1.9.5

We are pleased to release Cilium v1.9.5. This release addresses GHSA-c66w-hq56-4q97, addresses a memory leak found in clusters with high pod churn, fixes some issues when enabling encryption mode, and includes a variety of other fixes described below.

Summary of Changes

Major Changes:

• Move Azure IPAM out of beta (Backport PR #15104, Upstream PR #14993, @tgraf)

Minor Changes:

• daemon: do not allow --auto-direct-node-routes when tunneling is enabled (Backport PR #15243, Upstream PR #15196, @jibi)
• datapath: Do not log when kernel config not found (Backport PR #15006, Upstream PR #14902, @brb)
• Envoy is updated to release 1.15.3. (Backport PR #15254, Upstream PR #14462, @jrajahalme)
• Envoy is updated to release 1.17.1 (Backport PR #15220, Upstream PR #14754, @jrajahalme)
• helm: Fix and add missing podLabels (Backport PR #15104, Upstream PR #14943, @Subreptivus)
• Install Cilium in kube-system on GKE (Backport PR #15006, Upstream PR #14899, @pchaigno)
• k8s: update k8s libraries to 1.19.8 (#15029, @aanm)
• Make Go runtime to return unused memory to OS more often (Backport PR #14961, Upstream PR #14634, @aanm)
• Make pod-to-pod encryption functional in the IPAM ENI mode. (Backport PR #14961, Upstream PR #14924, @aditighag)
• Revert kernel-check CLI (Backport PR #15006, Upstream PR #14966, @joestringer)
• Support kube-proxy-replacement when running on Kind (Backport PR #15104, Upstream PR #14951, @brb)

Bugfixes:

• [1.9] doc: Fix masquerade option in AKS/Azure guides (#15245, @tgraf)
• Avoid an empty instanceID on EC2 (Backport PR #15047, Upstream PR #15012, @kkourt)
• bpf: Fix bpf masquerade issue when host connecting to remote pod (Backport PR #15243, Upstream PR #15206, @borkmann)
• cilium: encryption fix, ipv4-pod-subnets without encryptnode fails (Backport PR #15164, Upstream PR #14999, @jrfastab)
• cilium: encryption, fixes for ENI & Azure mode with shared podIPs and networkIPs (Backport PR #15164, Upstream PR #15048, @jrfastab)
• Fix a bug that affects connectivity to NodePort service via ExternalIP of the local k8s node. (Backport PR #14961, Upstream PR #14793, @AnishShah)
• Fix bug where PolicyAuditMode could not be changed at runtime if it was enabled at startup (Backport PR #15243, Upstream PR #15218, @ArthurChiao)
• Fix connectivity to externalTrafficPolicy=Local services when using the host firewall with kube-proxy (Backport PR #14961, Upstream PR #14756, @pchaigno)
• Fix ENI compatibility regression between 1.7 <-> 1.8 (Backport PR #15006, Upstream PR #14991, @tgraf)
• Fix failing bpf-map-sync-cilium_snat_v{4,6}_external controllers when BPF NodePort is disabled (Backport PR #15298, Upstream PR #15175, @pchaigno)
• Fix ICMP Echo ID placement in CT maps (#15274, @brb)
• Fix ipsec+vxlan bug where egressing packets would bypass masquerading on their way to remote nodes (Backport PR #14961, Upstream PR #14611, @jrfastab)
• Fix memory leak on stable policy identity churn. (Backport PR #15047, Upstream PR #15042, @jrajahalme)
• Fix possible deadlock when querying network interfaces for arping (#15227, @brb)
• Fix potential panic on clustermesh environments (Backport PR #15164, Upstream PR #15107, @aanm)
• Fix remote pod connectivity through VIP in tunneling mode with kube-proxy and per-endpoint routes. Fix IPv6 connectivity to BPF HostPort when kube-proxy is installed (Backport PR #14961, Upstream PR #14675, @pchaigno)
• ipsec: Use 64bits for XFRM output sequence number (Backport PR #15164, Upstream PR #15039, @pchaigno)
• iptables: Fix incorrect SNAT bypass with endpoint routes and tunneling (Backport PR #14961, Upstream PR #14913, @pchaigno)
• labelsfilter: add reserved labels to default identity label list (Backport PR #14930, Upstream PR #14114, @ArthurChiao)
• service: Skip upsert of service for disabled IP family (Backport PR #15243, Upstream PR #15026, @pchaigno)

CI Changes:

• bpf: Enable monitor aggregation in complexity tests (Backport PR #15006, Upstream PR #14995, @pchaigno)
• checkpatch: update image (skip backports, add a check, suppress one report type) (Backport PR #15164, Upstream PR #15096, @qmonnet)
• ci(smoketest): Pin promtool version in GHA (Backport PR #14961, Upstream PR #14954, @sayboras)
• ci: disable endpointslice in 1.17 cluster (Backport PR #15164, Upstream PR #15058, @nebril)
• ci: use quay.io images in upstream tests (Backport PR #15164, Upstream PR #15081, @nebril)
• lbmap: Initialize maps before test suite runs (Backport PR #14870, Upstream PR #14842, @christarazi)
• test: Avoid unnecessary restarts of unmanaged pods (Backport PR #15006, Upstream PR #14938, @pchaigno)
• test: Delete all unmanaged pods with a single kubectl delete (Backport PR #15006, Upstream PR #14942, @pchaigno)
• test: K8sVerifier Fix test-verifier's scheduling (Backport PR #14870, Upstream PR #14803, @pchaigno)
• test: Use Endpoint instead of EndpointSlice in 1.17 (Backport PR #15006, Upstream PR #15010, @nebril)

Misc Changes:

• .github: add stable tag for v1.9 releases (#15084, @aanm)
• .github: publish into official repo for next release (#15033, @aanm)
• [v1.9] .github: add GitHub actions to build images (#14936, @aanm)
• Add configurable suffix for operator image repo in helm (Backport PR #15164, Upstream PR #14952, @nebril)
• add GH action to push hot fix images into -dev repositories (#15062, @aanm)
• Add support for image digests in helm charts (#15186, @aanm)
• Adds a Getting Started Guide for Rancher 2.x using Existing Nodes (Backport PR #15298, Upstream PR #15179, @seanmwinn)
• backporting: Add support for forked cilium repositories (Backport PR #15006, Upstream PR #15008, @gandro)
• backporting: Update instructions for backporting workflow (Backport PR #15164, Upstream PR #15118, @aditighag)
• build(deps): bump actions/setup-go from v1 to v2.1.3 (#15235, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 (#15211, @dependabot[bot])
• contrib/k8s: use provided image when installing external workload (Backport PR #15047, Upstream PR #15020, @tklauser)
• docs: Add FQDN limitation to IPVLAN docs (Backport PR #14930, Upstream PR #14893, @joestringer)
• docs: Add L7 not working warning to AWS CNI Chaining page (Backport PR #15243, Upstream PR #15163, @stimmerman)
• docs: Added instruction to also delete kube-proxy configmap (Backport PR #14961, Upstream PR #14847, @yoshz)
• docs: Clarify external workload docs (Backport PR #15254, Upstream PR #15253, @jrajahalme)
• docs: Clarify titles for allow-all-endpoints examples (Backport PR #15243, Upstream PR #15145, @pchaigno)
• docs: Document hostport requirements in eni (Backport PR #14961, Upstream PR #14920, @joestringer)
• docs: Fix max. number of tail calls (Backport PR #15243, Upstream PR #15162, @pchaigno)
• envoy: Do not use deprecated fields (Backport PR #15254, Upstream PR #15232, @jrajahalme)
• envoy: Silently discard expected warnings if flowdebug is not enabled (Backport PR #15288, Upstream PR #15284, @jrajahalme)
• Fix BPF map handling on upgrade when disabling the preallocation of BPF maps (Backport PR #15099, Upstream PR #14853, @christarazi)
• images: Set GOPS_CONFIG_DIR in scratch images (Backport PR #14961, Upstream PR #14886, @gandro)
• Improve release scripts (Backport PR #15259, Upstream PR #15121, @joestringer)
• iptables: Skip CILIUM_TRANSIENT_FORWARD for IPv6 (Backport PR #15006, Upstream PR #14994, @pchaigno)
• labelsfilter: Update documentation and add unit tests (Backport PR #14961, Upstream PR #14338, @pchaigno)
• Minor backporting script tweaks (Backport PR #15053, Upstream PR #14027, @twpayne)
• tools/licensegen: consider COPYING files (Backport PR #15243, Upstream PR #15239, @tklauser)
• v1.9: Update Go to 1.15.8 (#14984, @tklauser)

Other Changes:

• test: Fix docker compose in precheck (#15171, @nebril)

Docker Manifests

Docker Manifests

cilium

docker.io/cilium/cilium:v1.9.5@sha256:6c829237d4e00080b48e08d453bd87e816a16d7867236446bd9df407ecda0a38
quay.io/cilium/cilium:v1.9.5@sha256:6c829237d4e00080b48e08d453bd87e816a16d7867236446bd9df407ecda0a38
docker.io/cilium/cilium:stable@sha256:6c829237d4e00080b48e08d453bd87e816a16d7867236446bd9df407ecda0a38
quay.io/cilium/cilium:stable@sha256:6c829237d4e00080b48e08d453bd87e816a16d7867236446bd9df407ecda0a38

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.9.5@sha256:f2fd67898c15af0b0c3416ba60d4d60b30dbdf75651f0d129cd53d33268b742c
quay.io/cilium/clustermesh-apiserver:v1.9.5@sha256:f2fd67898c15af0b0c3416ba60d4d60b30dbdf75651f0d129cd53d33268b742c
docker.io/cilium/clustermesh-apiserver:stable@sha256:f2fd67898c15af0b0c3416ba60d4d60b30dbdf75651f0d129cd53d33268b742c
quay.io/cilium/clustermesh-apiserver:stable@sha256:f2fd67898c15af0b0c3416ba60d4d60b30dbdf75651f0d129cd53d33268b742c

docker-plugin

docker.io/cilium/docker-plugin:v1.9.5@sha256:82452b335af0fd6f04d0061258a9bbd57256f15335922a90657ea5ef09ea4b97
quay.io/cilium/docker-plugin:v1.9.5@sha256:82452b335af0fd6f04d0061258a9bbd57256f15335922a90657ea5ef09ea4b97
docker.io/cilium/docker-plugin:stable@sha256:82452b335af0fd6f04d0061258a9bbd57256f15335922a90657ea5ef09ea4b97
quay.io/cilium/docker-plugin:stable@sha256:82452b335af0fd6f04d0061258a9bbd57256f15335922a90657ea5ef09ea4b97

hubble-relay

docker.io/cilium/hubble-relay:v1.9.5@sha256:e4b06b224a66de2abeab4dcbd6a65ebf192ac8f77116deedfa654ff7ab1ae588
quay.io/cilium/hubble-relay:v1.9.5@sha256:e4b06b224a66de2abeab4dcbd6a65ebf192ac8f77116deedfa654ff7ab1ae588
docker.io/cilium/hubble-relay:stable@sha256:e4b06b224a66de2abeab4dcbd6a65ebf192ac8f77116deedfa654ff7ab1ae588
quay.io/cilium/hubble-relay:stable@sha256:e4b06b224a66de2abeab4dcbd6a65ebf192ac8f77116deedfa654ff7ab1ae588

operator-aws

docker.io/cilium/operator-aws:v1.9.5@sha256:9879c0730bd3f95450d10e04580c66df4546dd1561d8e35b2d046fa697a41514
quay.io/cilium/operator-aws:v1.9.5@sha256:9879c0730bd3f95450d10e04580c66df4546dd1561d8e35b2d046fa697a41514
docker.io/cilium/operator-aws:stable@sha256:9879c0730bd3f95450d10e04580c66df4546dd1561d8e35b2d046fa697a41514
quay.io/cilium/operator-aws:stable@sha256:9879c0730bd3f95450d10e04580c66df4546dd1561d8e35b2d046fa697a41514

operator-azure

docker.io/cilium/operator-azure:v1.9.5@sha256:dee876595bda32ffa8925a03f7bc3b8052ce2bc920867060b26ec698ebef9482
quay.io/cilium/operator-azure:v1.9.5@sha256:dee876595bda32ffa8925a03f7bc3b8052ce2bc920867060b26ec698ebef9482
docker.io/cilium/operator-azure:stable@sha256:dee876595bda32ffa8925a03f7bc3b8052ce2bc920867060b26ec698ebef9482
quay.io/cilium/operator-azure:stable@sha256:dee876595bda32ffa8925a03f7bc3b8052ce2bc920867060b26ec698ebef9482

operator-generic

docker.io/cilium/operator-generic:v1.9.5@sha256:6b7223ffbc94825590579492e9246533a72a97827a1a7ed959abcfcd1cd918a9
quay.io/cilium/operator-generic:v1.9.5@sha256:6b7223ffbc94825590579492e9246533a72a97827a1a7ed959abcfcd1cd918a9
docker.io/cilium/operator-generic:stable@sha256:6b7223ffbc94825590579492e9246533a72a97827a1a7ed959abcfcd1cd918a9
quay.io/cilium/operator-generic:stable@sha256:6b7223ffbc94825590579492e9246533a72a97827a1a7ed959abcfcd1cd918a9

operator

docker.io/cilium/operator:v1.9.5@sha256:60caae621d89368fc095c7efd2a9d8ba6e1f87c86cd58e6319795af912870953
quay.io/cilium/operator:v1.9.5@sha256:60caae621d89368fc095c7efd2a9d8ba6e1f87c86cd58e6319795af912870953
docker.io/cilium/operator:stable@sha256:60caae621d89368fc095c7efd2a9d8ba6e1f87c86cd58e6319795af912870953
quay.io/cilium/operator:stable@sha256:60caae621d89368fc095c7efd2a9d8ba6e1f87c86cd58e6319795af912870953