github cilium/cilium v1.16.4
1.16.4

3 days ago

Summary of Changes

Minor Changes:

  • Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #35908, Upstream PR #35809, @jrajahalme)
  • clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #35543, Upstream PR #35349, @giorio94)
  • helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #35781, Upstream PR #35630, @chancez)
  • helm: New socketLB.tracing flag (Backport PR #35781, Upstream PR #35747, @pchaigno)
  • hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #35781, Upstream PR #35632, @chancez)
  • netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #35543, Upstream PR #35306, @jrife)

Bugfixes:

  • Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #35468, Upstream PR #35179, @wedaly)
  • bgpv1: fix reconciliation of services with shared VIPs (Backport PR #35468, Upstream PR #35333, @rastislavs)
  • bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #35863, Upstream PR #35690, @YutaroHayakawa)
  • bgpv2: set local peering address when specified (Backport PR #35781, Upstream PR #35552, @harsimran-pabla)
  • Cilium datapath now gives precedence to the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #35603, Upstream PR #35150, @jrajahalme)
  • Cilium's DNS proxy no longer gets stuck for a specific five-tuple if a "timeout waiting for response" error is encountered. (Backport PR #35781, Upstream PR #35589, @bimmlerd)
  • config: Remove superfluous warning on native routing CIDR (Backport PR #35781, Upstream PR #35738, @gandro)
  • Fix missing flowlabel hash on SRv6 traffic. (Backport PR #35781, Upstream PR #35498, @akaliwod)
  • Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #35543, Upstream PR #35173, @smagnani96)
  • Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #35781, Upstream PR #35673, @giorio94)
  • Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #35468, Upstream PR #35165, @julianwiedmann)
  • Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #35908, Upstream PR #35694, @julianwiedmann)
  • Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #35781, Upstream PR #35599, @squeed)
  • Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #35543, Upstream PR #35293, @squeed)
  • Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #35906, Upstream PR #35890, @squeed)
  • Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#35611, @pippolo84)
  • helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #35319, Upstream PR #35301, @hox)
  • helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #35781, Upstream PR #35703, @solidDoWant)
  • helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #35781, Upstream PR #35674, @ayuspin)
  • hubble: fix endpoint cluster name (Backport PR #35781, Upstream PR #35415, @kaworu)
  • hubble: Lock exporters while gathering metrics (Backport PR #35908, Upstream PR #35860, @joestringer)
  • Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for it. (Backport PR #35781, Upstream PR #35143, @jrajahalme)
  • ipam: Validate CiliumNode resource in ENI mode (Backport PR #35792, Upstream PR #35784, @sayboras)
  • l7lb: fix registration of flag loadbalancer-l7 (Backport PR #35781, Upstream PR #35623, @mhofstetter)
  • Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #35319, Upstream PR #35069, @chancez)
  • option: Reduce log level for WG strict mode + IPv6 (Backport PR #35908, Upstream PR #35763, @pchaigno)
  • Policy properly propagates proxy listener name and priority from an L3 wildcard rule with policies requiring authentication. (Backport PR #35468, Upstream PR #35381, @jrajahalme)
  • treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport PR #35654, Upstream PR #35614, @gandro)
  • wireguard: Fix connectivity issues following node reboots. (Backport PR #35908, Upstream PR #35750, @jrife)

CI Changes:

Misc Changes:

  • .github/build-images-base: checkout base branch to get scripts (Backport PR #35319, Upstream PR #35236, @aanm)
  • .github: remove retention days for image digests (Backport PR #35468, Upstream PR #35457, @aanm)
  • bpf: vxlan helper improvements (Backport PR #35543, Upstream PR #34755, @julianwiedmann)
  • chore(deps): update all github action dependencies (v1.16) (#35382, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#35439, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#35573, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#35710, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#35438, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#35730, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#35379, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.9 (v1.16) (#35854, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (#35491, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#35731, @cilium-renovate[bot])
  • cilium, docs: Extend requirements for L7 proxy (Backport PR #35781, Upstream PR #35669, @borkmann)
  • cilium: add probe for netkit for more user friendly error when not supported (Backport PR #35781, Upstream PR #35551, @borkmann)
  • ctrl-runtime: lower severity of retryable reconcile errors (Backport PR #35592, Upstream PR #35364, @giorio94)
  • daemon: Reduce level of socket LB tracing warning (Backport PR #35908, Upstream PR #35798, @pchaigno)
  • datapath: move policy map value prefix length to flags (Backport PR #35603, Upstream PR #35534, @jrajahalme)
  • dnsproxy: fix error when sessionUDPFactory fails (Backport PR #35543, Upstream PR #33998, @marseel)
  • docs/ipsec: Remove KPR limitation (Backport PR #35908, Upstream PR #35743, @pchaigno)
  • docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR #35781, Upstream PR #35626, @pchaigno)
  • docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #35319, Upstream PR #35288, @oneumyvakin)
  • docs: clean up stale kernel requirements (Backport PR #35582, Upstream PR #35575, @julianwiedmann)
  • docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport PR #35781, Upstream PR #35725, @nvibert)
  • docs: kpr: update error message regarding SocketLB tracing (Backport PR #35468, Upstream PR #35337, @julianwiedmann)
  • docs: tuning: XDP LB also supports tunnel routing (Backport PR #35582, Upstream PR #35574, @julianwiedmann)
  • docs: update 1.16 upgrade note for LRP (#35944, @ysksuzuki)
  • docs: update default identity label filters (Backport PR #35468, Upstream PR #35422, @marseel)
  • docs: XFRM reference guide for IPsec development (Backport PR #35582, Upstream PR #35322, @pchaigno)
  • Envoy simplify listener setup (Backport PR #35764, Upstream PR #35642, @jrajahalme)
  • envoy: Configure internal_address_config to avoid warning log (Backport PR #35471, Upstream PR #35090, @sayboras)
  • envoy: Limit started serving logging to the typeURL of the stream (Backport PR #35781, Upstream PR #35736, @jrajahalme)
  • Fix wrongly spelled config option in error message (Backport PR #35543, Upstream PR #35390, @baurmatt)
  • helm: clarify text for serviceNoBackendResponse (Backport PR #35908, Upstream PR #35734, @julianwiedmann)
  • hubble: Add 'release' Make target (Backport PR #35781, Upstream PR #35561, @michi-covalent)
  • image: Use cilium-builder instead of golang as operator builder image (Backport PR #35781, Upstream PR #35351, @learnitall)
  • iptables: always warn about missing xt_socket module (Backport PR #35781, Upstream PR #35591, @julianwiedmann)
  • makefile: add target to install Cilium in kvstore mode (Backport PR #35905, Upstream PR #35646, @giorio94)
  • proxy: Ensure proxy ports are written on shutdown (Backport PR #35908, Upstream PR #35839, @jrajahalme)
  • Silence spurious clustermesh-related warnings (Backport PR #35850, Upstream PR #35867, @giorio94)

Other Changes:

  • [v1.16] envoy: Add configuration for OverloadManager (#35787, @sayboras)
  • [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (#35563, @sayboras)
  • [v1.16] policy/correlation: Fix PolicyMatch{L3Proto,L4Only} case (#35681, @gandro)
  • chore(deps): update cilium-envoy dependency (#35920, @sayboras)
  • install: Update image digests for v1.16.3 (#35361, @cilium-release-bot[bot])
  • Policy add deny rule test and benchmark (#35714, @jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.4@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2
quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2

docker-plugin

quay.io/cilium/docker-plugin:v1.16.4@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e
quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.4@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686
quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686

operator-aws

quay.io/cilium/operator-aws:v1.16.4@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be
quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be

operator-azure

quay.io/cilium/operator-azure:v1.16.4@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de
quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de

operator-generic

quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5

operator

quay.io/cilium/operator:v1.16.4@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
