Releases: cilium/cilium
1.20.0-pre.1
Summary of Changes
Major Changes:
- nodeport: support n/s dynamic source ip resolution (#44625, @ldelossa)
- policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials (#44234, @Andreagit97)
Minor Changes:
- Add jitter delay to the IPsec key file watcher for key rotations, to avoid thundering herd problem on Cilium agents. (#44263, @shavyshetty)
- Add support for `PreferSameZone` and `PreferSameNode` traffic distribution (#44771, @raphink)
- clustermesh: run official MCS-API conformance in CI (#44424, @MrFreezeex)
- Do not run with netkit and per-endpoint routes if kernel does not support netkit scrub attributes. (#44960, @ajmmm)
- Fix performance bug in L7 policy proxy redirect handling (#44613, @fristonio)
- Fixes issue where the Cilium agent fails to initialise when using KVStore identity mode with etcd behind a K8s Service (#44653, @41ks)
- helm,docs: add configDriftDetection Helm values and documentation (#44703, @PhilipSchmid)
- IPAM: Add CIDR label to IPAM capacity metric (#44541, @soggiest)
- operator: add --leader-election-resource-lock-timeout flag (#44500, @darox)
- pkg/policy: Support more tunnel protocols as extended protocols (#44459, @simplysoft)
- Proxylib related fields are removed from CNP and CCNP CRDs. (#44610, @jrajahalme)
- The hubble-relay container now runs with readOnlyRootFilesystem (#43653, @jcpunk)
- The internal representation of load-balancing backends has been refactored to efficiently support thousands of services referencing a shared backend. (#44511, @joamaki)
Bugfixes:
- Add rate limiting to neighbor reconciler to reduce CPU usage and memory churn (#43928, @dylandreimerink)
- bgp: Fix potential race in service advertisements upon error retry (#45049, @rastislavs)
- bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (#44658, @smagnani96)
- clustermesh: fix a bug in the MCS-API CRD install that could attempt a CRD downgrade when the version label is higher (#44738, @MrFreezeex)
- ctmap: Change order of active maps (#44729, @brb)
- Ensure completion.WaitGroup always has a timeout (#44731, @jrajahalme)
- envoy: Fix xds server npds listeners accounting (#44830, @fristonio)
- Fix `loadBalancerSourceRanges` not being enforced on ExternalIPs frontends of LoadBalancer services. (#44747, @syedazeez337)
- Fix a slow memory leak triggered by incremental policy updates (#44328, @odinuge)
- Fix bug where more Helm options were gated by `loadbalancer` option than intended (#42916, @mliner)
- Fix endpoints for static pods stuck in init identity (#45016, @aaroniscode)
- Fix IPSec key rotation race condition where packets were dropped due to XFRM states not being ready when peers started using the new key. Also adds logging for key rotation flow. (#44335, @daanvinken)
- Fix memory leak triggered by policies being created and deleted (#44724, @odinuge)
- Fix node selector handling for k8s ClusterNetworkPolicy (#44446, @TheBeeZee)
- Fix panic in Hubble Relay when new peer address is unresolvable (#45021, @pesarkhobeee)
- fix(datapath): ignore link-local IPv6 addresses for NodePort binding (#44778, @Bigdelle)
- Fixed a bug in dual-stack cluster-pool IPAM where an operator restart with a pre-existing duplicate IPv6 PodCIDR could cause the affected node's IPv4 PodCIDR to be incorrectly freed and reassigned to another node. (#44832, @christarazi)
- Fixed an issue where policy update ack is never completed after endpoint deletion. (#44754, @jrajahalme)
- Fixed ipcache identity update hang when last proxy listener is removed. (#44597, @jrajahalme)
- Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (#44513, @akos011221)
- Fixes a bug where toCIDRSet / fromCIDRSet policies permitted CIDR exceptions larger than the given CIDR set. (#44637, @tsotne95)
- Fixes GRPCRoute being silently excluded from Envoy config when a Gateway listener explicitly sets allowedRoutes.kinds. (#44826, @eufriction)
- l7lb: fix bypassing ingress policies for local backends (#44693, @smagnani96)
- lb: fix panic in orphan backend cleanup when addr is zero-value (#44853, @vipul-21)
- lb: Skip nil slots during BPF map restore to prevent panic (#44895, @vipul-21)
- loadbalancer: Fix issue in resynchronization of state from api-server which may have left stale backends around until an updated EndpointSlice was received (#44711, @joamaki)
- operator/identitygc: fix nil pointer dereference on shutdown (#45091, @tsotne95)
- sockets: fix nil pointer dereference in filterAndDestroySockets (#44843, @umut-polat)
- wal: Do not truncate in NewWriter (#44886, @joamaki)
CI Changes:
- .github/workflows: disable cache for go steps (#45073, @aanm)
- .github/workflows: replace external set-commit-status action (#45078, @aanm)
- .github: cleanup disk before ci-verifier tests (#44971, @aanm)
- allocator: handle unlikely goroutine leak (#44589, @asauber)
- Allow Renovate to update Go to v1.25 on Cilium v1.17 and v1.18 (#44801, @ferozsalam)
- bpf: complexity-tests: minor cleanups (#45018, @julianwiedmann)
- bpf: test: remove test for conflict of NAT LB with catch-all EGW policy (#44770, @julianwiedmann)
- bpf: tests: move v*_svc_loopback boilerplate into bpf_lxc.h (#44621, @julianwiedmann)
- bpf: tests: simplify __lb_v4_upsert_service() (#44911, @julianwiedmann)
- bpf:test: extend encrypt_host.h suite and add decrypt_host.h (#44339, @smagnani96)
- ci: add fail-fast false to ci image builds (#45079, @Artyop)
- ci: add k8s 1.35 for AKS (#44550, @Artyop)
- ci: add k8s 1.35 for gke tests (#44549, @Artyop)
- ci: fix is-workflow-call check to handle empty input (#45020, @aanm)
- ci: fix PR branch pull step on stable pushes (#45019, @Artyop)
- ci: fix pr number check for base branch retrieval (#45024, @Artyop)
- ci: inline Go version in setup-go version (#44654, @tklauser)
- ci: lint Ariane config (#44554, @nebril)
- ci: set TMPDIR=/host/tmp in datapath verifier tests (#45047, @aanm)
- datapath/loader: Add map count to verifier complexity records (#44652, @dylandreimerink)
- Documentation: fix CI to catch untracked generated files (#44642, @MrHohn)
- Fix some test-e2e-upgrade issues (#45075, @aanm)
- fix: escape $ character in regex to prevent injection (#44638, @peoyekunle)
- fix: harden k8s apiserver endpoint access (#44863, @sekhar-isovalent)
- fix: nil pointer reference in DNS benchmark test (#44542, @vipul-21)
- gateway-api CI: Change to have the full matrix run nightly, and have the experimental release channel to run on PRs. (#44656, @xtineskim)
- ginkgo: remove `Supports IPv4 Fragments` (#44271, @smagnani96)
- loadbalancer: Fix privileged testing (#44733, @joamaki)
- Miscellaneous changes to the Conformance MCS-API workflow (#45060, @giorio94)
- Remove 'unparallel' build tag to restore editor tooling functionality (#44304, @ti-mo)
- Remove exotic netkit e2e tests (#44998, @ajmmm)
- sockets: Ensure bpffs is mounted in TestPrivilegedSocketDestroyers (#44979, @christarazi)
- test: migrate K8sDatapathConfig to component-based tests (#44618, @saiaunghlyanhtet)
- Use fake external targets on nodes without Cilium in GKE CI workflows for better stability. (#41713, @gentoo-root)
- workflows/aks: Use static Helm cluster name (#44983, @rastislavs)
- workflows/gke: Re-add missing UID in cluster name (#44605, @pchaigno)
- workflows: Extend KPR + AKS tests (#42308, @pchaigno)
- workflows: Fix Conformance KPR to run GKE with KPR enabled (#44692, @pchaigno)
Misc Changes:
- .github/renovate: update k8s generate files when swagger is updated (#44954, @aanm)
- .github/renovate: use builder container for generate-k8s-api in all r… (#44996, @aanm)
- .github/workflows: do not use deployments for environments (#44908, @aanm)
- .github: do not allow blank issues from being created (#44907, @aanm)
- .github: use create eks nodegroup action for l7-perf workflow (#44706, @fristonio)
- [bpf] avoid leaking explicit tbid traffic to the host network namespace (#45061, @ldelossa)
- [embedded_envoy_test] More fixes (#44749, @nezdolik)
- [envoy] Rename embedded envoy test (#44839, @nezdolik)
- Added logic to auto-generate Cilium feature metric documentation from command line. (#44715, @ajmmm)
- bgp: Ensure ServerLogger uses BGP instance name (#44910, @martonra)
- bgp: Introduce --with-attrs option to bgp/routes (#45015, @YutaroHayakawa)
- bpf, datapath: switch BPF tproxy option to runtime config (#44649, @tklauser)
- bpf, datapath: switch endpoint routes option to runtime config (#44838, @tklauser)
- bpf, datapath: switch identity mark option to runtime config (#44905, @tklauser)
- bpf, datapath: switch IPv4...
1.19.2
Summary of Changes
Minor Changes:
- ztunnel/helm: move ztunnel daemonset management from operator to helm (Backport PR #44593, Upstream PR #43763, @nddq)
Bugfixes:
- Add rate limiting to neighbor reconciler to reduce CPU usage and memory churn (Backport PR #44699, Upstream PR #43928, @dylandreimerink)
- bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #44760, Upstream PR #44658, @smagnani96)
- cilium-dbg: fix seg-fault `ip get -l reserved:host` (Backport PR #44517, Upstream PR #44443, @aanm)
- clustermesh: fix a few minor typo/issues in the MCS-API documentation (Backport PR #44398, Upstream PR #44299, @MrFreezeex)
- clustermesh: fix a goroutine leak related to EndpointSliceSync when removing cluster (Backport PR #44517, Upstream PR #44444, @MrFreezeex)
- clustermesh: fix a race condition where EndpointSlices created just before a cluster is removed could be left uncleaned (Backport PR #44517, Upstream PR #44503, @MrFreezeex)
- Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #44496, Upstream PR #44209, @dylandreimerink)
- Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #44593, Upstream PR #44540, @tklauser)
- Fix bug where more Helm options were gated by `loadbalancer` option than intended (Backport PR #44699, Upstream PR #42916, @mliner)
- Fix envoy admin socket being created as world-accessible (Backport PR #44593, Upstream PR #44512, @0xch4z)
- Fix IPSec key rotation race condition where packets were dropped due to XFRM states not being ready when peers started using the new key. Also adds logging for key rotation flow. (Backport PR #44699, Upstream PR #44335, @daanvinken)
- Fix tearing down wrong pod's veth in aws-cni chaining when using deterministic pod names (Backport PR #44517, Upstream PR #44494, @aanm)
- Fixed a bug in service load balancing where backend slot assignments could have gaps when maintenance backends exist, potentially causing traffic misrouting. (Backport PR #44398, Upstream PR #43902, @Aman-Cool)
- Fixed a bug where bandwidth priority updates were not applied when only the priority annotation was changed on a Pod. (Backport PR #44517, Upstream PR #44329, @zbb88888)
- Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #44517, Upstream PR #44462, @liyihuang)
- Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #44699, Upstream PR #44513, @akos011221)
- gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #44517, Upstream PR #44492, @youngnick)
- gateway-api: Fixed some issues with TLSRoute attachment that will be covered by new conformance tests soon. (Backport PR #44517, Upstream PR #44397, @youngnick)
- Grant permissions to the cilium-operator so that it can reconcile ServiceImport when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #44517, Upstream PR #44458, @MrFreezeex)
- helm/ztunnel: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0 (Backport PR #44593, Upstream PR #44196, @nddq)
- ingress: Ensure that the shared ingress exposes port 443 so that it can pass upstream loadbalancer health checks. (Backport PR #44517, Upstream PR #44229, @xtineskim)
- ipam: Fix concurrent map access to multipool map (Backport PR #44517, Upstream PR #44150, @christarazi)
- l7lb: fix bypassing ingress policies for local backends (Backport PR #44800, Upstream PR #44693, @smagnani96)
- loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #44398, Upstream PR #44286, @mhofstetter)
- policy: Improve PASS handling for non-consecutive tiers and wildcard fallbacks (Backport PR #44418, Upstream PR #43917, @TheBeeZee)
CI Changes:
- .github/workflows: eks-cluster-pool-manager: fix race condition and c… (Backport PR #44398, Upstream PR #44283, @aanm)
- ci: add k8s 1.35 for AKS (Backport PR #44699, Upstream PR #44550, @Artyop)
- ci: add k8s 1.35 for gke tests (Backport PR #44699, Upstream PR #44549, @Artyop)
- ci: k8s 1.35 to EKS matrix (Backport PR #44517, Upstream PR #44403, @Artyop)
- ci: reduce number of k8s versions tested on EKS (Backport PR #44517, Upstream PR #44426, @Artyop)
- docs: Bump k8s compat version (Backport PR #44593, Upstream PR #44516, @joestringer)
- gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR #44517, Upstream PR #44381, @julianwiedmann)
- test/helpers: ignore error creating lease lock message (Backport PR #44398, Upstream PR #44282, @aanm)
Misc Changes:
- [v1.19] fix: add Documentation/cmdref/cilium-dbg_policy_subject-selectors.md (#44644, @jingyuanliang)
- Added circuit breaker configuration (max connections, requests, and retries) for Cilium Envoy ingress, egress, and external envoy. (Backport PR #44699, Upstream PR #44195, @liyihuang)
- bgp: Clean up unused RouteReflector and improve GoBGP test commands (Backport PR #44632, Upstream PR #44074, @liyihuang)
- bgp: Introduce bgp/peers Hive Shell command (Backport PR #44517, Upstream PR #44067, @YutaroHayakawa)
- bgp: Introduce bgp/routes Hive Shell command (Backport PR #44517, Upstream PR #44220, @YutaroHayakawa)
- bgp: Make the BGP instance name retrievable from GoBGP (Backport PR #44517, Upstream PR #44024, @YutaroHayakawa)
- chore(deps): update all github action dependencies (v1.19) (#44475, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.19) (#44572, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.19) (#44673, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.19) (#44788, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.19) (#44573, @cilium-renovate[bot])
- chore(deps): update base-images (v1.19) (#44574, @cilium-renovate[bot])
- chore(deps): update base-images (v1.19) (#44668, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.19) (#44568, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.19) (#44671, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.19) (#44472, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1772889061-409b87726267dd621aab2cc455bad504fa5006d0 (v1.19) (#44669, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.19) (#44723, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.19) (#44787, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.19) (patch) (#44473, @cilium-renovate[bot])
- contrib: Auto-find source files in check-source-info.sh (Backport PR #44628, Upstream PR #44506, @YutaroHayakawa)
- contrib: Minor cleanups for check-source-info.sh (Backport PR #44628, Upstream PR #44431, @YutaroHayakawa)
- docs(ztunnel): fix some typo (Backport PR #44398, Upstream PR #44294, @alagoutte)
- docs: add policy language chapter headline (Backport PR #44398, Upstream PR #44204, @orangecms)
- docs: Fix duplicate `--version` in Helm OCI install/upgrade documentation examples. (Backport PR #44398, Upstream PR #44380, @gma1k)
- docs: Fix some "parsed-literal" blocks (Backport PR #44517, Upstream PR #44385, @qmonnet)
- Docs: improve docs around ipsec upgrade in 1.18 (Backport PR #44398, Upstream PR #44302, @darox)
- docs: Point to cilium.io for community blogs (Backport PR #44517, Upstream PR #44420, @qmonnet)
- fix(deps): update all-dependencies (v1.19) (#44471, @cilium-renovate[bot])
- fix(deps): update k8s.io patch updates stable (v1.19) (#44474, @cilium-renovate[bot])
- fix(deps): update k8s.io patch updates stable to 0f775a3 (v1.19) (#44570, @cilium-renovate[bot])
- fix(deps): update k8s.io patch updates stable to v0.35.2 (v1.19) (patch) (#44571, @cilium-renovate[bot])
- fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.3 (v1.19) (#44670, @cilium-renovate[b...
1.18.8
Known issues
- Users who deploy Cilium on GKE should skip this version or upgrade to 1.19.2 due to a known regression.
Summary of Changes
Minor Changes:
- Allow to attach Cilium's XDP program on network interfaces that have jumbo MTU configured and support xdp.frags program type. (Backport PR #44499, Upstream PR #41967, @viktor-kurchenko)
Bugfixes:
- bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #44758, Upstream PR #44658, @smagnani96)
- cilium-dbg: fix seg-fault `ip get -l reserved:host` (Backport PR #44519, Upstream PR #44443, @aanm)
- Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #44499, Upstream PR #44209, @dylandreimerink)
- Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #44592, Upstream PR #44540, @tklauser)
- Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name (Backport PR #44021, Upstream PR #43999, @EmilyShepherd)
- Fix envoy admin socket being created as world-accessible (Backport PR #44592, Upstream PR #44512, @0xch4z)
- Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #44519, Upstream PR #44462, @liyihuang)
- Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #44700, Upstream PR #44513, @akos011221)
- gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #44519, Upstream PR #44492, @youngnick)
- l7lb: fix bypassing ingress policies for local backends (Backport PR #44804, Upstream PR #44693, @smagnani96)
- loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #44399, Upstream PR #44286, @mhofstetter)
CI Changes:
- gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR #44519, Upstream PR #44381, @julianwiedmann)
Misc Changes:
- chore(deps): update all github action dependencies (v1.18) (#44372, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.18) (#44480, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.18) (#44579, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.18) (#44681, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.18) (#44791, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.18) (#44369, @cilium-renovate[bot])
- chore(deps): update base-images (v1.18) (#44580, @cilium-renovate[bot])
- chore(deps): update base-images (v1.18) (#44678, @cilium-renovate[bot])
- chore(deps): update base-images to v1.25.8 (v1.18) (#44810, @cilium-renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.18) (#44344, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.18) (#44401, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.18) (#44577, @cilium-renovate[bot])
- chore(deps): update dependency sphinx-tabs to v3.5.0 (v1.18) (#44679, @cilium-renovate[bot])
- chore(deps): update docker.io/library/ubuntu:24.04 docker digest to d1e2e92 (v1.18) (#44476, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to e3f9456 (v1.18) (#44797, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to f512d81 (v1.18) (#44575, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.18) (#44370, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.18) (#44680, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.18) (#44371, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.18) (#44478, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.18) (#44676, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773405792-4046425704636ea5b770460c20c065069cf572dc (v1.18) (#44789, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.18) (#44807, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) (#44252, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) (#44479, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) (#44677, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) (#44790, @cilium-renovate[bot])
- Docs: improve docs around ipsec upgrade in 1.18 (Backport PR #44399, Upstream PR #44302, @darox)
- fix(deps): update k8s.io patch updates stable (v1.18) (#44477, @cilium-renovate[bot])
- fix(deps): update k8s.io patch updates stable to v0.33.9 (v1.18) (patch) (#44578, @cilium-renovate[bot])
- fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 0f775a3 (v1.18) (#44576, @cilium-renovate[bot])
- fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 15301c2 (v1.18) (#44675, @cilium-renovate[bot])
- loadbalancer/healthserver: stabilize proxy-redirect test (Backport PR #44519, Upstream PR #44323, @mhofstetter)
Other Changes:
- [1.18] gha: Use eks 1.32 from us-west-2 (#44753, @sayboras)
- [v1.18] endpoint/bpf: remove change empty condition for updateEnvoy (#44616, @liyihuang)
- [v1.18] gh: verifier: disable RHEL8 (#44317, @julianwiedmann)
- [v1.18] loadbalancer: Fix flake in hybrid-dsr.txtar (#44756, @julianwiedmann)
- install: Update image digests for v1.18.7 (#44326, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.18.8@sha256:070a63cc414869cf6c53202cb50929a87adb7d5b25de0f2f40ab39eb6434b706
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.18.8@sha256:5cb08daad7397f52ce5c36fcbfe83c56494f340d9b8f10f8bc7a3f2a812c33d5
docker-plugin
quay.io/cilium/docker-plugin:v1.18.8@sha256:8e1c89bc4ef3bbc55a10edc96a9f2915af45181e46ff189c00f3d8fb7825a0b7
hubble-relay
quay.io/cilium/hubble-relay:v1.18.8@sha256:dcf324aa35ab59c8fe6d002e3df6a63fff18280da464d09e4a97d58c085bb015
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.18.8@sha256:36c1702c8afd0b0221e3d88ca08537100caef509de6a6bb7244d5fa4643a7252
operator-aws
quay.io/cilium/operator-aws:v1.18.8@sha256:7ab154b269eae378456d63cc9085d96c4f472e11a1496ca4c62af68ff4b31da3
operator-azure
quay.io/cilium/operator-azure:v1.18.8@sha256:a4027d349e817bda9168af1e27231be491a3026c748128a79026e366321f6332
operator-generic
quay.io/cilium/operator-generic:v1.18.8@sha256:f9d1715932751b1454d0f59b492497cb1636dea6335beab0f9026fa8b5a6f62f
operator
quay.io/cilium/operator:v1.18.8@sha256:cc3f7bdf9e443b807d3cb9b0bd30eddac5591c3f4b1e6fa053bfaa8697a7ee58
1.17.14
Summary of Changes
Bugfixes:
- bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #44709, Upstream PR #44658, @smagnani96)
- Fix envoy admin socket being created as world-accessible (Backport PR #44591, Upstream PR #44512, @0xch4z)
- l7lb: fix bypassing ingress policies for local backends (Backport PR #44805, Upstream PR #44693, @smagnani96)
CI Changes:
- pkg: Mark node_linux_test.go as unparallel (Backport PR #44591, Upstream PR #38172, @jschwinger233)
Misc Changes:
- [1.17] gha: Use eks 1.30 from us-west-2 (#44752, @sayboras)
- chore(deps): update all github action dependencies (v1.17) (#44376, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#44485, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#44583, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#44687, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#44794, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#44373, @cilium-renovate[bot])
- chore(deps): update base-images to v1.25.8 (v1.17) (#44811, @cilium-renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.17) (#44345, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.17) (#44402, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.17) (#44552, @cilium-renovate[bot])
- chore(deps): update dependency mfridman/protoc-gen-go-json to v1.6.0 (v1.17) (#44684, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v34 (v1.17) (#44584, @cilium-renovate[bot])
- chore(deps): update dependency sphinx-tabs to v3.5.0 (v1.17) (#44685, @cilium-renovate[bot])
- chore(deps): update docker.io/library/ubuntu:24.04 docker digest to d1e2e92 (v1.17) (#44481, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to e3f9456 (v1.17) (#44798, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to f512d81 (v1.17) (#44581, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.17) (#44686, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.17) (#44374, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.17) (#44483, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.17) (#44682, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773405792-4046425704636ea5b770460c20c065069cf572dc (v1.17) (#44792, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.17) (#44808, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#44375, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#44484, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#44683, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#44793, @cilium-renovate[bot])
- fix(deps): update k8s.io patch updates stable (v1.17) (patch) (#44508, @cilium-renovate[bot])
- fix(deps): update k8s.io patch updates stable to v0.32.13 (v1.17) (patch) (#44582, @cilium-renovate[bot])
- fix(deps): update k8s.io/utils digest to b8788ab (v1.17) (#44482, @cilium-renovate[bot])
- Include the results of `find /sys/fs/bpf` in bugtool output (Backport PR #44591, Upstream PR #38980, @ti-mo)
Other Changes:
- Fix gke channels (#44558, @Artyop)
- install: Update image digests for v1.17.13 (#44325, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.17.14@sha256:cdcfab5b4466d607f713d1ada281ee4513dd3982eb2c48ef2d0cc708cc3d1ba3
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.17.14@sha256:6cc4e47b2a50649e739dbb61f266497e7ef53d048b60dc32ba563bd4efd7f0ba
docker-plugin
quay.io/cilium/docker-plugin:v1.17.14@sha256:087072e60566cc37e21facec0e4096d49bef2e83cd340896ae477a7746819067
hubble-relay
quay.io/cilium/hubble-relay:v1.17.14@sha256:ce5b991bb011fa744c94e04fd7f1a7d3c8e3ce7d2da0652766abe6c468ead990
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.17.14@sha256:bdfa469e453986b995632f889cfb90bc501b80a809ff4b8be8d236eba5fcc2cb
operator-aws
quay.io/cilium/operator-aws:v1.17.14@sha256:182c13e6edda041bfc885932d5e87b1d8ac3588f6f6af309944efee46a2193b2
operator-azure
quay.io/cilium/operator-azure:v1.17.14@sha256:a462e7265ee34a667905c6144b7aa5d5ee8328ee1a4eca3f44bdc1463cc69741
operator-generic
quay.io/cilium/operator-generic:v1.17.14@sha256:773886ec9337f6628ba84e36ac7e3e554c1622024fc2a8b04a3377970aee8889
operator
quay.io/cilium/operator:v1.17.14@sha256:2113d66000847f39135722c61545ddb2c1bbd9fc4479f10dca175fc4bf9bda1b
1.20.0-pre.0
Summary of Changes
Major Changes:
- Add support for Kubernetes Cluster Network Policy (KCNP) (#42338, @TheBeeZee)
- Gateway API support now includes BackendTLSPolicy features (#43045, @youngnick)
Minor Changes:
- [41867] Part 3: Add subnet config watcher with stateDB and BPF map sync (#43438, @anubhabMajumdar)
- [CFP-39876]: Add namespace filtering conditions to ServiceImport controller (#44040, @jimassa)
- Add detection of unknown keys in the cilium-config ConfigMap during preflight for the agent and operator. (#43025, @andy176631)
- Add option to create CiliumEndpointSlices directly from pods instead of CiliumEndpoints (#38388, @jshr-w)
- Add support for wildcard specifier anywhere in SNI pattern (#43674, @fristonio)
- bpf: lxc: also handle non-DSR Nodeport services in per-packet LB path (#44507, @julianwiedmann)
- cli: clustermesh: use ca bundle to connect clusters (#42833, @MrFreezeex)
- clustermesh: remove components restart when providing directly IP (no domain) to connect to remote clustermesh-apiserver (#44425, @MrFreezeex)
- Explicitly set `hostUsers: true` on containers where user namespaces would break the runtime. (#43615, @jcpunk)
- Generalize the node-port nat conflict detection by removing dependency on direct routing interface (#43955, @ldelossa)
- Improve probing for necessary kernel functionality required for service backend termination to avoid false positives. (#42867, @tommyp1ckles)
- ingress: allow per-protocol port overrides for HTTP, HTTPS and TLS passthrough in the HostNetwork mode. (#44447, @viktor-kurchenko)
- Introduces "auto" datapath-mode. If set, Cilium will probe the underlying host for netkit device support at startup. If supported, pods will be created with netkit devices, otherwise veth pairs will continue to be used. (#43062, @ajmmm)
- iptables: Allow Cilium to start in environments where `ip6tables` is not available but iptables rule installation is disabled via configuration. (#43940, @javiercardona-work)
- k8s: remove permissions for list/get/watch of endpoints (#42760, @marseel)
- Metrics are collected for SCTP connections. (#43535, @Jack-R-lantern)
- metrics: remove agent bootstrap metrics (#44180, @mhofstetter)
- Provide a new annotation that enables dynamic pod routing. (#44319, @ldelossa)
- Remove deprecated "aws-pagination-enabled" option in Cilium operator in favor of "aws-max-results-per-call" (#43693, @pippolo84)
- Removed support for Envoy Go Extensions (proxylib) and Kafka-aware network policies. These features were deprecated in v1.16. Users relying on Kafka L7 policy enforcement should migrate to CiliumEnvoyConfig-based solutions. (#43557, @sayboras)
- Removed the `encryption.ipsec.interface` Helm value and its associated `bpf_network.c` program, which had been unused since at least Cilium 1.18. (#44284, @ti-mo)
- The dummy endpoint (192.192.192.192:9999) is no longer created for Ingress and Gateway API. (#43558, @joamaki)
- The previously deprecated Helm value `clustermesh.enableMCSAPISupport` was removed in favor of the `clustermesh.mcsapi.enabled` Helm value (#44300, @MrFreezeex)
- ztunnel/helm: move ztunnel daemonset management from operator to helm (#43763, @nddq)
Bugfixes:
- agent:overlay: Add underlayProtocol 'Auto' for automatic underlay selection (#43057, @smagnani96)
- Azure IPAM: Optimize subnet discovery to eliminate Azure NRP throttling by using targeted subnet queries instead of subscription-wide VNet enumeration, significantly improving performance in large Azure environments with many VNets. (#41555, @yuecong)
- Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (#44540, @tklauser)
- Fix envoy admin socket being created as world-accessible (#44512, @0xch4z)
- Fix in-cluster NodePort connectivity failure in DSR mode when SocketLB is disabled. When a pod accesses a NodePort service via a remote node's IP (instead of the ClusterIP) and the selected backend resides on the same node as the client, the connection fails due to missing reverse NAT on the reply path. (#41963, @gyutaeb)
- Fix: Cilium Ingress now automatically reallocates ports and retries when cilium-envoy fails to bind due to port conflicts (#42859, @inerplat)
- Fixes increased CPU usage in `hubble observe` caused by the log coloring feature, even when coloring was disabled (#44119, @tporeba)
- generate the proper logs when users put 0.0.0.0/0 as the native routing range for iptables nft mode (#43415, @liyihuang)
- helm/ztunnel: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0 (#44196, @nddq)
CI Changes:
- [GH-41867][Part-2][eBPF] Add BPF tests for skip_tunnel flag and subnet-based routing interaction in hybrid mode (#43631, @anubhabMajumdar)
- Add -Wno-unused-command-line-argument to loader/compiler unit test to mitigate test fault with LLVM 20.1. (#43299, @ajmmm)
- bpf/tests: support pkt sizes 1036-1518 bytes (#44314, @msune)
- bpf: test: modernize policy-reject-response test (#44186, @julianwiedmann)
- ci: eks cluster pool eips cleanup step (#43747, @Artyop)
- ci: Extend test timeout for ci-verifier (#44205, @rastislavs)
- ci: fix scheduled workflows for 1.19 branch (#43905, @marseel)
- ci: Use TMPDIR=/var/tmp for privileged tests (#44120, @rastislavs)
- ci:wireguard: enable Host Firewall in native routing e2e tests (#43450, @smagnani96)
- datapath/loader: Add netkit to BPF load tests (#44225, @ajmmm)
- docs: Bump k8s compat version (#44516, @joestringer)
- fix the race condition for the TestRouterIDAllocation bgp test case (#44545, @liyihuang)
- Further GC ratchet test fix races (#43075, @tommyp1ckles)
- gateway-api: Skip MeshHTTPRouteNamedRule to stabilize CI (#44289, @jrife)
- gh: e2e-upgrade: skip all steps when downgrade_version doesn't exist (#43899, @julianwiedmann)
- gh: e2e-upgrade: skip disk cleanup when workflow is skipped (#44384, @julianwiedmann)
- gh: e2e: enable additional configs for downgrade-testing with v1.19 (#43750, @julianwiedmann)
- ginkgo: remove `ClusterIP can be accessed when external access is enabled` (#44193, @smagnani96)
- ginkgo: remove `ClusterIP cannot be accessed externally when access is disabled` (#44192, @smagnani96)
- golangci-lint: make .golangci.yaml compatible again with non-custom build (#44295, @ti-mo)
- Introduce additional test coverage for datapath connector (#44079, @ajmmm)
- loader: Reduce number of permutations for load-time configs (#44409, @pchaigno)
- policy: add new benchmarks for identity updates and large policy repository (#43407, @odinuge)
- policy: fix broken policy tests (#44334, @odinuge)
- release: Reset charts to upstream branch (#44411, @joestringer)
- Revert "chore: Add OwnerReferencesPermissionEnforcement to kind in CI" (#43935, @giorio94)
- test: remove K8sDatapathBandwidthTest (#44226, @puwun)
- tests: remove allowlist entry for deleting no longer present service (#43895, @Sm0ckingBird)
- workflows: Cover v6.18 kernel instead of v5.10 (#44405, @pchaigno)
- workflows: Extend KPR + GKE tests (#44406, @pchaigno)
Misc Changes:
- .github/renovate: add go mod commands after updating go deps (#43867, @aanm)
- .github/renovate: remove constrain about ghcr.io/spiffe images (#43755, @aanm)
- .github/renovate: skip cilium/ebpf (#44072, @aanm)
- .github/workflows: add missing auto labeler for v1.19 branch (#43759, @aanm)
- .github/workflows: fix renovate deployment (#43813, @aanm)
- [ipam/multi-pool] Fix races in the manager (#44183, @pippolo84)
- Add global namespace filtering support to service sync and MCS API service exports for improved ClusterMesh scalability (#43385, @jimassa)
- add JSON output for cilium-dbg endpoint list for bugtool commands (#44393, @liyihuang)
- Added circuit breaker configuration (max connections, requests, and retries) for Cilium Envoy ingress, egress, and external envoy. (#44195, @liyihuang)
- AWS ENI IPAM: Reduce API calls during ENI creation when using prefix delegation (#44154, @sh1un)
- bgp: Clean up unused RouteReflector and improve GoBGP test commands (#44074, @liyihuang)
- bgp: Ensure unique job names for `BGPCPResourceStore` instances to avoid error logs during hive termination (#44514, @rastislavs)
- bpf, datapath: move CIDR identity range to runtime config (#44223, @viktor-kurchenko)
- bpf, nat46x64: move RFC6052 prefix into node config (#43799, @viktor-kurchenko)
- bpf, nodeport: source port ranges converted to runtime config (#43680, @viktor-kurchenko)
- bpf, tunnel: TUNNEL_PORT and TUNNEL_PROTOCOL to runtime config (#43520, @viktor-kurchenko)
- bpf: consistently use proto extracted from packet as __be16 (#43720, @tklauser)
- bpf: correct comments in cil_from_netdev function (#43864, @liyihuang)
- bpf: host: don't force PACKET_HOST when IPSec is enabled (#43342,...
1.19.1
Summary of Changes
Bugfixes:
- clustermesh: fix CRD update permission for MCS-API CRD install (Backport PR #44280, Upstream PR #44224, @Preisschild)
- Fix panic during datapath reinitialization if DirectRouting device is required but missing (Backport PR #44280, Upstream PR #44219, @fristonio)
- helm: Fixed RBAC errors with `operator.enabled=false` by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #44280, Upstream PR #44159, @puwun)
- Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #44280, Upstream PR #43517, @pasteley)
CI Changes:
- ci: e2e: add `kernel` to workflow job names (Backport PR #44127, Upstream PR #44291, @smagnani96)
- gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #44147, Upstream PR #44109, @julianwiedmann)
- gh: ariane: skip more workflows for LVH kernel updates (Backport PR #44147, Upstream PR #44115, @julianwiedmann)
Misc Changes:
- chore(deps): update all github action dependencies (v1.19) (#44248, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.19) (#44368, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.19) (#44363, @cilium-renovate[bot])
- chore(deps): update base-images (v1.19) (#44247, @cilium-renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.19) (#44343, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.19) (#44400, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.19) (#44242, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.25.7 docker digest to 85c0ab0 (v1.19) (#44364, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.19) (#44243, @cilium-renovate[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.19) (#44365, @cilium-renovate[bot])
- chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260206102632-39e3d06a2850 (v1.19) (#44244, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.19) (#44245, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.19) (#44262, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.19) (#44366, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.19) (patch) (#44246, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.19) (patch) (#44367, @cilium-renovate[bot])
- ci: e2e: improve GitHub action readability (Backport PR #44127, Upstream PR #44126, @smagnani96)
- docs: Update docsearch to v4.5.4 (Backport PR #44272, Upstream PR #44233, @joestringer)
- endpoint/watchdog: fetch all endpoints without programs loaded (Backport PR #44280, Upstream PR #44111, @mhofstetter)
- gateway-apis: Correct supported versions in docs (#44217, @youngnick)
- Policy Tiers: feature-flagging, add fuzzer, fix corner cases (Backport PR #44267, Upstream PR #43893, @jrajahalme)
- Policy: Fix rule origin for ordered policies (Backport PR #44280, Upstream PR #44178, @jrajahalme)
Other Changes:
- install: Update image digests for v1.19.0 (#44172, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.19.1@sha256:56d6c3dc13b50126b80ecb571707a0ea97f6db694182b9d61efd386d04e5bb28
docker-plugin
quay.io/cilium/docker-plugin:v1.19.1@sha256:6edfbf46ca484b1ed961f3c7382159ba7f0227e7af692159e99e8d4810ecaf34
hubble-relay
quay.io/cilium/hubble-relay:v1.19.1@sha256:d8c4e13bc36a56179292bb52bc6255379cb94cb873700d316ea3139b1bdb8165
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.19.1@sha256:837b12f4239e88ea5b4b5708ab982c319a94ee05edaecaafe5fd0e5b1962f554
operator-aws
quay.io/cilium/operator-aws:v1.19.1@sha256:18913d05a6c4d205f0b7126c4723bb9ccbd4dc24403da46ed0f9f4bf2a142804
operator-azure
quay.io/cilium/operator-azure:v1.19.1@sha256:82bce78603056e709d4c4e9f9ebb25c222c36d8a07f8c05381c2372d9078eca8
operator-generic
quay.io/cilium/operator-generic:v1.19.1@sha256:e7278d763e448bf6c184b0682cf98cdca078d58a27e1b2f3c906792670aa211a
operator
quay.io/cilium/operator:v1.19.1@sha256:93a6306d4543f1d8eccd79d6770c00ef4d4791f66326d97f9851f9d316e70141
1.18.7
Summary of Changes
Minor Changes:
- Exclude topology.kubernetes.io labels from security labels by default (Backport PR #43777, Upstream PR #43725, @moscicky)
- hubble-relay: Add `hubble.relay.logOptions.format` and `hubble.relay.logOptions.level` Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #44004, Upstream PR #43644, @puwun)
Bugfixes:
- Add permissions to the cilium-operator so that it can create EndpointSlices when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #44034, Upstream PR #43912, @fgiloux)
- bpf: Correct refinement of inner packet L4 checksum detection (Backport PR #43923, Upstream PR #43868, @br4243)
- bpf: Fix marker to skip nodeport when punting to proxy (Backport PR #43886, Upstream PR #43069, @borkmann)
- clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR #44056, Upstream PR #43807, @MrFreezeex)
- Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #43756, Upstream PR #43095, @aditighag)
- Fix ICMP error packet handling by adding the missing checksum recalculation performed during RevNAT for SNATed load-balanced traffic. (Backport PR #43861, Upstream PR #43196, @yushoyamaguchi)
- Grant permissions to the cilium-operator so that it can reconcile ingresses when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #44034, Upstream PR #43949, @giorio94)
- helm: Fixed RBAC errors with `operator.enabled=false` by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #44281, Upstream PR #44159, @puwun)
- loadbalancer: Fix GetInstancesOfService so that removing an endpoint from Service A no longer causes all requests to Service B to fail when the name of Service A is a prefix of the name of Service B (Backport PR #43777, Upstream PR #43620, @imroc)
- Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #44281, Upstream PR #43517, @pasteley)
CI Changes:
- fix(ctmap/gc): fix race conditions and flakiness in TestGCEnableRatchet (Backport PR #44056, Upstream PR #42009, @AritraDey-Dev)
- gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #44148, Upstream PR #44109, @julianwiedmann)
- gh: ariane: skip more workflows for LVH kernel updates (Backport PR #44148, Upstream PR #44115, @julianwiedmann)
- gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #44004, Upstream PR #43921, @giorio94)
- gke: lower scope of ESP firewall rule (Backport PR #43865, Upstream PR #43691, @marseel)
Misc Changes:
- .github/workflows: use proper directory structure for GH actions (#43760, @aanm)
- chore(deps): update all github action dependencies (v1.18) (#43845, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.18) (#43984, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.18) (#44099, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.18) (#44253, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.18) (#43839, @cilium-renovate[bot])
- chore(deps): update base-images (v1.18) (#43840, @cilium-renovate[bot])
- chore(deps): update base-images (v1.18) (#43983, @cilium-renovate[bot])
- chore(deps): update base-images (v1.18) (#44098, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.18) (#43844, @cilium-renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.22.3 (v1.18) (#44096, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.18) (#44249, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.18) (#43979, @cilium-renovate[bot])
- chore(deps): update docker.io/library/ubuntu:24.04 docker digest to cd1dba6 (v1.18) (#43980, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.18) (#44250, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.18) (#43841, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.18) (#43842, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.18) (#43981, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.18) (#44251, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.18) (#44260, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) (#43843, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) (#43982, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) (#44097, @cilium-renovate[bot])
- docs: add helm underlayProtocol value to documentation (Backport PR #44056, Upstream PR #43934, @aanm)
- docs: adjust URL to latest stable Hubble CLI version (Backport PR #43777, Upstream PR #43745, @tklauser)
- docs: Document hubble requirement on kernels with BPF_EVENTS compiled in (Backport PR #44056, Upstream PR #44042, @EmilyShepherd)
- docs: Update docsearch to v4.5.4 (Backport PR #44273, Upstream PR #44233, @joestringer)
- Documentation: Added Helm configuration instructions for enabling and customizing metrics. (Backport PR #44056, Upstream PR #43481, @suunj)
- gitattributes: make install/kubernetes driver match more specific. (Backport PR #44056, Upstream PR #43943, @tommyp1ckles)
- multicast: fix nil assignment to node configuration cell.Out map (Backport PR #43865, Upstream PR #40859, @ldelossa)
- workflows: Add id-token permission to call-publish-helm job (Backport PR #43777, Upstream PR #43717, @aanm)
Other Changes:
- .github/workflows: remove stable from v1.18 branch (#44153, @aanm)
- [v1.18] Backport setup gke cluster (#43793, @Artyop)
- install: Update image digests for v1.18.6 (#43714, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.18.7@sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.18.7@sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa
docker-plugin
quay.io/cilium/docker-plugin:v1.18.7@sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9
hubble-relay
quay.io/cilium/hubble-relay:v1.18.7@sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.18.7@sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0
operator-aws
quay.io/cilium/operator-aws:v1.18.7@sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45
operator-azure
quay.io/cilium/operator-azure:v1.18.7@sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f
operator-generic
quay.io/cilium/operator-generic:v1.18.7@sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7
operator
quay.io/cilium/operator:v1.18.7@sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f
1.17.13
Summary of Changes
Minor Changes:
- runtime: Add libatomic1 for cilium-envoy dependency (Backport PR #43926, Upstream PR #43292, @sayboras)
CI Changes:
- gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #44152, Upstream PR #44109, @julianwiedmann)
- gh: ariane: skip more workflows for LVH kernel updates (Backport PR #44152, Upstream PR #44115, @julianwiedmann)
- gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #44005, Upstream PR #43921, @giorio94)
Misc Changes:
- .github/workflows: use proper directory structure for GH actions (#43761, @aanm)
- chore(deps): update all github action dependencies (v1.17) (#43852, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#43989, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#44102, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#44259, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#43846, @cilium-renovate[bot])
- chore(deps): update base-images (v1.17) (#43847, @cilium-renovate[bot])
- chore(deps): update base-images (v1.17) (#44256, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.17) (#43851, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v33.5 (v1.17) (#44101, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.17) (#44254, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.17) (#43985, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.24.12 docker digest to c213114 (v1.17) (#43986, @cilium-renovate[bot])
- chore(deps): update docker.io/library/ubuntu:24.04 docker digest to cd1dba6 (v1.17) (#43987, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.17) (#44255, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.17) (#43848, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1768563234-33034fa55d3270872c9e2b24285bfaad20a90a54 (v1.17) (#43849, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.17) (#43988, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.17) (#44257, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.17) (#44261, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#43850, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#44100, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#44258, @cilium-renovate[bot])
- docs: adjust URL to latest stable Hubble CLI version (Backport PR #43778, Upstream PR #43745, @tklauser)
- docs: Document hubble requirement on kernels with BPF_EVENTS compiled in (Backport PR #44057, Upstream PR #44042, @EmilyShepherd)
- docs: Update docsearch to v4.5.4 (Backport PR #44274, Upstream PR #44233, @joestringer)
- gitattributes: make install/kubernetes driver match more specific. (Backport PR #44057, Upstream PR #43943, @tommyp1ckles)
- workflows: Add id-token permission to call-publish-helm job (Backport PR #43778, Upstream PR #43717, @aanm)
Other Changes:
- [v1.17] Backport setup gke cluster (#43795, @Artyop)
- install: Update image digests for v1.17.12 (#43713, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.17.13@sha256:1e3907ba8815e2e474ea8da25876911af2da0ae07c04eaa87a326ba4343aa539
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.17.13@sha256:3aeee4e88b68934f45faf211a1e6b1b7310ac31b2dda448f5df77860c57a71fa
docker-plugin
quay.io/cilium/docker-plugin:v1.17.13@sha256:a37e314f585cb57165605c50449ed9fb4458d766689a328405644920ae6de6ee
hubble-relay
quay.io/cilium/hubble-relay:v1.17.13@sha256:0c49b7363157849623099de9fc9378da7146f49e7d5f602d113223542b789ace
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.17.13@sha256:a383d4c3896d150aad8e6f1d54df942e98e83033f381e5b9a7f424d1caf77471
operator-aws
quay.io/cilium/operator-aws:v1.17.13@sha256:8c6faae3a985690d35f77309a1300f4dd0e8f11544537e2589ffa3c0132d978a
operator-azure
quay.io/cilium/operator-azure:v1.17.13@sha256:4ad4c0cc236efe751f33fb1449a056af10654bc9cb7407862d412bc065ba6185
operator-generic
quay.io/cilium/operator-generic:v1.17.13@sha256:c2582d9eaeec598de9cd8815a3ed20caade17c26858eea672cff3240b0970983
operator
quay.io/cilium/operator:v1.17.13@sha256:581d5d54e5993be947cbce34fd5cb3401d124e2859dad0c947272f911b9b0d16
1.19.0
🎉 Release Announcement 🎉: We are excited to announce the Cilium 1.19.0 release!
A total of 2934 new commits have been contributed to this release by a growing community of over 1010 developers and over 23,600 GitHub stars! 🤩
The full changelog can be found here.
Here are some of the highlights:
🛡️ Network Policy
- 🃏 Multi-Level DNS Matches: DNS policy match patterns now support a wildcard prefix (`**.`) to match multi-level subdomains as a pattern prefix. (cilium/cilium#43420, @fristonio)
- 📡 Match New Protocols: You can now match VRRP and IGMP protocols in host firewall rules. (cilium/cilium#39872, @aditighag; cilium/cilium#41949, @kyounghunJang)
- ⛔ Actively Deny Connections: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. (cilium/cilium#41406, @antonipp)
- 🌐 Select Clusters Explicitly: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. (cilium/cilium#40609, @MrFreezeex)
- 🔧 Unlock Future Work: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release (cilium/cilium#39906, @vipul-21; cilium/cilium#42784, cilium/cilium#42896, @jrajahalme)
- ⚠️ Deprecate underutilized features: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. (cilium/cilium#43167, @sayboras; cilium/cilium#40967, @TheBeeZee)
🔒 Encryption & Authentication
- 🔐 Encryption Strict Modes: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. (cilium/cilium#39239, cilium/cilium#42115, @rgo3, @julianwiedmann)
- 🚇 Ztunnel Beta: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. (cilium/cilium#42766, cilium/cilium#42819, cilium/cilium#43227 and others, @ldelossa, @rgo3, @nddq)
- 👥 Mutual Authentication: The out-of-band Mutual Authentication feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. (cilium/cilium#42665, @christarazi)
- ↪️ Accelerate IPsec: The IPsec encryption mode now supports BPF Host Routing for faster route lookups (cilium/cilium#41997, @pchaigno)
🚠 Networking
- 🚀 BIG TCP in Tunnels: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. (cilium/cilium#43416, @gentoo-root)
- 🥌 Packetization-Layer Path MTU Discovery: Detect maximum transmission unit (MTU) sizes for network paths using TCP. (cilium/cilium#42012, cilium/cilium#43710, @tommyp1ckles)
- 🚆 IPv6 Underlay: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. (cilium/cilium#40324, @pchaigno)
- 🏷️ Multi-Pool IPAM is ready for wider use: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. (cilium/cilium#40460, cilium/cilium#42191, @pippolo84)
- 🎭 More Configurable Masquerade: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade (cilium/cilium#37568, @behzad-mir; cilium/cilium#43380, @alimehrabikoshki)
🕸️ Services and Service Mesh
- 📣 Layer-2 Announcements: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. (cilium/cilium#39648, @msune)
- 🔁 IPv6 Service Loopback: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. (cilium/cilium#39594, @saiaunghlyanhtet)
- ⛩️ Gateway API Enhancements: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. (cilium/cilium#41936, @youngnick)
🛣️ Border Gateway Protocol (BGP)
- 🔌 Advertise Addresses from Interfaces: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. (cilium/cilium#42469, @rastislavs)
- ✉️ Override Source IP addresses: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface`, to allow binding the BGP connection to a loopback address that is not tied to a specific physical interface's lifecycle (cilium/cilium#42583, @rastislavs)
- 🔁 Withdraw Empty Routes: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` (cilium/cilium#40717, @oblazek)
- ⚠️ Move to `cilium.io/v2` API: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. (cilium/cilium#42278, @rastislavs)
🛰️ Observability
- 🔬 Trace IP Options: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. (cilium/cilium#41306, @Bigdelle)
- 🚩 Filter Encrypted Flows: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. (cilium/cilium#43096, @SRodi)
- 🔖 Tag Drops with Policy Names: Hubble v1.Events drop messages now include which Network Policy caused the drop. (cilium/cilium#41693, @41ks)
🌅 Performance and Scale
- ⚡ Faster Network Policy Computation: Improve Cilium resource usage for handling selectors in network policies. (cilium/cilium#42008, @jrajahalme; cilium/cilium#42580, @odinuge)
- 🔌 More Efficient Connection Tracking: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. (cilium/cilium#38782, @BenoitKnecht; cilium/cilium#41990, @bersoare)
- 💾 Better Scale in AWS: Reduce memory usage for cilium-operator in large AWS environments with many resources. (cilium/cilium#42529, @liyihuang)
⚙️ Operations
- 📦 Access Helm charts via Registry: Helm charts are also available under `quay.io/cilium/charts/cilium` (cilium/cilium#43624, @aanm)
- 📊 Metrics Encryption: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. (cilium/cilium#42077, @phuhung273)
- 🤖 Easier Multi-Cluster install: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). (cilium/cilium#40729, @MrFreezeex)
- 📜 Simpler Certificate Management: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. (cilium/cilium#42298, @MrFreezeex)
- 🛠️ Cilium dependencies were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. (cilium/cilium#43422, @aanm; [#40569](https://github....
1.19.0-rc.1
Summary of Changes
Minor Changes:
- auth: Disable by default (Backport PR #44003, Upstream PR #42665, @christarazi)
- Exclude topology.kubernetes.io labels from security labels by default (Backport PR #43780, Upstream PR #43725, @moscicky)
- hubble-relay: Add `hubble.relay.logOptions.format` and `hubble.relay.logOptions.level` Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #44003, Upstream PR #43644, @puwun)
- Split selector cache to reduce cpu usage and reduce lock contention in the selector cache (Backport PR #44025, Upstream PR #42580, @odinuge)
Bugfixes:
- Add support for specifying plpmtud (mtu discovery) settings for Pod endpoints, with the default now being "1" (blackhole-detected). (Backport PR #44025, Upstream PR #43710, @tommyp1ckles)
- bpf: Correct refinement of inner packet L4 checksum detection (Backport PR #43922, Upstream PR #43868, @br4243)
- bpf: Fix marker to skip nodeport when punting to proxy (Backport PR #43866, Upstream PR #43069, @borkmann)
- clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR #44025, Upstream PR #43807, @MrFreezeex)
- endpoint/manager: wait for completed endpoint restoration before starting periodic GC & regeneration controllers (Backport PR #43866, Upstream PR #43776, @mhofstetter)
- endpoint/mgr: don't register periodic regeneration if interval is 0 (Backport PR #43866, Upstream PR #43790, @mhofstetter)
- Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name (Backport PR #44025, Upstream PR #43999, @EmilyShepherd)
- fix: incorrect schema entries for cpu limits (Backport PR #43780, Upstream PR #43735, @jcpunk)
- gateway api: fix for multiple listeners on a gateway check (Backport PR #43922, Upstream PR #43802, @xtineskim)
- Hubble Export FieldMask: introduce functionality to specify multiple 'oneof' variants like l4.TCP/l4.UDP. Hubble Export Aggregation: enrich aggregated flow logs with a timestamp to preserve temporal context (Backport PR #44003, Upstream PR #43924, @mereta)
- Make BIG TCP initialization flow more robust and fix bugs. (Backport PR #44025, Upstream PR #43891, @gentoo-root)
CI Changes:
- .github/ariane-config: schedule runs on conformance-ipsec.yaml (Backport PR #44003, Upstream PR #43907, @aanm)
- .github/workflows: k8s-kind-network-e2e: add shorter timeout (Backport PR #43922, Upstream PR #43908, @aanm)
- .github/workflows: re-add workflow_dispatch to tests-e2e-upgrade (Backport PR #43922, Upstream PR #43906, @aanm)
- ci: fix tests-datapath-verifier on 1.19 (Backport PR #44003, Upstream PR #43931, @marseel)
- cyclonus: add higher timeout and retries to avoid flakes (Backport PR #44003, Upstream PR #43909, @aanm)
- gateway-api: Skip MeshHTTPRouteMatching to stabilize CI (Backport PR #44003, Upstream PR #43890, @joestringer)
- gh: e2e-upgrade: test patch releases (Backport PR #43751, Upstream PR #43627, @julianwiedmann)
- gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #44003, Upstream PR #43921, @giorio94)
- gke: lower scope of ESP firewall rule (Backport PR #43866, Upstream PR #43691, @marseel)
Misc Changes:
- .github/actions: login with cosign to sign helm OCI charts (Backport PR #43866, Upstream PR #43782, @aanm)
- bpf: subnet: make subnet map read-only (Backport PR #44025, Upstream PR #43948, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.19) (#43838, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.19) (#43978, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.19) (#43833, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.19) (#43972, @cilium-renovate[bot])
- chore(deps): update base-images (v1.19) (#43834, @cilium-renovate[bot])
- chore(deps): update base-images (v1.19) (#43977, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.19) (#43973, @cilium-renovate[bot])
- chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260114104534-18147eee9c49 (v1.19) (#43835, @cilium-renovate[bot])
- chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260123105127-470c3a315f3a (v1.19) (#43974, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.19) (#43836, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.19) (#43975, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.19) (patch) (#43837, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.19) (patch) (#43976, @cilium-renovate[bot])
- Clarify the upgrade notes for v1.19 (Backport PR #43957, Upstream PR #43913, @joestringer)
- clustermesh: add missing reason in mcs condition metrics (Backport PR #43866, Upstream PR #43775, @MrFreezeex)
- daemon: fix version for deprecated encryption strict egress mode flags (Backport PR #43866, Upstream PR #43731, @rgo3)
- docs(observability): Add tutorial for IP option tracing (Backport PR #44025, Upstream PR #43961, @Bigdelle)
- docs: add helm underlayProtocol value to documentation (Backport PR #44025, Upstream PR #43934, @aanm)
- docs: add operator prometheus TLS (Backport PR #44025, Upstream PR #43997, @phuhung273)
- docs: Add upgrade note about wildcard service entries. (Backport PR #44025, Upstream PR #44013, @ajmmm)
- docs: adjust URL to latest stable Hubble CLI version (Backport PR #43780, Upstream PR #43745, @tklauser)
- endpoint/restore: introduce metrics (Backport PR #43866, Upstream PR #43748, @mhofstetter)
- endpoint/restore: remove special handling for host endpoint in case of ipsec (Backport PR #43922, Upstream PR #43757, @mhofstetter)
- Fix BPF IPv6 neighbor discovery code to fully pull in skb data into linear section. (Backport PR #43922, Upstream PR #43873, @borkmann)
- install: Quieten noisy build output (Backport PR #44003, Upstream PR #43960, @joestringer)
Other Changes:
- install: Update image digests for v1.19.0-rc.0 (#43772, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.19.0-rc.1@sha256:2df92477f0c53137c5238ca07844b9888167fa75906d281a21182d5c57b119ab
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.19.0-rc.1@sha256:83c971b855a632d5964b13a575a122f26e87532f15f23864906f0da70b72c4ee
docker-plugin
quay.io/cilium/docker-plugin:v1.19.0-rc.1@sha256:307c60a773100c81486e153df2c6aafac939be1f6ac1dcb192c4227d099adafb
hubble-relay
quay.io/cilium/hubble-relay:v1.19.0-rc.1@sha256:1e85dc30d3b5f6ef577b97078bc940400f3ea9e47c2151aa449047aba30e3f30
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.19.0-rc.1@sha256:b4feb092d5ddcfcdbba6917253a2d0cc3821a0df26f721e072e7e64d3b7e88b3
operator-aws
quay.io/cilium/operator-aws:v1.19.0-rc.1@sha256:c6fcac287b32747565f0ea10aa03a15eeaf69bd1792cc5df6248c07fd5c65b15
operator-azure
quay.io/cilium/operator-azure:v1.19.0-rc.1@sha256:e157421eb980cfe3b80b85117704e3d932211c367e13f207eea30c0fd8a4f39f
operator-generic
quay.io/cilium/operator-generic:v1.19.0-rc.1@sha256:8b9dc8107ee0d808a0a75b66455402e860529528de5968df21c11f8ce7627771
operator
quay.io/cilium/operator:v1.19.0-rc.1@sha256:ecf08e6c428aac38d658044bfdcdea161c278fdde8c6cdb0957f8f03090acd3a