We are pleased to announce the release of Cilium v1.13.15.
This release includes a fix to the retry logic in the cilium health controllers, a fix to a race condition when updating L7 LB Services, and a fix for Node ID assignment in BPF maps for very large clusters. In addition, there were a variety of testing enhancements and documentation updates.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm.
Summary of Changes
Minor Changes:
Bugfixes:
- cilium-health: Fix broken retry loop in `cilium-health-ep` controller (Backport PR #31722, Upstream PR #31622, @gandro)
- Fixed a race condition in service updates for L7 LB. (Backport PR #31862, Upstream PR #31744, @jrajahalme)
- Fixed an issue where a node ID of 0 was assigned when the corresponding BPF map ran out of space. This could potentially have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it merely generated unnecessary error log messages. (Backport PR #31657, Upstream PR #31380, @marseel)
CI Changes:
- ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #31722, Upstream PR #31652, @qmonnet)
- controlplane: fix mechanism for ensuring watchers (Backport PR #31587, Upstream PR #31030, @bimmlerd)
- deflake endpointmanager tests (Backport PR #31722, Upstream PR #31488, @bimmlerd)
- Reduce flakiness of controlplane tests (Backport PR #31587, Upstream PR #30906, @bimmlerd)
- workflows: Debug info for key rotations (Backport PR #31722, Upstream PR #31627, @pchaigno)
Misc Changes:
- chore(deps): update all github action dependencies (v1.13) (#31835, @renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.13) (#31709, @renovate[bot])
- chore(deps): update go to v1.21.9 (v1.13) (#31766, @renovate[bot])
- chore(deps): update stable lvh-images (v1.13) (patch) (#31710, @renovate[bot])
- docs: Document `No node ID found` drops in case of remote node deletion (Backport PR #31722, Upstream PR #31635, @pchaigno)
- docs: ipsec: document native-routing + Egress proxy case (Backport PR #31722, Upstream PR #31478, @julianwiedmann)
- helm: update nodeinit image using renovate (Backport PR #31722, Upstream PR #31641, @tklauser)
- Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #31722, Upstream PR #29300, @learnitall)
- v1.13: update cilium/certgen to v0.1.11 (#31884, @rolinh)
Other Changes:
- [v1.13] envoy: Bump envoy image for golang 1.21.9 (#31772, @sayboras)
- [v1.13] fix aws region being used twice (#31740, @brlbil)
- [v1.13] workflows: ipsec-e2e: clean up escaping artifacts (#31630, @julianwiedmann)
- Bump google.golang.org/grpc to v1.63.2 (v1.13) (#31878, @ferozsalam)
- CI: Remove no longer supported k8s v1.24 (#31830, @brlbil)
- envoy: Bump envoy version to v1.27.4 (#31809, @sayboras)
- fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31872, @nathanjsweet)
- fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31713, @nathanjsweet)
- Update image digests for v1.13.14 (#31631, @thorn3r)
Docker Manifests