1.11.9

We are pleased to release Cilium v1.11.9. It provides many bugfixes and several quality of life improvements.

Summary of Changes

Minor Changes:

• Added hubble.ui.frontend.server.ipv6.enabled helm flag to control nginx server ipv6 listener (Backport PR #21223, Upstream PR #21127, @geakstr)
• dnsproxy: stop serving DNS traffic before agent shutdown (Backport PR #21223, Upstream PR #20795, @nebril)
• install: add TerminationMessagePolicy to cilium pods (Backport PR #21291, Upstream PR #21012, @squeed)
• put stderr of iptables command into error instead of merging into stdout (Backport PR #21139, Upstream PR #20895, @liuyuan10)

Bugfixes:

• clustermesh-apiserver: fix key name for delete during k8s->kvstore sync (Backport PR #21139, Upstream PR #21078, @tklauser)
• datapath: allow local NodePort traffic for eni+ container interfaces with CNI chaining (Backport PR #21223, Upstream PR #21126, @ti-mo)
• Do not enable health checks if only Terminating backends are present on a Node which is selected by a Service with externalTrafficPolicy: Local Service (Backport PR #21211, Upstream PR #21062, @zuzzas)
• Fix conflicting routes for multiple ENIs in IPAM mode (Backport PR #21223, Upstream PR #20112, @recollir)
• Fix identity garbage collection in clustermesh environments (#20933, @aanm)
• Fix node label synchronization in the KVStore when IPSec configuration changes (Backport PR #21139, Upstream PR #21087, @aanm)
• Fix regression with cilium-health-probe controller in IPv6-only clusters (Backport PR #20939, Upstream PR #20849, @aanm)
• Fix Wireguard connectivity issues when using kvstore mode (Backport PR #21139, Upstream PR #21080, @aanm)
• Fixed PodCIDR announcement being overwritten by SVC announcement (Backport PR #20880, Upstream PR #20413, @dylandreimerink)
• Fixes typos in enabling fqdn_semaphore_rejected_total metric (Backport PR #20939, Upstream PR #20893, @rahulkjoshi)
• For configurations with Egress Gateway and Direct-Routing, avoid recreating the cilium_vxlan interface on every restart. (Backport PR #21139, Upstream PR #20780, @julianwiedmann)
• ipcache/kvstore: fix panic when processing ip= entries (Backport PR #20939, Upstream PR #20706, @ArthurChiao)
• ipsec: Fix incorrect parsing of SPI from mark (Backport PR #20939, Upstream PR #20900, @pchaigno)
• k8s/watchers: fix panic in CiliumEndpoint labels update (Backport PR #21139, Upstream PR #20865, @jaffcheng)
• kvstore/allocator: fix panic on receiving invalid identity entries (Backport PR #21291, Upstream PR #21213, @ArthurChiao)
• operator: do not GC kvstore nodes if CiliumNodes are not available (Backport PR #21223, Upstream PR #21133, @aanm)
• operator: update CiliumNode in kvstore without lease (Backport PR #21223, Upstream PR #21202, @tklauser)
• pkg/k8s/watcher: fix deadlock crash that occurs when handling endpoint and service updates. (Backport PR #21223, Upstream PR #21093, @tommyp1ckles)
• v1.11: operator: fix key name for delete during k8s->kvstore sync (#20983, @tklauser)
• When systemd-sysctl sets the rp_filter sysctl, tolerate missing lxc_* / cilium_* interfaces. (Backport PR #21223, Upstream PR #21146, @julianwiedmann)

CI Changes:

• backport v1.11: test: Switch to kindest/node:v1.24.3 (#20919, @brb)
• CI: Enable IPv6 in the L4LB suite (Backport PR #20939, Upstream PR #20821, @brb)
• config: Fix unit tests for native routing CIDR (Backport PR #20939, Upstream PR #20473, @pchaigno)
• gh/workflows: stop using ubuntu-18.04 runner (Backport PR #21139, Upstream PR #21015, @julianwiedmann)
• k8s: fix test flake in TestGenerateToCIDRFromEndpoint. (Backport PR #21223, Upstream PR #21220, @tommyp1ckles)
• k8s: fix test flake in TestGenerateToCIDRFromEndpoint. (Backport PR #21291, Upstream PR #21220, @tommyp1ckles)
• Update wrk2 repository (#21158, @michi-covalent)

Misc Changes:

• add kvstore TTL flag in cilium-operator (Backport PR #21139, Upstream PR #21006, @NikhilSharmaWe)
• bgp: Fixed broken bgp speaker unit tests (Backport PR #20880, Upstream PR #20521, @dylandreimerink)
• build(deps): bump 8398a7/action-slack from 3.13.0 to 3.13.2 (#21036, @dependabot[bot])
• build(deps): bump actions/cache from 3.0.7 to 3.0.8 (#21024, @dependabot[bot])
• build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (#21047, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.18 to 2.1.19 (#20988, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.19 to 2.1.20 (#21025, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.20 to 2.1.21 (#21091, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.21 to 2.1.22 (#21172, @dependabot[bot])
• Coalesce of health endpoint CIDRs (Backport PR #21223, Upstream PR #20848, @dezmodue)
• docs(bandwidth-manager): add note on per-pod limits (Backport PR #20939, Upstream PR #20916, @raphink)
• docs: fix check-crd-compat-table script (Backport PR #21291, Upstream PR #21208, @aanm)
• docs: Update ToServices docs section (Backport PR #21139, Upstream PR #21052, @joestringer)
• Document per-endpoint route requirement in aws-cni Helm snippet (Backport PR #21291, Upstream PR #21276, @ti-mo)
• Fix complaint about nil IP address on restore of cilium_host (Backport PR #20939, Upstream PR #20734, @christarazi)
• Improve CRD schema update automation during release process (Backport PR #20939, Upstream PR #20875, @joestringer)
• metallb: bump to latest metallb version (Backport PR #21223, Upstream PR #21131, @ldelossa)
• test: update k8s versions to the latest patched releases (#21101, @aanm)

Other Changes:

• Adding support for tracking instance hypervisor type in ENI limits pkg (#20930, @tommyp1ckles)
• install: Update image digests for v1.11.8 (#20927, @joestringer)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.9@sha256:a732e57cb4881abe4783562bbba0045209ef85542372b44ce61584c887c49878
quay.io/cilium/cilium:v1.11.9@sha256:a732e57cb4881abe4783562bbba0045209ef85542372b44ce61584c887c49878

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.9@sha256:7fdc72903f079a55a5906e64d01fcc7d86024b08d82425b5d63d392e4b21e1a2
quay.io/cilium/clustermesh-apiserver:v1.11.9@sha256:7fdc72903f079a55a5906e64d01fcc7d86024b08d82425b5d63d392e4b21e1a2

docker-plugin

docker.io/cilium/docker-plugin:v1.11.9@sha256:d627d49e18ddf9a343403328497e1c5fe6501c0841e31fc974439a06ef338d46
quay.io/cilium/docker-plugin:v1.11.9@sha256:d627d49e18ddf9a343403328497e1c5fe6501c0841e31fc974439a06ef338d46

hubble-relay

docker.io/cilium/hubble-relay:v1.11.9@sha256:0b2f19895de281e4a416700b17a4dc9b8d3b80eb7b5b65dac173880f5113084e
quay.io/cilium/hubble-relay:v1.11.9@sha256:0b2f19895de281e4a416700b17a4dc9b8d3b80eb7b5b65dac173880f5113084e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.9@sha256:c179af970e6cffaafecd808f5aa3f5fe3a70151a6ff3192ffbdfa852ae7447c2
quay.io/cilium/operator-alibabacloud:v1.11.9@sha256:c179af970e6cffaafecd808f5aa3f5fe3a70151a6ff3192ffbdfa852ae7447c2

operator-aws

docker.io/cilium/operator-aws:v1.11.9@sha256:e07670cfed71007fd49c27c5a7805b8c949caedfc60296b9712b98dbaff82db8
quay.io/cilium/operator-aws:v1.11.9@sha256:e07670cfed71007fd49c27c5a7805b8c949caedfc60296b9712b98dbaff82db8

operator-azure

docker.io/cilium/operator-azure:v1.11.9@sha256:65d1c2a43af3700211290a46ee71dfff194475ac94175b5281dd2c839cf37b31
quay.io/cilium/operator-azure:v1.11.9@sha256:65d1c2a43af3700211290a46ee71dfff194475ac94175b5281dd2c839cf37b31

operator-generic

docker.io/cilium/operator-generic:v1.11.9@sha256:d98c1d94da2ef597981e16fe8d894103f49b5174e6b36f91341e9fbcd723668b
quay.io/cilium/operator-generic:v1.11.9@sha256:d98c1d94da2ef597981e16fe8d894103f49b5174e6b36f91341e9fbcd723668b

operator

docker.io/cilium/operator:v1.11.9@sha256:f6fad3a2c62e8406636976e13d90d852c9e64a353fb303edb492ee9bc6fa2f3f
quay.io/cilium/operator:v1.11.9@sha256:f6fad3a2c62e8406636976e13d90d852c9e64a353fb303edb492ee9bc6fa2f3f