Release 1.8.0-rc1 · cilium/cilium

This is the first release candidate of v1.8.0. The summary of changes below reflect the diff between the last stable release (v1.7.4) and tag v1.8.0-rc1.

Summary of Changes

Major Changes:

Add a new DSR/SNAT hybrid mode which allows to work without MTU changes and enables DSR for TCP and SNAT for UDP workloads. Enable it by default for Cilium's kube-proxy replacement in probe and strict mode. (#10203, @borkmann)
Add a new event type for policy verdicts (#9943, @lzang)
Add BPF masquerading for veth mode (#11148, @brb)
Add BPF-based ip-masq-agent (#11148, @brb)
Add Cilium Operator IPAM (#11083, @aanm)
Add DeepEquals generated code (#11435, @aanm)
Add Kubernetes IPAM mode (#10407, @tgraf)
add support for k8s 1.18 (#10654, @aanm)
Add support for services sessionAffinity (without and with kube-proxy) (#11085, @brb)
Allow attaching BPF NodePort and BPF masquerade to multiple devices (#11267, @brb)
Azure IPAM Support (#10089, @tgraf)
Embed Hubble (#10238, @michi-covalent)
Host endpoint (#10994, @pchaigno)
hubble-proxy: implement 'serve' command (#10653, @rolinh)
hubble-relay: add initial multi-node support (#11171, @rolinh)
hubble: implement peer service, enable it locally (#10969, @rolinh)
Implement policy audit mode for the daemon (#9970, @ap4y)
Merge all Hubble server-side code into Cilium (#10860, @tgraf)
Network policies for the host endpoint (#11507, @pchaigno)
Support for IPv4 fragments (#10264, @qmonnet)
Support for named k8s container ports is added to both K8s Network Policies and Cilium Network Policies. (#11092, @jrajahalme)
Switch to native-routing in GKE guide (#11079, @tgraf)
XDP-based NodePort LB handling for BPF-based DSR, SNAT and Hybrid mode. (#10877, @borkmann)

Minor Changes:

Add a flag to disable feeder installation on certain iptables tables (#10639, @Sh4d1)
Add command line option to dynamically size BPF maps based on total system memory. (#10780, @tklauser)
Add completion support for fish shell (#11284, @sayboras)
add getting started guide for BIRD (#10326, @ArthurChiao)
Add helm NOTES file (#10641, @soumynathan)
Add hubble helm charts to cilium install/kubernetes (#10648, @soumynathan)
Add informatin to docs about network interfaces in tunnelling mode (#11357, @cortopy)
Add more detailed proxy redirects status to cilium status (#10082, @joestringer)
Add more PriorityClassName fields in Helm charts (#10583, @johngmyers)
add option to hold cilium agent after init container (#10101, @aanm)
Add option to retrieve pprof traces from running cilium-agents (#10666, @aanm)
Add Pod as an owner of a CiliumEndpoint and remove useless Delete (#11195, @aanm)
Add PodSecurityPolicies to helm chart (#10330, @maxbischoff)
Add possibility to configure native-routing-cidr in helm chart. (#11132, @zbindenren)
Add priorityClassName to operator deployment in helm chart (#10285, @maxbischoff)
Add the data path filtering for policy verdict logs. (#10477, @lzang)
added a max-allocate flag on pkg/ipam to control the maximum amount of IPs being allocated to a node (#10786, @mvisonneau)
Added support for logging in JSON format (#11133, @mvisonneau)
agent: Remove awareness of IPv4 cluster-range (#10194, @tgraf)
Allow specifying on which interface the Azure IPAM should allocate IPs on (#10875, @ungureanuvladvictor)
azure: retrieve subscriptionID/resourceGroupName from Azure IMS if not provided via CLI flags (#10764, @ungureanuvladvictor)
Azure: support multiple pods subnets, and networks in different resource groups (#11268, @bpineau)
bpf: Check native-routing-cidr in BPF masquerade (#11473, @brb)
bpf: don't answer ARP requests for endpoint IP (#11533, @jcaamano)
bpf: Fix native dev cleanup (#10352, @brb)
bpf: make socket lb progs netns aware (#10778, @borkmann)
bpf: significantly improve capacity of TCP CT tables (#10518, @borkmann)
bump k8s dependencies and test to v1.18.1 (#10924, @aanm)
bump k8s dependencies and test to v1.18.2 (#11047, @aanm)
cilium cleanup removes previously installed NodePort BPF programs (#10063, @brb)
Cilium host proxy has has been updated to Envoy release 1.13.1. (#10222, @jrajahalme)
Cilium Operator can now use the flags specified cilium-config k8s configuration map (#10347, @aanm)
cilium, docker: runtime dependency updates (#10542, @borkmann)
cilium-operator: support subnets filters (#10738, @bpineau)
cilium: Add CLI to introspect IP <-> Identity cache (#11566, @joestringer)
cilium: bpf-based hostport implementation (#10592, @borkmann)
cli: Add Hubble section to cilium status output (#10879, @gandro)
cli: Clarify help of 'cilium map' (#10855, @pchaigno)
clustermesh: Add cilium status section (#10169, @tgraf)
daemon,cli: Improve kube-proxy-replacement status (#10083, @brb)
daemon: Add KubeProxyReplacement to cilium status cmd (#10059, @brb)
daemon: adding support for egress policy tracing (#10020, @wofanli)
daemon: Make build depend on Makefiles and Dockerfile (#10367, @jrajahalme)
Decrease CRD setup API calls when starting cilium-agent (#10676, @aanm)
Deprecate --disable-k8s-services cilium-agent flag (#10552, @soumynathan)
Deprecate DNS Poller in v1.8 (#10629, @soumynathan)
Do not listen on any port by default for cilium-operator (#10368, @aanm)
doc: Change machine-type to n1-standard-4 for GKE guide (#11529, @tgraf)
docs: Drop k8s 1.10 from supported/tested versions (#10319, @jrajahalme)
Docs: Implements Documentation to install Cilium on k3s (#10476, @seanmwinn)
docs: Mention that a kv-store is optional with k8s. (#10321, @jrajahalme)
docs: Update kube-router getting started guide (#10159, @brb)
Documentation: Switch EKS documentation to default to ENI (#10126, @tgraf)
Fallback mode for a missing xt_socket kernel module is added where kernel's IP early demux functionality is disabled. This fallback is enabled by default if it is needed for correct policy enforcement and visibility functionality. This fallback may be disabled by setting enable-xt-socket-fallback=false. (#10299, @jrajahalme)
Getting started guide to TLS-visibility (#9808, @danwent)
golang: update to 1.13.8 (#10179, @aanm)
golang: update to 1.14 (#10340, @aanm)
Handle audit mode in cilium endpoint list and kubectl get cep (#11011, @ap4y)
helm: add bpf-policy-map-max option (#11478, @alex1989hu)
helm: Add hubble section (#10358, @michi-covalent)
helm: add option to enable automatic etcd name resolution (#10918, @aanm)
helm: Allow for overriding the size of the managed etcd cluster. (#10644, @bmcustodio)
helm: set hubble-ui securityContext (#11475, @alex1989hu)
hubble-proxy: add initial skeleton (#10545, @rolinh)
hubble-relay: add Dockerfile and make target to build hubble-relay image (#11192, @rolinh)
hubble-relay: enable gRPC reflection (#11616, @rolinh)
hubble-relay: implement flows reordering (#11397, @rolinh)
hubble-relay: persist connections to hubble peers (#11335, @rolinh)
hubble: Populate traffic direction for trace and drop events (#11062, @gandro)
hubble: Update uint size in flow proto (#11161, @matej-g)
Improve 'cilium-agent --help' (#10795, @soumynathan)
ipmasq: Add default nonMasq CIDRs if config is empty (#11409, @brb)
Istio integration has been updated to Istio release 1.4.6. (#10466, @jrajahalme)
Istio integration has been updated to release 1.5.0. (#10564, @jrajahalme)
Istio integration has been updated to release 1.5.2 (#11280, @jrajahalme)
Istio integration is simplified with Cilium build of istioctl. (#10851, @jrajahalme)
Istio integration is updated to release 1.5.1, with backported fix for GKE/COS. (#10730, @jrajahalme)
k8s: Disable several CiliumEndpoint status sections by default (#10490, @tgraf)
Keep Cluster IP service handling when accessed from pods when kubeProxyReplacement is set to "disabled" (pre-v1.6 behavior). (#10651, @brb)
kubernetes: Updated connectivity check (#10104, @tgraf)
Make resources in agent and operator helm chart configurable (#10296, @maxbischoff)
Makefile: Add multi-arch support for cilium images (#10021, @iecedge)
monitor: Support more verbosity levels (#10820, @joestringer)
On-demand policy wildcarding (#10054, @jrajahalme)
Optimize scalability of CiliumIdentity operation (#11275, @tgraf)
Pass native-routing-cidr to ENI CNI for route rules (#10887, @dctrwatson)
pkg/identity: Watch and update labels for the host (#11543, @pchaigno)
pkg/logging: redirect klog output to logrus (#10961, @aanm)
policymap, fragmap: clean up doc, map size configuration (#10964, @qmonnet)
Properly tear down gops agent on shutdown (#11471, @tklauser)
Protect NodePort port range by appending it to net.ipv4.ip_local_reserved_ports if the range clashes with ephemeral port range (#10782, @brb)
proxy: Remove access-log option (#10393, @tgraf)
Remove deprecated --container-runtime{,-endpoint} options (#11060, @tklauser)
ServiceMonitor should default to release namespace (#10088, @dsexton)
Support DNS matchPattern="*" to match "." (#11633, @joestringer)
Support on-disk etcd client certificate and key reload when using trusted-ca-file (#10754, @bpineau)
Switch k8s liveness/readiness probes to use HTTP /healthz endpoint instead of "cilium status --brief" command. (#11408, @tklauser)
Switch to upstream bpftool (#10353, @mrostecki)
test: Avoid panics due to dereferencing a nil error (#10390, @jrajahalme)
The default maximum number of entries in the BPF TCP ctmap is reduced to 512K. (#10289, @tklauser)
The deprecared --enable-legacy-service option was removed. (#10255, @tklauser)
Use bpftool for generating BPF feature macros (#10019, @mrostecki)
Use slimmer protobuf definitions on k8s structures (#11326, @aanm)
Watch for CEPs in the cluster instead of all pods (#11249, @aanm)

Bugfixes:

Add ability to detect iptables mode (nft/legacy) in cilium daemon image (#11199, @mskrocki)
Add check for IPv6 before generating bpf headers (#10628, @christarazi)
AKS: Fix dynamic reconfiguration of bridge mode (#10383, @tgraf)
api: Add missing annotations to generate DeepCopy for new status fields (#10166, @tgraf)
Auto detect EndpointSlice support by checking enabled APIs in Kubernetes. (#11206, @Weil0ng)
bpf: clean up IPv4 fragments support (and bpf/), add option for map size (#10927, @qmonnet)
BPF: fix missing "break" in nat46 switch, and minor cleanup (#11410, @qmonnet)
bpf: fix nodeport to avoid sending loopback address out to wire (#10841, @borkmann)
bpf: Fix proxy redirection for egress programs (#10113, @tgraf)
bpf: Preserve source identity for hairpin via stack (#10926, @tgraf)
bpf: Set DIRECT_ROUTING_DEV* in routed mode (#11419, @brb)
cilium: encryption, additional mtu fix for non-default 1500B MTU (#10551, @jrfastab)
cilium: encryption, segfaults if existing non-Cilium xfrm policy without mark set exists (#10268, @jrfastab)
cilium: fix node-port range parsing from helm and update docs (#10382, @borkmann)
cilium: set encrypt node route mtu in encryption table (#10741, @jrfastab)
cli: do not output shell completion copyright header on error (#10558, @rolinh)
cli: Fix JSON output for BPF conntrack & NAT tables dump (#10904, @qmonnet)
clustermesh: Emit identity-change events for remote clusters (#10290, @raybejjani)
clustermesh: Ignore ..data directory of secrets mount (#10200, @tgraf)
cni: fix interface sandbox in cmdAdd return value (#10482, @jaffcheng)
Correct clustermesh identity sync kvstore backend usage (to actually use the remote) (#10185, @raybejjani)
CRD: fix allocation logic of identities with the same set of labels (#11040, @aanm)
daemon: Fatal on startup when Identity CRD is enabled without k8s (#11015, @raybejjani)
daemon: fix cilium-agent helper message for disable-cnp-status-updates (#10414, @aanm)
daemon: Fix the "close of closed channel" panic (#11056, @Sen666666)
datapath/iptables: Masquerade hairpin traffic that traversed the stack (#10928, @tgraf)
datapath: Fix wrong rev-NAT xlation due to stale conntrack entry (#10984, @brb)
Do not depend on KUBERNETES_SERVICE_HOST nor KUBERNETES_SERVICE_PORT environment variables to detect if cilium is running in k8s mode (#11021, @aanm)
Do not skip datapath rewrites when an otherwise duplicate endpoint regeneration requires it. (#10949, @jrajahalme)
Do not throw errors for each new endpoint that is created (#10608, @aanm)
doc: Fix AKS guide regression (#10308, @tgraf)
endpoint: Avoid transient drops during policy map update (#10936, @jrajahalme)
eni: Fix unexpected IP release when agent restarts (#9888, @jaffcheng)
Envoy fixes for CVE-2020-8659, CVE-2020-8660, CVE-2020-8661, CVE-2020-8664 (#10434, @jrajahalme)
envoy: Take xds mutator lock for map access (#11541, @jrajahalme)
etcd: Fix gRPC load balancer issue (#10381, @tgraf)
Filter out bpftool probes emitting dmesg messages (#10164, @mrostecki)
Fix concurrent access of a variable used for metrics (#10137, @aanm)
Fix Docker getting started guide example. (#11023, @tklauser)
Fix eks restart pods helm (#10351, @tom-hadlaw-hs)
Fix fromCIDR policy on kernels 4.10 or older and extend test coverage (#11333, @willdeuschle)
Fix issue (#10092) which incorrectly configured route MTU with encryption and tunnel enabled. (#10218, @jrfastab)
Fix issue where --enable-remote-node-identity=false causes policy drops (#11006, @joestringer)
Fix issue where cilium-health cannot healthcheck remote endpoint in ENI mode (#11073, @christarazi)
Fix issue where lxc_config.h header disappears after some regenerations (#10630, @joestringer)
Fix memory corruption on clusters with IPv6 and NodePort enabled (#10192, @aanm)
Fix possible endpoint restore failure in CRD mode. (#10785, @aanm)
Fix pre-flight deployment for users upgrading from < 1.7 (#11599, @aanm)
Fix regression to avoid freeing alive IPs (#10207, @tgraf)
Fix several data races in unit tests (#10602, @tgraf)
Fix up ipcache access in datapath (#11525, @soumynathan)
Fix: resync IP addresses for instances that have been stopped for more than a minute (#11091, @willdeuschle)
Fixups for Correct clustermesh identity sync kvstore backend usage (#10243, @raybejjani)
fqdn: DNS proxy compresses DNS responses (#10366, @raybejjani)
GKE CI: Fix K8sDatapathConfig* tests (#10259, @tgraf)
Gracefully handle lost events from k8s without printing warnings (#11461, @aanm)
hubble/container: Properly deal with nil values in RingReader (#11323, @gandro)
Improve pod restarts on GKE (#10377, @ap4y)
IPAM related bugfixes (#10587, @tgraf)
IPAM: dynamically fetch the allocatable ipv4 addresses amount from instance limits (AWS) (#10831, @mvisonneau)
ipam: Protect release from releasing alive IP (#10066, @tgraf)
ipcache: Add probe to check for dump capability to support delete (#10144, @tgraf)
Istio integration has been updated to Istio release 1.5.4 (#11530, @jrajahalme)
k8s/identitybackend: exclude k8s namespace labels from CRD metadata (#11382, @rlenglet)
k8s: Defer marking node as ready to just API is served (#10767, @tgraf)
k8s: Do not send DeleteService event upon DeleteEndpoints (#11467, @brb)
k8s: Provide fallback for EndpointSlices detection if discovery API is not available (#11253, @tgraf)
Kubernetes connectivity check fixes (#10801, @tgraf)
kubernetes: Disable LocalNodeRoute while chaining (#10057, @tgraf)
kubernetes: do not disable node routes for portmap (#10415, @aanm)
kubernetes: do not set enable-endpoint-health-checking=false with portmap (#10566, @soumynathan)
Log more information for error 'Unable update CRD identity information with a reference for this node' (#10923, @aanm)
Make cilium bpf {ct, nat} {list, flush} to work when running in ipv6-only mode (#10193, @brb)
metrics: add missing metrics for cilium agent api handler (#10376, @fristonio)
node: Remove permanent ARP entry when remote node is deleted (#10227, @brb)
pkg/bpf: Protect each uintptr with runtime.KeepAlive (#10168, @brb)
pkg/endpoint: access endpoint state safely across go routines (#10140, @aanm)
pkg/k8s: add missing support for multi-stack (#11240, @aanm)
pkg/monitor: Add missing drop reasons (#10554, @Frankkkkk)
policy: fix innermap's flag error in eppolicymap (#10201, @zhiyuan0x)
policy: Keep NameManager locked during SelectorCache operations (#10501, @jrajahalme)
pre-flight: Correct tofqdns-precache container name (#10753, @raybejjani)
Remove stale rules for endpoints upon deletion in ENI mode (#11163, @christarazi)
Restore node IP behavior of Cilium < 1.7 (#11057, @tgraf)
service: Fix HealthCheckNodePort not displayed in API (#10240, @gandro)
set explicit liveness/readiness probe timeout for deny connectivity checks (#10581, @danwent)
Setting the agent.sleepAfterInit helm chart value to True will correctly configure the agent to sleep after Init (#11203, @seanmwinn)
Tight CNP and CCNP schema validation for badly formatted policies (yaml or json) (#10727, @aanm)
When running in Kubernetes, Cilium will run a periodic heartbeat and close all open Kubernetes client connections if the active connections become unresponsive. (#10184, @tom-hadlaw-hs)

CI Changes:

[CI] add release name to helm template calls (#10062, @nebril)
[CI] Fix path to print-node-ip script in jenkinsfile (#10112, @nebril)
[CI] Mark TLS policy test as pending (#10219, @nebril)
[CI] Randomize ns in policy tests (#10180, @nebril)
[CI] Replace jenkinsfiles with symlinks (#10262, @nebril)
Add CI flag -cilium.multinode[=true] (#11625, @joestringer)
Add timeout to docker prune after building images (#11359, @nebril)
bpf: Add test for __ct_lookup return value (#10064, @pchaigno)
build: Add bpf to PATH for privileged tests (#11515, @jrajahalme)
build: Few minor makefile and dockerfile improvements (#10970, @errordeveloper)
CI monitor reading (#10859, @raybejjani)
CI: Actually read in CILIUM_IMAGE when splitting it (#10963, @raybejjani)
ci: add comments to gke-specific scripts (#10898, @nebril)
ci: add gke cluster name to build name (#11422, @nebril)
ci: Add Hubble helpers (#11232, @gandro)
ci: Add runtime jenkinsfile (#11190, @nebril)
ci: Add tests for embedded Hubble (#11084, @gandro)
ci: adjust kernel jenkinsfile to be more versatile (#11061, @nebril)
ci: avoid null build names in master builds (#10803, @nebril)
ci: bump 4.19 image version (#10722, @nebril)
ci: Don't cleanup in gke job (#10901, @nebril)
ci: fix archiving artifacts in runtime jenkinsfile (#11585, @nebril)
ci: fix argument retrieval script for kernel specific builds on master (#10932, @nebril)
ci: Fix cleanup on gke job (#10995, @nebril)
CI: fix kubectl.CiliumPolicyAction() by casting "cilium policy wait" duration to integer (#11358, @qmonnet)
ci: Fix nightly image build (#10423, @nebril)
ci: Fix NightlyEpsMeasurement (#10514, @nebril)
ci: gather cilium-config configmap as part of ci logs (#10556, @nebril)
ci: Gather commands from local node (#11102, @nebril)
CI: GKE build only prunes docker images older than 6h (#11100, @raybejjani)
CI: GKE build prunes only docker images (fix filter) (#11135, @raybejjani)
CI: GKE more cleaning (#10965, @raybejjani)
CI: GKE terminating namespace hack find orphaned objects (#10570, @raybejjani)
CI: Increase GKE/EKS ginkgo timeout to 3 hours (#10809, @raybejjani)
ci: increase vm memory in kernel specific build (#10916, @nebril)
CI: integrate hubble-relay and add initial hubble-relay tests (#11549, @rolinh)
CI: K8sFQDNTest retry initial DNS lookups (#10871, @raybejjani)
CI: K8sKafkaPolicyTest kafka-broker starts up without errors (#10721, @raybejjani)
CI: K8sPolicyTest Shorter timeout for successful redirection policy tests (#11059, @raybejjani)
CI: Local CI runs don't set CILIUM_REGISTRY (#10077, @raybejjani)
ci: No error if there are no terminating ns (#10318, @nebril)
ci: overwrite jenkins build url in gke cluster lock (#11421, @nebril)
CI: PolicyTest toEntities All (#10051, @raybejjani)
ci: Prune only docker images built for current build (#11222, @nebril)
ci: remove correct temporary config file (#11145, @nebril)
CI: remove path filter in docs workflow (#10784, @errordeveloper)
CI: Restart all kube-system pods in GKE (#11136, @raybejjani)
CI: Retry KubeDNSPreflightCheck with timeout (#10866, @raybejjani)
CI: Rework how docs are built (#10572, @errordeveloper)
ci: Run GKE jobs only on gke nodes (#10715, @nebril)
ci: Set PR build name (#10696, @nebril)
CI: Skip Istio tests on GKE (#10707, @raybejjani)
ci: tag images built in CI (#11070, @nebril)
CI: Upgrade test on GKE (#10422, @raybejjani)
ci: Use already built nightly image to push to nightly (#10498, @nebril)
ci: use specified docker tag on gke tests (#10737, @nebril)
CI: Wait for cilium to regenerate when updating k8s network policies (#10779, @raybejjani)
datapath/test: Do not SNAT for WORLD_ID and enable BPF masquerading by default in CI (#11426, @brb)
docs: Add instructions for adding a new managed k8s provider (#10788, @raybejjani)
docs: Add instructions to run e2e tests on GKE (#10029, @raybejjani)
docs: Explain test-focus CI trigger (#10695, @raybejjani)
Dynamically determine native dev iface for NodePort/externalIPs (#10119, @brb)
Fix gke zone in release cluster script (#10109, @nebril)
Fix node ip script path (#10685, @nebril)
Fix upgrade guide for v1.7 and replicate it in a CI test (#9993, @aanm)
Forcibly remove namespace (#10265, @nebril)
iana: Hook up unit test (#11516, @jrajahalme)
ipmasq: Stop and wait until goroutine is finished in unit tests (#11387, @brb)
maps: remove old map names (#10992, @qmonnet)
Move GKE CI to US zone (#10091, @nebril)
pkg/k8s: fix heartbeat unit test (#10790, @aanm)
Re-enable Services test with l7 policy (#11623, @jrajahalme)
RenderTemplateToFile writes file to node (#11160, @David0922)
Revert "ci: Run GKE jobs only on gke nodes" (#10736, @nebril)
Run tests on 4.19 kernel (#10634, @nebril)
test/K8sServices: Add Tests for UDP connectivity (#9997, @gandro)
test: Add K8sServicesTest with L4-only policy (#11605, @jrajahalme)
test: Add Kubernetes Service CI tests for IPv6 (#10115, @gandro)
test: Annotate lock deployment with Jenkins $BUILD_URL (#11391, @errordeveloper)
test: Apply deployments in BeforeAll rather than BeforeEach (#11514, @jrajahalme)
test: bpf: Fix load for cgroups progs (#10156, @joestringer)
test: Check kubectl with 'which' instead of 'dpkg -l' (#10998, @jrajahalme)
test: Do not sleep in sessionAffinity tests (#11216, @brb)
test: Enable K8sUpdates for kube-proxy-free CI job (#10586, @brb)
test: Enable Prometheus metrics in K8sHubbleTest (#11508, @michi-covalent)
test: Extend "Checks service on same node" test case (#10687, @brb)
test: Extend RunsOnNetNext helper family (#10870, @brb)
test: Fix cleanup after PolicyAuditMode test (#10493, @joestringer)
test: Fix configuring the Cilium agent in dev VM (#10578, @joestringer)
test: fix k8s provisioning with feature gates (#10658, @aanm)
test: Fix looping tests (#11621, @jrajahalme)
test: fix nightly upgrade test (#10306, @aanm)
test: Fix operator param in ManagedEtcd suite (#10593, @brb)
test: Fix possible race in waitForNPods helper function (#10481, @brb)
test: Fix running CI on microk8s (#11604, @joestringer)
test: Fix some minor microk8s integration issues (#10577, @joestringer)
test: Fix typo that prevented GKE clusters from scaling down (#11494, @errordeveloper)
test: Fix waiting for PODs (#11506, @jrajahalme)
test: Improve gke/{select,release}-cluster.sh scripts (#11173, @errordeveloper)
test: Improve skipping of k8sT/Services.go tests (#10047, @brb)
test: Install Helm 3 (#10378, @jrajahalme)
test: Make sure the namespace for Cilium exists (#11350, @michi-covalent)
test: merge waitToDelete* functions (#10559, @aanm)
test: Override env variables after parsing command line (#11480, @michi-covalent)
test: Remove cilium DS before installing a new one (#10039, @brb)
test: Run kubectl in test VM for older K8s releases (#11072, @jrajahalme)
test: update k8s testing versions to 1.15.11, 1.16.8 and 1.17.4 (#10661, @aanm)
test: upgrade tests from v1.7 to master (#10239, @aanm)
test: Wait for Istio POD termination before deleting istio-system or cilium (#10325, @jrajahalme)
test: Wait for POD readiness before test steps (#11413, @jrajahalme)
tests: test nodeport connectivity via v4-in-v6 sockets (#10053, @borkmann)
tests: update complexity check script to include new calls (#10106, @fristonio)

Misc Changes:

.github: Add release issue template (#10452, @joestringer)
.github: fix doc links in PR template (#10287, @tklauser)
.github: Minor release issue fixups (#10475, @joestringer)
.github: Run GitHub Actions on master (#11439, @pchaigno)
.github: Tweak the release note label message (#10617, @pchaigno)
.github: update cilium-actions for latest 1.7 RC (#10172, @joestringer)
.gitignore: Ignore some more common output files (#11354, @joestringer)
.travis: Adjust travis related code (#10327, @iecedge)
.travis: delete allow_failures for Arm64 job (#10540, @Jianlin-lv)
.travis: fix failure to install clang-10 on Arm64 (#11418, @Jianlin-lv)
.travis: fix issue that etcd exited on Arm64 (#10527, @Jianlin-lv)
.travis:fix test failed caused by timeout (#10656, @Jianlin-lv)
[Doc] - Update link to the contribution guide (#10307, @manuelbuil)
Add a function to get connection info in a structure format from data (#11352, @lzang)
Add and use concurrency-safe PRNG source (#10997, @tklauser)
Add benchmark for pkg/bpf/binary (#10620, @tklauser)
Add deepcopy generator checker (#11165, @aanm)
Add DeepEqual on all K8s update events (#11510, @aanm)
Add detector and fix write access on read-only structures (#11020, @aanm)
Add GitLab to USERS.md (#10487, @whaber)
Add helm NOTES to the root folder (#10902, @soumynathan)
Add new cilium docker file target for linux developers (#10513, @aanm)
Add note about Cilium with CRIO on minikube (#10796, @christarazi)
Add pkg/ipmasq to CODEOWNERS (#11389, @brb)
Add RancherOS to documentation OS compatibility matrix (#10881, @nathanjsweet)
Add required etcd version for external etcd guide (#10147, @nebril)
Add SAP Concur to USERS.md (#11384, @dragan)
Add support for file based authorizer for Azure (#10876, @ashrayjain)
Added Sphere Knowledge as users (#10787, @mvisonneau)
Adds details about required kernel versions above 4.9.17, supported OS update (#10537, @seanmwinn)
Adds newline after unit-tests target. (#10837, @Weil0ng)
agent: Remove color support (#10392, @tgraf)
agent: Remove leftovers from IPv6 /96 prefix requirement (#10196, @tgraf)
alignchecker: split alignment checks for monitor types into own package (#10107, @tklauser)
all: convert package level vars to consts where possible (#10329, @tklauser)
all: don't use global PRNG state from math/rand (#10575, @tklauser)
all: fix remaining prealloc issues (#10913, @tklauser)
all: preallocate slices with known size (#10716, @tklauser)
all: remove unnecessary use of fmt.Sprintf (#10858, @tklauser)
Allow to configure bpf-nat-global-max using Helm (#10511, @tklauser)
Also garbage collect Azure IPAM routes on endpoint removal (#11452, @bpineau)
api, daemon: drop unnecessary dependency on github.com/go-openapi/runtime/flagext (#10905, @tklauser)
api, daemon: drop unused dependency on github.com/jessevdk/go-flags (#10890, @tklauser)
api: add namespace as part of endpoint external identifiers (#10038, @fristonio)
Avoid reallocations in loops (#10224, @tklauser)
aws/eni/types: move ENI-specific types to own package (#10282, @tklauser)
azure: Fix allocation of addresses (#10815, @tgraf)
BPF programs no longer depend on libc headers. (#10204, @tklauser)
bpf, maps: consistently use MapType (#10394, @tklauser)
bpf, sock: avoid allocating cilium_lb6_reverse_sk if v6 is disabled (#10573, @borkmann)
bpf, sock: fix post-bind-sock{4,6} not found in ELF file (#10124, @borkmann)
bpf, xdp: migrate prefilter program to generic __ctx_buff (#10404, @borkmann)
bpf, xdp: various optimizations for nodeport (#11082, @borkmann)
bpf: add -nostdinc and a few more misc compilation options (#11205, @borkmann)
bpf: add tail_call_{static,dynamic} helpers (#11484, @borkmann)
bpf: atomically replace XDP program when in same XDP mode (#10958, @borkmann)
bpf: check for cilium-map-migrate instead of cilium CLI client in ini… (#10670, @tklauser)
bpf: Coccinelle scripts for align_stack_8 and const qualifier (#11234, @pchaigno)
bpf: compile out service lookup entirely on kubeProxyReplacement=disa… (#10060, @borkmann)
bpf: constify pointer function arguments (#10825, @tklauser)
bpf: convert datapath over to generic ctx type (#10333, @borkmann)
bpf: Declare config. variables as volatile (#10557, @pchaigno)
bpf: do not drop unknown protos in nat handling (#10526, @borkmann)
bpf: Ensure build_all target always builds all bpf datapath permutations (#11274, @joestringer)
bpf: Fix build warning for unused parameter (#10611, @pchaigno)
bpf: Fix build warning in conntrack test (#10598, @joestringer)
bpf: fix circular dependency warning (#11479, @tklauser)
bpf: Fix name for example map (#10768, @joestringer)
bpf: Fix pointer-to-int-cast warning in newer Clang (#10522, @pchaigno)
bpf: Fix reversed ENABLE_EXTRA_HOST_DEV condition (#10843, @pchaigno)
bpf: Fix space hack in Makefile (#10173, @brb)
bpf: fix typo in function name (#10589, @tklauser)
bpf: Fix typo in max options for bpf_lb (#10386, @pchaigno)
bpf: Improve compilation coverage (#10712, @pchaigno)
bpf: make setting fifo policy non-fatal when probing hz (#11454, @borkmann)
bpf: only update nodeport neigh entry if stale or non-existant (#11371, @borkmann)
bpf: optmize builtin functions before we fallback to them (#11089, @borkmann)
bpf: really only enforce bind rejection when in hostns (#11210, @borkmann)
bpf: Refactor identity resolution on bpf_netdev egress (#10776, @pchaigno)
bpf: Refactor meta, ipsec/hostdev_ingress (#10766, @joestringer)
bpf: remap MARK_MAGIC_SNAT_DONE marker to avoid conflicts (#11008, @borkmann)
bpf: remove Map.DeleteWithErrno() (#10058, @rolinh)
bpf: Remove bpf_netdev.o from previously used devices (#10087, @brb)
bpf: Remove duplicate code in bpf_sock.c (#10862, @brb)
bpf: Remove unused code (#10671, @pchaigno)
bpf: remove unused GetProgNextID, GetProgFDByID and GetProgInfoByFD (#10187, @tklauser)
bpf: Remove unused variables (#10665, @pchaigno)
bpf: switch csum_l4_replace and ipv4_dec_ttl to csum_diff (#10521, @borkmann)
bpf: use per-cpu scratch space from xdp context to store meta data (#11595, @borkmann)
bpf: use syscall.BytePtrFromString instead of deprecated syscall.StringBytePtr (#10117, @tklauser)
bpf: xdp asm volatile fix in relation to reg spill (#11152, @borkmann)
bpf: xdp generalization prep work (#10491, @borkmann)
bugtool: Dump NAT BPF maps entries with bpftool (#10190, @brb)
build: Optionally use git for all docker builds with BUILDKIT (#11513, @jrajahalme)
build: Remove sysctl from Dockerfiles (#11017, @errordeveloper)
bump k8s libraries to 1.18.0 (#10713, @aanm)
byteorder: simplify type switches (#10463, @tklauser)
charts: Generate versions from VERSION file (#10171, @joestringer)
ci/hubble: Fully remove Cilium installation (#11141, @gandro)
CI/RuntimePolicies: Replace cilium monitor with hubble observe (#11474, @gandro)
CI: Add test for healthCheckNodePort in NodePort BPF (#9977, @gandro)
CI: Change trigger event for docs workflow, add filter (#10748, @errordeveloper)
CI: Improve ability to run tests on non-CI clusters (#11167, @tgraf)
CI: Improve bootstraping before each test (#11287, @tgraf)
CI: New deployment manager to ease deployment into random namespaces (#11170, @tgraf)
CI: Run coccicheck BPF target with GitHub Actions (#11306, @pchaigno)
ci: skip fqdn restart test (#11639, @nebril)
CI: update Go version in .travis.yml directly (#11252, @tklauser)
CI: use GitHub action to check Go module vendoring (#11254, @tklauser)
cilium, builder: declutter all unused packages in builder (#11346, @borkmann)
cilium, contrib: tighten permissions on systemd bpffs mount unit file (#10805, @borkmann)
cilium, docker: switch to {clang,llvm}-10.0 and externalize build deps (#11308, @borkmann)
cilium, tests: reenable BPF xdp/tc nodeport tests (#11347, @borkmann)
cilium.io/v2: move files around to reduce imports in API (#11077, @aanm)
cilium: add NodePortBindProtection to allow for opting out bind rejection (#11188, @borkmann)
cilium: add visibility for all flags in CT dump (#10967, @borkmann)
cilium: fix cell alignment in status output (#11031, @tklauser)
cilium: improve host-port generated service names (#11469, @borkmann)
cilium: optimize bpf to use jiffies for ct maps (#11434, @borkmann)
cilium: various xdp related follow-ups (#10910, @borkmann)
Clarify CRI-O installation (#10920, @aanm)
Cleanups in pkg/maps (#10872, @tklauser)
cli: remove hidden 'generate-bash-completion' command (#10584, @rolinh)
client, identity: remove unnecessary guards around delete() (#10148, @tklauser)
coccinelle: Enable patching of missing __align_stack_8 (#11285, @pchaigno)
coccinelle: Fix Docker image name printed on errors (#11403, @pchaigno)
coccinelle: Use Docker image to patch issues (#11370, @pchaigno)
CODEOWNERS: Add CI team as code-owner of vagrant_box_defaults.rb (#11404, @gandro)
CODEOWNERS: add cilium/agent to owners for pkg/option (#11407, @tklauser)
CODEOWNERS: add pkg/operator to cilium/operator (#10348, @aanm)
CODEOWNERS: Clean up (#10807, @pchaigno)
CODEOWNERS: fix path for contribution process docs (#10305, @tklauser)
CODEOWNERS: ignore auto-generated documentation (#11366, @aanm)
contrib, docs: fixes for the backporting guide and script README (#10672, @tklauser)
contrib/vagrant: enable hubble by default (#11337, @rolinh)
contrib/vagrant: enable hubble listener on :4244 (TCP) by default (#11618, @rolinh)
contrib/vagrant: Fix warning when K8S is unset (#10280, @pchaigno)
contrib/vagrant: only ssh to k8s1 if vagrant up suceeded (#10049, @tklauser)
contrib: Add backport submission script (#10642, @joestringer)
contrib: Add script to bump stable releases (#10711, @joestringer)
contrib: Fixes for backporting scripts (#10829, @pchaigno)
contrib: include branch name in file generated by start-backport (#10649, @rolinh)
Correct message for kvstore get (consul) (#11568, @sayboras)
daemon: Check nodePortMax < ephemeralPortMin in agent (#10260, @brb)
daemon: Create all global maps in cilium-agent (#10626, @pchaigno)
daemon: create directory with correct permissions in prepareEndpointDirs (#10397, @tklauser)
daemon: Do not auto enable hybrid DSR mode (#10332, @brb)
daemon: Fix TriggerReloadWithoutCompile comment (#10954, @joestringer)
daemon: Improve error msg for endpoint IP reallocation (#10494, @brb)
daemon: Move files into own go package (#10594, @gandro)
daemon: preallocate prefilter spec slices with known size (#10751, @tklauser)
daemon: remove deprecated and hidden --sidecar-http-proxy option (#10432, @tklauser)
daemon: remove deprecated conntrack-garbage-collector-interval option (#11134, @tklauser)
daemon: Remove old policy call map (#10845, @pchaigno)
daemon: remove unused type rulesManager (#10188, @tklauser)
daemon: set k8s options as soon as possible (#11101, @aanm)
daemon: silence log messages during cmdref generation (#10090, @tklauser)
datapath, service: Isolate runtime-specific types from widely imported types (#10610, @errordeveloper)
datapath/link: Add unit tests (#10613, @mrostecki)
datapath/linux,maps/ipcache: consistently use BackedByLPM() helper (#10122, @rolinh)
datapath/loader: always set all args to bpf/init.sh (#10230, @tklauser)
datapath: Abstract LoadBalancerNodeAddresses() via NodeAddressing (#10409, @tgraf)
datapath: Clarify loader interfaces (#10771, @joestringer)
datapath: convert global variables to consts where possible (#10176, @tklauser)
datapath: Do not log if svc is not found (#10668, @brb)
datapath: Remove unnecessary matching on internal IP in proxy rules (#10408, @tgraf)
datapath: use net.IP.IsLoopback instead of string comparison (#10195, @tklauser)
dns: Log WriteMsgIP details. (#11037, @jrajahalme)
doc: Add Cilium container networking control flow (#10387, @soumynathan)
doc: Add code overview section (#11150, @tgraf)
doc: add documentation section about Hubble internals (#11139, @rolinh)
doc: Add helm version requirements updated install URL to GKE install guide (#10315, @CybrPunk)
doc: Add make render-docs-live-preview target (#11536, @michi-covalent)
doc: Add NodePort tests to connectivity-check (#11087, @tgraf)
doc: Add SKIP_LINT option to render-docs target (#11383, @michi-covalent)
doc: Adjust documentation to renamed cilium-sysdump tool (#10165, @tgraf)
doc: Document L7 limitation in azure-cni chaining mode (#10131, @tgraf)
doc: Document render-docs target (#11298, @michi-covalent)
doc: Enable Netlify Deploy Preview (#11537, @michi-covalent)
Doc: Fix ipam crd backend getting started guide (#10553, @soumynathan)
doc: Fix links to contributing guide (#10322, @CybrPunk)
doc: Fix minor issue with rst syntax (#10453, @errordeveloper)
doc: Fix the kubectl create option in upgrade.rst (#11271, @soumynathan)
doc: Make Helm version requirements harder to miss, add notes on Helm 2+3 compatibility (#10479, @errordeveloper)
doc: Mark encryption as stable for direct-routing and ENI mode (#10142, @tgraf)
doc: minor typo fix CRD allocator guide (#11143, @mqasimsarfraz)
doc: Tidy up usage of Helm (#10435, @errordeveloper)
doc: Update EKS documentation to delete aws-node (#10461, @errordeveloper)
doc: Update End-To-End Testing Framework page (#11353, @michi-covalent)
doc: update instructions about restarting pods after deployment (#10028, @rolinh)
doc: Update spelling for Netlify (#11642, @michi-covalent)
doc: Upgrade dependency verisons to remove warnings (#11299, @michi-covalent)
doc: Upgrade MarkupSafe to 1.1.1 (#10579, @mrostecki)
doc: Use docker.io instead of quay.io (#11606, @michi-covalent)
docker, runtime: only build clang and llc targets (#10956, @tklauser)
docker, runtime: remove apt cache from runtime image (#10704, @tklauser)
Docker: Speed up dev image builds (#11443, @jrajahalme)
Dockerfile: Change WORKDIR, remove redundant logic (#10531, @errordeveloper)
Dockerfile:Add arm64 support for building images (#10618, @Jianlin-lv)
Dockerfiles: Add git log when checking out from git (#10819, @joestringer)
Docs fix for mounting bpf fs (#11001, @nathanjsweet)
Docs policy title rename (#10854, @danwent)
docs, bpf: Add description about bpftool btf command (#10947, @DanielTimLee)
Docs: Update EKS GSG to clarify deployment in ENI vs. overlay mode (#11068, @danwent)
docs: A few cosmetic improvements in GKE guide (#10550, @errordeveloper)
docs: add test-gke command to ci docs (#10996, @nebril)
docs: Add Further Readings section to kube-proxy-free getting started guide (#11137, @brb)
docs: add missing words to spelling word list (#10328, @tklauser)
docs: add NAT table to BPF map limitations table (#10968, @tklauser)
docs: add setup validation howto to kube-proxy-free guide (#10086, @borkmann)
Docs: Add step for mounting bpf filesystem on k3s installations (#10508, @seanmwinn)
docs: add Wildlife Studios to USERS.md (#10548, @guilhermeoki)
docs: adjust VM name and cilium status output in Docker GSG (#11032, @tklauser)
docs: bump minimum required clang version for development to 7.0 (#10524, @tklauser)
docs: Cilium multi-node (and mesh) Kind Guide (#11157, @dctrwatson)
docs: clarify recommendation around managing multiple policy types (#11343, @genbit)
docs: Clarify wording for cluster and init entities (#10536, @joestringer)
docs: de-duplicate AWS cluster scale up instructions (#10175, @tklauser)
docs: Document how to run tests on backport PRs (#11211, @joestringer)
docs: document kube-proxy replacement modes (#10073, @borkmann)
docs: document that policyMapMax overrides dynamic policy map size (#11558, @tklauser)
docs: Fix "make render-docs" permissions issue (#10922, @joestringer)
docs: fix bird dashboard image scale (#10480, @aanm)
docs: fix build in non-verbose mode (#11119, @tklauser)
docs: Fix documentation postchecks (#10585, @pchaigno)
docs: fix hyperlinks and other minor issues (#11080, @qmonnet)
docs: fix inconsistent ipv6 usage in getting started docker docs (#10428, @fristonio)
docs: fix issue link in k8s policy docs (#10971, @tklauser)
docs: fix link for Cilium-PR-Kubernetes-Upstream job (#10178, @tklauser)
docs: Fix multiple broken links (#10576, @errordeveloper)
docs: fix section heading level in upgrade guide (#10456, @tklauser)
docs: fix spelling of "primarily" in Kubernetes IPAM docs (#10458, @tklauser)
docs: Fix up backporting instructions. (#10155, @jrajahalme)
docs: fixed padding after code blocks (#10143, @geakstr)
docs: Improve policy visibility docs (#10597, @joestringer)
docs: Mention direct routing mode requirement for DSR (#10149, @gandro)
docs: Minor adjustments to the development dependencies (#10697, @pchaigno)
docs: Minor improvements to GKE guide (#10150, @pchaigno)
docs: Pin Hubble version to v0.5 branch (#11121, @gandro)
docs: Point GKE doc to the cluster name var (#11590, @glibsm)
docs: properly format code in NFS configuration note (#10071, @tklauser)
docs: Quieten cmdref generation (#10725, @joestringer)
docs: Refresh ginkgo CLI flags documentation (#11629, @joestringer)
docs: revamp kube-proxy-free gsg (#10069, @borkmann)
docs: update list of advanced kernel requirements: fragment tracking (#11501, @qmonnet)
docs: Update PR docs for split jobs (#11463, @nebril)
docs: Update SIG meeting notes (#10519, @joestringer)
docs: Update trigger phrases for CI (#10791, @pchaigno)
docs: updating contribution guide process (#11174, @aanm)
docs: Use kube-system namespace consistently in Encryption guide (#10162, @pchaigno)
docs: which k8s-kernel pairs are we testing (#10880, @nebril)
Documentation: Lock dependency to fix build (#10419, @Ropes)
Drop dependency on pkg/option in cilium-cni and cilium-docker (#11327, @tklauser)
early spring cleanup helper prep for xdp (#10344, @borkmann)
Enable -Wextra when compiling bpf programs (#10596, @tklauser)
Enable helm-check github action for master branch (#11482, @sayboras)
endpoint: Avoid logging about disconnected EPs during restore (#10974, @jrajahalme)
endpoint: Fix incorrect warning for stat(2) (#11281, @pchaigno)
envoy: Reduce logging verbosity. (#11349, @jrajahalme)
examples/getting-started: Bump Cilium version (#10459, @errordeveloper)
examples/getting-started: fix docker-compose getting started (#10108, @aanm)
examples/getting-started: revert bind mount for /var/lib/cilium (#11030, @tklauser)
expand 1.7.x upgrade guide on enable-remote-node-identity (#10853, @danwent)
Extend coverage of connectivity test (#10141, @tgraf)
Fix bpf unit test build in dev VM (#10735, @tklauser)
Fix comment typos (#10749, @ungureanuvladvictor)
Fix corrupted bpf_features.h (#10861, @pchaigno)
Fix dead link in 1.4->1.5 upgrade documentation (#10416, @Ropes)
Fix hubble metricsServer label in values.yaml (#10908, @soumynathan)
Fix incorrect name in sysctl_linux_test.go (#10729, @christarazi)
Fix make generate-k8s-api (#11468, @sayboras)
Fix missing newlines at end of file (#10334, @maxbischoff)
Fix off-by-one warning from LGTM and add tests for NodePort range (#10151, @christarazi)
Fix up install make target (#10320, @joestringer)
fix(helm): To fix un-expected {{end}} in helm template (#11400, @sayboras)
fqdn: Update high-level package docs (#11034, @raybejjani)
Further IPAM simplifcations (#10569, @tgraf)
git: ignore cilium yamls created by tests (#11509, @jrajahalme)
go-bindata is no longer used to install BPF assets. (#10177, @tklauser)
go-mod: remove unecessary go module helper scripts (#10221, @aanm)
Helm-charts: Fix the values.yaml comment that was misleading (#10515, @soumynathan)
helm: Add a chart for hubble-relay (#11244, @michi-covalent)
helm: Allow disabling xt_socket fallback (#10342, @brb)
helm: Clean up hubble-listen-addresses (#11264, @michi-covalent)
helm: Do not enable hubble-cli subchart by default (#11124, @gandro)
helm: enable prometheus metrics in cilium-operator (#10539, @aanm)
helm: Ensure hubble is enabled when hubble-{relay,ui} is deployed (#11577, @gandro)
helm: re-generate quick-install.yaml after PR #10289 (#10604, @tklauser)
helm: re-generate quick-install.yml after PR #10566 (#10694, @tklauser)
helm: Set --enable-hubble/--hubble-socket-path flags (#10794, @michi-covalent)
helm: Update hubble related configuration (#11090, @michi-covalent)
helm: Update hubble-ui chart (#11273, @michi-covalent)
hostport: read the hostport setting from viper (#11051, @wangli8850)
hubble-cli: Mount /var/run/cilium as a directory (#11129, @michi-covalent)
hubble-proxy: fix completion code (#10631, @rolinh)
hubble-proxy: remove explicit binary stripping (#11058, @tklauser)
hubble-relay: add an option to run pprof (#11465, @rolinh)
hubble-relay: Add gops agent (#11372, @gandro)
hubble: Add OnFlowDelivery and OnGetFlows (#10896, @tgraf)
hubble: Change the default event queue size (#10488, @michi-covalent)
hubble: Change uint64 -> uint32 in getters interfaces (#11242, @matej-g)
hubble: Enable grpc reflection (#11116, @michi-covalent)
hubble: Export FilterByLabelSelectors (#10937, @michi-covalent)
hubble: move hubble-serve out of daemon, re-organize packages (#10892, @rolinh)
hubble: remove pkg/hubble/logger and use cilium's default logger (#11576, @rolinh)
hubble: remove unused code (#11584, @rolinh)
hubble: Simplify unix domain socket listener setup (#11067, @gandro)
hubble: Use a single string to configure the server address (#11330, @michi-covalent)
identity: Recognize host and health identities as fixed (#11583, @pchaigno)
idpool: don't initialize ID cache in random order (#10546, @tklauser)
Improve Helm post-setup NOTES (#11269, @soumynathan)
Improve k8s client heartbeat capability (#10673, @aanm)
improve kernel probe for host reachable services and fix compile warns (#10111, @borkmann)
Improve tunnel identity notifications (#11027, @joestringer)
Improve unit test for kvstore (#11300, @sayboras)
install/kubernetes: re-generate quick-install.yaml (#10424, @tklauser)
install: Support generating vX.Y-dev charts (#10355, @joestringer)
IPAM cleanups (#10535, @tgraf)
ipam/metrics: mention interfaces instead of ENI (#10406, @tklauser)
ipam/types: fix missing deep copy fields (#10500, @aanm)
ipam: Adjust log format of FirstInterfaceIndex (#11010, @Jianlin-lv)
ipam: Ensure the package builds on macOS (#10755, @errordeveloper)
ipcache: Fix ipcache pod IP update (#10098, @joestringer)
iptables: de-duplicate code for forward chain rules (#10281, @tklauser)
k8s/identitybackend: use self validation function (#11427, @aanm)
k8s/informer: panic Cilium if k8s watcher panic (#11196, @aanm)
k8s/watchers: do not consider pods with empty podIPs (#11282, @aanm)
k8s: Initialize CRD version (#11156, @jrajahalme)
kubernetes/cilium: bump helm version to 1.7.90 (#10102, @aanm)
linux: check policy routing of running kernel (#10068, @iecedge)
loader: Fix "Skipping symbol substitution" warnings (#10934, @pchaigno)
loader: Fixes for map creation from daemon (#10728, @pchaigno)
loader: Remove unused arguments in DeleteDatapath (#11495, @pchaigno)
make: allow make docker-image with symbol table and debug info (#11445, @jaffcheng)
make: Allow to build documentation with podman (#10959, @mrostecki)
make: avoid building plugins/cni twice (#11309, @tklauser)
make: consistently use $(GO) to invoke the Go tool (#10181, @tklauser)
make: fix govet target after moving 'common' to 'pkg' (#11406, @tklauser)
make: fix govet target after renaming hubble-proxy to hubble-relay (#11178, @tklauser)
make: fix reference to CONTAINER_ENGINE_FULL variable (#11258, @rolinh)
make: pick up all privileged tests in make tests-privileged (#10734, @tklauser)
make: Remove CONTAINER_ENGINE_FULL, use QUIET and CONTAINER_ENGINE (#11128, @mrostecki)
make: silence more sub-make output in quiet mode (#10891, @tklauser)
make: silence sub-make output when building in quiet mode (#10664, @tklauser)
make: strip symbol tables from all binaries by default (#10167, @tklauser)
make: use microk8s.kubectl in microk8s target (#10533, @tklauser)
Makefile: Add hubble-proxy to govet target (#10989, @gandro)
Makefile: Fix --yaml arg for microk8s (#10839, @joestringer)
Makefile: fix deepcopy generation for pkg/service/store (#10921, @aanm)
Makefile: Fix errors when specifying RACE (#11631, @christarazi)
Makefile: fix generating coverage when specifiying TESTPKGS (#11318, @christarazi)
Makefile: fix test selection for privileged tests (#11005, @qmonnet)
Makefile: generate coverage for privileged unit tests (#11375, @christarazi)
Makefile: Move bpf 'build_all' to ci-precheck target (#11291, @joestringer)
Makefile: move cscope.files generation to its own target (#10182, @qmonnet)
Makefile: use $GOARCH instead of deriving it from $(shell uname -m) (#10605, @tklauser)
Makefiles: Disable CGO globally (#10724, @joestringer)
Makes k8s cert generation modular in vagrant startup scripts. (#10015, @Weil0ng)
maps/ctmap: unexport NewMap, MapType type and related consts (#10440, @tklauser)
metrics: Do not rely on global HTTP server (#11071, @gandro)
metricsmap: reduce MaxEntries to account for maximum key space (#10292, @tklauser)
Misc improvements for Session Affinity (#11251, @brb)
Misc ip-masq-agent improvements (#11317, @brb)
Misc project maintenance updates (#10042, @aanm)
Misc vagrant dev VM improvements (#10723, @joestringer)
misc: bump net-next vagrant box version (#9657, @borkmann)
modules, mountinfo: check scanner.Err after scanner.Scan (#10720, @tklauser)
monitor: Export policy verdict match type (#10705, @gandro)
monitor: Move PolicyMatchType into pkg/monitor/api (#10893, @tgraf)
monitor: Refactor listener registration logic (#9924, @michi-covalent)
monitor: Remove listener from monitor before calling Close() (#10300, @michi-covalent)
monitor: rename and use traceNotifyV[12]Len consts (#10863, @tklauser)
Move all 'common' code to 'pkg' (#11331, @soumynathan)
Move ALLOW_ICMP_FRAG_NEEDED into cDefinesMap (#10769, @soumynathan)
move bpf nodeport from hybrid to snat by default (#11120, @borkmann)
Move JSON/YAML precheck into Documentation target (#10952, @joestringer)
Moved the Node type from the main "node" package to the sub-package, "node/types". This continues the effort to decouple commonly used code from being Linux specific. So that the type, itself, may be imported easily by other packages. (#10849, @nathanjsweet)
Moved the sub package, "connector", from the "endpoint" package to the "datapath" package in order to continue to decouple common code from being linux specific. (#10822, @nathanjsweet)
Omit rendering resources when not supplied (#10363, @maxbischoff)
operator: Change AWS policy group provider registration (#10689, @errordeveloper)
operator: fix bugs on reading configuration from config-map (#10520, @aanm)
operator: Fix operator flags (#11270, @tgraf)
operator: populate CLI flags from cilium-operator (#10372, @aanm)
operator: Refactor AWS and Azure allocators (#10758, @errordeveloper)
operator: remove pod list of an entire cluster (#11376, @aanm)
option: re-use ToFQDNsMaxDeferredConnectionDeletes const in fatal log (#10483, @tklauser)
option: remove unused Config.KeepTemplates (#11489, @tklauser)
pkg/bpf: Fix KeepAlive usage for pathStr (#10288, @brb)
pkg/bpf: remove outdated godoc for UpdateElementFromPointers (#10403, @tklauser)
pkg/bpf: remove unused (Get|Set)MapPrefix funcs (#10529, @tklauser)
pkg/bpf: remove unused metrics labels (#10830, @tklauser)
pkg/datapath/linux/route: ensure the package compiles on macOS (#10824, @errordeveloper)
pkg/datapath/linux/route: reduce duplicate code (#10052, @florianl)
pkg/datapath/loader: log versions (#10096, @florianl)
pkg/endpoint: return NamedPorts model consistently (#11490, @aanm)
pkg/endpoint: Simplify search for C header file during restore (#11028, @pchaigno)
pkg/ipam: Don't let ENI IPAM override native-routing-cidr (#10886, @dctrwatson)
pkg/k8s: do not DeepCopy when converting to CiliumEndpoint (#10915, @aanm)
pkg/k8s: fix heartbeat unit test flake (#10690, @aanm)
pkg/k8s: remove unused consts and variables (#11177, @aanm)
pkg/mac: small cleanups in MAC address parsing (#10719, @tklauser)
pkg/maps/encrypt: allocate BPF map in MapCreate only if EnableIPSec is set (#10189, @tklauser)
pkg/option: do not log warnings if flag is not set (#10817, @aanm)
policy: clean a duplicated code (#10016, @zhiyuan0x)
policy: Fix incorrect comment (#10588, @pchaigno)
policy: Track policy rule labels from which map entries are derived from (#10512, @gandro)
Preparatory refactoring for dynamic BPF map sizing (#10957, @tklauser)
Prepare for GCP IPAM (#10691, @tgraf)
probes: Add more test cases for system config checks (#10612, @mrostecki)
proxy: remove write-only members from type Redirect (#10242, @tklauser)
README: Fix release date for v1.7.2 (#10868, @joestringer)
Refactor enirouting package to reduce code interdependence and add test coverage (#11208, @christarazi)
Refactor pkg/identity to minimize dependencies (#10960, @tgraf)
Refactor proxy handling and improve monitor messages (#10906, @joestringer)
Remove deprecated CiliumEndpoint fields (#10509, @tgraf)
Remove function queues from k8s watchers (#10914, @aanm)
remove k8s.io/kubernetes as a direct dependency (#10220, @aanm)
Remove leftover in Makefile (#10410, @manuelbuil)
Remove the deprecated CiliumExec method (#10973, @nathanjsweet)
Remove unused funcs, types and global vars (#10085, @tklauser)
Remove unused function arguments in bpf programs. (#10433, @tklauser)
Removed the netlink package dependency from the ip package to decouple common code from being linux specific. (#10885, @nathanjsweet)
Rename hubble-proxy to hubble-relay (#11122, @rolinh)
Replace almost all uses of 'syscall' with 'unix' pkg. (#10158, @Ropes)
Reuse existing port on Cilium Operator health api (#11575, @sayboras)
Rework netns handling in LinuxRoutingSuite privileged tests (#11620, @christarazi)
SECURITY.md: update versions of supported releases (#10313, @rolinh)
service/test: Fix waiting in testSessionAffinity and regroup affinity match map updates (#11519, @brb)
Shorten dummy device name in linuxrouting tests (#11555, @christarazi)
slim/k8s: add missing resourceVersion field (#11531, @aanm)
Small fixes for BPF dynamic map size flag (#11405, @tklauser)
Small fixes for docker getting-started example (#11022, @tklauser)
Small k8s fixes and optimizations (#11545, @aanm)
Split operator-only options into separate package (#11176, @tklauser)
Split out cleanups from #10806 (#10823, @tklauser)
Split various packages to reduce dependency chain (#10909, @tgraf)
Streamline upgrade docs (#10505, @joestringer)
Support service account annotations for helm charts (#11304, @sayboras)
Swagger generated APIs from master (#10336, @Ropes)
Switch from gopkg.in/inotify.v1 to github.com/fsnotify/fsnotify (#11138, @tklauser)
test/bpf: Fix BPF unit tests (#11158, @pchaigno)
test/bpf: remove unused event.h (#10202, @tklauser)
test/DatapathConfig: Remove obsolete service deletion workaround (#11169, @tgraf)
test/gke: Disable K8sServicesTest Checks service across nodes with L7 policy Tests NodePort with L7 Policy (#11290, @tgraf)
test/K8sServices: send datagrams in one block for fragment support tests (#11016, @qmonnet)
test/provision: copy all services before enabling/restarting (#10346, @tklauser)
test/provision: Fix cilium.provision on running VM (#10301, @pchaigno)
test/runtime: remove unused runtimeConnectivityTest (#10835, @tklauser)
test: Add bash aliases and completion for kubectl (#10726, @brb)
test: Allow kubectl label node to overwrite (#11182, @jrajahalme)
test: Avoid using global map for Cilium configuration (#10388, @brb)
test: bpf: Fix check for xdp support in ip (#10198, @pchaigno)
test: Check if the test is using Vagrant (#11355, @michi-covalent)
test: Cleanup default namespace before each Context() (#11600, @tgraf)
test: disable MetalLB service test until there's a drop-in replacement (#11596, @borkmann)
test: Disable Tests NodePort with L7 Policy (#11579, @tgraf)
test: Don't delete and redeploy Cilium at end of test context (#11602, @tgraf)
test: Enable embedded Hubble globally (#11378, @michi-covalent)
test: Fail in case of log buffer too small warning (#10699, @borkmann)
test: Fail in case of map property upgrade warning (#10680, @pchaigno)
test: Fix -cilium.holdEnvironment on badLogMessages (#10917, @pchaigno)
test: fix ClusterIP IPv6 connectivity checks (#10214, @borkmann)
test: Fix fragment tracking test under KUBEPROXY=1 (#11098, @pchaigno)
test: Fix getNodeInfo in NodePort tests (#10211, @borkmann)
test: Fix kubectl log retrieval for badLogMessages (#10717, @pchaigno)
test: Fix KubeProxyFree tests for Network unreachable case (#10732, @pchaigno)
test: Fix skipping of NodePort tests (#11186, @pchaigno)
test: Make "Checks that monitor aggregation restricts notifications" reliable (#11164, @tgraf)
test: Only call Fail() once for all error logs (#11184, @joestringer)
test: Overwrite existing taint when labeling nodes with NoSchedule (#11221, @tgraf)
test: Parallelize Cilium pre-flight check (#11392, @tgraf)
test: Print message when tests resume (#10686, @pchaigno)
test: Reduce length of log filenames (#10213, @pchaigno)
test: Remove duplicate test cases from K8sServicesTest (#11523, @brb)
test: Remove NodeCleanMetadata (#11574, @tgraf)
test: Remove runtime ipvlan tests (#10145, @brb)
test: Replace managed etcd test with generic etcd test (#11544, @tgraf)
test: Report CNI_INTEGRATION when running ginkgo (#11415, @joestringer)
test: Skip session-affinity tests from outside if no third node (#11288, @pchaigno)
test: Speed up K8sServicesTest (#11550, @brb)
test: Support singleton manifests (#11338, @tgraf)
test: Use CWD instead of making assumptions about GOPATH (#10561, @errordeveloper)
test: various cleanups found by staticcheck (#11390, @tklauser)
tests: disable base tests in xdp/tc nodeport lb test (#11054, @borkmann)
travis: Disable arm64 failures (#10978, @joestringer)
update cilium-runtime with golang 1.13.8 (#10208, @aanm)
Update CODEOWNERS and hide go.sum (#11125, @pchaigno)
Update Docker integration docs for IPv6 (#10746, @christarazi)
Update for release v1.7.0 (#10234, @aanm)
Update Go to 1.14.1 (#10646, @tklauser)
Update Go to 1.14.2 (#10912, @tklauser)
Update Go to 1.14.3 (#11542, @tklauser)
Update k8s-install-etcd-operator.rst (#10692, @johnzheng1975)
Update master branch for latest releases (#10474, @joestringer)
Update README for set-labels.py script (#10674, @christarazi)
Update release process and prepare 1.8 development cycle (#10044, @aanm)
Update stable releases (#10710, @joestringer)
Update stable releases (#10850, @joestringer)
Update stable releases (#11247, @joestringer)
Update stable releases (#11564, @joestringer)
Update USERS.md to include Acoss (#10360, @JrCs)
updates tested k8s version to 1.17.3 (#10215, @aanm)
Use -F flag in git log in check-stable script (#10283, @nebril)
Use feature probes to detect kernel support for sockops (#10941, @soumynathan)
Use Go stdlib context package instead of golang.org/x/net/context (#11187, @tklauser)
Use GO_VERSION as single source for the used Go version (#10163, @tklauser)
Use left-shift instead of math.Pow where appropriate (#11064, @tklauser)
Use slimmer protobuf structures for remaining k8s structures (#11374, @aanm)
USERS.md: Add Radio France (#10385, @joulaud)
vagrant/scripts: bump k8s to v1.18.2 (#11108, @aanm)
vagrant: Allow running several dev VMs concurrently (#10400, @pchaigno)
vagrant: Bump all vagrant box versions (#11402, @gandro)
vagrant: bump net-next vagrant image (#10907, @joestringer)
vagrant: bump server VM image for clang/llvm (#10703, @borkmann)
vagrant: bump server VM image for net-next updates (#10775, @borkmann)
vagrant: bump ubuntu-next VM image and increase jenkins timeouts (#11053, @brb)
vagrant: Do not define mount type when not using NFS (#11505, @mrostecki)
vagrant: Fix bootstrap commands (#10777, @gandro)
vagrant: Fix build in dev. VM (#11388, @pchaigno)
vagrant: Fix missing doc. dependency error (#10562, @pchaigno)
vagrant: Forward port 9081 for documentation server (#11292, @michi-covalent)
vagrant: Ignore failures of "chown -R vagrant:vagrant" command (#10549, @mrostecki)
vagrant: Improve command-line usability (#10933, @pchaigno)
vagrant: Improvements to provisioning (#10660, @pchaigno)
vagrant: Install temporary forked bpftool (#10186, @pchaigno)
vagrant: Only set K8S_NODE_NAME if K8S=1 (#11086, @jrajahalme)
vagrant: Remove installation of doc. dependencies (#10985, @pchaigno)
vagrant: Stop provisioning VM if one step fails (#10430, @pchaigno)
Validate when Cilium is in ENI mode that IPv4 is enabled (#11328, @soumynathan)
vendor: Bump github.com/cilium/hubble (#10701, @gandro)
vendor: pick up latest cilium/hubble (#10792, @rolinh)
vendor: Pick up the latest cilium/hubble (#10563, @michi-covalent)
vendor: Pick up the latest github.com/sasha-s/go-deadlock (#10298, @michi-covalent)
vendor: re-vendor golang.org/x/sys and github.com/vishvananda/netlink (#10138, @tklauser)
vendor: update github.com/go-openapi/loads (#10364, @tklauser)
vendor: update hubble dependency to get rid of gojay (#10484, @rolinh)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1.8.0-rc1

Summary of Changes