github cilium/cilium v1.8.0


We are excited to announce the Cilium 1.8 release. A total of 2162 commits have
been contributed by a community of 72 developers, many of whom made their first
contributions this cycle.

For more information, see the blog post:
https://cilium.io/blog/2020/06/22/cilium-18

Highlights

  • XDP Load Balancing Support
  • Cluster-wide flow visibility
  • Better policy visibility and control
  • Performance optimizations across the board
  • Native Azure IPAM
  • Initial ARM64 support
  • Making more functionality iptables-free

Upgrade guide

https://docs.cilium.io/en/v1.8/install/upgrade/#upgrade-guide

Summary of Changes

Note: The summary of changes represents the diff between v1.7.5 and v1.8.0

Major Changes:

  • Add a new DSR/SNAT hybrid mode which allows Cilium to work without MTU changes and enables DSR for TCP and SNAT for UDP workloads. Enable it by default for Cilium's kube-proxy replacement in probe and strict mode. (#10203, @borkmann)
  • Add a new event type for policy verdicts (#9943, @lzang)
  • Add BPF masquerading for veth mode, Add BPF-based ip-masq-agent (#11148, @brb)
  • Add Cilium Operator IPAM (#11083, @aanm)
  • Add DeepEquals generated code (#11435, @aanm)
  • Add scalability report of Cilium on large clusters in CRD mode (Backport PR #11856, Upstream PR #11760, @aanm)
  • add support for k8s 1.18 (#10654, @aanm)
  • Add support for services sessionAffinity (without and with kube-proxy) (#11085, @brb)
  • Allow attaching BPF NodePort and BPF masquerade to multiple devices (#11267, @brb)
  • Azure IPAM Support (#10089, @tgraf)
  • bpf: getpeername hook implementation for socket lb (#11617, @borkmann)
  • Embed Hubble (#10238, @michi-covalent)
  • Host endpoint (#10994, @pchaigno)
  • hubble-proxy: implement 'serve' command (#10653, @rolinh)
  • hubble-relay: add initial multi-node support (#11171, @rolinh)
  • hubble: implement peer service, enable it locally (#10969, @rolinh)
  • Implement policy audit mode for the daemon (#9970, @ap4y)
  • Merge all Hubble server-side code into Cilium (#10860, @tgraf)
  • Network policies for the host endpoint (#11507, @pchaigno)
  • Support for IPv4 fragments (#10264, @qmonnet)
  • Support for named k8s container ports is added to both K8s Network Policies and Cilium Network Policies. (#11092, @jrajahalme)
  • XDP-based NodePort LB handling for BPF-based DSR, SNAT and Hybrid mode. (#10877, @borkmann)

Minor Changes:

  • Accessing a NodePort service via cilium_host IP addr is no longer recommended. (#11692, @brb)
  • Add a flag to disable feeder installation on certain iptables tables (#10639, @Sh4d1)
  • Add command line option to dynamically size BPF maps based on total system memory. (#10780, @tklauser)
  • Add completion support for fish shell (#11284, @sayboras)
  • Add hubble helm charts to cilium install/kubernetes (#10648, @soumynathan)
  • Add information to docs about network interfaces in tunnelling mode (#11357, @cortopy)
  • Add more PriorityClassName fields in Helm charts (#10583, @johngmyers)
  • Add Pod as an owner of a CiliumEndpoint and remove useless Delete (#11195, @aanm)
  • Add PodSecurityPolicies to helm chart (#10330, @maxbischoff)
  • Add possibility to configure native-routing-cidr in helm chart. (#11132, @zbindenren)
  • Add priorityClassName to operator deployment in helm chart (#10285, @maxbischoff)
  • Add the data path filtering for policy verdict logs. (#10477, @lzang)
  • added a max-allocate flag on pkg/ipam to control the maximum amount of IPs being allocated to a node (#10786, @mvisonneau)
  • Added support for logging in JSON format (#11133, @mvisonneau)
  • agent: Remove awareness of IPv4 cluster-range (#10194, @tgraf)
  • Allow specifying which interface the Azure IPAM should allocate IPs on (#10875, @ungureanuvladvictor)
  • api/v1: Add observation proto enum (Backport PR #12173, Upstream PR #12085, @glibsm)
  • azure: retrieve subscriptionID/resourceGroupName from Azure IMS if not provided via CLI flags (#10764, @ungureanuvladvictor)
  • Azure: support multiple pods subnets, and networks in different resource groups (#11268, @bpineau)
  • Azure: support non VMSS instances (Backport PR #12027, Upstream PR #11571, @bpineau)
  • bpf: Check native-routing-cidr in BPF masquerade (#11473, @brb)
  • bpf: don't answer ARP requests for endpoint IP (#11533, @jcaamano)
  • bpf: make socket lb progs netns aware (#10778, @borkmann)
  • bump k8s dependencies and test to v1.18.1 (#10924, @aanm)
  • bump k8s dependencies and test to v1.18.2 (#11047, @aanm)
  • Cilium host proxy has been updated to Envoy release 1.13.1. (#10222, @jrajahalme)
  • Cilium Operator can now use the flags specified in the cilium-config k8s ConfigMap (#10347, @aanm)
  • cilium, docker: runtime dependency updates (#10542, @borkmann)
  • cilium-operator: support subnets filters (#10738, @bpineau)
  • cilium: bpf-based hostport implementation (#10592, @borkmann)
  • cilium: fix up all --help sections properly (Backport PR #12027, Upstream PR #11007, @soumynathan)
  • cli: Add Hubble section to cilium status output (#10879, @gandro)
  • cli: Clarify help of 'cilium map' (#10855, @pchaigno)
  • connectivity-check: Do not perform hostport in standard check (Backport PR #11856, Upstream PR #11715, @tgraf)
  • daemon: adding support for egress policy tracing (#10020, @wofanli)
  • daemon: Allow to fallback to iptables-based masquerading and friends (Backport PR #12039, Upstream PR #12026, @brb)
  • daemon: Clarify log msg how to use only TCP socket-lb (Backport PR #11926, Upstream PR #11918, @brb)
  • daemon: Fix detection of BPF/XDP NodePort, BPF masq and host-fw devices (Backport PR #12027, Upstream PR #11894, @brb)
  • daemon: Make build depend on Makefiles and Dockerfile (#10367, @jrajahalme)
  • datapath: Enable session affinity for older kernels (#11678, @brb)
  • Decrease CRD setup API calls when starting cilium-agent (#10676, @aanm)
  • Deprecate --disable-k8s-services cilium-agent flag (#10552, @soumynathan)
  • Deprecate DNS Poller in v1.8 (#10629, @soumynathan)
  • doc: Change machine-type to n1-standard-4 for GKE guide (#11529, @tgraf)
  • doc: Update LLVM/Clang requirement to 10.0 (#11686, @pchaigno)
  • docker: add hubble CLI binary to the base cilium image (Backport PR #11856, Upstream PR #11784, @rolinh)
  • docs: Extend BPF-based masquerading section (Backport PR #12203, Upstream PR #12145, @brb)
  • Envoy is updated to release 1.13.2. (Backport PR #12027, Upstream PR #11973, @jrajahalme)
  • Expose BPF kernel memory usage as a prometheus metric (#11682, @aanm)
  • golang: update to 1.14 (#10340, @aanm)
  • grafana: Add Hubble dashboard (Backport PR #12039, Upstream PR #12004, @gandro)
  • Handle audit mode in cilium endpoint list and kubectl get cep (#11011, @ap4y)
  • helm: Add hubble section (#10358, @michi-covalent)
  • helm: added global.logOptions parameter (Backport PR #12039, Upstream PR #11861, @mvisonneau)
  • helm: Allow for overriding the size of the managed etcd cluster. (#10644, @bmcustodio)
  • helm: Remove affinity from cilium-etcd-operator (Backport PR #12173, Upstream PR #12139, @brb)
  • helm: set hubble-ui securityContext (#11475, @alex1989hu)
  • hubble-proxy: add initial skeleton (#10545, @rolinh)
  • hubble-relay: add Dockerfile and make target to build hubble-relay image (#11192, @rolinh)
  • hubble-relay: enable gRPC reflection (#11616, @rolinh)
  • hubble-relay: implement flows reordering (#11397, @rolinh)
  • hubble-relay: persist connections to hubble peers (#11335, @rolinh)
  • hubble: Populate traffic direction for trace and drop events (#11062, @gandro)
  • hubble: Update uint size in flow proto (#11161, @matej-g)
  • Implement per-provider operator deployments in Helm (Backport PR #12039, Upstream PR #12029, @joestringer)
  • Improve 'cilium-agent --help' (#10795, @soumynathan)
  • ipmasq: Add default nonMasq CIDRs if config is empty (#11409, @brb)
  • Make resources in agent and operator helm chart configurable (#10296, @maxbischoff)
  • Makefile: Add multi-arch support for cilium images (#10021, @iecedge)
  • monitor: Support more verbosity levels (#10820, @joestringer)
  • operator: Ship slimmer binaries (#10972, @errordeveloper)
  • Optimize scalability of CiliumIdentity operation (#11275, @tgraf)
  • Pass native-routing-cidr to ENI CNI for route rules (#10887, @dctrwatson)
  • pkg/identity: Watch and update labels for the host (#11543, @pchaigno)
  • proxy: Remove access-log option (#10393, @tgraf)
  • Remove deprecated --container-runtime{,-endpoint} options (#11060, @tklauser)
  • Remove deprecated --flannel-manage-existing-containers option (Backport PR #12027, Upstream PR #12008, @tklauser)
  • Remove netstat from cilium-bugtool and replace with ss tool (#11667, @soumynathan)
  • Support on-disk etcd client certificate and key reload when using trusted-ca-file (#10754, @bpineau)
  • Switch k8s liveness/readiness probes to use HTTP /healthz endpoint instead of "cilium status --brief" command. (#11408, @tklauser)
  • test: Avoid panics due to dereferencing a nil error (#10390, @jrajahalme)
  • test: Do not set tty for preloaded VM (Backport PR #11926, Upstream PR #11877, @jrajahalme)
  • test: set hubble-relay image in helm defaults if available (Backport PR #11926, Upstream PR #11904, @jrajahalme)
  • The default maximum number of entries in the BPF TCP ctmap is reduced to 512K. (#10289, @tklauser)
  • Update the Cilium eBPF library to the latest version. (Backport PR #12103, Upstream PR #12068, @tklauser)
  • Updated grafana dashboard (#11744, @aanm)
  • Use bpftool for generating BPF feature macros (#10019, @mrostecki)
  • Use slimmer protobuf definitions on k8s structures (#11326, @aanm)
  • Watch for CEPs in the cluster instead of all pods (#11249, @aanm)

Bugfixes:

  • Add ability to detect iptables mode (nft/legacy) in cilium daemon image (#11199, @mskrocki)
  • Add anti-affinity for Cilium pods to prevent 2 pods being executed on the same node at the same time (Backport PR #11893, Upstream PR #11830, @nebril)
  • Add check for IPv6 before generating bpf headers (#10628, @christarazi)
  • Allow enabling ServiceMonitor without Prometheus installed. (#11261, @diversario)
  • MTU autodetection now correctly detects the MTU of the interface used for Kubernetes cluster communication. The MTU was previously detected incorrectly when multiple interfaces were present and the gateway interface was not the one used for Kubernetes cluster communication (Backport PR #11893, Upstream PR #10635, @manuelbuil)
  • Avoid duplication of generated toCIDRs when using a toServices based CNP (or CCNP) (Backport PR #11926, Upstream PR #11901, @aanm)
  • azure: fix excess/off-by-one addresses allocation (#11669, @bpineau)
  • bpf: clean up IPv4 fragments support (and bpf/), add option for map size (#10927, @qmonnet)
  • bpf: Set DIRECT_ROUTING_DEV* in routed mode (#11419, @brb)
  • bpf: Use nproc --all for NR_CPUS (Backport PR #12173, Upstream PR #12121, @gandro)
  • cilium-cni: Only start gops in debug mode (#11711, @aanm)
  • cilium-operator: Wait for CRDs before running Informers (Backport PR #12173, Upstream PR #10899, @mrostecki)
  • cilium/charts: set system-{node,cluster}-critical priorityClass for k8s >= 1.17 (Backport PR #12173, Upstream PR #12151, @aanm)
  • cilium: chaining mode skb->mark can be mangled by iptables allow opt-out (Backport PR #12196, Upstream PR #12185, @jrfastab)
  • cilium: fix encryption flow labels in ip6 case (Backport PR #12039, Upstream PR #12015, @jrfastab)
  • cilium: fix helm usage of enableIdentityMap -> enableIdentityMark (Backport PR #12196, Upstream PR #12194, @jrfastab)
  • cli: do not output shell completion copyright header on error (#10558, @rolinh)
  • cli: Fix JSON output for BPF conntrack & NAT tables dump (#10904, @qmonnet)
  • clustermesh: Ignore ..data directory of secrets mount (#10200, @tgraf)
  • daemon: Fix fallback to iptables-based masquerading (Backport PR #12103, Upstream PR #12081, @brb)
  • daemon: fix panic when starting Cilium (Backport PR #12173, Upstream PR #12101, @aanm)
  • daemon: Fix session affinity map creation (Backport PR #12173, Upstream PR #12134, @brb)
  • datapath,daemon: Fix initialization panics when IPv6 is enabled (Backport PR #12203, Upstream PR #12197, @brb)
  • datapath: Accept proxy traffic if enable-endpoint-routes are enabled (Backport PR #11856, Upstream PR #11819, @tgraf)
  • datapath: Fix back-edge in bpf_sock for older kernels (#11739, @brb)
  • datapath: Only NOTRACK proxy return traffic going to Cilium datapath (Backport PR #11937, Upstream PR #11899, @jrajahalme)
  • do not ignore Kubernetes event updates for CCNP and CNP with 'specs' field after being created (Backport PR #12173, Upstream PR #12143, @aanm)
  • doc: Ensure ConfigMap remains compatible across 1.7 -> 1.8 upgrade (Backport PR #12173, Upstream PR #12097, @tgraf)
  • Don't require ipam.Cidrs (not supported on Azure) when masquerade is disabled (Backport PR #12103, Upstream PR #11978, @bpineau)
  • endpoint: Fix data races while accessing GetIdentity() (Backport PR #11984, Upstream PR #11941, @tgraf)
  • eni: Fix potential deadlock (Backport PR #11856, Upstream PR #11831, @christarazi)
  • Fix Cilium blocking its initialization on nodes where the hostname was different from the Kubernetes node name. (#11717, @aanm)
  • Fix datarace issue in spanstat.go (Backport PR #11856, Upstream PR #11615, @sayboras)
  • Fix issue when Cilium randomly stops doing service translation in k8s 1.18 (Backport PR #12027, Upstream PR #11947, @aanm)
  • Fix leaking endpoint state metric (Backport PR #11937, Upstream PR #11884, @christarazi)
  • Fix setting monitorAggregationLevel to max reflects via CLI (Backport PR #12039, Upstream PR #12014, @soumynathan)
  • Fix several data races in unit tests (#10602, @tgraf)
  • Fix syslog hook missing in DefaultLogger (Backport PR #12216, Upstream PR #12170, @ArthurChiao)
  • fix transparent encryption related bugs (Backport PR #12027, Upstream PR #11974, @jrfastab)
  • Fix tunneling and ARP resolution when host firewall is enabled. (Backport PR #11893, Upstream PR #11795, @pchaigno)
  • Fix up ipcache access in datapath (#11525, @soumynathan)
  • Fix: resync IP addresses for instances that have been stopped for more than a minute (#11091, @willdeuschle)
  • GKE CI: Fix K8sDatapathConfig* tests (#10259, @tgraf)
  • Gracefully handle lost events from k8s without printing warnings (#11461, @aanm)
  • hubble/container: Properly deal with nil values in RingReader (#11323, @gandro)
  • hubble/parser/threefour: handle IPv6 CIDR labels (#11719, @rolinh)
  • hubble/peer: handle burst of change notifications (Backport PR #12039, Upstream PR #12024, @rolinh)
  • Hubble: fix unknown identities for some CIDR (#11703, @rolinh)
  • IPAM related bugfixes (#10587, @tgraf)
  • ipam/allocator: set missing v4 or v6 podCIDR in CiliumNode (Backport PR #12216, Upstream PR #12211, @aanm)
  • IPAM: dynamically fetch the number of allocatable IPv4 addresses from instance limits (AWS) (#10831, @mvisonneau)
  • ipcache: Fix deadlock when ipcache GC results in datapath reload (Backport PR #11984, Upstream PR #11950, @tgraf)
  • Istio integration is updated to Istio release 1.5.6. (Backport PR #12216, Upstream PR #12214, @jrajahalme)
  • k8s/identitybackend: exclude k8s namespace labels from CRD metadata (#11382, @rlenglet)
  • loader: Fix tunneling when device is set without NodePort (Backport PR #12027, Upstream PR #11980, @pchaigno)
  • nodeinit: Fix for restarting kubenet managed pods (Backport PR #11856, Upstream PR #11779, @dctrwatson)
  • operator: fix panic for non existing CEPs (#11749, @aanm)
  • operator: sync CiliumNodes into etcd instead of k8s nodes (Backport PR #12173, Upstream PR #12179, @aanm)
  • option: Require native-routing-cidr only if IPv4 is enabled (Backport PR #12203, Upstream PR #12198, @brb)
  • Properly cancel endpoint creations as they become obsolete (Backport PR #11951, Upstream PR #11920, @tgraf)
  • Protect ENI and Azure IPAM from misbehaving cloud APIs (#11231, @tgraf)
  • proxy: Keep DNS port allocated (Backport PR #11856, Upstream PR #11661, @jrajahalme)
  • Remove default bpf map size values for new installations and use the dynamic calculation based on system's memory. (Backport PR #12039, Upstream PR #11991, @aanm)
  • service: Fix wrong localEndpoints count in HealthCheckNodePort (Backport PR #11893, Upstream PR #11863, @gandro)
  • stop Cilium from hanging on CNP or CCNP events from Kubernetes if running with 'k8s-event-handover=true' and 'kvstore=""' (Backport PR #12173, Upstream PR #12146, @aanm)
  • Valid CNP and CCNP 'matchLabel' values must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. (Backport PR #12216, Upstream PR #12117, @aanm)
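The matchLabel value rule stated in the last bugfix entry above, as an added example (not Cilium's own validation code) that checks a policy's matchLabels before upgrading; the function names and the sample labels are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule from the v1.8.0 notes: a matchLabel value must be at most 63 characters
// and either empty or begin and end with an alphanumeric character, with only
// alphanumerics, dashes, underscores and dots in between.
const maxLabelValueLen = 63

var labelValueRe = regexp.MustCompile(`^([A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?)?$`)

// ValidateLabelValue returns nil when v satisfies the rule, otherwise an error
// naming the part of the rule that v violates.
func ValidateLabelValue(v string) error {
	if len(v) > maxLabelValueLen {
		return fmt.Errorf("label value %q is %d characters, maximum is %d", v, len(v), maxLabelValueLen)
	}
	if !labelValueRe.MatchString(v) {
		return fmt.Errorf("label value %q must be empty or begin and end with an alphanumeric character, with only [-_.A-Za-z0-9] in between", v)
	}
	return nil
}

// CheckMatchLabels validates every value of a matchLabels map and returns the
// keys whose values a v1.8 CNP/CCNP validation would reject.
func CheckMatchLabels(matchLabels map[string]string) map[string]error {
	bad := map[string]error{}
	for k, v := range matchLabels {
		if err := ValidateLabelValue(v); err != nil {
			bad[k] = err
		}
	}
	return bad
}

func main() {
	// Constructed sample matchLabels, not taken from any real policy.
	sample := map[string]string{
		"app":     "frontend",
		"version": "v1.8.0",
		"owner":   "-platform",
		"region":  "us.west_1-",
	}
	for k, err := range CheckMatchLabels(sample) {
		fmt.Printf("%s: %v\n", k, err)
	}
}
```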

CI Changes:

Misc Changes:
