1.13.0-rc3
Pre-release
We are pleased to release Cilium v1.13.0-rc3.
Summary of Changes
Major Changes:
- Add LoadBalancer IP address management (LB-IPAM) (#21764, @dylandreimerink)
- Add support for k8s 1.26 (#22270, @thorn3r)
Minor Changes:
- Add "cilium map events" command that lists bpf map operation events (#21235, @tommyp1ckles)
- Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol)
- Allow users to specify hostports with localhost hostIP (#21366, @aspsk)
- Automatically adjust `bpf-policy-map-max` if the maximum value is exceeded (#22129, @vishal-chdhry)
- bpf/tests: fix redundant usage of variable offset (#22390, @sahid)
- Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme)
- Disable and deprecate `force-local-policy-eval-at-source` (#22190, @pchaigno)
- Disable eBPF host routing in cni chaining mode (#22044, @smwyzi)
- Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco)
- Get rid of KPR=probe and socket-LB protocols (#22083, @brb)
- hubble: Add support for SockLB tracing (#21685, @gandro)
- Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge)
- In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd)
- Introduce smarter internal cache to reduce memory consumption for FQDN / DNS policy usage, especially in environment with heavy FQDN / DNS policy usage (#21288, @odinuge)
- relay: Add Go runtime metrics and process metrics (#22316, @chancez)
- Traffic addressed to a service IP is dropped, if no backend is available. (#22388, @julianwiedmann)
Bugfixes:
- Added Agent init check that removes all CiliumEndpoints referencing local Node that are not managed. This fixes issues where sometimes CiliumEndpoints referencing still running Pods can become unmanaged during Cilium restart. (#20350, @tommyp1ckles)
- Clear stale CNP status nodes if updates have been disabled (#20366, @pippolo84)
- docs: Update Cilium Sphinx RTD Theme reference (#22321, @kimstacy)
- Fail validate-cnp preflight check if a CiliumClusterwideNetworkPolicy is using an empty toEndpoints/fromEndpoints selector (#21990, @thorn3r)
- Fix bug that could lead to inconsistent pod IP information between agents, sometimes leading to a failure to decrypt IPsec traffic. (#22127, @aanm)
- Fix bug where configuring the API rate limiter options could fail when providing multiple options (#22299, @thorn3r)
- Fix Cilium fatal "Could not create or update CiliumNode resource, despite retries" on environments with `enable-ipv4-egress-gateway` (#22298, @aanm)
- Fix cilium-bugtool --k8s-mode (#22160, @tbalthazar)
- Fix forwarding of the security identity by the DNS proxy which could cause random policy denials (#22361, @aspsk)
- Fix GC of CEPs that were not GCed by kube-apiserver (#22213, @aanm)
- Fix label ordering in Hubble TCP metrics with contextOptions (#21824, @lambdanis)
- fix: missing clustermesh metrics when more than one remote cluster is configured (#22033, @rcanderson23)
- fix: some tofqdn flags not being parsed (#22346, @carloscastrojumo)
- helm: Add relabelings config to ServiceMonitors and re-introduce node label on cilium/hubble metrics (#22297, @chancez)
- Preserve instruction metadata when inlining global constants (#21933, @ti-mo)
- Prevent cilium operator crash in AWS region with IPv6-only ENIs without subnet filters. (#22075, @bimmlerd)
CI Changes:
- .github: Explicitly set build-commits job runner image version and install libtinfo5 (#22315, @chancez)
- .github: fix bpf-checks on ubuntu-latest runner (#22322, @julianwiedmann)
- Add CNPs stale node updates GC controlplane test (#22365, @pippolo84)
- ci: Do not connect to Hubble for tests where flow-validation is disabled (#22068, @gandro)
- CI: multi kernel DP conformance (#21465, @brb)
- CI: Revert "bpf_test: Skip instead of Fatal TestBPF when -bpf-test-path is not set" (#22043, @sahid)
- CI: update cilium-cli to v0.12.10, force deploy connectivity test pods on GKE (#22441, @tklauser)
- ci: update cilium-cli to v0.12.7 for master, v1.11 and v1.12 workflows (#22140, @tklauser)
- examples: Use https when testing connectivity to 1.1.1.1 (#22180, @brb)
- Fix ClusterMesh test flake (#22449, @aanm)
- Fix TestBPF (#22084, @tklauser)
- gh/workflows: Add 4.19 kernel to the CI DP conformance (#22022, @brb)
- gh/workflows: Enable kube-proxy in some of DP conformance tests (#22062, @brb)
- mlh: update Jenkins jobs following 1.26 support (#22415, @nbusseneau)
- pkg/monitor/format: add fuzzer (#21968, @AdamKorcz)
- Prune runtime/net_policies.go (#21140, @nebril)
- test: Allow rerunning K8sUpdates locally (#22149, @pchaigno)
- test: Collect CiliumNodes objects as part of the test artifacts (#22152, @pchaigno)
- test: Move log-gatherer image to Quay (#22363, @pchaigno)
- test: net_policies: delete custom IP routes after test completion (#21857, @julianwiedmann)
- test: Remove flaking test (#22403, @jrajahalme)
- test: remove kube-proxy-replacement: probe from upstream tests (#22353, @aanm)
- test: service: wait for frontend entry (#21859, @julianwiedmann)
- vagrant: Bump net-next VM image version (#22085, @pchaigno)
- workflows: aks: bump timeout to 60m (#22359, @jibi)
- workflows: aks: collect sysdumps for each failing test (#22291, @jibi)
- workflows: aks: enable debug (#22287, @jibi)
- workflows: Bump timeout of ConformanceKind workflow (#22072, @pchaigno)
- workflows: Bump timeout of master GKE workflow (#22087, @pchaigno)
Misc Changes:
- .clomonitor: Update CLOMonitor checks exemptions (#22371, @sandipanpanda)
- .github/dependabot.yaml: remove image updates (#22114, @aanm)
- .github/workflows: split the image tag update in two steps (#22268, @aanm)
- .github: add kind/community-report to newly open issues (#22058, @aanm)
- .github: pin alpine versions to 3.16 in stable branches (#22374, @aanm)
- A couple of changes in bpf/nat to help adding new support of ICMP types (#22004, @sahid)
- Add automatic creation of Cilium base images (#22179, @aanm)
- add commit Sign-Off for renovate commits (#22101, @aanm)
- add frsca to users.md (#22071, @pxp928)
- add missing bpftool vtep map dump in cilium bugtool (#21848, @vincentmli)
- add more configuration to .github/renovate.json (#22108, @aanm)
- Add option to configure the resources of the init container and the container of etcd in the apiserver pods. (#22392, @shaardie)
- add policy fuzzers (#22038, @AdamKorcz)
- add renovate (#22080, @aanm)
- Added Rafay Systems to the user list (#22250, @Saim-Safdar)
- Adding Polverio to Cilium users list (#22256, @stuartpreston)
- bgp: BGP Control Plane modularization (#22183, @dylandreimerink)
- bgp: BGP Control Plane modularization - revised (#22447, @dylandreimerink)
- bpf: Check for SRH type on SRv6 decapsulation (#21869, @pchaigno)
- bpf: egressgw: clarify IPSec key for tunnel encapsulation (#22284, @julianwiedmann)
- bpf: minor nodeport cleanups (#22342, @julianwiedmann)
- bpf: Remove FIB lookup for IPsec (#22069, @pchaigno)
- bpf: Remove unused `ENABLE_L7_PROXY` macro (#21896, @pchaigno)
- bugtool: Fix URL to blog.ralch.com (#22283, @yanggangtony)
- build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#22045, @dependabot[bot])
- build(deps): bump azure/setup-helm from 3.3 to 3.4 (#21910, @dependabot[bot])
- build(deps): bump cilium/little-vm-helper from 4f44430a3c7573023ec58959cd0f88e1d2c00e13 to 9bb7d6016e00968adff49dae192a0be87d9c3aef (#22135, @dependabot[bot])
- build(deps): bump cilium/little-vm-helper from 83d306aeb0b731c4d29f8762f576ff484aa7a69c to 0.0.2 (#22440, @dependabot[bot])
- build(deps): bump cilium/little-vm-helper from 9bb7d6016e00968adff49dae192a0be87d9c3aef to 83d306aeb0b731c4d29f8762f576ff484aa7a69c (#22423, @dependabot[bot])
- build(deps): bump github.com/coreos/go-systemd/v22 from 22.4.0 to 22.5.0 (#22210, @dependabot[bot])
- build(deps): bump github.com/docker/docker from 20.10.18+incompatible to 20.10.21+incompatible (#22231, @dependabot[bot])
- build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 (#21880, @dependabot[bot])
- build(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#21911, @dependabot[bot])
- build(deps): bump github.com/hashicorp/consul/api from 1.15.3 to 1.17.0 (#22302, @dependabot[bot])
- build(deps): bump github.com/prometheus/client_golang from 1.13.0 to 1.14.0 (#22048, @dependabot[bot])
- build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 (#21952, @dependabot[bot])
- build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 (#21875, @dependabot[bot])
- build(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#22267, @dependabot[bot])
- build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#21953, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.29 to 2.1.30 (#21966, @dependabot[bot])
- build(deps): bump github/codeql-action from 2.1.30 to 2.1.32 (#22165, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.5 to 3.5.6 (#22334, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.5 to 3.5.6 (#22335, @dependabot[bot])
- build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.5 to 3.5.6 (#22349, @dependabot[bot])
- build(deps): bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#22229, @dependabot[bot])
- build(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 (#22211, @dependabot[bot])
- build(deps): bump golang.org/x/tools from 0.2.0 to 0.3.0 (#22230, @dependabot[bot])
- build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (#22110, @dependabot[bot])
- build(deps): bump google-github-actions/auth from 0.8.3 to 1.0.0 (#22059, @dependabot[bot])
- build(deps): bump google-github-actions/setup-gcloud from 0.6.2 to 1.0.0 (#22060, @dependabot[bot])
- build(deps): bump google-github-actions/setup-gcloud from 1.0.0 to 1.0.1 (#22079, @dependabot[bot])
- build(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#22348, @dependabot[bot])
- build(deps): bump rstcheck from 3.3.1 to 6.1.1 in /Documentation/requirements-min (#22155, @dependabot[bot])
- build(deps): bump sphinxcontrib-spelling from 7.6.0 to 7.7.0 in /Documentation/requirements-min (#22159, @dependabot[bot])
- build: Update Swagger to 0.30.3 (#21947, @jrajahalme)
- chore(deps): update base-images (master) (#22109, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.16.2 (master) (#22094, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.16.3 (master) (#22130, @renovate[bot])
- chore(deps): update docker.io/library/alpine:3.16.2 docker digest to 65a2763 (master) (#22090, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.3 docker digest to 4198e0e (master) (#22188, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.3 docker digest to bf4b15c (master) (#22091, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.19.3 docker digest to dc76ef0 (master) (#22197, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu docker tag to v22 (master) (#22120, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 450e066 (master) (#22092, @renovate[bot])
- chore(deps): update module go to 1.19 (master) (#22096, @renovate[bot])
- CIDR errors in config: exit instead of panicking (#22020, @tbalthazar)
- cilium: minor follow-ups on stateless nat (#22389, @borkmann)
- clean package "io/ioutil", because "io" and "os" can replace it totally (#22016, @yanggangtony)
- cli: Update regex for key-value validation to allow spaces in values (#21796, @johngmyers)
- CODEOWNERS: add ownership for SIG Hubble API team (#21950, @rolinh)
- CODEOWNERS: Assign `pkg/nodediscovery` to the agent team (#22042, @pchaigno)
- ctmap: Add missing FromL7LB flag (#21997, @jrajahalme)
- daemon/cmd: Fix error handling for getting proxy port (#22296, @christarazi)
- daemon: convert Daemon.restoredCIDRs to netip.Prefix (#22209, @tklauser)
- daemon: Top-level composition into a hierarchy of cells (#21736, @joamaki)
- datapath: remove unused ENCRYPT_NODE macro (#22285, @julianwiedmann)
- doc: add section to show how to customize cilium-agent metrics (#22178, @ArthurChiao)
- Docker image build enhancements for kind (#21806, @jrajahalme)
- docker: Do not specify syntax (#21805, @jrajahalme)
- docs: Add Getting Started guide for Gateway API support (#21908, @sayboras)
- docs: add instructions to build the base images from external forks (#22304, @aanm)
- docs: add Seznam.cz to list of Cilium users (#22182, @oblazek)
- docs: clarifications about CNCF maintainer status (#22351, @lizrice)
- docs: Clarify wildcards and subdomains in FQDN policies (#22206, @felfa01)
- docs: describe Cilium Feature Proposals (#22443, @lizrice)
- docs: Fix `kubectl create` output in docs after some deployments have moved from K8s "extensions" to "apps". (#22002, @cleverhu)
- docs: Hubble codeowners fix (#21995, @jrajahalme)
- docs: Regenerated `cilium-bugtool` docs to fix Travis CI (#22214, @dylandreimerink)
- docs: Remove 1.12 and earlier upgrade docs (#22219, @joestringer)
- Docs: Remove `RUNTIME=docker` option in dev_setup, given that K8s 1.24+ no longer supports it (options: containerd (default), crio). (#21940, @Shunpoco)
- docs: Update https.rst for Gateway API (#22184, @nvibert)
- docs: update roadmap for graduation application (#22422, @xmulligan)
- Document missing k8sService kubeConfigPath bpf.mapDynamicSizeRatio (#21817, @vincentmli)
- eni: fix new node not triggering creation of ENI with fix deadlock (#21830, @wu0407)
- envoy: Allow use of architecture-specific Envoy images for testing (#21804, @jrajahalme)
- fix 'egressIP' field indentation (#22303, @yulng)
- Fix CEP batching FCFS mode to group CEPs per namespace. (#22041, @dlapcevic)
- fixed broken gettingstarted link on helm chart README.md (#22218, @dotdc)
- gateway-api/model: Refactor envoy virtual host (#22369, @pippolo84)
- gha: Pin ubuntu-20.04 for conformance-test-ipv6 (#22324, @sayboras)
- go.mod, vendor: pin golang.org/x/* packages to tagged versions (#22051, @tklauser)
- Google Season of Docs is now over so it is removed from the docs (#22442, @xmulligan)
- helm/gateway-api: Add secret permission for agent (#22264, @sayboras)
- helm: Do not create Grafana dashboards by default (#22161, @chancez)
- helm: fix broken documentation URL in helm chart template (#22269, @nkrja)
- hive: Fix CodeQL lints in regex (#22471, @gandro)
- hive: Unwrap provider inputs and outputs in PrintObjects (#21976, @joamaki)
- images/runtime, go.mod, vendor: update gops to v0.3.26 (#22385, @tklauser)
- Implement Go-based kernel HZ (jiffy) measurement (#21833, @ti-mo)
- ingestion/gateway-api: Map backend weight to model (#22380, @sayboras)
- install/kubernetes: Re-order lines in Makefile.values (#22307, @aanm)
- k8s/client: respect QPS and burst setting for clientset (#22226, @tklauser)
- k8s: don't consider 4xx a successful interaction (#22393, @bimmlerd)
- k8s: use netip.Prefix for endpoint backed prefixes (#22181, @tklauser)
- labelsfilter: Improve sanitization (#22244, @joestringer)
- Made the `TestPodCIDRAllocatorOverlap` test more robust (#21957, @dylandreimerink)
- MAINTAINERS: Add Bill Mulligan (#22204, @lizrice)
- Make fsnotify event more readable. (#22278, @yanggangtony)
- monitor: Always print ObservationSource for DNS events (#21882, @michi-covalent)
- mtu, node: fix build on all non-linux platforms (#22232, @tklauser)
- operator: Avoid spamming logs with entire identity object (#22258, @lvyanru8200)
- Optimize generateLabelString() (#21718, @youhonglian)
- option, datapath: Move `AreDevicesRequired` to `option` package (#22457, @pchaigno)
- option: Fix Populate entries using "viper" package. (#22426, @jrajahalme)
- pkg/datapath: return specific error message (#22137, @aanm)
- policy: Replace RWMutex with Mutex to reduce locking times by a tiny bit. (#22106, @odinuge)
- Prepare for release v1.13.0-rc2 (#21949, @aanm)
- probes: refactor bpftool feature macros generation (#21451, @rgo3)
- relay: Add Go runtime metrics and process metrics (#22400, @chancez)
- remove scripts to update docker images (#22115, @aanm)
- Remove yaml parser from cilium policy trace (#22251, @rushi47)
- Removed `lb_services` bpfmap dump from bugtool (#22381, @vishal-chdhry)
- resource: Fix queue entry coalescing (#22360, @joamaki)
- Retry loading BPF programs if verifier log buffer is too small (#21973, @ti-mo)
- Revert "bgp: BGP Control Plane modularization" (#22431, @joestringer)
- Revert "install: move cni config management to the agent" (#22012, @pchaigno)
- Revert "relay: Add Go runtime metrics and process metrics" (#22337, @joestringer)
- Revert "Test commit" (#22150, @pchaigno)
- Revert "WIP: 4.9 CI DP conformance" (#22061, @brb)
- Revert PR #21539 (#21981, @nbusseneau)
- Series of cleanups to ENI tests (#21975, @bimmlerd)
- Test tls flake (#22420, @jrajahalme)
- test/alibabacloud: Fix flake in TestPrepareIPAllocation (#21987, @jaffcheng)
- test/control-plane: Add nil checks to shutdown logic (#22225, @dylandreimerink)
- treewide: Refactor and simplify ipcache usage (#21774, @joestringer)
- Update documentation related to metrics; fix incorrect FQDN metrics reference (#22300, @christarazi)
- Update Go to 1.19.3 (#22024, @tklauser)
- Update Go version in backporting Dockerfile (#22030, @tbalthazar)
- Update stable releases (#22247, @michi-covalent)
- Update start-release.sh (#22193, @michi-covalent)
- Updated AWS ENI limits (#22405, @tsolodov)
- updates.go: bump stable version to 1.12 (#22134, @aanm)
- Use informer.NewInformer where appropriate (#22066, @tklauser)