Release v1.7.0 · cilium/cilium

This is the release for v1.7.0, the summary of changes reflect the diff between tag v1.6.6 and v1.7.0

Upgrade Guide

https://docs.cilium.io/en/v1.7/install/upgrade/#upgrade-guide

Summary of Changes

Major Changes:

Add direct server return (DSR) for NodePort BPF (#9473, @brb)
Add support for k8s 1.17 (#9661, @aanm)
Add support for k8s endpoint slice (#9762, @aanm)
Add support for L7 visibility via pod annotations (#9210, @ianvernon)
Clusterwide K8s Cilium Network Policies (#9381, #9669, @fristonio)
Envoy TLS support with header imposition (#9486, @jrajahalme)

Minor Changes:

Add --kube-proxy-replacement flag to control enabling of kube-proxy replacement in BPF (#9992, @brb)
Add ability to create tags on the ENIs the cilium-operator creates. (#9412, @ungureanuvladvictor)
Add cilium_version metric (#9623, @ChristineTChen)
add CLI to introspect state of daemon's NameManager field (#9132, @ianvernon)
Add enable-local-node-route option (#9505, @jraby)
Add gops to cilium-cni (#9568, @jraby)
Add more detailed proxy redirects status to cilium status (Backport PR #10132, Upstream PR #10082, @joestringer)
add option to hold cilium agent after init container (Backport PR #10132, Upstream PR #10101, @aanm)
add support for go modules (#8719, @aanm)
Add support for HealthCheckNodePort in NodePort BPF (#9906, @gandro)
Added CRD validation for ciliumnodes.cilium.io (#9655, @ungureanuvladvictor)
Adding USERS directory to create a list of Cilium users (#9810, @tgraf)
Adds --endpoint argument to fqdn cache list to show the cache just for a specific endpoint. (#9334, @ungureanuvladvictor)
Adds a support for a service of the LoadBalancer type when running Cilium without kube-proxy. (#9694, @brb)
agent: Mark --lb feature deprecated for removal in 1.7 (#8786, @tgraf)
Allow icmp fragmentation needed agent option (#8218, @fristonio)
Allow setting timeout on cilium status command (#9625, @ashrayjain)
bpf: Add bind{4,6} programs to block NodePorts (#9880, @gandro)
bpf: improve DumpReliablyWithCallback (#9972, @rolinh)
bpf: Report original source IP in TRACE_TO_LXC (#9321, @tgraf)
cilium cleanup removes previously installed NodePort BPF programs (Backport PR #10072, Upstream PR #10063, @brb)
cilium: lock GC walks for global CT maps to serialize deletions (#9645, @borkmann)
clustermesh: Add cilium status section (Backport PR #10212, Upstream PR #10169, @tgraf)
cmd: add zsh as a option for completion (#9882, @tonyluj)
Connection-based DNS policy (#9497, @raybejjani)
daemon,cli: Improve kube-proxy-replacement status (Backport PR #10132, Upstream PR #10083, @brb)
daemon: Add KubeProxyReplacement to cilium status cmd (Backport PR #10072, Upstream PR #10059, @brb)
daemon: Fix race condition when syncing services with k8s (#9341, @brb)
Deprecate/Delete support for monitor v1.0 socket (#9650, @soumynathan)
docs: bump minimal k8s supported version to v1.11.0 (#9477, @aanm)
docs: remove disable container runtime documentation (#9868, @aanm)
docs: Update kube-router getting started guide (Backport PR #10183, Upstream PR #10159, @brb)
docs: Upgrade about tofqdns-min-ttl default and zombies (#9737, @raybejjani)
Documentation: Switch EKS documentation to default to ENI (Backport PR #10132, Upstream PR #10126, @tgraf)
Enable provisioning of K8s services in ipv4 and ipv6 when running in dual-stack mode (#9760, @brb)
ENI IPAM: Ensure that DeleteOnTermination defaults to true (#9406, @lbernail)
eni: Allow overwriting AWS instance limit via agent configuration (#9236, @jaffcheng)
Envoy is updated to release 1.12.1 (#9608, @jrajahalme)
Fix implementation of k8s external IPs as described in kubernetes documentation (#9092, @aanm)
Get rid of LB backend weights (#9254, @brb)
Getting started guide to TLS-visibility (Backport PR #10072, Upstream PR #9808, @danwent)
golang: update to 1.13.6 (#9872, @aanm)
golang: update to 1.13.8 (Backport PR #10212, Upstream PR #10179, @aanm)
HTTPS URL of kube-apiserver can be specified via "--k8s-api-server" from now on. (#9198, @brb)
Improve monitor aggregation flexibility (#9177, @joestringer)
Reduce cilium-agent binary size (#9306, @joestringer)
Introduce identity for remote nodes (#8841, @tgraf)
ipcache: Add cilium monitor events and expose it via API (#9268, @gandro)
Istio support is updated to version 1.4.3 (#9968, @jrajahalme)
k8s: Allow _ in CNP CRD toFQDNs validation (#9179, @raybejjani)
kubernetes: Updated connectivity check (Backport PR #10153, Upstream PR #10104, @tgraf)
logging: add way to configure logging level via cilium-agent option (#8607, @ianvernon)
Make Agent Prometheus Exporter port configurable (#9584, @Antiarchitect)
Make FirstInterfaceIndex a pointer on ENI spec (#9745, @ungureanuvladvictor)
monitor/api: Export map of trace observation points (#9135, @tgraf)
monitor/api: Export message type names (#9151, @tgraf)
monitor: Export trace observation point via API (#9119, @tgraf)
On-demand policy wildcarding (Backport PR #10153, Upstream PR #10054, @jrajahalme)
pkg/endpoint: add policy visibility status into CiliumEndpoint (#9601, @aanm)
pkg/k8s: add support for multi-stack (#9215, @aanm)
pkg/k8s: use local stores to fetch pod information from k8s (#9586, @aanm)
plugins/cilium-cni: disable CNI debug messages by default (#9493, @aanm)
policy: Disable well-known identities for non-managed etcd (#9698, @tgraf)
policy: Reject ingress rules with DNS policies (#8558, @iffyio)
Relax limits for maximum number of CIDR prefixes (40 -> unlimited) (#9724, @joestringer)
Remove /96 IPv6 CIDR constraint which makes cilium to work in k8s dual-stack mode (#9777, @brb)
Remove bpf_lb.c and friends (#9199, @brb)
Remove container runtime dependencies (#9447, @aanm)
Rename "Policy denied (L3)" to "Policy denied" (#9951, @tgraf)
Restrict ENI usage to IPv4 (#8843, @tgraf)
RFC: k8s / operator: offload CNPNodeStatus updates to cilium-operator (#9384, @ianvernon)
service: Notify monitor about service updates (#9574, @gandro)
service: Store and expose service name and namespace (#9554, @gandro)
ServiceMonitor should default to release namespace (Backport PR #10132, Upstream PR #10088, @dsexton)
Support for externalTrafficPolicy=Local in NodePort BPF (#9764, @gandro)
Support v4-in-v6 mapped addresses in BPF host reachable services. (#9923, @borkmann)
Update to golang 1.13.1 (#9279, @aanm)
Update to k8s libraries to 1.17.0 (#9744, @aanm)
Use helm repository in docs (#9783, @ap4y)

Bugfixes:

Add better mechanism to detect if k8s caches are synced against k8s (#9400, @aanm)
api: Add missing annotations to generate DeepCopy for new status fields (Backport PR #10183, Upstream PR #10166, @tgraf)
bpf: Fix proxy redirection for egress programs (Backport PR #10153, Upstream PR #10113, @tgraf)
bpf: Remove POLICY_MAP from bpf_netdev and bpf_overlay (#9949, @tgraf)
cilium: use %v for dumping frontend struct on error (#9845, @borkmann)
Correct clustermesh identity sync kvstore backend usage (to actually use the remote) (Backport PR #10212, Upstream PR #10185, @raybejjani)
daemon: Upgrade spf13/viper (#9796, @raybejjani)
eni: Check instance existence before resolving deficit (#9676, @jaffcheng)
Filter out bpftool probes emitting dmesg messages (Backport PR #10183, Upstream PR #10164, @mrostecki)
Fix cilium daemonset deletion on AKS (#9519, @mlushpenko)
Fix concurrent access of a variable used for metrics (Backport PR #10183, Upstream PR #10137, @aanm)
Fix issue (#10092) which incorrectly configured route MTU with encryption and tunnel enabled. (Backport PR #10225, Upstream PR #10218, @jrfastab)
Fix memory corruption on clusters with IPv6 and NodePort enabled (Backport PR #10212, Upstream PR #10192, @aanm)
Fix node-port default route detection in case there multiple default entries with same ifindex. (#9844, @borkmann)
Fix regression to avoid freeing alive IPs (Backport PR #10225, Upstream PR #10207, @tgraf)
Fix regular service lookup in node-port range in case of host-reachable services. (#9843, @borkmann)
Fix Unlock handling for kvstore locks (#9973, @aanm)
Fix vishvananda/netlink library's VethPeerIndex() stack corruption with 4.20+ kernels. (#9588, @borkmann)
fqdn: Support setting tofqdns-min-ttl to 0 (#9743, @raybejjani)
health: add ipv6 health check status to cilium health status output (#8766, @fristonio)
HostToContainer propagation for /sys/fs/bpf (#9575, @jraby)
ipam: Protect release from releasing alive IP (Backport PR #10072, Upstream PR #10066, @tgraf)
ipcache: Add probe to check for dump capability to support delete (Backport PR #10153, Upstream PR #10144, @tgraf)
ipsec: fix connectivity after node reboots (#9866, @martin31821)
k8s: Fix Service.DeepEquals for ExternalIP (#9690, @brb)
kubernetes: Disable LocalNodeRoute while chaining (Backport PR #10072, Upstream PR #10057, @tgraf)
node: Provide context in log when restoring router addresses (#9947, @tgraf)
operator: only enable kvstore watcher if kvstore is enabled (#9963, @aanm)
pkg/bpf: Protect each uintptr with runtime.KeepAlive (Backport PR #10212, Upstream PR #10168, @brb)
pkg/endpoint: access endpoint state safely across go routines (Backport PR #10183, Upstream PR #10140, @aanm)
pkg/ip: fix cilium status output for big CIDR ranges (#9936, @aanm)
policy: Don't open localhost when allowing L7 traffic (#9162, @joestringer)
policy: Expose L3 selectors within endpoint JSON (#8610, @iffyio)

CI Changes:

[CI] add release name to helm template calls (Backport PR #10072, Upstream PR #10062, @nebril)
[CI] add timeout to vm boot retries (#9816, @nebril)
[CI] allow to specify focus via GH comment (#9667, @nebril)
[CI] fallback to binary k8s install (#9271, @nebril)
[CI] fix /var/log/journal mount in log gatherer (#9668, @nebril)
[CI] Fix path to print-node-ip script in jenkinsfile (Backport PR #10132, Upstream PR #10112, @nebril)
[CI] Mark runtime memcache tests as pending (#9955, @nebril)
[CI] Mark TLS policy test as pending (Backport PR #10225, Upstream PR #10219, @nebril)
[CI] move docker images to node local registry (#9329, @nebril)
[CI] Node affinity based on labels not hostname (#9365, @nebril)
[CI] parallel image build and cluster setup for eks (#9714, @nebril)
[CI] Retry validating kubeconfig (#9931, @nebril)
[CI] set $HOME in parallel builds to avoid cache pollution (#9932, @nebril)
[CI] switch to new HOME only for ginkgo calls (#9971, @nebril)
Add eks specific jenkinsfile (#9353, @nebril)
add externalIPs and kube-proxy test matrix (#9849, @aanm)
Add retry to curl call in basic TLS policy test (#9957, @nebril)
Add support for running ginkgo tests in microk8s clusters (#9253, @joestringer)
Add tests for a service annotated with externalTrafficPolicy=Local (#9728, @brb)
Bump cilium/ubuntu-next version to 42 (#9926, @gandro)
CI Fixups for EKS (#9675, @raybejjani)
CI fixups to run on GKE (#9853, @raybejjani)
CI Fixups to target other runtimes (#9189, @raybejjani)
CI: Add CNI_INTEGRATION=minikube support (#9261, @raybejjani)
CI: Add HTTP tests to DatapathConfiguration tests (#9233, @joestringer)
CI: Delete then create namespaces in policy tests (#9706, @raybejjani)
CI: Determine and set K8s version in GKE pipeline (#10025, @raybejjani)
CI: ExecInPods returns an error when no pods are found (#9705, @raybejjani)
CI: Fix typo setting kubeconfig variable from registry (#9520, @raybejjani)
CI: Fixups for local runs (#9595, @raybejjani)
CI: PolicyTest toEntities All (Backport PR #10072, Upstream PR #10051, @raybejjani)
CI: Set CILIUM_REGISTRY in k8s provisioning scripts (#10006, @gandro)
CI: Switch WaitforDeamonset/Deploy to shorter poll timeout (#8720, @raybejjani)
eni: Deep copy CiliumNode resource before storing it in the node (#9893, @jrajahalme)
Extend bpf verifier tests to test socket programs (#9339, @joestringer)
Fix service restoration and extend CI for externalTrafficPolicy=Local services (#9778, @gandro)
Fix upgrade guide for v1.7 and replicate it in a CI test (Backport PR #10153, Upstream PR #9993, @aanm)
Fixup FQDN tests to run on GKE & EKS (#9990, @raybejjani)
ginkgo.Jenkinsfile: set k8s nodes back to 2 (#9908, @aanm)
GKE jenkinsfile (#9876, @nebril)
Gopkg.toml: update kevinburke/ssh_config dependency (#8689, @kevinburke)
Move GKE release cluster out of timeout block (#10022, @nebril)
policy/api: Add tests for reserved:unmanaged match (#8725, @joestringer)
Remove microscope helpers from testing packages (#9596, @mdevilliers)
Revert "[CI] add timeout to vm boot retries" (#9967, @aanm)
Revert "Revert "[CI] add timeout to vm boot retries"" (#9976, @nebril)
Run CI tests with kube-proxy being disabled (#9901, @brb)
Set CILIUM_REGISTRY in provisioning scritps (#9991, @nebril)
Support local testing with one k8s VM. (#9681, @jrajahalme)
Test against k8s 1.16.2 (#9448, @aanm)
test/K8sServices: Add Tests for UDP connectivity (Backport PR #10072, Upstream PR #9997, @gandro)
test/packet: fix packet terraform scripts (#9850, @aanm)
test: add capability to specify images / skip K8s provisioning (#8748, @ianvernon)
test: Add conntrack entry timeout validation tests. (#9771, @valas)
test: Add Kubernetes Service CI tests for IPv6 (Backport PR #10153, Upstream PR #10115, @gandro)
test: add script which pulls images which have not been pulled during VM provisioning (#8921, @ianvernon)
test: add some extra narration statements / remove unneeded helper function call (#8846, @ianvernon)
test: bpf: Fix load for cgroups progs (Backport PR #10183, Upstream PR #10156, @joestringer)
test: Delete Cilium DS before changing startup options. (#9891, @jrajahalme)
test: Extend MetalLB test case (#9723, @brb)
test: Improve skipping of k8sT/Services.go tests (Backport PR #10072, Upstream PR #10047, @brb)
test: Make helm fetch more quiet (#9799, @joestringer)
test: Remove cilium DS before installing a new one (Backport PR #10132, Upstream PR #10039, @brb)
test: remove microscope test (#9075, @ianvernon)
test: skip installing Helm if user has skipped k8s provisioning (#8835, @ianvernon)
test: Temporarily disable Istio CI test (#8821, @tgraf)
tests: test nodeport connectivity via v4-in-v6 sockets (Backport PR #10072, Upstream PR #10053, @borkmann)
tests: update complexity check script to include new calls (Backport PR #10183, Upstream PR #10106, @fristonio)
update k8s test versions to 1.14.10, 1.15.7 and 1.16.4 (#9867, @aanm)
Use proper helm value in CI clusters (#8973, @nebril)
vagrant: remove unnecessary print statements (#9860, @rolinh)
VMs: bump development VM images (#10001, @aanm)

Misc Changes:

.github: add github actions to cilium (#9709, @aanm)
.github: Clarify release-notes section (#9664, @joestringer)
.travis: disable go modules when installing dependencies (#9462, @aanm)
[CI] Fix log gathering (#9267, @nebril)
Add a note on ignoring br_netfilter preflight check (#9229, @bai)
Add ability to query EC2 ENI instance limits via ec2:DescribeInstanceTypes (#9699, @ungureanuvladvictor)
Add Adobe to USERS.md (#9852, @dharmab)
Add alignchecker tests for event notification format (#9426, @joestringer)
Add cilium-monitor sidecar container for agent pods (#9815, @ap4y)
add context.Context to Daemon (#9437, @ianvernon)
Add Datadog to users (#9862, @lbernail)
Add helm charts packaging steps to the release script (#9772, @ap4y)
Add MAINTAINERS file (#9598, @tgraf)
Add Palantir Technologies to USERS.md (#9836, @ungureanuvladvictor)
Add required etcd version for external etcd guide (Backport PR #10153, Upstream PR #10147, @nebril)
Add service manager (#9274, @brb)
Add unit tests for pkg/service.Service (#9289, @brb)
add uswitch to users.md (#9875, @Joseph-Irving)
Added support for restartPods Helm chart option when running node-init on EKS. (#9740, @tom-hadlaw-hs)
api/v1: update swagger to v0.20.1 (#9444, @aanm)
api: Remove remnants of RedirectPort (#9082, @jrajahalme)
backporting: add 'upstream-prs' tag for code block (#10033, @aanm)
BPF and XDP reference guide: mention BPF Performance Tools in further readings (#9928, @brandshaide)
BPF kernel probes based on bpftool (#9789, @mrostecki)
bpf, nat: initially try snat by preserving source port (#9813, @borkmann)
bpf, nodeport: add nodeport flag to nodeport services (#9857, @borkmann)
bpf, sock: fix post-bind-sock{4,6} not found in ELF file (Backport PR #10132, Upstream PR #10124, @borkmann)
bpf, sock: only attach v6 hooks in v4-only mode when v6 is available (#10027, @borkmann)
bpf, sock: reduce xlation for externalTrafficPolicy=Local to host_id (#9930, @borkmann)
bpf: Add unit tests for __ct_lookup() (#9304, @joestringer)
bpf: Compile bpf_netdev.c with build permutations (#9861, @brb)
bpf: compile out service lookup entirely on kubeProxyReplacement=disa… (Backport PR #10072, Upstream PR #10060, @borkmann)
bpf: fix sock6_xlate when not all host service protocols are enabled (#9847, @borkmann)
bpf: Fix space hack in Makefile (Backport PR #10183, Upstream PR #10173, @brb)
bpf: Get rid of unused lb6_{key,service} structs (#9141, @brb)
bpf: Remove bpf_netdev.o from previously used devices (Backport PR #10132, Upstream PR #10087, @brb)
bpf: Remove unused BPF feature probes/macros (#9802, @mrostecki)
bpf_sock fixes for nodeport (#10014, @borkmann)
bugtool: Dump NAT BPF maps entries with bpftool (Backport PR #10212, Upstream PR #10190, @brb)
bump golang to 1.13.3 (#9433, @aanm)
bump k8s client libraries to v1.17.0-rc.2 (#9713, @aanm)
charts: Generate versions from VERSION file (Backport PR #10183, Upstream PR #10171, @joestringer)
CI: Add test for healthCheckNodePort in NodePort BPF (Backport PR #10072, Upstream PR #9977, @gandro)
cilium: encryption fixes for ipv6 and tear down (#9649, @jrfastab)
cilium: fix disconnects on operator restarts when using ipsec (#9612, @jrfastab)
Clean up misc verifier-test.sh functionality (#9325, @joestringer)
Clean up reference counting of ipcache prefix lengths (#9050, @joestringer)
Cleanup service.UpsertService method (#9350, @brb)
cli: Print node list header before the actual list of nodes. (#9295, @ungureanuvladvictor)
cli: Warn if --rev flag is used with cilium service update (#9319, @brb)
cmd: replace deprecated Command.SetOutput() (#9881, @tonyluj)
cni: Try to enable IPv6 only if necessary (#9492, @mrostecki)
CODEOWNERS: change Vagrant-related files to be owned by cilium/ci (#8788, @ianvernon)
Connection aware DNS proxy fixups (#9648, @raybejjani)
contrib/vagrant: change iptables helper message to tcp (#9884, @aanm)
contrib/vagrant: fix reading VM_MEMORY/VM_CPUS from env vars (#9945, @rolinh)
contrib: Fix 'reset' variable declaration (#9559, @joestringer)
contrib: Update minikube script (#9216, @mrostecki)
controller: add Context to ControllerParams (#9500, @ianvernon)
controller: do not return controller from UpdateController (#8894, @ianvernon)
Correct Contributing link in README (#9060, @cjmakes)
Correct information about required Go version (#9091, @mrostecki)
cosmetic: Improve identity / allocator logs (#9662, @joestringer)
daemon: cancel context for daemon before running cleanup functions (#9487, @ianvernon)
daemon: Check for no selector update need earlier. (#9396, @jrajahalme)
daemon: don't hold endpoint BuildMutex while deleting (#8744, @ianvernon)
daemon: Exit early if NodePort BPF and IPSec is enabled (#9946, @brb)
daemon: factor out generation of endpoint labels model into pkg/endpoint (#8976, @ianvernon)
daemon: factor out more code into files owned by more specific codeowners (#9122, @ianvernon)
daemon: fix outdated comment (#9438, @ianvernon)
daemon: group cleanup-related variables into type (#9524, @ianvernon)
daemon: make policy repository member of policy get handler (#9440, @ianvernon)
daemon: misc. cleanup and splitting up of code into separate files (#9048, @ianvernon)
daemon: move base program compile to loader pkg (#9488, @ianvernon)
daemon: Move some sysctl writes from bpf/init.sh (#9005, @brb)
daemon: remove unneeded Daemon field from RuleReactionEvent (#9453, @ianvernon)
datapath: Add DSR IPv6 implementation (#9895, @brb)
datapath: Do not check rev_nat_id in IPv6 addr (#9952, @brb)
datapath: Do not return len in find_dsr_v6 (#9933, @brb)
datapath: make Datapath an IptablesManager (#9516, @ianvernon)
datapath: Return error if default route is not found (#9859, @brb)
dev-vm: update etcd to v3.4.2 and k8s to v1.16.2 (#9463, @aanm)
dev: set tcp for NFS in development VMs (#9879, @aanm)
doc: add note about adding the 'kind/backports' label when backporting (#9964, @rolinh)
doc: Document L7 limitation in azure-cni chaining mode (Backport PR #10153, Upstream PR #10131, @tgraf)
doc: Mark encryption as stable for direct-routing and ENI mode (Backport PR #10153, Upstream PR #10142, @tgraf)
doc: the namespace is wrong when validating cilium on Azure CNI (#9717, @soumynathan)
doc: update BPF instruction limit (#9727, @florianl)
doc: update instructions about restarting pods after deployment (Backport PR #10072, Upstream PR #10028, @rolinh)
Dockerfile: Bump cilium/iproute2 (#9911, @gandro)
docs: add etcd related upgrade notes for v1.7 (#9109, @aanm)
docs: add instructions to update VM images (#9999, @aanm)
docs: add libelf-devel to development setup (#10032, @tklauser)
docs: add policy visibility status documentation (#9670, @aanm)
docs: add section for stable releases to readme (#9131, @borkmann)
docs: add setup validation howto to kube-proxy-free guide (Backport PR #10132, Upstream PR #10086, @borkmann)
docs: Describe how to read from tracing pipe (#9665, @joestringer)
docs: document kube-proxy replacement modes (Backport PR #10072, Upstream PR #10073, @borkmann)
docs: extend further readings section to a separate file (#9178, @fristonio)
docs: Fix broken contributing links (#9077, @jaffcheng)
docs: fix kubernetes configmap (#9824, @aanm)
docs: fix link for Cilium-PR-Kubernetes-Upstream job (Backport PR #10212, Upstream PR #10178, @tklauser)
docs: fix spelling issues in clusterwide policy docs (#9602, @fristonio)
docs: Fix up gke install guide (#10037, @joestringer)
docs: Fix up nodeport limitations (#9621, @joestringer)
docs: fixed padding after code blocks (Backport PR #10153, Upstream PR #10143, @geakstr)
docs: Include env variable in EKS e2e examples (#9726, @raybejjani)
docs: Keep externalTrafficPolicy=Local limitation in NodePort BPF (#9674, @brb)
docs: Mention direct routing mode requirement for DSR (Backport PR #10153, Upstream PR #10149, @gandro)
docs: Minor improvements to GKE guide (Backport PR #10183, Upstream PR #10150, @pchaigno)
docs: re-wrote wording for the behavior of 'fromEndpoints' (#9544, @aanm)
docs: revamp kube-proxy-free gsg (Backport PR #10072, Upstream PR #10069, @borkmann)
docs: update docs for --aws-release-excess-ips (#9569, @jaffcheng)
docs: update supported k8s versions (#9310, @aanm)
docs: Use kube-system namespace consistently in Encryption guide (Backport PR #10183, Upstream PR #10162, @pchaigno)
Documentation: add proxy visibility information (#9530, @ianvernon)
Documentation: add script to add misspelled words (#9578, @aanm)
Documentation: Document potential conflict of ENI with DHCP agents (#9934, @tgraf)
Documentation: improve CI documentation organization / remove stale information (#9457, @ianvernon)
Documentation: Improve external etcd documentation wording (#9478, @mpeiffer)
Documentation: remove LTS references (#9494, @ianvernon)
Documentation: remove microscope reference (#9472, @ianvernon)
Documentation: remove stale GH issue link (#9471, @ianvernon)
Documentation: split up contributing guide into smaller, more focused documents (#9456, @ianvernon)
Documentation: update release guide (#9496, @ianvernon)
Documentation: update to account for new CNPNodeStatus capabilities (#9531, @ianvernon)
endpoint: clean up exposure of functions / remove unneeded functions (#9121, @ianvernon)
endpoint: cleanup how build permits are acquired (#9234, @ianvernon)
endpoint: create distinct type for restoring (#8941, @ianvernon)
endpoint: create separate interface for proxy (#9157, @ianvernon)
endpoint: do not export EventQueue (#9080, @ianvernon)
endpoint: do not export Status field (#9068, @ianvernon)
endpoint: do not export additional fields (#9170, @ianvernon)
endpoint: do not export endpoint locking functions (#9142, @ianvernon)
endpoint: do not export various fields (#9012, @ianvernon)
endpoint: factor out waiting for first regeneration during creation into separate function (#9073, @ianvernon)
endpoint: hide restore operations inside Endpoint package (#8972, @ianvernon)
endpoint: make policyMap private (#8863, @ianvernon)
endpoint: move TestReadEpsFromDirNames to pkg/endpoint (#8997, @ianvernon)
endpoint: move api-related functions to api.go (#8991, @ianvernon)
endpoint: move deletion deadlock unit test to pkg/endpoint (#9067, @ianvernon)
endpoint: move deletion into Endpoint package, remove acquisition of Endpoint locks in EndpointManager (#9025, @ianvernon)
endpoint: move patching update functionality to pkg/endpoint (#8968, @ianvernon)
endpoint: reduce exported functionality (#9191, @ianvernon)
endpoint: refactor Docker + IPVLAN interactions (#8974, @ianvernon)
endpoint: refactor how default policy enforcement configuration is performed (#9120, @ianvernon)
endpoint: refactor proxy-related functioning to not access endpoint mutex directly (#9070, @ianvernon)
endpoint: remove most cases of direct access to OpLabels (#9069, @ianvernon)
endpoint: remove need to expose read-locking in updateEndpointsCaches (#8977, @ianvernon)
endpoint: remove unused HealthCEPPrefix string (#8896, @ianvernon)
endpoint: Remove useless restore log message (#9256, @joestringer)
endpointmanager: add EndpointManager type and remove package-level variables (#8742, @ianvernon)
endpointmanager: remove unneeded calls to UpdateLogger (#9158, @ianvernon)
eni node_manager unit test improvements (#9756, @jaffcheng)
Envoy has been updated to release 1.12. (#9542, @jrajahalme)
Envoy TLS fixes (#9820, @jrajahalme)
envoy: Use TypedConfig for Envoy filters (#9889, @jrajahalme)
examples: Remove obsolete k8s-ingress example (#9419, @brb)
Expands the CiliumNode ENI spec to include security-group-tags which allows selecting the security groups associated to the newly created ENI to be filtered by tags. (#9702, @ungureanuvladvictor)
Extend coverage of connectivity test (Backport PR #10153, Upstream PR #10141, @tgraf)
factor out conntrack GC into separate package (#9160, @ianvernon)
Fix configuration of monitor aggregation flags (#9418, @joestringer)
Fix helm subchart versions (#9826, @ap4y)
Fix Service6ValueV2 padding and add missing align tags (#9286, @brb)
Fix table markdown spacing issue (#9801, @dhsathiya)
fix typo in bpf/lib/lb.h (#9378, @BSWANG)
Fix typo in documentation (#9739, @vpnachev)
Fixes #9470: Add clean Makefile target to Documentation (#9506, @rhcu)
fqdn: Avoid races when updating global cache on GC (#9483, @raybejjani)
github: remove github actions integration (#9731, @aanm)
GO_VERSION: set golang version to 1.13.5 (#9761, @aanm)
golang: update to 1.13.4 (#9565, @aanm)
golang: update to 1.13.7 (#9985, @aanm)
health: Quieten health launch log (#9538, @joestringer)
helm: Add deps for quick-install.yaml target in Makefile (#9759, @brb)
identity: create CachingIdentityAllocator type (#9066, @ianvernon)
Improve 1.7 upgrade and nodeport documentation (#9634, @joestringer)
Improve cilium getEndpointList function (#9240, @fristonio)
Improve debuggability of custom chain flush/delete (#8692, @joestringer)
improve kernel probe for host reachable services and fix compile warns (Backport PR #10132, Upstream PR #10111, @borkmann)
Improve nodeinit uninstalls by reverting nodeinit changes (#9757, @ap4y)
Improve policy documentation (#9763, @joestringer)
Improve the 'Setting up Cluster Mesh' page. (#9725, @bmcstdio)
Improve the uploadrev script (#9787, @joestringer)
ipcache: Associate IPs with K8s namespace and pod name (#9237, @gandro)
ipcache: Fix ipcache pod IP update (Backport PR #10132, Upstream PR #10098, @joestringer)
k8s/types: fix missing deepcopy of SpecPodCIDRs in Node structure (#9239, @aanm)
k8s: Remove unused types.Ingress (#9701, @brb)
k8s: update libraries to v1.17.1 (#9883, @aanm)
kubernetes: Remove obsolete scheduler annotation (#8829, @gandro)
kvstore: clean up casting around kvstore.Encode (#9138, @borancar)
kvstore: plumb context (#9512, @ianvernon)
LB refactoring leftovers (#9320, @brb)
Lower default FQDN TTLs and update docs (#9653, @raybejjani)
make: Remove GOPATH from swagger command (#9632, @mrostecki)
Makefile: add docker-plugin-image target (#9315, @ianvernon)
Makefile: add automated way to update golang in Dockerfiles (#8927, @ianvernon)
Makefile: add way to skip starting kvstores, running govet (#8758, @ianvernon)
Makefile: remove deepcopy for configmap (#9098, @aanm)
Makefile: remove patch for shell script (#9501, @aanm)
maps: remove configmap (#8895, @ianvernon)
meta: Combined bpf changes PR for #9323, #9317, #9324 (#9335, @joestringer)
minor misc doc updates (#9865, @borkmann)
Minor test documentation / make targets fixups (#9522, @joestringer)
misc. daemon cleanup (#9498, @ianvernon)
misc: Get rid of NEWS.rst (#9197, @brb)
misc: plumb context throughout cilium codebase (#9523, @ianvernon)
monitor: Add TraceNotify.DataOffset() (#9441, @joestringer)
Move --aws-instance-limit-mapping flag to be on the operator (#9693, @ungureanuvladvictor)
Move k8s_watcher.go to pkg/k8s/watchers (#9434, @aanm)
node: Remove error return from SetIPv6NodeRange (#9954, @tgraf)
node: Remove unused PublicAttrEquals func (#9758, @joestringer)
nodediscovery: remove need for Configuration interface (#9499, @ianvernon)
nodeport fixes (#10040, @borkmann)
nodeport follow-up improvements for nat (#9822, @borkmann)
operator/cilium-docker: build images with image arguments (#9312, @aanm)
operator: Improve identity GC logging (#9804, @tgraf)
pkg/bpf, pkg/endpoint/connector: use RLIM_INFINITY constant (#9283, @tklauser)
pkg/lock: fix StoppableWaitGroup tests (#9465, @aanm)
plumb context to policy, aws packages (#9511, @ianvernon)
plumb daemon's context to various users of context (#9489, @ianvernon)
policy: clean a duplicated code (Backport PR #10072, Upstream PR #10016, @zhiyuan0x)
policy: correctly process "ANY" L4 protocol in annotation (#9425, @ianvernon)
policy: Error out on missing secrets in policy computation (#9897, @jrajahalme)
policy: generate explicit allow-all at L7 for DNS-based visibility policy (#9391, @ianvernon)
policy: rename IsLabelBased to AllowsWildcarding (#9345, @ianvernon)
pre-flight: set terminationGracePeriodSeconds to 1 (#8952, @ianvernon)
Prepare for release v1.7.0-rc3 (#10043, @aanm)
Rate limit ec2:DescribeSubnets in the EC2 client (#9700, @ungureanuvladvictor)
README: Add link to Hubble (#9639, @gandro)
README: update latest v1.6 version to v1.6.2 (#9275, @ianvernon)
README: update released versions of Cilium (#9181, @ianvernon)
README: update released versions of Cilium (#9373, @ianvernon)
README: update weekly meeting hours (#9864, @aanm)
refactor loader into a type and hide it behind Datapath interface (#8769, @ianvernon)
Refine the clean up scripts for getting started guides (#9629, @denverdino)
Restore SVC type after restart (#9896, @brb)
Revert "Makefile: Fix 'make microk8s' privileges" (#9290, @joestringer)
RFC: Update CODEOWNERS for specific packages and files (#9044, @ianvernon)
Run make for install/kubernetes/quick-start.yaml (#9751, @frelon)
SECURITY.md: update versions of supported releases (#9856, @rolinh)
service: Remove global ID allocator (#9484, @brb)
service: Remove optional revNat param and cleanup svc removal (#9227, @brb)
service: Simplify logic of svc ID allocation (#9213, @brb)
Small documentation fixes and add release candidate process (#9871, @aanm)
Supported BPF map types probe based on bpftool (#9795, @mrostecki)
test README: Fix the documentation link (#9941, @kaworu)
test: fix ClusterIP IPv6 connectivity checks (Backport PR #10225, Upstream PR #10214, @borkmann)
test: Fix getNodeInfo in NodePort tests (Backport PR #10225, Upstream PR #10211, @borkmann)
test: Increase VM provisioning timeout for k8s-1.11 net-next job (#9980, @brb)
Tidy up backporting documentation (#9560, @joestringer)
TLS follow-up fixes (#9807, @jrajahalme)
tools: Add maptool executable to .gitignore (#9420, @brb)
toops/maptool: run GOCLEAN arguments as part of go clean (#9480, @aanm)
ubuntu-dev: bump to v164 (#9466, @aanm)
Unhide --k8s-namespace parameter (#9485, @timoreimann)
Unit-test wildcard selector equality in rule creation (#9521, @joestringer)
Update AWS SDK V2 to v0.18.0 (#9770, @ungureanuvladvictor)
update cilium-runtime with golang 1.13.8 (Backport PR #10225, Upstream PR #10208, @aanm)
update CODEOWNERS (#10041, @aanm)
update golang to 1.13.5 (#9749, @aanm)
Update references to latest releases and projects (#9774, @joestringer)
update USERS.md: add link to Trip.com's post (#9927, @ArthurChiao)
update USERS.md: add Trip.com to user list (#9885, @ArthurChiao)
updates tested k8s version to 1.17.3 (Backport PR #10225, Upstream PR #10215, @aanm)
use blang/semver for version checking (#9467, @aanm)
Use config option for security identity swap cool-down period (#9349, @ungureanuvladvictor)
Use sysctl library and remove redundant sysctl code (#9004, @mrostecki)
USERS.md: add Sportradar (#9848, @yurrriq)
vagrant: Install temporary forked bpftool (Backport PR #10212, Upstream PR #10186, @pchaigno)
vagrant: Remove workaround to MASQ traffic from k8s2 (#9704, @brb)
vendor: downgrade go-version library due regression (#9459, @aanm)
vendor: update client-go to kubernetes v1.16.2 (#9445, @aanm)
workloads: do not set pod name and namespace via workloads plugin (#8999, @ianvernon)
workloads: remove WorkloadOwner from composing regeneration.Owner (#9221, @ianvernon)

Other Changes:

.github: rename github-actions file (#9780, @aanm)
[CI] Increase outer timeout of GKE job (#10009, @nebril)
[CI] set registry in boot vagrant vms steps (#9618, @nebril)
[CI] Use LocalExecutor if kubeconfig is defined (#8683, @nebril)
[Docs] CI bisect documentation (#8782, @nebril)
bpf, nodeport: fix CT GC race where syn/ack reply gets dropped locally (#9687, @borkmann)
bump minimum supported kubernetes version to 1.11.0 (#8938, @ianvernon)
cilium: K8s CI testing for sockops (#9685, @jrfastab)
contrib: Improve rebase-bindata function (#8702, @joestringer)
Dockerfile: Use Envoy image that always resumes NPDS (#9635, @jrajahalme)
docs: Document running via kubeconfig on EKS (#9682, @raybejjani)
endpoint: Check interface value of proxy field (#9479, @brb)
eni: Fix AWS ENI allocation exceeding IP limits for smaller instances (#9732, @huntermassey)
Fix 'make microk8s' target (#8984, @joestringer)
fqdn: Add zombie limit (#9641, @raybejjani)
Improve Getting Started guides by provide next steps sections (#9679, @genbit)
lxcmap: refactor EndpointFrontend interface (#8877, @ianvernon)
node/manager: Lock nodes slice during Subscribe (#9495, @joestringer)
Prepare for release v1.7.0-rc4 (#10170, @joestringer)
Prepare for v1.7 development (#8653, @ianvernon)
readme: update info for latest stable branch releases (#9688, @borkmann)
Revert "test: Temporarily disable Istio CI test" (#8844, @ianvernon)
test: Add vagrant-local-start.sh with preloaded VM support (#9633, @jrajahalme)
test: Install CoreDNS after Cilium is up (#8772, @tgraf)
test: Support external DNS lookups also for k8s-1.16 (#9666, @jrajahalme)
Update GO_VERSION to match builder version (#9995, @ap4y)
Update USERS.md to include Rapyuta Robotics (#9909, @HackToHell)
Updating AUTHORS (#9637, @aanm)
Updating USERS.md to include CENGN (#9942, @mohahmed13)
vendor: update etcd to v3.4.2 (#9461, @aanm)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v1.7.0

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

Upgrade Guide

Summary of Changes

Uh oh!