
build(deps): bump github.com/cilium/cilium from 1.13.3 to 1.13.4 in /tools-v2 #2536


dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jun 16, 2023

Bumps github.com/cilium/cilium from 1.13.3 to 1.13.4.

Release notes

Sourced from github.com/cilium/cilium's releases.

1.13.4

We are pleased to release Cilium v1.13.4.

This release addresses the following security issue:

It also contains fixes related to IPsec, datapath drop notifications, CPU overhead, downgrade path, RevSNAT for ICMPv6, as well as a range of other regular bugfixes.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Minor Changes:

  • Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #25977, Upstream PR #25893, @​pchaigno)
  • Updating documentation helm values now works also on arm64. (Backport PR #25731, Upstream PR #25422, @​jrajahalme)

Bugfixes:

  • Add drop notifications for various error paths in the datapath. (Backport PR #25503, Upstream PR #25183, @​julianwiedmann)
  • bpf,datapath: read jiffies from /proc/schedstat (Backport PR #25855, Upstream PR #25795, @​ti-mo)
  • Compare annotations before discarding CiliumNode updates. (Backport PR #25588, Upstream PR #25465, @​LynneD)
  • CPU overhead regression introduced in v1.13 is fixed. (#25548, @​jrajahalme)
  • Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #25897, Upstream PR #25784, @​pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #25897, Upstream PR #25724, @​pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #25897, Upstream PR #25735, @​pchaigno)
  • Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25923, Upstream PR #25419, @​bimmlerd)
  • Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #25897, Upstream PR #25744, @​joamaki)
  • Fix downgrade path from 1.14 to 1.13 due to stale IPAM-allocated IPv6 on cilium_host (#25962, @​jschwinger233)
  • Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26160, Upstream PR #26093, @​pchaigno)
  • Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (Backport PR #25731, Upstream PR #25674, @​jrajahalme)
  • Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26079, Upstream PR #25953, @​pchaigno)
  • Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR #25588, Upstream PR #25426, @​bleggett)
  • Fix RevSNAT for ICMPv6 packets. (Backport PR #25503, Upstream PR #25306, @​julianwiedmann)
  • Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #25977, Upstream PR #25936, @​joamaki)
  • Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26079, Upstream PR #25969, @​jrajahalme)
  • gateway-api: Race condition between routes and Gateway (Backport PR #25731, Upstream PR #25573, @​sayboras)
  • gateway-api: Skip reconciliation for non-matching controller routes (Backport PR #25731, Upstream PR #25549, @​sayboras)
  • helm: Correct typo in Ingress validation (Backport PR #25731, Upstream PR #25570, @​sayboras)
  • Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (Backport PR #25855, Upstream PR #25803, @​pchaigno)

CI Changes:

... (truncated)

Changelog

Sourced from github.com/cilium/cilium's changelog.

v1.13.4


CI Changes:

Misc Changes:

... (truncated)

Commits
  • 4061cdf Prepare for release v1.13.4
  • cd3cbaa ctmap: right-shift kernel jiffies by BPF_MONO_SCALER
  • 5f42c00 docs: Promote Deny Policies out of Beta
  • aac8a6a ipsec: Don't attempt per-node route deletion when unexistant
  • a8db2ae chore(deps): update dependency cilium/hubble to v0.11.6
  • 843403d Add github workflow to push development helm charts to quay.io
  • 07dd4ec ipsec: Only match appropriate XFRM configs with node ID
  • fbfd0b9 ipsec: Only delete ipsec endpoint when node ID is not 0
  • 94d5894 ipsec: Fix IPv6 wildcard CIDR used in some IPsec policies
  • 48fffb1 ipsec: Change XFRM FWD policy to simplest wildcard
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.13.3 to 1.13.4.
- [Release notes](https://github.com/cilium/cilium/releases)
- [Changelog](https://github.com/cilium/cilium/blob/1.13.4/CHANGELOG.md)
- [Commits](cilium/cilium@1.13.3...1.13.4)

---
updated-dependencies:
- dependency-name: github.com/cilium/cilium
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jun 16, 2023
@Cyber-SiKu

cicheck

@Cyber-SiKu

cicheck

@zweix123

+1

@caoxianfei1 caoxianfei1 merged commit e770d4a into master Jun 21, 2023
@dependabot dependabot bot deleted the dependabot/go_modules/tools-v2/github.com/cilium/cilium-1.13.4 branch June 21, 2023 02:43