Summary of Changes
Minor Changes:
- docs: clarify wording of remote-nodes in the context of a clustermesh (Backport PR #38104, Upstream PR #37989, @oblazek)
- Increase granularity of the `api_duration_seconds` metric buckets (Backport PR #38104, Upstream PR #37365, @jaredledvina)
- New agent option `--policy-restore-timeout` (default 3m) has been added to bound the maximum time the Cilium agent waits for endpoint policies to regenerate before it starts serving resources to the `cilium-envoy` proxy. (Backport PR #37904, Upstream PR #37658, @jrajahalme)
- Set JSON output as default for `cilium-dbg endpoint get` (Backport PR #37648, Upstream PR #36537, @saiaunghlyanhtet)
- Set JSON output as default for `cilium-dbg endpoint get` (Backport PR #37742, Upstream PR #36537, @saiaunghlyanhtet)
Bugfixes:
- Apply Egress bandwidth-limiting only once for traffic that is matched by an Egress Gateway policy. (Backport PR #37904, Upstream PR #37674, @julianwiedmann)
- Auth policy is properly maintained also when covered by proxy redirects. (Backport PR #37904, Upstream PR #37685, @jrajahalme)
- Do not auto-detect / auto-select IPoIB devices (Backport PR #37648, Upstream PR #37553, @dylandreimerink)
- Egress route reconciliation (Backport PR #38118, Upstream PR #37962, @dylandreimerink)
- Fix a regression that made it impossible to disable Hubble via Helm charts (Backport PR #37648, Upstream PR #37587, @devodev)
- Fix bug causing `cilium-dbg bpf` commands to fail with a map not found error in IPv6-only clusters. (Backport PR #37904, Upstream PR #37787, @pchaigno)
- Fix creating ServiceMonitor for Hubble when dynamic metrics are enabled in the Helm chart (Backport PR #37648, Upstream PR #37474, @dustinspecker)
- Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR #37904, Upstream PR #37419, @javanthropus)
- Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR (Backport PR #37648, Upstream PR #36978, @tommasopozzetti)
- Fix Envoy metrics not being obtainable on IPv6-only clusters (Backport PR #37904, Upstream PR #37818, @haozhangami)
- Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics. (Backport PR #37904, Upstream PR #37543, @rectified95)
- Fix service ID exceeding the maximum limit (Backport PR #37648, Upstream PR #37191, @haozhangami)
- Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport PR #37648, Upstream PR #37532, @antonipp)
- Fix the possible race condition caused by async updates from AWS to the instance map in issue #36428 (Backport PR #38104, Upstream PR #37650, @liyihuang)
- Fix traffic not getting masqueraded with wildcard devices or egress-masquerade-interfaces when enable-masquerade-to-route-source flag is set. (Backport PR #37648, Upstream PR #37450, @liyihuang)
- fix(helm): multiPoolPreAllocation fix conditional avoid null (Backport PR #37742, Upstream PR #37585, @acelinkio)
- fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport PR #37648, Upstream PR #37236, @dee-kryvenko)
- fix: duplicate label maps in helm chart templates and add missing commonlabels (Backport PR #37742, Upstream PR #37693, @cmergenthaler)
- Fix: Resolved an issue causing ArgoCD to report constant out-of-sync status due to the hasKey check in Helm. The condition has been simplified to ensure proper synchronization. No functional changes to deployments. (Backport PR #37648, Upstream PR #37536, @nicl-dev)
- Fixed Envoy JSON log format conversion in Helm, preventing crashes. (Backport PR #37742, Upstream PR #37656, @kahirokunn)
- helm: fix large number handling (Backport PR #37742, Upstream PR #37670, @justin0u0)
- hubble: escape terminal special characters from observe output (Backport PR #37648, Upstream PR #37401, @devodev)
- hubble: fix locking of hubble metrics registry for dynamically configured metrics (Backport PR #38104, Upstream PR #37923, @marseel)
- identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR #38104, Upstream PR #36657, @oblazek)
- ipam/multi-pool: Periodically perform pool maintenance (Backport PR #38104, Upstream PR #37895, @gandro)
- operator: explicit controller-runtime controller names to avoid naming conflicts (Backport PR #37742, Upstream PR #37606, @mhofstetter)
- operator: Fix duplicate configurations (Backport PR #37648, Upstream PR #37293, @joestringer)
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR #38104, Upstream PR #38029, @julianwiedmann)
- Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (Backport PR #38154, Upstream PR #38143, @youngnick)
- Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning the wrong error message `iptables: Incompatible with this kernel` to `iptables -n -L CHAIN` when the chain does not exist. This prevented iptables configuration and induced unnecessary loops and log messages. (Backport PR #38104, Upstream PR #37749, @fgiloux)
CI Changes:
- .github: Remove misleading step from ipsec workflow (Backport PR #37742, Upstream PR #37681, @joestringer)
- .github: s/enbaled/enabled/ (Backport PR #37648, Upstream PR #37449, @chansuke)
- bgpv1: wait for watchers to be ready in tests (Backport PR #37904, Upstream PR #37884, @harsimran-pabla)
- CI: GKE backslash missing disable insecure kubelet (Backport PR #37904, Upstream PR #37850, @auriaave)
- CI: GKE, disable insecure kubelet readonly port (Backport PR #37904, Upstream PR #37844, @auriaave)
- ci: switch to monitor aggregation medium (Backport PR #38104, Upstream PR #38036, @marseel)
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #37904, Upstream PR #37551, @jschwinger233)
- gh: ipsec-e2e: add concurrency for connectivity tests (Backport PR #37925, Upstream PR #37891, @julianwiedmann)
- gh: update naming for bpftrace leak detection script (Backport PR #37904, Upstream PR #37865, @julianwiedmann)
Misc Changes:
- always render enable-hubble in the Cilium configmap (Backport PR #37904, Upstream PR #37703, @kaworu)
- bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (Backport PR #38104, Upstream PR #38037, @borkmann)
- bpf: minor clean-ups for the ENI symmetric routing feature (Backport PR #37648, Upstream PR #37379, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.17) (#37950, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#37944, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#38048, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.17.0 (v1.17) (#37793, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.17) (#37949, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.17) (#38057, @cilium-renovate[bot])
- chore(deps): update go to v1.23.7 (v1.17) (#37996, @cilium-renovate[bot])
- chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.17) (#37833, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.17) (#38148, @cilium-renovate[bot])
- cilium-dbg: output parentIfIndex in bpf endpoint list (Backport PR #37742, Upstream PR #37398, @Mahdi-BZ)
- cilium: Allow to configure tunnel source port range (Backport PR #37904, Upstream PR #37777, @borkmann)
- cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (Backport PR #37904, Upstream PR #37808, @borkmann)
- docs: complete load balancer service manifest in kubeproxy-free (Backport PR #37648, Upstream PR #37466, @ybelleguic)
- docs: fix broken links (Backport PR #38104, Upstream PR #37995, @nueavv)
- docs: masquerading: mention that BPF masq also pulls in BPF Host-Routing (Backport PR #37648, Upstream PR #37604, @julianwiedmann)
- docs: use latest for rtd theme commit with fixed version selector (Backport PR #37614, Upstream PR #37421, @ayuspin)
- envoy: remove duplicated service/endpointslice informers when envoyConfig is enabled (Backport PR #37742, Upstream PR #37683, @marseel)
- Fix API generation and add trusted dependencies to renovate config (Backport PR #37648, Upstream PR #36957, @aanm)
- Fix API generation and add trusted dependencies to renovate config (Backport PR #37742, Upstream PR #36957, @aanm)
- Fix helm value for IPAM Multi-Pool (Backport PR #38104, Upstream PR #37963, @saintdle)
- fqdn/dnsproxy: use `netip.Addr` for `DNSProxy.usedServers` (Backport PR #38104, Upstream PR #37985, @tklauser)
- gha: Update the helm flag for TLS related test (Backport PR #37648, Upstream PR #37428, @sayboras)
- ipcache: Slightly optimize calls to fetch tunnel and encrypt metadata (Backport PR #38104, Upstream PR #38021, @christarazi)
- labels: fix TestNewFrom test (Backport PR #37904, Upstream PR #37846, @giorio94)
- Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport PR #37648, Upstream PR #37399, @ritwikranjan)
- operator: Explicitly init the FQDN regex LRU cache (Backport PR #37648, Upstream PR #37366, @christarazi)
- pkg/hive: always use default logger when decorating cells (Backport PR #37742, Upstream PR #37636, @aanm)
- policy: Skip iteration when proxy port priority is zero (Backport PR #37648, Upstream PR #37422, @jrajahalme)
- Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR #37904, Upstream PR #37806, @rolinh)
- Update Hubble UI to v0.13.2 which contains security fixes, add the missing traffic direction in the flow table, and enhance the home namespace list. See v0.13.2 for more details (Backport PR #37742, Upstream PR #37631, @yannikmesserli)
- use runtime image set by env var action in build and lint (Backport PR #37648, Upstream PR #37253, @Artyop)
Other Changes:
- [v1.17] Revert "Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR" (#38101, @julianwiedmann)
- Backport set runtime action 1.17 (#37854, @Artyop)
- gha: Update GatewayAPI conformance report (#37671, @sayboras)
- install: Update image digests for v1.17.1 (#37580, @cilium-release-bot[bot])
- v1.17: gh/workflows: Remove conformance-externalworkloads (#37738, @brb)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.17.2@sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1
quay.io/cilium/cilium:stable@sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.17.2@sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398
quay.io/cilium/clustermesh-apiserver:stable@sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398
docker-plugin
quay.io/cilium/docker-plugin:v1.17.2@sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c
quay.io/cilium/docker-plugin:stable@sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c
hubble-relay
quay.io/cilium/hubble-relay:v1.17.2@sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc
quay.io/cilium/hubble-relay:stable@sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.17.2@sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe
quay.io/cilium/operator-alibabacloud:stable@sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe
operator-aws
quay.io/cilium/operator-aws:v1.17.2@sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c
quay.io/cilium/operator-aws:stable@sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c
operator-azure
quay.io/cilium/operator-azure:v1.17.2@sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0
quay.io/cilium/operator-azure:stable@sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0
operator-generic
quay.io/cilium/operator-generic:v1.17.2@sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249
quay.io/cilium/operator-generic:stable@sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249
operator
quay.io/cilium/operator:v1.17.2@sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419
quay.io/cilium/operator:stable@sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419