github cilium/cilium v1.8.2
1.8.2

3 years ago

We are pleased to release Cilium v1.8.2. This version includes various bug fixes, among them many improvements to etcd and the host firewall, and adds support for ingress FromCIDR + ToPorts policies.

Summary of Changes

Minor Changes:

  • Add a getting started guide for the host firewall (Backport PR #12600, Upstream PR #12537, @pchaigno)
  • Add an option to cilium-agent for disabling 'HealthCheckNodePort' (Backport PR #12442, Upstream PR #11236, @soumynathan)
  • Add heartbeat to etcd quorum check (Backport PR #12536, Upstream PR #12453, @tgraf)
  • Atomically replace endpoint header files to avoid corrupted or inconsistent state. (Backport PR #12400, Upstream PR #12380, @tklauser)
  • daemon: Add "datapath" opt to --debug-verbose flag to enable datapath debug messages (Backport PR #12627, Upstream PR #12568, @brb)
  • Fatal if the host firewall is used with per-endpoint routes (Backport PR #12536, Upstream PR #12495, @pchaigno)
  • Fatal if the host firewall is used without remote node identities (Backport PR #12536, Upstream PR #12495, @pchaigno)
  • gitignore: Add test/gke/registry-adder.yaml (Backport PR #12442, Upstream PR #12342, @jrajahalme)
  • hubble/relay: expose options to configure flows sorting (Backport PR #12600, Upstream PR #12572, @rolinh)
  • hubble/relay: improve peer connections handling (Backport PR #12627, Upstream PR #12556, @rolinh)
  • Improve etcd fail-over scenarios (Backport PR #12536, Upstream PR #12427, @tgraf)
  • Include BPF FS mount status in sysdump output (Backport PR #12536, Upstream PR #12191, @soumynathan)
  • operator: rate limit GC of security identities (Backport PR #12536, Upstream PR #12451, @aanm)
  • policy/api: Support unmanaged entity in policies (Backport PR #12536, Upstream PR #12474, @pchaigno)
  • policy: Enable ingress CIDR-dependent L3 policy (FromCIDR + ToPorts) (Backport PR #12600, Upstream PR #12482, @christarazi)

Bugfixes:

  • Adds TRACE_TO_NETWORK obs label and trace pkts in to-netdev prog. (Backport PR #12536, Upstream PR #12245, @Weil0ng)
  • avoid performing useless GETs of Cilium Endpoints (Backport PR #12600, Upstream PR #12595, @aanm)
  • bpf: explicitly set ttl in tunnel key (Backport PR #12536, Upstream PR #12529, @borkmann)
  • bpf: Fix BPF masq when running with non-hybrid DSR (Backport PR #12536, Upstream PR #12456, @brb)
  • bpf: Fix monitor aggregation for 'from-network' (Backport PR #12536, Upstream PR #12559, @joestringer)
  • clustermesh: Tidy up services connection on failure to reconnect (Backport PR #12536, Upstream PR #12526, @joestringer)
  • datapath/linux: protect against concurrent access in NodeValidateImplementation (Backport PR #12536, Upstream PR #12461, @tklauser)
  • etcd: Fix session renewal controllers (Backport PR #12600, Upstream PR #12553, @tgraf)
  • etcd: Fix several etcd related issues (Backport PR #12627, Upstream PR #12605, @tgraf)
  • Fix etcd failure behavior when user or client context ends (Backport PR #12600, Upstream PR #12587, @tgraf)
  • Fix potential host firewall drops on egress of the node in case of SNAT (Backport PR #12600, Upstream PR #12345, @pchaigno)
  • Fix incorrect host firewall enforcement when used with BPF-based NodePort services (Backport PR #12600, Upstream PR #12345, @pchaigno)
  • Fix host firewall ingress bypass on path from pods to local host (Backport PR #12600, Upstream PR #12345, @pchaigno)
  • Fix potential ingress host firewall bypass in tunneling mode for remote pods (Backport PR #12600, Upstream PR #12345, @pchaigno)
  • Fix handling of ICMPv6 messages by host firewall (Backport PR #12600, Upstream PR #12345, @pchaigno)
  • Fix failure to recognize established IPv6 connections on egress of the host firewall (Backport PR #12600, Upstream PR #12345, @pchaigno)
  • Fix manual endpoint regeneration via command line (Backport PR #12536, Upstream PR #12524, @christarazi)
  • Fix node label initialization with Operator IPAM (Backport PR #12600, Upstream PR #12573, @pchaigno)
  • Fix string slice type CLI arguments (Backport PR #12536, Upstream PR #12457, @JieJhih)
  • Fix toGroups CRD to address validation errors (Backport PR #12536, Upstream PR #12440, @lbernail)
  • hubble: Trim FQDN trailing dots in GetNames (Backport PR #12442, Upstream PR #12366, @gandro)
  • pkg/k8s: use copy of objectmeta when fetching from local stores (Backport PR #12536, Upstream PR #12470, @aanm)
  • Register "log-driver" and "log-opt" flags with the cilium-operator command. (Backport PR #12442, Upstream PR #12395, @ungureanuvladvictor)

CI Changes:

  • ci: Check for gke nodepool before locking cluster (Backport PR #12442, Upstream PR #12301, @nebril)
  • ci: delete gke cluster after test run (Backport PR #12442, Upstream PR #12270, @nebril)
  • Fix RuntimeKVStoreTest flake (Backport PR #12600, Upstream PR #12478, @pchaigno)
  • fqdn/dnsproxy/proxy_test: increase again timeout for DNS TCP exchanges (Backport PR #12627, Upstream PR #12606, @qmonnet)
  • test: retrieve pods based on node label, not name (Backport PR #12442, Upstream PR #12398, @nebril)
  • test: Simplify DNS proxy port / TFTP source port conflict test. (Backport PR #12536, Upstream PR #12462, @jrajahalme)

Misc Changes:
