1.12.0-rc3
Pre-release
We are pleased to release Cilium v1.12.0-rc3.
Summary of Changes
Major Changes:
- Add support for Kubernetes v1.24.0 (#19545, @aanm)
- add support for AKS BYOCNI (#19379, @nbusseneau)
- Delegated IPAM plugin (#19219, @wedaly)
- Enables ICMP network policy function by default (#20174, @chez-shanpu)
Minor Changes:
- Add concurrency limiting for DNS message processing (#19592, @nebril)
- Add config flag to add a prefix to AgentNotReadyNodeTaint value in order to enable the taint being ignored by cluster autoscaler. (#19247, @thejosephstevens)
- Add counter to track all datapath timeouts due to FQDN IP updates (#19809, @ungureanuvladvictor)
- Add emptyDir volume for frontend container of hubble-ui (#20027, @mkilchhofer)
- Add metric on datapath update latency due to FQDN IP updates (#19992, @rahulkjoshi)
- Add source filter for the cilium fqdn cache list command (#19980, @ungureanuvladvictor)
- Add support for getting earliest events from Observer API (#19819, @chancez)
- Add support for L7 policies with VTEP integration (#19473, @vincentmli)
- Add support to opt-in for using ENI's primary IP for allocations (#20050, @hemanthmalla)
- Add type label to the identity metric (#19999, @ungureanuvladvictor)
- bgp: Check the Condition.Ready field when adding ready endpoints (#20176, @ysksuzuki)
- Bugtool: Add additional Linux traffic-control (tc) data to cilium-bugtool output. (#19856, @tommyp1ckles)
- Change default agent health check port to avoid conflicts (#19830, @tklauser)
- Change default prometheus ports to new reserved Cilium ports (#20156, @knfoo)
- clustermesh: Add support for service-affinity (#19521, @sayboras)
- Dynamic Per Resource Timeouts (#19991, @tommyp1ckles)
- envoy: Bump cilium envoy to latest version v1.21.3 (#20142, @sayboras)
- feat(helm): allow to set Hubble Relay and UI service type and nodePort (#19450, @raphink)
- helm: add description for some Helm values (#19658, @my-git9)
- install/kubernetes: Add CAP_IPC_LOCK for mmap (#19812, @sayboras)
- Introduce a new CRD (CiliumEgressGatewayPolicy) for Egress Gateway configuration. Deprecate the previous CRD (CiliumEgressNATPolicy). (#19561, @julianwiedmann)
- IPSec key rotation without agent restart (#19814, @jibi)
- Move the BGP Control Plane to utilize CiliumNode objects. This enables support for IPAM driven PodCIDR announcements. (#19872, @ldelossa)
- Runtime device detection (#17460, @joamaki)
- Speed up identity lookup in Hubble and L7 proxy by no longer calculating SHA256 over labels. (#20104, @tklauser)
- ui: v0.9.0 images and drop envoy proxy container (#19565, @geakstr)
- Update to CNI spec version 1.0.0 (#19719, @tklauser)
- Use DeleteOnMetadataMatch instead of Delete for endpointUpdated (#19996, @kvaster)
Bugfixes:
- Add missing packet trace for some non-NodePort SNAT egress (#19158, @YutaroHayakawa)
- bpf: Use tunnel port flag instead of hardcoded value (#20115, @pchaigno)
- cilium: fix conflicting iptables-legacy and iptables-nft rules (#20123, @jrfastab)
- cli: Update regex for key value validation (#19794, @sayboras)
- cli: Use custom named map instead of StringToStringVar (#19968, @sayboras)
- clustermesh: Add ownerReferences for CiliumNodes (#19959, @sayboras)
- cmd: Allow more complicated patterns in map string type. (#19955, @sayboras)
- contrib: Fix passing ipFamily to kind.sh (#19707, @brb)
- datapath: Fix implicit-int-conversion err in common.h (#19832, @brb)
- endpoint: Fix packets to host dropped with the chaining mode and host firewall (#19734, @ysksuzuki)
- Fix agent panic in some cases when service matcher local redirect policy was deployed prior to the selected service. (#19522, @aditighag)
- Fix Azure IPAM 403 errors for Azure instances using Azure Compute Gallery images (#19697, @andrew-bulford-form3)
- Fix blackhole route error when cleanup (#20042, @soulseen)
- Fix bug where established host connections would be interrupted on agent restart if the host firewall was enabled. (#19998, @pchaigno)
- Fix Cilium bootstrapping regression with etcd without relying on DNS (#20106, @aanm)
- Fix Cilium initialization for clusters with etcd-operator (#20131, @aanm)
- Fix error propagation in bpf_lxc (#20144, @DolceTriade)
- Fix memory leak in the DNS cache when a long-lived endpoint makes many unique DNS lookups over time (#19925, @christarazi)
- Fix race condition leading to inconsistent CiliumNode that can cause the agent to fatal. (#19923, @pchaigno)
- Fixed SystemD >=245 sysctl(`rp_filter`) config incompatibility (#20072, @dylandreimerink)
- Fixes a bug in the BGP control plane which causes the wrong BGP virtual servers to be selected for reconciliation or removal (#19659, @ldelossa)
- helm: Relax hubble ui image versions validation (#20039, @sayboras)
- iptables: ensure all rules are installed consistently (#19693, @jibi)
- iptables: fix typo in addProxyRule condition (#20109, @jibi)
- nodediscovery: ensure we cache the nodeResource correctly to avoid null pointer dereferencing (#20158, @odinuge)
- nodemanager: Fix bug where Cilium tried to reach stale health endpoints on kubeapi-server nodes (#20210, @gandro)
- operator: Add cilium node garbage collector (#19576, @sayboras)
CI Changes:
- .github/workflows: bump v1.10 workflows to cilium-cli v0.10.5 (#19897, @tklauser)
- .github/workflows: bump v1.10 workflows to cilium-cli v0.10.6 (#19935, @tklauser)
- .travis: Disable race build on master (#19773, @pchaigno)
- Add missing VTEP complexity tests (#19539, @vincentmli)
- Add support for tparse in go test targets (#20032, @joestringer)
- bpf: Reenable features disabled because of complexity issues (#19938, @pchaigno)
- build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (#19971, @dependabot[bot])
- checkpatch: Update image for "checkpatch" target, reuse target in CI (#19805, @qmonnet)
- ci-l4lb: Check out stable branch (#19905, @michi-covalent)
- ci: fix documentation workflow (#20025, @nbusseneau)
- ci: Increase retention for release image CI artifacts to 10 days (#20141, @michi-covalent)
- CI: merge NAT46x64 and L4LB GH actions (#19288, @brb)
- ci: pick up cilium-cli v0.11.9 for master/v1.11 workflows (#20234, @tklauser)
- ci: provide CI images with unstripped binaries (#20238, @tklauser)
- ci: set Cilium base version to v1.10.12 in v1.10 conformance tests (#19946, @tklauser)
- fix aws-cni conformance test (#20049, @aanm)
- ipcache: Fix failing controller check from SupportsDelete (#19751, @joamaki)
- jenkins: switch to ad-hoc GKE cluster creation/deletion (#19918, @nbusseneau)
- Load the dev operator image into kind/microk8s as well (#19995, @ungureanuvladvictor)
- master/v1.11 CI: Pick up the latest cilium-cli (#19873, @michi-covalent)
- mlh: update Jenkins jobs following 1.24 support (#19904, @nbusseneau)
- mlh: update Jenkins jobs following net-next fix for K8s 1.24 (#20220, @nbusseneau)
- Revert "ci: use CLI 0.11.8 for AKS workflow" (#20272, @tklauser)
- test: add git safe directory in test VMs (#19860, @tklauser)
- test: Add info which L4LB request fails (#19714, @brb)
- test: Add TS to each bash dbg output in L4LB (#20094, @brb)
- test: Also delete hubble-peer when cleaning up old tests. (#19979, @DolceTriade)
- test: Bump L4LB timeout from 30min to 45min (#20151, @brb)
- test: Do not completely quarantine E/W svc suite (#19960, @brb)
- test: Remove unused Nightly suites (#20128, @brb)
- test: Use more explicit key for k8s3's taint (#19951, @pchaigno)
- test: Wait for pod termination in K8sServicesTest (#19750, @brb)
- tests-l4lb: Use Helm chart from local branch (#19953, @michi-covalent)
- Update 5.4 VM image (#19842, @pchaigno)
- update bpf_ct_tests.c to use node_config.h (#20177, @sahid)
- vagrant: Bump 4.19 VM image (#20185, @pchaigno)
- vagrant: Bump net-next Vagrant box version (#19915, @pchaigno)
- vagrant: Fix IPv6 NAT setup (#19997, @pchaigno)
- workflow: aws-cni-v1.10: use helm chart from PR (#19952, @jibi)
- workflow: checkout correct ref in v1.10 and v1.11 l4lb workflows (#19898, @jibi)
- workflow: l4lb: pass correct path for PR checkout (#20007, @jibi)
- workflow: use correct bwm helm option for v1.11 AWS CNI test (#19895, @jibi)
- workflows: Downgrade to helm v3.8.2 to fix AWS CNI runs for v1.10 (#20073, @joamaki)
- workflows: Pin the kubectl version used with EKS workflows (#19716, @joamaki)
- workflows: update v1.10 workflows to v0.10.7 cilium CLI (#20020, @jibi)
Misc Changes:
- Add a note about conflicting node CIDRs #20204 (#20208, @wokalski)
- Add Deckhouse to users (#19804, @konstantin-axenov)
- Added ByteDance to users.md (#19823, @Jiang1155)
- Adding IKEA IT AB to the USERS.md (#20099, @knfoo)
- Adding Overstock to the USERS.md (#19762, @ntaylor1781)
- Allocate Ingress IPs for new `reserved:ingress` identity (#19764, @jrajahalme)
- api: change "group not found" log to debug (#19927, @tklauser)
- api: generate markdown documentation for gRPC APIs (#18799, @rolinh)
- bpf: Don't hardcode `cb` `CB_ENCRYPT_DST` index (#20105, @pchaigno)
- bpf: Rename tail call targets (#19807, @pchaigno)
- bpf: specify handle_lxc_traffic return type to fix -Wimplicit-int error (#19891, @tklauser)
- bpf: Split bpf_lxc CT lookups to their own tail calls (#19818, @pchaigno)
- bugtool: Add structured node and health output (#20011, @gandro)
- build(deps): bump actions/cache from 3.0.2 to 3.0.3 (#20029, @dependabot[bot])
- build(deps): bump actions/cache from 3.0.3 to 3.0.4 (#20093, @dependabot[bot])
- build(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (#19801, @dependabot[bot])
- build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 (#19899, @dependabot[bot])
- build(deps): bump docker/build-push-action from 2.10.0 to 3 (#19725, @dependabot[bot])
- build(deps): bump docker/login-action from 1.14.1 to 2 (#19727, @dependabot[bot])
- build(deps): bump docker/setup-buildx-action from 1.7.0 to 2 (#19728, @dependabot[bot])
- build(deps): bump docker/setup-qemu-action from 1.2.0 to 2 (#19722, @dependabot[bot])
- build(deps): bump github.com/cilium/ebpf from 0.8.1 to 0.9.0 (#19972, @dependabot[bot])
- build(deps): bump github.com/containernetworking/cni from 1.1.0 to 1.1.1 (#20058, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 20.10.14+incompatible to 20.10.16+incompatible (#19811, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 20.10.16+incompatible to 20.10.17+incompatible (#20136, @dependabot[bot])
- build(deps): bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (#19736, @dependabot[bot])
- build(deps): bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (#20119, @dependabot[bot])
- build(deps): bump github.com/google/gops from 0.3.22 to 0.3.23 (#19737, @dependabot[bot])
- build(deps): bump github.com/hashicorp/consul/api from 1.12.0 to 1.13.0 (#20121, @dependabot[bot])
- build(deps): bump github.com/osrg/gobgp/v3 from 3.1.0 to 3.2.0 (#19667, @dependabot[bot])
- build(deps): bump github.com/osrg/gobgp/v3 from 3.2.0 to 3.3.0 (#20071, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.4 to 3.22.5 (#20044, @dependabot[bot])
- build(deps): bump github.com/spf13/cast from 1.4.1 to 1.5.0 (#19780, @dependabot[bot])
- build(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#19988, @dependabot[bot])
- build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#20120, @dependabot[bot])
- build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.3 (#20253, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.11 to 2.1.12 (#20057, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.9 to 2.1.11 (#19853, @dependabot[bot])
- build(deps): bump golang.org/x/tools from 0.1.10 to 0.1.11 (#20159, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#19779, @dependabot[bot])
- build(deps): bump google.golang.org/grpc from 1.46.0 to 1.46.2 (#19835, @dependabot[bot])
- build(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0 (#20045, @dependabot[bot])
- build(deps): bump gopkg.in/ini.v1 from 1.66.4 to 1.66.6 (#20021, @dependabot[bot])
- build(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#20198, @dependabot[bot])
- build(deps): bump KyleMayes/install-llvm-action from 1.5.2 to 1.5.3 (#19865, @dependabot[bot])
- build(deps): bump library/alpine from 3.15.4 to 3.16.0 in /images/cache (#19943, @dependabot[bot])
- Capital One added to Users doc (#20084, @bradwhitfield)
- cilium: make tcp rebalance grace period configurable (#19800, @borkmann)
- CODEOWNERS: Extend proxy group to pkg/fqdn (#19874, @christarazi)
- contrib/scripts: Support env vars for kind script (#20035, @christarazi)
- contrib: Support contrib/scripts/kind.sh on macOS (#20096, @sayboras)
- daemon, option: remove deprecated native-routing-cidr option (#19677, @tklauser)
- daemon, option: remove deprecated prefilter-* options (#19913, @julianwiedmann)
- daemon: Fix build after VTEP routes conflict (#20077, @joestringer)
- datapath: Improve sysctl warning for bpf_jit_enable (#20018, @joamaki)
- datapath: Improved BPF testing framework (#20017, @dylandreimerink)
- datapath: Use FROM_NETDEV instead of FROM_LXC in nodeport.h (#19986, @brb)
- dependabot: Unignore prometheus/client_golang (#20075, @ti-mo)
- Do not disable peer service when hubble.listenAddress is empty (#19886, @chancez)
- doc: add note about checkpatch during dev workflow (#19879, @sahid)
- doc: update doc to inform about SERVER_BOX/VERSION (#19749, @sahid)
- doc: VTEP redirection and L7 policy partially incompatible (#19700, @vincentmli)
- docs(MAINTAINERS): fix link to commit_access.rst (#20081, @raphink)
- docs(README): add logo option for dark theme (#19920, @raphink)
- docs, ci, test/l4lb: use latest cilium-cli release according to stable.txt (#20203, @tklauser)
- docs: Add default conntrack gc interval (#19977, @aditighag)
- docs: Add developers guide page about BPF testing framework (#20165, @dylandreimerink)
- docs: Add docs-builder build as dependency to live preview (#19885, @qmonnet)
- docs: Add getting started docs for Ingress (#19760, @sayboras)
- docs: Add interactive help for `make` targets (Documentation/Makefile) (#20012, @qmonnet)
- docs: add kube-apiserver to the special identity list (#20047, @kaworu)
- docs: add missing ingress special identity (#20060, @kaworu)
- docs: added GSoD technical writers (#19799, @xmulligan)
- docs: Document operator.unmanagedPodWatcher (#19820, @joestringer)
- docs: Fix and clean-up the build framework for the documentation (#19969, @qmonnet)
- docs: Fix build after etcd v3.5.4 version bump (#20171, @joestringer)
- docs: Fix incorrect command in IPsec GSG (#19767, @pchaigno)
- docs: Fix incorrect FQDN flag (#19930, @pchaigno)
- docs: Fix max SPI value for IPsec key rotations (#19893, @pchaigno)
- docs: Fix reference to upgrade guide (#20184, @joestringer)
- docs: Mark Git repo as safe in Docker build-docs container (#19861, @qmonnet)
- docs: Mention KPR in DR mode sec ID limitation (#19113, @brb)
- docs: minor fixes (#20218, @julianwiedmann)
- docs: Nit changes to steps for image building (#20153, @pchaigno)
- docs: Remove '\r' chars from grep result to parse Alpine image name (#19888, @qmonnet)
- docs: remove stale EgressGW limitation with CES (#20195, @julianwiedmann)
- docs: update egress gateway documentation and mark the feature stable (#19862, @jibi)
- Document that clustermesh cluster-id range is 1-255 (#19683, @stonith)
- Dynamic Cluster Pool follow-ups (#19777, @gandro)
- Expose metrics for active FQDN connections per endpoint (#19857, @christarazi)
- Fix missing capabilities when not running Cilium on containerd-based Kubernetes (#19903, @AtkinsChang)
- Fix running documentation make targets on MacOS (#19900, @chancez)
- Fixes: Added the declaration of license (#19834, @yulng)
- gha: Add ingress conformance test (#19742, @sayboras)
- gha: Add retry options for ingress sanity check (#19825, @sayboras)
- gha: Bump cilium cli version to v0.11.6 (#19828, @sayboras)
- go.mod, vendor: update cloud provider SDK Go modules for June 2022 (#20126, @tklauser)
- helm: don't generate the hubble-peer svc during preflight checks (#19759, @kaworu)
- helm: Expose agent DNS proxy parameters as chart values (#19967, @joaoubaldo)
- helm: Fix syntax error in Hubble UI className (#20056, @gandro)
- helm: Templatize preflight and clustermesh-apiserver repos (#20206, @michi-covalent)
- helm: use port 80/443 by default for the peer service (#19933, @rolinh)
- highlight `values.yaml.tmpl` as yaml (#20250, @kaworu)
- hubble: Improve performance of identity getter (#20005, @gandro)
- hubble: remove unused local observer field (#19962, @kaworu)
- images/cilium: remove cilium group from Dockerfile (#19711, @aanm)
- images/runtime: update CNI plugins to 1.1.1 (#19690, @tklauser)
- images: Update cilium-bpftool (#20197, @NikAleksandrov)
- Improve Cilium DNS Proxy-related error metrics (#19702, @christarazi)
- ingress: Couple of cleanup and TODOs (#19647, @sayboras)
- install/cilium-operator: fix clusterrole rules (#19686, @aanm)
- install/kubernetes: Avoid quoting version twice (#20188, @joestringer)
- install/kubernetes: bump etcd to v3.5.4 (#20134, @aanm)
- install: Fix typos of cilium (#20113, @twpayne)
- ipam: Shutdown retry trigger on node deletion (#20140, @christarazi)
- ipcache: Error out from InjectLabels if Checker is nil (#19887, @jrajahalme)
- ipcache: Make SupportsDelete() more robust by using a separate map (#19641, @joamaki)
- ipsec: Rewrite parser for IPsec secret (#19824, @pchaigno)
- k8s: Move CiliumEnvoyConfig to v2 (#19688, @jrajahalme)
- maglev: use github.com/cilium/workerpool (#19940, @kaworu)
- MAINTAINERS: update committers (#20014, @tklauser)
- make: fix Makefile docker pull command to cause an error when using podman (#19748, @koba1t)
- Makefile: Add 'make kind-image' to 'make help' (#19963, @joestringer)
- Makefile: Measure unit test coverage by package (#20038, @joestringer)
- metrics: Fix NaN value for cilium metrics list CLI (#19987, @sayboras)
- Misc Makefile improvements for quiet mode V=0 (#20031, @joestringer)
- Optimize CIDR label functions (#19843, @christarazi)
- pkg/bpf: Include BPF map names during map creation (#20091, @christarazi)
- pkg/fqdn: Replace remaining usages of regex compile with LRU (#19875, @christarazi)
- pkg/policy/api: Optimize Decision MarshalJSON() (#19704, @MikeLing)
- pkg/policy/policy: Optimize SearchContext String() (#19661, @MikeLing)
- pkg/policy/rule: Optimize rule String() (#19822, @MikeLing)
- preallocate memory before looping over it (#19566, @florianl)
- Prepare for release v1.12.0-rc2 (#19694, @aanm)
- Prepare v1.12 stable branch (#20276, @aanm)
- Support builder image on arm64 (#19768, @chancez)
- Support for Cilium in Exoscale SKS (#20076, @retrack)
- Templatize helm template image references (#20066, @joestringer)
- test/bpf: Fix format of `check-complexity.sh` script (#19836, @pchaigno)
- test/upgrade: use the unreleased helm chart of stable branches (#19710, @aanm)
- treewide: Fix typos of Kubernetes (#20114, @twpayne)
- Update cli-download.rst (#20181, @nvibert)
- Update Go to 1.18.2 (#19775, @tklauser)
- Update Go to 1.18.3, golangci-lint to 1.46.2 (#20061, @tklauser)
- Update stable releases (#19841, @joestringer)
- Update stable releases (#20224, @joestringer)
- Update USERS.md (#19837, @edude03)
- Update USERS.md (#20002, @FaKod)
- UPDATE users.md: Add CONNY (#19815, @ant31)
- update-docs: add details for how to enable/disable Policy Audit Mode by endpoint (#19876, @BryanStenson-okta)
- Use FQDN regex LRU everywhere (#19632, @christarazi)
- vagrant: add git exception in dev VMs for cilium repo for root user (#19855, @jibi)
- Various cleanups around pkg/datapath (#20041, @tklauser)