chore(deps): update all github action dependencies (master) (minor)

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium/cilium	minor	1.12.5 -> v1.13.4
helm/helm	minor	v3.10.3 -> v3.12.2
kubernetes-sigs/kind	minor	v0.17.0 -> v0.20.0

---

Release Notes

cilium/cilium (cilium/cilium)

v1.13.4: 1.13.4

Compare Source

We are pleased to release Cilium v1.13.4.

This release addresses the following security issue:

• GHSA-r7wr-4w5q-55m6

It aslso contains fixes related to IPsec, datapath drop notifications, CPU overhead, downgrade path, RevSNAT for ICMPv6, as well as a range of other regular bugfixes.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Minor Changes:

• Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #​25977, Upstream PR #​25893, @​pchaigno)
• Updating documentation helm values now works also on arm64. (Backport PR #​25731, Upstream PR #​25422, @​jrajahalme)

Bugfixes:

• Add drop notifications for various error paths in the datapath. (Backport PR #​25503, Upstream PR #​25183, @​julianwiedmann)
• bpf,datapath: read jiffies from /proc/schedstat (Backport PR #​25855, Upstream PR #​25795, @​ti-mo)
• Compare annotations before discarding CiliumNode updates. (Backport PR #​25588, Upstream PR #​25465, @​LynneD)
• CPU overhead regression introduced in v1.13 is fixed. (#​25548, @​jrajahalme)
• Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #​25897, Upstream PR #​25784, @​pchaigno)
• Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #​25897, Upstream PR #​25724, @​pchaigno)
• Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #​25897, Upstream PR #​25735, @​pchaigno)
• Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #​25923, Upstream PR #​25419, @​bimmlerd)
• Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #​25897, Upstream PR #​25744, @​joamaki)
• Fix downgrade path from 1.14 to 1.13 due to stale IPAM-allocated IPv6 on cilium_host (#​25962, @​jschwinger233)
• Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #​26160, Upstream PR #​26093, @​pchaigno)
• Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (Backport PR #​25731, Upstream PR #​25674, @​jrajahalme)
• Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #​26079, Upstream PR #​25953, @​pchaigno)
• Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR #​25588, Upstream PR #​25426, @​bleggett)
• Fix RevSNAT for ICMPv6 packets. (Backport PR #​25503, Upstream PR #​25306, @​julianwiedmann)
• Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #​25977, Upstream PR #​25936, @​joamaki)
• Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #​26079, Upstream PR #​25969, @​jrajahalme)
• gateway-api: Race condition between routes and Gateway (Backport PR #​25731, Upstream PR #​25573, @​sayboras)
• gateway-api: Skip reconciliation for non-matching controller routes (Backport PR #​25731, Upstream PR #​25549, @​sayboras)
• helm: Correct typo in Ingress validation (Backport PR #​25731, Upstream PR #​25570, @​sayboras)
• Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (Backport PR #​25855, Upstream PR #​25803, @​pchaigno)

CI Changes:

• [v1.13 backport] test: Switch target FQDN (#​25584, @​nbusseneau)
• Add github workflow to push development helm charts to quay.io (Backport PR #​26087, Upstream PR #​25205, @​chancez)
• hostfw tests flake workaround (Backport PR #​25588, Upstream PR #​25323, @​tommyp1ckles)
• Pick up the latest startup-script image (Backport PR #​25855, Upstream PR #​25774, @​michi-covalent)
• test/k8s: add host firewall workaround for svc host policy test. (Backport PR #​25588, Upstream PR #​25461, @​tommyp1ckles)
• test/k8s: for services test, wait for all applied manifests to delete (Backport PR #​25503, Upstream PR #​25341, @​tommyp1ckles)
• test/k8s: quarantine K8sDatapathServicesTest (Backport PR #​25731, Upstream PR #​25670, @​aanm)
• test/k8s: update host policies for firewall tests. (Backport PR #​25503, Upstream PR #​25374, @​tommyp1ckles)
• test: delete ginkgo test "NodePort with L7 Policy from outside" (Backport PR #​25731, Upstream PR #​25702, @​jschwinger233)
• test: prevent panic on k8s services host fw test on some runs. (Backport PR #​25855, Upstream PR #​25747, @​tommyp1ckles)

Misc Changes:

• backport (v1.13): docs: Promote Deny Policies out of Beta (#​26147, @​nathanjsweet)
• bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (Backport PR #​25855, Upstream PR #​25742, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.13) (patch) (#​25704, @​renovate[bot])
• chore(deps): update cilium/actions-app-token action to v0.21.1 (v1.13) (#​25865, @​renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.11.6 (v1.13) (#​26042, @​renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#​25852, @​renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#​25853, @​renovate[bot])
• chore(deps): update docker.io/library/golang docker tag to v1.19.10 (v1.13) (#​25857, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (v1.13) (#​25547, @​renovate[bot])
• chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.13) (#​25997, @​renovate[bot])
• ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (Backport PR #​26200, Upstream PR #​26197, @​ti-mo)
• docs: Add Bottlerocket OS to validated distros (Backport PR #​25503, Upstream PR #​25390, @​nebril)
• docs: document missing entity 'ingress' (Backport PR #​25731, Upstream PR #​25665, @​mhofstetter)
• docs: Fix broken link to backends leak issue (Backport PR #​25503, Upstream PR #​25278, @​akhilles)
• docs: Improve BGP Control Plane page (Backport PR #​25731, Upstream PR #​23939, @​krouma)
• gateway-api: Remove unused function check (#​26058, @​ferozsalam)
• install: Fail helm if kube-proxy-replacement is not valid (Backport PR #​25977, Upstream PR #​25907, @​jrajahalme)
• ipsec: Fix cleanup of XFRM states and policies (Backport PR #​26079, Upstream PR #​26072, @​pchaigno)
• Slim down Node handler interface (Backport PR #​25923, Upstream PR #​25450, @​bimmlerd)
• test/provision/compile.sh: Make usable from dev VM (Backport PR #​25503, Upstream PR #​25352, @​jrajahalme)
• Update network attacker sections of the threat model (Backport PR #​25977, Upstream PR #​25640, @​ferozsalam)

Other Changes:

• envoy: Bump envoy version to v1.23.10 (#​25884, @​mhofstetter)
• install: Update image digests for v1.13.3 (#​25726, @​thorn3r)
• wireguard: Always unset fwMark (#​25858, @​brb)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.4@​sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b
quay.io/cilium/cilium:v1.13.4@​sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b
docker.io/cilium/cilium:stable@sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b
quay.io/cilium/cilium:stable@sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.4@​sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a
quay.io/cilium/clustermesh-apiserver:v1.13.4@​sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a
docker.io/cilium/clustermesh-apiserver:stable@sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a
quay.io/cilium/clustermesh-apiserver:stable@sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a

docker-plugin

docker.io/cilium/docker-plugin:v1.13.4@​sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1
quay.io/cilium/docker-plugin:v1.13.4@​sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1
docker.io/cilium/docker-plugin:stable@sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1
quay.io/cilium/docker-plugin:stable@sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1

hubble-relay

docker.io/cilium/hubble-relay:v1.13.4@​sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871
quay.io/cilium/hubble-relay:v1.13.4@​sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871
docker.io/cilium/hubble-relay:stable@sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871
quay.io/cilium/hubble-relay:stable@sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.4@​sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69
quay.io/cilium/operator-alibabacloud:v1.13.4@​sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69
docker.io/cilium/operator-alibabacloud:stable@sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69
quay.io/cilium/operator-alibabacloud:stable@sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69

operator-aws

docker.io/cilium/operator-aws:v1.13.4@​sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84
quay.io/cilium/operator-aws:v1.13.4@​sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84
docker.io/cilium/operator-aws:stable@sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84
quay.io/cilium/operator-aws:stable@sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84

operator-azure

docker.io/cilium/operator-azure:v1.13.4@​sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e
quay.io/cilium/operator-azure:v1.13.4@​sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e
docker.io/cilium/operator-azure:stable@sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e
quay.io/cilium/operator-azure:stable@sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e

operator-generic

docker.io/cilium/operator-generic:v1.13.4@​sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301
quay.io/cilium/operator-generic:v1.13.4@​sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301
docker.io/cilium/operator-generic:stable@sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301
quay.io/cilium/operator-generic:stable@sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301

operator

docker.io/cilium/operator:v1.13.4@​sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464
quay.io/cilium/operator:v1.13.4@​sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464
docker.io/cilium/operator:stable@sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464
quay.io/cilium/operator:stable@sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464

v1.13.3: 1.13.3

Compare Source

We are pleased to release Cilium v1.13.3. This release fixes bugs in ipsec and policy implementations and is recommended for all users.

Summary of Changes

Major Changes:

• Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (Backport PR #​25019, Upstream PR #​24826, @​jrajahalme)
• policy: Promote Deny Policies from Beta to Stable (#​25427, @​nathanjsweet)

Minor Changes:

• Drop traffic matching an egress gateway policy when no gateway are found (Backport PR #​24999, Upstream PR #​24835, @​MrFreezeex)
• ingress: Add ownerReferences for shared mode (Backport PR #​25013, Upstream PR #​24942, @​sayboras)
• sysdump: Added Kubernetes CNI logs to sysdump. (Backport PR #​25346, Upstream PR #​23937, @​marseel)
• Update CNI (loopback) to 1.3.0 (Backport PR #​25454, Upstream PR #​25400, @​anfernee)
• Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (Backport PR #​25346, Upstream PR #​24914, @​margau)

Bugfixes:

• Add support for builtin kernel modules (Backport PR #​25137, Upstream PR #​23953, @​TheAifam5)
• Address cilium-agent startup performance regression. (Backport PR #​25185, Upstream PR #​25007, @​bimmlerd)
• cmd/cleanup: Fix cleanup of generic XDP programs (Backport PR #​25184, Upstream PR #​25117, @​pchaigno)
• datapath: Fix double SNAT (Backport PR #​25223, Upstream PR #​25189, @​brb)
• DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #​25346, Upstream PR #​25147, @​jrajahalme)
• Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #​25137, Upstream PR #​25043, @​harsimran-pabla)
• Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (Backport PR #​25368, Upstream PR #​25298, @​asauber)
• Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (Backport PR #​25086, Upstream PR #​24807, @​jschwinger233)
• Fix bug that caused ToCIDR netpols matching kube-apiserver IPs (when external to the cluster) to not reliably allow connectivity. (#​25241, @​giorio94)
• Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (Backport PR #​25137, Upstream PR #​25024, @​pchaigno)
• Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #​25013, Upstream PR #​24825, @​christarazi)
• Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #​25013, Upstream PR #​24785, @​giorio94)
• Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #​25346, Upstream PR #​25087, @​joamaki)
• Fix incorrect network policy ebpf setup that may lead to incorrect packets denies when CEP is present in multiple CES (Backport PR #​25184, Upstream PR #​24838, @​alan-kut)
• Fix operator shutdown hanging when kvstore is enabled (Backport PR #​25223, Upstream PR #​24979, @​giorio94)
• Fix operator startup delay caused by leader election lease not being released correctly (Backport PR #​25137, Upstream PR #​24978, @​giorio94)
• Fix panic due to assignment to nil BGP service announcements map. (Backport PR #​25013, Upstream PR #​24985, @​harsimran-pabla)
• Fix permission issue when copying cni plugins onto host path (Backport PR #​25346, Upstream PR #​24891, @​JohnJAS)
• Fix security-group-tags not working in ENI (Backport PR #​25013, Upstream PR #​24951, @​aanm)
• Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #​25346, Upstream PR #​25222, @​bimmlerd)
• Fix syncing of relevant node annotations into CiliumNode (Backport PR #​25368, Upstream PR #​25307, @​meyskens)
• Fix the bug when long-living connections using egress gateway may be reset. (Backport PR #​25346, Upstream PR #​24905, @​gentoo-root)
• ipcache don't short-circuit InjectLabels if source differs (Backport PR #​25077, Upstream PR #​24875, @​squeed)
• pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #​25013, Upstream PR #​24786, @​hemanthmalla)
• Track reply packets in long-living egress gateway connections and SNATed host-local connections. (Backport PR #​25424, Upstream PR #​25112, @​gentoo-root)
• When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (Backport PR #​24795, Upstream PR #​22978, @​julianwiedmann)

CI Changes:

• Always use the 8.8.8.8 DNS resolver in kind (Backport PR #​25409, Upstream PR #​24713, @​aspsk)
• ci: remove STATUS commands from upstream tests' Jenkinsfile (Backport PR #​25137, Upstream PR #​25046, @​nbusseneau)
• Delete "Cilium monitor verbose mode" test (Backport PR #​25346, Upstream PR #​25212, @​michi-covalent)
• Enable testing of BPF programs requiring XDP_TX in CI (Backport PR #​25409, Upstream PR #​24250, @​lmb)
• inctimer: fix test flake where timer does not fire within time. (Backport PR #​25346, Upstream PR #​25219, @​tommyp1ckles)
• jenkinsfiles: Fix order of ginkgo tests (Backport PR #​25137, Upstream PR #​25002, @​pchaigno)
• mlh: update Jenkins jobs following removal of kernel 4.9 support (#​24955, @​nbusseneau)
• test: Unquarantine host firewall + nodeport test (Backport PR #​25184, Upstream PR #​25025, @​pchaigno)

Misc Changes:

• bpf: dsr: don't track L2 addresses for DSR traffic (Backport PR #​24795, Upstream PR #​24524, @​julianwiedmann)
• bpf: dsr: restore CB_SRC_LABEL across DSR-INGRESS tail-call (Backport PR #​24795, Upstream PR #​24794, @​julianwiedmann)
• bpf: lb: introduce an optimized CT lookup (Backport PR #​24795, Upstream PR #​22936, @​julianwiedmann)
• bpf: minor CT cleanups (Backport PR #​24795, Upstream PR #​23718, @​julianwiedmann)
• bpf: nodeport: minor DSR improvements (Backport PR #​24795, Upstream PR #​23326, @​julianwiedmann)
• chore(deps): update docker.io/library/golang:1.19.8 docker digest to 9f2dd04 (v1.13) (#​25421, @​renovate[bot])
• chore(deps): update hubble cli to v0.11.5 (v1.13) (patch) (#​25125, @​renovate[bot])
• daemon: Mark CES feature as beta in agent flag (Backport PR #​25013, Upstream PR #​24850, @​pchaigno)
• docs: socketLB.hostNamespaceOnly also needed for gVisor (Backport PR #​25346, Upstream PR #​25322, @​pchaigno)
• docs: Add matrix version between envoy and cilium (Backport PR #​25223, Upstream PR #​25109, @​sayboras)
• docs: Add platform support to docs (Backport PR #​25223, Upstream PR #​25174, @​joestringer)
• docs: small fixes for k8s upgrade guide (Backport PR #​25013, Upstream PR #​24869, @​tklauser)
• Documentation: add migration document (Backport PR #​25013, Upstream PR #​23751, @​squeed)
• documentation: move policy warning to v1.13.2 section (#​24997, @​squeed)
• envoy: Debug log remote IDs for Envoy policies (Backport PR #​25013, Upstream PR #​24939, @​jrajahalme)
• Fix missed clustermesh config change race condition with back-to-back changes (Backport PR #​25013, Upstream PR #​24993, @​giorio94)
• Fix possible panic in the ipcache when removing the prefix labels for an unknown resource ID (Backport PR #​25346, Upstream PR #​25230, @​giorio94)
• Fixed documentation regarding cilium versioning scheme and support (Backport PR #​25223, Upstream PR #​25171, @​ayesha-kr)
• gha: Add retry mechanism in http test (Backport PR #​25346, Upstream PR #​25244, @​sayboras)
• helm: add clustermesh nodeport config warning about known bug #​24692 (Backport PR #​25223, Upstream PR #​25033, @​giorio94)
• hive: Don't log interrupt signal as error (Backport PR #​25013, Upstream PR #​23880, @​joamaki)
• ipsec: Install default-drop XFRM policy sooner (Backport PR #​25346, Upstream PR #​25257, @​pchaigno)
• Makefile: use a specific template for mktemp files (Backport PR #​25223, Upstream PR #​25192, @​kaworu)
• node/manager: Only remove old IPs if they weren't already added (Backport PR #​25013, Upstream PR #​25067, @​christarazi)
• pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (Backport PR #​25223, Upstream PR #​24770, @​aditighag)
• Remote node identities are enabled by default in the Cilium agent. They have already been enabled by default in the Helm charts since Cilium version 1.7. (Backport PR #​25013, Upstream PR #​24874, @​tklauser)
• Update the documentation for required IAM policy rights needed for Cilium to work in EKS. (Backport PR #​25137, Upstream PR #​25078, @​toredash)
• Update threat model (Backport PR #​25013, Upstream PR #​24760, @​ferozsalam)

Other Changes:

• [v1.13] contrib/backporting: Fix main branch reference (#​25091, @​joestringer)
• envoy: Upgrade to v1.23.9 (#​25208, @​sayboras)
• install: Update image digests for v1.13.2 (#​24952, @​gentoo-root)
• v1.13: docs: Document upgrade impact for IPsec (#​24963, @​pchaigno)
• v1.13: docs: Fix typo in IPsec upgrade note (#​24973, @​pchaigno)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.3@​sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:v1.13.3@​sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
docker.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
quay.io/cilium/cilium:stable@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.3@​sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:v1.13.3@​sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
docker.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a
quay.io/cilium/clustermesh-apiserver:stable@sha256:5ad8e9dc17f5677d1d75b53a4e80ec2e5c4fcf4973ced8b30f8ad53933c6969a

docker-plugin

docker.io/cilium/docker-plugin:v1.13.3@​sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860
quay.io/cilium/docker-plugin:v1.13.3@​sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860
docker.io/cilium/docker-plugin:stable@sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860
quay.io/cilium/docker-plugin:stable@sha256:e94d344c8e059ce87453dff579086bd0bed9d65e69434ad60eef783380c4e860

hubble-relay

docker.io/cilium/hubble-relay:v1.13.3@​sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6
quay.io/cilium/hubble-relay:v1.13.3@​sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6
docker.io/cilium/hubble-relay:stable@sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6
quay.io/cilium/hubble-relay:stable@sha256:19e4aae5ff72cd9fbcb7d2d16a1570533320a478acc015fc91a4d41a177cadf6

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.3@​sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb
quay.io/cilium/operator-alibabacloud:v1.13.3@​sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb
docker.io/cilium/operator-alibabacloud:stable@sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb
quay.io/cilium/operator-alibabacloud:stable@sha256:8dba4795cb38200746a2236623f5b84742ee2c56a8afda724c85f5027ea854eb

operator-aws

docker.io/cilium/operator-aws:v1.13.3@​sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae
quay.io/cilium/operator-aws:v1.13.3@​sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae
docker.io/cilium/operator-aws:stable@sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae
quay.io/cilium/operator-aws:stable@sha256:394c40d156235d3c2004f77bb73402457092351cc6debdbc5727ba36fbd863ae

operator-azure

docker.io/cilium/operator-azure:v1.13.3@​sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8
quay.io/cilium/operator-azure:v1.13.3@​sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8
docker.io/cilium/operator-azure:stable@sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8
quay.io/cilium/operator-azure:stable@sha256:7749b732d510954d9fb74f7e675b31b49100fd773e588c6fbbf42529acfb1be8

operator-generic

docker.io/cilium/operator-generic:v1.13.3@​sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
quay.io/cilium/operator-generic:v1.13.3@​sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
docker.io/cilium/operator-generic:stable@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
quay.io/cilium/operator-generic:stable@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910

operator

docker.io/cilium/operator:v1.13.3@​sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c
quay.io/cilium/operator:v1.13.3@​sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c
docker.io/cilium/operator:stable@sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c
quay.io/cilium/operator:stable@sha256:70245141d9c38df09c4c3884f61af81036672059b1ae45e8b1e2175b6cc0998c

v1.13.2: 1.13.2

Compare Source

We are pleased to release Cilium v1.13.2.

This release addresses the following security issue:

• GHSA-pg5p-wwp8-97g8

Note: When updating to this release, make sure that you are using new helm chart version.

Summary of Changes

Known Issues:

• There is a known issue (#​24502) with CiliumNetworkPolicies that makes the kube-apiserver entity unreliable. Until this is resolved, it is recommended to remain on Cilium v1.12 or earlier if you are using the kube-apiserver entity in your CiliumNetworkPolicies.

Minor Changes:

• envoy: Bump envoy to v1.23.8 (#​24909, @​sayboras)
• envoy: Bump envoy version to v1.23.7 (#​24746, @​sayboras)
• Move poststart eni script to agent pod from nodeinit pod (Backport PR #​24547, Upstream PR #​24134, @​nebril)
• Provides operational state of BGP peers via CLI 'cilium bgp peers' (Backport PR #​24821, Upstream PR #​24612, @​harsimran-pabla)
• Support L2-less devices with fast forward (bpf-based host routing) (Backport PR #​24706, Upstream PR #​23935, @​jschwinger233)

Bugfixes:

• agent: rework clustermesh config watcher for increased robustness (Backport PR #​24547, Upstream PR #​24163, @​giorio94)
• bpf: dsr: fix parsing of IPv6 AUTH extension header (Backport PR #​24821, Upstream PR #​24792, @​julianwiedmann)
• bpf: fix ipv6 extension header parsing error (Backport PR #​24706, Upstream PR #​24309, @​chenyuezhou)
• bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #​24821, Upstream PR #​24797, @​julianwiedmann)
• Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (Backport PR #​24607, Upstream PR #​24339, @​giorio94)
• daemon: initialize datapath before compiling sockops programs (Backport PR #​24547, Upstream PR #​24140, @​jibi)
• egressgw: update all internal caches once k8s state is synced (Backport PR #​24706, Upstream PR #​24034, @​jibi)
• endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #​24706, Upstream PR #​24575, @​mhofstetter)
• Fix a bug where users are unable to change a wrong remote etcd configuration (Backport PR #​24547, Upstream PR #​24046, @​oblazek)
• Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (Backport PR #​24706, Upstream PR #​24619, @​giorio94)
• Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #​24547, Upstream PR #​24304, @​dylandreimerink)
• Fix bug where ingress policies for remote-note identities are not applied correctly new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (Backport PR #​24547, Upstream PR #​23764, @​christarazi)
• Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #​24547, Upstream PR #​24189, @​forgems)
• Fix for disabled cloud provider rate limiting (Backport PR #​24547, Upstream PR #​24413, @​hemanthmalla)
• Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#​24870, @​aanm)
• Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #​24843, Upstream PR #​24788, @​jrajahalme)
• gateway-api: Re-queue gateway for namespace change (Backport PR #​24758, Upstream PR #​24624, @​sayboras)
• Handle leaked service backends that may lead to filling up of lb4_backends map and thereby connectivity issues. (Backport PR #​24758, Upstream PR #​24681, @​aditighag)
• helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #​24821, Upstream PR #​24666, @​giorio94)
• ipsec: Clean up stale XFRM policies and states (Backport PR #​24821, Upstream PR #​24773, @​pchaigno)
• Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (Backport PR #​24706, Upstream PR #​24646, @​MrFreezeex)
• Services backends with publishNotReadyAddresses are able to receive traffic independently if they are Terminating, since is the user intent to make them reachable despite its state. (Backport PR #​24547, Upstream PR #​24174, @​aojea)
• Set user-agent for k8s client with Cilium's version (Backport PR #​24547, Upstream PR #​24275, @​aanm)
• Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is probe=l7-proxy msg="No response from probe within 15 seconds" (Backport PR #​24814, Upstream PR #​24672, @​bimmlerd)

CI Changes:

• bpf/test: Add unit test to check whether netpol drops result in metric counter increament (Backport PR #​24607, Upstream PR #​24469, @​brb)
• bpf/tests: fix mac addresses definitions in egressgw test (Backport PR #​24607, Upstream PR #​23351, @​jibi)
• datapath/linux/route: fix CI expectations for rule string format (Backport PR #​24607, Upstream PR #​24577, @​NikAleksandrov)
• Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #​24706, Upstream PR #​24484, @​jschwinger233)
• Fixed flake in the TestRequestIPWithMismatchedLabel LB-IPAM tests. (Backport PR #​24547, Upstream PR #​23297, @​dylandreimerink)
• gha: Clean-up Ingress/GatewayAPI Conformance tests (Backport PR #​24441, Upstream PR #​24025, @​sayboras)
• Increase timeout waiting for resources in Ingress conformance test (Backport PR #​24441, Upstream PR #​24388, @​meyskens)
• Port verifier tests to Go (Backport PR #​24706, Upstream PR #​24538, @​ti-mo)
• renovate: Fix Hubble release digest regex (Backport PR #​24547, Upstream PR #​24477, @​gandro)
• test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (Backport PR #​24547, Upstream PR #​24144, @​joestringer)
• test: Remove some {DP,Services} Ginkgo test cases (Backport PR #​24547, Upstream PR #​24223, @​brb)
• test: Update 1.26 k8s version (Backport PR #​24607, Upstream PR [#​24569](h

---

Configuration

📅 Schedule: Branch creation - "on friday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.