@aanm released this 10 Nov 17:00
· 7953 commits to master since this release

Summary of Changes

Note: The summary of changes represents the diff between v1.8.5 and v1.9.0

Major Changes:

  • Add deny policies (#12716, @aanm)
  • Add Maglev consistent hashing to kube-proxy replacement for NodePort/LoadBalancer/externalIPs services (#13131, @brb)
  • Add support for k8s 1.19 (#12611, @aanm)
  • build: Experimental multi-platform images (#12013, @errordeveloper)
  • change default docker image repository from to (Backport PR #13957, Upstream PR #13937, @aanm)
  • cilium: switch to mq/fq and add bandwidth manager (#12868, @borkmann)
  • Cilium operator HA mode (#12409, @fristonio)
  • Direct routing performance improvement through new tc/BPF-only based host forwarding mode w/o passing to upper stack. (#13330, @borkmann)
  • Helm charts have been fully re-structured to a single chart for cilium with no dependency on sub-charts. More than 170 global values have been properly scoped to the cilium chart with sane defaults defined. Users upgrading from prior versions of cilium should be sure to read the upgrade guide for specific instructions. (#13259, @seanmwinn)
  • Implement eBPF native redirect functionality (#12831, @aditighag)
  • Implement proxy redirection logic in eBPF (#11279, @joestringer)
  • Support for external workloads (e.g., VMs) has been added (beta) (Backport PR #13964, Upstream PR #13940, @jrajahalme)
  • Update Go to 1.15.4 (#13946, @tklauser)

Minor Changes:

  • Add a node label to agent metrics. (#12965, @diversario)
  • Add an alternative method to generate the Hubble mTLS certificates based on Kubernetes Jobs. (#13449, @gandro)
  • Add automatic generation of CRDs for CNP and CCNP (#11607, @christarazi)
  • Add blacklistConflictingRoutes parameter to config chart (#11368, @donch)
  • Add BPF map sizes to output of cilium status --verbose (#12660, @tklauser)
  • add CLI for checking kernel capabilities (#11339, @brandshaide)
  • Add config point to send bugtool to stdout (#12837, @willdeuschle)
  • Add configurable enable-k8s-endpoint-slice (#13029, @Antiarchitect)
  • Add detection of unknown fields for policies (CNP & CCNP) in preflight (#13180, @christarazi)
  • add hint to make use of CLI cilium kernel-check in system requirements (#13164, @brandshaide)
  • Add metric 'cilium_k8s_event_lag_seconds' for calculated lag of Kubernetes events (Backport PR #13751, Upstream PR #13702, @aanm)
  • Add Resource Quotas in Cilium Namespace for GKE installations (Backport PR #13957, Upstream PR #13878, @aanm)
  • Adds API for LRP introspection (Backport PR #13720, Upstream PR #13327, @Weil0ng)
  • api/v1: Add ability to query flows by HTTP method (#13328, @glibsm)
  • api/v1: Add drop_reason_desc enum to Flow API (#13301, @kaworu)
  • Automate generation of CiliumNode, CiliumIdentity, & CiliumEndpoint CRDs using controller-gen (#11476, @aanm)
  • Azure IPAM: don't install bogus "PodCIDR via cilium_host" route by default (#13098, @bpineau)
  • Azure IPAM: option to ignore primary addresses (#13415, @bpineau)
  • build: Skip 'clean' and 'clean-container' before docker image builds. (#12463, @jrajahalme)
  • cilium/build Add GOPATH check for generate-k8s-api (#12695, @aditighag)
  • cleanup/ipam: Remove hostscope-legacy IPAM option (#12984, @sayboras)
  • cli: Add cilium bpf lb maglev get $SVC_ID (#13586, @brb)
  • cmd: Allow to filter metrics with regexp (#12590, @mrostecki)
  • Create healthz HTTP endpoint for kube-proxy replacement (#11733, @soumynathan)
  • datapath: Decouple IPV4_MASQUERADE from IPV4_NODEPORT (Backport PR #13751, Upstream PR #13606, @brb)
  • … and port), so that cilium can correctly differentiate protocols between services. (#12628, @nathanjsweet)
  • docker: update Hubble CLI to v0.7.0 (Backport PR #13688, Upstream PR #13643, @rolinh)
  • Enable host firewall without remote-node identity (#12878, @pchaigno)
  • Enable support for user managed identities in the cilium-operator (#12592, @ungureanuvladvictor)
  • Envoy metrics from the Cilium host proxy are exported via a prometheus port. (#12949, @jrajahalme)
  • envoy: Add development support for Envoy filter metadata enforcement (#12500, @jrajahalme)
  • envoy: Move to Envoy API v3 (#12331, @jrajahalme)
  • envoy: Optimize list of allowed remote security IDs (#12926, @jrajahalme)
  • envoy: Stop using deprecated filter names (#13351, @jrajahalme)
  • envoy: Update to release 1.14.4 (#12484, @jrajahalme)
  • Fail to start if IPSec and devices are used together (#13069, @tobiaskohlbau)
  • Fix typo in AKS getting started guide (#12505, @ap4y)
  • fix(3891): mirror parent pod labels to cilium endpoints (#12406, @fristonio)
  • fix(9966): fix creation of multiple KVStore watchers for CNPs and CCNPs (#12323, @fristonio)
  • Follow-up for cilium ip list identity lookup (#13375, @tklauser)
  • helm: allow setting conntrack-gc-interval in cilium-config cm (#13061, @ghouscht)
  • helm: bump hubble-ui patch version in chart values (#13313, @genbit)
  • helm: configurable annotations for agent and operator pods (#12189, @mvisonneau)
  • helm: keep encryption interface value undefined (Backport PR #13688, Upstream PR #13677, @kkourt)
  • Helm: support affinity settings for operator (#13548, @youssefazrak)
  • hubble-relay: add support for (m)TLS (#12900, @rolinh)
  • hubble/metrics: Add protocol labels to flows_processed_total (#12742, @sayboras)
  • hubble: add support for (m)TLS (#12906, @rolinh)
  • hubble: Add support for PERF_RECORD_LOST (#12475, @gandro)
  • install/kubernetes: Allow update of "remote" secret (Backport PR #13812, Upstream PR #13784, @jrajahalme)
  • k8s: Only wait for the needed CRDs (Backport PR #13903, Upstream PR #13820, @jrajahalme)
  • … which adds egress policy enforcement support for Kafka L7 policies. (#12548, @jrajahalme)
  • lbmap: Sort backends before creating maglev lookup table (#13461, @brb)
  • maglev: Add native implementation of murmur3 (#13501, @brb)
  • maglev: Perf related follow up items (#13431, @brb)
  • Make pods' IPv6 addresses discoverable on the node's subnet (#12193, @anfernee)
  • Makes k8sNodeIP the preferred IP when initializing NodePort addresses. (#13223, @networkop)
  • metrics: Deprecate non-conventional prometheus metrics (#12826, @sayboras)
  • monitor: Add option to disable monitor independently of Hubble (#12540, @gandro)
  • operator: Remove options deprecated in v1.8 (#12676, @pchaigno)
  • pkg/hubble/filters: Add HTTP path filters (#13425, @twpayne)
  • pkg/option: add option to configure BPF lbmap size (#12843, @fristonio)
  • policy/trace: Support recent api versions for {Deployment, ReplicaSet} (#12903, @sayboras)
  • Remove "blacklist-conflicting-routes" option from cilium-agent. Get rid of automatic blacklisting of local routes that conflict with cilium. It is now the responsibility of users to make sure that the PodCIDR used on a node does not conflict with any existing routing or IPs on the node. (#12986, @fristonio)
  • Remove agent options deprecated in v1.8 (#12642, @tklauser)
  • Remove deprecated cilium bpf proxy commands (#12682, @tklauser)
  • Remove DNS poller after being deprecated in Cilium 1.8. (#13229, @tklauser)
  • Remove PodSecurityPolicy in helm due to deprecation and future removal in Kubernetes (#12469, @sayboras)
  • Removed Helm 2 support. Move requirements.yaml to Chart.yaml and set the minimum Helm version to Helm 3 (#12412, @sayboras)
  • Rename IPAM API metrics to be ec2 specific. (#12502, @ungureanuvladvictor)
  • Services support for external workloads (Backport PR #13964, Upstream PR #13901, @jrajahalme)
  • Set GOPATH in CI VM (#12717, @aditighag)
  • Show names for reserved identities in cilium ip list. (#13304, @tklauser)
  • The metrics endpoint_regeneration_time_stats and policy_regeneration_time_stats had their 'buildTime' scopes renamed to 'total'. (#13323, @ti-mo)
  • TLS certificates hot reloading for Hubble and Relay (#13249, @kaworu)
  • Update Kubernetes dependencies to v1.19.1 and etcd to 3.4.13 (#13134, @aanm)
  • Update Kubernetes libraries to 1.19.2 (#13199, @aanm)
  • Upgrade CRDs (apiextensions) from v1beta1 to v1 (#11477, @aanm)
  • USERS: Add Alibaba Cloud usage (#13453, @tgraf)
  • VM Support Refinement (Backport PR #13786, Upstream PR #13666, @jrajahalme)

Bugfix Changes:

  • Add log message when node CIDR allocation fails (Backport PR #13688, Upstream PR #13299, @konghui)
  • add missing '| quote' for disableEnvoyVersionCheck (Backport PR #13941, Upstream PR #13911, @rkage)
  • Add the update-ec2-adapter-limit-via-api flag to the cilium-operator-aws. (#12410, @ungureanuvladvictor)
  • agent: fix panic when clustermesh not set and cluster-id is non-zero (#12944, @ArthurChiao)
  • bpf: don't access TCP flags for non initial IPv4 fragments (Backport PR #13957, Upstream PR #13908, @jibi)
  • bpf: Fix --force-local-policy-eval-at-source=false (Backport PR #13812, Upstream PR #13769, @joestringer)
  • bpf: fix disabling PolicyVerdictNotification being broken (Backport PR #13941, Upstream PR #13921, @ArthurChiao)
  • build: bpf: Fix cross-compilation of gcc targets (Backport PR #13812, Upstream PR #13709, @mrostecki)
  • build: don't disable compiler optimizations and inlining on unstripped builds (Backport PR #13903, Upstream PR #13895, @tklauser)
  • cilium, ipsec: Do revalidate_data_pull() early in do_decrypt() case (#13500, @jrfastab)
  • cilium: allow encryption/decryption to coexist with bpf_host logic (#13238, @jrfastab)
  • endpoint: Avoid benign error messages on restoration (Backport PR #13720, Upstream PR #13667, @pchaigno)
  • Fix bug in cluster-pool IPAM mode where the user is never alerted of a node CIDR allocation failure (Backport PR #13957, Upstream PR #13916, @christarazi)
  • Fix bug where Cilium leaks a goroutine when an endpoint is deleted. This leak, if left running in a high pod churn environment, can cause Cilium to exceed its memory usage and get OOM killed. (Backport PR #13720, Upstream PR #13683, @christarazi)
  • Fix bug where events cannot be enqueued during endpoint restoration (#13608, @christarazi)
  • Fix dynamic NAT table size calculation if CT map sizes are configured statically. (Backport PR #13903, Upstream PR #13844, @tklauser)
  • Fix garbage collection of CEPs - delete them in tranches and not every 5 minutes. (Backport PR #13751, Upstream PR #13728, @aanm)
  • Fix panic on cilium-agent startup when restoring LB source range maps (Backport PR #13856, Upstream PR #13842, @aanm)
  • Fix potential bug in ENI IPAM when multiple updates are performed to a CiliumNode resource at the same time (Backport PR #13688, Upstream PR #13612, @christarazi)
  • Fixed installation instructions for K3s and Kubernetes Network Policy enforcement (Backport PR #13812, Upstream PR #13783, @aanm)
  • Fixes panic when setting up encryption with azure IPAM (#13593, @aanm)
  • fqdn: Add a nil check for security id lookup (Backport PR #13941, Upstream PR #13886, @aditighag)
  • fqdn: keep IPs alive if their name is alive (Backport PR #13941, Upstream PR #13914, @kkourt)
  • go.mod: update cilium/ipam library with bug fixes (Backport PR #13856, Upstream PR #13810, @aanm)
  • Helm: Adapt Hubble ingress template to the new Ingress API (Backport PR #13751, Upstream PR #13682, @youssefazrak)
  • Hubble-relay now proxies the GRPC context to its servers. (#12865, @nathanjsweet)
  • hubble/relay: flush old flows when the buffer drain timeout is reached (Backport PR #13786, Upstream PR #13776, @rolinh)
  • hubble: Fix reply state unknown being interpreted as false (Backport PR #13786, Upstream PR #13750, @gandro)
  • Ignore "Failed to load program" errors when the Cilium agent is being torn down (#13281, @mrostecki)
  • Increment the default value of maximum garbage collected security identities from 250 to 2500 per minute (Backport PR #13941, Upstream PR #13907, @aanm)
  • k8s/watchers: fix data race in (*K8sWatcher).addK8sServiceV1 (Backport PR #13688, Upstream PR #13604, @tklauser)
  • kvstore: Do not write to read-only keys in join-cluster mode (#13524, @jrajahalme)
  • lbmap: Fix port info display error (Backport PR #13624, Upstream PR #13244, @Jianlin-lv)
  • lock: fix data race in (*SemaphoredMutexSuite).TestParallelism() (#13570, @tklauser)
  • redirectpolicy: Check lrp type before restoring lrp service (Backport PR #13786, Upstream PR #13741, @aditighag)
  • reduce cardinality of prometheus labels (Backport PR #13720, Upstream PR #13699, @aanm)
  • Valid CNP and CCNP 'matchLabel' values must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. (#12117, @aanm)

CI Changes:

Misc Changes: