github cilium/cilium v1.9.0-rc1
1.9.0-rc1

Pre-release, 3 years ago

We are pleased to announce Cilium v1.9.0-rc1. This release is not recommended for use in production clusters, but if you're in a position to pull it and try it out in staging / testing environments and report issues that you find, this will help us to put out a high-quality, stable final v1.9.0 release.

The summary of changes below reflects the diff between the last stable release (v1.8.4) and tag v1.9.0-rc1.

Summary of Changes

Major Changes:

  • Add deny policies (#12716, @aanm)
  • Add Maglev consistent hashing to kube-proxy replacement for NodePort/LoadBalancer/externalIPs services (#13131, @brb)
  • Add support for k8s 1.19 (#12611, @aanm)
  • Added support for non-k8s nodes to register to a k8s cluster via new option --join-cluster (#13309, @jrajahalme)
  • Add experimental multi-platform images (#12013, @errordeveloper)
  • Add bandwidth manager (#12868, @borkmann)
  • Direct routing performance improvement through new tc/BPF-only based host forwarding mode w/o passing to upper stack. (#13330, @borkmann)
  • Overhaul of Helm chart structure to simplify & improve upgrades (#13259, @seanmwinn)
  • Implement eBPF native local service redirect functionality (#12831, @aditighag)
  • Implement proxy redirection logic in eBPF (#11279, @joestringer)

Minor Changes:

  • Add blacklistConflictingRoutes parameter to config chart (#11368, @donch)
  • Add a node label to agent metrics. (#12965, @diversario)
  • Add automatic generation of CRDs for CNP and CCNP (#11607, @christarazi)
  • Add BPF map sizes to output of cilium status --verbose (#12660, @tklauser)
  • add CLI for checking kernel capabilities (#11339, @brandshaide)
  • Add config point to send bugtool to stdout (#12837, @willdeuschle)
  • Add configurable enable-k8s-endpoint-slice (#13029, @Antiarchitect)
  • Add detection of unknown fields for policies (CNP & CCNP) in preflight (#13180, @christarazi)
  • add hint to make use of CLI cilium kernel-check in system requirements (#13164, @brandshaide)
  • api/v1: Add ability to query flows by HTTP method (#13328, @glibsm)
  • api/v1: Add drop_reason_desc enum to Flow API (#13301, @kaworu)
  • Automate generation of CiliumNode, CiliumIdentity, & CiliumEndpoint CRDs using controller-gen (#11476, @aanm)
  • Azure IPAM: don't install bogus "PodCIDR via cilium_host" route by default (#13098, @bpineau)
  • build: Skip 'clean' and 'clean-container' before docker image builds. (#12463, @jrajahalme)
  • cilium/build Add GOPATH check for generate-k8s-api (#12695, @aditighag)
  • cleanup/ipam: Remove hostscope-legacy IPAM option (#12984, @sayboras)
  • cmd: Allow to filter metrics with regexp (#12590, @mrostecki)
  • Differentiate load-balancer keys in the datapath by protocol (in addition to address and port), so that cilium can correctly differentiate protocols between services. (#12628, @nathanjsweet)
  • Enable host firewall without remote-node identity (#12878, @pchaigno)
  • Enable support for user managed identities in the cilium-operator (#12592, @ungureanuvladvictor)
  • Envoy metrics from the Cilium host proxy are exported via a prometheus port. (#12949, @jrajahalme)
  • envoy: Add development support for Envoy filter metadata enforcement (#12500, @jrajahalme)
  • envoy: Move to Envoy API v3 (#12331, @jrajahalme)
  • envoy: Optimize list of allowed remote security IDs (#12926, @jrajahalme)
  • envoy: Stop using deprecated filter names (#13351, @jrajahalme)
  • envoy: Update to release 1.14.4 (#12484, @jrajahalme)
  • Fail to start if IPSec and devices are used together (#13069, @tobiaskohlbau)
  • Fix typo in AKS getting started guide (#12505, @ap4y)
  • fix(3891): mirror parent pod labels to cilium endpoints (#12406, @fristonio)
  • fix(9966): fix creation of multiple KVStore watchers for CNPs and CCNPs (#12323, @fristonio)
  • Follow-up for cilium ip list identity lookup (#13375, @tklauser)
  • helm: allow setting conntrack-gc-interval in cilium-config cm (#13061, @ghouscht)
  • helm: bump hubble-ui patch version in chart values (#13313, @genbit)
  • helm: configurable annotations for agent and operator pods (#12189, @mvisonneau)
  • hubble-relay: add support for (m)TLS (#12900, @rolinh)
  • hubble/metrics: Add protocol labels to flows_processed_total (#12742, @sayboras)
  • hubble: add support for (m)TLS (#12906, @rolinh)
  • hubble: Add support for PERF_RECORD_LOST (#12475, @gandro)
  • Kafka proxy is now implemented in Cilium Go extensions for Envoy, which adds egress policy enforcement support for Kafka L7 policies. (#12548, @jrajahalme)
  • lbmap: Sort backends before creating maglev lookup table (#13461, @brb)
  • maglev: Perf related follow up items (#13431, @brb)
  • Make pods IPv6 address discoverable on node's subnet (#12193, @anfernee)
  • Makes k8sNodeIP the preferred IP when initializing NodePort addresses. (#13223, @networkop)
  • metrics: Deprecate non-conventional prometheus metrics (#12826, @sayboras)
  • monitor: Add option to disable monitor independently of Hubble (#12540, @gandro)
  • operator: Remove options deprecated in v1.8 (#12676, @pchaigno)
  • pkg/hubble/filters: Add HTTP path filters (#13425, @twpayne)
  • pkg/option: add option to configure BPF lbmap size (#12843, @fristonio)
  • policy/trace: Support recent api versions for {Deployment, ReplicaSet} (#12903, @sayboras)
  • Remove "blacklist-conflicting-routes" option from cilium-agent. (#12986, @fristonio)
  • Remove agent options deprecated in v1.8 (#12642, @tklauser)
  • Remove deprecated cilium bpf proxy commands (#12682, @tklauser)
  • Remove DNS poller after being deprecated in Cilium 1.8. (#13229, @tklauser)
  • Remove PodSecurityPolicy in helm due to deprecation and future removal in Kubernetes (#12469, @sayboras)
  • Removed helm 2 support. Move requirements.yaml to Chart.yaml and set min. helm version to helm 3 (#12412, @sayboras)
  • Rename IPAM API metrics to be ec2 specific. (#12502, @ungureanuvladvictor)
  • Show names for reserved identities in cilium ip list. (#13304, @tklauser)
  • The metrics endpoint_regeneration_time_stats and policy_regeneration_time_stats had their 'buildTime' scopes renamed to 'total'. (#13323, @ti-mo)
  • TLS certificates hot reloading for Hubble and Relay (#13249, @kaworu)
  • Update Kubernetes dependencies to v1.19.1 and etcd to 3.4.13 (#13134, @aanm)
  • Update Kubernetes libraries to 1.19.2 (#13199, @aanm)
  • Upgrade CRDs (apiextensions) from v1beta1 to v1 (#11477, @aanm)

Bugfixes:

  • Add the update-ec2-adapter-limit-via-api flag to the cilium-operator-aws. (#12410, @ungureanuvladvictor)
  • agent: fix panic when clustermesh not set and cluster-id is non-zero (#12944, @ArthurChiao)
  • cilium: allow encryption/decryption to coexist with bpf_host logic (#13238, @jrfastab)
  • Hubble-relay now proxies the GRPC context to its servers. (#12865, @nathanjsweet)
  • Valid CNP and CCNP 'matchLabel' values must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. (#12117, @aanm)
  • Various other bugfixes already included in v1.8.5 or earlier releases

CI Changes:

Misc Changes:
