1.13.0
Changelog
The Cilium core team are excited to announce the Cilium 1.13 release. 🎉
v1.13.0
Summary of Changes
Major Changes:
- Add IPv6 BIG TCP support (#20349, @NikAleksandrov)
- Add LoadBalancer IP address management (LB-IPAM) (#21764, @dylandreimerink)
- Add partial support for SCTP (#20033, @DolceTriade)
- Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
- Add support for k8s 1.26 (#22270, @thorn3r)
- Add tracing for socket-based load balancing. (#20492, @aditighag)
- Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
- bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann)
- cilium: completion of nat46/64 gateway (Backport PR #22948, Upstream PR #22421, @borkmann)
- CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)
- Datapath support for Cilium mTLS (#21822, @jrajahalme)
- gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras)
- ingress: Support shared load balancer mode (#21386, @sayboras)
- Sign Cilium container images using cosign (#21918, @sandipanpanda)
- Support Kubernetes v1.21 new field internalTrafficPolicy=Local. (Backport PR #23001, Upstream PR #21871, @gentoo-root)
Minor Changes:
- [v1.13] hubble-relay: deprecate peer svc through local unix domain socket (#23442, @kaworu)
- add nonMasqueradeCIDRs configuration to the ipMasqAgent section in Helm Chart values. (#20137, @cyclinder)
- Add "cilium map events" command that lists bpf map operation events (#21235, @tommyp1ckles)
- Add --source-ranges option to cilium bpf lb list (#19705, @julianwiedmann)
- Add ability to specify topologySpreadConstraints on all parts using kind Deployment. This helps users to correctly spread the pods across failure-domains such as regions, zones, nodes, and other user-defined topology domains to achieve maximum high availability (HA) and efficient resource utilization. (#20046, @mkilchhofer)
- add an option to wait for kube-proxy (#20517, @michi-covalent)
- add helm option configuredMTU to overwrite auto-detected MTU and tunnelPort helm document (#20639, @vincentmli)
- Add metric on number of requests rejected by DNS Proxy semaphore (#20491, @rahulkjoshi)
- Add new ENI IPAM metrics for allocation, release (#20755, @wu0407)
- Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
- Add Prometheus gRPC metrics for hubble and hubble-relay (#20376, @chancez)
- Add support for disabling ENI PD at node level (#20308, @hemanthmalla)
- add support for k8s 1.25.0 (#20995, @aanm)
- Add support to fallback from ENI PD if subnet is out of /28 prefixes (#20822, @hemanthmalla)
- Add the additional print columns CiliumInternalIP and InternalIP for the kubectl get ciliumnode command. (#21258, @bavarianbidi)
- Add TraceID field to Hubble flow and populate it from L7/HTTP flow. (#21456, @rolinh)
- Add workload name and kind into L7 flows (#21039, @chancez)
- Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
- Added hubble.ui.frontend.server.ipv6.enabled helm flag to control nginx server ipv6 listener (#21127, @geakstr)
- Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol)
- Allow users to specify hostports with localhost hostIP (#21366, @aspsk)
- Automatically adjust bpf-policy-map-max if the maximum value is exceeded (#22129, @vishal-chdhry)
- bpf/tests: fix redundant usage of variable offset (#22390, @sahid)
- bpf: Add missing identity to TRACE_TO_STACK packet traces (#21403, @pchaigno)
- bpf: Implement Segment Routing Header (SRH) support (#20764, @pchaigno)
- bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
- Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
- Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer)
- CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (#20458, @jrajahalme)
- Cilium Istio integration is updated to Istio release 1.10.6 (#18384, @jrajahalme)
- Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme)
- cilium, bwm: Disable slow start after idle under pacing (#21356, @borkmann)
- cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
- cilium: Remove attached bpf_xdp upon "cilium cleanup" (#19735, @zhanghe9702)
- clarify some docs around the kubeProxyReplacement=partial mode (#19831, @aecay)
- clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
- ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
- daemon: Deprecate SockOps (Backport PR #23687, Upstream PR #23555, @brb)
- daemon: Don't auto disable session affinity (#16179, @brb)
- daemon: Rename host-reachable services to socket LB (#20369, @brb)
- Default NodesGCInterval in CLI is 5m (0s before) to align with default helm value. (#20671, @hemslo)
- Disable and deprecate force-local-policy-eval-at-source (#22190, @pchaigno)
- Disable eBPF host routing in cni chaining mode (#22044, @smwyzi)
- DNS proxy: forward the original security identity (#20711, @aspsk)
- DNS Proxy: pass original security identity (#20859, @aspsk)
- dnsproxy: stop serving DNS traffic before agent shutdown (#20795, @nebril)
- docs: refactor AKS installation instructions (Backport PR #23687, Upstream PR #23304, @nbusseneau)
- document ipv4/ipv6 native routing cidr helm option missing in Documentation and helm reference (#21195, @vincentmli)
- egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
- Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
- Enable operator operation without kubernetes. (#21344, @pruiz)
- eni: Add garbage collector for leaked ENIs (#21409, @gandro)
- envoy: Bump envoy version to 1.21.5 (#20771, @sayboras)
- envoy: Bump envoy version to 1.22.7 (Backport PR #23644, Upstream PR #23502, @sayboras)
- envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
- Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco)
- feat(helm): allow adding extra containers to the cilium daemonset (#20343, @mhulscher)
- feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink)
- Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
- Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic)
- fix empty message when tunnel and socketLB service missing in switch case (#21314, @vincentmli)
- fqdn/metrics: Fix ProxyUpstreamTime error=timeout (#20752, @joestringer)
- Get rid of KPR=probe and socket-LB protocols (#22083, @brb)
- helm: Add node-role.kubernetes.io/control-plane key (Backport PR #23001, Upstream PR #22893, @my-git9)
- helm: Add validation for Ingress Controller (#21550, @sayboras)
- helm: Document debug.verbose option (Backport PR #23284, Upstream PR #23178, @sayboras)
- Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
- helm: Properly support passing subnet-tags/subnet-ids/instance-tags filters as a list (#21297, @slayer321)
- helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
- helm: Remove duplicated key hostAliases (#20278, @sayboras)
- helm: Set Linux nodeSelector for nodeinit and preflight (#20216, @gandro)
- helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
- hubble/filter: add a new endpoint workload filter (#21296, @kaworu)
- hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
- hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
- hubble: Add hubble_policy_verdicts_total metric (#20470, @michi-covalent)
- hubble: Add kafka metrics (#21318, @chancez)
- hubble: Add reserved-identity metric context (#20474, @michi-covalent)
- hubble: add support for filtering by trace ID (#21551, @rolinh)
- hubble: Add support for SockLB tracing (#21685, @gandro)
- hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
- image: Bump base image to ubuntu 22.04 (#20943, @sayboras)
- image: Upgrade ubuntu base image to 22.04 (#21097, @sayboras)
- Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge)
- Improve verbosity of drop notification messages. (#20387, @aspsk)
- Improve verbosity of drop notification messages. (#20827, @aspsk)
- In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd)
- ingress: add websockets configuration (#20814, @nikhiljha)
- ingress: Follow-up items for shared LB mode (#21493, @sayboras)
- ingress: Propagate required annotations from Ingress to LB Service (#20860, @NikhilSharmaWe)
- ingress: Rename LB annotation to annotation prefixes (#21222, @sayboras)
- ingress: Support NodePort for dedicated Ingress (Backport PR #23284, Upstream PR #22974, @sayboras)
- install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
- install: add TerminationMessagePolicy to cilium pods (#21012, @squeed)
- Introduce Hubble HTTP v2 metrics and dashboards (#21181, @chancez)
- Introduce smarter internal cache to reduce memory consumption for FQDN / DNS policy usage, especially in environment with heavy FQDN / DNS policy usage (#21288, @odinuge)
- ipam: Add exponential backoff when pool maintenance fails (#21473, @gandro)
- ipam: Change default rate limiting access to external APIs (#21387, @gandro)
- ipam: Support custom owner IPs in CRD IPAM pool (#21379, @llhhbc)
- K8s client as reusable cell (#21026, @joamaki)
- k8s/crds: Allow ingress entity in CNP (#20536, @sayboras)
- label all Cilium resources with "app.kubernetes.io/part-of: cilium" (#20213, @cyclinder)
- Load multiple programs for one CollectionSpec loading (#22025, @alexkats)
- maglev: support setting a weight of a backend in a service spec via new cmdline argument (#18306, @oblazek)
- makefile: add a new target to run 'golangci-lint run --fix' (#21547, @aspsk)
- Minor cleanups in FQDN name manager (#20886, @pippolo84)
- Move the clusterrole precheck inline script to one that can be run locally. (#20786, @ldelossa)
- operator: Add RBAC permission for CiliumNodeConfigs resource (Backport PR #23001, Upstream PR #22824, @sayboras)
- pkg/metrics: include revision and arch info in cilium_version (Backport PR #23147, Upstream PR #22795, @ArthurChiao)
- Prepend Envoy resources with CEC namespace and name (#21500, @pippolo84)
- put stderr of iptables command into error instead of merging into stdout (#20895, @liuyuan10)
- relay: Add Go runtime metrics and process metrics (#22316, @chancez)
- Remove check on intSlice type from config map validation (#20638, @pippolo84)
- Remove deprecated spec.eni.{min-allocate,pre-allocate,max-above-watermark} parameters (#21951, @obaranov1)
- Remove IPVLAN support following the deprecation in v1.11. (#20453, @pchaigno)
- sctp: Handle SCTP when correlating Endpoints to services. (#21490, @DolceTriade)
- service: Improve memory usage when handling update of a big service. (#20410, @alan-kut)
- Sign container images with cosign (#21739, @sandipanpanda)
- Support configuring metricsRelabelings on ServiceMonitors (#21051, @chancez)
- Support L4 any port policy. (#21185, @liuxu623)
- Support new hubble metrics context: "labelsContext" (#21079, @chancez)
- The CNI configuration file is now written only after the agent has successfully started up. Configuring a custom CNI configuration file is now simpler and more reliable. See the docs for more details. (#21375, @squeed)
- The default CNI version is now v0.4.0. Cilium now supports the CNI CHECK action. (#20956, @squeed)
- Traffic addressed to a service IP is dropped, if no backend is available. (#22388, @julianwiedmann)
- Traffic can now be redirected to Envoy listeners via the Cilium Network Policy listener option. (Backport PR #22822, Upstream PR #21600, @jrajahalme)
- Update cilium agent Grafana dashboard to filter by pod (#20307, @ungureanuvladvictor)
- Update connectivity tests for clusters running NodeLocal DNSCache with Local Redirect Policy. (#20086, @eminaktas)
- Update Helm Chart to use Hubble-UI v0.10.0 images by default. (Backport PR #23500, Upstream PR #23184, @pjbgf)
- When combining XDP Nodeport Acceleration with Egress Gateway, forwarding the EgressGW reply traffic no longer requires a specific iptables configuration on the Gateway node. (#20837, @julianwiedmann)
- XDP NodePort Acceleration can also be used for clusters in tunnel mode. (#21364, @julianwiedmann)