cilium/cilium v1.14.0-snapshot.2

on GitHub

We are pleased to release Cilium v1.14.0-snapshot.2.

Summary of Changes

Major Changes:

• Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
• Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (#24826, @jrajahalme)
• Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)

Minor Changes:

• Add --hubble-monitor-events flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
• Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
• Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
• Add network policy auth method "always-fail" (#24609, @meyskens)
• Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
• auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
• Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fixed several relative IPv6 issues. (#24208, @jschwinger233)
• Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
• cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
• daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
• Deprecate --tunnel in favor of --routing-mode and --tunnel-protocol. (#24561, @pchaigno)
• Drop traffic matching an egress gateway policy when no gateway are found (#24835, @MrFreezeex)
• Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
• Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
• Enabled cilium_bpf_map_pressure metric by default (#24721, @Vishal-Chdhry)
• endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
• envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
• envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
• envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
• Expose Cilium agent go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#24745, @derailed)
• Fix broken IPv6 connectivity from outside to NodePort service when L7 ingress policy applied by removing PROXY_RT route table. (#24882, @jschwinger233)
• helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
• helm: Add SA to nodeinit ds (#24836, @darox)
• Helm: Clean up deprecated values (#24214, @qmonnet)
• ingress: Add ownerReferences for shared mode (#24942, @sayboras)
• Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
• ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
• mtls: SPIRE server and agent installation (#24765, @sayboras)
• Provides operational state of BGP peers via CLI 'cilium bgp peers' (#24612, @harsimran-pabla)
• Remove sockops-enable and friends (#23606, @mohit-marathe)
• Rename the sec_label field in remote_endpoint_info structure to sec_identity (#25057, @ldelossa)
• Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
• Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
• The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)

Bugfixes:

• Address cilium-agent startup performance regression. (#25007, @bimmlerd)
• bpf: dsr: fix parsing of IPv6 AUTH extension header (#24792, @julianwiedmann)
• bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
• bpf: policy: fix handling of ICMPv6 packet with extension headers (#24797, @julianwiedmann)
• Bugfix: Invert --hubble-monitor-events logic to be an allowlist (#25167, @epk)
• cmd/cleanup: Fix cleanup of generic XDP programs (#25117, @pchaigno)
• Filter ipv6 advertisements when using metallb as BGP speaker. (#25043, @harsimran-pabla)
• Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (#24807, @jschwinger233)
• Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (#25024, @pchaigno)
• Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (#24825, @christarazi)
• Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (#24785, @giorio94)
• Fix incorrect network policy ebpf setup that may lead to incorrect packets denies when CEP is present in multiple CES (#24838, @alan-kut)
• Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
• Fix operator startup delay caused by leader election lease not being released correctly (#24978, @giorio94)
• Fix panic due to assignment to nil BGP service announcements map. (#24985, @harsimran-pabla)
• Fix security-group-tags not working in ENI (#24951, @aanm)
• Fix the bug when long-living connections using egress gateway may be reset. (#24905, @gentoo-root)
• Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (#24788, @jrajahalme)
• gateway-api: Re-queue gateway for namespace change (#24624, @sayboras)
• Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (#24681, @aditighag)
• helm: mandate issuer configuration when using cert-manager to generate certificates (#24666, @giorio94)
• ipcache don't short-circuit InjectLabels if source differs (#24875, @squeed)
• ipsec: Clean up stale XFRM policies and states (#24773, @pchaigno)
• pkg/kvstore: Fix for deadlock in etcd status checker (#24786, @hemanthmalla)
• Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (#24646, @MrFreezeex)
• Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (#24672, @bimmlerd)
• The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)

CI Changes:

• Always use the 8.8.8.8 DNS resolver in kind (#24713, @aspsk)
• bpf: inline test functions with ctx as input (#24662, @anfernee)
• CI / Kind enhancements (#24714, @aanm)
• ci-datapath: Enable IPV6 masquerading when KPR=off (#25111, @brb)
• ci-datapath: Fix issue where test were wrongly reported as passing (#24813, @gandro)
• ci-datapath: Use QUAY_ORGANIZATION_DEV for Quay org name (#25052, @michi-covalent)
• ci: Disable wireguard in v1.13 conformance datapath (#24804, @pippolo84)
• ci: fix clustermesh worfklows on stable branches (#25089, @nbusseneau)
• ci: fix status reporting in the ci-multicluster test (#24784, @giorio94)
• ci: Mark skipped matrix workflows as successful (#24922, @gandro)
• ci: move 4.19 complexity tests to tests-datapath-verifier GHA workflow (#24517, @tklauser)
• ci: remove STATUS commands from upstream tests' Jenkinsfile (#25046, @nbusseneau)
• conformance-k8s-kind: disable kindnet, enable log dumping (#24982, @squeed)
• Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based one (#24996, @giorio94)
• Enable loadBalancer.acceleration=testing-only in some datapath conformance cases (#24738, @lmb)
• Enable previously disabled encryption tests on GKE (#24603, @brlbil)
• github/workflows: Enable DSR with WireGuard in ci-dp (#25039, @brb)
• jenkinsfiles: Fix order of ginkgo tests (#25002, @pchaigno)
• kind: Bump k8s version to 1.27.0 (#24841, @sayboras)
• Let renovatebot update Go toolchain version in a single PR (#24895, @tklauser)
• Mitigate GKE workflow flake (#24755, @brlbil)
• mlh: update Jenkins jobs following 1.27 support (#24983, @nbusseneau)
• mlh: update Jenkins jobs names (master > main) (#24958, @nbusseneau)
• Port verifier tests to Go (#24538, @ti-mo)
• renovate: Add explicit gitAuthor (#24739, @gandro)
• renovate: add packageRule group for cilium-cli (#24725, @tklauser)
• renovate: Update builder and runtime images once a week (#24846, @michi-covalent)
• renovate: Update Dockerfiles that use golang image weekly (#24877, @michi-covalent)
• Replace integration_tests build tag with INTEGRATION_TESTS env (#24925, @ti-mo)
• test/k8s: remove istio.go test (#24894, @aanm)
• test/Updates: Explicit error message on failure (#24920, @pchaigno)
• test: Avoid spamming logs in monitor aggregation test (#25152, @pchaigno)
• test: Block HubbleObserveFollow until ready (#25090, @pchaigno)
• test: Enable IPv6 masq for IPsec (#24885, @jschwinger233)
• test: Fix and unquarantine Skip conntrack test (#25038, @pchaigno)
• test: Fix consistent failure in IPv6 masquerading test (#25036, @pchaigno)
• test: Unquarantine host firewall + nodeport test (#25025, @pchaigno)
• test: Unquarantine IPv6 masquerading test (#25149, @pchaigno)
• tests: add exceptions for lease errors due to etcd (#24723, @jibi)
• tests: small fixups for the GENEVE-DSR e2e tests (#25062, @julianwiedmann)
• travis: Run on main branch (#25108, @pchaigno)
• Update EKS conformance tests to use both amd64 and arm64 hosts. (#24853, @chancez)
• Use cilium-cli latest stable version in conformance-datapath workflows (#24809, @pippolo84)
• vagrant: Bump Vagrant box versions (#24984, @pchaigno)
• vagrant: Default to 4.19 (#24950, @pchaigno)
• workflows/datapath: Fix always-passing step (#24918, @pchaigno)
• workflows/k8skind: Disable the flaky Aggregator test (#24989, @pchaigno)
• workflows: add the kind-based clustermesh conformance test for stable branches (#25029, @giorio94)
• workflows: Fix owner tag for stable branch workflows (#25158, @pchaigno)
• workflows: Run stable branches' L4LB workflows on a schedule (#25080, @pchaigno)
• workflows: Run stable branches' workflows on a schedule (#24991, @pchaigno)

Misc Changes:

• .github: Add mirror from main -> master (#24941, @joestringer)
• .github: Improve mirror workflow (#24962, @joestringer)
• Add a package for slices utilities (#25069, @pippolo84)
• Add Ascend.io to USERS.md (#24775, @thejosephstevens)
• Add Cistec User (#25104, @olinux-dev)
• Add Lorenz Bauer to committers (#24864, @xmulligan)
• Added a new job group system to manage the lifecycle of jobs within cells (#24558, @dylandreimerink)
• Adding United Cloud to adopters list (#25084, @carnerito)
• api: Add libraries to Pascalify API endpoints (#24967, @joestringer)
• auth: Enable ClusterFirstWithHostNet dnsPolicy conditionally (#24803, @sayboras)
• auth: Use authmap for auth_required policies (#24410, @jrajahalme)
• Avoid clearing objects in CiliumEndpoint conversion funcs (#24928, @aanm)
• bpf/Makefile: Delete duplicate LB_OPTIONS in Makefile (#24883, @jschwinger233)
• bpf: dsr: restore CB_SRC_LABEL across DSR-INGRESS tail-call (#24794, @julianwiedmann)
• bpf: init.sh: rename TUNNEL_MODE variable to TUNNEL_PROTOCOL (#24969, @julianwiedmann)
• bpf: minor LB cleanups (#25061, @julianwiedmann)
• bpf: nodeport: handle result from encap ctx_redirect() in revDNAT path (#25058, @julianwiedmann)
• bpf: nodeport: remove lb4_populate_ports() (#25063, @julianwiedmann)
• bpf: nodeport: trivial cleanups (#24732, @julianwiedmann)
• bpf: remove special handle for ICMPv6 echo targeting router IPv6 (#24921, @jschwinger233)
• bpf: simplify adding/removing types to alignchecker (#24736, @aspsk)
• bpf: small CT cleanups (#24686, @julianwiedmann)
• bpf: test: Fix the byte order in the IPV4 macro (#25114, @gentoo-root)
• bugtool: improve ss output (#24334, @squeed)
• build(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible (#24753, @dependabot[bot])
• chore(deps): update actions/setup-go action to v4 (main) (#24981, @renovate[bot])
• chore(deps): update actions/stale action to v8 (main) (#25047, @renovate[bot])
• chore(deps): update all github action dependencies (main) (minor) (#24995, @renovate[bot])
• chore(deps): update all github action dependencies (master) (patch) (#24513, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.13.2 (main) (#25027, @renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.11.3 (master) (#24703, @renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (master) (#24639, @renovate[bot])
• chore(deps): update github/codeql-action action to v2.2.12 (main) (#25034, @renovate[bot])
• chore(deps): update go to v1.20.3 (main) (patch) (#24980, @renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.52.2 (master) (#24722, @renovate[bot])
• clustermesh: remote services handling misc improvements (#24515, @giorio94)
• CODEOWNERS: Add cilium/ipcache for pkg/source (#25176, @christarazi)
• configmap & utime sync: provide via hive cell (#24830, @mhofstetter)
• contrib/kind: adapt clustermesh related make targets to recent changes (#24693, @giorio94)
• contrib: detect pre-release version correctly (#24708, @aanm)
• contrib: Fix codegen script to avoid double make (#24718, @joestringer)
• daemon, ipam: omit IPAM mode check before calling ipam.Allocator.RestoreFinished (#25041, @tklauser)
• daemon/cmd: fix a couple of func doc string (#25030, @cuishuang)
• daemon: Mark CES feature as beta in agent flag (#24850, @pchaigno)
• daemon: Remove execute bit from test (#25150, @joestringer)
• datapath: Switch to LPM policy map (#23885, @jrajahalme)
• docs/contributing: update CRD registration instructions (#25008, @tklauser)
• docs: Add matrix version between envoy and cilium (#25109, @sayboras)
• docs: Fix upgradeCompatibility references (#24711, @joestringer)
• docs: Mention caveats about kube-proxy replacement config changes (#24531, @aditighag)
• docs: Note that CiliumEndpointSlice and K8s' EndpointSlice are distinct (#24842, @qmonnet)
• docs: small fixes for k8s upgrade guide (#24869, @tklauser)
• Document known kube-apiserver policy bug (#24868, @squeed)
• egressgw: change special values for gatewayIP (#24449, @MrFreezeex)
• egressgw: policy: stop iterating through nodes after first match (#24898, @jibi)
• envoy: Debug log remote IDs for Envoy policies (#24939, @jrajahalme)
• envoy: Support more envoy image tag formats (#24750, @sayboras)
• Expose bpf-lb-sock-hostns-only in cilium status (#24570, @romanspb80)
• feat: add teuto.net to USERS (#25088, @cwrau)
• Fix bug that causes traffic not to be encrypted when WireGuard node encryption is enabled. (#24903, @3u13r)
• Fix missed clustermesh config change race condition with back-to-back changes (#24993, @giorio94)
• Fix typo in doc: network/concepts/ipam/crd.rst (#24908, @takp)
• fix(deps): pin dependencies (master) (#24881, @renovate[bot])
• helm: add clustermesh nodeport config warning about known bug #24692 (#25033, @giorio94)
• helm: Fix typo in dashboard path (#24733, @jcpunk)
• helm: Ignore .github folder in .helmignore (#24719, @darox)
• hive: Add support for config overrides in tests (#24597, @joamaki)
• hubble: improve hubble lost event log rate limit (#24720, @kaworu)
• identity/cache: don't panic in CachingIdentityAllocator.Close() (#24694, @lmb)
• images/builder: update proto dependencies (#24328, @rolinh)
• Implement commands for listing per-cluster CT/SNAT maps (#24629, @YutaroHayakawa)
• Improve clustermesh's users management test reliability (#24917, @giorio94)
• init.sh,loader: load overlay programs in Go (#24876, @rgo3)
• init.sh: move socketlb creation into own pkg (#23557, @rgo3)
• ipam/allocator: remove unused Allocator methods (#25053, @tklauser)
• k8s/watchers: Fix erroneous warning logs due to empty CIDRGroupRef (#25072, @christarazi)
• k8s: api: clean up CRD versioning (#24671, @julianwiedmann)
• k8s: remove unused singular CRD name consts (#25003, @tklauser)
• loader: Don't compile .asm files by default (#24769, @pchaigno)
• make: use vendored goimports to format generated APIs (#24810, @tklauser)
• Modularize API server (api/v1/server) (#24016, @joamaki)
• Move ct_lookup in bpf_host.c to a separate tailcall (#23831, @gentoo-root)
• Move policy package over to asynchronous IPCache API (#20116, @joestringer)
• node/manager: Only remove old IPs if they weren't already added (#25067, @christarazi)
• Operator api server modularization (#24228, @pippolo84)
• operator/cmd: Move Cilium Operator version log earlier (#25018, @christarazi)
• pkg/bandwidth: add error for bandwidth manager not being enabled (#24715, @aanm)
• pkg/cgroups: Prune excessive debug logging (#24815, @aditighag)
• pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (#24770, @aditighag)
• pkg/service: Extend unit test cases (#24742, @aditighag)
• Prepare for release v1.14.0-snapshot.1 (#24695, @aanm)
• Remote node identities are enabled by default in the Cilium agent. They have already been enabled by default in the Helm charts since Cilium version 1.7. (#24874, @tklauser)
• Rename master branch to main (#24717, @joestringer)
• renovate: group golangci-lint updates (#24688, @mhofstetter)
• Revert "mlh: update Jenkins jobs following 1.27 support" (#25151, @pchaigno)
• Revert "Update k8s tests and libraries to v1.27.0" (#25044, @pchaigno)
• Service Mesh mTLS: BPF map auth provided by hive cell (#24406, @mhofstetter)
• source: Reorder sources based on strength (#25175, @christarazi)
• statedb: An in-memory database (#24523, @joamaki)
• test-l4lb: Use QUAY_ORGANIZATION_DEV as the Quay org name (#25050, @michi-covalent)
• treewide: Fix code comment stutters (#24940, @joestringer)
• Update NYTimes User (#25023, @abebars)
• update readme with v1.14.0-snapshot.1 (#24707, @aanm)
• Update stable releases (#24960, @michi-covalent)
• Update the documentation for required IAM policy rights needed for Cilium to work in EKS. (#25078, @toredash)
• Update threat model (#24760, @ferozsalam)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.0-snapshot.2@sha256:fb92067c1c5c031ae6a6581ef46c35304acb316850d718470fef58c5571f150b
quay.io/cilium/cilium:v1.14.0-snapshot.2@sha256:fb92067c1c5c031ae6a6581ef46c35304acb316850d718470fef58c5571f150b

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.2@sha256:9e06603b72be5eff51930af3cbdd945d0b69f514531ba1569bb4a4b26fad2521
quay.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.2@sha256:9e06603b72be5eff51930af3cbdd945d0b69f514531ba1569bb4a4b26fad2521

docker-plugin

docker.io/cilium/docker-plugin:v1.14.0-snapshot.2@sha256:d99c9216137b52bb40fcfd56ca422702235d61b7375175f3f404169826f79061
quay.io/cilium/docker-plugin:v1.14.0-snapshot.2@sha256:d99c9216137b52bb40fcfd56ca422702235d61b7375175f3f404169826f79061

hubble-relay

docker.io/cilium/hubble-relay:v1.14.0-snapshot.2@sha256:d7bca0ec8e6b0597b11d8ddca4e889fdab0057a0e7dcf4ea8e1faae69c20d5de
quay.io/cilium/hubble-relay:v1.14.0-snapshot.2@sha256:d7bca0ec8e6b0597b11d8ddca4e889fdab0057a0e7dcf4ea8e1faae69c20d5de

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.0-snapshot.2@sha256:1c896f17772ea7b37aca9aaab128e63e6598fdb607e54329525705e3f241b1a7
quay.io/cilium/operator-alibabacloud:v1.14.0-snapshot.2@sha256:1c896f17772ea7b37aca9aaab128e63e6598fdb607e54329525705e3f241b1a7

operator-aws

docker.io/cilium/operator-aws:v1.14.0-snapshot.2@sha256:5b07ff515077169459d41f527a5f45327e1a6f2ba41d0a41559ea416a880036e
quay.io/cilium/operator-aws:v1.14.0-snapshot.2@sha256:5b07ff515077169459d41f527a5f45327e1a6f2ba41d0a41559ea416a880036e

operator-azure

docker.io/cilium/operator-azure:v1.14.0-snapshot.2@sha256:8db15e6810d6fc3e1ac54dc4d29caf8c8566ec0c160695312b2540111438e278
quay.io/cilium/operator-azure:v1.14.0-snapshot.2@sha256:8db15e6810d6fc3e1ac54dc4d29caf8c8566ec0c160695312b2540111438e278

operator-generic

docker.io/cilium/operator-generic:v1.14.0-snapshot.2@sha256:ac6e3f6058c2692decba6d8b84f8b505b5b677ead8efc78c1ca234873fb92b63
quay.io/cilium/operator-generic:v1.14.0-snapshot.2@sha256:ac6e3f6058c2692decba6d8b84f8b505b5b677ead8efc78c1ca234873fb92b63

operator

docker.io/cilium/operator:v1.14.0-snapshot.2@sha256:16acb7bb9145dd998a046f3c46fc6ccd3585ae8de2a21f814a1e69bf8bf82874
quay.io/cilium/operator:v1.14.0-snapshot.2@sha256:16acb7bb9145dd998a046f3c46fc6ccd3585ae8de2a21f814a1e69bf8bf82874