1.13.0

Changelog

The Cilium core team are excited to announce the Cilium 1.13 release. 🎉

v1.13.0

Summary of Changes

Major Changes:

• Add IPv6 BIG TCP support (#20349, @NikAleksandrov)
• Add LoadBalancer IP address management (LB-IPAM) (#21764, @dylandreimerink)
• Add partial support for SCTP (#20033, @DolceTriade)
• Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
• Add support for k8s 1.26 (#22270, @thorn3r)
• Add tracing for socket-based load balancing. (#20492, @aditighag)
• Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
• bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann)
• cilium: completion of nat46/64 gateway (Backport PR #22948, Upstream PR #22421, @borkmann)
• CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)
• Datapath support for Cilium mTLS (#21822 , @jrajahalme)
• gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras)
• ingress: Support shared load balancer mode (#21386, @sayboras)
• Sign Cilium container images using cosign (#21918, @sandipanpanda)
• Support Kubernetes v1.21 new field internalTrafficPolicy=Local. (Backport PR #23001, Upstream PR #21871, @gentoo-root)

Minor Changes:

• [v1.13] hubble-relay: deprecate peer svc through local unix domain socket (#23442, @kaworu)
• add nonMasqueradeCIDRs configuration to the ipMasqAgent section in Helm Chart values. (#20137, @cyclinder)
• Add "cilium map events " command that lists bpf map operation events" (#21235, @tommyp1ckles)
• Add --source-ranges option to cilium bpf lb list (#19705, @julianwiedmann)
• Add ability to specify topologySpreadConstraints on all parts using kind Deployment.

This helps users to correctly spread the pods across failure-domains such as
regions, zones, nodes, and other user-defined topology domains to achieve
maximum high availability (HA) and efficient resource utilization. (#20046, @mkilchhofer)

• add an option to wait for kube-proxy (#20517, @michi-covalent)
• add helm option configuredMTU to overwrite auto-detected MTU and tunnelPort helm document (#20639, @vincentmli)
• Add metric on number of requests rejected by DNS Proxy semaphore (#20491, @rahulkjoshi)
• Add new ENI IPAM metrics for allocation, release (#20755, @wu0407)
• Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
• Add Prometheus gRPC metrics for hubble and hubble-relay (#20376, @chancez)
• Add support for disabling ENI PD at node level (#20308, @hemanthmalla)
• add support for k8s 1.25.0 (#20995, @aanm)
• Add support to fallback from ENI PD if subnet is out of /28 prefixes (#20822, @hemanthmalla)
• Add the additional print columns CiliumInternalIP and InternalIP for kubectl get ciliumnode command. (#21258, @bavarianbidi)
• Add TraceID field to Hubble flow and populate it from L7/HTTP flow. (#21456, @rolinh)
• Add workload name and kind into L7 flows (#21039, @chancez)
• Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
• Added hubble.ui.frontend.server.ipv6.enabled helm flag to control nginx server ipv6 listener (#21127, @geakstr)
• Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol)
• Allow users to specify hostports with localhost hostIP (#21366, @aspsk)
• Automatically adjust bpf-policy-map-max if the maximum value is exceeded (#22129, @vishal-chdhry)
• bpf/tests: fix redundant usage of variable offset (#22390, @sahid)
• bpf: Add missing identity to TRACE_TO_STACK packet traces (#21403, @pchaigno)
• bpf: Implement Segment Routing Header (SRH) support (#20764, @pchaigno)
• bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
• Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
• Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer)
• CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (#20458, @jrajahalme)
• Cilium Istio integration is updated to Istio release 1.10.6 (#18384, @jrajahalme)
• Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme)
• cilium, bwm: Disable slow start after idle under pacing (#21356, @borkmann)
• cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
• cilium: Remove attached bpf_xdp upon "cilium cleanup" (#19735, @zhanghe9702)
• clarify some docs around the kubeProxyReplacement=partial mode (#19831, @aecay)
• clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
• ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
• daemon: Deprecate SockOps (Backport PR #23687, Upstream PR #23555, @brb)
• daemon: Don't auto disable session affinity (#16179, @brb)
• daemon: Rename host-reachable services to socket LB (#20369, @brb)
• Default NodesGCInterval in CLI is 5m (0s before) to align with default helm value. (#20671, @hemslo)
• Disable and deprecate force-local-policy-eval-at-source (#22190, @pchaigno)
• Disable eBPF host routing in cni chaining mode (#22044, @smwyzi)
• DNS proxy: forward the original security identity (#20711, @aspsk)
• DNS Proxy: pass original security identity (#20859, @aspsk)
• dnsproxy: stop serving DNS traffic before agent shutdown (#20795, @nebril)
• docs: refactor AKS installation instructions (Backport PR #23687, Upstream PR #23304, @nbusseneau)
• document ipv4/ipv6 native routing cidr helm option missing in Documentation and helm reference (#21195, @vincentmli)
• egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
• Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
• Enable operator operation without kubernetes. (#21344, @pruiz)
• eni: Add garbage collector for leaked ENIs (#21409, @gandro)
• envoy: Bump envoy version to 1.21.5 (#20771, @sayboras)
• envoy: Bump envoy version to 1.22.7 (Backport PR #23644, Upstream PR #23502, @sayboras)
• envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
• Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco)
• feat(helm): allow adding extra containers to the cilium daemonset (#20343, @mhulscher)
• feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink)
• Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
• Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic)
• fix empty message when tunnel and socketLB service missing in switch case (#21314, @vincentmli)
• fqdn/metrics: Fix ProxyUpstreamTime error=timeout (#20752, @joestringer)
• Get rid of KPR=probe and socket-LB protocols (#22083, @brb)
• helm: Add node-role.kubernetes.io/control-plane key (Backport PR #23001, Upstream PR #22893, @my-git9)
• helm: Add validation for Ingress Controller (#21550, @sayboras)
• helm: Document debug.verbose option (Backport PR #23284, Upstream PR #23178, @sayboras)
• Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
• helm: Properly support passing subnet-tags/subnet-ids/instance-tags filters as a list (#21297, @slayer321)
• helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
• helm: Remove duplicated key hostAliases (#20278, @sayboras)
• helm: Set Linux nodeSelector for nodeinit and preflight (#20216, @gandro)
• helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
• hubble/filter: add a new endpoint workload filter (#21296, @kaworu)
• hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
• hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
• hubble: Add hubble_policy_verdicts_total metric (#20470, @michi-covalent)
• hubble: Add kafka metrics (#21318, @chancez)
• hubble: Add reserved-identity metric context (#20474, @michi-covalent)
• hubble: add support for filtering by trace ID (#21551, @rolinh)
• hubble: Add support for SockLB tracing (#21685, @gandro)
• hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
• image: Bump base image to ubuntu 22.04 (#20943, @sayboras)
• image: Upgrade ubuntu base image to 22.04 (#21097, @sayboras)
• Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge)
• Improve verbosity of drop notification messages. (#20387, @aspsk)
• Improve verbosity of drop notification messages. (#20827, @aspsk)
• In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd)
• ingress: add websockets configuration (#20814, @nikhiljha)
• ingress: Follow-up items for shared LB mode (#21493, @sayboras)
• ingress: Propagate required annotations from Ingress to LB Service (#20860, @NikhilSharmaWe)
• ingress: Rename LB annotation to annotation prefixes (#21222, @sayboras)
• ingress: Support NodePort for dedicated Ingress (Backport PR #23284, Upstream PR #22974, @sayboras)
• install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
• install: add TerminationMessagePolicy to cilium pods (#21012, @squeed)
• Introduce Hubble HTTP v2 metrics and dashboards (#21181, @chancez)
• Introduce smarter internal cache to reduce memory consumption for FQDN / DNS policy usage, especially in environment with heavy FQDN / DNS policy usage (#21288, @odinuge)
• ipam: Add exponential backoff when pool maintanance fails (#21473, @gandro)
• ipam: Change default rate limiting access to external APIs (#21387, @gandro)
• ipam: Support custom owner IPs in CRD IPAM pool (#21379, @llhhbc)
• K8s client as reusable cell (#21026, @joamaki)
• k8s/crds: Allow ingress entity in CNP (#20536, @sayboras)
• label all Cilium resources with "app.kubernetes.io/part-of: cilium" (#20213, @cyclinder)
• Load multiple programs for one CollectionSpec loading (#22025, @alexkats)
• maglev: support setting a weight of a backend in a service spec via new cmdline argument (#18306, @oblazek)
• makefile: add a new target to run 'golangci-lint run --fix' (#21547, @aspsk)
• Minor cleanups in FQDN name manager (#20886, @pippolo84)
• Move the clusterrole precheck inline script to one that can be ran locally. (#20786, @ldelossa)
• operator: Add RBAC permission for CiliumNodeConfigs resource (Backport PR #23001, Upstream PR #22824, @sayboras)
• pkg/metrics: include revision and arch info in cilium_version (Backport PR #23147, Upstream PR #22795, @ArthurChiao)
• Prepend Envoy resources with CEC namespace and name (#21500, @pippolo84)
• put stderr of iptables command into error instead of merging into stdout (#20895, @liuyuan10)
• relay: Add Go runtime metrics and process metrics (#22316, @chancez)
• Remove check on intSlice type from config map validation (#20638, @pippolo84)
• Remove deprecated spec.eni.{min-allocate,pre-allocate,max-above-watermark} parameters (#21951, @obaranov1)
• Remove IPVLAN support following the deprecation in v1.11. (#20453, @pchaigno)
• sctp: Handle SCTP when correlating Endpoints to services. (#21490, @DolceTriade)
• service: Improve memory usage when handling update of a big service. (#20410, @alan-kut)
• Sign container images with cosign (#21739, @sandipanpanda)
• Support configuring metricsRelabelings on ServiceMonitors (#21051, @chancez)
• Support L4 any port policy. (#21185, @liuxu623)
• Support new hubble metrics context: "labelsContext" (#21079, @chancez)
• The CNI configuration file is now written only after the agent has successfully started up. Configuring a custom CNI configuration file is now simpler and more reliable. See the docs for more details. (#21375, @squeed)
• The default CNI version is now v0.4.0. Cilium now supports the CNI CHECK action. (#20956, @squeed)
• Traffic addressed to a service IP is dropped, if no backend is available. (#22388, @julianwiedmann)
• Traffic can now we redirected to Envoy listeners via Cilium Network Policy listener option. (Backport PR #22822, Upstream PR #21600, @jrajahalme)
• Update cilium agent Grafana dashboard to filter by pod (#20307, @ungureanuvladvictor)
• Update connectivity tests for clusters running NodeLocal DNSCache with Local Redirect Policy. (#20086, @eminaktas)
• Update Helm Chart to use Hubble-UI v0.10.0 images by default. (Backport PR #23500, Upstream PR #23184, @pjbgf)
• When combining XDP Nodeport Acceleration with Egress Gateway, forwarding the EgressGW reply traffic no longer requires a specific iptables configuration on the Gateway node. (#20837, @julianwiedmann)
• XDP NodePort Acceleration can also be used for clusters in tunnel mode. (#21364, @julianwiedmann)

Full change log can be found in changelog