
@aanm released this Feb 19, 2020 · 94 commits to v1.7 since this release

This is the release for v1.7.0. The summary of changes reflects the diff between tags v1.6.6 and v1.7.0.

Upgrade Guide

https://docs.cilium.io/en/v1.7/install/upgrade/#upgrade-guide

Summary of Changes

Major Changes:

Minor Changes:

  • Add --kube-proxy-replacement flag to control enabling of kube-proxy replacement in BPF (#9992, @brb)
  • Add ability to create tags on the ENIs the cilium-operator creates. (#9412, @ungureanuvladvictor)
  • Add cilium_version metric (#9623, @ChristineTChen)
  • add CLI to introspect state of daemon's NameManager field (#9132, @ianvernon)
  • Add enable-local-node-route option (#9505, @jraby)
  • Add gops to cilium-cni (#9568, @jraby)
  • Add more detailed proxy redirects status to cilium status (Backport PR #10132, Upstream PR #10082, @joestringer)
  • add option to hold cilium agent after init container (Backport PR #10132, Upstream PR #10101, @aanm)
  • add support for go modules (#8719, @aanm)
  • Add support for HealthCheckNodePort in NodePort BPF (#9906, @gandro)
  • Added CRD validation for ciliumnodes.cilium.io (#9655, @ungureanuvladvictor)
  • Adding USERS directory to create a list of Cilium users (#9810, @tgraf)
  • Adds --endpoint argument to fqdn cache list to show the cache just for a specific endpoint. (#9334, @ungureanuvladvictor)
  • Adds support for a service of the LoadBalancer type when running Cilium without kube-proxy. (#9694, @brb)
  • agent: Mark --lb feature deprecated for removal in 1.7 (#8786, @tgraf)
  • Allow icmp fragmentation needed agent option (#8218, @fristonio)
  • Allow setting timeout on cilium status command (#9625, @ashrayjain)
  • bpf: Add bind{4,6} programs to block NodePorts (#9880, @gandro)
  • bpf: improve DumpReliablyWithCallback (#9972, @Rolinh)
  • bpf: Report original source IP in TRACE_TO_LXC (#9321, @tgraf)
  • cilium cleanup removes previously installed NodePort BPF programs (Backport PR #10072, Upstream PR #10063, @brb)
  • cilium: lock GC walks for global CT maps to serialize deletions (#9645, @borkmann)
  • clustermesh: Add cilium status section (Backport PR #10212, Upstream PR #10169, @tgraf)
  • cmd: add zsh as an option for completion (#9882, @tonyluj)
  • Connection-based DNS policy (#9497, @raybejjani)
  • daemon,cli: Improve kube-proxy-replacement status (Backport PR #10132, Upstream PR #10083, @brb)
  • daemon: Add KubeProxyReplacement to cilium status cmd (Backport PR #10072, Upstream PR #10059, @brb)
  • daemon: Fix race condition when syncing services with k8s (#9341, @brb)
  • Deprecate/Delete support for monitor v1.0 socket (#9650, @soumynathan)
  • docs: bump minimal k8s supported version to v1.11.0 (#9477, @aanm)
  • docs: remove disable container runtime documentation (#9868, @aanm)
  • docs: Update kube-router getting started guide (Backport PR #10183, Upstream PR #10159, @brb)
  • docs: Upgrade about tofqdns-min-ttl default and zombies (#9737, @raybejjani)
  • Documentation: Switch EKS documentation to default to ENI (Backport PR #10132, Upstream PR #10126, @tgraf)
  • Enable provisioning of K8s services in ipv4 and ipv6 when running in dual-stack mode (#9760, @brb)
  • ENI IPAM: Ensure that DeleteOnTermination defaults to true (#9406, @lbernail)
  • eni: Allow overwriting AWS instance limit via agent configuration (#9236, @jaffcheng)
  • Envoy is updated to release 1.12.1 (#9608, @jrajahalme)
  • Fix implementation of k8s external IPs as described in kubernetes documentation (#9092, @aanm)
  • Get rid of LB backend weights (#9254, @brb)
  • Getting started guide to TLS-visibility (Backport PR #10072, Upstream PR #9808, @danwent)
  • golang: update to 1.13.6 (#9872, @aanm)
  • golang: update to 1.13.8 (Backport PR #10212, Upstream PR #10179, @aanm)
  • HTTPS URL of kube-apiserver can be specified via "--k8s-api-server" from now on. (#9198, @brb)
  • Improve monitor aggregation flexibility (#9177, @joestringer)
  • Reduce cilium-agent binary size (#9306, @joestringer)
  • Introduce identity for remote nodes (#8841, @tgraf)
  • ipcache: Add cilium monitor events and expose it via API (#9268, @gandro)
  • Istio support is updated to version 1.4.3 (#9968, @jrajahalme)
  • k8s: Allow _ in CNP CRD toFQDNs validation (#9179, @raybejjani)
  • kubernetes: Updated connectivity check (Backport PR #10153, Upstream PR #10104, @tgraf)
  • logging: add way to configure logging level via cilium-agent option (#8607, @ianvernon)
  • Make Agent Prometheus Exporter port configurable (#9584, @Antiarchitect)
  • Make FirstInterfaceIndex a pointer on ENI spec (#9745, @ungureanuvladvictor)
  • monitor/api: Export map of trace observation points (#9135, @tgraf)
  • monitor/api: Export message type names (#9151, @tgraf)
  • monitor: Export trace observation point via API (#9119, @tgraf)
  • On-demand policy wildcarding (Backport PR #10153, Upstream PR #10054, @jrajahalme)
  • pkg/endpoint: add policy visibility status into CiliumEndpoint (#9601, @aanm)
  • pkg/k8s: add support for multi-stack (#9215, @aanm)
  • pkg/k8s: use local stores to fetch pod information from k8s (#9586, @aanm)
  • plugins/cilium-cni: disable CNI debug messages by default (#9493, @aanm)
  • policy: Disable well-known identities for non-managed etcd (#9698, @tgraf)
  • policy: Reject ingress rules with DNS policies (#8558, @iffyio)
  • Relax limits for maximum number of CIDR prefixes (40 -> unlimited) (#9724, @joestringer)
  • Remove /96 IPv6 CIDR constraint, which makes cilium work in k8s dual-stack mode (#9777, @brb)
  • Remove bpf_lb.c and friends (#9199, @brb)
  • Remove container runtime dependencies (#9447, @aanm)
  • Rename "Policy denied (L3)" to "Policy denied" (#9951, @tgraf)
  • Restrict ENI usage to IPv4 (#8843, @tgraf)
  • RFC: k8s / operator: offload CNPNodeStatus updates to cilium-operator (#9384, @ianvernon)
  • service: Notify monitor about service updates (#9574, @gandro)
  • service: Store and expose service name and namespace (#9554, @gandro)
  • ServiceMonitor should default to release namespace (Backport PR #10132, Upstream PR #10088, @dsexton)
  • Support for externalTrafficPolicy=Local in NodePort BPF (#9764, @gandro)
  • Support v4-in-v6 mapped addresses in BPF host reachable services. (#9923, @borkmann)
  • Update to golang 1.13.1 (#9279, @aanm)
  • Update k8s libraries to 1.17.0 (#9744, @aanm)
  • Use helm repository in docs (#9783, @ap4y)

Bugfixes:

  • Add better mechanism to detect if k8s caches are synced against k8s (#9400, @aanm)
  • api: Add missing annotations to generate DeepCopy for new status fields (Backport PR #10183, Upstream PR #10166, @tgraf)
  • bpf: Fix proxy redirection for egress programs (Backport PR #10153, Upstream PR #10113, @tgraf)
  • bpf: Remove POLICY_MAP from bpf_netdev and bpf_overlay (#9949, @tgraf)
  • cilium: use %v for dumping frontend struct on error (#9845, @borkmann)
  • Correct clustermesh identity sync kvstore backend usage (to actually use the remote) (Backport PR #10212, Upstream PR #10185, @raybejjani)
  • daemon: Upgrade spf13/viper (#9796, @raybejjani)
  • eni: Check instance existence before resolving deficit (#9676, @jaffcheng)
  • Filter out bpftool probes emitting dmesg messages (Backport PR #10183, Upstream PR #10164, @mrostecki)
  • Fix cilium daemonset deletion on AKS (#9519, @mlushpenko)
  • Fix concurrent access of a variable used for metrics (Backport PR #10183, Upstream PR #10137, @aanm)
  • Fix issue (#10092) which incorrectly configured route MTU with encryption and tunnel enabled. (Backport PR #10225, Upstream PR #10218, @jrfastab)
  • Fix memory corruption on clusters with IPv6 and NodePort enabled (Backport PR #10212, Upstream PR #10192, @aanm)
  • Fix node-port default route detection in case there are multiple default entries with the same ifindex. (#9844, @borkmann)
  • Fix regression to avoid freeing alive IPs (Backport PR #10225, Upstream PR #10207, @tgraf)
  • Fix regular service lookup in node-port range in case of host-reachable services. (#9843, @borkmann)
  • Fix Unlock handling for kvstore locks (#9973, @aanm)
  • Fix vishvananda/netlink library's VethPeerIndex() stack corruption with 4.20+ kernels. (#9588, @borkmann)
  • fqdn: Support setting tofqdns-min-ttl to 0 (#9743, @raybejjani)
  • health: add ipv6 health check status to cilium health status output (#8766, @fristonio)
  • HostToContainer propagation for /sys/fs/bpf (#9575, @jraby)
  • ipam: Protect release from releasing alive IP (Backport PR #10072, Upstream PR #10066, @tgraf)
  • ipcache: Add probe to check for dump capability to support delete (Backport PR #10153, Upstream PR #10144, @tgraf)
  • ipsec: fix connectivity after node reboots (#9866, @martin31821)
  • k8s: Fix Service.DeepEquals for ExternalIP (#9690, @brb)
  • kubernetes: Disable LocalNodeRoute while chaining (Backport PR #10072, Upstream PR #10057, @tgraf)
  • node: Provide context in log when restoring router addresses (#9947, @tgraf)
  • operator: only enable kvstore watcher if kvstore is enabled (#9963, @aanm)
  • pkg/bpf: Protect each uintptr with runtime.KeepAlive (Backport PR #10212, Upstream PR #10168, @brb)
  • pkg/endpoint: access endpoint state safely across go routines (Backport PR #10183, Upstream PR #10140, @aanm)
  • pkg/ip: fix cilium status output for big CIDR ranges (#9936, @aanm)
  • policy: Don't open localhost when allowing L7 traffic (#9162, @joestringer)
  • policy: Expose L3 selectors within endpoint JSON (#8610, @iffyio)

CI Changes:

Misc Changes:

Other Changes:
