github cilium/cilium v1.15.16
1.15.16
on GitHub

latest releases: v1.17.3, v1.16.9
6 days ago

Summary of Changes

Minor Changes:

  • datapath: Move WG skb mark check to to-netdev (Backport PR #38776, Upstream PR #31751, @brb)
  • Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #38401, Upstream PR #37936, @smagnani96)
  • Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR #38776, Upstream PR #35900, @smagnani96)

Bugfixes:

  • bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #38776, Upstream PR #38592, @julianwiedmann)
  • Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #38776, Upstream PR #35694, @julianwiedmann)
  • For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #38776, Upstream PR #38737, @julianwiedmann)

CI Changes:

  • build: update golangci-lint to v2.0.0 (Backport PR #38633, Upstream PR #38473, @mhofstetter)
  • ci: build CI images within merge group (Backport PR #38524, Upstream PR #38065, @marseel)
  • ci: prepare CI Image build for being required (Backport PR #38524, Upstream PR #38320, @marseel)
  • Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #38522, Upstream PR #38264, @smagnani96)
  • Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38290, @smagnani96)
  • Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38281, @smagnani96)
  • Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #38522, Upstream PR #38265, @smagnani96)
  • Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38292, @smagnani96)
  • Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38291, @smagnani96)
  • gh: aws-cni: set --enable-identity-mark=false option (Backport PR #38776, Upstream PR #38738, @julianwiedmann)
  • gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #38522, Upstream PR #37551, @jschwinger233)
  • gh: update naming for bpftrace leak detection script (Backport PR #38522, Upstream PR #37865, @julianwiedmann)
  • Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38278, @smagnani96)
  • Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38293, @smagnani96)
  • Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38266, @smagnani96)
  • Refactoring and code comments for the check-encryption-leak script. (Backport PR #38742, Upstream PR #38263, @smagnani96)
  • Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38297, @smagnani96)
  • Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38280, @smagnani96)
  • Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38289, @smagnani96)
  • Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38522, Upstream PR #38287, @smagnani96)
  • Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR #38742, Upstream PR #38268, @smagnani96)
  • test: Update FQDN related domain and IP (Backport PR #38771, Upstream PR #38754, @sayboras)

Misc Changes:

  • [v1.15] deps: bump package x/net (#38360, @ferozsalam)
  • [v1.15] Manually fix builder image (#38748, @smagnani96)
  • [v1.15] Update oauth to 0.27.0. (#38457, @kyle-c-simmons)
  • bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #38776, Upstream PR #37956, @julianwiedmann)
  • bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host (Backport PR #38776, Upstream PR #32871, @jibi)
  • chore(deps): update all github action dependencies (v1.15) (#38332, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.15) (#38428, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.15) (#38719, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#38305, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#38443, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.15) (#38697, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.15) (#38732, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/hubble to v1.17.2 (v1.15) (#38715, @cilium-renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.15) (#38333, @cilium-renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.15) (#38718, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/busybox:1.36.1 docker digest to e246aa2 (v1.15) (#38329, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.23.7 docker digest to cb45cf7 (v1.15) (#38330, @cilium-renovate[bot])
  • chore(deps): update go to v1.23.8 (v1.15) (#38716, @cilium-renovate[bot])
  • chore(deps): update kindest/node docker tag to v1.29.14 (v1.15) (#38331, @cilium-renovate[bot])
  • chore(deps): update module github.com/containerd/containerd to v1.7.27 [security] (v1.15) (#38248, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.15) (#38259, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.6-1742515223-dd05ea7be73de22390a6542e87f1834ef0d61ec9 (v1.15) (#38386, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.15) (#38775, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.15) (patch) (#38318, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.15) (patch) (#38717, @cilium-renovate[bot])
  • docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR #38524, Upstream PR #38173, @yrsuthari)
  • docs: clarify hubble flow filter match semantics (Backport PR #38702, Upstream PR #38657, @devodev)
  • Documentation: "cilium config set" restarts by default (Backport PR #38301, Upstream PR #38114, @joamaki)
  • Documentation: fix mentions of per-node cilium-dbg tool (Backport PR #38301, Upstream PR #38276, @tklauser)
  • images: bump distroless to static (Backport PR #38696, Upstream PR #38647, @kaworu)
  • pkg/endpoint: fix race in unit test (Backport PR #38301, Upstream PR #38129, @squeed)
  • remove the endpointRoutes for aws cni in the doc (Backport PR #38702, Upstream PR #38381, @liyihuang)
  • wireguard: attach Ingress program for native routing mode configurations (Backport PR #38301, Upstream PR #37108, @julianwiedmann)

Other Changes:

  • [v1.15] images: Update runtime and builder image (#38382, @sayboras)
  • install: Update image digests for v1.15.15 (#38206, @cilium-release-bot[bot])
  • proxy: Bump envoy version to 1.32.x (#38449, @sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.16@sha256:17dc69791a5d28a1ea88c149c6798cc9608ebb66c5e8b79a88453207f0cb55a1

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.16@sha256:6198f79a3f286ac2050349e78474e00ac1e28100b550e075cc724aa8283143af

docker-plugin

quay.io/cilium/docker-plugin:v1.15.16@sha256:e50b3c41b472d28a1cbc359b2365a6f657daf57eb38f67cff43b42c16602f870

hubble-relay

quay.io/cilium/hubble-relay:v1.15.16@sha256:e1e2c6740fc093dc6cf9c486ba66eb68e5ab1a58fe90a9669868cd24b5dc2a0e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.16@sha256:1f314bba1c3e7d95a011fc0f0f3945fefc1cbbd3adae7e63e7fac3f923b2163e

operator-aws

quay.io/cilium/operator-aws:v1.15.16@sha256:5cc6fd7202470c53b06a155748cf3ebe169bac01199bc49e86040dad71d29f69

operator-azure

quay.io/cilium/operator-azure:v1.15.16@sha256:0d33a1564a0d30c10963c28e9ee1355371c62a2b4af6320b7bf80eb36210fb06

operator-generic

quay.io/cilium/operator-generic:v1.15.16@sha256:0467e7bc9929a4ed49d9d8a4dee8e0844ee5e711bb41cde63dc6ea0d0eb8f20a

operator

quay.io/cilium/operator:v1.15.16@sha256:059214812db468cc7b2dc04cde012f95c2e311a5acb5e2391d2656d7af0c8cfe

Check out latest releases or
releases around cilium/cilium v1.15.16

Don't miss a new cilium release

NewReleases is sending notifications on new releases.

Get notifications