We are pleased to release Cilium v1.9.10. This release updates Envoy to release 1.18.4 which fixes CVE-2021-32777, CVE-2021-32779, CVE-2021-32781 and CVE-2021-32778 and various other bugs reported on recent releases. For more details and details of other bugs fixed, see the description below.
Summary of Changes
Minor Changes:
- Cilium Envoy integration is updated to release 1.18.4. (#17201, @jrajahalme)
Bugfixes:
- Add '*.mesh.cilium.io' to the list of SANs for the server certificate of 'clustermesh-apiserver'. (Backport PR #17120, Upstream PR #17027, @bmcustodio)
- Fix a crash where user specifies incorrect service name in a local redirect policy config, or policy selected service is added after the policy is added. (Backport PR #17175, Upstream PR #16216, @aditighag)
- Fix Linux slave interface detection (Backport PR #17175, Upstream PR #17189, @pchaigno)
- routing: Fix incorrect interface selection for egress pod routes (Backport PR #17175, Upstream PR #17169, @pchaigno)
CI Changes:
- bpf: remove bandwidth manager from 5.4 MAX_BASE_OPTIONS (#16924, @jibi)
- ci: Fix local files chmod in test vagrantfile (Backport PR #17016, Upstream PR #15397, @nebril)
- hubble/relay: Fix close of closed channel in unit test (Backport PR #16994, Upstream PR #16958, @gandro)
- node-neigh: Wait instead of sleeping in unit tests (Backport PR #17120, Upstream PR #17035, @aanm)
- test: Fix artifact collection for bad log failures (Backport PR #16949, Upstream PR #16489, @pchaigno)
- test: Fix artifact collection for FQDN matchPattern test (Backport PR #16949, Upstream PR #16759, @pchaigno)
- test: Fix missing artifacts for tests with parentheses (Backport PR #16949, Upstream PR #16540, @pchaigno)
- vagrant: Bump all Vagrant box versions (Backport PR #17016, Upstream PR #16589, @pchaigno)
Misc Changes:
- .github: add MLH config for flake tracking (#17042, @aanm)
- backporting: Suggest only one related commit for a backport (Backport PR #17012, Upstream PR #16907, @joestringer)
- build(deps): bump 8398a7/action-slack from 3.9.1 to 3.9.2 (#16996, @dependabot[bot])
- build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 (#17248, @dependabot[bot])
- build(deps): bump docker/build-push-action from 2.6.1 to 2.7.0 (#17198, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.4.0 to 1.4.1 (#16957, @dependabot[bot])
- contrib: Explicitly set remote for backport branches (Backport PR #16949, Upstream PR #16804, @twpayne)
- contrib: Improve release script guard rails (Backport PR #16994, Upstream PR #16936, @joestringer)
- docs: Clarify SA target in KPR gsg (Backport PR #17012, Upstream PR #16954, @brb)
- docs: improve the bandwidth manager page (Backport PR #16994, Upstream PR #16783, @bmcustodio)
- Misc. GH workflow improvements and hardness (Backport PR #16961, Upstream PR #16908, @aanm)
- Restrict Kubernetes access for hubble-relay (Backport PR #16994, Upstream PR #16937, @jonkerj)
- update Cilium base images (#17208, @aanm)
- v1.9: Update cilium base images (#17267, @joestringer)
- v1.9: Update Go to 1.15.15 (#17133, @tklauser)
Other Changes:
- github: fix GH workflows to handle push events to stable branches (#16980, @aanm)
- install: Update image digests for v1.9.9 (#16934, @joestringer)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.9.10@sha256:e249feb8ffcb2de24f7d7d691181d543c0d34a8d28f8617ed17ed5f933a08fed
quay.io/cilium/cilium:v1.9.10@sha256:e249feb8ffcb2de24f7d7d691181d543c0d34a8d28f8617ed17ed5f933a08fed
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.9.10@sha256:b991551eafe9267f07abe94e19c74fc21acbf20c935ceb9f12b6714c9a93e585
quay.io/cilium/clustermesh-apiserver:v1.9.10@sha256:b991551eafe9267f07abe94e19c74fc21acbf20c935ceb9f12b6714c9a93e585
docker-plugin
docker.io/cilium/docker-plugin:v1.9.10@sha256:110cacee75eb10bd99083983ad77a5b4f6bb613a32ea428237ab827a5c905d29
quay.io/cilium/docker-plugin:v1.9.10@sha256:110cacee75eb10bd99083983ad77a5b4f6bb613a32ea428237ab827a5c905d29
hubble-relay
docker.io/cilium/hubble-relay:v1.9.10@sha256:f15bc1a1127be143c957158651141443c9fa14683426ef8789cf688fb94cae55
quay.io/cilium/hubble-relay:v1.9.10@sha256:f15bc1a1127be143c957158651141443c9fa14683426ef8789cf688fb94cae55
operator-aws
docker.io/cilium/operator-aws:v1.9.10@sha256:7c11ce73da73a580de712ddf96529cdf4fc2c882814243a1c045b586f58be844
quay.io/cilium/operator-aws:v1.9.10@sha256:7c11ce73da73a580de712ddf96529cdf4fc2c882814243a1c045b586f58be844
operator-azure
docker.io/cilium/operator-azure:v1.9.10@sha256:46c98ceb5fed0bd899eef8b1bc87e50c124fe48caee601b6a066e6c9f2ff1cfa
quay.io/cilium/operator-azure:v1.9.10@sha256:46c98ceb5fed0bd899eef8b1bc87e50c124fe48caee601b6a066e6c9f2ff1cfa
operator-generic
docker.io/cilium/operator-generic:v1.9.10@sha256:e0b265f5a739f55c463ac6a09f63bb3cc374599de597eb85b64518d02ccde777
quay.io/cilium/operator-generic:v1.9.10@sha256:e0b265f5a739f55c463ac6a09f63bb3cc374599de597eb85b64518d02ccde777
operator
docker.io/cilium/operator:v1.9.10@sha256:52a75724a2d6ddbb53b7512b105db98a2eb6868578a1d462bbb8041c23b381e7
quay.io/cilium/operator:v1.9.10@sha256:52a75724a2d6ddbb53b7512b105db98a2eb6868578a1d462bbb8041c23b381e7