1.10.9

We are pleased to release Cilium v1.10.9.

Summary of Changes

Important Bugfixes

• Prevent unmanaged pods in GKE's containerd flavors. (Backport PR #18835, Upstream PR #18486, @bmcustodio)
  Important: Users should update their node taints from node.cilium.io/agent-not-ready=true:NoSchedule to node.cilium.io/agent-not-ready=true:NoExecute.
  Important: During the first node reboot after the fix is applied pods may still get IPs from the default CNI as cilium-node-init is only run later in the node startup process. The fix will then be in place for all subsequent reboots.
• Clarify taint effects in the documentation. (Backport PR #19236, Upstream PR #19186, @bmcustodio)

Minor Changes:

• Adds support to connect Clustermesh clusters through Helm Chart. (Backport PR #18918, Upstream PR #17851, @samueltorres)
• docs: update Azure Service Principal / IPAM documentation (Backport PR #19023, Upstream PR #18891, @nbusseneau)

Bugfixes:

• Fix 'node-init' in GKE's 'cos' images. (Backport PR #19062, Upstream PR #19017, @bmcustodio)
• Fix concurrency issue while waiting for node-init DaemonSet to be ready (Backport PR #19062, Upstream PR #18897, @aanm)
• Fix connectivity outage periods with ENI IPAM mode and IPsec enabled when nodes are deleted from the cluster (Backport PR #19023, Upstream PR #18827, @christarazi)
• Fix IPsec in Azure's IPAM mode (Backport PR #19023, Upstream PR #18911, @pchaigno)
• Fix issue where StatefulSet pod restarts could trigger persistent connectivity issues for the pods due to overzealous CiliumEndpoint resource removal by cilium-agent instances (Backport PR #19127, Upstream PR #18864, @timoreimann)
• hubble: Added nil check in filterByTCPFlags() to avoid segfault (Backport PR #19023, Upstream PR #18877, @wazir-ahmed)
• ipam/crd: Fix spurious "Unable to update CiliumNode custom resource" failures in cilium-agent (Backport PR #19062, Upstream PR #17856, @gandro)

CI Changes:

• Fix EncryptStatusSuite.TestCountUniqueIPsecKeys (Backport PR #19023, Upstream PR #18506, @tklauser)
• jenkinsfiles: bump runtime tests VM boot timeout (Backport PR #19023, Upstream PR #18886, @nbusseneau)

Misc Changes:

• Alibabacloud fixes (Backport PR #18835, Upstream PR #18762, @jaffcheng)
• bpf: avoid encrypt_key map lookup if IPsec is disabled (Backport PR #19062, Upstream PR #17840, @tklauser)
• build(deps): bump actions/cache from 2.1.7 to 3 (#19210, @dependabot[bot])
• build(deps): bump actions/checkout from 2.4.0 to 3 (#18993, @dependabot[bot])
• build(deps): bump actions/download-artifact from 2.1.0 to 3 (#19012, @dependabot[bot])
• build(deps): bump actions/setup-go from 2.2.0 to 3 (#18964, @dependabot[bot])
• build(deps): bump actions/upload-artifact from 2.3.1 to 3 (#19028, @dependabot[bot])
• build(deps): bump docker/build-push-action from 2.9.0 to 2.10.0 (#19147, @dependabot[bot])
• build(deps): bump docker/login-action from 1.13.0 to 1.14.0 (#18968, @dependabot[bot])
• build(deps): bump docker/login-action from 1.14.0 to 1.14.1 (#18994, @dependabot[bot])
• build(deps): bump golangci/golangci-lint-action from 2.5.2 to 3 (#18949, @dependabot[bot])
• build(deps): bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (#18967, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from 1.5.0 to 1.5.1 (#18950, @dependabot[bot])
• docs: fix tip about opening the Hubble server port on all nodes (Backport PR #19062, Upstream PR #19036, @rolinh)
• docs: Remove trailing step in AWS helm install (Backport PR #19023, Upstream PR #18893, @joestringer)
• helm: Enable offline deployments for OpenShift clusters (Backport PR #18918, Upstream PR #18849, @nathanjsweet)
• pkg/maps: Fix data races around accessing nat maps (Backport PR #19023, Upstream PR #18952, @aditighag)
• v1.10: Update Go to 1.16.15 (#19060, @tklauser)

Other Changes:

• install: Update image digests for v1.10.8 (#18926, @joestringer)
• v1.10: Update Cilium runtime dependencies (#19178, @joestringer)