Summary of Changes
Major Changes:
- Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
- Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
- CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)
Minor Changes:
- Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
- Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
- bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
- Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
- cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
- clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
- egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
- envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
- helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
- install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
- Load multiple programs for one CollectionSpec loading (#22025, @alexkats)
- Remove deprecated `spec.eni.{min-allocate,pre-allocate,max-above-watermark}` parameters (#21951, @obaranov1)
- Traffic can now be redirected to Envoy listeners via the Cilium Network Policy `listener` option. (Backport PR #22822, Upstream PR #21600, @jrajahalme)
Bugfixes:
- bpf: add drop notification for missed L7 LB tailcall in to-netdev (Backport PR #22822, Upstream PR #22679, @julianwiedmann)
- bpf: nodeport: fix drop notification in IPv6 revNAT (#22543, @julianwiedmann)
- bpf: nodeport: wire up trace aggregation for rev_nodeport_lb6() (Backport PR #22835, Upstream PR #22794, @julianwiedmann)
- daemon: Do not remove PERM L2 entries in L4LB (Backport PR #22822, Upstream PR #22676, @brb)
- Do not let the bandwidth manager decrease existing sysctl values. (#22468, @ArthurChiao)
- Fix a data race in dnsproxy which could lead to DNS requests drops. (Backport PR #22822, Upstream PR #22619, @aspsk)
- Fix bug that caused ingress policies to be enforced twice when running with tunneling and endpoint routes. (Backport PR #22822, Upstream PR #22333, @pchaigno)
- Fix race condition in DNS proxy when multiple DNS requests for the same name end up with policy drops, even though the traffic is allowed (Backport PR #22822, Upstream PR #22252, @christarazi)
- Fixes `semaphore_rejected_total` metric and adds new scope to `proxy_upstream_reply_seconds` metric. (#21267, @rahulkjoshi)
- Improve garbage collection for FQDNs, particularly with high-churn IP names such as Amazon S3. (#22510, @joestringer)
- ipam/crd: Fix router initialization fatal when ENI data race happens (Backport PR #22822, Upstream PR #22477, @jaffcheng)
CI Changes:
- .github/workflows: bump ubuntu version for code-ql (#22505, @aanm)
- .github: add debug for codeql (#22607, @aanm)
- ci: Replace deprecated `hubble observe -o json` with `-o jsonpb` (Backport PR #22822, Upstream PR #22796, @gandro)
- ci: update cilium-cli to v0.12.11 for master, v1.11 and v1.12 workflows (#22494, @tklauser)
- contrib/scripts: Add check for use of viper's default instance (#22445, @joamaki)
- daemon/cmd: improve stale cilium endpoint error handling. (Backport PR #22822, Upstream PR #22600, @tommyp1ckles)
- dependabot: monthly update of cloud provider SDK Go modules (#22489, @tklauser)
- Fix when installing k8s-1.25, no need for cni install (#22355, @yanggangtony)
- gh/workflows: Add DP CI for encryption (Backport PR #22822, Upstream PR #22418, @brb)
- gh/workflows: tune LVH VM params (#22425, @brb)
- gha: Add retry mechanism for conformance ingress (shared) (Backport PR #22822, Upstream PR #22673, @sayboras)
- Revert "dependabot: monthly update of cloud provider SDK Go modules" (#22571, @pippolo84)
- test/helpers: Fix retry condition for CiliumExecContext (Backport PR #22822, Upstream PR #22726, @christarazi)
- test/l4lb, nat64x46: pass k8s api server to the standalone proxy (Backport PR #22822, Upstream PR #22627, @squeed)
- test: Keep trying exec if killed (#22570, @jrajahalme)
- test: service: fix formatting of error msg in doFragmentedRequest() (Backport PR #22822, Upstream PR #22772, @julianwiedmann)
- test: Specify `test/k8s` directory on `k8s_install.sh` to modify pulling images (#22530, @Shunpoco)
- workflow: disable tests pod-to-world and pod-to-cidr (#22475, @brlbil)
- workflow: Reenable IPsec tests in EKS for v1.12 (#22618, @pchaigno)
- workflow: Workaround EKS flake (#22590, @pchaigno)
- workflows: add wait for no operation for cleaning up GKE (#22350, @brlbil)
- workflows: Collect a final sysdump on AKS (#22537, @pchaigno)
- workflows: Collect sysdumps on failures (#22538, @pchaigno)
- workflows: Reduce verbosity of connectivity tests (#22605, @pchaigno)
- workflows: Reduce verbosity of connectivity tests on AKS (#22536, @pchaigno)
Misc Changes:
- .github/workflows: print author association (#22606, @aanm)
- .github/workflows: use right event type for auto labeler (#22508, @aanm)
- .github: add PR labeler for external contributions (#22461, @aanm)
- Add --pprof-debug args to cilium-bugtool (#22282, @yanggangtony)
- Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (#22163, @squeed)
- Add sphinxcontrib-googleanalytics to doc requirements (Backport PR #22822, Upstream PR #22821, @chalin)
- Add tests for hubble metrics handlers (Backport PR #22822, Upstream PR #22518, @marqc)
- backporting: leave `backport/author` PRs alone (Backport PR #22822, Upstream PR #22654, @bimmlerd)
- bpf_sockops string constant can use const eSockops replace (#22490, @tanberBro)
- build(deps): bump actions/cache from 3.0.11 to 3.2.0 (#22843, @dependabot[bot])
- build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (#22483, @dependabot[bot])
- build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22718, @dependabot[bot])
- build(deps): bump actions/stale from 5.1.1 to 6.0.1 (#22499, @dependabot[bot])
- build(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#22413, @dependabot[bot])
- build(deps): bump github.com/hashicorp/consul/api from 1.17.0 to 1.18.0 (#22549, @dependabot[bot])
- build(deps): bump github.com/onsi/gomega from 1.23.0 to 1.24.1 (#22391, @dependabot[bot])
- build(deps): bump github.com/tidwall/gjson from 1.14.3 to 1.14.4 (#22395, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.32 to 2.1.35 (#22498, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#22633, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22736, @dependabot[bot])
- build(deps): bump go.opentelemetry.io/otel from 1.11.1 to 1.11.2 (#22621, @dependabot[bot])
- build(deps): bump golang.org/x/sys from 0.2.0 to 0.3.0 (#22548, @dependabot[bot])
- build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22720, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 (#22592, @dependabot[bot])
- chore(deps): update base-images (v1.13) (#22647, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.0 (master) (#22317, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.3 docker digest to 10e3c0f (master) (#22566, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 27cb6e6 (v1.13) (#22661, @renovate[bot])
- contrib: exclude non-running pods in k8s-unmanaged script (#22515, @felfa01)
- contributing: Document CNCF DCO Guidelines v1.0 (#22509, @joestringer)
- daemon: Close the identityAllocator on shutdown (#22411, @joestringer)
- daemon: Do not fail CI runs for already deleted CEP (#22474, @jrajahalme)
- delete redundant type conversion (#22376, @tanberBro)
- Docs: Replace the way to install `golangci-lint` to NA (OS-specific) (#22532, @Shunpoco)
- docs: restructure bpf guide (#21922, @yoyo-go)
- docs: update cmdref with missing flag (#22525, @aanm)
- document helm conntrackGCInterval crdWaitTimeout identityChangeGracePeriod (#22352, @vincentmli)
- Enable Google Analytics 4 (Backport PR #22835, Upstream PR #22220, @chalin)
- envoy: Skip NPHDS upsert when IP is already included (#22289, @jrajahalme)
- examples: Add Envoy admin listener (#22386, @jrajahalme)
- Fix long-time failure of "ipcache-inject-labels" controller due to incorrect backoff time for retry (#21886, @ArthurChiao)
- Fix note for 'func numWorkerThreads()' (#22412, @yanggangtony)
- Fix prepare release process (#22487, @aanm)
- fix: omit comparison to bool constant (#22588, @yulng)
- fix: remove ioutil to accommodate newer Go versions (#22383, @yulng)
- fuzzing: bump go-fuzz-headers (#22501, @AdamKorcz)
- go.mod, vendor: drop client-go from replace directives (#22547, @tklauser)
- go.mod, vendor: update cloud provider SDK Go modules for December 2022 (#22469, @tklauser)
- hive: Allow multiple calls to `Hive.Shutdown` (#22551, @dylandreimerink)
- hubble/metrics: ProcessFlow() is optional for metrics handlers (#20367, @chancez)
- Initial datapath support for Cilium mTLS has been added. (Backport PR #22822, Upstream PR #21822, @jrajahalme)
- Introduce v3 backend maps (Backport PR #22822, Upstream PR #21797, @YutaroHayakawa)
- ipcache: Fix IPcache leak of remote-node IP addresses (#21932, @pchaigno)
- Keep command help message capital (#22276, @yanggangtony)
- modify the deprecated label beta.kubernetes.io/instance-type (#21941, @my-git9)
- operator: Remove use of global vars in cilium node synchronizer (#22491, @joamaki)
- operator: Wait for informers to shut down when stopping (Backport PR #22835, Upstream PR #22761, @joamaki)
- pkg: Follow Go convention on capitalization (#22534, @yulng)
- Prepare for release v1.13.0-rc3 (#22481, @aanm)
- Prepare v1.13 stable branch (#22612, @joestringer)
- Remove unnecessary imports of pkg/policy (#21996, @jrajahalme)
- Revert "Mount host /boot into cilium-agent container" (#22326, @ti-mo)
- Revert "per-node configuration overrides" pull request (#22630, @pchaigno)
- support reset backoff period (#21937, @wu0407)
- test/control-plane: Add nil check for agentHandle.Close receiver (#22399, @dylandreimerink)
- Update Cilium install guide about EKS aws-node DaemonSet potential connectivity problem on uninstall (#22620, @NikAleksandrov)
- Update Go to 1.19.4 (#22589, @tklauser)
- update gops and ginkgo mod version to match the current go.mod (#22427, @yanggangtony)
- Update Layer 7 Protocol Visibility Document. (Backport PR #22835, Upstream PR #22807, @obaranov1)
- util: fix wrong comment of GetNumPossibleCPUs (#22540, @117503445)
Other Changes:
- build(deps): bump certifi from 2022.6.15 to 2022.12.7 in /Documentation (#22609, @dependabot[bot])
Docker Manifests
cilium
docker.io/cilium/cilium:v1.13.0-rc4@sha256:32acd47fd9bea9c0045222ba5d27f5fe9ad06dabd572a80b870b1f0e68c0e928
quay.io/cilium/cilium:v1.13.0-rc4@sha256:32acd47fd9bea9c0045222ba5d27f5fe9ad06dabd572a80b870b1f0e68c0e928
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.13.0-rc4@sha256:226d311b4daabbb68a97643c3fc6a82c49e09d25a82cb9cb3c326da8b9fd7073
quay.io/cilium/clustermesh-apiserver:v1.13.0-rc4@sha256:226d311b4daabbb68a97643c3fc6a82c49e09d25a82cb9cb3c326da8b9fd7073
docker-plugin
docker.io/cilium/docker-plugin:v1.13.0-rc4@sha256:8d2a7fb4d1757a00e0c60e7dd1426baa839d73617b1927752c6a20a02eaf8539
quay.io/cilium/docker-plugin:v1.13.0-rc4@sha256:8d2a7fb4d1757a00e0c60e7dd1426baa839d73617b1927752c6a20a02eaf8539
hubble-relay
docker.io/cilium/hubble-relay:v1.13.0-rc4@sha256:bbd8c5bec8cd41c7907cf7caed059b944985f2ba5c89def3f60c584b5a7f5c5c
quay.io/cilium/hubble-relay:v1.13.0-rc4@sha256:bbd8c5bec8cd41c7907cf7caed059b944985f2ba5c89def3f60c584b5a7f5c5c
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.13.0-rc4@sha256:c5b5cb1e5200b75d7b30cb9830365e92dbab8e05d1b00e0c46ccc07e21b4036c
quay.io/cilium/operator-alibabacloud:v1.13.0-rc4@sha256:c5b5cb1e5200b75d7b30cb9830365e92dbab8e05d1b00e0c46ccc07e21b4036c
operator-aws
docker.io/cilium/operator-aws:v1.13.0-rc4@sha256:d6a31dc00e9f15e6012670190c82ee6ed9732dcdd74682c2d4cd763fe7367eba
quay.io/cilium/operator-aws:v1.13.0-rc4@sha256:d6a31dc00e9f15e6012670190c82ee6ed9732dcdd74682c2d4cd763fe7367eba
operator-azure
docker.io/cilium/operator-azure:v1.13.0-rc4@sha256:105bccc4b486fd242f05c06e21e9928255906e2c6c5ace63c833c4d2a1371e0c
quay.io/cilium/operator-azure:v1.13.0-rc4@sha256:105bccc4b486fd242f05c06e21e9928255906e2c6c5ace63c833c4d2a1371e0c
operator-generic
docker.io/cilium/operator-generic:v1.13.0-rc4@sha256:19f612d4f1052e26edf33e26f60d64d8fb6caed9f03692b85b429a4ef5d175b2
quay.io/cilium/operator-generic:v1.13.0-rc4@sha256:19f612d4f1052e26edf33e26f60d64d8fb6caed9f03692b85b429a4ef5d175b2
operator
docker.io/cilium/operator:v1.13.0-rc4@sha256:6a7efade8fa722cfbb0e97353f7c97a35ba650d5e6cf374f73c417293c39f958
quay.io/cilium/operator:v1.13.0-rc4@sha256:6a7efade8fa722cfbb0e97353f7c97a35ba650d5e6cf374f73c417293c39f958