Release 1.11.0 · cilium/cilium

The Cilium core team are excited to announce the Cilium 1.11 release. A total of 1395 new commits have been contributed to this release by a growing community of over 350 developers. 🎉

OpenTelemetry Support: Ability to export Hubble's L3-L7 observability data in OpenTelemetry tracing and metrics format
Simplified Policy to the Kubernetes API server: New policy entity for hassle-free policy modeling of communication from/to the Kubernetes API server.
Topology Aware Load-Balancing: Enhanced load-balancing with support for topology-aware hints to route traffic to the closest endpoint, or to keep traffic within a region.
BGP Pod CIDR Announcement: Advertise PodCIDR IP routes to your network using BGP.
Graceful Service Backend Termination: Support for graceful connection termination in order to drain network traffic when load-balancing to workloads and Pods that are being terminated.
Host Firewall Promotion: Host firewall functionality has been promoted to stable and is ready for production use.
Improved Load Balancer Scalability: Cilium load balancing now supports more than 64K backend endpoints.
Improved Load Balancer Device Support: The accelerated XDP fast-path for load-balancing can now be used with bonded devices and more generally also in multi-device setups.
Compatibility of kube-proxy Replacement with Istio: Cilium's kube-proxy replacement mode is now compatible with Istio sidecar deployments.
Egress Gateway Improvements: Enhancements to the egress gateway functionality, including support for additional datapath modes.
Managed Neighbor Discovery: Extensions to both the Linux kernel as well as Cilium's load-balancer in order to remove its internal ARP library and delegate the next hop discovery for IPv4 and now also IPv6 nodes to the kernel.
Simplified Device Detection: Improved user experience for multi-device setups with Cilium through route-based auto-detection of external-facing network devices.
Cgroup v2 Enhancements: Enhancements to Cilium's kube-proxy replacement integration for runtimes operating in pure cgroup v2 mode as well as Linux kernel improvements for Kubernetes mixed mode cgroup v1/v2 environments.
Cilium Endpoint Slices: Cilium is now more efficient in CRD mode with its control-plane interactions with Kubernetes, enabling 1000+ node scalability in a way that previously required a dedicated etcd instance to manage.
MKE Integration: Support for Mirantis Kubernetes Engine.

Known issues

ToFQDN network policy statements may become ineffective for a pod after modifying a network policy that selects the pod, for instance denying traffic that should be allowed by a ToFQDN rule. The mitigation is to apply all policies first and then restart the Cilium agent or restart the affected pods. (#18023)

The summary of changes below reflect the diff between the last stable release v1.10.5 and tag v1.11.0.

Summary of Changes

Major Changes:

Add Kubernetes Service Topology Aware Hints (Backport PR #18027, Upstream PR #17929, @brb)
Add support for k8s 1.23.0 (Backport PR #18027, Upstream PR #18008, @aanm)
Cilium Envoy integration is updated to Envoy release 1.18.4 (#17236, @jrajahalme)
Cilium Istio integration is updated to Istio release 1.9.6. (#16766, @jrajahalme)
New performance benchmarks and tuning guide (#15943, @tgraf)
New CiliumEndpointSlice feature for better scalability in CRD-only clusters (#17658, @krishgobinath)
Add ICMP and ICMPv6 support for CNP and CCNP policies with a feature flag (#16516, @chez-shanpu)
Provide new installation steps to deploy Cilium in managed kubernetes providers (GKE, EKS, AKS) to allow scale up and down node pools. (#16631, @aanm)
Support policy matching against kube-apiserver entity (#17823, @christarazi)
Support graceful termination for service load-balancing such that active connections don't break when endpoints are deleted. (#17716, @aditighag)

Minor Changes:

allow-any-ingress and allow-remotehost-ingress are now used instead of allow-localhost-ingress in policy rule derivedFrom list when appropriate. (#16972, @jrajahalme)
Add flag to list all available configurations (#17303, @h3llix)
Add Helm option to disable registering CRD from Cilium Operator (#15655, @Fedosin)
Add validation of agent flag values for ConfigMap (#16014, @romanspb80)
Add WireGuard status to cilium encrypt. (#17684, @h3llix)
Add workload name and workload kind to slim api and hubble api (#16514, @sugangli)
Adds new Cilium subcommand: cilium encrypt status and cilium encrypt flush (#16770, @h3llix)
Auto discover ipv6-mcast-device if not provided (#16692, @sarveshr7)
Auto-detect Azure cloud name via IMDS (#16515, @ungureanuvladvictor)
Auto-mount bpf file-system from within Cilium DaemonSet and remove the requirement of having it mounted in the host. (#16656, @aanm)
AWS eni: Support Instance Metadata Service Version 2 (IMDSv2) (#15828, @Smana)
bpf: Derive host netns cookie via SO_NETNS_COOKIE (#17018, @brb)
Cilium Istio integration is updated to Istio release 1.10.3. (#17037, @jrajahalme)
cilium: Improve user experience of policy trace with regard to port a… (#15929, @Maddy007-maha)
cilium: Make CLI more graceful on environments with IPv6 disabled (#16168, @Maddy007-maha)
cleanup helm chart (#16896, @dungdm93)
crd: Add categories for cilium CRDs (#17162, @sayboras)
daemon: Add option --bpf-lb-external-clusterip (#15650, @joamaki)
daemon: Add wildcard support to --devices ("eth+") (#15697, @joamaki)
daemon: make consecutive quorum errors threshold configurable (#16885, @ArthurChiao)
daemon: Make L2 neighbor discovery configurable. (#16974, @bjhaid)
datapath,daemon: Enable multi-dev XDP (#17655, @brb)
datapath: Add a flag to set VXLAN and Geneve ports (#16874, @errordeveloper)
datapath: Add a new option to skip socket lb when in pod ns (#17154, @brb)
datapath: optionally disable SIP verification (#16134, @oblazek)
Detect devices from global unicast routes in addition to only looking for the device with the Kubernetes Node IP and the one with default route. This expands the set of devices used for kube-proxy replacement, host firewall and bandwidth manager and should reduce the need to specify devices manually. (#17219, @joamaki)
Display host firewall status in cilium status (#17165, @pchaigno)
doc: Add more generic install section for egress gateway guide (#16087, @tgraf)
doc: Reword some results (#15955, @tgraf)
doc: Update diagrams in benchmark report (#16063, @tgraf)
docs: Remove firewall hack for OKD GSG (#17924, @errordeveloper)
docs: Revert host firewall to beta for kube-proxy setups (#16149, @pchaigno)
Envoy is updated to release 1.18.3 (#17024, @jrajahalme)
Extend cilium config to expose all active configurations. Add subcommand cilium config get to get configurations from CLI (#16519, @h3llix)
feat: allow installing hubble ui as standalone (#17473, @eddycharly)
feat: generate tls certs for ui on helm install (#16601, @yandzee)
Fixes connectivity issues when kube-proxy replacement is enabled, caused by ineffective socket based load balancing (aka host reachable services) in the private cgroup namespace mode of container runtimes (e.g., docker cgroupv2 configuration). (#16259, @aditighag)
health: Add flag to set HTTP port (#16926, @errordeveloper)
helm: add back 'wellKnownIdentities' (#16142, @bmcustodio)
helm: Add support for disable-endpoint-crd option (#16226, @dntosas)
helm: Disable BPF masquerading in v1.10+ (#17824, @pchaigno)
helm: Disable the bandwidth manager by default (#16380, @pchaigno)
helm: Use batch/v1 apiVersion for CronJob in K8s 1.21+ (#16635, @gandro)
HTTP response access logs no longer contain the request headers, except for 'x-request-id', which is still included for request/response correlation purposes. (#16211, @jrajahalme)
Hubble logs for HTTP responses now include HTTP response headers. (#16013, @jrajahalme)
hubble/recorder: Extend the API to allow stopping a recording automatically (#16473, @gandro)
hubble: bump protoc{,-gen-go} and dependencies (#16915, @rolinh)
hubble: Hubble node_name field should contain cluster name (#15933, @Maddy007-maha)
images: Bump Hubble CLI to v0.8.0 (#15983, @gandro)
images: Bump Hubble CLI to v0.9.0 (Backport PR #18119, Upstream PR #18077, @gandro)
Improve Hubble memory usage and performance on decoding events (#17482, @tklauser)
install: Disable kube-proxy-replacement by default (#15422, @tgraf)
Make NodePort BPF to work on VLAN devices (#16772, @kvaster)
node-neigh: Locking, logging, misc improvements (#15783, @brb)
option: Rename egress gateway flag to enable-ipv4-egress-gateway (#17695, @pchaigno)
pkg/aws/eni: new subnet-ids parameter (#16119, @mvisonneau)
Pod L7 visibility annotations are now supported also when policy enforcement is enabled. (#16258, @jrajahalme)
Pod visibility annotations are now supported for Kafka and other policies implemented via Cilium Go extensions for Envoy. (#16935, @trvll)
Reduce bugtool memory usage (#17546, @tklauser)
Remove deprecated --update-ec2-apdater-limit-via-api option (#16374, @twpayne)
Remove deprecated code (#16502, @pchaigno)
Rename hostFirewall and mark stable (#17221, @pchaigno)
service: Always allocate higher ID for svc/backend (Backport PR #18119, Upstream PR #18113, @brb)
Skip iptables masquerading for packets destined to remote nodes (#16603, @pchaigno)
Store the previous Cilium's configuration options in the host (#16017, @aanm)
Support advertising Pod CIDRs via BGP (#16525, @christarazi)
Support EndpointSlices with BGP mode by updating MetalLB to v0.10.0 (#16524, @christarazi)
Support non-default Azure clouds (#16043, @ungureanuvladvictor)
Support TLS certificate auto-generation using certmanager (#17238, @dungdm93)
Use correct tolerations value when deploying cilium-operator via helm. (#15992, @michaelpetrov)
vendor: Update k8s dependencies and tests to 1.22.0-rc.0 (#16989, @nathanjsweet)
wireguard: Add fallback to userspace implementation (#17451, @gandro)
wireguard: Set wireguard and route MTU to detected MTU (#16020, @joamaki)

Bugfixes:

cluster-pool-ipv4-cidr and cluster-pool-ipv6-cidr options now accept string slices and not just string (#17780, @cndoit18)
Add '*.mesh.cilium.io' to the list of SANs for the server certificate of 'clustermesh-apiserver'. (#17027, @bmcustodio)
Adds an ACCEPT rule for untracked pkts in filter:CILIUM_OUTPUT (#17585, @Weil0ng)
Adds IPv6 support for generic-veth chaining plugin (#16041, @Weil0ng)
alibabacloud: fix race (#16175, @l1b0k)
bpf: exclude pod's reply traffic from egress gateway logic (#17869, @jibi)
bpf: fix hw_csum issue for icmp probe packets (#16604, @borkmann)
bpf: fix iptables masquerading for node -> remote pod traffic (#16136, @jibi)
bug/pkg/health: Fix Nil Address Issue in Node Update Mechanism (#17667, @nathanjsweet)
bugtool: fix data race occurring when running commands (#17916, @rolinh)
bugtool: fix IP route debug gathering commands (Backport PR #18076, Upstream PR #18059, @tklauser)
change log level for lock failed: endpoint is in the process of being removed (#16773, @humancalico)
Cilium Istio integration is updated to Istio release 1.10.4 (#17275, @jrajahalme)
cilium: Encryption EKS 4.14 kernel (default) fixes (#15867, @jrfastab)
daemon, node: Fix faulty router IP restoration logic (#16672, @christarazi)
daemon, node: Remove old, discarded router IPs from cilium_host (Backport PR #18076, Upstream PR #17762, @christarazi)
daemon: Ignore cilium_* interfaces when deriving NodePort device (#16104, @eyanulis)
daemon: require BPF masq to enable --install-no-conntrack-iptables-rules (#16085, @jibi)
datapath: Do not SNAT replies to outside (#17168, @brb)
datapath: panic explicitly when IP of direct-routing-device not found (#17064, @ArthurChiao)
datapath: Use TUNNEL_MODE as indicator for tunnel mode (#16328, @anfernee)
Define operator feature flags to allow the operator to register related CRDs. (#17772, @pchaigno)
DNS proxy is now more available during Cilium restarts, including upgrades. (#16391, @jrajahalme)
Drop a @ in clustermesh-apiserver helm chart (#15934, @anthr76)
egress gateway: fix non-tunnel (direct routing) mode (#17517, @kkourt)
egressgateway: Allow several CENPs with same egress IP (#17773, @pchaigno)
egressgateway: fix manager logic (Backport PR #18027, Upstream PR #17813, @jibi)
endpoint: trigger k8s sync controller on identity update (#16381, @jibi)
eni: Fix Cilium overallocating network interfaces (#15911, @gandro)
Envoy configuration is fixed to work also when IPv6 is disabled. (#17281, @rock-andy)
Envoy configuration with --proxy-prometheus-port is fixed. (#16834, @jrajahalme)
Envoy is updated to release 1.17.3 (#16102, @jrajahalme)
External Workloads service access is enabled again. (#16662, @jrajahalme)
Fix "unable to update ipcache map entry on pod add" harmless log warnings (#16286, @aanm)
Fix 5.10+ complexity issue with kubeProxyReplacement=disabled (#16084, @pchaigno)
Fix a crash where user specifies incorrect service name in a local redirect policy config, or policy selected service is added after the policy is added. (#16216, @aditighag)
Fix aws-cni integration where pods were not being scheduled (#15915, @aanm)
Fix bug where Cilium allocates a new router (cilium_host) IP upon node reboot, breaking connectivity especially with IPsec (#16307, @christarazi)
Fix bug where IP addresses of devices in unknown state are resolved as remote-node (#17418, @jibi)
Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (#16057, @christarazi)
Fix bug where the agents would silently skip all IPv6 masquerading due to an incorrect configuration. (#17906, @pchaigno)
Fix bug where timers used for retries sometimes fired immediately (#16955, @gandro)
Fix bug where users were unable to use node-selectors in the BGP configuration when using BGP support (#16341, @christarazi)
Fix bug with Helm chart where a user could not enable BGP and set Operator resources. (#16273, @rkage)
Fix identity leak via FQDN selectors (#17699, #17788, @joestringer)
Fix incorrect application of egress gateway policy to internal cluster traffic. Require a 5.2 kernel or later for the egress gateway policy feature. (#17639, @kkourt)
Fix incorrect packet path with IPsec and endpoint routes, which can cause incorrect policy drops. (#17000, @pchaigno)
Fix issue where generating Hubble certs were broken (#16509, @alex1989hu)
Fix issue where local host IPs may be briefly associated with the remote-node identity, causing policy drops when policy should allow traffic from the host. (#17836, @joestringer)
Fix Linux slave interface detection (#17189, @pchaigno)
Fix memory leak that can occur with the presence of FQDN policies (#17432, @aanm)
Fix several complexity and program size issues when only one of IPv4/IPv6 is enabled. (#17573, @pchaigno)
Fix transient policy deny during agent restart (#17115, @jaffcheng)
Fixed bug causing policy realization being skipped in some scenarios with endpoint identity churn. (#16271, @jrajahalme)
Fixes a bug where IPv6 pod CIDRs with leading zeros where not supported (#17707, @gandro)
Fixes an issue which can cause traffic to be dropped when running Cilium in ENI mode due to the presence of iptables rules left over by the AWS VPC CNI plugin. Notable features that could be impacted include the egress gateway functionality. (#17845, @bmcustodio)
Fixes for IPsec and endpoint routes (#17865, @kkourt)
Fixes out-of-sycn CEP update (#17001, @Weil0ng)
helm: Fix operator cloud image digests (Backport PR #18119, Upstream PR #18116, @joestringer)
helm: Fix patch failure when updating hubble-generate-certs (#16373, @gandro)
helm: upgrade envoy to v1.18.4 for hubble-ui (#17439, @geakstr)
hubble/recorder: Refactor service implementation to fix multiple races (#16472, @gandro)
hubble: Display proxy redirects in policy verdict events (#17411, @pchaigno)
hubble: Never fail with ErrInvalidRead (#17046, @michi-covalent)
Ignore K8s namespace events that have the same labels (#16268, @aanm)
install: Allow setting enable-health-check-nodeport to 'false' (#16323, @dctrwatson)
ipam/crd: Fix spurious "Unable to update CiliumNode custom resource" failures in cilium-agent (Backport PR #18027, Upstream PR #17856, @gandro)
ipam: fix crd mode (#16493, @joamaki)
ipsec: Fix logging of SPI after key rotations (#16557, @pchaigno)
ipsec: Fix off-by-one error on max keyID (#16647, @pchaigno)
iptables: Remove leading zeroes (#16817, @jrajahalme)
L7 proxy redirection on IPv6 ingress to a pod is fixed to properly update IPv6 hop limit. (#17718, @jrajahalme)
lbmap: fix deletion and recreation logic for maglev maps (#16850, @jibi)
loader: Revert incorrect initialization of endpoints in chaining mode (#16227, @pchaigno)
lrp: Skip clusterIP service restore in service delete callback (#16548, @aditighag)
node-init: cleanup snat iptables rules when running in eni mode with masquerading disabled (#16840, @bmcustodio)
node: Fix race condition on labels' getter/setter (#17217, @pchaigno)
node: Skip ipcache for remote node IPs if IPsec is enabled (#17511, @pchaigno)
Operator gc incluster identities only (#17589, @ArthurChiao)
operator: only GC identity keys of its own cluster (#16825, @ArthurChiao)
Optimize memory consumption for clusters with high number of repeated FQDN matchPattern or matchNames (#17224, @aanm)
Perform reverse NAT at host interface (#15354, @krishgobinath)
pkg/identity: Add missing labels to well-known identities (#16585, @mauriciovasquezbernal)
pkg/k8s: fix invalid memory address or nil pointer dereference (#17642, @aanm)
pkg/option: Fix default assignment of EnableWellKnownIdentities (#16434, @mauriciovasquezbernal)
Plumb Azure interface's VPC / primary CIDR and set it as native routing CIDR in Azure IPAM mode (#16696, @christarazi)
policy: Fix cilium policy trace output when only deny rules are applied (#16991, @chez-shanpu)
Potential deadlock in pod identity updates has been fixed. (#16529, #16801, @jrajahalme)
Prometheus lint errors in operator metrics (Backport PR #18076, Upstream PR #17789, @krishgobinath)
Remove node.cilium.io/agent-not-ready node taints if they are re-added after Cilium has started (#17112, @aanm)
Remove CiliumNode deletion logic from CiliumNode watcher and guarantee CiliumNode's OwnerReference is always set (#17329, @christarazi)
Remove previous PERM ARP entries installed by Cilium when kube-proxy-replacement and IPSec are disabled. (#16359, @aanm)
Removes cilium daemonset's dependencies on utilities like sh and mount having installed in the underlying host distributions. (#16815, @aditighag)
routing: Fix incorrect interface selection for egress pod routes (#17169, @pchaigno)
Set right User Agent in Kubernetes client for all Cilium components. (#17417, @aanm)
ui envoy: fix config to keep grpc conn (#15938, @geakstr)
wireguard: Fix traffic counters in cilium debuginfo (#16178, @gandro)

CI Changes:

.github/workflows: install ginkgo for test suite build test (#16605, @tklauser)
.github/workflows: use latest stable cilium-cli release (#16892, @tklauser)
.github/workflows: verify that each commit builds for test suite changes (#16556, @tklauser)
.github: AWS-CNI end-to-end test (#16365, @pchaigno)
.github: Bump CLI version to v0.6 (#15948, @joestringer)
.github: Cancel outdated GitHub workflows (#16199, @pchaigno)
.github: Capture hubble flows when smoke test fails (#16968, @christarazi)
.github: Disable flow validation in flaky tests (#16388, @pchaigno)
.github: do not useDigest in conformance tests (#16836, @aanm)
.github: Don't persist credentials in repository (#16052, @pchaigno)
.github: Don't run CodeQL for every master push (#16241, @pchaigno)
.github: Don't wait for GKE cluster cleanup (#16319, @pchaigno)
.github: Fix codeQL workflow skip logic (#17587, @joestringer)
.github: Fix concurrency group comment triggers (#16310, @pchaigno)
.github: Fix error triggered by large comments (#16360, @pchaigno)
.github: Fix scheduled end-to-end tests (#16274, @pchaigno)
.github: Fix smoke tests sysdump collection from failing prematurely (#17032, @christarazi)
.github: harden permissions on GH workflows (#16941, @aanm)
.github: Limit CodeQL workflow to .go files (#16389, @pchaigno)
.github: Set commit status to error when workflow are cancelled (#16155, @pchaigno)
.github: Skip unnecessary workflow steps (#16157, @pchaigno)
.github: Speed up cluster cleanups in end-to-end tests (#16207, @pchaigno)
.github: Test IPsec with high value for keyID (#16113, @pchaigno)
.github: Update docs workflow to checkout v2 (#16135, @pchaigno)
.travis.yml: Disable arm64-graviton2-race (#17650, @joamaki)
Add workflows for stable branches (#16944, @aanm)
aks: fix AKS cluster creation following new taint limitations (#17529, @nbusseneau)
aws: Disable flaky test (Backport PR #18109, Upstream PR #18092, @joestringer)
bpf/Makefile: Enable setting complexity options (#17364, @pchaigno)
bpf: Add WireGuard to complexity and compile tests (Backport PR #18076, Upstream PR #18048, @pchaigno)
bpf: Define EGRESS_MAP in dummy node_config.h (#17574, @pchaigno)
Bump cilium-cli to v0.8.4 (#16799, @tklauser)
checkpatch: update to lastest image to fix checkpatch exit status (#17450, @qmonnet)
CI, docs: remove libelf-dev from dependencies (#17687, @tklauser)
ci-gke: Add -v=6 for kubectl get pods (#15994, @michi-covalent)
ci-multicluster: Fix post-test information gathering (#16712, @gandro)
ci/conformance: Various image-related fixes (#16715, @gandro)
ci/multicluster: Test WireGuard in clustermesh (#17453, @gandro)
ci/wireguard: Ensure allowedIPs are set as expected (#16011, @gandro)
ci: add slack notification to GH actions (#16218, @nebril)
ci: Bump cilium-cli version (#16617, @nebril)
ci: Bump ubuntu-next image (#16865, @brb)
ci: Disable NFS locking (#16554, @gandro)
ci: fix sysdump path (#17455, @nebril)
ci: Restart pods when toggling KPR switch (Backport PR #18076, Upstream PR #18031, @brb)
ci: restart portmap service on CI nodes (#16506, @nebril)
ci: update CI Vagrant VM IP addresses (#17733, @nbusseneau)
ci: update CI Vagrant VM IP addresses (#17900, @nbusseneau)
ci: update cilium-cli to 0.9.1 (#17464, @nebril)
CI: update cilium-cli to v0.9.2 (#17706, @tklauser)
ci: update cilium-cli to v0.9.3 (#17834, @tklauser)
cicd: skip codesql on forks (#16560, @ldelossa)
conformance tests: Use hubble-relay-ci image (#16363, @michi-covalent)
connectivity-check: Reduce chances of port conflict with proxy (#15988, @pchaigno)
dependabot: re-enable Ginkgo updates (#17742, @tklauser)
docs: check updates for the Helm reference (#17613, @qmonnet)
ebpf unit testing (#16862, @xinyuannn)
ebpf unit testing -- handle tailcalls and support user-space map emulation (#17114, @xinyuannn)
Enable CiliumEndpointSlice feature testing on Kuberneres version 1.21 (#17698, @krishgobinath)
examples, connectivity-check, test: Use even-numbered nodePort (#16158, @christarazi)
Fix and add more commands in CI sysdumps (#16721, @aanm)
Fix Azure-related data races (#17054, @christarazi)
Fix kubectl CI flakiness (Backport PR #18109, Upstream PR #18087, @aanm)
github: Misc improvements for the L4LB test suite (#17005, @brb)
helm,test: Add standalone L4LB XDP tests in a form of Github Action (#16338, @brb)
hubble/relay: Fix close of closed channel in unit test (#16958, @gandro)
Improve ipsec compile-time testing in CI (#15872, @joestringer)
jenkins: switch runtime tests from 4.9 to net-next on master (#17186, @nbusseneau)
jenkinsfiles: fix race detector pipelines (#16056, @nbusseneau)
k8sT/Egress: fixes (#17581, @kkourt)
Make LRP restore test logic robust and optimized (#16194, @aditighag)
mlh: update Jenkins jobs following 1.22 support (#17721, @nbusseneau)
mlh: update Jenkins jobs following 1.23 support (#18069, @nbusseneau)
node-neigh: Fix concurrent arping update unit test flake (#16578, @brb)
node-neigh: Fix unit test flake (#16072, @brb)
node-neigh: Wait instead of sleeping in unit tests (#17035, @aanm)
node: fix arpping test (#16432, @jibi)
NodePort health checks should be disabled when kube-proxy is installed (#16477, @pchaigno)
Pick up cilium-cli v0.8.2 (#16650, @michi-covalent)
Pick up cilium-cli v0.8.3 (#16689, @michi-covalent)
Pinned docker images by SHA within GitHub actions. (#17739, @nathan-415)
Quarantine frequent failures (Backport PR #18076, Upstream PR #18051, @joestringer)
rate: fix TestStressRateLimiter when run with race detector (#16262, @tklauser)
Remove tests/ and examples/demo/ (#17003, @brb)
Revert ".github: Create lint-rst.yaml" (#16786, @bmcustodio)
Revert "ci: update CI Vagrant VM IP addresses" (#17898, @ti-mo)
Switch ginkgo upgrade testing to upgrade from v1.10->latest (#16483, @joestringer)
test/Bookinfo: Collect full artifact in case of failure (#16775, @pchaigno)
test/contrib: Bump CoreDNS version to 1.8.3 (Backport PR #18109, Upstream PR #18018, @brb)
test/helpers: add the json output debug in case of failure (#17070, @aanm)
test/helpers: Fail test on errors (#16395, @pchaigno)
test/helpers: Fix incorrect count of endpoints (#16437, @pchaigno)
test/helpers: Fix panic due to missing CEP status (#16443, @pchaigno)
test/helpers: Save JSON artifacts as .json (#16442, @pchaigno)
test/K8sBookInfo: Readiness probes for test pods (#16869, @pchaigno)
test/K8sVerifier: Cover several datapath configurations (#17470, @pchaigno)
test/runtime: Look into log errors after test start (#17351, @joamaki)
test/runtime: Wait for endpoints to be ready before querying by labels (#15990, @pchaigno)
test: 5.4 CI job (#15765, @pchaigno)
test: Add klog lock error to allow-list (#16698, @pchaigno)
test: Adds test for BPF NAT engine handles unknown protocol packets (#15914, @navarrothiago)
test: bump coredns version to 1.7.0 (#17489, @aanm)
test: Clean up hubble-ui clusterrole (#17702, @aditighag)
test: Debug kubectl.GetPrivateIface failure (#16863, @pchaigno)
test: Debug IPsec test (#16700, @pchaigno)
test: Delete DNS pods in AfterAll for datapath tests (#16835, @joestringer)
test: Delete Istio resources if install does not complete (#16440, @jrajahalme)
test: Do not require netpols in 'waitNextPolicyRevisions()' (#17769, @jrajahalme)
test: do not useDigest in upstream tests (#16886, @aanm)
test: Don't pass namespace for CCNPs (#16768, @pchaigno)
test: Don't skip encapsulation tests on GKE (#16627, @pchaigno)
test: Enable verbose policy logs to help debug flake (#16748, @pchaigno)
test: Extend coredns clusterrole with additional resource permissions (Backport PR #18109, Upstream PR #18104, @aditighag)
test: Extend the clusterIP tests with policy (#15928, @aditighag)
test: Fix artifact collection for bad log failures (#16489, @pchaigno)
test: Fix artifact collection for FQDN matchPattern test (#16759, @pchaigno)
test: Fix flake in ValidateEndpointsAreCorrect (#16068, @pchaigno)
test: Fix fragment tracking test on GKE (#15959, @pchaigno)
test: Fix graceful termination test flake (Backport PR #18076, Upstream PR #18050, @aditighag)
test: Fix helper to retrieve tail call counters (#16803, @pchaigno)
test: Fix incorrect selector for netperf-service (Backport PR #18076, Upstream PR #18006, @christarazi)
test: Fix incorrect uninstall in K8sBandwidth (#16053, @pchaigno)
test: fix Infinite loop during VM provisioning (#17031, @h3llix)
test: Fix local runs of K8sUpdates (#16802, @pchaigno)
test: Fix missing artifacts for tests with parentheses (#16540, @pchaigno)
test: Fix the search for VIPs in cilium service list (#15968, @pchaigno)
test: Instrument LB IP via BGP test with debug-events (#16445, @christarazi)
test: Log input to json.Unmarshal when it fails (#16099, @pchaigno)
test: Misc improvements (#16064, @pchaigno)
test: Move instrumentation to AfterFailed instead of AfterAll (#16845, @christarazi)
test: Pass container to ExecPodCmdBackground() (#16435, @jrajahalme)
test: Quarantine fragment tracking test on GKE (#16051, @pchaigno)
test: Quarantine Secondary nodeport device tests (Backport PR #18109, Upstream PR #18091, @joestringer)
test: Redeploy DNS after endpointRoutes reconfiguration (#16767, @joestringer)
test: Remove outdated error msg from allowlist (#16998, @pchaigno)
test: Remove Services SCTP test case (#16895, @brb)
test: Remove special case for host identity when remote-node identity is disabled (#16450, @romanspb80)
test: Remove uptime reporting (#16486, @brb)
test: Retrieve the private interface in an Eventually (#16990, @christarazi)
test: Run WG with per-endpoint routes (#15906, @brb)
test: set kubeProxyReplacement=probe for upstream k8s tests (#16162, @aanm)
test: Skip Istio test on k8s <1.17 (#17445, @jrajahalme)
test: Specify node-selectors in BGP configmap (#16412, @christarazi)
test: Spring cleaning of K8sServicesTest (#16470, @brb)
test: Test IPsec+VXLAN on 4.19 (#17512, @pchaigno)
test: Tiny cleanup of k8s_install.sh (#16534, @brb)
test: Update list of allowed level=error logs (#16623, @pchaigno)
test: Use hubble observe's jsonpb output in artifacts (#16054, @pchaigno)
test: Use new test-verifier image in K8sVerifier (#16231, @pchaigno)
test: Wait for kube-dns before starting test (#16411, @jrajahalme)
tests: Disable K8s upstream tests that we do not support (#17828, @nathanjsweet)
tests: rework custom calls's AfterEach/AfterAll blocks to skip if needed (#16651, @qmonnet)
travis: login to Docker Hub (#17537, @nbusseneau)
Update cilium-cli to v0.9.0 (#17330, @tklauser)
update go.mod dependencies (#17775, @aanm)
Use cilium-cli sysdump in L4LB tests (#17719, @tklauser)
vagrant: Bump all Vagrant box versions (#16589, @pchaigno)
vagrant: bump all Vagrant box versions (#17394, @tklauser)
wireguard: Fix timeout in unit test (#16001, @gandro)
workflows/L4LB: Reprovision if vagrant up fails (#17339, @brb)
workflows: issue_comment triggers refactoring (#17419, @nbusseneau)
workflows: add external workload conformance test (#16789, @nbusseneau)
workflows: add test exceptions for failing L7 tests on EKS with IPsec (#17140, @nbusseneau)
workflows: disable no-policies/pod-to-service in clustermesh (#17894, @nbusseneau)
workflows: disable AKS testing with encryption enabled (#17645, @nbusseneau)
workflows: disable scheduled runs for 1.10 AKS workflow (#17053, @nbusseneau)
workflows: disable scheduled runs for 1.10 workflows (#17023, @nbusseneau)
workflows: filter out schedule events from forks (#16012, @nbusseneau)
workflows: fix build-and-push-with-qemu on v1.11 (#18071, @nbusseneau)
workflows: Fix change detection of comment-triggered jobs (#17171, @pchaigno)
workflows: fix concurrency group names (#16711, @nbusseneau)
workflows: Fix Hubble flow capture in smoke tests (#17137, @pchaigno)
workflows: fix L4LB test missing PR reporting on issue_comment (#16830, @nbusseneau)
workflows: fix permissions (#17008, @nbusseneau)
workflows: fix Relay pgrep check when using additional flags (#16831, @nbusseneau)
workflows: Fix use of paths-filter on master pushes (#16507, @pchaigno)
workflows: Improve the change check for issue_comment triggers (#16841, @pchaigno)
workflows: increase VM creation retry count on external workloads (#17138, @nbusseneau)
workflows: lessen clustermesh clusters names (#16029, @nbusseneau)
workflows: only gather artifacts on failure (#16010, @nbusseneau)
workflows: pin cilium-cli version to v0.8.6 (#17143, @nbusseneau)
workflows: remove label filters for testing workflows (#16735, @nbusseneau)
workflows: retrieve 1.10 branch code for L4LB test (#17737, @nbusseneau)
workflows: retry GCP VM creation up to 3 times (#17068, @nbusseneau)
workflows: Revert changes to comment-triggered workflows (#17173, @pchaigno)
workflows: Skip building cilium-operator image (#16501, @pchaigno)
workflows: Skip FQDN tests in AWS-CNI workflow (#16868, @pchaigno)
workflows: Skip jobs instead of workflows (#16487, @pchaigno)
workflows: Skip L7 test in AWS-CNI chaining mode (#17122, @pchaigno)
workflows: update cluster names and tags (#15944, @nbusseneau)
workflows: use !success() for sysdump and Slack notifications (#16899, @nbusseneau)
workflows: Use new cilium sysdump (#17428, @pchaigno)
workflows: various fixes & consistency passes (#16787, @nbusseneau)
workflows: various small fixes (#16311, @nbusseneau)

Misc Changes:

.gitattributes: Hide Documentation/_static. (#16929, @joestringer)
.github/workflows: checkout all git history for Image GC (#17622, @aanm)
.github/workflows: Fix typo (#16074, @christarazi)
.github: add bug_report form to submit Cilium bugs (#17933, @aanm)
.github: add external docs references to be updated after a release (#16177, @aanm)
.github: add instructions when releasing a new minor version (#16405, @aanm)
.github: add MLH config for flake tracking (#17040, @aanm)
.github: add more release steps (#16257, @aanm)
.github: add step to check for GH workflow when chart is released (#16851, @aanm)
.github: add workflow to build beta images (Backport PR #18076, Upstream PR #18052, @aanm)
.github: Create lint-rst.yaml (#16387, @geyslan)
.github: Fix image digest job printing (#16660, @joestringer)
.github: fix MLH configuration file for v1.11 branch (#18032, @aanm)
.github: ignore k8s deps in dependabot (#16240, @tklauser)
.github: Increase reporting threshold for new flakes (#17812, @pchaigno)
.github: Rename project/ci-force to ci/flake (#17344, @pchaigno)
.github: Rename maintainer's little helper's config file (#16458, @pchaigno)
.github: set link for GH issue feature template (#17214, @aanm)
Add arm64 support for the connectivity test (#15894, @aanm)
Add AWS & Yahoo (#17406, @tgraf)
Add cilium_egress_v4 to ignoredELFPrefixes (#16334, @Divya063)
Add Cognite to USERS (#17405, @tgraf)
Add developer build option to disable optimizations (#16923, @xyz-li)
Add documentation for vlan bpf bypass. (#17539, @kvaster)
Add eCHO (#16283, @lizrice)
Add few values in CiliumEndpointPropagation metric bucket. (#17957, @krishgobinath)
Add Form3 to users (#16643, @kevholditch-f3)
Add identity GC metrics for CRD allocation mode (#15905, @rscampos)
Add Kernel Misc Probe (#17541, @vincentmli)
Add missing bpftool map dumps (#16055, @h3llix)
Add neighbor discovery behavior docs to kubeproxy-free. (#17469, @bjhaid)
add note about selecting proper interface name for masquerading (#17443, @rootkamil)
add scruffy to garbage collect CI images from quay.io (#17610, @aanm)
add stable.txt (#16453, @rolinh)
Adding error checks for ctx_load_bytes. (#16138, @trvll)
Adds a locked function to do ipcache delete on metadata match (Backport PR #18076, Upstream PR #17909, @Weil0ng)
Adds a warning in the upgrade doc about split cluster (#17755, @Weil0ng)
Adds concept documentation for CiliumEndpointSlice (#17430, @Weil0ng)
Adds Northflank as a user (#17855, @DeciderWill)
all: remove unnecessary string(byteslice) when passed into fmt.*rintf("%s", string(b)) (#17577, @odeke-em)
Allow configuration of probe timers in Helm chart (#16584, @jonkerj)
Allow to add custom labels to ServiceMonitors cilium-agent, cilium-operator, hubble in the Cilium Helm chart. (#17509, @canhnt)
Avoid transitive dependency on github.com/miekg/dns in policy API (#16806, @tklauser)
backporting: Suggest only one related commit for a backport (#16907, @joestringer)
Better error reporting/catching in agent on nativeRoutingCIDR (#16646, @jibi)
bpf, test/bpf: add generated files to .gitignore (#17551, @tklauser)
bpf/Makefile: Default to KERNEL=netnext (#17600, @pchaigno)
bpf/pcap: Use CAPTURE{4,6}_RULES macros (#16809, @pchaigno)
bpf: Add extension for running sock LB on MKE-related containers (#17513, @borkmann)
bpf: avoid encrypt_key map lookup if IPsec is disabled (#17840, @tklauser)
bpf: Cleanup datapath macros (#17150, @pchaigno)
bpf: convert majority of bpf_elf_map definitions to BTF map definitions (#17640, @ti-mo)
bpf: ct: use union to hide the rx_bytes hack (#16471, @jibi)
bpf: Fix reset of CB_PROXY_MAGIC (#17592, @jrajahalme)
bpf: Fix stale map removal in agent logs (Backport PR #18027, Upstream PR #17973, @borkmann)
bpf: Migrate map migration logic from C to Go (#16917, @nathanjsweet)
bpf: Refactoring egress gateway datapath (#17868, @pchaigno)
bpf: remove accidentally committed cilium-map-migrate binary (#17860, @tklauser)
bpf: Remove duplicate define from MAX_BASE_OPTIONS (#16911, @christarazi)
bpf: remove libelf dependency and unused nobpf.h (#17612, @ti-mo)
bpf: rename variables with camel-case names (#16476, @qmonnet)
bpf: two small janitorial cleanups (#16198, @tklauser)
bpf: use ctx_redirect{,_peer}() instead of redirect{,_peer}() (#17814, @tklauser)
bpf_host: emit '-> network' traces for egress packets (#16082, @navarrothiago)
bugtool: Collect BPF cgroup programs related information (#16691, @aditighag)
bugtool: Default pprof to the agent's gops port (#17004, @glibsm)
bugtool: dump all active configs and encryption status (#17304, @h3llix)
bugtool: Dump xfrm policy stats (#17354, @pchaigno)
bugtool: Include listing of egress gateway map (#17378, @pchaigno)
bugtool: Update ip{6,}tables commands (#16778, @pchaigno)
build(deps): bump 8398a7/action-slack from 3.10.0 to 3.11.0 (#17886, @dependabot[bot])
build(deps): bump 8398a7/action-slack from 3.11.0 to 3.12.0 (#17966, @dependabot[bot])
build(deps): bump 8398a7/action-slack from 3.9.1 to 3.9.2 (#16995, @dependabot[bot])
build(deps): bump 8398a7/action-slack from 3.9.2 to 3.9.3 (#17383, @dependabot[bot])
build(deps): bump 8398a7/action-slack from 3.9.3 to 3.10.0 (#17447, @dependabot[bot])
build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16345, @dependabot[bot])
build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16357, @dependabot[bot])
build(deps): bump actions/cache from 2.1.6 to 2.1.7 (#17971, @dependabot[bot])
build(deps): bump actions/checkout from 1 to 2.3.5 (#17632, @dependabot[bot])
build(deps): bump actions/checkout from 2.3.5 to 2.4.0 (#17776, @dependabot[bot])
build(deps): bump actions/download-artifact from 2.0.9 to 2.0.10 (#16575, @dependabot[bot])
build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 (#17247, @dependabot[bot])
build(deps): bump actions/upload-artifact from 2.2.3 to 2.2.4 (#16576, @dependabot[bot])
build(deps): bump aws-actions/configure-aws-credentials from 1.5.10 to 1.5.11 (#16942, @dependabot[bot])
build(deps): bump aws-actions/configure-aws-credentials from 1.5.10 to 1.5.11 (#16959, @dependabot[bot])
build(deps): bump aws-actions/configure-aws-credentials from 1.5.11 to 1.6.0 (#17999, @dependabot[bot])
build(deps): bump aws-actions/configure-aws-credentials from 1.5.8 to 1.5.9 (#16182, @dependabot[bot])
build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16413, @dependabot[bot])
build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16504, @dependabot[bot])
build(deps): bump azure/CLI from 1.0.4 to 1.0.5 (#17843, @dependabot[bot])
build(deps): bump azure/CLI from 1.0.5 to 1.0.6 (#17885, @dependabot[bot])
build(deps): bump azure/login from 1.3.0 to 1.4.0 (#17673, @dependabot[bot])
build(deps): bump azure/login from 1.4.0 to 1.4.1 (#17884, @dependabot[bot])
build(deps): bump babel from 2.6.0 to 2.9.1 in /Documentation (#17662, @dependabot[bot])
build(deps): bump docker/build-push-action from 2.4.0 to 2.5.0 (#16327, @dependabot[bot])
build(deps): bump docker/build-push-action from 2.5.0 to 2.6.1 (#16743, @dependabot[bot])
build(deps): bump docker/build-push-action from 2.6.1 to 2.7.0 (#17196, @dependabot[bot])
build(deps): bump docker/login-action from 1.9.0 to 1.10.0 (#16638, @dependabot[bot])
build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15917, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15940, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 1.3.0 to 1.4.1 (#16682, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 1.4.1 to 1.5.0 (#16760, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 1.5.0 to 1.5.1 (#16853, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 1.5.1 to 1.6.0 (#17346, @dependabot[bot])
build(deps): bump docker/setup-qemu-action from 1.1.0 to 1.2.0 (#16326, @dependabot[bot])
build(deps): bump dorny/paths-filter from 2.10.1 to 2.10.2 (#16532, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1095 to 1.61.1153 (#16606, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1153 to 1.61.1214 (#17072, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1317 to 1.61.1319 (#17786, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1319 to 1.61.1322 (#17795, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1322 to 1.61.1323 (#17826, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1323 to 1.61.1325 (#17863, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1325 to 1.61.1327 (#17891, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1327 to 1.61.1331 (#17901, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1331 to 1.61.1333 (#17937, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1333 to 1.61.1334 (#17950, @dependabot[bot])
build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.957 to 1.61.1095 (#16215, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.11.0 to 1.11.1 (#17946, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.6.0 to 1.7.1 (#16905, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.1.6 to 1.2.0 (#16143, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.2.0 to 1.5.0 (#16927, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.5.0 to 1.6.0 (#17096, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.9.0 to 1.10.0 (#17821, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.1.0 to 1.1.1 (#16452, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.4.0 to 1.6.0 (#17602, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.7.0 to 1.8.0 (#17825, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.8.0 to 1.8.1 (#17951, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.13.0 to 1.16.0 (#17347, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.20.0 to 1.21.0 (#17817, @dependabot[bot])
build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.5.0 to 1.9.0 (#16625, @dependabot[bot])
build(deps): bump github.com/Azure/azure-sdk-for-go from 50.0.0+incompatible to 50.2.0+incompatible (#16077, @dependabot[bot])
build(deps): bump github.com/Azure/azure-sdk-for-go from 54.0.0+incompatible to 54.3.0+incompatible (#17704, @dependabot[bot])
build(deps): bump github.com/Azure/azure-sdk-for-go from 59.0.0+incompatible to 59.1.0+incompatible (#17787, @dependabot[bot])
build(deps): bump github.com/Azure/azure-sdk-for-go from 59.1.0+incompatible to 59.2.0+incompatible (#17844, @dependabot[bot])
build(deps): bump github.com/Azure/azure-sdk-for-go from 59.2.0+incompatible to 59.3.0+incompatible (#17938, @dependabot[bot])
build(deps): bump github.com/Azure/go-autorest/autorest from 0.11.17 to 0.11.21 (#17624, @dependabot[bot])
build(deps): bump github.com/Azure/go-autorest/autorest from 0.11.21 to 0.11.22 (#17818, @dependabot[bot])
build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.16 to 0.9.17 (#17827, @dependabot[bot])
build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.8 to 0.5.9 (#17831, @dependabot[bot])
build(deps): bump github.com/containernetworking/plugins from 0.9.0 to 0.9.1 (#17518, @dependabot[bot])
build(deps): bump github.com/docker/docker from 20.10.10+incompatible to 20.10.11+incompatible (#17936, @dependabot[bot])
build(deps): bump github.com/go-openapi/errors from 0.19.9 to 0.20.0 (#16796, @dependabot[bot])
build(deps): bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (#17438, @dependabot[bot])
build(deps): bump github.com/go-openapi/loads from 0.20.0 to 0.20.2 (#16185, @dependabot[bot])
build(deps): bump github.com/go-openapi/runtime from 0.19.26 to 0.19.28 (#16242, @dependabot[bot])
build(deps): bump github.com/go-openapi/runtime from 0.19.28 to 0.19.29 (#17055, @dependabot[bot])
build(deps): bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (#17101, @dependabot[bot])
build(deps): bump github.com/go-openapi/strfmt from 0.20.0 to 0.20.3 (#17568, @dependabot[bot])
build(deps): bump github.com/go-openapi/swag from 0.19.14 to 0.19.15 (#16351, @dependabot[bot])
build(deps): bump github.com/go-openapi/validate from 0.20.1 to 0.20.2 (#16808, @dependabot[bot])
build(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (#16368, @dependabot[bot])
build(deps): bump github.com/google/renameio from 1.0.0 to 1.0.1 (#16921, @dependabot[bot])
build(deps): bump github.com/hashicorp/consul/api from 1.3.0 to 1.9.1 (#17188, @dependabot[bot])
build(deps): bump github.com/kr/pretty from 0.2.1 to 0.3.0 (#17117, @dependabot[bot])
build(deps): bump github.com/mattn/go-shellwords from 1.0.10 to 1.0.12 (#17061, @dependabot[bot])
build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0 (#17816, @dependabot[bot])
build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.2 to 3.21.5 (#16410, @dependabot[bot])
build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.7 (#17127, @dependabot[bot])
build(deps): bump github/codeql-action from 1.0.18 to 1.0.19 (#17641, @dependabot[bot])
build(deps): bump github/codeql-action from 1.0.19 to 1.0.20 (#17710, @dependabot[bot])
build(deps): bump github/codeql-action from 1.0.20 to 1.0.21 (#17743, @dependabot[bot])
build(deps): bump github/codeql-action from 1.0.21 to 1.0.22 (#17783, @dependabot[bot])
build(deps): bump github/codeql-action from 1.0.22 to 1.0.23 (#17920, @dependabot[bot])
build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1 (#17233, @dependabot[bot])
build(deps): bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (#17864, @dependabot[bot])
build(deps): bump helm/kind-action from 1.1.0 to 1.2.0 (#16706, @dependabot[bot])
build(deps): bump KyleMayes/install-llvm-action from 1.3.0 to 1.4.0 (#16466, @dependabot[bot])
build(deps): bump KyleMayes/install-llvm-action from 1.4.0 to 1.4.1 (#16956, @dependabot[bot])
build(deps): bump KyleMayes/install-llvm-action from 1.4.1 to 1.5.0 (#17782, @dependabot[bot])
build(deps): bump nick-invision/retry from 2.4.1 to 2.5.0 (#17555, @dependabot[bot])
build(deps): bump nick-invision/retry from 2.5.0 to 2.5.1 (#17685, @dependabot[bot])
build(deps): bump Sibz/github-status-action from 1.1.5 to 1.1.6 (#17476, @dependabot[bot])
build(deps): update KyleMayes/install-llvm-action requirement to v1.3.0 (#16059, @dependabot[bot])
Bump github.com/aws/aws-sdk-go-v2/service/ec2 to v1.13.0 (#17113, @ungureanuvladvictor)
bwm: queue mapping & cong fixes (#15964, @borkmann)
byteorder: Simplify byteorder package (#16201, @twpayne)
checkpatch: update image to fix checks on commit object and message (#17067, @qmonnet)
checkpatch: update image to improve checks and extend to all commits (#16739, @qmonnet)
checkpatch: update to latest image to ignore empty commit messages (#17523, @twpayne)
Checks k8s metadata for pod before removing IP from ipcache (#17161, @Weil0ng)
choir: normalize error handling in kube_proxy_replacement.go (#16811, @ldelossa)
chore: normalize returning of errors in NewDaemon (#16861, @ldelossa)
ci: Increase the CI image wait timeout to 30 minutes (#17409, @michi-covalent)
ci: use git status instead of git diff to check for a clean state (#16619, @kaworu)
cilium: Don't report health error when disabled (#17146, @joestringer)
cilium: fix ipv6 neighbor discovery (#17842, @borkmann)
cilium: Rework neighbor handling (#17713, @borkmann)
Clarify one-time setup for backporting (#16016, @christarazi)
Cleanup Azure allocator cloud name detection code (#16888, @ungureanuvladvictor)
clustermesh: fix CEP status patch (#16986, @nbusseneau)
CODEOWNERS: add entries for health, recorder and relay APIs (#16522, @tklauser)
CODEOWNERS: Assign egress gateway code to @cilium/bpf (#17774, @pchaigno)
CODEOWNERS: Assign pkg/cgroups to cilium/bpf (#16758, @pchaigno)
CODEOWNERS: Give maintainer's code to github-sec team (#16426, @pchaigno)
CODEOWNERS: No review from @cilium/build on bpf/Makefile (#17601, @pchaigno)
codeql: Fix GitHub Action permissions (#17376, @twpayne)
codeql: Update CodeQL action version (#17579, @twpayne)
conditionally change hubble relay port in hubble-ui (#16511, @alex1989hu)
contrib/backporting: add environment variables to set ORG and REPO (#17424, @aanm)
contrib/backporting: Dockerize backporting scripts (#17157, @aditighag)
contrib/backporting: Install PyGithub for user (#17627, @joamaki)
contrib/docs: rename 'cilium-actions.yml' with 'maintainers-little-helper.yaml (#16750, @aanm)
contrib/vagrant/start.sh: add a NO_BUILD export (#17425, @kkourt)
contrib/vagrant: Use CRDs instead of kvstore if K8S=1 (#15913, @pchaigno)
contrib: Ensure release tag is upstream before push (#15903, @joestringer)
contrib: Explicitly set remote for backport branches (#16804, @twpayne)
contrib: Fix bump-readme.sh script (#17311, @joestringer)
contrib: fix dual-stack support in dev VMs (#15887, @aanm)
contrib: Fix scripts for v1.10 (#15898, @joestringer)
contrib: Fix submit-release.sh regression (#17607, @joestringer)
contrib: Identify upstream commits by author and date (#16572, @pchaigno)
contrib: Improve release script guard rails (#16936, @joestringer)
contrib: Make upstream commit check more generic (#16160, @joestringer)
contrib: Request author review during backports (#16484, @joestringer)
contrib: simplify check-docker-images script (#16176, @aanm)
contrib: Support prereleases in release prep scripts (#17502, @joestringer)
contrib: update etcd's dev VM version (#16193, @aanm)
Convert license headers to SPDX (#16887, @ldelossa)
correct comment Service6Key and Service4Key (#17271, @ChenYahui2019)
daemon, ipam, option: Introduce ability to bypass IP availability error (#17492, @christarazi)
daemon/cmd: Extend Cilium status with graceful termination config (Backport PR #18027, Upstream PR #17969, @aditighag)
daemon: Add --derive-masquerade-ip-addr-from-device opt (#17230, @brb)
daemon: add K8sCacheIsSynced() method (#17651, @jibi)
daemon: fix race in config handler (#17413, @h3llix)
daemon: Improve logging of device auto-detection (#16118, @brb)
daemon: log any error returned by RestoreServices() (#16666, @jibi)
daemon: Skip bridge-like devices (#17560, @joamaki)
daemon: Warn on disabling iptables (#16611, @joestringer)
daemons: name init functions and have one init (#17616, @nebril)
datapath/linux: enable neighbor discovery in unit tests (#17044, @aanm)
datapath: allow specifying cilium_host routes metric (#17544, @Frankkkkk)
datapath: Always use of wait argument on iptables commands. (#17593, @jrajahalme)
datapath: Pass proxy port in to-proxy traces (#17595, @jrajahalme)
datapath: Sort VLAN IDs in generated macros (#17105, @jrajahalme)
dependabot: set pull-request limit to 5 (#17785, @aanm)
dev-doctor: add check for the root directory (#16205, @twpayne)
dev-doctor: Add docker and docker buildx checks (#16265, @twpayne)
dev-doctor: Bump minimum hub version requirement for backporting (#16734, @twpayne)
dev-doctor: use default GOPATH when missing from env (#17385, @kaworu)
doc/encryption: improve consistency between ipsec and wireguard guides (#15965, @rolinh)
doc: add upgrade note about nativeRoutingCIDR deprecation (Backport PR #18119, Upstream PR #18095, @kaworu)
doc: hubble configuration cleanup (#17522, @kaworu)
doc: update Hubble/Hubble Relay guides for recent CLI changes (#15981, @rolinh)
doc: use ipv4NativeRoutingCIDR instead of nativeRoutingCIDR (Backport PR #18076, Upstream PR #18026, @kaworu)
Dockerfile: use alpine 3.12 (#15950, @aanm)
docs(k3s): add back the flag to disable network policies (#16755, @rio)
docs, bpf: fix llvm-objdump --no-show-raw-insn options (#16848, @claudiajkang)
docs, gsg: add link to plumbers talk on service lb mechanisms (#16171, @borkmann)
docs, gsg: minor edits to kpr guide and note on hybrid use (#16169, @borkmann)
docs/ipsec: misc improvements (#15978, @kaworu)
docs: account for bandwidth manager now being disabled by default (#16782, @bmcustodio)
docs: add 'endpointRoutes.enabled=true' to aws-cni (#16045, @bmcustodio)
docs: add a "Copy Commands" button for shell-session snippets (#16408, @qmonnet)
docs: add a reference of helm values (#16238, @bmcustodio)
docs: Add caveat for OpenShift (#16161, @christarazi)
docs: add cilium build depedency when regen'ing docs (#17155, @ldelossa)
docs: add clustermesh-apiserver description (#17025, @oblazek)
docs: add custom spelling filter to check WireGuard spelling (#16513, @qmonnet)
docs: add forking instructions + workflow + fix contributing notes (#16025, @nbusseneau)
docs: add guidelines for contributing to Cilium's documentation (#16738, @qmonnet)
docs: add ids to the list of special identities (#16123, @bmcustodio)
docs: add information about ConfigMap updates (#16141, @aanm)
docs: add K8s 1.22 compatibility (#17722, @nbusseneau)
docs: Add missed build tag flags in testing docs (#17160, @twpayne)
docs: add missing mount bpf fs on minikube GSG (#16324, @aanm)
docs: Add note about DNS-related policies on OpenShift (#16083, @twpayne)
docs: add registry (quay.io/) for pre-loading images for kind (Backport PR #18076, Upstream PR #18017, @adamzhoul)
docs: Add upgrade note regarding custom ports (Backport PR #18027, Upstream PR #17975, @errordeveloper)
Docs: Changed parameters for minikube start (#16570, @mauilion)
docs: Clarify coordination for backporting process (#15989, @christarazi)
docs: Clarify deprecated "prefilter-devices" (Backport PR #18119, Upstream PR #18112, @brb)
docs: Clarify exact requirements for the egress gateway (#17381, @pchaigno)
docs: clarify language on libceph and kernel 5.8 in kubeproxy-free GSG (#16969, @bluikko)
docs: Clarify LRP loop related note (#16342, @aditighag)
docs: Clarify SA target in KPR gsg (#16954, @brb)
docs: clarify upgrade impact for clients using an egress gateway (Backport PR #18119, Upstream PR #18097, @jibi)
docs: clarify uses of --direct-routing-device (#17578, @kkourt)
docs: cleanup and tidy up the 1.11 upgrade guide (Backport PR #18119, Upstream PR #18093, @aanm)
docs: clustermesh: fix output of "cilium clustermesh status" command (#15982, @jibi)
docs: deprecate native-routing-cidr from v1.10 (#16688, @jibi)
docs: Docker version requirement for external workloads (#17726, @wazir-ahmed)
docs: Document --debug-verbose=datapath in debugging datapath section (#16022, @navarrothiago)
docs: Document dns visibility limitations (#16822, @joestringer)
docs: Document limitation for kernels without netns cookie (#17575, @pchaigno)
docs: document the policy for backporting documentation changes (#16137, @qmonnet)
docs: ENIs should not be managed by the OS (#16186, @gandro)
docs: fix a block directive in OpenShift GSG (#17760, @qmonnet)
docs: fix a typo in Helm installation documentation (#16325, @netflash)
docs: Fix build failure (#16454, @pchaigno)
docs: fix check-crd-compat-table script (#16545, @aanm)
docs: fix code-block for bpf mount example (#16719, @aanm)
docs: fix code-block formatting for XDP load example (#16876, @claudiajkang)
docs: Fix command for overwriting iptables on kube-proxy replacement install (#16264, @Stijn98s)
docs: fix docs following #17238 (#17530, @nbusseneau)
docs: fix docs following #17526 (#17570, @nbusseneau)
docs: Fix egress gateway getting started guide (#15984, @gandro)
docs: fix eksctl ClusterConfig to allow copy (Backport PR #18119, Upstream PR #18110, @aanm)
docs: fix Helm documentation and doc checks (#16737, @qmonnet)
docs: Fix Helm instructions for BGP (#16263, @xentobias)
docs: Fix helm value when deploying pure ipvlan l3 mode (#17708, @chendotjs)
Docs: Fix maglev.hashSeed byte size documentation (#16690, @gaffneyd4)
docs: Fix missing quote in gcloud command for GKE (#17014, @christarazi)
docs: fix some dead links (#16336, @aanm)
docs: Fix typo in BGP GSG (#16563, @christarazi)
docs: Fix up broken minikube link (#17382, @joestringer)
docs: Fix up mailmap a bit and update authors (Backport PR #18027, Upstream PR #17983, @borkmann)
docs: Fix version sorting for CRD schema docs (#17288, @joestringer)
docs: fix warnings for documentation build, use a linter (#16407, @qmonnet)
docs: Fix WireGuard spelling (#16293, @gandro)
docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (#15963, @ti-mo)
docs: Hubble UI does not show HTTP endpoints anymore (#16535, @gandro)
docs: ignore __pycache__ directory created by custom spelling filters (#16791, @qmonnet)
docs: improve and fix minor issues (#15975, @qmonnet)
docs: improve the aws-cni chaining page (#15979, @bmcustodio)
docs: improve the bandwidth manager page (#16783, @bmcustodio)
docs: Improve wording around Helm values in OKD GSG (#16069, @errordeveloper)
docs: include maintainers CODEOWNERS release process (#15924, @aanm)
docs: Instructions to upgrade aws-cni (#16431, @pchaigno)
docs: KUBECONFIG for cilium-cli with k3s (Backport PR #18076, Upstream PR #18068, @kkourt)
docs: mark node-to-node IPSec encryption as beta (#16200, @qmonnet)
docs: Mention about KubeVirt in KPR docs (#17847, @brb)
docs: minor improvements to tuning guide (#16024, @borkmann)
docs: Minor language tweak (#15923, @glibsm)
docs: remove 1.7 upgrade guide and add upgradeCompatibility for 1.9 (#16288, @aanm)
docs: Remove instructions for nodeinit on various platforms (#17635, @joestringer)
docs: remove mention of 250 nodes for kvstore (Backport PR #18027, Upstream PR #17995, @aanm)
docs: remove misplaced sentence from Quick Installation guide (#15971, @lfundaro)
docs: rename maintainers team to cilium-maintainers (#16591, @aanm)
docs: Reword sentence on WireGuard limitation (#17822, @pchaigno)
docs: run GitHub action when Charts are touched to check Helm values ref (#16577, @qmonnet)
docs: small fixes to Getting Started Guides (#17583, @nbusseneau)
docs: Some Wireguard improvements (#16023, @brb)
docs: tell how to deploy demo app in Hubble CLI guide (#15973, @lfundaro)
docs: Update community page (#17599, @joestringer)
docs: Update iproute2 requirements (#17830, @brb)
docs: Update link to be specific to Janitors (#16732, @pchaigno)
docs: update OpenShift getting started guide (#16006, @twpayne)
docs: Update packer-ci-build docs (#17395, @twpayne)
docs: update requirements (urllib3 1.26.5, requests 2.25.1) (#16396, @qmonnet)
docs: Update SIG-Datapath meeting time. (#16027, @joestringer)
docs: update the version specific notes table (#16710, @bmcustodio)
docs: Update troubleshooting for 1.10 (#16081, @twpayne)
docs: use .. code-block:: shell-session wherever relevant (#16474, @qmonnet)
docs: Use cilium sysdump instead of python sysdump (#17402, @michi-covalent)
docs: Use git+https in requirements.txt (#17756, @michi-covalent)
docs: various fixes to documentation, notably Getting Started Guides (#16126, @nbusseneau)
Document v1.11 feature deprecations (Backport PR #18027, Upstream PR #17993, @joestringer)
Documentation/gettingstarted: fix helm arguments (#17496, @AlexZzz)
Documentation/Makefile improve clean command (#17598, @kkourt)
Documentation: dont use docker for check-cmdref (#16939, @kkourt)
ebpf: delete existing pinned map if incompatible with the spec (#15832, @jibi)
elf: skip BenchmarkWriteELF if ELF file wasn't built (#17536, @tklauser)
Encryption docs update (#14940, @aditighag)
ethtool: use ioctl wrapper from golang.org/x/sys/unix (#17153, @tklauser)
examples: add an example of a hubble-cli Deployment (#16459, @kaworu)
examples: Fix up standalone-etcd.yaml (#17369, @joestringer)
Fix alias of cilium-health get (#16891, @xyz-li)
Fix documented EC2 IAM action (Backport PR #18076, Upstream PR #17958, @austince)
Fix encryption getting started guides for v1.10 (#15961, @jibi)
Fix label shown as Unknown App in hubble ui for http-sw-app example (#17597, @hemslo)
Fix logging for expired FQDN IPs (#16030, @youssefazrak)
fix warning log for list IPV6 address: move IPV4 to IPv6. (#16475, @lic17)
fix(docs): bandwidth-manager install error (#17338, @withlin)
Fixed a minor race condition on drop counts when hubble starts drops flows/events, because of a full channel. This change also will log the fact that drops are happening once, rather than a log message for every drop, and will log an additional comment after drops are no longer happening with the number of events/flows that were dropped. (#15967, @nathanjsweet)
Follow ups for host firewall support of endpoint routes (#15942, @pchaigno)
fqdn: add fqdn proxy interface (#17318, @nebril)
github: Fix external workloads test file syntax (#17019, @brb)
github: Increase workflow timeout (#16819, @jrajahalme)
go.mod, vendor: update wireguard-go to latest version (#17740, @tklauser)
health: Fix cluster-health-port for health endpoint (Backport PR #18076, Upstream PR #18061, @gandro)
helm: ensure defaultMode=0400 for projected volumes containing secrets (#17367, @rolinh)
helm: Expose l2 neigh discovery related agent flags (#17526, @brb)
helm: Fix hubble-ui clusterrole guard (#17846, @gandro)
helm: Remove redundant capabilities (#17131, @gandro)
helm: set correct versions of docker images in Makefile (#17477, @aanm)
hubble-ca-cert ConfigMap cleanup (#17294, @kaworu)
hubble: Fix data races in pkg/hubble.TestRingReader_NextFollow_WithEmptyRing (#17397, @gandro)
images/builder: update protoc-gen-go-json from v1.0.0 to v1.1.0 (#17269, @rolinh)
images/script: update the example hubble cli Deployment version (#16537, @kaworu)
images: Bump Hubble CLI to v0.8.2 (#17362, @kaworu)
images: Bump iproute2 image (#17222, @brb)
images: Move hubble-proto into cilium-builder (#16217, @gandro)
images: Remove trailing newlines before computing SHA256 (#16621, @pchaigno)
Improve author attribution scripts (#15899, @joestringer)
Improve logging when cgroupfs mount fails (#15999, @johngv2)
Improve output of development VM startup (#17343, @pchaigno)
Improve the Helm chart documentation. (#16469, @bmcustodio)
Improves the error logs during the bpf maps updating (#16034, @elfadel)
install/kubernetes/cilium: reference stable docs for eBPF maps (#17757, @tklauser)
install/kubernetes: fix helm generation for operator image digest (Backport PR #18027, Upstream PR #17968, @aanm)
install/kubernetes: remove duplicated 'key' in volumes (#17123, @aanm)
install: Fix hubble-ui-backend digest tracking (#15900, @joestringer)
install: Fix README links to getting started guides (#16947, @joestringer)
install: Update image digests for v1.11.0-rc3 (#17967, @aanm)
Introduce v2 backend map with u32 backend ID (#17235, @Weil0ng)
ipam/allocator/podcidr: fix old pod cidr logging error (#17372, @lrouter)
ipcache: Remove unused fields (#17356, @joestringer)
iptables: Add extra warning message listing missing IPV6 kernel modules (#16842, @oneiro-naut)
iptables: Remove NOTRACK Netfilter target (#17751, @pchaigno)
ipvlan: Avoid spammy dmesg info messages (#17709, @chendotjs)
issue_14922: Fixed the 429 response code handling (#15760, @Maddy007-maha)
jenkinsfiles: Don't display nulls in current build display name (#17258, @twpayne)
k8s/watchers: Add missing v1 EndpointSlice group on init (#17778, @christarazi)
k8s: Bump schema version for v1.11 development (#17289, @joestringer)
k8s: Fix logging (#16530, @jrajahalme)
lbmap: Log svc update after bpf() syscall invocation (#17017, @brb)
logging: enhanced log level setting interface (#16021, @mvisonneau)
MAINTAINERS: update MAINTAINERS.md (#17427, @nbusseneau)
Make backporting responsibility more clear (#15700, @joestringer)
Make go test ./... succeed by default (#16914, @twpayne)
make: merge Go update targets (#17794, @tklauser)
Makefile, contrib: Add script to create kind cluster (#12527, @christarazi)
Makefile: fix line continuation in docker build (#17059, @krsna1729)
Makefile: fix typo in helper message (#17128, @aanm)
maps: switch maglev to cilium/ebpf package (#15546, @jibi)
Minikube guide updates (#16346, @aditighag)
Minor egress gateway fixups (#17663, @pchaigno)
Minor fixes for OKD GSG (#16000, @errordeveloper)
Misc. GH workflow improvements and hardness (#16908, @aanm)
monitor: Fix mismatching frontend service debug trace types (#16953, @christarazi)
monitor: Improve the log output format of datapath log. (#17507, @leonliao)
monitor: Initialize agent in deamon early (#17407, @gandro)
monitor: print error message on failure to decode layer (#16397, @qmonnet)
neigh: add runtime test for changing next hop address (#17862, @borkmann)
neigh: Clean up stale/untracked non-GC'ed neighbors (#17918, @borkmann)
neigh: Init new neighbor for older kernel with NUD_STALE (#17932, @borkmann)
neigh: minor improvements for neigh tests to be less flaky (Backport PR #18076, Upstream PR #18057, @borkmann)
netns: Fix socket leak (#17051, @brb)
node-neigh: Avoid flooding the same next hop (#15882, @brb)
node: Add WireguardPubKey to ToCiliumNode (#16420, @gandro)
operator: Improve identity GC efficiency (#17359, @christarazi)
operator: misc. refactoring and code removal (#16918, @aanm)
operator: remove deprecated Azure cloud name flag (#17765, @tklauser)
option: Fix ipvlan master device config (#17130, @joestringer)
pkg/k8s: add pod IP event change (#16190, @aanm)
pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors (#16153, @aanm)
pkg/k8s: re-add CiliumIsUp Node condition even if removed (#16857, @aanm)
pkg/kvstore: fix concurrent access of var in testing (#16427, @aanm)
pkg/kvstore: fix TestRunLocksGC unit test (#16596, @aanm)
pkg/node: add comments for IPLen in getCiliumHostIPsFromFile (#16877, @aanm)
pkg/rate,proxylib: Use math.MaxInt constants (#17580, @twpayne)
pkg: rename egresspolicy package to egressgateway (#17630, @jibi)
podcidr: rename a variable, to remove its "v4" prefix in a context where it can refer either to IPv4 or IPv6 (#17763, @cndoit18)
policy: Add a bpf compiling option when enable-icmp-rules flag is set (#17620, @chez-shanpu)
Prepare for 1.11.0 development (#15870, @joestringer)
Prepare for release v1.11.0-rc0 (#17501, @joestringer)
Prepare for release v1.11.0-rc1 (#17876, @aanm)
Prepare for release v1.11.0-rc2 (#17934, @aanm)
Prepare for release v1.11.0-rc3 (#17960, @aanm)
proxy: Expose cachedSelectorREEntry type (#17341, @nebril)
proxylib/test: fix data race between StartAccessLogServer and Close (#16298, @tklauser)
proxylib: Fix data races in unit tests (#17141, @gandro)
README: fix the Weekly Community Meeting time (#17215, @tixxdz)
README: update link to docker images to quay.io (#16116, @jibi)
refactor cert-gen logic (#16900, @dungdm93)
Refactor logging package to split syslog functionality into separate file (#16600, @tklauser)
Refactored, renamed and small misc changes in GH workflows (#16312, @aanm)
Remove duplicate CiliumNode watcher (#17873, @aanm)
Remove unrelated labels from example node-local-dns yaml (#17564, @Weil0ng)
Remove unused variable in test_tc_tunnel.c (#17683, @h3llix)
Removes CEP subresource. (#15632, @Weil0ng)
replaced and removed useless field in RemoteCache (#16290, @sstoner)
Restrict Kubernetes access for hubble-relay (#16937, @jonkerj)
Restructure helm chart into components (#16795, @dungdm93)
Revert "config: Fix incorrect packet path with IPsec and endpoint rou… (#17057, @aanm)
Revert "docs: add 'endpointRoutes.enabled=true' to aws-cni" (#16756, @bmcustodio)
Revert "docs: deprecate native-routing-cidr from v1.10" (#16695, @jibi)
Revert "operator: only GC identity keys of its own cluster" (#17549, @nbusseneau)
Revert "Perform reverse NAT at Host Interface" (#17319, @nbusseneau)
Revert "policy: Make selectorcache callbacks lock-free" (#16769, @aanm)
Revert "travis: login to Docker Hub" (#17548, @nbusseneau)
Revert PR #17145 (#17675, @nbusseneau)
SECURITY.md: Update security policy for v1.10 release cycle (#16254, @joestringer)
sockops: Remove duplicate error logging (#16417, @pchaigno)
Specify scrape interval for Hubble metrics (#16214, @christian-2)
Speed up build image process for PRs (#17623, @aanm)
Support serviceAnnotations to helm-metrics service (#17366, @carloscastrojumo)
test, images: update helm to 3.7.0 (#17488, @kaworu)
test/bpf: Flag to continue in case of errors (#16793, @pchaigno)
test: Add HostPort conformance to upstream-k8s (#17048, @joestringer)
test: align filter for kubectl.GetPodsNodes() on kubectl.GetPodsIPs() (#16398, @qmonnet)
test: Delete hubble-ca-secret when cleaning up (#17591, @jrajahalme)
test: Delete the test namespace in CLI test (#17134, @jrajahalme)
test: Disable unreliable K8sBookInfoDemoTest test (#17550, @twpayne)
test: Enable debug for l4lb test (#17720, @jrajahalme)
test: Increase service/DNS timeout from 30 to 240 seconds (#16820, @jrajahalme)
test: Quarantine K8sServicesTest Check services across nodes (#17514, @twpayne)
tests: re-enable Host Firewall for AutoDirectNodeRoutes test and encryption + direct routing (#16652, @qmonnet)
Tidy up Kubernetes watcher synchronization (#17145, @joestringer)
Tidy up Kubernetes watcher synchronization (#17677, @joestringer)
Togroups policy fixup (#15987, @psinghal20)
tooling: introduce target for generating json compilation database (#17065, @ldelossa)
treewide: convert more license headers to SPDX (#17151, @twpayne)
treewide: Ensure that binaries are built with at least Go 1.17 (#17322, @twpayne)
treewide: Fix problems identified by CodeQL (#17516, @twpayne)
treewide: Use formatted logrus logs when possible (#17611, @pchaigno)
ui: v0.8.3 (Backport PR #18076, Upstream PR #18033, @geakstr)
update .github directory to be v1.11 branch specific (#17986, @aanm)
Update base images with most recent SHAs (#15895, @aanm)
Update bug_template.md to use "cilium sysdump" command (#17697, @michi-covalent)
Update CI infrastructure for v1.10 release (#15947, @christarazi)
Update controller tools v0.6.2 (#17596, @jrajahalme)
Update Go to 1.16.4 (#16058, @tklauser)
Update Go to 1.16.5 (#16428, @tklauser)
Update Go to 1.16.7 (#17116, @tklauser)
Update Go to 1.17 (#17190, @tklauser)
Update Go to 1.17.1 (#17360, @tklauser)
Update Go to 1.17.2 (#17565, @tklauser)
Update Go to 1.17.3 (#17792, @tklauser)
Update mailmap and latest authors (#17605, @joestringer)
Update some dependencies to release versions (#17497, @tklauser)
Update stable releases (#16184, @joestringer)
Update stable releases (#16355, @aanm)
Update stable releases (#16547, @aanm)
Update stable releases (#16765, @aanm)
Update stable releases (#16902, @aanm)
Update stable releases (#16948, @joestringer)
Update stable releases (#16988, @joestringer)
Update stable releases (#17310, @joestringer)
Update stable releases (#17609, @joestringer)
Update stable releases (#17808, @joestringer)
update stable releases in README (#16244, @aanm)
Update test/packet instructions for running CI tests on dedicated instances (#16423, @christarazi)
Update USERS.md (#17231, @acholt)
Update weekly community meeting timeslot (#15985, @joestringer)
Use iproute2 with libbpf for loading datapath BPF programs (#16727, @brb)
Use k8snodestore to perform node status GC of CCNP and CNP (#16430, @daemon1024)
vagrant: Disable KPR in development VM to match Helm default (#16152, @pchaigno)
vendor: bump etcd to v3.5.0 and grpc to v1.39.0 (#15123, @rolinh)
vendor: bump github.com/vishvananda/netlink to latest master (#16070, @tklauser)
vendor: Bump go.universe.tf/metallb (#16187, @christarazi)
vendor: Update go.universe.tf/metallb (#16523, @christarazi)
vendor: update k8s dependencies and tests to 1.21.1 (#16212, @aanm)
vendor: Update k8s dependencies and tests to 1.21.3 (#16608, @christarazi)
vendor: update mongo-driver to 1.5.1 to fix CVE-2021-20329 (#17234, @aanm)
vendor: update wireguard library (#16066, @aanm)
verifier-test.sh: allow for empty FOO_PROGS (#17408, @kkourt)
version, metrics: allow to build on non-unix platforms (#16679, @tklauser)
veth: Avoid spammy dmesg info messages (#17705, @borkmann)
docs: Delete old CRD create by ACK CNI (#16145, @l1b0k)
Update kind documentation (#18007, @aditighag)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.0@sha256:ea677508010800214b0b5497055f38ed3bff57963fa2399bcb1c69cf9476453a
quay.io/cilium/cilium:v1.11.0@sha256:ea677508010800214b0b5497055f38ed3bff57963fa2399bcb1c69cf9476453a

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.0@sha256:361942671ce067cc7f3e97c2114512283148bcee5ec29e4f0a828869aedd4ced
quay.io/cilium/clustermesh-apiserver:v1.11.0@sha256:361942671ce067cc7f3e97c2114512283148bcee5ec29e4f0a828869aedd4ced

docker-plugin

docker.io/cilium/docker-plugin:v1.11.0@sha256:2b7df46918ba832f7c55bc7255f8599af30aa8dc43d62f854b7f10b43f8387c9
quay.io/cilium/docker-plugin:v1.11.0@sha256:2b7df46918ba832f7c55bc7255f8599af30aa8dc43d62f854b7f10b43f8387c9

hubble-relay

docker.io/cilium/hubble-relay:v1.11.0@sha256:306ce38354a0a892b0c175ae7013cf178a46b79f51c52adb5465d87f14df0838
quay.io/cilium/hubble-relay:v1.11.0@sha256:306ce38354a0a892b0c175ae7013cf178a46b79f51c52adb5465d87f14df0838

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.0@sha256:e61929869d59c5093c6d129ca1c21386338e1387051779d499a988545680b00a
quay.io/cilium/operator-alibabacloud:v1.11.0@sha256:e61929869d59c5093c6d129ca1c21386338e1387051779d499a988545680b00a

operator-aws

docker.io/cilium/operator-aws:v1.11.0@sha256:5f60a4e17ab33a3dcd2a942802b15f9e7be3d18f24464f31bba81a65a117e094
quay.io/cilium/operator-aws:v1.11.0@sha256:5f60a4e17ab33a3dcd2a942802b15f9e7be3d18f24464f31bba81a65a117e094

operator-azure

docker.io/cilium/operator-azure:v1.11.0@sha256:c1b41e6cbf6f1e0bb417170ac79eb6d78a7e39b775f1131a1104546fd18d745f
quay.io/cilium/operator-azure:v1.11.0@sha256:c1b41e6cbf6f1e0bb417170ac79eb6d78a7e39b775f1131a1104546fd18d745f

operator-generic

docker.io/cilium/operator-generic:v1.11.0@sha256:b522279577d0d5f1ad7cadaacb7321d1b172d8ae8c8bc816e503c897b420cfe3
quay.io/cilium/operator-generic:v1.11.0@sha256:b522279577d0d5f1ad7cadaacb7321d1b172d8ae8c8bc816e503c897b420cfe3

operator

docker.io/cilium/operator:v1.11.0@sha256:c802c16b7ab561075c08779c0e4c53acdb97753c38f27424bc243e444aa524b9
quay.io/cilium/operator:v1.11.0@sha256:c802c16b7ab561075c08779c0e4c53acdb97753c38f27424bc243e444aa524b9

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1.11.0