diff --git a/.github/cilium-actions.yml b/.github/cilium-actions.yml
index e0ad3382692c..4014c05e0a88 100644
--- a/.github/cilium-actions.yml
+++ b/.github/cilium-actions.yml
@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/137"
+project: "https://github.com/cilium/cilium/projects/140"
 column: "In progress"
 auto-label:
 - "kind/backports"
diff --git a/.mailmap b/.mailmap
index 5a5f855a5d2d..8e1e6cfd02fd 100644
--- a/.mailmap
+++ b/.mailmap
@@ -34,6 +34,7 @@ Junli Ou
 Karl Heins
 Liu Qun
 Madhu Challa
+Mandar U Jog
 Matthew Gumport
 Michael Vorburger
 Peiqi Shi
diff --git a/AUTHORS b/AUTHORS
index 1ec4a98d1736..2f9a1597ec1d 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -133,6 +133,7 @@ Madhu Challa madhu@cilium.io
 MaiReo sawako.saki@gmail.com
 Maksym Lushpenko iviakciivi@gmail.com
 Manali Bhutiyani manali@covalent.io
+Mandar U Jog mjog@google.com
 Manuel Buil mbuil@suse.com
 Marcin Skarbek git@skarbek.name
 Marius Gerling marius.gerling@uniberg.com
@@ -173,6 +174,7 @@ Peter Slovak slovak.peto@gmail.com
 Philippe Lafoucrière philippe.lafoucriere@gmail.com
 Philipp Gniewosz philipp.gniewosz@posteo.de
 Pierre-Yves Aillet pyaillet@users.noreply.github.com
+Pranavi Roy pranvyr@gmail.com
 Qasim Sarfraz qasim.sarfraz@esailors.de
 Quentin Monnet quentin@isovalent.com
 Raghu Gyambavantha raghug@bld-ml-loan4.olympus.f5net.com
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2836a9d345a7..8245d3f06f4e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,92 @@
 # Changelog
+## v1.9.1
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* bpf: add metrics for fragmented ipv4 packets (Backport PR #14088, Upstream PR #13347, @jibi)
+* helm: Add extraConfig in configmap template (Backport PR #14270, Upstream PR #14077, @michi-covalent)
+* helm: Correct nodeSelector values (Backport PR #14212, Upstream PR #14104, @sayboras)
+* helm: fix usage of `hostPath` and add `hostPathType` in `extraHostPathMounts` (Backport PR #14212, Upstream PR #14134, @errordeveloper)
+* install: Disable operator HA for quick/experimental install YAMLs (Backport PR #14116, Upstream PR #14102, @joestringer)
+* k8s: update k8s libraries to 1.19.4 (#14033, @aanm)
+* node: Handle arpinging when remote node is in different L2 (Backport PR #14246, Upstream PR #14201, @brb)
+
+**Bugfixes:**
+* bpf: Don't compile unused BPF sections (Backport PR #14212, Upstream PR #14141, @pchaigno)
+* ctmap: GC orphan SNAT entries (Backport PR #14060, Upstream PR #13912, @brb)
+* Fix bug where Cilium on smaller instance types cannot allocate IPs (Backport PR #14060, Upstream PR #13865, @christarazi)
+* Fix etcd's auth token invalid after watch reconnects (Backport PR #14270, Upstream PR #14238, @aanm)
+* Fixed Goroutine leak for unresponded ARP pings. (Backport PR #14246, Upstream PR #14222, @jrajahalme)
+* FQDN rule restoration IP limit has been made configurable (`--tofqdns-max-ips-per-restored-rule`, default 1000). (Backport PR #14060, Upstream PR #13992, @jrajahalme)
+* fqdn: Delay ipcache upserts until policies have been updated (Backport PR #14212, Upstream PR #14110, @jrajahalme)
+* hubble/parser: Always preserve datapath numeric identity (Backport PR #14212, Upstream PR #14090, @gandro)
+* kpr: ensure DirectRoutingDevice is in devices (Backport PR #14246, Upstream PR #14054, @kkourt)
+* metricsmap: fix Prometheus exporter (Backport PR #14270, Upstream PR #14220, @jibi)
+* Trim spaces from loadBalancerSourceRanges when parsing its values.
(Backport PR #14060, Upstream PR #13996, @aanm)
+
+**CI Changes:**
+* .travis: Run race detection builds on master commits only (Backport PR #14270, Upstream PR #14189, @pchaigno)
+* build, ci: extend API checks to include Hubble API (Backport PR #14116, Upstream PR #14091, @tklauser)
+* checkpatch: update image tag to latest (Backport PR #14060, Upstream PR #13976, @qmonnet)
+* checkpatch: update image tag to latest (Backport PR #14212, Upstream PR #14135, @qmonnet)
+* ci/helpers: Delete CRDs in CleanupCiliumComponents (Backport PR #14246, Upstream PR #14187, @gandro)
+* ci: log in to docker in vagrant boxes (Backport PR #14060, Upstream PR #13969, @nebril)
+* daemon: Fix netns usage in kpr privileged unit tests (Backport PR #14212, Upstream PR #14171, @brb)
+* Revert commits that skip running tests on CI with EKS (Backport PR #14088, Upstream PR #13961, @christarazi)
+* test: Avoid installing Cilium for K8sBandwidth if tests are skipped (Backport PR #14212, Upstream PR #14185, @pchaigno)
+* test: Avoid use of install with NFS (Backport PR #14212, Upstream PR #14191, @pchaigno)
+* test: Bump migrate-svc-test image (Backport PR #14060, Upstream PR #14044, @brb)
+* test: Don't wait for network to schedule test-verifier (Backport PR #14116, Upstream PR #14074, @pchaigno)
+* test: Switch from Cilium test logger to Ginkgo (Backport PR #14060, Upstream PR #13754, @manuelbuil)
+* test: Use NFS by default in test VMs (Backport PR #14212, Upstream PR #13983, @pchaigno)
+
+**Misc Changes:**
+* Add Registry Credentials to Tests (Backport PR #14010, Upstream PR #13959, @nathanjsweet)
+* Added new Cilium agent option --debug-verbose=policy to log policy map updates.
(Backport PR #14212, Upstream PR #14112, @jrajahalme)
+* bpf: don't override DROP_FRAG_NOT_FOUND error (Backport PR #14088, Upstream PR #13936, @jibi)
+* bpf: Fix IS_BPF_HOST macro (Backport PR #14270, Upstream PR #14255, @pchaigno)
+* bpf: Fix program size issue with host firewall in IPv4-only mode (Backport PR #14246, Upstream PR #14232, @pchaigno)
+* bpf: revert changes to metrics directions contants (Backport PR #14246, Upstream PR #14217, @jibi)
+* bugtool: Add lsmod (Backport PR #14212, Upstream PR #14145, @joestringer)
+* ci/github: Replace set-env command by echo command (Backport PR #14060, Upstream PR #14053, @sayboras)
+* cilium: disable bind-protection in kube-proxy free probe mode (Backport PR #14212, Upstream PR #14182, @borkmann)
+* cilium: fix redirect limits on multi dev case (Backport PR #14060, Upstream PR #13884, @borkmann)
+* contrib: Add script to bump stable docker image tags (Backport PR #14088, Upstream PR #13364, @joestringer)
+* dnsproxy: print total number of rules if too many (Backport PR #14060, Upstream PR #13991, @kkourt)
+* doc/hubble-internals: update Hubble Relay section to reflect current state (Backport PR #14060, Upstream PR #14042, @Rolinh)
+* doc: Link hubble metrics to L7 visibility (Backport PR #14212, Upstream PR #13923, @mandarjog)
+* docs: Correct typo in upgrade notes (Backport PR #14246, Upstream PR #14214, @sayboras)
+* docs: encryption: interface clarifications (Backport PR #14088, Upstream PR #13660, @kkourt)
+* docs: Fix helm install command in kubeadm getting started guide (Backport PR #14088, Upstream PR #14061, @pchaigno)
+* docs: Fix wording around labels configuration (Backport PR #14088, Upstream PR #14064, @joestringer)
+* docs: Improve visibility limitations docs (Backport PR #14116, Upstream PR #14073, @joestringer)
+* docs: Replace outdated backporting docs with link (Backport PR #14060, Upstream PR #13986, @twpayne)
+* fqdn: Fix confusion of ToFQDNs vs. DNS rules.
(Backport PR #14088, Upstream PR #14012, @jrajahalme)
+* fqdn: Fix unit test (Backport PR #14116, Upstream PR #14085, @jrajahalme)
+* helm/hubble-relay: fixed indentation error (Backport PR #14088, Upstream PR #14029, @PranaviRoy)
+* helm/hubble-ui: fixed ingress configuration on EKS clusters (Backport PR #14060, Upstream PR #14023, @mvisonneau)
+* helm: 'upgradeCompatibility' needs to be a string, not a float64 (Backport PR #14088, Upstream PR #14019, @mvisonneau)
+* helm: Fix description for clustermesh (Backport PR #14212, Upstream PR #14163, @joestringer)
+* Hubble-Relay: proxy metadata from originating client (Backport PR #14060, Upstream PR #13994, @nathanjsweet)
+* Improve the Helm readme (Backport PR #14116, Upstream PR #14083, @joestringer)
+* Improve the Helm readme (Backport PR #14139, Upstream PR #14083, @joestringer)
+* ipam: Remove unnecessary deep copies (Backport PR #14116, Upstream PR #14078, @christarazi)
+* kvstore: add tests for etcd ratelimiter implementation (Backport PR #14116, Upstream PR #14063, @fristonio)
+* Log host routing fallback & document kernel requirement (Backport PR #14270, Upstream PR #14263, @pchaigno)
+* Mention kernel MTU bug in IPv4 fragmentation document (Backport PR #14088, Upstream PR #14030, @liuyuan10)
+* metrics: add cilium_datapath_nat_gc_entries (Backport PR #14116, Upstream PR #12832, @ArthurChiao)
+* node: Fix ineffectual assignment (Backport PR #14270, Upstream PR #14256, @brb)
+* node: Misc neighbor related changes (Backport PR #14116, Upstream PR #14070, @brb)
+* test: use kubectl helper for cilium cleanup in upgrade tests (Backport PR #14212, Upstream PR #14165, @fristonio)
+* Update troubleshooting docs for cilium-sysdump (Backport PR #14139, Upstream PR #14111, @christarazi)
+
+**Other Changes:**
+* Fix potential panic in Hubble when applying time range on non-flow events, e.g. LostEvent. (#14197, @tklauser)
+* v1.9: Update Go to 1.15.5 (#14014, @tklauser)
+
 ## v1.9.0
 Summary of Changes
diff --git a/Documentation/concepts/kubernetes/compatibility-table.rst b/Documentation/concepts/kubernetes/compatibility-table.rst
index ab815665f60a..dd7a3acd72fa 100644
--- a/Documentation/concepts/kubernetes/compatibility-table.rst
+++ b/Documentation/concepts/kubernetes/compatibility-table.rst
@@ -76,6 +76,8 @@
 +-----------------+----------------+
 | v1.7.11 | 1.18.1 |
 +-----------------+----------------+
+| v1.7.12 | 1.18.1 |
++-----------------+----------------+
 | v1.7 | 1.18.1 |
 +-----------------+----------------+
 | v1.8.0-rc1 | 1.19 |
@@ -98,6 +100,8 @@
 +-----------------+----------------+
 | v1.8.5 | 1.21.2 |
 +-----------------+----------------+
+| v1.8.6 | 1.21.2 |
++-----------------+----------------+
 | v1.8 | 1.21.2 |
 +-----------------+----------------+
 | v1.9.0-rc0 | 1.22.1 |
@@ -110,6 +114,8 @@
 +-----------------+----------------+
 | v1.9.0 | 1.22.3 |
 +-----------------+----------------+
+| v1.9.1 | 1.22.3 |
++-----------------+----------------+
 | v1.9 | 1.22.3 |
 +-----------------+----------------+
 | latest / master | 1.22.3 |
diff --git a/VERSION b/VERSION
index f8e233b27332..9ab8337f3962 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.9.0
+1.9.1
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
index 3cef6ed3cf9c..a1c02f0fcaff 100644
--- a/install/kubernetes/cilium/Chart.yaml
+++ b/install/kubernetes/cilium/Chart.yaml
@@ -2,10 +2,10 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.9.0
-appVersion: 1.9.0
+version: 1.9.1
+appVersion: 1.9.1
 kubeVersion: ">= 1.12.0-0"
-icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.9.0/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.9.1/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
 keywords:
 - BPF
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index 49ffb33612b6..dc2b145a8590 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.9.0](https://img.shields.io/badge/Version-1.9.0-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
+![Version: 1.9.1](https://img.shields.io/badge/Version-1.9.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help.
 | cluster.id | int | `nil` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh. |
 | clustermesh.apiserver.etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.4.13"}` | Clustermesh API server etcd image. |
-| clustermesh.apiserver.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.9.0"}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.9.1"}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.replicas | int | `1` | Number of replicas run for the clustermesh-apiserver deployment. |
@@ -167,7 +167,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.metricsServer | string | `""` | |
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
-| hubble.relay.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.9.0"}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.9.1"}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -208,7 +208,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.0"}` | Agent container image. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.1"}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | installIptablesRules | bool | `true` | |
 | ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent |
@@ -264,7 +264,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraInitContainers | list | `[]` | Additional InitContainers to initialize the pod |
 | operator.identityGCInterval | string | `"15m0s"` | |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | |
-| operator.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","tag":"v1.9.0"}` | cilium-operator image. |
+| operator.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","tag":"v1.9.1"}` | cilium-operator image. |
 | operator.nodeSelector | object | `{}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
 | operator.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -288,7 +288,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | object | `{}` | |
 | preflight.extraHostPathMounts | list | `[]` | |
 | preflight.extraInitContainers | list | `[]` | |
-| preflight.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.0"}` | Cilium pre-flight image. |
+| preflight.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.1"}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget | object | `{"enabled":true,"maxUnavailable":2}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 224f4eb7e94f..4750db587005 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -67,7 +67,7 @@ name: cilium
 # -- Agent container image.
 image:
 repository: quay.io/cilium/cilium
- tag: v1.9.0
+ tag: v1.9.1
 pullPolicy: IfNotPresent
 # -- Pod affinity for cilium-agent.
@@ -539,7 +539,7 @@ hubble:
 # -- Hubble-relay container image.
 image:
 repository: quay.io/cilium/hubble-relay
- tag: v1.9.0
+ tag: v1.9.1
 pullPolicy: IfNotPresent
 # -- Specifies the resources for the hubble-relay pods
@@ -1049,7 +1049,7 @@ operator:
 # -- cilium-operator image.
 image:
 repository: quay.io/cilium/operator
- tag: v1.9.0
+ tag: v1.9.1
 pullPolicy: IfNotPresent
 # -- Number of replicas to run for the cilium-operator deployment
@@ -1254,7 +1254,7 @@ preflight:
 # -- Cilium pre-flight image.
 image:
 repository: quay.io/cilium/cilium
- tag: v1.9.0
+ tag: v1.9.1
 pullPolicy: IfNotPresent
 priorityClassName: ""
@@ -1362,7 +1362,7 @@ clustermesh:
 # -- Clustermesh API server image.
 image:
 repository: quay.io/cilium/clustermesh-apiserver
- tag: v1.9.0
+ tag: v1.9.1
 pullPolicy: IfNotPresent
 etcd:
diff --git a/install/kubernetes/experimental-install.yaml b/install/kubernetes/experimental-install.yaml
index 169b81e0b89e..2012e5c9b07d 100644
--- a/install/kubernetes/experimental-install.yaml
+++ b/install/kubernetes/experimental-install.yaml
@@ -797,7 +797,7 @@ spec:
 key: custom-cni-conf
 name: cilium-config
 optional: true
- image: quay.io/cilium/cilium:v1.9.0
+ image: quay.io/cilium/cilium:v1.9.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 postStart:
@@ -868,7 +868,7 @@ spec:
 key: wait-bpf-mount
 name: cilium-config
 optional: true
- image: quay.io/cilium/cilium:v1.9.0
+ image: quay.io/cilium/cilium:v1.9.1
 imagePullPolicy: IfNotPresent
 name: clean-cilium-state
 securityContext:
@@ -1016,7 +1016,7 @@ spec:
 key: debug
 name: cilium-config
 optional: true
- image: quay.io/cilium/operator-generic:v1.9.0
+ image: quay.io/cilium/operator-generic:v1.9.1
 imagePullPolicy: IfNotPresent
 name: cilium-operator
 livenessProbe:
@@ -1080,7 +1080,7 @@ spec:
 topologyKey: "kubernetes.io/hostname"
 containers:
 - name: hubble-relay
- image: quay.io/cilium/hubble-relay:v1.9.0
+ image: quay.io/cilium/hubble-relay:v1.9.1
 imagePullPolicy: IfNotPresent
 command:
 - hubble-relay
diff --git a/install/kubernetes/quick-install.yaml b/install/kubernetes/quick-install.yaml
index 5650aca849dc..ad08ec277644 100644
--- a/install/kubernetes/quick-install.yaml
+++ b/install/kubernetes/quick-install.yaml
@@ -469,7 +469,7 @@ spec:
 key: custom-cni-conf
 name: cilium-config
 optional: true
- image: quay.io/cilium/cilium:v1.9.0
+ image: quay.io/cilium/cilium:v1.9.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 postStart:
@@ -532,7 +532,7 @@ spec:
 key: wait-bpf-mount
 name: cilium-config
 optional: true
- image: quay.io/cilium/cilium:v1.9.0
+ image: quay.io/cilium/cilium:v1.9.1
 imagePullPolicy: IfNotPresent
 name: clean-cilium-state
 securityContext:
@@ -663,7 +663,7 @@ spec:
 key: debug
 name: cilium-config
 optional: true
- image: quay.io/cilium/operator-generic:v1.9.0
+ image: quay.io/cilium/operator-generic:v1.9.1
 imagePullPolicy: IfNotPresent
 name: cilium-operator
 livenessProbe: