Release 1.14.0-rc.1 · cilium/cilium

Summary of Changes

Minor Changes:

Add tls-server-enforce-mtls flag to hubble-relay to enforce mTLS connection with clients. (Backport PR #26636, Upstream PR #25582, @marqc)
BPF NodePort is now enabled by default if CiliumEnvoyConfig is configured. (Backport PR #26636, Upstream PR #25901, @jrajahalme)
Fix endpoint slices filtering to ensure we filter out headless services and continue to support older k8s versions where service labels are not propagated to endpoint slices (Backport PR #26799, Upstream PR #25351, @odinuge)
helm: Allow node port allocation for Ingress LB service (Backport PR #26799, Upstream PR #26502, @sayboras)

Bugfixes:

Add host-side interface info to cni.Result, which allows bandwidth CNI to work with Cilium (Backport PR #26636, Upstream PR #26518, @nayihz)
auth: Switch to observing identity changes (Backport PR #26636, Upstream PR #26375, @mhofstetter)
bgpv1: Unconditionally select node when empty nodeSelector is given (Backport PR #26734, Upstream PR #26590, @YutaroHayakawa)
client, health/client: set dummy host header on unix:// local communication (Backport PR #26838, Upstream PR #26800, @tklauser)
egressgw: retry getIdentityLabels on failure (Backport PR #26734, Upstream PR #26457, @jibi)
Fix bug where bpf map entries may not be reliably dumped or garbage collected when the map is actively being updated. (Backport PR #26838, Upstream PR #26583, @tommyp1ckles)
Fix error propagation issue in clustermesh which prevented retrying on certain validation errors (Backport PR #26799, Upstream PR #26613, @giorio94)
Fix SNAT by the N/S load-balancer for fragmented IPv4 requests. (Backport PR #26636, Upstream PR #26550, @julianwiedmann)
Fixed double metric accounting for k8s events (Backport PR #26636, Upstream PR #26349, @dylandreimerink)
Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26813, Upstream PR #26344, @jrajahalme)
Implement OnAddNode handlers for CiliumNodeUpdater and EndpointManager (Backport PR #26734, Upstream PR #26484, @pippolo84)
Policy auth precedence fix (Backport PR #26813, Upstream PR #26331, @jrajahalme)
Validate "ownership" of hostPort service being deleted (Backport PR #26734, Upstream PR #22587, @yasz24)

CI Changes:

.github/workflows: use Helm mode cilium-cli in K8sUpstreamNetConformance (Backport PR #26734, Upstream PR #26692, @tklauser)
.github: add 'name' field for the conformance-e2e job (Backport PR #26838, Upstream PR #26791, @aanm)
ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport PR #26734, Upstream PR #26715, @tklauser)
ci-multi-pool: Use ip-masq-agent for masquerading (Backport PR #26636, Upstream PR #26538, @gandro)
docs: Update external workloads instructions (Backport PR #26734, Upstream PR #26607, @michi-covalent)
replace cilium/customvet by cilium/linters (Backport PR #26799, Upstream PR #26755, @rolinh)
v1.14: ci: use Ariane to trigger workflows (#26625, @nbusseneau)

Misc Changes:

Add helm values for K8s API server client rate limits and instructions on how to size them when using L2 announcements. (Backport PR #26799, Upstream PR #26711, @dylandreimerink)
Add L2 responder map dumping to sysdump (Backport PR #26734, Upstream PR #26667, @dylandreimerink)
Add the tunnel values to the config map even when the default values are used. (Backport PR #26838, Upstream PR #26712, @3u13r)
auth: optimize log output for pending auth (Backport PR #26734, Upstream PR #26642, @mhofstetter)
auth: use NodeManager instead of k8s.CiliumNodeResource in auth gc (Backport PR #26636, Upstream PR #26592, @mhofstetter)
bgpv1: set correct upper limits to BPG timers and GR restart time (Backport PR #26636, Upstream PR #26534, @harsimran-pabla)
bpf: dsr: fix IPIP health-encap on older kernels (Backport PR #26636, Upstream PR #26609, @julianwiedmann)
bpf: nodeport: only set outer src IP for tunnel encap in XDP (Backport PR #26799, Upstream PR #26726, @julianwiedmann)
bpf: Replace deprecated "-target bpf" with "--target=bpf" for clang (Backport PR #26636, Upstream PR #26553, @qmonnet)
chore(deps): update all github action dependencies (v1.14) (minor) (#26699, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#26698, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.0 (v1.14) (#26700, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.2 (v1.14) (#26782, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.5 docker digest to fd9306e (v1.14) (#26696, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (v1.14) (#26697, @renovate[bot])
chore(deps): update hubble cli to v0.12.0 (v1.14) (minor) (#26763, @renovate[bot])
daemon: fix issue where IPAM options in custom CNI confs was ignored (Backport PR #26799, Upstream PR #26732, @squeed)
doc: Documented incompatibility of EgressGW and kvstore (Backport PR #26636, Upstream PR #26139, @PhilipSchmid)
docs, kpr, maglev: Move Maglev out of beta (Backport PR #26636, Upstream PR #19541, @borkmann)
docs/ipsec: Clarify limitation on number of nodes (Backport PR #26838, Upstream PR #26810, @pchaigno)
docs: Add debugging guide for inspecting gops / pprof profiles (Backport PR #26734, Upstream PR #26675, @christarazi)
docs: Add L2 Pod Announcements docs (Backport PR #26636, Upstream PR #26517, @markpash)
docs: HOWTO run cilium-cli e2e connectivity tests (Backport PR #26734, Upstream PR #25217, @brb)
docs: Ignore Helm values, update spelling list (Backport PR #26838, Upstream PR #26759, @qmonnet)
docs: Istio docs fix sidecar inject method (Backport PR #26636, Upstream PR #26526, @networkop)
docs: Mention --kube-proxy-replacement=boolean changes (Backport PR #26734, Upstream PR #26577, @brb)
docs: Multi-Pool IPAM now partially supports iptables-based NAT (Backport PR #26636, Upstream PR #26522, @gandro)
docs: remove no-longer-valid known policy issue (Backport PR #26799, Upstream PR #26660, @squeed)
docs: Update cluster mesh instructions (Backport PR #26734, Upstream PR #26608, @michi-covalent)
docs: Update Go Extension docs (Backport PR #26799, Upstream PR #26504, @sayboras)
docs: update KPR section on DSR (Backport PR #26636, Upstream PR #26582, @julianwiedmann)
docs: Update the docs for Helm mode Cilium CLI (Backport PR #26734, Upstream PR #26606, @michi-covalent)
docs: Upgrade Note For Deny Policy Fix (Backport PR #26636, Upstream PR #26245, @nathanjsweet)
Document cilium_host's IPv6 change in upgrade guide (Backport PR #26734, Upstream PR #26615, @jschwinger233)
Documentation/community: add multi-pool IPAM to list of beta features (Backport PR #26636, Upstream PR #26566, @tklauser)
Egress Gateway: make CiliumEndpoint reconciliation asynchronous from k8s watcher (Backport PR #26799, Upstream PR #26741, @jibi)
fix kind job with network policy failures (Backport PR #26799, Upstream PR #26639, @aojea)
helm: Use kubeProxyReplacement as string (Backport PR #26636, Upstream PR #26549, @jrajahalme)
hubble: Optimize namespace tracking (Backport PR #26799, Upstream PR #26547, @glibsm)
ipam/multipool: wait for restoration before releasing CIDRs (Backport PR #26734, Upstream PR #26668, @tklauser)
loader: check enabled L7 proxy via config property (Backport PR #26636, Upstream PR #26627, @mhofstetter)
make: rework kind-install-cilium-clustermesh for Cilium CLI Helm mode (Backport PR #26799, Upstream PR #26753, @giorio94)
monitor: update DBG_CT_LOOKUP4_2 / DBG_CT_LOOKUP6_2 output (Backport PR #26636, Upstream PR #26558, @julianwiedmann)
multi-pool: Document unsupported kvstore mode (Backport PR #26734, Upstream PR #26662, @gandro)
Prepare v1.14 stable branch (#26548, @joestringer)
Silence misleading log messages about service resolution in clustermesh (Backport PR #26734, Upstream PR #26614, @giorio94)
Update docs for Kubernetes 1.27 (Backport PR #26734, Upstream PR #26671, @christarazi)
vendor: Update go-restful (Backport PR #26636, Upstream PR #26560, @ferozsalam)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.0-rc.1@sha256:47c403975508dcf0f53f801f1fd0cf0804d4dc656ee01a136bd3805ed2ec14bb
quay.io/cilium/cilium:v1.14.0-rc.1@sha256:47c403975508dcf0f53f801f1fd0cf0804d4dc656ee01a136bd3805ed2ec14bb

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.0-rc.1@sha256:5dff8cba7b230294cbfe284222b1963e9c2e0d93baef19f0e565b957dac7749a
quay.io/cilium/clustermesh-apiserver:v1.14.0-rc.1@sha256:5dff8cba7b230294cbfe284222b1963e9c2e0d93baef19f0e565b957dac7749a

docker-plugin

docker.io/cilium/docker-plugin:v1.14.0-rc.1@sha256:ae6beb99ec85a2ccba9f96fe07ce8c0ca0d7d6a1aac696cd9d3c5f005c74279a
quay.io/cilium/docker-plugin:v1.14.0-rc.1@sha256:ae6beb99ec85a2ccba9f96fe07ce8c0ca0d7d6a1aac696cd9d3c5f005c74279a

hubble-relay

docker.io/cilium/hubble-relay:v1.14.0-rc.1@sha256:51627988e5df034e2b7a6291ed06593d0bc12a54f01549a2f5c7db46adc1ecfe
quay.io/cilium/hubble-relay:v1.14.0-rc.1@sha256:51627988e5df034e2b7a6291ed06593d0bc12a54f01549a2f5c7db46adc1ecfe

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.0-rc.1@sha256:69b385338771696036e2edce22626b98b84df63739bb56287f992ff169fa75c0
quay.io/cilium/kvstoremesh:v1.14.0-rc.1@sha256:69b385338771696036e2edce22626b98b84df63739bb56287f992ff169fa75c0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.0-rc.1@sha256:c0840b26aaff7eb65415e05644cbcefbc47cdc67a35fabe37cc19dc72127d878
quay.io/cilium/operator-alibabacloud:v1.14.0-rc.1@sha256:c0840b26aaff7eb65415e05644cbcefbc47cdc67a35fabe37cc19dc72127d878

operator-aws

docker.io/cilium/operator-aws:v1.14.0-rc.1@sha256:32e6bd6863984be27433c3405f6e41074cc72a3a40cc3bf9d7bc1241552776a5
quay.io/cilium/operator-aws:v1.14.0-rc.1@sha256:32e6bd6863984be27433c3405f6e41074cc72a3a40cc3bf9d7bc1241552776a5

operator-azure

docker.io/cilium/operator-azure:v1.14.0-rc.1@sha256:359b7d84c1544ee3f91ef3eecdbf5a02bc0a5d5077791212a3e7ef2f7304d123
quay.io/cilium/operator-azure:v1.14.0-rc.1@sha256:359b7d84c1544ee3f91ef3eecdbf5a02bc0a5d5077791212a3e7ef2f7304d123

operator-generic

docker.io/cilium/operator-generic:v1.14.0-rc.1@sha256:36e0d2d4ba8f35031b65d0703a74e1dd68253589479f7007f84b245bc6ebc410
quay.io/cilium/operator-generic:v1.14.0-rc.1@sha256:36e0d2d4ba8f35031b65d0703a74e1dd68253589479f7007f84b245bc6ebc410

operator

docker.io/cilium/operator:v1.14.0-rc.1@sha256:3482914fa4c525daa8d6dd26dc60e845d00e5c64d917f1433ef4b1a4f31a3dca
quay.io/cilium/operator:v1.14.0-rc.1@sha256:3482914fa4c525daa8d6dd26dc60e845d00e5c64d917f1433ef4b1a4f31a3dca

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1.14.0-rc.1