1.11.0-rc1
Pre-release
Pre-release
v1.11.0-rc1
aanm
André Martins
This tag was signed with the committer’s verified signature.
aanm
André Martins
We are pleased to release Cilium v1.11.0-rc1.
Note: The summary of changes below reflect the diff between tag v1.11.0-rc0 and tag v1.11.0-rc1.
Summary of Changes
Major Changes:
- Enable CiliumEndpointSlice feature (#17658, @krishgobinath)
Minor Changes:
- Add flag to list all available configurations (#17303, @h3llix)
- Add WireGuard status to cilium encrypt. (#17684, @h3llix)
- crd: Add categories for cilium CRDs (#17162, @sayboras)
- datapath,daemon: Enable multi-dev XDP (#17655, @brb)
- datapath: Add a flag to set VXLAN and Geneve ports (#16874, @errordeveloper)
- Detect devices from global unicast routes in addition to only
looking for the device with the Kubernetes Node IP and the one with
default route. This expands the set of devices used for kube-proxy
replacement, host firewall and bandwidth manager and should reduce
the need to specify devices manually. (#17219, @joamaki) - feat: allow installing hubble ui as standalone (#17473, @eddycharly)
- helm: Use
batch/v1apiVersion for CronJob in K8s 1.21+ (#16635, @gandro) - option: Rename egress gateway flag to
enable-ipv4-egress-gateway(#17695, @pchaigno) - Pod visibility annotations are now supported for Kafka and other policies implemented via Cilium Go extensions for Envoy. (#16935, @trvll)
- Reduce bugtool memory usage (#17546, @tklauser)
- Support advertising Pod CIDRs via BGP (#16525, @christarazi)
- Support graceful termination for service load-balancing such that active connections don't break when endpoints are deleted. (#17716, @aditighag)
- Support TLS certificate auto-generation using certmanager (#17238, @dungdm93)
- vendor: Update k8s dependencies and tests to 1.22.0-rc.0 (#16989, @nathanjsweet)
- wireguard: Add fallback to userspace implementation (#17451, @gandro)
Bugfixes:
- Adds an
ACCEPTrule for untracked pkts infilter:CILIUM_OUTPUT(#17585, @Weil0ng) - bug/pkg/health: Fix Nil Address Issue in Node Update Mechanism (#17667, @nathanjsweet)
- Define operator feature flags to allow the operator to register related CRDs. (#17772, @pchaigno)
- egress gateway: fix non-tunnel (direct routing) mode (#17517, @kkourt)
- egressgateway: Allow several CENPs with same egress IP (#17773, @pchaigno)
- Envoy configuration is fixed to work also when IPv6 is disabled. (#17281, @rock-andy)
- Fix identity leak via FQDN selectors (#17699, @joestringer)
- fix incorrect application of egress gateway policy to internal cluster traffic.
require a 5.2 kernel or later for the egress gateway policy feature. (#17639, @kkourt) - Fix issue where local host IPs may be briefly associated with the remote-node identity, causing policy drops when policy should allow traffic from the host. (#17836, @joestringer)
- Fix several complexity and program size issues when only one of IPv4/IPv6 is enabled. (#17573, @pchaigno)
- Fixes a bug where IPv6 pod CIDRs with leading zeros where not supported (#17707, @gandro)
- L7 proxy redirection on IPv6 ingress to a pod is fixed to properly update IPv6 hop limit. (#17718, @jrajahalme)
- node-init: cleanup snat iptables rules when running in eni mode with masquerading disabled (#16840, @bmcustodio)
- node: Skip ipcache for remote node IPs if IPsec is enabled (#17511, @pchaigno)
- operator: only GC identity keys of its own cluster (#16825, @ArthurChiao)
- pkg/k8s: fix invalid memory address or nil pointer dereference (#17642, @aanm)
CI Changes:
- .github: Fix codeQL workflow skip logic (#17587, @joestringer)
- .travis.yml: Disable arm64-graviton2-race (#17650, @joamaki)
- aks: fix AKS cluster creation following new taint limitations (#17529, @nbusseneau)
- bpf: Define
EGRESS_MAPin dummynode_config.h(#17574, @pchaigno) - CI, docs: remove libelf-dev from dependencies (#17687, @tklauser)
- ci/multicluster: Test WireGuard in clustermesh (#17453, @gandro)
- CI: update cilium-cli to v0.9.2 (#17706, @tklauser)
- ci: update cilium-cli to v0.9.3 (#17834, @tklauser)
- dependabot: re-enable Ginkgo updates (#17742, @tklauser)
- docs: check updates for the Helm reference (#17613, @qmonnet)
- Enable CiliumEndpointSlice feature testing on Kuberneres version 1.21 (#17698, @krishgobinath)
- k8sT/Egress: fixes (#17581, @kkourt)
- mlh: update Jenkins jobs following 1.22 support (#17721, @nbusseneau)
- Pinned docker images by SHA within GitHub actions. (#17739, @nathan-415)
- test/K8sVerifier: Cover several datapath configurations (#17470, @pchaigno)
- test: Clean up hubble-ui clusterrole (#17702, @aditighag)
- test: Do not require netpols in 'waitNextPolicyRevisions()' (#17769, @jrajahalme)
- test: Test IPsec+VXLAN on 4.19 (#17512, @pchaigno)
- travis: login to Docker Hub (#17537, @nbusseneau)
- update go.mod dependencies (#17775, @aanm)
- Use cilium-cli sysdump in L4LB tests (#17719, @tklauser)
- vagrant: bump all Vagrant box versions (#17394, @tklauser)
- workflows: disable AKS testing with encryption enabled (#17645, @nbusseneau)
- workflows: retrieve 1.10 branch code for L4LB test (#17737, @nbusseneau)
Misc Changes:
- .github/workflows: checkout all git history for Image GC (#17622, @aanm)
- .github: Increase reporting threshold for new flakes (#17812, @pchaigno)
- Add documentation for vlan bpf bypass. (#17539, @kvaster)
- Add Kernel Misc Probe (#17541, @vincentmli)
- add scruffy to garbage collect CI images from quay.io (#17610, @aanm)
- Adds a warning in the upgrade doc about split cluster (#17755, @Weil0ng)
- Adds concept documentation for CiliumEndpointSlice (#17430, @Weil0ng)
- Adds Northflank as a user (#17855, @DeciderWill)
- all: remove unnecessary string(byteslice) when passed into fmt.*rintf("%s", string(b)) (#17577, @odeke-em)
- Allow to add custom labels to ServiceMonitors cilium-agent, cilium-operator, hubble in the Cilium Helm chart. (#17509, @canhnt)
- bpf, test/bpf: add generated files to .gitignore (#17551, @tklauser)
- bpf/Makefile: Default to
KERNEL=netnext(#17600, @pchaigno) - bpf: Add extension for running sock LB on MKE-related containers (#17513, @borkmann)
- bpf: avoid encrypt_key map lookup if IPsec is disabled (#17840, @tklauser)
- bpf: convert majority of
bpf_elf_mapdefinitions to BTF map definitions (#17640, @ti-mo) - bpf: Fix reset of CB_PROXY_MAGIC (#17592, @jrajahalme)
- bpf: Migrate map migration logic from C to Go (#16917, @nathanjsweet)
- bpf: Refactoring egress gateway datapath (#17868, @pchaigno)
- bpf: remove accidentally committed cilium-map-migrate binary (#17860, @tklauser)
- bpf: remove libelf dependency and unused nobpf.h (#17612, @ti-mo)
- bpf: use ctx_redirect{,_peer}() instead of redirect{,_peer}() (#17814, @tklauser)
- bugtool: dump all active configs and encryption status (#17304, @h3llix)
- build(deps): bump actions/checkout from 1 to 2.3.5 (#17632, @dependabot[bot])
- build(deps): bump actions/checkout from 2.3.5 to 2.4.0 (#17776, @dependabot[bot])
- build(deps): bump azure/CLI from 1.0.4 to 1.0.5 (#17843, @dependabot[bot])
- build(deps): bump azure/login from 1.3.0 to 1.4.0 (#17673, @dependabot[bot])
- build(deps): bump babel from 2.6.0 to 2.9.1 in /Documentation (#17662, @dependabot[bot])
- build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1317 to 1.61.1319 (#17786, @dependabot[bot])
- build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1319 to 1.61.1322 (#17795, @dependabot[bot])
- build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1322 to 1.61.1323 (#17826, @dependabot[bot])
- build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1323 to 1.61.1325 (#17863, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.9.0 to 1.10.0 (#17821, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.4.0 to 1.6.0 (#17602, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.7.0 to 1.8.0 (#17825, @dependabot[bot])
- build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.20.0 to 1.21.0 (#17817, @dependabot[bot])
- build(deps): bump github.com/Azure/azure-sdk-for-go from 54.0.0+incompatible to 54.3.0+incompatible (#17704, @dependabot[bot])
- build(deps): bump github.com/Azure/azure-sdk-for-go from 59.0.0+incompatible to 59.1.0+incompatible (#17787, @dependabot[bot])
- build(deps): bump github.com/Azure/azure-sdk-for-go from 59.1.0+incompatible to 59.2.0+incompatible (#17844, @dependabot[bot])
- build(deps): bump github.com/Azure/go-autorest/autorest from 0.11.17 to 0.11.21 (#17624, @dependabot[bot])
- build(deps): bump github.com/Azure/go-autorest/autorest from 0.11.21 to 0.11.22 (#17818, @dependabot[bot])
- build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.16 to 0.9.17 (#17827, @dependabot[bot])
- build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.8 to 0.5.9 (#17831, @dependabot[bot])
- build(deps): bump github.com/containernetworking/plugins from 0.9.0 to 0.9.1 (#17518, @dependabot[bot])
- build(deps): bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (#17438, @dependabot[bot])
- build(deps): bump github.com/go-openapi/strfmt from 0.20.0 to 0.20.3 (#17568, @dependabot[bot])
- build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0 (#17816, @dependabot[bot])
- build(deps): bump github/codeql-action from 1.0.18 to 1.0.19 (#17641, @dependabot[bot])
- build(deps): bump github/codeql-action from 1.0.19 to 1.0.20 (#17710, @dependabot[bot])
- build(deps): bump github/codeql-action from 1.0.20 to 1.0.21 (#17743, @dependabot[bot])
- build(deps): bump github/codeql-action from 1.0.21 to 1.0.22 (#17783, @dependabot[bot])
- build(deps): bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (#17864, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.4.1 to 1.5.0 (#17782, @dependabot[bot])
- build(deps): bump nick-invision/retry from 2.4.1 to 2.5.0 (#17555, @dependabot[bot])
- build(deps): bump nick-invision/retry from 2.5.0 to 2.5.1 (#17685, @dependabot[bot])
- checkpatch: update to latest image to ignore empty commit messages (#17523, @twpayne)
- cilium: Don't report health error when disabled (#17146, @joestringer)
- cilium: fix ipv6 neighbor discovery (#17842, @borkmann)
- cilium: Rework neighbor handling (#17713, @borkmann)
- CODEOWNERS: Assign egress gateway code to @cilium/bpf (#17774, @pchaigno)
- CODEOWNERS: No review from @cilium/build on
bpf/Makefile(#17601, @pchaigno) - codeql: Update CodeQL action version (#17579, @twpayne)
- contrib/backporting: Dockerize backporting scripts (#17157, @aditighag)
- contrib/backporting: Install PyGithub for user (#17627, @joamaki)
- contrib: Fix submit-release.sh regression (#17607, @joestringer)
- contrib: Support prereleases in release prep scripts (#17502, @joestringer)
- daemon: add K8sCacheIsSynced() method (#17651, @jibi)
- daemon: Skip bridge-like devices (#17560, @joamaki)
- daemons: name init functions and have one
init(#17616, @nebril) - datapath: Always use of wait argument on iptables commands. (#17593, @jrajahalme)
- datapath: Pass proxy port in to-proxy traces (#17595, @jrajahalme)
- dependabot: set pull-request limit to 5 (#17785, @aanm)
- doc: hubble configuration cleanup (#17522, @kaworu)
- docs: add clustermesh-apiserver description (#17025, @oblazek)
- docs: add K8s 1.22 compatibility (#17722, @nbusseneau)
- docs: clarify uses of --direct-routing-device (#17578, @kkourt)
- docs: Docker version requirement for external workloads (#17726, @wazir-ahmed)
- docs: Document limitation for kernels without netns cookie (#17575, @pchaigno)
- docs: fix a block directive in OpenShift GSG (#17760, @qmonnet)
- docs: fix docs following #17238 (#17530, @nbusseneau)
- docs: fix docs following #17526 (#17570, @nbusseneau)
- docs: Fix helm value when deploying pure ipvlan l3 mode (#17708, @chendotjs)
- docs: Mention about KubeVirt in KPR docs (#17847, @brb)
- docs: Remove instructions for nodeinit on various platforms (#17635, @joestringer)
- docs: Reword sentence on WireGuard limitation (#17822, @pchaigno)
- docs: small fixes to Getting Started Guides (#17583, @nbusseneau)
- docs: Update community page (#17599, @joestringer)
- docs: Update iproute2 requirements (#17830, @brb)
- docs: Use git+https in requirements.txt (#17756, @michi-covalent)
- Documentation/Makefile improve clean command (#17598, @kkourt)
- elf: skip BenchmarkWriteELF if ELF file wasn't built (#17536, @tklauser)
- Fix label shown as Unknown App in hubble ui for http-sw-app example (#17597, @hemslo)
- go.mod, vendor: update wireguard-go to latest version (#17740, @tklauser)
- helm: ensure defaultMode=0400 for projected volumes containing secrets (#17367, @rolinh)
- helm: Expose l2 neigh discovery related agent flags (#17526, @brb)
- helm: Fix hubble-ui clusterrole guard (#17846, @gandro)
- hubble-ca-cert ConfigMap cleanup (#17294, @kaworu)
- images/builder: update protoc-gen-go-json from v1.0.0 to v1.1.0 (#17269, @rolinh)
- install/kubernetes/cilium: reference stable docs for eBPF maps (#17757, @tklauser)
- iptables: Remove NOTRACK Netfilter target (#17751, @pchaigno)
- ipvlan: Avoid spammy dmesg info messages (#17709, @chendotjs)
- k8s/watchers: Add missing v1 EndpointSlice group on init (#17778, @christarazi)
- make: merge Go update targets (#17794, @tklauser)
- Minor egress gateway fixups (#17663, @pchaigno)
- monitor: Fix mismatching frontend service debug trace types (#16953, @christarazi)
- monitor: Improve the log output format of datapath log. (#17507, @leonliao)
- neigh: add runtime test for changing next hop address (#17862, @borkmann)
- operator: remove deprecated Azure cloud name flag (#17765, @tklauser)
- pkg/rate,proxylib: Use math.MaxInt constants (#17580, @twpayne)
- pkg: rename egresspolicy package to egressgateway (#17630, @jibi)
- podcidr: rename a variable, to remove its "v4" prefix in a context where it can refer either to IPv4 or IPv6 (#17763, @cndoit18)
- policy: Add a bpf compiling option when
enable-icmp-rulesflag is set (#17620, @chez-shanpu) - Prepare for release v1.11.0-rc0 (#17501, @joestringer)
- Remove unrelated labels from example node-local-dns yaml (#17564, @Weil0ng)
- Remove unused variable in test_tc_tunnel.c (#17683, @h3llix)
- Revert "operator: only GC identity keys of its own cluster" (#17549, @nbusseneau)
- Revert "travis: login to Docker Hub" (#17548, @nbusseneau)
- Revert PR #17145 (#17675, @nbusseneau)
- Speed up build image process for PRs (#17623, @aanm)
- test, images: update helm to 3.7.0 (#17488, @kaworu)
- test: Delete hubble-ca-secret when cleaning up (#17591, @jrajahalme)
- test: Disable unreliable K8sBookInfoDemoTest test (#17550, @twpayne)
- test: Enable debug for l4lb test (#17720, @jrajahalme)
- test: Quarantine K8sServicesTest Check services across nodes (#17514, @twpayne)
- Tidy up Kubernetes watcher synchronization (#17145, @joestringer)
- Tidy up Kubernetes watcher synchronization (#17677, @joestringer)
- treewide: Ensure that binaries are built with at least Go 1.17 (#17322, @twpayne)
- treewide: Fix problems identified by CodeQL (#17516, @twpayne)
- treewide: Use formatted logrus logs when possible (#17611, @pchaigno)
- Update bug_template.md to use "cilium sysdump" command (#17697, @michi-covalent)
- Update controller tools v0.6.2 (#17596, @jrajahalme)
- Update Go to 1.17.2 (#17565, @tklauser)
- Update Go to 1.17.3 (#17792, @tklauser)
- Update mailmap and latest authors (#17605, @joestringer)
- Update some dependencies to release versions (#17497, @tklauser)
- Update stable releases (#17609, @joestringer)
- Update stable releases (#17808, @joestringer)
- Use k8snodestore to perform node status GC of CCNP and CNP (#16430, @daemon1024)
- veth: Avoid spammy dmesg info messages (#17705, @borkmann)
Contributors
twpayne, gandro, and 46 other contributors