We are pleased to release Cilium v1.13.17 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️
Summary of Changes
Minor Changes:
- Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR #32885, Upstream PR #32577, @marseel)
- Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #32573, Upstream PR #32336, @giorio94)
- ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR #32884, Upstream PR #32588, @marseel)
Bugfixes:
- .github/workflows: fix digests file creation (Backport PR #32887, Upstream PR #32860, @aanm)
- [v1.13] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil (#32652, @pippolo84)
- cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR #32786, Upstream PR #32725, @gandro)
- Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR #32696, Upstream PR #32548, @squeed)
- ipsec: Safely delete Xfrm state (Backport PR #32705, Upstream PR #32450, @jschwinger233)
- Remove deprecated
hubble.ui.securityContext.enabled
from hubble-ui deployment template (Backport PR #32887, Upstream PR #32338, @stelucz)
CI Changes:
- ci: Filter supported versions of EKS (Backport PR #32887, Upstream PR #32304, @marseel)
- ci: Filter supported versions of GKE (Backport PR #32696, Upstream PR #32302, @marseel)
- ci: l4lb: Don't hang on gathering logs forever (Backport PR #32963, Upstream PR #32947, @joestringer)
- ci: l4lb: gather more infos about docker-in-docker issues (Backport PR #32696, Upstream PR #32570, @mhofstetter)
- ci: l4lb: restart docker-in-docker container on failure (Backport PR #32696, Upstream PR #32600, @mhofstetter)
- ci: update unsupported ci-aks k8s version from 1.26 to 1.27 (#32502, @mhofstetter)
- eks: Don't use spot instances (Backport PR #32696, Upstream PR #32553, @michi-covalent)
- GCP OIDC instead of SA creds. (Backport PR #32709, Upstream PR #30809, @viktor-kurchenko)
- gha: correctly trigger integration tests via ariane commands (#32843, @giorio94)
- Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a
workflow_dispatch
event. (Backport PR #32504, Upstream PR #31424, @learnitall) - Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR #32504, Upstream PR #32402, @michi-covalent)
- workflows: ignore "No egress gateway found" drops (Backport PR #32696, Upstream PR #32564, @jibi)
- workflows: Remove stale CodeQL workflow (Backport PR #32696, Upstream PR #32084, @pchaigno)
Misc Changes:
- (v1.13) Bump golang.org/x/net (#32791, @ferozsalam)
- background-sync: fix bootstrap issue and edge-case with 1 node (Backport PR #32885, Upstream PR #32630, @marseel)
- bump cni plugins to v1.5.0 (Backport PR #32696, Upstream PR #32629, @antonipp)
- Bump timeout of lint-build-commits.yaml (Backport PR #32786, Upstream PR #32746, @YutaroHayakawa)
- chore(deps): update all github action dependencies (v1.13) (#32499, @renovate[bot])
- chore(deps): update all github action dependencies (v1.13) (#32742, @renovate[bot])
- chore(deps): update all github action dependencies (v1.13) (#32845, @renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.18 (v1.13) (#32582, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.13.5 (v1.13) (#32950, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.10 docker digest to 16438a8 (v1.13) (#32740, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 19478ce (v1.13) (#32926, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.13) (#32376, @renovate[bot])
- chore(deps): update github/codeql-action action to v3.25.5 (v1.13) (#32516, @renovate[bot])
- chore(deps): update go to v1.21.11 (v1.13) (#32896, @renovate[bot])
- chore(deps): update google/cloud-sdk docker tag to v479 (v1.13) (#32927, @renovate[bot])
- chore(deps): update hubble cli to v0.13.4 (v1.13) (#32837, @renovate[bot])
- chore(deps): update kindest/node docker tag to v1.26.15 (v1.13) (#32583, @renovate[bot])
- chore(deps): update stable lvh-images (v1.13) (patch) (#32844, @renovate[bot])
- contrib: Remove CHARTS_PATH dependency (Backport PR #32696, Upstream PR #32328, @joestringer)
- Docs: add note about AKS kube-apiserver entity (Backport PR #32696, Upstream PR #32464, @darox)
- Miscellaneous improvements to the clustermesh troubleshooting guide (Backport PR #32573, Upstream PR #32552, @giorio94)
- Remove release scripts (Backport PR #32963, Upstream PR #32938, @aanm)
Other Changes:
- [v1.13] bugtool: Avoid sensitive data in envoy config dump (#32966, @sayboras)
- [v1.13] envoy: Bump envoy version to v1.28.4 (#32911, @sayboras)
- [v1.13] images: update cilium-{runtime,builder} (#32449, @michi-covalent)
- envoy: Update envoy 1.27.x to 1.28.3 (#32540, @sayboras)
- install: Update image digests for v1.13.16 (#32547, @nebril)
v1.13.17
Docker Manifests
cilium
docker.io/cilium/cilium:v1.13.17@sha256:db7553ec384eeeb786aa3f7472bb8ecfc1b50d37a64a8309e94e4a82fda4882e
quay.io/cilium/cilium:v1.13.17@sha256:db7553ec384eeeb786aa3f7472bb8ecfc1b50d37a64a8309e94e4a82fda4882e
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.13.17@sha256:bce520cc4e234a63cf3eb58b51f18fb24c3a7c38365241ba59b395fa4bb07b38
quay.io/cilium/clustermesh-apiserver:v1.13.17@sha256:bce520cc4e234a63cf3eb58b51f18fb24c3a7c38365241ba59b395fa4bb07b38
docker-plugin
docker.io/cilium/docker-plugin:v1.13.17@sha256:ea64f2abca1271cf03904da37c123c3013926eb8610226c548a251f61343561e
quay.io/cilium/docker-plugin:v1.13.17@sha256:ea64f2abca1271cf03904da37c123c3013926eb8610226c548a251f61343561e
hubble-relay
docker.io/cilium/hubble-relay:v1.13.17@sha256:9398e764708197aee93f5ee3d6a42b087b9c777ef13c81b175be7235be1fb478
quay.io/cilium/hubble-relay:v1.13.17@sha256:9398e764708197aee93f5ee3d6a42b087b9c777ef13c81b175be7235be1fb478
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.13.17@sha256:5d8d5253339f1fba9404730a8f44aa6ea10439b97098e84325051c6877bfc9f7
quay.io/cilium/operator-alibabacloud:v1.13.17@sha256:5d8d5253339f1fba9404730a8f44aa6ea10439b97098e84325051c6877bfc9f7
operator-aws
docker.io/cilium/operator-aws:v1.13.17@sha256:a99201ecf60265f4a38cb78805023af12c19c9a309b86a73ffcd815a26962279
quay.io/cilium/operator-aws:v1.13.17@sha256:a99201ecf60265f4a38cb78805023af12c19c9a309b86a73ffcd815a26962279
operator-azure
docker.io/cilium/operator-azure:v1.13.17@sha256:b2f504420114da2f6f8138e9c7e4a8700684f15b9cce4304a8616649ed91aa4c
quay.io/cilium/operator-azure:v1.13.17@sha256:b2f504420114da2f6f8138e9c7e4a8700684f15b9cce4304a8616649ed91aa4c
operator-generic
docker.io/cilium/operator-generic:v1.13.17@sha256:caa8e0da2b3946463ed9206ff97a88115522999a8b276e09841f4bbd7974da3a
quay.io/cilium/operator-generic:v1.13.17@sha256:caa8e0da2b3946463ed9206ff97a88115522999a8b276e09841f4bbd7974da3a
operator
docker.io/cilium/operator:v1.13.17@sha256:febf6ffa2e44717165e985b6ef65d89f4d3caff6288750084c0a12013d2fdd81
quay.io/cilium/operator:v1.13.17@sha256:febf6ffa2e44717165e985b6ef65d89f4d3caff6288750084c0a12013d2fdd81