolo84)
• test/helpers: Fix retry condition for CiliumExecContext (Backport PR #22822, Upstream PR #22726, @christarazi)
• test/l4lb, nat64x46: pass k8s api server to the standalone proxy (Backport PR #22822, Upstream PR #22627, @squeed)
• test: Keep trying exec if killed (#22570, @jrajahalme)
• test: service: fix formatting of error msg in doFragmentedRequest() (Backport PR #22822, Upstream PR #22772, @julianwiedmann)
• test: Speify test/k8s directory on k8s_install.sh to modify pulling images (#22530, @Shunpoco)
• workflow: disable tests pod-to-world and pod-to-cidr (#22475, @brlbil)
• workflow: Reenable IPsec tests in EKS for v1.12 (#22618, @pchaigno)
• workflow: Workaround EKS flake (#22590, @pchaigno)
• workflows: add wait for no operation for cleaning up GKE (#22350, @brlbil)
• workflows: Collect a final sysdump on AKS (#22537, @pchaigno)
• workflows: Collect sysdumps on failures (#22538, @pchaigno)
• workflows: Reduce verbosity of connectivity tests (#22605, @pchaigno)
• workflows: Reduce verbosity of connectivity tests on AKS (#22536, @pchaigno)

Misc Changes:

• .github/workflows: print author association (#22606, @aanm)
• .github/workflows: use right event type for auto labeler (#22508, @aanm)
• .github: add PR labeler for external contributions (#22461, @aanm)
• Add --pprof-debug args to cilium-bugtool (#22282, @yanggangtony)
• Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (#22163, @squeed)
• Add sphinxcontrib-googleanalytics to doc requirements (Backport PR #22822, Upstream PR #22821, @chalin)
• Add tests for hubble metrics handlers (Backport PR #22822, Upstream PR #22518, @marqc)
• backporting: leave backport/author PRs alone (Backport PR #22822, Upstream PR #22654, @bimmlerd)
• bpf_sockops string constant can use const eSockops replace (#22490, @tanberBro)
• build(deps): bump actions/cache from 3.0.11 to 3.2.0 (#22843, @dependabot[bot])
• build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (#22483, @dependabot[bot])
• build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22718, @dependabot[bot])
• build(deps): bump actions/stale from 5.1.1 to 6.0.1 (#22499, @dependabot[bot])
• build(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#22413, @dependabot[bot])
• build(deps): bump github.com/hashicorp/consul/api from 1.17.0 to 1.18.0 (#22549, @dependabot[bot])
• build(deps): bump github.com/onsi/gomega from 1.23.0 to 1.24.1 (#22391, @dependabot[bot])
• build(deps): bump github.com/tidwall/gjson from 1.14.3 to 1.14.4 (#22395, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.32 to 2.1.35 (#22498, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#22633, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22736, @dependabot[bot])
• build(deps): bump go.opentelemetry.io/otel from 1.11.1 to 1.11.2 (#22621, @dependabot[bot])
• build(deps): bump golang.org/x/sys from 0.2.0 to 0.3.0 (#22548, @dependabot[bot])
• build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22720, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 (#22592, @dependabot[bot])
• chore(deps): update base-images (v1.13) (#22647, @renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.17.0 (master) (#22317, @renovate[bot])
• chore(deps): update docker.io/library/golang:1.19.3 docker digest to 10e3c0f (master) (#22566, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 27cb6e6 (v1.13) (#22661, @renovate[bot])
• contrib: exclude non-running pods in k8s-unmanaged script (#22515, @felfa01)
• contributing: Document CNCF DCO Guidelines v1.0 (#22509, @joestringer)
• daemon: Close the identityAllocator on shutdown (#22411, @joestringer)
• daemon: Do not fail CI runs for already deleted CEP (#22474, @jrajahalme)
• delete redundant type conversion (#22376, @tanberBro)
• Docs: Replace the way to install golangci-lint to NA(OS-specific) (#22532, @Shunpoco)
• docs: restructure bpf guide (#21922, @yoyo-go)
• docs: update cmdref with missing flag (#22525, @aanm)
• document helm conntrackGCInterval crdWaitTimeout identityChangeGracePeriod (#22352, @vincentmli)
• Enable Google Analytics 4 (Backport PR #22835, Upstream PR #22220, @chalin)
• envoy: Skip NPHDS upsert when IP is already included (#22289, @jrajahalme)
• examples: Add Envoy admin listener (#22386, @jrajahalme)
• Fix long-time failure of "ipcache-inject-labels" controller due to incorrect backoff time for retry (#21886, @ArthurChiao)
• Fix note for 'func numWorkerThreads()' (#22412, @yanggangtony)
• Fix prepare release process (#22487, @aanm)
• fix:omit comparison to bool constant (#22588, @yulng)
• fix:remove ioutil to accomodate newer Go versions (#22383, @yulng)
• fuzzing: bump go-fuzz-headers (#22501, @AdamKorcz)
• go.mod, vendor: drop client-go from replace directives (#22547, @tklauser)
• go.mod, vendor: update cloud provider SDK Go modules for December 2022 (#22469, @tklauser)
• hive: Allow multiple calls to Hive.Shutdown (#22551, @dylandreimerink)
• hubble/metrics: ProcessFlow() is optional for metrics handlers (#20367, @chancez)
• Initial datapath support for Cilium mTLS has been added. (Backport PR #22822, Upstream PR #21822, @jrajahalme)
• Introduce v3 backend maps (Backport PR #22822, Upstream PR #21797, @YutaroHayakawa)
• ipcache: Fix IPcache leak of remote-node IP addresses (#21932, @pchaigno)
• Keep command help message capital (#22276, @yanggangtony)
• modify the deprecated label beta.kubernetes.io/instance-type (#21941, @my-git9)
• operator: Remove use of global vars in cilium node synchronizer (#22491, @joamaki)
• operator: Wait for informers to shut down when stopping (Backport PR #22835, Upstream PR #22761, @joamaki)
• pkg: Follow Go convention on capitalization (#22534, @yulng)
• Prepare for release v1.13.0-rc3 (#22481, @aanm)
• Prepare v1.13 stable branch (#22612, @joestringer)
• Remove unnecessary imports of pkg/policy (#21996, @jrajahalme)
• Revert "Mount host /boot into cilium-agent container" (#22326, @ti-mo)
• Revert "per-node configuration overrides" pull request (#22630, @pchaigno)
• support reset backoff period (#21937, @wu0407)
• test/control-plane: Add nil check for agentHandle.Close receiver (#22399, @dylandreimerink)
• Update Cilium install guide about EKS aws-node DaemonSet potential connectivity problem on uninstall (#22620, @NikAleksandrov)
• Update Go to 1.19.4 (#22589, @tklauser)
• update gops and ginkgo mod version for match the current go.mod (#22427, @yanggangtony)
• Update Layer 7 Protocol Visibility Document. (Backport PR #22835, Upstream PR #22807, @obaranov1)
• util: fix wrong comment of GetNumPossibleCPUs (#22540, @117503445)

Other Changes:

• build(deps): bump certifi from 2022.6.15 to 2022.12.7 in /Documentation (#22609, @dependabot[bot])

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.0-rc4@sha256:32acd47fd9bea9c0045222ba5d27f5fe9ad06dabd572a80b870b1f0e68c0e928
quay.io/cilium/cilium:v1.13.0-rc4@sha256:32acd47fd9bea9c0045222ba5d27f5fe9ad06dabd572a80b870b1f0e68c0e928

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.0-rc4@sha256:226d311b4daabbb68a97643c3fc6a82c49e09d25a82cb9cb3c326da8b9fd7073
quay.io/cilium/clustermesh-apiserver:v1.13.0-rc4@sha256:226d311b4daabbb68a97643c3fc6a82c49e09d25a82cb9cb3c326da8b9fd7073

docker-plugin

docker.io/cilium/docker-plugin:v1.13.0-rc4@sha256:8d2a7fb4d1757a00e0c60e7dd1426baa839d73617b1927752c6a20a02eaf8539
quay.io/cilium/docker-plugin:v1.13.0-rc4@sha256:8d2a7fb4d1757a00e0c60e7dd1426baa839d73617b1927752c6a20a02eaf8539

hubble-relay

docker.io/cilium/hubble-relay:v1.13.0-rc4@sha256:bbd8c5bec8cd41c7907cf7caed059b944985f2ba5c89def3f60c584b5a7f5c5c
quay.io/cilium/hubble-relay:v1.13.0-rc4@sha256:bbd8c5bec8cd41c7907cf7caed059b944985f2ba5c89def3f60c584b5a7f5c5c

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.0-rc4@sha256:c5b5cb1e5200b75d7b30cb9830365e92dbab8e05d1b00e0c46ccc07e21b4036c
quay.io/cilium/operator-alibabacloud:v1.13.0-rc4@sha256:c5b5cb1e5200b75d7b30cb9830365e92dbab8e05d1b00e0c46ccc07e21b4036c

operator-aws

docker.io/cilium/operator-aws:v1.13.0-rc4@sha256:d6a31dc00e9f15e6012670190c82ee6ed9732dcdd74682c2d4cd763fe7367eba
quay.io/cilium/operator-aws:v1.13.0-rc4@sha256:d6a31dc00e9f15e6012670190c82ee6ed9732dcdd74682c2d4cd763fe7367eba

operator-azure

docker.io/cilium/operator-azure:v1.13.0-rc4@sha256:105bccc4b486fd242f05c06e21e9928255906e2c6c5ace63c833c4d2a1371e0c
quay.io/cilium/operator-azure:v1.13.0-rc4@sha256:105bccc4b486fd242f05c06e21e9928255906e2c6c5ace63c833c4d2a1371e0c

operator-generic

docker.io/cilium/operator-generic:v1.13.0-rc4@sha256:19f612d4f1052e26edf33e26f60d64d8fb6caed9f03692b85b429a4ef5d175b2
quay.io/cilium/operator-generic:v1.13.0-rc4@sha256:19f612d4f1052e26edf33e26f60d64d8fb6caed9f03692b85b429a4ef5d175b2

operator

docker.io/cilium/operator:v1.13.0-rc4@sha256:6a7efade8fa722cfbb0e97353f7c97a35ba650d5e6cf374f73c417293c39f958
quay.io/cilium/operator:v1.13.0-rc4@sha256:6a7efade8fa722cfbb0e97353f7c97a35ba650d5e6cf374f73c417293c39f958