1.14.0-rc.0
Pre-release
Summary of Changes
Minor Changes:
- Add a new set of flags for CES work queue limit and burst rates, `CESWriteQPSLimit` and `CESWriteQPSBurst`. (#24675, @dlapcevic)
  The processed work queue items always trigger a single CES create, update or write request to the kube-apiserver.
  The work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES api objects.
- Set the default `CESWriteQPSLimit` to `10` and `CESWriteQPSBurst` to `20`. (#24675, @dlapcevic)
- Set the maximums for qps `50` and burst `100`. These values cannot be exceeded regardless of any configuration. (#24675, @dlapcevic)
- Unhide `CESMaxCEPsInCES` and `CESSlicingMode` flags from appearing in logs when `CES` is enabled. (#24675, @dlapcevic)
- agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead (#26036, @brb)
- Allow to use a Secret for the caBundle (#25728, @farcaller)
- BGPv1: Set N-bit in graceful restart capability negotiation. (#26325, @harsimran-pabla)
- Cilium now waits longer before returning a failure in the event of a pod creation burst. (#25805, @squeed)
- envoy: Use embedded proxylib from cilium-proxy image (#26101, @sayboras)
- metrics: Add k8s client rate limiter latency metric (#25555, @ysksuzuki)
- Retire Cilium-Integrated Istio documentation (#25722, @networkop)
- Revert "Revert agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26496, @brb)
Bugfixes:
- bpf: ct: fix CT-based packet tracing for IPv6 (#26476, @julianwiedmann)
- Bypassing policy check for IPv6 NDP to fix broken pod-to-pod connectivity when per-endpoint route is enabled with policy. (#24919, @jschwinger233)
- CIDRGroup reference metric will not count nonexistent CIDRGroups (#26133, @akstron)
- datapath: bigtcp: Fix the IPv4 BIG TCP may not work (#26336, @haiyuewa)
- Fix a bug where datapath option DisableSipVerification can no longer be used. (#25533, @oblazek)
- Fix bug in AlibabaCloud where instance type limits could not be determined (#25387, @haozhangami)
- Fix bug where CNI gets installed even if cni.install=false (#26278, @joestringer)
- Fix compilation error when enabling Wireguard and XDP (#25734, @ysksuzuki)
- Fix crash of cilium-agent happening when a remote node without node IP addresses is removed. (#25851, @cyclinder)
- Fix: Return "Content-Type" and "X-Content-Type-Options" headers from Health Check Node Port (#26458, @cezarygerard)
- Handles nodeIP changes when CEPs are checkpointed to tmpfs and the nodeIP changes across a reboot. (#26281, @bprashanth)
- ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (#26113, @jschwinger233)
- iptables: Fix wrong use of podCIDR in cluster node NAT exclusion (#26397, @gandro)
- Keep sync on deployed proxy ports when retrying proxy redirect creation. (#26343, @jrajahalme)
- nat: fix usage in nat.h of csum.h module (#25576, @sahid)
- test/controlplane: Disable endpoint GC (#26383, @pippolo84)
- test: bigtcp: Update the BIG TCP checking message (#26377, @haiyuewa)
- Updates TransformXXX Functions in k8s pkg (#26244, @danehans)
CI Changes:
- .github/workflows: let renovate update kind in ingress workflow (#26390, @tklauser)
- Add BPF unit tests for IPsec (#25699, @jschwinger233)
- Add container image scanning to Cilium images. (#26489, @ferozsalam)
- bpf: egressgw: refactor unit tests (#26376, @jibi)
- bpf: tests: pktgen infra for tunneling + GENEVE-DSR test (#26301, @julianwiedmann)
- CI Workflow: Add all AWS supported k8s versions (#26361, @brlbil)
- CI Workflow: Add all Azure supported k8s versions (#26356, @brlbil)
- CI Workflow: Add all GKE supported k8s version (#26364, @brlbil)
- CI Workflows: Fix matrix generation (#26406, @brlbil)
- CI Workflows: Fix sysdump file creation (#26402, @brlbil)
- CI Workflows: Fix sysdump name typo (#26415, @brlbil)
- ci-aks, ci-external-workloads: Use cilium-cli Helm mode (#26382, @michi-covalent)
- ci-e2e: Bump CLI version to v0.14.8 (#26475, @brb)
- ci-verifier: run verifier tests directly on VM instead of containerized (#26509, @ti-mo)
- ci: Add workflow for testing multi-pool IPAM (#26175, @gandro)
- CI: run integration-tests on test changes in PRs (#26405, @marseel)
- docs: Run rstcheck on the README.rst (#26454, @qmonnet)
- gateway-api: Add tests for standard CRD (#26372, @sayboras)
- gateway-api: Enable HTTPRouteListenerHostnameMatching test (#26226, @sayboras)
- gha: enable debug logs in conformance-clustermesh workflows (#26186, @giorio94)
- gha: test kvstoremesh in conformance-clustermesh (#26223, @giorio94)
- gha: test the different auth modes in conformance-clustermesh (#26252, @giorio94)
- Make CI test resources unique for retries. (#25990, @viktor-kurchenko)
- renovate: ignore ginkgo updates (#26423, @tklauser)
- Set CILIUM_CLI_MODE env variable at the top level (#26387, @michi-covalent)
- Set CILIUM_CLI_MODE env variable at the top level (#26404, @michi-covalent)
- test: Fix the attempted fix for the hostfw flake (#26362, @pchaigno)
Misc Changes:
- Add Back Market in the USERS list (#26413, @NitriKx)
- Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (#26130, @brb)
- Add documentation about kvstoremesh (#26348, @giorio94)
- Adding an AWS architecture diagram for AWS FTR review (#26016, @amitmavgupta)
- auth: delete cache-entry on ErrKeyNotExist (#26342, @mhofstetter)
- auth: display textual representation of auth type in authKey.String() (#26525, @mhofstetter)
- backporting: Fix pattern to handle commit subjects that begin with a space (#25653, @gentoo-root)
- BGP CP: Adds Intro to Docs (#26195, @danehans)
- bgpv1: pass router state to gobgp (#26194, @harsimran-pabla)
- bgpv1: skip invalid node selector config in policy selection (#26365, @harsimran-pabla)
- bpf: add new macro __section_entry (#26123, @Jack-R-lantern)
- bpf: nat: fix build error in snat_v6_prepare_state() (#26510, @julianwiedmann)
- bpf: remove unused type ProgType and ProgType* consts (#26360, @tklauser)
- bpf: Update IPv6 BPF masquerading code to bring it closer to IPv4's, fix SNAT for packets from local endpoints, for overlay (#26236, @qmonnet)
- Calling out support for Single-Region, Multi-Region, Multi-AZ for EKS (#26015, @amitmavgupta)
- Change wording on toServices limitations (see #20067) (#25796, @atykhyy)
- chore(deps): update actions/setup-go action to v4.0.1 (main) (#26313, @renovate[bot])
- chore(deps): update all github action dependencies (main) (minor) (#26306, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26425, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.8 (main) (#26482, @renovate[bot])
- chore(deps): update dependency kubernetes-sigs/kind to v0.20.0 (main) (#26428, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26297, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.5 (main) (#26304, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to 8f958bf (main) (#26283, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 9ecc53c (main) (#26285, @renovate[bot])
- cilium statedb dump command & bugtool (#26256, @joamaki)
- cilium, bigtcp: Add max gso/gro rates to sysdump (#26392, @borkmann)
- cilium, bigtcp: Make probing for GRO/GSO max size more graceful (#26385, @borkmann)
- cilium: enable bpf host routing with per endpoint routes for IPv6 as well (#26205, @borkmann)
- cilium: Repoint netlink lib back to upstream. (#26359, @borkmann)
- clustermesh: fix broken test due to merge race (#26389, @giorio94)
- clustermesh: improve reliability of TestClusterMesh (#26370, @giorio94)
- cni-plugin: Clean up code (#26505, @gandro)
- daemon: fix spelling in ipam-multi-pool-pre-allocation flag usage (#26529, @tklauser)
- datapath: Introduce helpers for __ctx_is checks (#23820, @spacewander)
- docs: clarify that L3 DNS policies require L7 proxy enabled (#26180, @wedaly)
- docs: Fix the cilium-cli default branch name (#26461, @michi-covalent)
- docs: Fix the cilium/proxy default branch name (#26464, @learnitall)
- docs: Mark IPv6 BPF masquerading as beta (#26499, @qmonnet)
- docs: reword incorrect L7 policy description (#26092, @peterj)
- docs: Update kvstore documentation with potential circular dependency. (#26353, @marseel)
- docu: add section about envoy daemonset deployment (#26033, @mhofstetter)
- Document multi-pool IPAM mode (#26308, @tklauser)
- Documentation: Add graceful restart section in BGP documentation (#26354, @harsimran-pabla)
- endpoint: don't hold the endpoint lock while generating policy (#26242, @squeed)
- envoy: Re-organize supported envoy resource import (#26469, @sayboras)
- etcd: start the status checker only after establishing the initial session (#26363, @giorio94)
- Fix some map handling logic as well as some issues with CLI commands related to ip-masq-agent, introduced with IPv6 support (#26435, @qmonnet)
- fix(deps): update all go dependencies main (main) (minor) (#26429, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26056, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#26427, @renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.11.0 (main) (#26319, @renovate[bot])
- helm: add .extraEnv to cilium-agents config init container (#26408, @nberlee)
- identity: Make identity allocations observable (#26373, @mhofstetter)
- Improve reliability of kvstore-related tests (#26347, @giorio94)
- kafka: remove unused package (#26523, @tklauser)
- kvstore: share etcd client logger to reduce memory usage (#26485, @giorio94)
- kvstoremesh: mark the cilium-kvstoremesh secret as optional in the clustermesh-apiserver volume definition (#26318, @giorio94)
- Log error message on unhealthy /healthz check (#24683, @sjdot)
- plugins/cilium-cni: clean up code in cmdAdd (#26533, @tklauser)
- policy: Optimize getNets() (#26345, @jrajahalme)
- Prepare for release v1.14.0-snapshot.4 (#26324, @joestringer)
- Publish the 2022 Cilium security audits (#26213, @zacharysarah)
- README: Bump latest snapshot release version (#26326, @joestringer)
- Remove 'ip' shellout from setUpRoutingTable() (#26486, @ti-mo)
- Require binary.Size and unsafe.Sizeof of all types to match (#26340, @ti-mo)
- Revert "agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26493, @joestringer)
- This moves from the autogenerated badge from the deprecated `slackin` system hosted on heroku, to just a simple generated badge. (#26416, @thebsdbox)
- This moves from the larger default code spaces logo, to a smaller logo in keeping with all existing links in the README. (#26417, @thebsdbox)
- treewide: fix some shebangs (#26293, @markpash)
- vendor: Update vishvananda/netlink/ and x/sys (#26410, @borkmann)