fix(deps): update module github.com/cilium/cilium to v1.14.12 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.14.6 -> v1.14.12

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-25630

Impact

For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The health endpoint is only used for Cilium's internal health checks.

Patches

This issue affects Cilium v1.14 before v1.14.7.

This issue has been patched in Cilium v1.14.7.

Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​gandro for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-25631

Impact

For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted.

Patches

This issue affects Cilium v1.14 before v1.14.7.

This issue has been patched in Cilium v1.14.7.

Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​giorio94 and @​gandro for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-28248

Impact

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

Patches

This issue affects:

• Cilium v1.13 between v1.13.9 and v1.13.12 inclusive
• Cilium v1.14 between v1.14.0 and v1.14.7 inclusive
• Cilium v1.15.0 and v1.15.1

This issue has been patched in:

• Cilium v1.15.2
• Cilium v1.14.8
• Cilium v1.13.13

Workarounds

There is no workaround for this issue – affected users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​romikps for discovering and reporting this issue, and @​sayboras and @​jrajahalme for preparing the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium internal security team, and your report will be treated as top priority.

CVE-2024-28249

Impact

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:

• Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
• Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted

Note: For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.

Patches

This issue affects:

• Cilium v1.15 before v1.15.2
• Cilium v1.14 before v1.14.8
• Cilium v1.13 before v1.13.13
• Cilium v1.4 to v1.12 inclusive

This issue has been resolved in:

• Cilium v1.15.2
• Cilium v1.14.8
• Cilium v1.13.13

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​jschwinger233, @​julianwiedmann, @​giorio94, and @​jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at security@cilium.io. This is a private mailing list that only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-28250

Impact

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:

• Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes.
• Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

Patches

This issue affects:

• In native routing mode (routingMode=native):
  • Cilium v1.14 versions before v1.14.8
  • Cilium v1.15 versions before v1.15.2
• In tunneling mode (routingMode=tunnel):
  • Cilium v1.14 versions before v1.14.4
  • Cilium v1.14.4 if encryption.wireguard.encapsulate is set to false (default).

This issue has been resolved in:

• In native routing mode (routingMode=native):
  • Cilium v1.14.8
  • Cilium v1.15.2
• In tunneling mode (routingMode=tunnel):
  • Cilium v1.14.4. NOTE encryption.wireguard.encapsulate must be set to true.

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​brb, @​giorio94, @​gandro and @​jschwinger233 for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-28860

Impact

Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective.

In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker:

• Chosen plaintext attacks
• Key recovery attacks
• Replay attacks

These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks.

Important: After upgrading, users must perform a key rotation using the instructions here to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to properly establish secure IPsec tunnels. To validate that the new instructions have been followed properly, ensure that the IPsec Kubernetes secret contains a "+" sign.

Patches

All prior versions of Cilium that support IPsec transparent encryption (Cilium 1.4 onwards) are affected by this issue.

Patched versions:

• Cilium 1.15.3
• Cilium 1.14.9
• Cilium 1.13.14

Workarounds

There is no workaround to this issue. IPsec transparent encryption users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @​NikAleksandrov and @​pchaigno for their work on remediating the issue. Thanks to Marsh Ray, Senior Software Developer at Microsoft, for input and guidance on the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.

CVE-2024-37307

Impact

The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled.

Users of the following features are affected:

• TLS inspection
• Ingress with TLS termination
• Gateway API with TLS termination
• Kafka network policies with API key filtering

The sensitive data includes:

• The CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API
• The API keys used in Kafka-related network policy

cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.

Patches

This issue affects:

• Cilium v1.13 between v1.13.0 and v1.13.16 inclusive
• Cilium v1.14 between v1.14.0 and v1.14.11 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.5 inclusive

This issue has been patched in:

• Cilium v1.15.6
• Cilium v1.14.12
• Cilium v1.13.17

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​sayboras for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.14.12: 1.14.12

Compare Source

We are pleased to release Cilium v1.14.12 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️

Summary of Changes

Minor Changes:

• (v1.14) Generate SBOMs using Syft instead of bom (#​32750, @​ferozsalam)
• Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR #​32874, Upstream PR #​32577, @​marseel)
• Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #​32571, Upstream PR #​32336, @​giorio94)
• ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR #​32883, Upstream PR #​32588, @​marseel)
• pkg/labels: print all leaf CIDRs, not just the last one. (Backport PR #​32511, Upstream PR #​28224, @​squeed)

Bugfixes:

• .github/workflows: fix digests file creation (Backport PR #​32888, Upstream PR #​32860, @​aanm)
• [v1.14] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil (#​32650, @​pippolo84)
• cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR #​32787, Upstream PR #​32725, @​gandro)
• Fix PromQL query in Cilium Metrics dashboard (Backport PR #​32695, Upstream PR #​32017, @​mikemykhaylov)
• Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR #​32695, Upstream PR #​32513, @​giorio94)
• Fix: Ensure enabling metrics turns on identity GC metrics (#​32447, @​jaredledvina)
• Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR #​32695, Upstream PR #​32548, @​squeed)
• ipsec: Safely delete Xfrm state (Backport PR #​32704, Upstream PR #​32450, @​jschwinger233)
• proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR #​32483, Upstream PR #​32367, @​sayboras)
• Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #​32888, Upstream PR #​32338, @​stelucz)

CI Changes:

• ci: Filter supported versions of EKS (Backport PR #​32888, Upstream PR #​32304, @​marseel)
• ci: Filter supported versions of GKE (Backport PR #​32695, Upstream PR #​32302, @​marseel)
• ci: l4lb: Don't hang on gathering logs forever (Backport PR #​32968, Upstream PR #​32947, @​joestringer)
• ci: l4lb: gather more infos about docker-in-docker issues (Backport PR #​32695, Upstream PR #​32570, @​mhofstetter)
• ci: l4lb: restart docker-in-docker container on failure (Backport PR #​32695, Upstream PR #​32600, @​mhofstetter)
• eks: Don't use spot instances (Backport PR #​32695, Upstream PR #​32553, @​michi-covalent)
• GCP OIDC instead of SA creds. (Backport PR #​32708, Upstream PR #​30809, @​viktor-kurchenko)
• gha: test certificate generation methods in conformance clustermesh (Backport PR #​32787, Upstream PR #​32654, @​giorio94)
• Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (Backport PR #​32503, Upstream PR #​31424, @​learnitall)
• Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR #​32503, Upstream PR #​32402, @​michi-covalent)
• workflows: ignore "No egress gateway found" drops (Backport PR #​32695, Upstream PR #​32564, @​jibi)
• workflows: Remove stale CodeQL workflow (Backport PR #​32695, Upstream PR #​32084, @​pchaigno)

Misc Changes:

• (v1.14) Bump golang.org/x/net (#​32792, @​ferozsalam)
• background-sync: fix bootstrap issue and edge-case with 1 node (Backport PR #​32874, Upstream PR #​32630, @​marseel)
• bump cni plugins to v1.5.0 (Backport PR #​32695, Upstream PR #​32629, @​antonipp)
• Bump timeout of lint-build-commits.yaml (Backport PR #​32787, Upstream PR #​32746, @​YutaroHayakawa)
• chore(deps): update all github action dependencies (v1.14) (#​32495, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​32637, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​32720, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​32741, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​32842, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​32925, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (patch) (#​32638, @​renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.7 (v1.14) (#​32496, @​renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.18 (v1.14) (#​32581, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.9 (v1.14) (#​32836, @​renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.13.5 (v1.14) (#​32949, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.10 docker digest to 16438a8 (v1.14) (#​32636, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 19478ce (v1.14) (#​32924, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.14) (#​32369, @​renovate[bot])
• chore(deps): update github/codeql-action action to v3.25.5 (v1.14) (#​32510, @​renovate[bot])
• chore(deps): update go to v1.21.11 (v1.14) (#​32895, @​renovate[bot])
• chore(deps): update hubble cli to v0.13.4 (v1.14) (#​32722, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#​32723, @​renovate[bot])
• contrib: Remove CHARTS_PATH dependency (Backport PR #​32695, Upstream PR #​32328, @​joestringer)
• Docs: add note about AKS kube-apiserver entity (Backport PR #​32695, Upstream PR #​32464, @​darox)
• docs: ipsec: remove limitation for native-routing with L7 egress policy (Backport PR #​32956, Upstream PR #​32906, @​julianwiedmann)
• Miscellaneous improvements to the clustermesh troubleshooting guide (Backport PR #​32571, Upstream PR #​32552, @​giorio94)
• Remove release scripts (Backport PR #​32968, Upstream PR #​32938, @​aanm)

Other Changes:

• [1.14-backport] ipsec: Fix unencrypted traffic when IPsec is used with L7 egress proxy (#​31976, @​jschwinger233)
• [v1.14] bugtool: Avoid sensitive data in envoy config dump (#​32965, @​sayboras)
• [v1.14] envoy: Bump envoy version to v1.28.4 (#​32910, @​sayboras)
• envoy: Update envoy 1.27.x to 1.28.3 (#​32482, @​sayboras)
• install: Update image digests for v1.14.11 (#​32545, @​nebril)

v1.14.12

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.12@​sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c
quay.io/cilium/cilium:v1.14.12@​sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.12@​sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92
quay.io/cilium/clustermesh-apiserver:v1.14.12@​sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92

docker-plugin

docker.io/cilium/docker-plugin:v1.14.12@​sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107
quay.io/cilium/docker-plugin:v1.14.12@​sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107

hubble-relay

docker.io/cilium/hubble-relay:v1.14.12@​sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574
quay.io/cilium/hubble-relay:v1.14.12@​sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.12@​sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565
quay.io/cilium/kvstoremesh:v1.14.12@​sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.12@​sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c
quay.io/cilium/operator-alibabacloud:v1.14.12@​sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c

operator-aws

docker.io/cilium/operator-aws:v1.14.12@​sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe
quay.io/cilium/operator-aws:v1.14.12@​sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe

operator-azure

docker.io/cilium/operator-azure:v1.14.12@​sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd
quay.io/cilium/operator-azure:v1.14.12@​sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd

operator-generic

docker.io/cilium/operator-generic:v1.14.12@​sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6
quay.io/cilium/operator-generic:v1.14.12@​sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6

operator

docker.io/cilium/operator:v1.14.12@​sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262
quay.io/cilium/operator:v1.14.12@​sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262

v1.14.11: 1.14.11

Compare Source

We are pleased to release Cilium v1.14.11.

This release brings us reducing pressure on the BPF connection tracking and NAT maps, as well as fixes for failing service connections, HostFirewall policy updates and many more.

Security Advisories

This release addresses following security vulnerabilities:

• GHSA-3mh5-6q8v-25wj
• GHSA-5fq7-4mxc-535h

Summary of Changes

Minor Changes:

• envoy: Bump go version to 1.21.10 (#​32414, @​sayboras)
• Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (Backport PR #​31797, Upstream PR #​31082, @​julianwiedmann)

Bugfixes:

• Agent: add kubeconfigPath to initContainers (Backport PR #​32251, Upstream PR #​32008, @​darox)
• cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #​32419, Upstream PR #​32128, @​gandro)
• cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #​32385, Upstream PR #​32244, @​learnitall)
• dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #​32251, Upstream PR #​31999, @​gandro)
• Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #​32314, Upstream PR #​32270, @​jrajahalme)
• envoy: pass idle timeout configuration option to cilium configmap (Backport PR #​32251, Upstream PR #​32203, @​mhofstetter)
• Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport PR #​31797, Upstream PR #​32116, @​julianwiedmann)
• Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #​32251, Upstream PR #​32168, @​squeed)
• Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #​32385, Upstream PR #​30548, @​squeed)
• fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #​32104, Upstream PR #​31959, @​marseel)
• ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #​32251, Upstream PR #​32099, @​jasonaliyetti)
• operator: fix errors/warnings metric. (Backport PR #​31907, Upstream PR #​31214, @​tommyp1ckles)

CI Changes:

• alibabacloud/eni: avoid racing node mgr in test (Backport PR #​31987, Upstream PR #​31877, @​bimmlerd)
• ci: Filter supported versions of AKS (Backport PR #​32385, Upstream PR #​32303, @​marseel)
• ci: Increase timeout for images for l4lb test (Backport PR #​32251, Upstream PR #​32201, @​marseel)
• gha: configure fully-qualified DNS names as external targets (Backport PR #​32104, Upstream PR #​31510, @​giorio94)
• gha: drop double installation of Cilium CLI in conformance-eks (Backport PR #​32104, Upstream PR #​32042, @​giorio94)
• Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #​32104, Upstream PR #​31958, @​giorio94)
• test: De-flake xds server_e2e_test (Backport PR #​32104, Upstream PR #​32004, @​jrajahalme)
• workflows: Fix CI jobs for push events on private forks (Backport PR #​32251, Upstream PR #​32085, @​pchaigno)

Misc Changes:

• bpf: host: restore HostFW for overlay traffic in to-netdev (Backport PR #​31797, Upstream PR #​31818, @​julianwiedmann)
• bpf: tests: don't define HAVE_ENCAP in IPsec tests (Backport PR #​31797, Upstream PR #​31737, @​julianwiedmann)
• build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #​32251, Upstream PR #​32176, @​dependabot[bot])
• chore(deps): update all github action dependencies (v1.14) (#​31997, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​32109, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​32373, @​renovate[bot])
• chore(deps): update all-dependencies (v1.14) (#​31996, @​renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.4 (v1.14) (#​32110, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.14) (#​32370, @​renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.9 docker digest to 81811f8 (v1.14) (#​31995, @​renovate[bot])
• chore(deps): update go to v1.21.10 (v1.14) (#​32368, @​renovate[bot])
• chore(deps): update golangci/golangci-lint-action action to v6 (v1.14) (#​32397, @​renovate[bot])
• chore(deps): update hubble cli to v0.13.3 (v1.14) (#​32111, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#​31823, @​renovate[bot])
• CI: bump default FQDN datapath timeout from 100 to 250ms (Backport PR #​32251, Upstream PR #​31866, @​squeed)
• docs: Add annotation for Ingress endpoint (Backport PR #​32385, Upstream PR #​32284, @​sayboras)
• docs: Fix prometheus port regex (Backport PR #​32251, Upstream PR #​32030, @​JBodkin-Amphora)
• Docs: mark Tetragon as Stable (Backport PR #​31987, Upstream PR #​31886, @​sharlns)
• Document Cluster Mesh global services limitations when KPR=false (Backport PR #​31987, Upstream PR #​31798, @​giorio94)
• endpoint: Skip build queue warning log is context is canceled (Backport PR #​32251, Upstream PR #​32132, @​jrajahalme)
• fqdn: Change error log to warning (Backport PR #​32385, Upstream PR #​32333, @​jrajahalme)
• fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #​32385, Upstream PR #​32325, @​nathanjsweet)
• golangci: Enable errorlint (Backport PR #​31793, Upstream PR #​31458, @​jrajahalme)
• Improve release organization page (Backport PR #​31987, Upstream PR #​31970, @​joestringer)
• install/kubernetes: update nodeinit image to latest version (Backport PR #​32251, Upstream PR #​32181, @​tklauser)
• ipsec: Debug info for transient IPsec upgrade drops (Backport PR #​32385, Upstream PR #​32240, @​pchaigno)
• l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport PR #​32265, Upstream PR #​32200, @​mhofstetter)
• Remove aks-preview from AKS workflows (Backport PR #​32251, Upstream PR #​32118, @​marseel)
• Remove cilium/build from codeowners (#​32146, @​joestringer)

Other Changes:

• [1.14] images: update cilium-{runtime,builder} (#​32443, @​nebril)
• [1.14] operator: propagate CiliumClusterConfig when in kvstore mode (#​32349, @​hemanthmalla)
• [v1.14-backport] Introduce fromEgressProxyRule (#​31926, @​jschwinger233)
• ci: no longer suppported v1.25 in GKE (#​32183, @​marseel)
• envoy: Bump envoy version to v1.27.5 (#​32078, @​sayboras)
• fix k8s versions tested in CI (#​31969, @​nbusseneau)
• install: Update image digests for v1.14.10 (#​31914, @​asauber)

v1.14.10: 1.14.10

Compare Source

We are pleased to announce the release of Cilium v1.14.10.

This release includes hubble metrics when using cilium sysdump, and a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm

Summary of Changes

Minor Changes:

• bugtool: Collect hubble metrics (Backport PR #​31888, Upstream PR #​31533, @​chancez)
• Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (Backport PR #​31888, Upstream PR #​29581, @​xyz-li)
• Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (Backport PR #​31007, Upstream PR #​27498, @​jrajahalme)

Bugfixes:

• cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #​31724, Upstream PR #​31622, @​gandro)
• cni: Allow text-ts log format value (Backport PR #​31888, Upstream PR #​31686, @​sayboras)
• fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR #​31724, Upstream PR #​31104, @​tamilmani1989)
• Fixed a race condition in service updates for L7 LB. (Backport PR #​31861, Upstream PR #​31744, @​jrajahalme)
• Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space.
  Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled.
  Otherwise, it was merely generating unnecessary error log messages. (Backport PR #​31656, Upstream PR #​31380, @​marseel)
• fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#​31871, @​nathanjsweet)
• fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#​31801, @​nathanjsweet)
• metric: Avoid memory leak/increase in cilium-agent (Backport PR #​31888, Upstream PR #​31714, @​sayboras)

CI Changes:

• ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR #​31724, Upstream PR #​31594, @​qmonnet)
• ci-e2e: Enable Ingress Controller test for more setup (Backport PR #​31658, Upstream PR #​30657, @​sayboras)
• ci-ipsec-e2e: Misc refactor + more keys (Backport PR #​31429, Upstream PR #​29592, @​brb)
• ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #​31724, Upstream PR #​31652, @​qmonnet)
• deflake endpointmanager tests (Backport PR #​31724, Upstream PR #​31488, @​bimmlerd)
• gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR #​31429, Upstream PR #​29704, @​brb)
• gha: Enable Ingress Controller tests in conformance-e2e (Backport PR #​31658, Upstream PR #​29130, @​sayboras)
• workflows: Debug info for key rotations (Backport PR #​31724, Upstream PR #​31627, @​pchaigno)

Misc Changes:

• bitlpm: Document and Fix Descendants Bug (Backport PR #​31888, Upstream PR #​31851, @​nathanjsweet)
• Bump go-jose to v3.0.3 (v1.14) (#​31881, @​ferozsalam)
• chore(deps): update all github action dependencies (v1.14) (#​31824, @​renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.14) (#​31707, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.4 (v1.14) (#​31675, @​renovate[bot])
• chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (v1.14) (#​31748, @​renovate[bot])
• chore(deps): update go to v1.21.9 (v1.14) (#​31765, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#​31708, @​renovate[bot])
• cilium-dbg: avoid leaking file resources (Backport PR #​31888, Upstream PR #​31750, @​tklauser)
• docs: Document No node ID found drops in case of remote node deletion (Backport PR #​31724, Upstream PR #​31635, @​pchaigno)
• docs: ipsec: document native-routing + Egress proxy case (Backport PR #​31724, Upstream PR #​31478, @​julianwiedmann)
• Fix spelling in DNS-based proxy info (Backport PR #​31888, Upstream PR #​31728, @​saintdle)
• helm: update nodeinit image using renovate (Backport PR #​31724, Upstream PR #​31641, @​tklauser)
• Move governance docs to the Cilium community repo (Backport PR #​31888, Upstream PR #​31692, @​katiestruthers)
• Remove Hubble-OTel from the roadmap (Backport PR #​31888, Upstream PR #​31847, @​xmulligan)
• Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #​31724, Upstream PR #​29300, @​learnitall)
• Support for batch deletion of endpoints (Backport PR #​31585, Upstream PR #​27351, @​tklauser)
• v1.14: update cilium/certgen to v0.1.11 (#​31883, @​rolinh)

Other Changes:

• [v1.14] envoy: Bump envoy image for golang 1.21.9 (#​31771, @​sayboras)
• [v1.14] fix unsupported aws region (#​31742, @​brlbil)
• [v1.15] envoy: Bump golang version to 1.21.8 (Backport PR #​31007, Upstream PR #​31221, @​sayboras)
• CI: Remove unsupported k8s version (#​31829, @​brlbil)
• envoy: Bump envoy version to v1.27.4 (#​31808, @​sayboras)
• install: Update image digests for v1.14.9 (#​31629, @​jrajahalme)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.10@​sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
quay.io/cilium/cilium:v1.14.10@​sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.10@​sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798
quay.io/cilium/clustermesh-apiserver:v1.14.10@​sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798

docker-plugin

docker.io/cilium/docker-plugin:v1.14.10@​sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda
quay.io/cilium/docker-plugin:v1.14.10@​sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda

hubble-relay

docker.io/cilium/hubble-relay:v1.14.10@​sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0
quay.io/cilium/hubble-relay:v1.14.10@​sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.10@​sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14
quay.io/cilium/operator-alibabacloud:v1.14.10@​sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14

operator-aws

docker.io/cilium/operator-aws:v1.14.10@​sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6
`quay.io/cilium/operator-aws:v1.14.10@​sha256:72440

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/go-jose/go-jose/v3	v3.0.1 -> v3.0.3