github cilium/cilium v1.20.0-pre.3
1.20.0-pre.3

pre-release, 12 days ago

Summary of Changes

Major Changes:

  • Gateway API: ExternalAuth filter support for HTTPRoutes. Cilium now supports the ExternalAuth filter type in HTTPRoutes (GEP-1494). Routes can delegate authorization decisions to an external service using either gRPC (Envoy ext_authz protocol) or HTTP. Configurable options include allowed request/response headers, request body forwarding, path prefix, and TLS-backed auth backends via BackendTLSPolicy. (#45739, @gauteoh)
  • proxy: Bump cilium-envoy to v1.37.x (#45851, @sayboras)

Minor Changes:

  • Add encryption.ztunnel.ca.type Helm value to select ztunnel's CA backend (spire|internal, default internal). (#45861, @nddq)
  • Add helm.sh/chart standard label (#45771, @chernetskyi)
  • Adds optional fields for subject and private key options in certificate template when cert-manager is used to generate clustermesh-apiserver and hubble TLS certificates. (#45972, @owayss)
  • alibabacloud: Migrate IP/CIDR fields to ip.Addr/Prefix wrappers (#46210, @HadrienPatte)
  • Azure IPAM: track subnet once per AzureInterface on CiliumNode status, matching AWS and AlibabaCloud IPAM models. The previous per-address addresses[].subnet and flat interfaces[].cidr fields are deprecated. (#45985, @jaredledvina)
  • azure: Remove duplicate GetInstance call in per-instance resync (#46192, @HadrienPatte)
  • azure: Skip listing NIC of empty VMSSs (#46129, @HadrienPatte)
  • bgp: Bump GoBGP from v3 to v4.5.0 (#45952, @rastislavs)
  • clustermesh/docs: Improve Cluster Mesh intro documentation (#46021, @MrFreezeex)
  • Extend default APIInteractions metric buckets from 10s to 2min (#46115, @kamilWyszynski1)
  • feat(sdp): Support DNS metrics from Standalone DNS Proxy (#44601, @vipul-21)
  • fqdn: Deprecate toFQDNs pre-cache flag and remove preflight poller (#45295, @HadrienPatte)
  • gateway-api: Add HTTPRoute CORS filter support. (#45924, @arybolovlev)
  • gateway-api: add support for disabling gRPC-web translation (#45984, @thorn3r)
  • helm: Remove loadBalancer.standalone option (#46070, @joestringer)
  • ipam: Add CIDR-based release mechanism for ENI multipool mode (#45958, @HadrienPatte)
  • ipam: Switch ENI IPAM from CRD to multi-pool allocator (#45154, @HadrienPatte)
  • lb: support EndpointSlice weights for Maglev backends (#46061, @mhofstetter)
  • policies that reference AWS VPC groups are now transformed into a CiliumCIDRGroup. (#44704, @squeed)
  • Prevent premature LRU eviction of newly inserted socket reverse NAT entries by touching the entry after insertion to set the LRU reference bit. (#46228, @luoxuanqiang)
  • Relax DisableCiliumEndpointCRD to work with CES and operator slim mode (#45698, @kamilWyszynski1)
  • Replace boringcrypto with upstream Go crypto libraries (#46092, @HadrienPatte)
  • Shrink cilium-cni binary size by 80% (#45845, @giorio94)
  • Updates the CiliumPodIPPool CRD version to v2. Adds a new per-CIDR configuration option "reservedRanges". (#44383, @kyounghoonJang)
  • When IPv4 traffic exits an Egress Gateway node, it strictly uses the network interface specified in the CiliumEgressGatewayPolicy (or the default interface). This matches the behavior for IPv6 traffic. (#45833, @julianwiedmann)
  • wireguard:mtu: fix mtu calculation with potential padding (#45940, @smagnani96)

Bugfixes:

  • Always add cluster label to node when nodeSelectorLabels is enabled to fix CiliumNetworkPolicy with fromNodes/toNodes with policy-default-local-cluster enabled (enabled by default in 1.19+) (#46068, @MrFreezeex)
  • azure: Fix public IP reassignment failure loop on operator restart (#46240, @HadrienPatte)
  • bgp: Don't provide default_gateway reconciler when disabled (#45911, @YutaroHayakawa)
  • bgp: Reduce amount of soft peer resets by service reconciliation and fix potentially missed incorrect metadata update upon failed reconciliation. (#45927, @rastislavs)
  • bpf: don't silently drop packets with tcx hooks (#45740, @Andreagit97)
  • bpf: egressgw: don't use bpf_redirect_neigh() for L3 packets (#45703, @julianwiedmann)
  • bpf: fix host proxy packet routing to pods (#45916, @atykhyy)
  • bug: fixed weighted backend traffic splitting for TLSRoute passthrough listeners in Gateway API (#45937, @nickolaev)
  • cilium-dbg: cilium map list now displays "unknown" instead of 0 for maps that do not support cache-based entry counting. (#44951, @skymensch)
  • datapath/mtu: add altname to mark cilium-owned interfaces and skip changing MTU on interfaces not managed by cilium (#45799, @bersoare)
  • Fix a bug that causes the NamespaceSelector field in a CiliumEgressGatewayPolicy to be corrupted, and no longer effective. (#45926, @julianwiedmann)
  • Fix a rare bug in clustermesh-apiserver that triggers incorrect deletion of a valid endpoint entry from the etcd under high pod churn (#45780, @adamwathieu)
  • Fix allowedRoute namespace and kind restrictions on multi-listener Gateways. (#45693, @eufriction)
  • Fix BGP PeerConfig status cleanup so it no longer times out when there are no managed conditions to remove. (#45967, @ysksuzuki)
  • Fix BPF compilation failure on transient direct routing device address loss (#44894, @christarazi)
  • Fix BPF LB map key collision where HostPort/NodePort expansion could overwrite a LoadBalancer frontend when the node IP matches the LoadBalancer external IP (e.g. k3s/RKE2 L2 ServiceLB). Also fix a ~30-minute NodePort outage that occurred after deleting a LoadBalancer whose external IP was a node address with a port in the NodePort range. (#45314, @syedazeez337)
  • Fix bug that would disrupt node connectivity when ClusterIP/LoadBalancer VIPs overlapped with node-local IP addresses. (#45572, @ajmmm)
  • Fix Cilium node IPv6 selection silently picking an address that failed duplicate-address detection, which could result in the node advertising an address belonging to another node (#45868, @ssam18)
  • Fix dedicated Ingress reconciliation panic on invalid TLS passthrough rules (#45737, @weizhoublue)
  • Fix Hubble metrics labelsContext parsing: values must now be comma-separated (e.g. labelsContext=source_ip,destination_ip). Previously, mixing , and | in the value would silently produce invalid tokens. (#45809, @bitflicker64)
  • Fix Kubernetes ClusterNetworkPolicy (network-policy-api, alpha) match expressions (matchExpressions) being ignored when selecting endpoints. An "In" match selected no endpoints (e.g. a Deny rule would not block its intended traffic) and a "NotIn" match selected all endpoints, so policies using match expressions were not enforced as written. CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, and standard Kubernetes NetworkPolicy are not affected. (#46253, @aanm)
  • fix(gateway-api): set ready condition in endpointSlice to true (#46237, @ulrichgiraud)
  • fix: nil pointer dereference panic due to uninitialized logger (#45782, @weizhoublue)
  • Fixed unsolicited IPv6 L2 announcements ignored by receiving hosts, as not conformant to RFC 4861 (#46079, @giorio94)
  • Fixes a bug where policymap pressure was incorrectly being reported as 0. (#45791, @squeed)
  • gateway-api: fix GatewayClass field index (#46127, @thorn3r)
  • gateway-api: Fix silent drops of routes on multi listener gateways (#45821, @weizhoublue)
  • iptables: match wireguard packets by proto+port instead of packet mark (#45974, @bersoare)
  • multipool: Fix retries for CiliumNode Get errors (#46124, @pippolo84)
  • operator/ipam: Avoid short-lived ctx for allocators start (#46034, @pippolo84)
  • Revert Gateway-API/Ingress endpointslice removal (incl. restore of dummy ingress endpoint) (#45679, @mhofstetter)

CI Changes:

Misc Changes:

  • .github: Make release note instructions clearer (#45768, @joestringer)
  • Add documentation and warnings on DNS interception (#45525, @ferozsalam)
  • Add extension points for cilium-envoy container lifecycle hooks (#45857, @0xch4z)
  • Add schema to the "devices" helm option and expose it in docs. (#45830, @joamaki)
  • always render enable-host-firewall in configmap (#44748, @shibaPuppy)
  • Azure IPAM: Add tracking of the Primary IP per interface (#45976, @jaredledvina)
  • Azure: Merge subnets during resyncInstance instead of replacing them (#45715, @jaredledvina)
  • azure: Remove unused GetVpcsAndSubnets function (#46173, @HadrienPatte)
  • bgp: Handle errors from NewPathForPrefix (#46256, @rastislavs)
  • bgp: Use CreatedAt timestamp instead of AgeNanoseconds in the internal Path type (#46113, @rastislavs)
  • bpf/analyze: Always visit global functions (#45917, @pchaigno)
  • bpf: constify and minor NAT cleanups (#46244, @julianwiedmann)
  • bpf: egressgw: skip redirect checks in to-netdev for non-local traffic (#45955, @julianwiedmann)
  • bpf: Fix should_redirect_peer under netkit (#46037, @borkmann)
  • bpf: introduce pull_l3_hdr() helper for ethertype de-mux points (#45891, @saiaunghlyanhtet)
  • bpf: local_delivery: add CB flag for "use_redirect_peer" (#46169, @julianwiedmann)
  • bpf: local_delivery: condense usage of skb cb slots (#46064, @julianwiedmann)
  • bpf: lxc: pull L3 header at first ethertype de-mux point (#45639, @saiaunghlyanhtet)
  • bpf: nodeport: make l3_off in nodeport_lb4() static (#45797, @julianwiedmann)
  • bpf: Refuse legacy host routing when in netkit mode (#46032, @borkmann)
  • bpf: rename aux.h to avoid malformed file path error upon go get (#45804, @tklauser)
  • chore(deps): update all github action dependencies (main) (#45745, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#45992, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#46014, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#46133, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#45390, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#45879, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (#45725, @cilium-renovate[bot])
  • chore(deps): update base-images (main) (#45991, @cilium-renovate[bot])
  • chore(deps): update base-images (main) (#46054, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium digest to 6bbf438 (main) (#46011, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium digest to e1b3ec8 (main) (#46005, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.19.3 (main) (#46134, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.19.4 (main) (#46263, @cilium-renovate[bot])
  • chore(deps): update dependency bufbuild/buf to v1.69.0 (main) (#45869, @cilium-renovate[bot])
  • chore(deps): update dependency bufbuild/buf to v1.70.0 (main) (#46265, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/little-vm-helper to v0.0.30 (main) (#46108, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.26.3 docker digest to 2d6c802 (main) (#46163, @cilium-renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.11 (main) (#45900, @cilium-renovate[bot])
  • ci: add output option "skip" tests to derive config action (#45971, @smagnani96)
  • cilium-cli/sysdump: use bgp hive shell commands instead of the old rest API based commands (#45754, @martonra)
  • Clarify AI policy guidance in PR template (#46126, @joestringer)
  • clustermesh: add ClusterEndpointSlice type (#46160, @MrFreezeex)
  • clustermesh: update MCS-api dependency to v0.5.0 and adopt the yaml conformance output (#45934, @MrFreezeex)
  • cni: extract configuration into separate package (#46114, @giorio94)
  • CODEOWNERS: Assign ztunnel workflows to ztunnel (#45776, @joestringer)
  • completion: Prune pending completions after Wait (#46060, @jrajahalme)
  • daemon: Fix privileged integration policy test (#46056, @jrajahalme)
  • datapath: clean up USE_BPF_PROG_FOR_INGRESS_POLICY for endpoint programs (#46121, @julianwiedmann)
  • datapath: remove USE_BPF_PROG_FOR_INGRESS_POLICY (#46248, @julianwiedmann)
  • Deprecate Identity.StringID & Refactor callers to use String() instead (#46131, @furkan-asani)
  • deps: Bump GoBGP to most recent 4.5.1 pre-release commit (#46226, @rastislavs)
  • Do not pin Cilium GH actions (#45826, @aanm)
  • docs: Add caveats on Kubernetes versions when using host L7 DNS policies (#45843, @atykhyy)
  • docs: Add Gateway API default TLS certificate example (#45807, @arybolovlev)
  • docs: add small CiliumCIDRGroup scalability callout (#45763, @squeed)
  • docs: Document BTF as a requirement (#46063, @pchaigno)
  • docs: drop stale nodeinit from Azure CNI chaining guide (#46128, @vipul-21)
  • docs: Extend Azure IPAM documentation (#45575, @HadrienPatte)
  • docs: Fix DOCS_BUILDER_REPO env variable for BSD sed compatibility (#46033, @arybolovlev)
  • docs: fix Markdown-style hyperlink in mutual-authentication.rst (#45751, @bitflicker64)
  • docs: fix typo cillium -> cilium in encryption-ztunnel.rst (#45838, @kiranbabu09)
  • docs: Update docs-builder for Makefile usage (#45774, @joestringer)
  • Documentation: Update outdated datapath config docs (#46225, @dylandreimerink)
  • egressgw: minor changes for network interface detection (#45638, @julianwiedmann)
  • endpoint: set and get the value of the RTInfo's encoding (#45794, @ldelossa)
  • endpoint: Update BenchmarkWriteHeaderfile benchmark (#45592, @odinuge)
  • endpoint: use temporary directory for log file in TestPolicyLog (#45801, @tklauser)
  • envoy: Apply default config in standalone_envoy_test (#46052, @jrajahalme)
  • envoy: finalize policy update (#46066, @jrajahalme)
  • Envoy: Network policy cleanup (#46069, @jrajahalme)
  • Fix new golangci-lint findings (#45894, @HadrienPatte)
  • Fix schema for gatewayAPI.gatewayClass.create. (#45741, @reitermarkus)
  • Fix typo: StringID -> String in doc comment of Identity.String function (#46012, @furkan-asani)
  • fix(deps): update all go dependencies main (main) (#45993, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#46006, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#46136, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#46152, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#46264, @cilium-renovate[bot])
  • Fix: Prevent external-group hash collisions that can merge distinct policies (#45820, @weizhoublue)
  • gateway-api: Fix BackendTLSPolicy connections to TLS 1.3-only services (#45865, @weizhoublue)
  • gateway-api: remove ref of v1beta1 grpcroute (#45828, @mhofstetter)
  • gateway-api: remove some usages of v1alpha2 TLSRoute (#45825, @mhofstetter)
  • gateway-api: treat BackendTLSPolicy as required type (#46031, @mhofstetter)
  • gateway-api: treat TLSRoute as required type (#45930, @mhofstetter)
  • gw-api: add external auth example (#46098, @mhofstetter)
  • gw-api: cleanup cecTranslator (#46110, @mhofstetter)
  • health: Add health/history command (#46102, @joamaki)
  • helm: add minReadySeconds support to DaemonSets (#45808, @PhilipSchmid)
  • images: Fix Envoy update script (#46057, @jrajahalme)
  • images: relax dockerfile match when updating builder and runtime images (#45970, @giorio94)
  • ip: Add netip.Addr/Prefix wrappers for Kubernetes API types (#46047, @HadrienPatte)
  • ipam/multi-pool: Do not propagate errors in case of conflicts (#46172, @pippolo84)
  • ipam: Decorrelate agent and operator implementations (#45765, @HadrienPatte)
  • ipam: Migrate AllocationResult.{CIDRs,GatewayIP} to netip types (#45790, @HadrienPatte)
  • ipam: Migrate Allocator and AllocationResult to netip.Addr (#45647, @HadrienPatte)
  • ipam: Migrate operator-side IP-keyed maps to netip.Addr (#45859, @HadrienPatte)
  • ipam: Remove unused ForeachAddress abstraction (#46111, @HadrienPatte)
  • ipsec: misc agent fixes and cleanups (#45641, @smagnani96)
  • k8s/node: Remove NodeIdentity field from CiliumNode (#45685, @gandro)
  • k8s/portforward: avoid panic in case of service without ports (#46230, @tklauser)
  • k8s/tables: extract k8s StateDB tables out of daemon/k8s (#45786, @tklauser)
  • kpr/initializer: fix reserved port range validation (#46229, @tklauser)
  • lbipam: Apply fixes for bugs in LBIPAM refactor (#45800, @dylandreimerink)
  • loadbalancer: Fix resource-drain and transaction churn in the background zone watcher by caching zone state and precisely filtering zone-driven traffic distribution policies. (#45752, @08volt)
  • loadbalancer: proxy ports are now resolved per frontend instead of per service, preventing one port from losing its L7 redirect when multiple listeners share a service. (#45949, @eufriction)
  • loadbalancer: use structured logging in config (#45785, @statsops)
  • loadbalancing: Expose ReflectorWaitTime via flag (#46059, @brb)
  • mac: remove unused CArrayString (#45946, @tklauser)
  • MAINTAINERS: Add Simone Magnani (#46094, @pchaigno)
  • Miscellaneous improvements to the fake client (#45784, @giorio94)
  • operator/ipam: Consolidate cloud allocator bootstrap (#45975, @HadrienPatte)
  • operator/ipam: Miscellaneous improvements to allocators (#46035, @pippolo84)
  • pkg/node/sync: Add support for injecting init functions (#45921, @joamaki)
  • pkg/{aws,azure}: Use go 1.26's new() (#45862, @HadrienPatte)
  • pkg/{aws,azure}: Use k8s sets.Set type for string sets (#45813, @HadrienPatte)
  • Policy minor fixes (#46058, @jrajahalme)
  • policy: Add error logging when parsing invalid CIDRs in GetAsEndpointSelectors (#45781, @statsops)
  • policy: Fix data race in resolve tests under -race (#45941, @christarazi)
  • policy: remove unused EmptyStringLabels (#46044, @tklauser)
  • Prepare for release v1.20.0-pre.2 (#45772, @cilium-release-bot[bot])
  • README: Update releases (#45779, @joestringer)
  • README: Update releases (#45964, @thorn3r)
  • refactor(endpointmanager): use GetEndpointsByNamespace in namespace_updater (#45540, @zbb88888)
  • Remove defunct l2podAnnouncements.interface Helm value that rendered a configmap key the agent no longer recognises, causing crash-loops when L2 pod announcements were enabled. Users must use l2podAnnouncements.interfacePattern instead. (#46093, @salamidrus)
  • renovate: skip sphinx from being updated (#45812, @aanm)
  • Revert "tools/stackwhere: Add a tool to analyze BPF stack usage" (#45759, @dylandreimerink)
  • Split cloud providers into specific files (#45680, @aanm)
  • tools/cloud-dep-check: gitignore the built binary (#45892, @HadrienPatte)
  • tools: Add statedblint (#45896, @joamaki)
  • vendor: Update controller-runtime to v0.24.0 (#45919, @HadrienPatte)
  • vendor: Update controller-tools fork to v0.21.0-1 (#46039, @HadrienPatte)
  • ztunnel: consolidate MockEndpointManager into pkg/testutils (#46067, @nddq)
  • ztunnel: split CA server into its own package (#45664, @nddq)

Other Changes:

  • Fix Meeting Notes link in README (#46086, @parlakisik)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.20.0-pre.3@sha256:c25d38b048b90a1755437aa71e0e1e6b778a6c16532c49300a62b8690def2cd2

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.20.0-pre.3@sha256:7604a20140321f4f0abe84284db8ee16b7817edf6593cc73016dc24ac52edae5

docker-plugin

quay.io/cilium/docker-plugin:v1.20.0-pre.3@sha256:ea9eb75ef2aca3d03330d2332748765f12d2683251be16fa4a51e891434811da

hubble-relay

quay.io/cilium/hubble-relay:v1.20.0-pre.3@sha256:d9fa9e132a9bcd5fa554995d708e152bd4b0282ac131984536d260b4c8c3abc3

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.20.0-pre.3@sha256:67e73aed47b871cb475dfdf76abcf4ddc11f7848aa16c40c77cea19b1de12e6e

operator-aws

quay.io/cilium/operator-aws:v1.20.0-pre.3@sha256:d63bd21ed1a135c2e4ff714142e293cef3fda1ff192b19a89d5c6177293eb778

operator-azure

quay.io/cilium/operator-azure:v1.20.0-pre.3@sha256:1f854ea98a4131d17fb1f956e9c5e3d2abbf1ae478030d7a20cbd50c1f371d62

operator-generic

quay.io/cilium/operator-generic:v1.20.0-pre.3@sha256:5be513260832401fa50d2e112396130ac17585c8e30a2e6e4529282c7fc39fd9

operator

quay.io/cilium/operator:v1.20.0-pre.3@sha256:12a7c328625d88a3280139a2c868ecd945f0280a557513ffdfc670a6593992f6
