github cilium/cilium v1.17.3
one month ago

Summary of Changes

Minor Changes:

  • hubble: accurately report startup failure reason from cilium status (Backport PR #38526, Upstream PR #37567, @devodev)
  • Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #38399, Upstream PR #37936, @smagnani96)

Bugfixes:

  • Always detach BPF programs from cilium_wg0 when not needed. (Backport PR #38184, Upstream PR #38179, @smagnani96)
  • Avoid installing no-track rules when IP family is disabled (Backport PR #38526, Upstream PR #38438, @ysksuzuki)
  • bgpv2: Fix service reconciliation by BGP peer IP change (Backport PR #38700, Upstream PR #38620, @rastislavs)
  • bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #38684, Upstream PR #38592, @julianwiedmann)
  • clustermesh: fix mcs-api count of clusters disagreeing with a conflict (the count was previously increased by one) (Backport PR #38298, Upstream PR #38267, @MrFreezeex)
  • Ensure that replies to world-to-pod ICMP in AWS ENI are routed via the correct parent interface. (Backport PR #38394, Upstream PR #38335, @gentoo-root)
  • Fix deadlock in compilation lock (Backport PR #38805, Upstream PR #38784, @dylandreimerink)
  • Fix panic caused in dual cluster setups where LRPs with skipRedirectFromBackend flag set to true are installed and IPv6 is disabled. (Backport PR #38700, Upstream PR #38656, @aditighag)
  • Fix an issue where IPv6-only clusters don't work with multi-pool in some k8s distributions (OpenShift) (Backport PR #38526, Upstream PR #38472, @liyihuang)
  • Fix: cilium-operator no longer patches services on shutdown (Backport PR #38298, Upstream PR #37967, @rsafonseca)
  • Fixes an issue where the agent failed to start on clusters with large numbers of network policies. (Backport PR #38700, Upstream PR #38556, @squeed)
  • For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #38800, Upstream PR #38737, @julianwiedmann)
  • ingress: don't cleanup ingress status of unmanaged Ingress resources (Backport PR #38700, Upstream PR #38555, @mhofstetter)
  • ipam/aws: properly paginate Operator DescribeNetworkInterfaces AWS API calls in ENI IPAM mode in order to avoid throttling, timeouts and errors from the API (Backport PR #38298, Upstream PR #37983, @antonipp)
  • netkit: Fix issue where MAC addresses get changed by systemd in L2 mode causing health checks to fail (Backport PR #38526, Upstream PR #37812, @jrife)

CI Changes:

  • build: update golangci-lint to v2.0.0 (Backport PR #38629, Upstream PR #38473, @mhofstetter)
  • ci: build CI images within merge group (Backport PR #38526, Upstream PR #38065, @marseel)
  • ci: prepare CI Image build for being required (Backport PR #38526, Upstream PR #38320, @marseel)
  • cilium-cli: extend no-interrupted-connections to test Egress Gateway (Backport PR #38527, Upstream PR #38193, @ysksuzuki)
  • cilium-cli: extend no-interrupted-connections to test NodePort from outside (Backport PR #37797, Upstream PR #37294, @ysksuzuki)
  • Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #38517, Upstream PR #38264, @smagnani96)
  • Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38290, @smagnani96)
  • Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38281, @smagnani96)
  • Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #38517, Upstream PR #38265, @smagnani96)
  • Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38292, @smagnani96)
  • Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38291, @smagnani96)
  • gh: aws-cni: set --enable-identity-mark=false option (Backport PR #38800, Upstream PR #38738, @julianwiedmann)
  • gh: e2e-upgrade: also test NS & EGW disruptivity during downgrade (Backport PR #38527, Upstream PR #38511, @julianwiedmann)
  • gha: enable north/south conn-disrupt-test in clustermesh upgrade tests (Backport PR #38527, Upstream PR #38554, @giorio94)
  • Ignore encrypt interface field when validating option.Config after initialization (Backport PR #38298, Upstream PR #37184, @Artyop)
  • Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38278, @smagnani96)
  • Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38293, @smagnani96)
  • Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38266, @smagnani96)
  • proxy/proxyports: fix flake and data race in TestPortAllocator (Backport PR #38674, Upstream PR #38062, @tklauser)
  • proxy: fix flake in TestPortAllocator test (Backport PR #38674, Upstream PR #38646, @mhofstetter)
  • Refactoring and code comments for the check-encryption-leak script. (Backport PR #38740, Upstream PR #38263, @smagnani96)
  • Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38297, @smagnani96)
  • Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38280, @smagnani96)
  • Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38289, @smagnani96)
  • Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38526, Upstream PR #38289, @smagnani96)
  • Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38517, Upstream PR #38287, @smagnani96)
  • Split TCP-related leak report into a separate log line that also includes seq/ack numbers in the check-encryption-leak script. (Backport PR #38740, Upstream PR #38268, @smagnani96)
  • test: Update FQDN related domain and IP (Backport PR #38769, Upstream PR #38754, @sayboras)

Misc Changes:

  • [v1.17] bpf: host: ipsec: check whether destination has tunnel_endpoint (#38802, @julianwiedmann)
  • [v1.17] bpf: ipsec: improve handling of source security identity in encrypted-overlay code (#38594, @julianwiedmann)
  • [v1.17] deps: bump package x/oauth2 (#38403, @ferozsalam)
  • [v1.17] deps: bump x/net to v0.38.0 (#38780, @ferozsalam)
  • bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #38684, Upstream PR #37956, @julianwiedmann)
  • bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR #38684, Upstream PR #38430, @julianwiedmann)
  • bpf: nodeport: preserve monitor aggregation in egress path (Backport PR #38526, Upstream PR #38312, @julianwiedmann)
  • bugtool: collect more detailed link statistics (Backport PR #38526, Upstream PR #38391, @julianwiedmann)
  • chore(deps): update all github action dependencies (v1.17) (#38353, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.17) (#38436, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.17) (#38612, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.17) (#38303, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.17) (#38542, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.17) (#38730, @cilium-renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.17) (#38354, @cilium-renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.17) (#38611, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 37f7b37 (v1.17) (#38350, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.23.7 docker digest to cb45cf7 (v1.17) (#38351, @cilium-renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.20 (v1.17) (#38434, @cilium-renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.17) (#38608, @cilium-renovate[bot])
  • chore(deps): update go to v1.23.8 (v1.17) (#38713, @cilium-renovate[bot])
  • chore(deps): update kindest/node docker tag to v1.29.14 (v1.17) (#38352, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.17) (#38257, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.17) (#38384, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742784301-90f2717e10fcd34f9aca97413fcd00ca2b8ccfee (v1.17) (#38441, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.17) (#38671, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744108394-d3be7c547203cd80d0c4902e4b9deac09c727456 (v1.17) (#38773, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.17) (patch) (#38316, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.17) (patch) (#38435, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.17) (patch) (#38831, @cilium-renovate[bot])
  • cilium, status: Do not display annotations if KPR is disabled (Backport PR #38700, Upstream PR #38677, @borkmann)
  • doc(troubleshooting): add -verbose to cilium-health status (Backport PR #38298, Upstream PR #38169, @alagoutte)
  • doc: Envoy daemonset works on OpenShift (Backport PR #38298, Upstream PR #38236, @fgiloux)
  • docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR #38526, Upstream PR #38173, @yrsuthari)
  • docs: add per-node default pool example (Backport PR #38298, Upstream PR #38135, @acudovs)
  • docs: clarify hubble flow filter match semantics (Backport PR #38700, Upstream PR #38657, @devodev)
  • docs: Correct the envoy circuit-breaking example manifest (Backport PR #38298, Upstream PR #38158, @raphink)
  • docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport PR #38526, Upstream PR #38231, @rastislavs)
  • docs: Update LLVM requirements to 18.1 (Backport PR #38526, Upstream PR #38294, @gentoo-root)
  • Documentation: "cilium config set" restarts by default (Backport PR #38298, Upstream PR #38114, @joamaki)
  • Documentation: fix mentions of per-node cilium-dbg tool (Backport PR #38298, Upstream PR #38276, @tklauser)
  • fix SBOM attestation documentation (Backport PR #38526, Upstream PR #38429, @jaehanbyun)
  • fix(Documentation/installationk0s.rst): adjust kuberouter naming in k0s documentation (Backport PR #38298, Upstream PR #38243, @RiRa12621)
  • images: bump distroless to static (Backport PR #38694, Upstream PR #38647, @kaworu)
  • ipcache: reduce labels map memory churn in resolveLabels a bit (Backport PR #38526, Upstream PR #38494, @tklauser)
  • maglev: Fix division by zero upon table recreation (Backport PR #38700, Upstream PR #38659, @borkmann)
  • pkg/controller: fix data race in update params locked (Backport PR #38526, Upstream PR #38327, @aanm)
  • pkg/endpoint: fix GetLabels data race access (Backport PR #38526, Upstream PR #38328, @aanm)
  • pkg/endpoint: fix race in unit test (Backport PR #38298, Upstream PR #38129, @squeed)
  • policy: sync policy map for fake endpoints (Backport PR #38526, Upstream PR #38367, @harsimran-pabla)
  • proxy: Fix data race in proxyports test (Backport PR #38674, Upstream PR #37890, @jrajahalme)
  • Removal logic for the new cil_from_wireguard program to handle Cilium Downgrades from v1.18. (#38187, @smagnani96)
  • remove the endpointRoutes for aws cni in the doc (Backport PR #38700, Upstream PR #38381, @liyihuang)
  • wireguard: cleanup cilium_calls map upon downgrading from v1.18 (#38595, @smagnani96)

Other Changes:

  • [v1.17] hubble/exporter: Fix logging exporter options as JSON (#38476, @devodev)
  • [v1.17] proxy: Bump envoy version to 1.32.x (#38306, @sayboras)
  • deps: Bump GoBGP to v3.35.0 (#38405, @rastislavs)
  • fix AWS ENI IPAM mode performance regression in the Operator when --update-ec2-adapter-limit-via-api is set to true (#38532, @antonipp)
  • Fix IPv6 for LocalRedirectPolicy with skipRedirectFromBackend option. (#38509, @julianwiedmann)
  • install: Update image digests for v1.17.2 (#38205, @cilium-release-bot[bot])
  • ipsec: backport minimal VinE support for upgrade scenarios (#37993, @ldelossa)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
quay.io/cilium/cilium:stable@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.3@sha256:98d5feaf67dd9b5d8d219ff5990de10539566eedc5412bcf52df75920896ad42
quay.io/cilium/clustermesh-apiserver:stable@sha256:98d5feaf67dd9b5d8d219ff5990de10539566eedc5412bcf52df75920896ad42

docker-plugin

quay.io/cilium/docker-plugin:v1.17.3@sha256:aece31ec01842f78ae30009b5ca42ab5abd4b042a6fff49b48d06f0f37eddef9
quay.io/cilium/docker-plugin:stable@sha256:aece31ec01842f78ae30009b5ca42ab5abd4b042a6fff49b48d06f0f37eddef9

hubble-relay

quay.io/cilium/hubble-relay:v1.17.3@sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55
quay.io/cilium/hubble-relay:stable@sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.3@sha256:e9a9ab227c6e833985bde6537b4d1540b0907f21a84319de4b7d62c5302eed5c
quay.io/cilium/operator-alibabacloud:stable@sha256:e9a9ab227c6e833985bde6537b4d1540b0907f21a84319de4b7d62c5302eed5c

operator-aws

quay.io/cilium/operator-aws:v1.17.3@sha256:40f235111fb2bca209ee65b12f81742596e881a0a3ee4d159776d78e3091ba7f
quay.io/cilium/operator-aws:stable@sha256:40f235111fb2bca209ee65b12f81742596e881a0a3ee4d159776d78e3091ba7f

operator-azure

quay.io/cilium/operator-azure:v1.17.3@sha256:6a3294ec8a2107048254179c3ac5121866f90d20fccf12f1d70960e61f304713
quay.io/cilium/operator-azure:stable@sha256:6a3294ec8a2107048254179c3ac5121866f90d20fccf12f1d70960e61f304713

operator-generic

quay.io/cilium/operator-generic:v1.17.3@sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597
quay.io/cilium/operator-generic:stable@sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597

operator

quay.io/cilium/operator:v1.17.3@sha256:169c137515459fe0ea4c483021f704dba8901ac5180bdee4e05f5901dbfd7115
quay.io/cilium/operator:stable@sha256:169c137515459fe0ea4c483021f704dba8901ac5180bdee4e05f5901dbfd7115
