github cilium/cilium v1.16.0-rc.0
1.16.0-rc.0

Pre-release, 8 days ago

Summary of Changes

Major Changes:

  • Cilium now supports the Gateway API GAMMA initiative, allowing configuration of east-west Layer 7 interception using simpler resources. (#32744, @youngnick)
  • cilium: netkit support (#32429, @borkmann)
  • Improved performance for DNS lookups (up to 5x reduction in tail latency) when using ToFQDN policies. To avoid drops during upgrades in clusters with ToFQDN policies, it is highly recommended to run Cilium v1.15.6 or newer before upgrading to Cilium v1.16 (#32769, @gandro)
  • KVStoreMesh is now enabled by default in Clustermesh. (#32912, @marseel)
  • policy: Add support to watch and read CNP files from directory (#32599, @tamilmani1989)
  • Promote local redirect policy (LRP) feature to stable. (#33032, @aditighag)

Minor Changes:

  • Add cilium_lb_act BPF map with counters of opened and closed connections (#32584, @AwesomePatrol)
  • Adds "aws-enable-ipv6-prefix-delegation" operator option for configuring AWS ENI IPv6 prefix delegation. (#31145, @danehans)
  • Allow configuring RAM-backed clustermesh-apiserver's etcd storage for improved performance in high-scale/high-churn environments (#32823, @giorio94)
  • bpf: allow policy verdict notifications in bpf_host (#32934, @jibi)
  • Change default Clustermesh control plane upgrade strategy to use surge strategy (#32999, @marseel)
  • chore: Bump spire agent and server versions (#33136, @sayboras)
  • Cilium now supports Kubernetes Service TrafficDistribution. To access this feature, use --enable-service-topology when running Cilium. (#32678, @robscott)
  • datapath: Add support for skipping direct routes on different L2 networks (#32733, @jleeh)
  • docs: Deprecate support for podnetwork etcd (#33030, @joestringer)
  • envoy: Bump envoy version to v1.29.5 (#32915, @sayboras)
  • etcd, clustermesh: generalize and untangle the custom dialer logic for automatic DNS name to service ClusterIP translation (#32916, @giorio94)
  • externalTrafficPolicy support for Cilium Ingress and GatewayAPI (#32873, @PhilipSchmid)
  • Formally define and validate the cluster name format (#32641, @giorio94)
  • gateway-api: Bump to version v1.1.0 (#32233, @sayboras)
  • helm: loadBalancerClass for Cluster Mesh APIserver (#33033, @PhilipSchmid)
  • hubble: node labels (#32851, @kaworu)
  • ingress: Support headless service (#32644, @sayboras)
  • Introduce --force-device-detection option to apply the auto-detection criteria also when devices are explicitly listed with --devices. (#32730, @kvaps)
  • Introduce granular etcd permissions to access KVstoreMesh cached data (#33082, @giorio94)
  • More validation has been added to the CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy CRDs. Policies that may have been ignored by the Cilium agent will now be rejected by the Kubernetes API server. (#32814, @squeed)
  • Remove etcd.managed Helm setting (#32921, @joestringer)
  • Support Egress Gateway for endpoints that are also selected by a L7 Network Policy. (#32828, @ysksuzuki)
  • Switch the RBAC used for hubble certificate generation in cronJob mode to namespace-scoped. (#33027, @giorio94)
  • ui: v0.13.1 release (#32852, @geakstr)
  • When upgrading, users can experience a change to their configuration if they were overriding the k8s-heartbeat-timeout flag. K8s client timeout and keep alive are no longer getting values from the k8s-heartbeat-timeout flag, but have default values (30 seconds). (#32625, @dlapcevic)

Bugfixes:

  • .github/workflows: fix digests file creation (#32860, @aanm)
  • Avoid race during RevSNAT mapping creation, resulting in packet drop with "No mapping for NAT masquerade". (#33115, @lmb)
  • Cilium dnsproxy now retries forwarded request id allocation before failing for a duplicate request id. (#32870, @jrajahalme)
  • Cilium restart now waits for Envoy resources to stabilize on restart before serving them to daemonset Envoy, reducing policy churn. (#32824, @jrajahalme)
  • Datapath conntrack entries for reopened connections are fully reinitialized to fix rare L7 proxy redirect failures. (#32653, @jrajahalme)
  • Envoy now reopens ipcache on agent restart and avoids upstream bind errors on concurrent access to a destination. (#32864, @jrajahalme)
  • Fix #32587 concurrent hubble dynamic exporter stop and reload (#33000, @marqc)
  • Fix bug that caused all nodes to report false errors when L2 Neighbor Discovery was enabled (#32890, @thorn3r)
  • Fix release build SBOM generation (#33070, @ferozsalam)
  • Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (#32683, @jschwinger233)
  • gateway-api: Check for matching controller name (#33050, @sayboras)
  • helm: Decouple sysctlfix from cgroup.autoMount (#32866, @YutaroHayakawa)
  • Ignore CiliumIdentity delete conflicts during the gc run (by skipping deletion and emitting a warning), allowing gc to continue if a subset of identities are conflicted. Prior to this change conflicts would cause gc to error, which could lead to an unexpected accumulation of stale CiliumIdentity objects. (#33143, @JacobHenner)
  • iptables: Run an initial full reconciliation to avoid spurious startup errors (#33097, @pippolo84)

CI Changes:

Misc Changes:

  • .github/workflows: pin renovate version (#33169, @aanm)
  • .github: fix renovate GitHub workflow config (#32935, @aanm)
  • Add securityContext & disable hostNetwork in cronjob helm template (#33077, @Sindvero)
  • Add WSO2 to the cilium users (#32850, @isala404)
  • bgp/configmap: remove unnecessary else statement (#32892, @harsimran-pabla)
  • bgpv2: Allow empty advertisement (#32997, @YutaroHayakawa)
  • bgpv2: pass types.Router in path and policy reconcilers (#33075, @harsimran-pabla)
  • bgpv2: Remove node selector check from v2 PodCIDRReconciler (#33043, @rastislavs)
  • bpf: clean up some unneeded includes (#33088, @julianwiedmann)
  • bpf: encap: fix ifindex in TO_OVERLAY trace notification (#33083, @julianwiedmann)
  • bpf: extract ethertype in to-netdev / to-overlay just once (#33117, @julianwiedmann)
  • bpf: host: add host_egress_policy hook (#32879, @jibi)
  • bpf: host: use security identities in to-netdev's trace notifications (#33081, @julianwiedmann)
  • bpf: lxc: simplify RevNAT path for loopback replies (#32480, @julianwiedmann)
  • bpf: move feature-specific maps into their header files (#33087, @julianwiedmann)
  • bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host (#32871, @jibi)
  • bpf: Replace old school header guards with #pragma once (#32235, @dylandreimerink)
  • bpf: s/NODE_MAC/THIS_INTERFACE_MAC (#32839, @julianwiedmann)
  • bpf: transport source identity in MARK_MAGIC_OVERLAY (#32944, @julianwiedmann)
  • build(deps): bump tornado from 6.3.3 to 6.4.1 in /Documentation (#32946, @dependabot[bot])
  • Bump the certgen utility to v0.2.0, and adapt the associated configuration (#33057, @giorio94)
  • cgroup manager: introduce hive cell (#32799, @mhofstetter)
  • chore(deps): update all github action dependencies (main) (#32989, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#33135, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#32984, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33187, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (#32983, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.16.10 (main) (#33131, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.10 (main) (#32985, @cilium-renovate[bot])
  • chore(deps): update dependency grpc-ecosystem/grpc-health-probe to v0.4.27 (main) (#33132, @cilium-renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.409.1 (main) (#33171, @cilium-renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.409.2 (main) (#33199, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.4 docker digest to 0f76912 (main) (#33130, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.4 docker digest to c2010b9 (main) (#33170, @cilium-renovate[bot])
  • chore(deps): update docker/build-push-action action to v5.4.0 (main) (#33006, @cilium-renovate[bot])
  • chore(deps): update docker/build-push-action action to v6 (main) (#33197, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.4 (main) (#32893, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.59.1 (main) (#32986, @cilium-renovate[bot])
  • cilium, netkit: Add CI e2e coverage (#33005, @borkmann)
  • cleanup: untangle unnecessarily complex policy initialization (#32813, @squeed)
  • clustermesh: drain all known entries upon cluster ID change (#32996, @giorio94)
  • clustermesh: drop clustermesh/remoteCluster circular reference (#32900, @giorio94)
  • clustermesh: fix remote service deletion on endpointslicesync (#32961, @MrFreezeex)
  • ClusterMesh: improve validation of remote endpoints and identities (#32785, @giorio94)
  • clustermesh: periodically enforce cilium cluster configuration (#32867, @giorio94)
  • CODEOWNERS: Move devcontainer to cilium/ci (#33029, @joestringer)
  • ctmap: dump CT entry's BackendID (#32563, @julianwiedmann)
  • daemon: cleanup daemon fields (#32880, @mhofstetter)
  • daemon: remove unnecessary method DebugEnabled (#33106, @mhofstetter)
  • daemon: remove unused method GetOptions (#33105, @mhofstetter)
  • datapath/linux: Convert to slog logging (#33121, @joamaki)
  • doc: List L2LB LB class to LB IPAM doc (#33031, @PhilipSchmid)
  • doc: Update doc for CRD CiliumNodeConfig from v2alpha1 to v2 (#33167, @doniacld)
  • docs: egressgw: remove kernel requirement (#33064, @julianwiedmann)
  • docs: Fix CRD compatibility table references (#32859, @joestringer)
  • docs: Fix literals formatting in Envoy documentation by replacing straight quotes with back quotes (#32953, @hacktivist123)
  • docs: ipsec: mention dependency on transparent mode for DNS proxy (#33062, @julianwiedmann)
  • docs: ipsec: remove limitation for native-routing with L7 egress policy (#32906, @julianwiedmann)
  • docs: minor updates for Egress Gateway (#33060, @julianwiedmann)
  • Document dev cycle and feature freeze (#32929, @joestringer)
  • documentation: embed eCHO episodes in Cilium docs (#32907, @hacktivist123)
  • egressgw: skip egressgw handling if the packet is from host (#33148, @ysksuzuki)
  • egressgw: Stop CEGP parsing in case of non-empty invalid EgressIP (#32868, @pippolo84)
  • endpoint: Fix Policy Sync Method (#33146, @nathanjsweet)
  • endpoint: remove unused parameter from Add/NewEndpoint functions (#33071, @mhofstetter)
  • envoy: Call given callback also when reusing a listener (#32974, @jrajahalme)
  • envoy: Remove un-necessary warning log filtering (#33013, @sayboras)
  • Extract clustermesh logic in the operator in a generic package (#32979, @MrFreezeex)
  • Fix a few issues with the newly added MCS-API controllers (#32555, @MrFreezeex)
  • Fix bandwidth manager reconciler config (#32952, @dylandreimerink)
  • fix(deps): update all go dependencies main (main) (#32856, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32987, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#33133, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#33172, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (#32988, @cilium-renovate[bot])
  • fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.164.0 (main) (#33134, @cilium-renovate[bot])
  • fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.164.1 (main) (#33173, @cilium-renovate[bot])
  • fqdn: Exit go routines early if datapath update times out (#33086, @gandro)
  • gateway-api: Update docs for v1.1.0 (#33119, @sayboras)
  • helm: uniform CA generation for hubble and clustermesh (#33024, @giorio94)
  • images: Regenerate api/v1 when updating builder (#32804, @joestringer)
  • ImmSet optimisation for multi inserts or multi deletions (#33138, @DamianSawicki)
  • Improve compatibility with LLVM 18. (#32918, @gentoo-root)
  • Increase usability of Makefile.override (#32660, @learnitall)
  • ingress: Add CNP example for default deny (#31436, @sayboras)
  • ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject (#33120, @squeed)
  • ipsec: support EncryptedOverlay XFRM policies (#31757, @harsimran-pabla)
  • iptables: Remove unneeded cell.Health param (#32853, @pippolo84)
  • k8s: Fix usage of assert in TestWaitForCacheSyncWithTimeout (#33139, @pippolo84)
  • k8s: modularize k8s watcher (#32878, @mhofstetter)
  • k8s: remove unused method NewStandaloneClientset (#33055, @mhofstetter)
  • kvstore: correctly assign permissions to single key, rather than prefix (#33140, @giorio94)
  • loader: cache parsed CollectionSpec (#32962, @lmb)
  • loader: remove datapathSHA256 (#32700, @lmb)
  • logging: Pass debug to slog as well (#32982, @jrajahalme)
  • LRP: Add explicit dependency to k8s ServiceCache (#32796, @mhofstetter)
  • lrp: move api handler from daemon to lrp hive cell (#33102, @mhofstetter)
  • maps: nat: remove rtp.log (#32945, @julianwiedmann)
  • Miscellaneous fixes in the usage of Makefile.override and build modifiers (#33129, @giorio94)
  • pkg/identity: Move GetCIDKeyFromK8sLabels to GlobalIdentity (#32960, @ovidiutirla)
  • pkg/identitybackend: Make sanitizeK8sLabels method public (#32958, @ovidiutirla)
  • Policy repository: use SelectorCache to determine subject pods (#32849, @squeed)
  • policy: Fix Distillery Tests (#33037, @nathanjsweet)
  • precheck: Avoid using unbounded io.ReadAll func (#32967, @sayboras)
  • prefilter: move api handler from daemon to prefilter hive cell (#33104, @mhofstetter)
  • Prepare for release v1.16.0-pre.3 (#32857, @aanm)
  • Proxy persist proxy ports (#32973, @jrajahalme)
  • README: Update releases (#32861, @aanm)
  • README: Update releases (#33049, @qmonnet)
  • recorder: hive cell (recorder & rest api handler) (#33114, @mhofstetter)
  • Remove bpf map migration mechanism to minimize bpf file system operations during endpoint regeneration (#33067, @ti-mo)
  • Remove release scripts (#32938, @aanm)
  • remove tracking of backports with MLH (#33123, @aanm)
  • Removed Cilium Operator options cnp-status-cleanup-burst and cnp-status-cleanup-qps (#32877, @marseel)
  • removed deprecated calls and added nolint for strings.Title (#32936, @yogesh1801)
  • renovate: Add the configuration for spire images (#33078, @sayboras)
  • renovate: prevent upgrading certgen to v0.2 in stable branches (#32998, @giorio94)
  • renovate: run post upgrade tasks on Makefile.values (#33165, @aanm)
  • service: refactor monitoragent nil-checks (#33069, @mhofstetter)
  • Some minor but helpful ipcache performance improvements (#32876, @squeed)
  • Test: fix invalid network policies (#32901, @squeed)
  • Update CEPS watchdog bpf program loaded logger (#31936, @derailed)
  • Update hint links of golangci-lint. (#33158, @renyunkang)
  • vendor: pin StateDB to version v0.1.0 (#33186, @joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0-rc.0@sha256:bc88ac635a871293d5d2837196e53adba1ea55f79cd3f5cba802dd488312fd2a

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0-rc.0@sha256:dc7e3e67dbbd65b882e7d647e0de6dd7d03f692b844c464befed0158a4425be8

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0-rc.0@sha256:5431f3a69ac5c4458a148d7230ee4233442fb49a1ba95bf5d04191a0163c0ba9

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0-rc.0@sha256:22b7f87db6a7a00d10e4ad8c316324368693b0e7f158055b7f81f39fb27928e2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0-rc.0@sha256:b5e2ee8de5345bfaee60d279ec5e010c724d33c9f6a66b58c29d5500300caf56

operator-aws

quay.io/cilium/operator-aws:v1.16.0-rc.0@sha256:4724f2420488e73a2191a80ab190ab0efe6f2ca15f4b552d1f2ee1870bb8b0c2

operator-azure

quay.io/cilium/operator-azure:v1.16.0-rc.0@sha256:388192c967442fbfa791e152df1bfa55ff0d2ebcdbc57bb4b3f52c58dd8eb64e

operator-generic

quay.io/cilium/operator-generic:v1.16.0-rc.0@sha256:78b9951cd6d92e7c954b9d7d2791cf52c83895441147deec3906c03363fd1169

operator

quay.io/cilium/operator:v1.16.0-rc.0@sha256:2ed9f24581b6a39807a4ca01aecc8967b2beb91d5b2daa4d696e4e072121426a
