@tgraf tgraf released this Jul 24, 2017 · 4381 commits to master since this release

Assets 4

Major features

  • CIDR based filter for ingress and egress (#886)
  • New simplified encapsulation mode. No longer requires any network
    configuration, the IP of the VM/host is automatically used as tunnel
    endpoint across the mesh. There is no longer a need to configure any routes
    for the container prefixes in the cloud network or the underlying fabric.
    The node prefix to node ip mapping is automatically derived from the
    Kubernetes PodCIDR (#1020, #1013, #1039)
  • When accessing external networks, outgoing traffic is automatically
    masqueraded without requiring to install a masquerade rule manually.
    This behaviour can be disabled with --masquerade=false (#1020)
  • Support to handle arbitrary IPv4 cluster prefix sizes. This was previously
    required to be a /8 prefix. It can now be specified with
    --ipv4-cluster-cidr-mask-size (#1094)
  • Cilium monitor has been enabled with a neat one-liner mode which is on by
    default. It is similar to tcpdump but provides high level metadata such as
    container IDs, endpoint IDs, security identities (#1112)
  • The agent policy repository now includes a revision which is returned after each
    change of the policy. A new command cilium policy wait and be used to wait
    until all endpoints have been updated to enforce the new policy revision
  • cilium endpoint get now supports get -l <set of labels> and get <endpointID | pod-name:namespace:k8s-pod | container-name:name> (#1139)
  • Improve label source concept. Users can now match the source of a
    particular label (e.g. k8s:app=foo, container:app=foo) or match on any
    source (e.g. app=foo, any:app=foo) (#905)


  • CoreOS installation guide


  • Add support for CNI 0.2.x spec (#1036)
  • Initial support for Mesos labels (#1126)


  • Drop support for extensions/v1beta1/NetworkPolicy and support
    networking.k8s.io/v1/NetworkPolicy (#1150)
  • Allow fine grained inter namespace policy control. It is now possible to
    specify policy rules which allow individual pods from another namespace to
    access a pod (#1103)
  • The CiliumNetworkPolicy ThirdPartyResource now supports carrying a list of
    rules to update atomically (#1055)
  • The example DaemonSet now schedules Cilium pods onto nodes which are not
    ready to allow deploying Cilium on a cluster with a non functional CNI
    configuration. The Cilium pod will automatically configure CNI properly.
  • Automatically derive node address prefix from Kubernetes (PodCIDR) (#1026)
  • Automatically install CNI loopback driver if required (#860)
  • Do not overwrite existing 10-cilium.conf CNI configuration if it already
    exists (#871)
  • Full RBAC support (#873, #875)
  • Correctly implement ClusterIP portion of k8s service types LoadBalancer and
    NodePort (#1098)
  • The cilium and consul pod in the example DaemonSet now have health checks
    (#925, #938)
  • Correctly ignore headless services without a warning in the log (#932)
  • Derive node-name automatically (#1090)
  • Labels are now attached to endpoints instead of containers. This will allow
    to support labels attached to things other than containers (#1121)


  • Added Kubernetes getting started guide to CI test suite (#894)
  • L7 stress tests (#1108)
  • Automatically verify links documentation (#896)
  • Kubernetes multi node testing environment (#980)
  • Massively reduced build&test time (#982)
  • Gather logfiles on failure (#1017, #1045)
  • Guarantee isolation in between VMs for separate PRs CI runs (#1075)

More features

  • Cilium load balancer can now encapsulate packets and carry the service-ID in
    the packet (#912)
  • The filtering mechanism which decides which labels should be used for
    security identity determination now supports regular expressions (#918)
  • Extended logging information of L7 requests in proxy (#964, #973, #991,
    #998, #1002)
  • Improved rendering of cilium service list (#934)
  • Upgraded to etcd 3.2.1 (#959)
  • More factoring out of agent into separate packages (975, 985)
  • Reduced cgo usage (#1003, #1018)
  • Improve logging of BPF generation errors (#990)
  • cilium policy trace now supports verbose output (#1080)
  • Include bpf-map tool in cilium container image (#1088)
  • Carrying of security identities across the proxy (#1114)


  • Fixed use of IPv6 node addresses which are already configured on the
    systme (#819)
  • Enforce minimal etcd and consul versions (#911)
  • Connection tracking entries now get automatically cleaned if new policy no
    longer allows the connection (#794)
  • Report status message in cilium status if a component is in error state
  • Create L7 access log file if it does not exist (#881)
  • Report kernel/clang versions on compilation issues (#888)
  • Check that cilium binary is installed when agent starts up (#892)
  • Fix checksum error in service + proxy redirection (#1011)
  • Stricter connection tracking connection creation criteria (#1027)
  • Cleanup of leftover veth if endpoint setup failed midway (#1122)
  • Remove stale ids also from policy map (#1135)